Ecommerce Fraud Prevention vs Ecommerce Usability
How far should an online store go to prevent ecommerce fraud? What if sniffing out fraudulent behavior actually reduced legitimate conversions? Where is the balance? This topic has again been inspired by my own online shopping experiences, and again with booking travel.
I always start with Kayak to find the lowest fares (I prefer flying with Air Canada as their loyalty program Aeroplan is one of our customers), but I go with another airline if it a significant price delta exists. In this case, I was booking tickets to eTail in Palm Springs and Orbitz had the best deal via Alaska Air.
I selected my flights, found my hotel, entered all travelers information, and entered credit card info - I was committed to the purchase. Upon submitting my order an error occurred - address verification kicked in and indicated my credit card address was faulty and therefore, the transaction would not proceed - please call customer service. I tried the transaction with a number of permutations of my address (ok, every permutation because I detest waiting on hold for customer service). Still no go, so I fold and call their support line. Hold for 5 minutes. Talk for 5 minutes. Get transferred. Hold for 10 minutes. Talk for 5 minutes. Result - call the credit card company. Grrr. I use this corporate card daily, it is legit.
The gist, when an online retail company is so stringent with it’s ecommerce fraud prevention that actual customers do not wish to complete orders or orders take over an hour to complete, it is a bad thing. A very bad thing. Where is the balance between fraud prevention and usability?
Unfortunately, many corporate etailers still don’t understand the concept of usability and how it can impact their bottom line and future business. The finance department has the fraud side covered, but there may be a disconnect between sales/marketing and finance. On the other hand, it’s not always possible to foresee every potential problem that can occur with databases/automated processes which adds to the challenge of bridging that gap, even with due diligence usability testing. It will be interesting to see, as technology advances, how the user experience and online security may improve.
I’d like to see the numbers on address verification and how it impacts the bottom line (long term). What does split testing prove in terms of fraud reduction vs conversion rate - is it all a wash? Are there alternative methods of reducing fraud? I know Ice.com seems to have their fraudulent orders in check. ~ And HI Linda, long time no chat.
Oh man. You have no idea the frustration caused by an online form with address verification. So I had a couple hours to kill at Houston International airport. No problem, $10 for a couple for wifi from Sprint seems OK, but not if you have a Canadian Postal Code with crazy things like numbers AND letters!! Form won’t process my Visa because I have a Canadian address! I called Visa and they confirmed everything was fine on their end, then I called Sprint only to be told there was nothing they could do, they couldn’t even take my Visa number over the phone!!! WTF. Get this when I arrived in San Jose, Costa Rica the whole airport had free wifi!!
HI Jason :)
It seems the biggest companies are the ones I always end up calling tech support for: Amazon, Yahoo etc. Had smoother checkouts with little guys!
We learned our lesson, and we even provide services that do the same thing. We ended up using a LUHN alogorith verification tool. It simply makes sure the number of your credit card is a valid number for that credit card. I am guessing that more expensive purchases like you are talking about should probably do an actually bank verification so there is no way to lose money. Fraud is horrible these days. We get atleast on fraudulent sign up a day. It is almost as much of a pian as keeping your email spam filter up to date because you lose actual money from people that arent even in your country. It is a financial nightmare to prosecute a kid in another country.
What are online payment application providers (like elasticpath) doing in the wake of the Payment Card Industry announcing the Payment Application Data Security Standards? Are you guys on track with the standard or have and plans to align with the standard?
We adhere to the standard up to the level where appropriate. To qualify with Level 1 compliance, there are a lot of measures that have to be in place exclusive of the transactional platform. The ultimate responsibility lies with the retailer - but we make the platform conform accordingly.
How does Elasticpath demonstrate it is “adhering to the standard”? Do you have a Report on Validation or can something similar be provided? Is EP planning to become a PCI validated payment application in 2008?
Thanks for the quick response.
A sales engineer at EP is in the best position to answer this question. I suggest asking your account rep - with that said…
Retailers running EP have been validated as PCI compliant by 3rd party scanning vendors such as ScanAlert Hackersafe (now owned by McAfee). This is level 2 PCI compliance and those vendors doing over 6 million transactions per year must go to level 1. That requires on-site auditing of practices and is a step beyond the platform.