How to minimise payment fraud on your e-commerce store
If you are running an e-commerce store, then you can accept payments from your customers through a payment gateway.
When you accept payments on your e-commerce store, you will also want to reduce or even prevent payment fraud.
Indeed, payment fraud can have huge financial impact on your business.
Therefore, it is important for you to look at how you can minimise payment fraud on your e-commerce store.
Given that, let us explore how we can reduce payment fraud on our e-commerce stores.
Understand how you can lose money if you get involved in a fraud case
First, let’s look at how your store can lose money.
Losing money through credit card disputes and lost goods
Suppose that you are a selling DSLR cameras through your e-commerce store.
After receiving payment from your customer, you ship out the camera to the indicated address. However, the "customer" made the payment with a stolen credit card and you have no idea about it.
When the real credit card owner discovers the transaction that he did not make, he files a dispute to his issuing bank. Given that, the issuing bank stops the 1000 dollar credit into your bank account and refunds the money back to the victim.
Since you had shipped out the camera, you will also not get it back.
As a result, you lose money from:
- losing the camera and
- paying the hefty dispute handling fee.
Losing money through denial of service
Another way that you can incur financial lost is when a saboteur brings your payment channel down.
Since payment gateways are shared resources, providers can disable a payment gateway account when they detect abuse.
Given that in mind, a saboteur can run automated scripts to abuse your payment form. When they do so, your payment gateway may disable your payment gateway account.
In this situation, you will not be able to accept payments on your e-commerce store, resulting in business losses.
In addition to that, payment gateway can charge you hefty transactional fees on those transactions made by the saboteur.
Losing money through carding attacks
Another way to lose money is when your e-commerce website becomes a target for carding attacks.
There are many ways where credit card information is stolen without cardholders being aware:
- Merchant stores credit card information of customers without encryption, employees and/or hackers downloads a copy.
- Customers put credit card details on paper to subscribe or make a payment later. An internal staff collects the papers and notes down the credit card numbers at the side.
- Waiters record the credit card details when diners provides their credit card to settle the bills.
These stolen credit card information can find their way on a black market. Someone who collates the stolen credit card information into a list will test if those credit cards make purchases.
In order to be efficient, bots are often used to run those tests in parallel.
When your store is targetted, the bots will use the credit cards to buy random stuff from your website.
Given that such activities result in high transactional traffic, your payment gateway can bill you for the processing fees.
In addition to that, the traffic from these bots can result in the denial of service situation that we had covered earlier.
When that happens, your website will not be able to accept orders from legitimate customers for a while.
Losing money through large number of recurring unsuccessful charges
If you offer subscription trials, then you may collect your customers' card details when they sign up for your subscription.
In this situation, many of your customers may sign up for your subscription with cards that cannot be charged successfully.
When the trial is over, trying to take money from those cards will fail with processor declines.
If processors return a soft decline such as insufficient balance, then your billing engine may continue with more charge attempts on the cards.
Just like carding attacks, you incur processing fees even though you fail to collect money for next billing cycles.
Utilise tools to filter out traffic from unwanted bots
Indeed, the online world is full of bots that can harm our online businesses.
However, if we can reduce bot traffic hitting our e-commerce stores, we can avoid reduce financial losses.
One easy way to do so is to implement recaptcha at your checkout page.
When you implement recaptcha on your checkout page, recaptcha will help you differentiate bots from actual human customers.
Given that, you can then implement logic to prevent the bots from hitting your payment gateway.
Verify payer with 3D Secure before accepting payment from payer
In addition to filtering traffic from unwanted bots, you can also verify the identity of your payers.
If you can ensure that the payer is the true owner of the card, then you can prevent illegitimate purchases.
When only true card holders can buy from your website, you avoid losing money through lost of goods and dispute handling fees.
One of the best way to verify your payers is by implementing 3D Secure verification.
When you implement 3D Secure verification on your website, you will first get the card issuing bank to verify the payer.
You will only take the money from the card when the issuing bank confirms that the card holder is legit.
Since the issuing bank is the one who verifies the card holder, the liability for dispute will be taken up by the issuing bank. In case there are disputes filed on a card transaction, there will be a stronger case for you to fight the case.
Sounds good, but what are the catches?
First, not all issuing banks participate in 3D secure verification. If a customer is holding a card from a bank that do not participate in 3DS, then that customer cannot buy from your e-commerce store.
However, this is not really a problem if the bulk of your customers are holding cards from issuing banks operating in countries that mandate 3DS implementation. For example, all issuing banks in Singapore are required to provide 3D secure verification services for their card holders. Therefore, if most of your customers are holding cards from Singaporean banks, then you can turn on 3DS verification on your e-commerce site without losing many customers.
Second, 3DS verification is an extra cost on top of the card processing fee. If you do not have a way to stop bot traffic, then saboteurs can sabotage your website with bots. In addition, bots can use your website to check if a stolen credit card number is valid for making purchases. After all, if there is an OTP challenge coming from the issuing bank, it can mean that the credit card is eligible for making purchases.
Third, your customers can still file disputes even though you implement 3DS verification. If you have a programming bug that causes duplicate transactions charged to your customer's card, then you are liable for dispute handling fees on those duplicate transactions.
Verifying payer with Address Verification Service
You can also use the Address Verification Service (AVS) to verify your payers.
As the name implies, Address Verification Service uses an address to verify against customers' records maintained by the bank.
In order to use AVS, you will first prompt the card holder for some billing address in addition to the credit card details. When the customer had provided such details, you will submit them to the payment gateway. When the issuing bank receives these information, it will check if the billing address matches the card holder's record. If billing address does not match, then the issuing bank declines the transaction.
The rationale of this is that the billing address is something that is known to the card holder and his/her circle of friends. Therefore, it is unlikely that a credit card thief can guess the billing address correctly.
Sounds ok, but what's the catch?
First, just like 3DS, not all issuing banks provide this service. Many card issuing banks outside of the US, UK, and Canada do not consistently support AVS. If most of your customers are not holding cards issued from those countries, then many transactions can be declined when you turn on AVS.
Second, the address matching can be very stringent. A card holder submitting the address in a different way may fail the verification. Furthermore, the card holder may have moved and had forgotten to update the issuing bank with a new billing address. Therefore, there can be a large number of false declines as well.
Verify payer with CVV
Another way to filter out fraudulent transactions is by verifying the payer with CVV or card verification value.
The rationale of using this value is that the CVV is often not stored in databases and is found at the back of the physical card.
However, this mode of verification is useless against cases when stolen card information includes CVV.
Use fraud management tools provided by your payment gateway to reject fraudulent transactions
When you use a payment gateway like Braintree to accept payments, you will get fraud management tools on top of 3DS, AVS and CVV.
Turn on simple velocity checks
One such tool can be velocity checks on the different fields associated with the transactions. For example, you may allocate an order ID for each order session and submit it your payment gateway for processing. In such a situation, your payment gateway may let you configure a limit to the number of unique credit card numbers supplied to one order ID within a timeframe. When your payment gateway detects a transaction hitting the threshold limit, it will reject that transaction. Therefore, this kind of check can help stop people or bots from using your e-commerce store to test out credit card details.
Turn on sophisticated fraud checks based on machine learning and collective intelligence
More sophisticated tools can involve a mix of machine learning and collective intelligence. Since your payment gateway serves many merchants, they have good visibility of credit cards sent for processing at any point in time. For example, if a credit card number had dispute cases before, your payment gateway can reject transactions that you had accepted with that credit card number.
Blacklist payment methods that result in bad transactions
Depending on the features that you had signed up with your payment gateway, you may have the ability to blacklist payment methods manually.
If the integration options provided by your payment gateway provides a way to get a unique identifier to bad payment methods, then you can build your own blacklist programmatically.
For example, suppose your integration point provide you with a unique number identifier for each credit card. Given that, you can program your code to track occurrences of processor declines to the unique identifiers.
Whenever you hit a hard decline with a credit card, you can blacklist that unique number identifier so that you don't use it for future transactions.
When you hit a soft decline with a credit card, you may want to count the number of transaction failures before you send the unique number identifier to your blacklist.
In addition, the velocity checks can happen at a wider scale. For example, your payment gateway can reject transactions that contains a credit card number received from multiple merchants at once.
If your payment gateway provides you with some means to submit customers' device data, then the fraud checks can extend to geolocation or any other device related data.
Limit the usage of a payment method for multiple subscription accounts
Since social engineering is common, a fraudster can appear to be a genuine owner of a given payment method.
For example, a fraudster can trick the owner of a credit card and take over his/her mobile device that OTP challenges are sent to.
In such situations, a fraudster can sign up for multiple subscription accounts and pass the 3DS challenges sent by the issuing bank.
Therefore, as a merchant, you may want limit the usage of a payment method for multiple subscription accounts.
If you are expecting that your customers are using a same payment method for multiple subscription accounts, then you can consider increasing the usage threshold only after the first few subscription accounts had multiple successful bill charges without disputes.
That initial usage threshold should be a number that your business can risk losing if a fraud case arises.