Ecommerce Fraud Management Systems: The What The Why and The How

Card-not-present credit card fraud cost online merchants 0.9% of revenue in 2010 (down from 1.4% in 2008 and 3.6% in 2000) according to research by Cybersource.

The expense of chargebacks, unrecoverable transfers, unnecessary shipping costs and human resources to investigate disputes add up, and a company’s goodwill can be damaged with banks when fraud rates are higher than average. Chargeback rates higher than your merchant bank’s acceptable threshold may cause you to lose your merchant account, and make it more difficult for you to open one with another bank. And processing fraudulent transactions that a cardholder must dispute tarnishes your brand name in their eyes, and could spark negative word of mouth.

Fraud management systems, both manual and automated, aim to curb fraud losses and protect cardholders from unauthorized use of their accounts. Last post we covered 3D Secure cardholder authentication (e.g. Verified by Visa, MasterCard Secure Code), which is only one tool in your fraud management arsenal, and should not be relied upon alone. Today we examine these tools, and what you should consider when developing your fraud management solution.

Basic automated fraud management tools

AVS

Address Verification Service, or AVS, compares the billing street address and postal code a customer enters (in practice, their numeric portions) with the address the card-issuing bank has on file, and returns a match, partial-match or no-match code alongside the authorization response. AVS is not available for all countries, issuing banks and card types; American Express, for example, supports it in only a handful of countries.

AVS does stop some fraud, but it is also prone to rejecting good orders, because it effectively demands an exact match of the numeric portion of the billing address. For example, “#33-1234 Suchandsuch Road” may be rejected when the address on file is “1234 Suchandsuch Rd Apt. 33,” since the same digits appear in a different order. If a bona fide customer retries the address several times “incorrectly,” the issuer may temporarily block her card.

Another problem is that an AVS mismatch does not undo the authorization. The issuer approves the amount first and reports the AVS result with that approval, so if you reject the order the hold for the full amount still sits on the customer’s card for 3 to 7 days unless you reverse (void) the authorization or the customer contacts the bank. Confused and irate customers who spot the pending charge will complain to your customer service.

It’s a good idea to show an error message on a mismatch explaining that the billing address must appear exactly as it does on the cardholder’s statement. Keep the message generic, though: telling the customer which field failed also tells a fraudster who is testing stolen cards exactly what to change. (Test it in different browsers to make sure it’s readable!)

Because it’s easy to reject good orders and accept fraudulent ones, you don’t want to rely on AVS alone. Mismatches and partial matches do not have to be rejected; they can be flagged for manual review instead.
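As an added example (not code from the original post), here is how a checkout backend might grade the AVS and CVV codes its gateway returns, with the strict and lenient policies described above, plus the digit-only comparison that explains the “#33-1234” mismatch. The response-code mapping and the strict/lenient rules are assumptions; check them against your own gateway’s reference before reusing them.

```python
"""Grading AVS and CVV response codes into accept / review / reject.

Added example, not code from the original post. The single-letter codes
follow the common Visa-style convention used by many US gateways
(AVS: Y = street and postal code match, A = street only, Z = postal code
only, N = no match, U/R/S/G = unavailable, retry, unsupported, non-AVS
country; CVV: M = match, N = no match, P/U = not processed/unavailable).
That mapping is an assumption: codes differ between processors, so check
your gateway's reference before reusing it.
"""
import re
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"   # ship it
    REVIEW = "review"   # hold for a human
    REJECT = "reject"   # decline, and reverse the authorization so no hold lingers


AVS_FULL = {"Y"}
AVS_PARTIAL = {"A", "Z"}                    # exactly one of street / postal code matched
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "R", "S", "G", ""}  # issuer, country or card type lacks AVS
CVV_NO_MATCH = {"N"}


def digits_for_avs(address_line: str) -> str:
    """What AVS actually compares: only the digits of the street line.
    This is why '#33-1234 Suchandsuch Road' does not match an on-file
    '1234 Suchandsuch Rd Apt. 33' -- same numbers, different order."""
    return re.sub(r"\D", "", address_line)


def screen(avs: str, cvv: str, strict: bool = True) -> Decision:
    """Combine both checks. A CVV mismatch is always rejected. In strict
    mode an AVS miss is rejected and a partial match is reviewed; in
    lenient mode (the 'ZIP or street is enough' policy some merchants use
    to cut false positives) a partial match is accepted and a miss is
    reviewed rather than thrown away. 'Unavailable' never auto-rejects,
    because that would decline every card from a non-AVS country."""
    if cvv in CVV_NO_MATCH:
        return Decision.REJECT
    if avs in AVS_FULL:
        return Decision.ACCEPT
    if avs in AVS_PARTIAL:
        return Decision.REVIEW if strict else Decision.ACCEPT
    if avs in AVS_NO_MATCH:
        return Decision.REJECT if strict else Decision.REVIEW
    return Decision.REVIEW   # AVS_UNAVAILABLE or an unknown code


def customer_message(decision: Decision) -> str:
    """One generic message for a rejection; orders held for review look
    like accepted orders to the customer. Spelling out which field failed
    tells a fraudster testing stolen cards exactly what to change."""
    if decision is Decision.REJECT:
        return ("We could not verify your billing details. Please enter the "
                "address and security code exactly as they appear on your "
                "card statement, or contact us for help.")
    return "Thank you, your order has been received."


if __name__ == "__main__":
    for line in ("#33-1234 Suchandsuch Road", "1234 Suchandsuch Rd Apt. 33"):
        print(f"{line!r:40} -> AVS compares {digits_for_avs(line)}")
    for avs, cvv in (("Y", "M"), ("A", "M"), ("N", "M"), ("U", "M"), ("Y", "N")):
        print(f"AVS={avs} CVV={cvv}: strict={screen(avs, cvv).value:7} "
              f"lenient={screen(avs, cvv, strict=False).value}")
```

Run it as a script to print the grading table. Whatever policy you pick, a rejection issued after the gateway has already authorized the card should be followed by an authorization reversal, or the hold described above will sit on the customer’s statement anyway.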

CVV

I’ve written about the perils of and workarounds for CVV (aka CSC, CVN, CVC and CVV2) on Get Elastic before. To recap, CVV (card verification value) can create two conversion problems. Some customers will not know what CVV is or where to find it. Others fear that handing over their security code means it may fall into the wrong hands. Address both of these FUDs (fears, uncertainties and doubts) by showing visually where to find the code and by explaining that the number is used only to authorize the transaction and is never stored in your database (PCI DSS forbids storing it after authorization in any case).

3D Secure

As discussed in detail last post, Verified by Visa, MasterCard Secure Code and their cousins add an extra layer of authentication to the checkout process by means of a personal password/PIN. The main benefit for retailers is the liability shift from the merchant to the issuing bank should the customer file a chargeback. Merchants may also enjoy lower interchange fees for participating in the scheme. However, the extra step in checkout is not always appreciated by customers. Many merchants report a drop in conversion when using 3D Secure.

Again, 3D Secure is no silver bullet. Not all issuing banks participate in Verified by Visa, and not all cardholders are enrolled. Unenrolled cardholders may be allowed to opt out a number of times (the number varies by issuer) before being required to join, and an identity thief who is the first to use a stolen card online can enroll it and set the password himself.

The decision whether to use 3D Secure depends on a number of things explained last post.

Automated Transactional Risk Scoring

ATRS solutions enable ecommerce systems to identify suspicious behavior, assign a “risk factor” and reject or flag a risky order for manual review. The logic and settings are custom to the online retailer based on past experience and other industry factors. They may be home-grown or third-party (e.g. Cybersource, Ethoca, Accertify). The downside of home-grown solutions is they depend heavily on the trial-and-error experience of your own business. Third-party services that pull data from a large user base are more nimble in detecting fraud trends and can have higher accuracy, but may also come at a much higher cost.

Beyond AVS, CVV, 3D Secure, a variety of other tools may be used by the ATRS including:

  • IP detection: identifies the user’s location from the IP address and checks it, and the email address, against lists of known high-risk IPs and addresses
  • Device fingerprinting: reads data from and about the device and browser session, including the true IP address and location (so it can spot proxies), and whether the device has been seen in previous fraudulent activity (richer than simple IP detection)
  • Order velocity monitoring: flags multiple orders submitted within a short period from one card, IP address or device
  • Positive lists: records of “good” customers, based on order history
  • Negative lists: known “bad” IPs, card numbers, device IDs, name/address combinations, etc. Some issuing banks end up on negative lists if the cards they issue are known to have higher-than-average fraud rates
  • Shared lists: positive/negative lists shared across companies

Systems are typically tuned to detect suspicious behavior like high dollar value baskets, unusual product mixes (random selection of clothing sizes, for example), large quantities of a single item (especially electronics) and rapid additions to cart.

What one e-tailer considers abnormal may be the norm for other businesses, so automated systems allow rules-based tweaking. For example, a $1,000 order may be suspicious for an electronics store but very common for a furniture shop that sells $5,000 living room sets. A billing and shipping address mismatch is common with gifts and flower delivery sites, but may be more suspicious for others. Some businesses may want to reject orders from certain regions, or flag orders shipping to P.O. boxes, prisons, hotels, schools and hospitals.
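To make the list of ATRS inputs above and the per-merchant tuning concrete, here is an added example of a small rules-based scoring engine (not the post’s code, nor any vendor’s): order velocity per card and IP over a sliding window, positive and negative lists, billing/shipping country mismatch, high-value baskets, bulk quantities of a risky category and P.O. box shipping, each with a weight the merchant can override. The weights, thresholds, rule names and sample orders are illustrative assumptions.

```python
"""Small home-grown automated transactional risk scoring (ATRS) engine.

Added example, not code from the original post or any vendor it names. It
implements the rule types the post lists (velocity per card and IP, positive
and negative lists, billing/shipping mismatch, high-value basket, bulk
quantity of a risky item, P.O. box shipping) with per-merchant weights.
Rule names, weights, thresholds and the sample orders are all assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    ts: float          # unix seconds
    card_token: str    # gateway token or salted hash of the PAN, never the PAN
    ip: str
    email: str
    bill_country: str
    ship_country: str
    ship_address: str
    total: float
    items: list        # (sku, category, quantity) tuples


# Electronics-store defaults; a furniture shop raises high_value, a flower or
# gift site sets w_country_mismatch to 0.
DEFAULT_POLICY = {
    "high_value": 1000.0, "w_high_value": 20,
    "w_country_mismatch": 25, "w_po_box": 15,
    "velocity_window": 3600, "velocity_max": 3, "w_velocity": 40,
    "bulk_qty": 3, "bulk_categories": {"electronics"}, "w_bulk": 30,
    "w_negative": 100, "w_positive": -30,
    "review_at": 40, "reject_at": 80,
}
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.I)


class RiskEngine:
    def __init__(self, policy=None, negative=(), positive=()):
        self.p = {**DEFAULT_POLICY, **(policy or {})}
        self.negative = set(negative)     # bad card tokens, IPs, emails, device IDs
        self.positive = set(positive)     # emails with a clean order history
        self.recent = defaultdict(deque)  # (kind, key) -> order timestamps in window

    def _velocity(self, key, ts):
        """Sliding-window count of orders for one card or IP, this one included."""
        q = self.recent[key]
        while q and ts - q[0] > self.p["velocity_window"]:
            q.popleft()
        q.append(ts)
        return len(q)

    def score(self, o):
        """Return (decision, score, reasons); the reasons feed the manual reviewer."""
        p, hits = self.p, []
        if {o.card_token, o.ip, o.email} & self.negative:
            hits.append((p["w_negative"], "on negative list"))
        if o.email in self.positive:
            hits.append((p["w_positive"], "known good customer"))
        if o.total >= p["high_value"]:
            hits.append((p["w_high_value"], f"basket {o.total:.2f} >= {p['high_value']:.2f}"))
        if o.bill_country != o.ship_country:
            hits.append((p["w_country_mismatch"], "billing/shipping country differ"))
        if PO_BOX.search(o.ship_address):
            hits.append((p["w_po_box"], "ships to P.O. box"))
        v = max(self._velocity(("card", o.card_token), o.ts),
                self._velocity(("ip", o.ip), o.ts))
        if v > p["velocity_max"]:
            hits.append((p["w_velocity"], f"{v} orders in {p['velocity_window']}s"))
        bulk = [(sku, q) for sku, cat, q in o.items
                if cat in p["bulk_categories"] and q >= p["bulk_qty"]]
        if bulk:
            hits.append((p["w_bulk"], f"bulk {bulk[0][1]} x {bulk[0][0]}"))
        score = sum(w for w, _ in hits)
        decision = ("reject" if score >= p["reject_at"]
                    else "review" if score >= p["review_at"] else "accept")
        return decision, score, [why for _, why in hits]


def run_sample(policy=None):
    """Constructed orders (RFC 5737 test addresses) scored under one policy."""
    eng = RiskEngine(policy, negative={"203.0.113.9"}, positive={"ann@example.com"})
    orders = [
        Order("repeat-customer", 0, "tokA", "198.51.100.1", "ann@example.com",
              "US", "US", "12 Elm St", 1200.0, [("SOFA-1", "furniture", 1)]),
        Order("mule-drop", 10, "tokB", "198.51.100.2", "x@example.net",
              "US", "CA", "PO Box 12", 1500.0, [("LAPTOP-9", "electronics", 4)]),
        Order("listed-ip", 20, "tokD", "203.0.113.9", "y@example.net",
              "US", "US", "9 Pine Rd", 20.0, [("TEE-M", "apparel", 1)]),
    ]
    # Four small orders from one card and IP inside a minute: card-testing pattern.
    orders += [Order(f"burst-{i}", 100 + i, "tokC", "198.51.100.3", "z@example.net",
                     "US", "US", "5 Oak Ave", 50.0, [("TEE-L", "apparel", 1)])
               for i in range(1, 5)]
    return {o.order_id: eng.score(o)[0] for o in orders}
```

run_sample() scores a constructed batch under the electronics-store defaults: the repeat customer’s $1,200 sofa is accepted because the positive list offsets the high-value rule, the cross-border P.O. box order of four laptops is rejected, the order from a listed IP is rejected, and the fourth $50 order from one card and IP inside a minute lands in review, which is the card-testing pattern velocity monitoring exists to catch. Passing {"high_value": 5000.0} reproduces the furniture-shop tuning: the $1,500 order then scores 70 and goes to review rather than rejection.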

Manual Reviews

Despite automation’s virtues, some orders call for manual review. This may involve calling the customer or the customer’s bank, using reverse lookup tools, checking customer records or even using Google Maps and social media to track down a name/address. (Some automated tools have the ability to check email addresses across social networks).

Manual review by humans is obviously more costly and time-consuming than automated tools, and using a number of different automated tools should reduce costs. However, the more automated tools you use (large ecommerce companies use 7.4 on average), the more orders will be flagged for manual review! Companies that squeak by with a low percentage of manual reviews are likely rejecting good orders, and should work out where the sweet spot lies between resource savings and sales and profits. Ideally, manual review should be reserved for orders you want to keep, rather than used as your primary fraud detection method.

What system is right for you?

There’s no one-size-fits-all fraud management solution. Your needs will vary based on your transaction volume, industry, geographic market(s) and rate of fraud, and your options may be limited by staffing or budget (smaller merchants tend to rely solely on manual reviews and the “basic” automated services). The rules you apply to your system will also vary based on the nuances of your individual business. Keep the following in mind when choosing / using a fraud management system:

1. Order rejection rates

Merchants with slimmer margins have more to lose when orders are fraudulent, and tend to have higher order rejection rates. Those with higher margins can absorb more fraud, accepting a higher risk in exchange for faster order processing and shipment, and less false-positives.

2. False-positives

A continual challenge with automated tools is the rejection of legitimate orders (false-positives). Tools should be continually tweaked when false positives are identified. Julie Fergerson of Ethoca recommends you monitor your “order resuscitation” rate, along with customer complaints to your call center on rejected orders. “It should be very low.”

3. System maintenance

In addition to false-positive feedback, tools require continual updating, both with new technologies to combat fraud and with information you gather from day-to-day operations. For example, daily review of declines (both internal rejections and those declined by issuing banks) can help you discover authorization problems that may exist, or commonalities among purchase behavior or other characteristics of declined orders. Fergerson says “even a purchased risk engine needs to be constantly analyzed. Otherwise, they can be worse than just guessing.”

4. Staffing

Insufficient staffing can delay orders, leading to unhappy customers and more WISMO (where is my order) calls to your customer service team. Ill-trained staff can also reject good orders and let bad ones slip through. Some fraud management vendors offer outsourced manual review staff, which may have some efficiencies (scale up and down as needed), and in some cases, better trained staff.

The takeaway

There are many weapons available in the fight against fraud, but there’s a fine balance between stopping bad orders and preserving good ones. No matter what your fraud management system looks like, it requires continual maintenance to be effective. Keep adjusting rules and processes based on the overall online fraud environment and your own learnings to ensure you’re maximizing profits and minimizing losses.

Looking for help with your ecommerce strategy and site optimization? The Elastic Path research and consulting division is available to enterprises selling digital goods and services. For more information, visit us at http://elasticpath.com/ecommerce-consulting/ or contact us at consulting@elasticpath.com.


11 Responses to “Ecommerce Fraud Management Systems: The What The Why and The How”

  1. In the UK at least it would be frowned upon to provide “helpful” error messages if AVS or CV2 check fails – if a fraudster is trying out cards you are giving them assistance as to what might need to be changed to get the transaction through.

  2. Jestep says:

    At this point CVV is pretty much OK for 99% of shoppers. If the website is trustworthy, the conversion loss is normally minimal. I think it’s worth the risk of losing a conversion to at least know your customer had the card in their hand at some point. CVV also works for international transactions whereas AVS is only valid for the US and a few other participating countries.

    Implementing 3D on the other hand is akin to committing ecommerce suicide. I’ve heard of sites experiencing 80% or more decrease in sales when using 3D. It’s a pain to use as a customer. The idea is great, but it’s just not effective. Assuming a cardholder is already signed up as they were forced to when making some transaction, they never remember their PIN because it’s so rare to need it. If it’s their first 3D transaction consider the sale lost…

    The risk scoring systems are very effective if there is enough existing data to properly set them up. A new site is going to have a very hard time tuning one in, with the exception of some of the global metrics like country IP address, and some of the very obvious ordering patterns. The other problem is that it has no benefit against friendly fraud or smart thieves, both of which are becoming more common. Not to say that they aren’t worth it, but it’s very easy to tag a lot of legitimate orders as potential fraud which ends up being a waste of time and money, possibly more than you save in preventing fraud.

    Manual reviews are absolutely essential. If a site has the resources, I would recommend manually verifying all orders above a certain amount. I would also recommend manually verifying just about every overnight order, especially if they are overnight AM or another premium overnight service. It might sound crazy but fraudulent orders are almost always overnight delivery. This can also be made into a very proactive call. “Mr. Customer, we just wanted to let you know we received your overnight order and it is going out tonight!” Most overnight orders are ordered that way because the customer needs it now. Giving them the peace of mind that they will get it is much appreciated.

    Lastly, one of the most effective manual searches is for the shipping address directly in Google. We’ve caught more than one fraud order being shipped to a foreclosed or empty property. Google maps, street view, and many other online tools can identify houses for sale, in foreclosure, or if you’re shipping to an empty lot or something. If any of these is the case, I would be hesitant to ship the order without some better verification.

  3. Linda – hats off for a thorough and insightful article.

    The tricky part is indeed to shrink fraud losses, manual reviews/operational costs, *and* customer insult rate all at the same time. Ethoca makes a compelling case that doing it requires that issuers, merchants and other stakeholders work as one (“Fraud Attacks Cross Industries” is an Ethoca study involving 95 merchants representing 61% of the top 500 Internet merchants – free at ethoca.com/crosstalk).

    Hopefully 2011 is the year of a great leap forward in eliminating ecommerce fraud from the system altogether vs shifting liability for it around.

    I’ll watch this space for more quality coverage of ecommerce fraud management systems!

  4. It has been our experience that if a customer has a billing address with a numbered street, such as “321 45th St”, it’s pretty much always going to be a partial match as the online gateways are so stupid that they read the house number as “32145” instead of “321”. Stuff like this drives merchants nuts, but what is the processor’s incentive to fix it?

    I’ve really enjoyed these past two articles as they help to highlight just how poor the fraud detection tools provided by industry (AVS, CVN, and 3DSecure) for card-not-present transactions really are. When a small business has to resort to Facebook or an expensive service like Ethoca to try and judge whether or not a purchase is legit, something in the processing network is failing! =)

  5. David Minor says:

    For AVS, we only require one of either the ZIP or street to be correct, which helps cut down on false positives.

    Something we’ve noticed about fraudsters who are trying a lot of credit cards: the response almost always indicates a correct CVV.

  6. Great article. It is important to protect yourself and your business only. Thanks for the tips to help make my store a little safer. I look forward to the new features this year that will continue to improve my online experience. Thanks for the great article!

  7. Just wanted to add this in for UK readers on possible chargebacks:

    In the UK a bank can issue a chargeback on any transaction, even if it’s 3D authenticated.
    The thing is, if it’s 3D authenticated they won’t, pretty much 99.999% of the time, because they would probably lose.
    For this reason we’ve taken the step to only allow transactions through which are: 3D authenticated, address first line matched, postcode matches and security code on the back matches.

    Typical attempted fraudulent order details include anonymous emails (@yahoo, hotmail, etc.) – sometimes emails to them just bounce – only mobile numbers supplied, different billing/delivery address

  8. Ed L. says:

    Great article. The part about manual review is spot on.

    Manual review is one of the costliest components of fraud screening. It is costly in that reviewing too few transactions could mean that you are rejecting many good orders. Reviewing too many orders means that you are spending too many resources on manual review costs. For many companies, over 50% of the anti-fraud budget goes to salaries of review staff. For 20% of small companies, they review 100% of orders.

    Therefore, it is important to also have a good manual order review process in place to make sure that the orders you review can be done quickly.

  9. Your focus on manual review is absolutely right. Even within manual workflow review, many checks can be automated (automatic state transition), which reduces the need to have a huge team to monitor the incidents.

    Self promotion: I recommend looking at dataxo.com, which is an open sourced and inexpensive option for smaller companies. The fraud solutions are expensive and small companies cannot afford them.

  10. BSO says:

    No matter what the level of automated check, we always check orders manually as you get a feel for fraud. Landlines and businesses are easy to check out. If it’s a business buying we always ring the company.


© 2014 Get Elastic Ecommerce Blog. All rights reserved.