Search results:

November 21, 2016

How can I prevent credit card fraud for my ecommerce business?

How can I prevent credit card fraud for my ecommerce business?

TL;DR: If you have a high-risk business, you need a dedicated system to spot payments that are at risk of getting lost. Often, you also need to verify some payments manually and get in touch with clients to verify their identity. Fraud prevention systems from your bank, your payment service provider, and dedicated SaaS companies can help you do just that.

The longer answer is outlined as follows. First, it is important to know the level of risk your business faces. You have five distinct approaches to fraud prevention; depending on your level of risk, you may be able to just use one. Assuming that you need a dedicated system, we’ll talk about what comes next. Finally, we’ll talk about what happens when you discover fraud.

1. Your level of risk

The level of risk your business faces depends on a few things:

  1. The geography of your business:
  2. Are you located in the United States or in the EU?
  3. Do you ship locally, nationally, and/or internationally?
  4. Your product catalog:
  5. Do you sell airline tickets or high-tech, sportswear, or luxury items?
  6. Is your average basket price under $20, between $20 and $200, or above $200?
  7. Your platform:
  8. Do you use standard e-commerce software such as woocommerce, magento, or prestashop, or do you use pay-as-you-go cloud-hosted solutions?
  9. What software versions do you have?
  10. Your business’s situation:
  11. Can you afford to review some of the payments manually?
  12. How fast do you ship (within 1 or 2 hours or within a week or more)?
  13. How big is your e-commerce business (micro, small, or large)?

2. Five approaches to preventing payment fraud

There are essentially five ways to prevent credit card fraud.

  1. Do nothing! You might choose this approach if you are just starting your business or if you are not exposed to fraud because you are selling products that have no “resell-ability,” like spare parts from a 1988 Ford Fiesta.
  2. You use 3DSecure (Visa), SecureCode (MasterCard) or SafeKey (AmericanExpress). These services provide insurance that protects your business against payment fraud. However, because these are forms of insurance, there are rules defining what’s allowed and what’s not allowed. Most of the time you will be eligible, but even though you are insured, you might still have to prevent fraud! That's because you can get excluded of the insurance if your fraud rate is too high. Online travel agents (OTAs), which operate very risky businesses (i.e., they have small payoffs and huge risks), need fraud systems on top of this insurance. See your bank or payment service provider to activate it.
  3. Do it yourself (DIY). This is pretty handy when you need to get started and react quickly. You just need to know how to program your payment flow, but programming yourself the rules to prevent fraud doesn’t scale. Your expertise will limit you now and further down the road. Managing rules may become a pain, especially if the person who creates the rules leaves your company so you are left figuring out what all the gibberish means.
  4. Use a legacy system. Many commercial banks and payment service providers offer these systems. If you have basic needs, these systems are conceptually simple and pretty good to start with. If you simply want to open a business in your country for people who have cards issued in your country, this option is ok!
  5. Use dedicated systems. There are quite a few options for these systems:
  6. Big e-merchants often prefer "brands", so they use Visa CyberSource, Accertify from American Express, SAP, Palantir Tech, Threat Metrix, FICO, etc.
  7. Some payment service providers typically propose add-ons to prevent fraud. However, you may be limited by these add-ons, and the indirect cost of a badly managed fraud system can become significant over time.
  8. Finally, you can choose from a range of start-ups (mostly from the Valley but also from Israel, the UK, France, etc.). This is the best choice when you want innovation, specific expertise in a domain, automation, or price competitiveness.

3. Determining which approach fits your e-commerce style

Your business context can help you determine whether you have a low-, medium-, or high-risk business and thus what approach you should choose.

  1. If your business is low risk (or you are just starting out), you might choose options 1 or 2.
  2. If you have a medium-risk business, you might consider options 2, 4, or 5. There are pros and cons for each, particularly in terms of conversion.
  3. If your business is high risk, you should definitely choose option 5 and a fully dedicated fraud prevention system.

4. What comes next when you need a dedicated system (option 5)

At this point, it’s essential to know how many payments you can review manually (5–10% is common, but that depends on your business). Because of your limited reviewing capacity, you need to prioritize payments that carry the highest risk while automatically accepting the rest. For this, you use the filtering mechanisms within your fraud prevention system (e.g., rule-based or machine learning-based). Every day, you will have a series of payments to review.

Still, you won’t always know whether to accept a payment. You may have to reach out to the customer for further verification. The way in which you do this depends on where you are located, on the forms of ID you can request, on your type of business, etc.

Parts of this payment verification process are very simple, such as managing CRM. You can figure them out yourself. Others are very advanced, so they demand expertise, particularly in digital forensics. Typically, it’s important to have some expert reviewers available.

5. You shipped the goods and…

Banks generally only notify you of fraud cases four weeks after the payment date (on average, but this can be as long as six months). A lot of time passes between when you ship and when the money is withdrawn from your e-commerce bank account. It can get even worse if additional fraud has occurred and you did not spot it in time.

The typical next step is to react to fraud cases (or failed fraud attempts) by finding their common denominator. You can make some rules to prevent additional fraud of that type. This means that fraudsters tend to have an edge over you because you are always too late, unless you fundamentally change the way in which you prevent fraud, which is what some start-ups are doing.

I hope this information helps. As usual, feel free to reach out with questions or comments.

Fabrice | Book