Card-not-present credit card fraud cost online merchants 0.9% of revenue in 2010 (down from 1.4% in 2008 and 3.6% in 2000) according to research by Cybersource.
The expense of chargebacks, unrecoverable transfers, unnecessary shipping costs and human resources to investigate disputes add up, and a company’s goodwill can be damaged with banks when fraud rates are higher than average. Chargeback rates higher than your merchant bank’s acceptable threshold may cause you to lose your merchant account, and make it more difficult for you to open one with another bank. And processing fraudulent transactions that a cardholder must dispute tarnishes your brand name in their eyes, and could spark negative word of mouth.
Fraud management systems, both manual and automated, aim to curb fraud losses and protect cardholders from unauthorized use of their accounts. Last post we covered 3D Secure cardholder authentication (e.g. Verified by Visa, MasterCard Secure Code), which is only one tool in your fraud management arsenal, and should not be relied upon alone. Today we examine these tools, and what you should consider when developing your fraud management solution.
Basic automated fraud management tools
Address Verification Service, or AVS, is a tool that checks a customer’s input name, address and card number details against a database of addresses on file with card issuing banks. AVS is not available for all countries, issuing banks and card types. For example, American Express only supports AVS in the US.
While AVS is effective at preventing fraudsters, it’s also prone to reject good orders, as it requires an exact match of the customer’s billing address. For example, an address #33-1234 Suchandsuch Road may be rejected if the on-file address is 1234 Suchandsuch Rd Apt. 33. If a bona fide customer attempts the address multiple times “incorrectly,” her card may be locked out of use temporarily.
Another problem is an AVS mismatch may not prevent the authorization from appearing on the cardholder’s statement. The issuing bank can hold the authorized amount for 3 to 7 days unless contacted by the customer. But confused and irate customers who find the charges may complain to your customer service.
It’s a good idea to provide error messaging when a mismatch occurs that explains the address must be exactly as on the cardholder’s statements. (Test it in different browsers to make sure it’s readable!)
Because it’s easy to reject good orders and accept fraudulent ones, you don’t want to rely on AVS alone. Mismatches and partial matches do not have to be rejected, they may be flagged for manual review.
I’ve written about the perils of and workarounds for CVV (aka CSC, CVN, CVC and CVV2) on Get Elastic before. To recap, CVV (card verification value) can create 2 conversion problems. Some customers will not know what CVV is or where to find it. Others fear handing over their security code means it may fall into the wrong hands. Address both these FUDs (fears, uncertainties and doubts) by showing visually where to find the code, and explaining the number will not be stored in your database.
As discussed in detail last post, Verified by Visa, MasterCard Secure Code and their cousins add an extra layer of authentication to the checkout process by means of a personal password/PIN. The main benefit for retailers is the liability shift from the merchant to the issuing bank should the customer file a chargeback. Merchants may also enjoy lower interchange fees for participating in the scheme. However, the extra step in checkout is not always appreciated by customers. Many merchants report a drop in conversion when using 3D Secure.
Again, 3D Secure is not the silver bullet to prevent fraud. Not all card issuing banks participate with Verified by Visa, and not all cardholders have enrolled. Unenrolled cardholders are allowed to opt-out a number of times (variable) before being required to join the program, and identity thieves who are first to use a new card online can set their own passwords.
The decision whether to use 3D Secure depends on a number of things explained last post.
Automated Transactional Risk Scoring
ATRS solutions enable ecommerce systems to identify suspicious behavior, assign a “risk factor” and reject or flag a risky order for manual review. The logic and settings are custom to the online retailer based on past experience and other industry factors. They may be home-grown or third-party (e.g. Cybersource, Ethoca, Accertify). The downside of home-grown solutions is they depend heavily on the trial-and-error experience of your own business. Third-party services that pull data from a large user base are more nimble in detecting fraud trends and can have higher accuracy, but may also come at a much higher cost.
Beyond AVS, CVV, 3D Secure, a variety of other tools may be used by the ATRS including:
- IP detection Identifies user’s location and checks against known high risk IP and email addresses
- Device fingerprinting Reads data from and about a device and browser session including true IP address and location (can identify proxies), and whether the device has been involved in previous fraudulent activities. (More features than simple IP detection)
- Order velocity monitoring Flags orders that have been submitted within a specific time period from one card or IP address
- Positive lists Records of “good” customers, based on order history
- Negative lists Known “bad” IPs, card numbers, device IDs, name/address combos, etc. Some banks end up on black lists if they are known to have higher rates of fraud among cards they have issued
- Shared lists Positive/negative lists shared across companies
Systems are typically tuned to detect suspicious behavior like high dollar value baskets, unusual product mixes (random selection of clothing sizes, for example), large quantities of a single item (especially electronics) and rapid additions to cart.
What one e-tailer considers abnormal may be the norm for other businesses, so automated systems allow rules-based tweaking. For example, a $1,000 order may be suspicious for an electronics store but very common for a furniture shop that sells $5,000 living room sets. A billing and shipping address mismatch is common with gifts and flower delivery sites, but may be more suspicious for others. Some businesses may want to reject orders from certain regions, or flag orders shipping to P.O. boxes, prisons, hotels, schools and hospitals.
Despite automation’s virtues, some orders call for manual review. This may involve calling the customer or the customer’s bank, using reverse lookup tools, checking customer records or even using Google Maps and social media to track down a name/address. (Some automated tools have the ability to check email addresses across social networks).
Manual review by humans is obviously more costly and time consuming than automated tools, and using a number of different automated tools *should* reduce costs. However, the more automated tools you use (the average is 7.4 for large ecommerce companies), the more likely an order will be flagged for manual review! Companies that seem to squeak by with a low percentage of manual reviews are likely rejecting good orders, and should understand where the sweet spot lies between resource savings and sales and profits. Ideally, manual reviews should be reserved for orders you want to keep, rather than as a fraud detection method.
What system is right for you?
There’s no one-size-fits-all fraud management solution. Your needs will vary based on your transaction volume, industry, geographic market(s) and rate of fraud, and your options may be limited by staffing or budget (smaller merchants tend to rely solely on manual reviews and the “basic” automated services). The rules you apply to your system will also vary based on the nuances of your individual business. Keep the following in mind when choosing / using a fraud management system:
1. Order rejection rates
Merchants with slimmer margins have more to lose when orders are fraudulent, and tend to have higher order rejection rates. Those with higher margins can absorb more fraud, accepting a higher risk in exchange for faster order processing and shipment, and less false-positives.
A continual challenge with automated tools is the rejection of legitimate orders (false-positives). Tools should be continually tweaked when false positives are identified. Julie Fergerson of Ethoca recommends you monitor your “order resuscitation” rate, along with customer complaints to your call center on rejected orders. “It should be very low.”
3. System maintenance
In addition to false-positive feedback, tools require continual updating, both with new technologies to combat fraud and with information you gather from day-to-day operations. For example, daily review of declines (both internal rejections and those declined by issuing banks) can help you discover authorization problems that may exist, or commonalities among purchase behavior or other characteristics of declined orders. Fergerson says “even a purchased risk engine needs to be constantly analyzed. Otherwise, they can be worse than just guessing.”
Insufficient staffing can delay orders, leading to unhappy customers and more WISMO (where is my order) calls to your customer service team. Ill-trained staff can also reject good orders and let bad ones slip through. Some fraud management vendors offer outsourced manual review staff, which may have some efficiencies (scale up and down as needed), and in some cases, better trained staff.
There are many weapons available to help your quest for fighting fraud, but there’s a fine balance between stopping bad orders and preserving good ones. No matter what your fraud management system looks like, it requires continual maintenance to be effective. You should be continually adjusting rules and processes based on the overall online fraud environment and your own learnings to ensure you’re maximizing profits and minimizing losses.
Looking for help with your ecommerce strategy and site optimization? The Elastic Path research and consulting division is available to enterprises selling digital goods and services. For more information, visit us at http://elasticpath.com/ecommerce-consulting/ or contact us at firstname.lastname@example.org.