November 10, 2016

What are the KPIs of security and loss (fraud) prevention department at companies like Amazon?

TL;DR: Some KPIs reflect how your business stands generally (e.g., turnover, number of transactions, conversion rate, types of payment methods, or geographical distribution of clients). Others describe how well you manage your risks (e.g., fraud rate and chargeback rate, automatically accepted and rejected transactions, review rate, time per review, rate of cases won and lost) or how well you handle requests from sellers and buyers (e.g., number, response time).

  1. The objectives of KPIs
  2. The challenges
  3. How to select KPIs
  4. Business KPIs
  5. Payment KPIs
  6. Fraud KPIs
  7. Payment fraud KPIs

1. The objectives of KPIs. Users of your C2C e-commerce business are either buyers or sellers. Your goal is to facilitate transactions between them with trust and reliability.

However, a series of events may make those transactions unsuccessful, e.g., the items do not arrive, the items do not match the description, the items are damaged, or the payment is fraudulent. Failed transactions make your users unhappy. If failures repeat, they will lose trust in your e-commerce business, which will affect your success.

It is therefore crucial to monitor KPIs that provide an accurate snapshot of how well you are fulfilling transactions.

2. The challenges. Transaction success is measurable with a simple binary indicator (e.g., ok, not ok) or with a rating (e.g., 0 to 5 stars).

Ratings are the most elementary mechanism to engineer trust [1, 2]. In particular, ratings help buyers and sellers build credibility and establish trust in your e-commerce services.

However, each additional user input is known to reduce the transaction velocity (cf. “One Click Checkout” from Amazon or “Stay Logged In” from PayPal), which also reduces customer lifetime value and the profitability of your e-commerce business.

3. How to select KPIs? Your selection of KPIs depends on your business strategy, your legal requirements, and your turnover.

For some e-commerce businesses, one side (the buyer or the seller) is strategic, which means transaction success for those users is monitored more precisely than for the other less-strategic user. Legal requirements also influence how litigations are arbitrated and how each side is protected. Finally, your turnover determines your resources and therefore the perimeter of your set of KPIs.

Timewise, you would have KPIs before the payment, during the payment, after the payment but before the shipment, and after the shipment. In terms of domain areas, you would have business, payment, fraud, and fraud prevention KPIs. I will cover these KPIs in the following paragraphs.

4. Business KPIs. Since conversion is king in e-commerce, the #1 and #2 business KPIs are certainly your conversion (%) and your sales (e.g., amount, number, average cart, min, max). Your #3 KPI could be the speed at which transactions get fulfilled. Then, you would track the volume of business per payment method (#4) and, if your e-commerce business is large enough, the metrics per geographical area, e.g., country, state (#5).

5. Payment KPIs. Next, you would identify where your e-commerce transactions are at risk and if you can address those risks. Usually you look at the failure reasons. For instance, when a charge on a credit card fails, your payment service provider returns a code that says:

  • if the customer cancelled the transaction;
  • if 3DSecure failed;
  • if the 3DSecure server was down;
  • if the card is not 3DSecure enabled;
  • if the funds are insufficient;
  • if the card is blacklisted, etc.

Ideally, you would track each code, understand its root cause, and see if you can address it.

6. Fraud KPIs. In terms of the bottom line of the business, there are two fraud subtypes:

  • those where your business does not lose the principal (e.g., because of the liability shift [3] or because you won the defense of the case) and
  • those that lead to a refund of the principal (the so-called “chargeback”).

Obviously, since the financial impact differs between fraud subtypes, tracking each is necessary.

Note, however, that the rates vary significantly by payment method, geographical distribution, type of product, etc.

In fact, these two fraud rates (as well as your volume of transactions and volume of frauds) are essential to determine if you fall under the liability shift, which is a mechanism, like insurance, that protects e-merchants from chargebacks in case of fraud when the payment was acquired with 3DSecure authentication.

Hence, card networks like Visa or MasterCard review your fraud rates periodically, and if they are higher than a certain threshold, they will warn you first. Then they may stop protecting you under the liability shift and refuse to process your payments.

7. Fraud Prevention KPIs. If your e-commerce service is exposed to payment fraud, you likely have a fraud prevention system with some rules and some scoring in place. In that case, the KPIs are straightforward.

First, you want to know how many payments your fraud prevention system is automatically accepting, how many it rejects, and how many it sends for manual verification (if any).

Second, because the process you have in place will make errors, you want to know how many instances of fraud your scoring, rules, and reviewers considered OK. You want to minimize those.

Third, you might want to A/B test how many legitimate transactions were rejected by your rules, scores, and reviewers.

Finally, you want to evaluate the total cost of preventing payment fraud (e.g., review time, statisticians, staff).
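The four measurements above, computed over a constructed batch of payments. This is an added example, not part of the original article; the record layout, the field names, and the review cost figures (6 minutes per review, 30 per hour) are assumptions. The false-reject rate is measured only on a holdout group, because the true outcome of a rejected payment is otherwise never observed.

```python
from collections import Counter, namedtuple

# decision: output of rules/scoring ("accept", "reject", "review")
# review:   reviewer's verdict for "review" payments, else None
# fraud:    confirmed outcome; None if the payment was never processed
# holdout:  rules said "reject" but the payment was processed anyway
#           as an A/B control group, so its outcome is known
Payment = namedtuple("Payment", "decision review fraud holdout")

# Constructed sample data (20 payments), not real figures.
SAMPLE = (
    [Payment("accept", None, False, False)] * 11
    + [Payment("accept", None, True, False)]       # fraud the rules let through
    + [Payment("review", "accept", False, False)] * 2
    + [Payment("review", "accept", True, False)]   # fraud the reviewer let through
    + [Payment("review", "reject", None, False)]
    + [Payment("reject", None, None, False)] * 2   # outcome unknown
    + [Payment("reject", None, False, True)]       # holdout: was legitimate
    + [Payment("reject", None, True, True)]        # holdout: was fraud
)

def fraud_prevention_kpis(payments, minutes_per_review, cost_per_hour):
    n = len(payments)
    decisions = Counter(p.decision for p in payments)
    # Payments finally accepted, by the rules/scoring or by a reviewer.
    accepted = [p for p in payments if not p.holdout
                and (p.decision == "accept" or p.review == "accept")]
    missed = sum(1 for p in accepted if p.fraud)
    # Only the holdout group shows what rejected payments really were.
    holdout = [p for p in payments if p.holdout]
    wrongly_rejected = sum(1 for p in holdout if p.fraud is False)
    reviews = decisions["review"]
    return {
        "accept_rate": decisions["accept"] / n,
        "reject_rate": decisions["reject"] / n,
        "review_rate": reviews / n,
        "missed_fraud_rate": missed / len(accepted) if accepted else 0.0,
        "false_reject_rate": wrongly_rejected / len(holdout) if holdout else None,
        "review_cost": reviews * minutes_per_review * cost_per_hour / 60,
    }

if __name__ == "__main__":
    for name, value in fraud_prevention_kpis(SAMPLE, 6, 30.0).items():
        print(f"{name}: {value}")
```

Without a holdout group the function returns `None` for the false-reject rate rather than 0, since the absence of measured errors is not the same as the absence of errors.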

Fabrice works at Ubivar (www.ubivar.com), a SaaS solution that helps e-merchants detect, verify, and manage payments at risk of fraud.

