September 19, 2016

Five ways to prevent credit card fraud for your e-commerce service based on your level of risk


If you have a high-risk business, you need a dedicated system to spot payments that are at risk of getting lost. Often, you also need to verify some payments manually and get in touch with the clients to verify their identity. Fraud prevention systems offered by your bank, your payment service provider and dedicated SaaS companies help you do just that.

The longer answer starts with knowing the level of risk that your business faces. We then lay out five distinct approaches to fraud prevention, and you can settle on one depending on your level of risk. Assuming you need a dedicated system, we cover what comes next. Finally, we explain what happens when you discover a case of fraud.

  1. The level of risk of your e-commerce service;
  2. The five ways to prevent payment fraud;
  3. Choosing the approach that fits your e-commerce service;
  4. What follows if you need a dedicated system;
  5. You shipped the goods and you are hit by a chargeback.

1. The level of risk of your e-commerce service

| Influencing factor | Description |
|---|---|
| Geography | The level of risk faced by your business depends on the geography of your business. Are you located in the US, in the EU? Do you ship locally, nationally, internationally? |
| Catalog | The level of risk faced by your business depends on your catalog of products. Do you sell high tech, sportswear, luxury items, airline tickets, …? Is your average basket price under $20, between $20 and $200, or above $200? |
| Your platform | The level of risk faced by your business depends on your platform. Do you use standard e-commerce software such as WooCommerce, Magento, or PrestaShop, or pay-as-you-go cloud-hosted solutions? What versions do you have? |
| Your situation | The level of risk faced by your business depends on the situation of your business. Can you afford to review some of the payments manually? How fast do you ship: within 1h or 2, or within a week or more? How big is your e-commerce: micro, small, or large? |

2. The five ways to prevent payment fraud

| Option | Description |
|---|---|
| 1. Do nothing | You do nothing, because you are just starting or because you are not exposed to fraud. There are, indeed, some types of products that have no "resell-ability", like spare parts for, let's say, a 1988 Ford Fiesta. |
| 2. Use 3D Secure | You use 3D Secure (Visa), SecureCode (MasterCard) or SafeKey (American Express). These are "insurances" that protect your business against payment fraud. However, because these are "insurances", there are rules defining what's allowed and what's not allowed. Most times, you are eligible, but even though you are "insured", you might still have to prevent fraud! That's because you can get excluded if you have too much fraud. Online travel agents (OTA), who are in a very risky business (small payoff, huge risk), need fraud systems on top of this insurance. (See with your bank or payment service provider to activate it.) |
| 3. Do it yourself | You are able to do it yourself (DIY), which is pretty handy to get you started and to react quickly; you just need to know how to program your payment flow. But because it's DIY, it doesn't scale. Your expertise will limit you now, but also further down the road. Managing the rules may become a pain, especially if the creator of the rules has left your company and you are left figuring out what this gibberish means, right when you need to change things. |
| 4. Legacy system | You use a legacy system provided by many commercial banks and payment service providers. If you have basic needs, these systems are conceptually simple and pretty good to start with. Let's say that you simply want to do business in your country, with people holding a card from your country: then it's OK! |
| 5. Dedicated system | You use dedicated systems. Here, there are quite a few options: big e-merchants often prefer "brands", so they head for Visa CyberSource, Accertify from American Express, SAP, Palantir tech, ThreatMetrix, FICO, etc.; then, there are the payment service providers, who typically propose add-ons to prevent fraud, but you may get limited here, and the indirect cost of a badly managed fraud system can get huge over time; and finally, you have a series of startups (from the Valley but also from Israel, the UK, France, etc.) that are the ones to run to for innovation, for specific expertise in a domain, for automation, or for price competitiveness. |

3. Choosing the approach that fits your e-commerce service

The context of your business tells whether you are in a low, medium, or high risk business, and hence influences what approach you choose:

| Risk level | Option |
|---|---|
| Low | If it's low risk (or you are just starting), then you might go for option 1. |
| Medium | If you have a medium risk, then you might consider options 2, 4 and 5 (there are pros and cons for each, notably in terms of conversion…). |
| High | If it's high risk, then you should definitely go for option 5 and a fully dedicated fraud prevention system. |

4. What follows if you need a dedicated system

At this point, it's essential to know how many payments you can review manually (5–10% is common, but, again, that depends on your business). Because of your limited reviewing capacity, you need to prioritise the payments with the highest risk whilst auto-accepting the rest. For this, you use the filtering mechanisms of your fraud prevention system (whether rule-based or machine learning-based), and every day, you will have a series of payments to review.
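The prioritisation described above, sketched as an added example (not code from the original article or from any vendor): a small rule-based scorer ranks the day's payments and fills a capacity-limited review queue. The rule names, weights, the choice of "resellable" categories and the sample payments are illustrative assumptions; the risk factors themselves come from the table in section 1.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount_usd: float
    card_country: str
    ship_country: str
    category: str
    ships_within_hours: float

# (rule name, weight, predicate). Factors come from the risk table in
# section 1; the names and weights are illustrative assumptions.
RULES = [
    ("card_and_shipping_country_differ", 40, lambda p: p.card_country != p.ship_country),
    ("basket_above_200_usd", 25, lambda p: p.amount_usd > 200),
    ("resellable_category", 20, lambda p: p.category in {"high tech", "luxury", "airline tickets"}),
    ("ships_within_2_hours", 15, lambda p: p.ships_within_hours <= 2),
]

def score(payment):
    """Return (total, names of the rules that fired) so reviewers see why."""
    fired = [(name, weight) for name, weight, test in RULES if test(payment)]
    return sum(w for _, w in fired), [n for n, _ in fired]

def triage(payments, review_capacity=0.10):
    """Queue the riskiest payments for manual review; auto-accept the rest.
    review_capacity is the fraction of payments the team can review."""
    slots = int(len(payments) * review_capacity)
    ranked = sorted(payments, key=lambda p: (-score(p)[0], p.payment_id))
    # Never spend a review slot on a payment that triggered no rule.
    review = [p for p in ranked[:slots] if score(p)[0] > 0]
    queued = {p.payment_id for p in review}
    return review, [p for p in payments if p.payment_id not in queued]

# Constructed sample day (not real data): ten payments.
SAMPLE_DAY = [Payment(*row) for row in [
    ("p01", 18, "FR", "FR", "spare parts", 72), ("p02", 45, "FR", "FR", "sportswear", 48),
    ("p03", 950, "US", "FR", "high tech", 1), ("p04", 120, "FR", "FR", "sportswear", 24),
    ("p05", 320, "FR", "FR", "luxury", 48), ("p06", 60, "FR", "BE", "sportswear", 72),
    ("p07", 15, "FR", "FR", "spare parts", 96), ("p08", 210, "FR", "FR", "sportswear", 24),
    ("p09", 35, "FR", "FR", "sportswear", 2), ("p10", 80, "FR", "FR", "high tech", 48),
]]

if __name__ == "__main__":
    for p in triage(SAMPLE_DAY)[0]:
        print(p.payment_id, *score(p))
```

Keeping a readable name on every rule and returning the names that fired is what lets a reviewer, or whoever inherits the rule set, see why a payment was queued.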

Still, you won't always be able to know whether to accept the payments or not. You may have to reach out to the customer for further verification. The way you do it depends on where you are located, on the pieces of ID you can request, on your type of business, etc.

Part of this payment verification process is very simple, like managing CRM. You can figure it out by yourself. Other parts are very advanced and demand expertise, notably in digital forensics. Typically, here, it's important to have some expert reviewers at hand.

5. You shipped the goods and you are hit by a chargeback

It is only four weeks after the payment date (on average, but this can be as long as 6 months) that banks notify you of fraud cases. A lot of time passes between when you ship and when the money is withdrawn from your e-commerce bank account. It can get even worse if other frauds have occurred and you did not spot them in time.

So, the typical next step is to react to fraud cases (or failed fraud attempts) by figuring out what their common denominator is. You make some rules that are meant to prevent additional frauds of "that type". This means that fraudsters tend to have an edge over you because you are always too late... unless you fundamentally change the way you prevent fraud, which is what some startups are doing.

