Recent Insights for Advancing Card Payment Fraud Prevention

Previously I’ve written about how merchants can reduce bank declines thereby increasing revenue and reducing customer friction.

However, much bigger problems for merchants are typically i) reducing false positives and ii) preventing actual fraud.

 

Out with the Old…

 

Real-time fraud prevention tools are critical for company growth. Under the traditional model, companies use rules-based systems from third parties, often their payment processor, overlaid with their own intelligence, unique knowledge of their customers and unique risk appetite.

The output is usually a yes/no/review decision and, unless you want to manually review so many orders that it makes the whole thing unviable, you naturally end up declining good orders in the name of keeping out the bad ones. This is the very definition of false-positives in the fraud prevention space and it costs merchants hundreds of billions in lost sales each year, or 75 times more than the cost of actual fraud according to Forter.

Rules are only as good as the team that sets them and, more importantly, the data they are based on. Individual merchants cannot amass enough data on their own (unless we’re talking about Amazon) and so it needs to be supplemented by other data sources to be useful, which can result in a complex web of interfaces.

 

Are False-Positives a Problem?

 

The one good thing about fraud is that it is measurable. You can calculate your fraud or chargeback ratio and actively take steps to reduce it if needed. However, most merchants don’t know their false-positive rate. The reason is that it’s difficult to measure and requires some out of the box thinking.

For most industries, if any of the following are true, it’s a good rule of thumb you’re probably losing a lot of orders from good customers:

  1. Your fraud screening tool(s) declines more than 1-2% of received transactions
  2. Your chargeback ratio is very low
  3. You send most or all of your traffic through 3DS (especially for non-UK/EU cardholders)

But how do you then quantify the problem?

One way would be to rely on complaints from legitimate customers who were declined but this is anecdotal at best. Another would be to manually review a sample of orders but this comes with another set of problems. It requires costly manual resources who may not actually be delivering the “hard truth” anyway and consistency across analysts may be difficult to ensure.

The best way, which is where the out of the box thinking comes in, is to run tests with samples of transactions which you “know” to be fraudulent i.e. let transactions through which you would have otherwise automatically blocked. You will know which were actually genuine from either manual review or receipt of a chargeback and can adjust your logic accordingly. You’ll also know how big a problem false-positives are for you and what you stand to benefit if you are able to fix the problem.
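One way to turn such a test into numbers, shown here as an added example that is not from the original article: a deterministic let-through sample of would-be-declined orders, and an estimate of the share that were genuine with a confidence interval. All function names, field names and figures are hypothetical, and the sample data is constructed.

```python
import hashlib
import math

def in_holdout(order_id, rate, salt="fp-test-1"):
    """Deterministically place ~rate of would-be-declined orders in the
    let-through group, so the sample cannot be cherry-picked by analysts."""
    digest = hashlib.sha256(f"{salt}:{order_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 < rate

def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion (stable for small samples)."""
    if n == 0:
        return (0.0, 1.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def estimate_false_positives(holdout, declined_count, declined_value):
    """holdout: let-through orders that are past the chargeback window
    (assumption: an order with no chargeback by then is treated as genuine).
    declined_count / declined_value: all orders the rules declined in the period."""
    n = len(holdout)
    genuine = sum(1 for o in holdout if not o["chargeback"])
    share = genuine / n if n else 0.0
    return {
        "sample_size": n,
        "genuine_share": share,  # share of declines that were false positives
        "genuine_share_ci": wilson_interval(genuine, n),
        "est_good_orders_declined": round(share * declined_count),
        "est_revenue_declined": round(share * declined_value, 2),
        "holdout_fraud_loss": sum(o["amount"] for o in holdout if o["chargeback"]),
    }

# Constructed sample: 40 let-through orders, 6 of which ended in a chargeback.
SAMPLE = [{"amount": 50.0, "chargeback": i < 6} for i in range(40)]

if __name__ == "__main__":
    print(estimate_false_positives(SAMPLE, declined_count=2000,
                                   declined_value=100_000.0))
```

The `holdout_fraud_loss` figure is the cost of running the test, which is what the sampling rate should be sized against.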

 

In with the New…

 

This is where the next generation of fraud tools comes into play. It’s all about the size of the network and they use advanced AI and ML tools to link transaction characteristics they’ve “seen” previously. This is often enriched with data from third-party sources (credit agencies, card schemes etc.) and also with user behaviour data, collected by deploying scripts on the merchant’s checkout page which log a multitude of proprietary data points detailing how the payer behaves on the website, what device they are using etc.

Some fraud companies can “recognise” up to 98-99% of new orders because they have seen something before in their network. This could be the name, email, IP address, shipping address etc. or a combination of factors. All of this helps to make a decision in milliseconds which is highly accurate, much more so than the rules-based systems of old and usually without the need for any manual review which is appealing as volumes grow. It also means shared threat-intelligence from across their ecosystem is much more valuable, the larger the network.

The kind of fraud tool required is very merchant specific. Solutions from leading payment gateway vendors, such as Adyen and Stripe, may be sufficient for many merchants with less complex requirements. However, those with more complex requirements, such as those operating in multiple geographies, or requiring bot or account takeover protection, may benefit from dedicated SaaS-based fraud vendors such as Forter, Riskified or Signifyd.

 

So what are some of the key considerations when considering a new fraud solution?

 

  1. Think about whether you need a generic or specialist solution. Many companies will get by with their payment gateway’s product, so this is a good starting point. If you believe this isn’t working, the above companies will happily work with you on a business case. The key then is to ensure it is based on real data such as your auth levels, decline rates, 3DS drop-off etc. If the business case makes sense, you then need to ensure that those results make their way into reality.
  2. Chargeback Guarantee or Not – if you have a chargeback problem it may be tempting to go for a guaranteed service, whereby the vendor takes on the risk for any chargebacks resulting from a transaction they accepted. Whilst this sounds like an elegant solution, it can result in lower acceptance rates as the vendor is wary of letting through transactions in that “grey” area. It’s important to ensure this comes with a guaranteed acceptance rate which you are comfortable with.
  3. Relevant experience – some fraud vendors work with lots of airlines, some with lots of luxury retailers, some with lots of hotel chains. Make sure the vendor has a lot of experience in your sector to ensure i) it is at the forefront of fraud threats targeting your sector and ii) you are maximising the value of its network ecosystem.
  4. How to Handle 3DS Optimisation – Most fraud companies will also offer a dynamic 3DS engine which will handle exemptions (for PSD2) and recommend when to challenge and when not to. Use of exemptions is key to reducing friction where possible in UK/Europe which maximises acceptance and reduces drop-off. Moreover, for cardholders outside of Europe, a targeted approach is absolutely necessary to balance acceptance with chargeback protection but not all vendor solutions are created equal. Some will consider how likely a specific user is to be successful through 3DS or whether specific issuing banks are more or less likely to accept with 3DS or not. It is worth spending some time comparing capabilities in this area and specific metrics may be contracted to ensure performance.
  5. Protection for account-takeover or non-fraud chargebacks – This is an area which is receiving a lot of focus and investment currently, however, only some of the leading fraud players have solutions for targeting these threats. If these are a particular area of concern the options are more limited, unless you are happy to utilise multiple providers.
  6. Warm-up time – a new vendor will sometimes spend some time in “listening” mode in order to train the model before you can trust their decisions and rely on contracted metrics, however, this is not always the case. Make sure you have something in place to offer sufficient protection during this time.
  7. Technical integration – As with anything, it’s important to understand whether a new solution will integrate seamlessly with your existing tech stack. If a vendor has a plug-in for your storefront (e.g. Adobe Commerce, Salesforce etc.) and payment gateway, don’t assume this will be plain sailing. Explore the integration early as problems will inevitably arise which could influence the decision.

 

Conclusion

 

Fraud prevention is a problem for any online business and getting it right is all about finding the right balance between preventing actual fraud and minimising false-positives, all while avoiding onerous or costly internal processes.

There are dozens of vendors to choose from and finding the right mix of product capabilities, technical fit and commercial outcomes requires considerable effort. However, when done right, it can typically boost top and bottom lines by 10% or more which, in today’s competitive environment, is an unmissable advantage.

 
