November 20, 2016

How can I reduce fraud for a jewelry rental site like adorn.com?

The revenue you earn from the rental is very small compared to the price of the jewels you rent out: your “payoff/value at risk” ratio is between 100x and 1000x. Problems start when the risk becomes reality and then becomes too frequent. By getting paid online, you face the well-known risk of payment fraud, which has a 1–5% likelihood of occurring. If you are getting paid online, you must deal with this reality. However, there are many instances of successful companies that operate under such a risk:

  • Airbnb is maybe the most prominent of these companies. They make a tiny revenue from rentals—let’s say $10 to $20—while facing a huge risk if guests steal items from a home, break items in a home, or accidentally damage a home.
  • Other companies that deal with this risk are online travel agents (OTAs), such as Booking or Expedia, that act as intermediaries for booking airline tickets. They make a small percentage of each sale—i.e., $10 to $40—and they face a high risk of payment fraud. To break even from one fraud loss, OTAs have to sell 40 to 80 tickets priced at a thousand dollars each. That’s steep!
  • Companies like Fashionphile, which resell pre-owned luxury items, are an excellent example that’s related to your business. They face the risk of payment fraud and the risk that items are counterfeit.

How do these companies reduce their risk?
— They focus on engineering trust.
In that phrase, the words “engineering” and “trust” are equally important. Engineering relates to the construction of processes. Trust is necessary to attract people to your marketplace. In your case, you propose to engineer trust by:

  1. running a $1 pre-authorization,
  2. using an address verification service to match shipping and billing addresses, and
  3. placing a percentage hold on credit cards.

1. Are these steps good enough in terms of security?
— Yes. No. Whatever.

What matters is that you iterate with small steps and figure out how to engineer the trust your business needs. As a profit-making company, you aim to increase the number of deals per time period (including the quantity and velocity of your deals), increase their size (e.g., by cross-selling), and reduce your risk (e.g., payment fraud). That means you should benchmark the changes you make against those metrics when engineering trust.

Getting back to your proposal, a pre-authorization to put a temporary hold on funds for a few days and holding a percentage will definitely test a credit card. The address verification will also tell you if the customer’s addresses match. However, people are moving a lot these days, and they are more frequently picking up their packages in shops and not at home.

The positive side of address verification is that it is totally invisible to the client. A $1 pre-authorization has a pretty light touch too. These approaches won’t reduce the velocity of your sales. While a credit card hold may be logical, it shifts the burden of trust to the client, which will definitely affect the velocity of your sales.

2. What else would you recommend?

— Know your customers (KYC) while limiting data collection

As you engineer trust, any additional information you request from your clients will reduce your sales velocity and conversion, your clients’ overall satisfaction, and the likelihood that customers will make repeat purchases (lifetime value). If you expect your clients to become repeat buyers, your risk management strategy could differ from the strategy an OTA uses and become more similar to what Airbnb does. It might be a good idea to open up a new account with Airbnb to see how they work.

Airbnb offers links to social media sites like Facebook, Twitter, LinkedIn, or Google+. This helps develop the trust hosts need, and it improves Airbnb’s knowledge of its clients (KYC). With more data, Airbnb can segment its clients by risk and thus become proactive in managing risk. This is a cheap option.

Authenticating IDs through a company like Jumio lets you know with great certainty whether an ID is authentic and if the client’s name matches the name in your records. Adopt this strategy if you need a very high level of trust. However, this choice is expensive, and it will affect your business performance.

You can multiply the number of factors authenticated, e.g., by verifying email addresses with a link (pretty standard and cheap), by verifying phones via SMS or voicemail if the customer only has a landline (also cheap), or by using 3DSecure (Visa), SecureCode (MasterCard), and/or SafeKey (American Express) to make sure that credit card holders have two-factor authentication from their issuing bank. This last option is pretty cheap to request and although it may hurt your conversion, it will protect the small amount of revenue you make from each rental.

You can request forms of ID or proof of address from your clients. This can get pretty expensive to manage since it requires a lot of work on your side and from the client. In addition, many documents can be forged, which means you will need someone with experience in digital forensics to authenticate the documents. Still, this is the approach used by many OTAs and e-merchants because the startup costs are so low—you only need email, not any software.

Last but not least, lenders may review users. This is a very powerful way to build credibility, and Airbnb uses it a lot. I would only choose this option if you expect your clients to have high lifetime values. Otherwise, it won’t work.
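To make "benchmark each change against deal volume and fraud risk" concrete, here is an added example (not part of the original answer) that scores a growing stack of the controls discussed above. Only the 100x ratio and the 1% fraud rate come from the text; the dollar amounts, the effect size of each control, and the assumption that effects multiply independently are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    keeps_orders: float    # share of orders that still complete (velocity cost)
    keeps_fraud: float     # share of fraud that still gets through
    fee: float             # per-order cost of running the check

# Constructed figures: $50 rental on a $5,000 piece (the 100x ratio), 1% fraud.
REVENUE, VALUE_AT_RISK, BASE_FRAUD, BASE_ORDERS = 50.0, 5000.0, 0.01, 10.0

# Constructed effect sizes, ordered from light touch to heavy.
CONTROLS = [
    Control("address verification", 1.00, 0.80, 0.0),
    Control("$1 pre-authorization", 0.98, 0.70, 0.0),
    Control("3DSecure", 0.90, 0.20, 0.1),
    Control("ID authentication", 0.60, 0.05, 2.0),
]

def break_even_fraud_rate(revenue, value_at_risk):
    """Fraud rate p where (1 - p) * revenue equals p * value_at_risk."""
    return revenue / (revenue + value_at_risk)

def profit(controls):
    """Expected profit per BASE_ORDERS baseline orders with `controls` applied."""
    orders, fraud, fees = BASE_ORDERS, BASE_FRAUD, 0.0
    for c in controls:
        orders *= c.keeps_orders
        fraud *= c.keeps_fraud
        fees += c.fee
    per_order = (1 - fraud) * REVENUE - fraud * VALUE_AT_RISK - fees
    return orders * per_order

def benchmark():
    """Profit after adding each control in turn: [(stack label, profit), ...]."""
    rows = [("no controls", profit([]))]
    for i, c in enumerate(CONTROLS, start=1):
        rows.append(("+ " + c.name, profit(CONTROLS[:i])))
    return rows

def best_stack():
    """Label of the control stack with the highest expected profit."""
    return max(benchmark(), key=lambda row: row[1])[0]

if __name__ == "__main__":
    print(f"break-even fraud rate: {break_even_fraud_rate(REVENUE, VALUE_AT_RISK):.2%}")
    for label, value in benchmark():
        print(f"{label:24s} {value:9.2f}")
```

With these constructed inputs the uncontrolled business loses money at a 1% fraud rate, and the heaviest control lowers total profit even though it removes almost all fraud, because it costs too many completed orders.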

3. What happens if someone cancels their card while they still have a rental piece out?

— How often does this happen?

There are various fraud subtypes. You should consider the likelihood of each type of payment fraud. Depending on the likelihood of the risk, you may want to disregard it, proactively manage it because it is a serious threat, or buy insurance.

Be aware that buying insurance will cost you more in the end than what the risk would cost you on average. Insurance is handy when you are risk-averse and you want to hedge your bets, but in my view, your competitive advantage lies in how you engineer trust to prevent the risk and make your business sustainable.

4. What payment service best meets my needs?

- I’m not sure this is the central point…

Given what was discussed above, you may need some of the following services from your payment service provider: pre-authorizations, holds, reversals, two-factor authentication (e.g., 3DSecure) and a fraud prevention system. This system may or may not be part of the bundle you receive from your payment service provider.

Personally, I am a proponent of isolating company functions and using the best software that exists for each vertical. There are some great companies that provide payment verification and prevent payment fraud.

I hope this information helps. As usual, feel free to reach out with questions or comments.

