The best fraud prevention strategies for your eCommerce store
Anyone who owns and operates an eCommerce site knows that developing a website and delivering a positive and seamless checkout experience is anything but simple. In fact, it takes a lot of effort behind the scenes to put a successful eCommerce operation together. Not to mention the amount of thought, resources, and preparation that go into creating the product or service you’re offering online in the first place.
Your eCommerce site might be your pet project, your breakthrough moment, or your livelihood. Whatever your site is to you, you certainly didn’t intend it to be a source of income for fraudsters and cybercriminals. And yet, selling online automatically makes you a target for fraud.
Fraud continues to be a major problem for U.S. merchants, particularly online, since EMV chip card technology has been largely successful at curbing fraud in-store. Making in-store fraud more difficult has prompted a surge in online fraud attacks where EMV can’t offer protection.
In March 2017, Experian data showed a 33 percent increase in eCommerce fraud in the U.S. following the adoption of EMV for in-store purchases. That was mostly expected by industry experts since other countries saw a similar surge in online fraud after adopting EMV.
So, what does an increase in online fraud look like in terms of dollars? Data from eMarketer and LexisNexis projected a $6.7 billion loss to fraud in the U.S. in 2016. If you already operate an eCommerce business, you know how deeply a 33 percent increase in fraud would hurt your business.
However, another more surprising impact of fraud is the financial loss associated with declining legitimate transactions for fear of fraud. Riskified estimates that nearly $118 billion in revenue was missed due to false declines for fraud, while the actual loss only amounted to $9 billion that same year. A Javelin study similarly found that 15 percent of cardholders experienced a false decline when attempting to make a legitimate purchase.
Finding the perfect anti-fraud solution involves balancing the very real risk of online fraud with the financial cost of turning good business away. In fact, one of the most important areas of consideration for a successful eCommerce store is your fraud and chargeback mitigation strategy.
To reduce the multi-faceted problem of fraud and the resulting chargebacks associated with eCommerce, it’s important to leverage reputable anti-fraud solutions. Some of these anti-fraud measures are inexpensive and easy to implement, whereas others are more robust and costly. Which solutions you need depends in part on the size and volume of your business.
Follow along for more information about important technologies and policies that can help define the line between avoiding real fraud and declining legitimate transactions.
Warning signs of fraud
Cybercriminals are drawn to eCommerce sites the way Cookie Monster is drawn to cookies. If you bake them, he’s sure to come. But how can you spot fraudsters and prevent them from taking a bite out of your profits?
The rapid pace of technology development and the hacks that inevitably follow make it challenging to stay ahead of fraud. But there are a lot of warning signs and best practices that can filter out a large portion of fraud before it occurs.
It’s a good idea to familiarize yourself with the most common fraud schemes like “card testing” to check for available funds and “man-in-the-middle” scams. And always watch out for suspicious behavior and follow up with the cardholder and/or card issuer if something feels off.
Here are some examples of suspicious behaviors indicating potential fraud:
- The shipping address differs from the billing address
- Multiple orders of the same item
- Unusually large orders with next day shipping
- Multiple orders to the same address with different cards
- Unexpected international orders
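The cross-order warning signs above can be checked mechanically over an order feed. The following is an added example, not code from the original article: the field names, the 24-hour window, the address normalization, and the choice to group repeat items by shipping address are all assumptions, and the orders are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders. "card" is a processor token, never a card number.
ORDERS = [
    {"id": "1001", "ts": "2024-05-01T10:00:00", "card": "tok_a", "sku": "CAM-1",
     "country": "US", "ship_to": "12 Elm St, Ames IA 50010"},
    {"id": "1002", "ts": "2024-05-01T10:20:00", "card": "tok_b", "sku": "CAM-1",
     "country": "US", "ship_to": "12 ELM ST,  Ames IA 50010"},
    {"id": "1003", "ts": "2024-05-01T11:00:00", "card": "tok_c", "sku": "TV-9",
     "country": "US", "ship_to": "77 Oak Ave, Des Moines IA 50309"},
    {"id": "1004", "ts": "2024-05-03T09:00:00", "card": "tok_a", "sku": "CAM-1",
     "country": "US", "ship_to": "12 Elm St, Ames IA 50010"},
    {"id": "1005", "ts": "2024-05-03T09:30:00", "card": "tok_d", "sku": "TV-9",
     "country": "FR", "ship_to": "5 Rue Exemple, Lyon"},
]

def normalize(addr):
    """Collapse case, commas and spacing so trivially varied addresses compare equal."""
    return " ".join(addr.lower().replace(",", " ").split())

def flag_orders(orders, window=timedelta(hours=24), home_countries=("US",)):
    """Return {order_id: [reasons]}; only the later order of a suspicious pair is flagged."""
    flags = defaultdict(list)
    seen = defaultdict(list)  # normalized address -> [(time, card, sku)]
    for o in sorted(orders, key=lambda o: o["ts"]):
        ts = datetime.fromisoformat(o["ts"])
        if o["country"] not in home_countries:
            flags[o["id"]].append("unexpected international order")
        key = normalize(o["ship_to"])
        # Earlier orders to the same address that fall inside the look-back window.
        recent = [p for p in seen[key] if ts - p[0] <= window]
        if any(card != o["card"] for _, card, _ in recent):
            flags[o["id"]].append("same address, different card")
        if any(sku == o["sku"] for _, _, sku in recent):
            flags[o["id"]].append("repeat order of the same item")
        seen[key].append((ts, o["card"], o["sku"]))
    return dict(flags)
```

A flag here is a prompt to follow up with the cardholder or issuer, not a decline: order 1004 repeats an earlier address and item but falls outside the window, so it passes untouched.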
Card security codes
Part of the reason why card-not-present transactions carry additional risk of fraud compared with card-present transactions is that it’s more difficult to verify a cardholder’s identity when you can’t observe their behavior, authenticate their signature, or inspect the card itself.
To help ensure that a customer initiating a transaction is in possession of the card, the card brands instituted an additional security feature to cards: the three-digit code on the back of the card (American Express uses a four-digit code on the front of the card) referred to as the CVV2 or CVC2 (Card Verification Value/Code), CMID (Card Member ID), or the CID (Card Identification Number) depending on the card brand.
The code is only found on the physical card itself and is not stored on the magnetic stripe with other cardholder data. This makes it impossible to reproduce on counterfeit cards that are created by capturing cardholder data via skimming.
Submitting the card verification code with the transaction request significantly reduces the likelihood of fraud and qualifies the transaction for a lower interchange rate.
Two things to note about card security codes:
- Not all payment processors support these security codes. Be sure to ask about it when choosing your payment processor since failing to use them could result in a higher volume of chargebacks and higher interchange rates.
- If the card issuer doesn’t support card security codes (uncommon, but possible), the issuer loses chargeback rights for card-not-present (CNP) sales.
Address Verification Service
Address verification service (AVS) automatically confirms that the billing address used by the customer when making a purchase matches the billing address on file with the card issuer. It helps minimize fraud by allowing the merchant to decide whether to accept a transaction, reject it, or follow up with the customer for more information.
AVS works by including two additional pieces of information in the authorization request: the numeric house or apartment number of the cardholder’s address and their ZIP code. The payment processor submits the information with the transaction request and returns an AVS code.
A partial match indicates that some information matches the cardholder record, but not all. This could mean the ZIP code is the same, but the street address is off, or vice versa. A partial match could indicate fraud, but it could also just mean that the cardholder has moved without alerting the bank, or that the item is a gift or is being sent to a vacation home not listed with the card issuer, or any other plausible scenario.
It’s best to set parameters for partial matches to trigger a manual follow-up. You may choose to accept partial matches for certain low-risk transactions. However, it’s a good idea to put orders in an AVS hold report for follow-up if the following applies:
- Multiple units of the same item
- Larger than usual orders
- Expedited shipping
- Orders shipped to a different location than the billing address
A “no match” AVS response doesn’t automatically decline the transaction, but it’s a good idea to manually follow up on those transactions since they have such a high incidence of fraud.
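The AVS handling described in this section can be written down as an explicit triage policy. This is an added example, not code from the original article or any processor: the four single-letter result codes are widely used ones and your processor's table is authoritative, while the `large_factor` threshold, accepting a full match on AVS grounds, and holding unrecognised results are assumptions.

```python
from dataclasses import dataclass

# Widely used single-letter AVS results. Assumption: your processor's response
# table is authoritative and may define more codes than these four.
AVS_CLASS = {"Y": "match", "A": "partial", "Z": "partial", "N": "no_match"}

@dataclass
class Order:
    avs_code: str
    max_qty_per_item: int   # largest quantity of any single item in the order
    total: float
    expedited: bool
    ship_to_differs: bool   # shipping address differs from billing address

def risk_reasons(order, typical_total, large_factor=3.0):
    """The four hold criteria listed above; large_factor is an assumed threshold."""
    reasons = []
    if order.max_qty_per_item > 1:
        reasons.append("multiple units of the same item")
    if order.total > large_factor * typical_total:
        reasons.append("larger than usual order")
    if order.expedited:
        reasons.append("expedited shipping")
    if order.ship_to_differs:
        reasons.append("ships to a non-billing address")
    return reasons

def triage(order, typical_total):
    """Return (decision, reasons); decision is 'accept' or 'hold' (manual follow-up)."""
    avs = AVS_CLASS.get(order.avs_code.strip().upper(), "unknown")
    if avs == "match":
        return "accept", []
    if avs == "no_match":
        # Not an automatic decline: route to the AVS hold report for follow-up.
        return "hold", ["AVS no match"]
    if avs == "unknown":
        # Assumption: an unavailable or unrecognised result is reviewed, not trusted.
        return "hold", ["AVS result unavailable or unrecognised"]
    # Partial match: accept low-risk orders, hold when any criterion applies.
    reasons = risk_reasons(order, typical_total)
    return ("hold", ["AVS partial match"] + reasons) if reasons else ("accept", [])
```

Neither outcome is a decline, which keeps the false-decline cost discussed earlier out of the automated path; held orders go to a person.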
IP geolocation and proxy piercing
One method fraudsters use to beat fraud screening is to hide the precise origin of a transaction by routing their traffic through an IP proxy or virtual private network (VPN). This way, a fraud ring based in Ukraine can pose as customers in Iowa to reduce suspicion of their online purchasing.
Proxy piercing and geolocation help nail down a customer’s (or fraudster’s) IP address and server, exposing the true location of each transaction.
Device profiling technology tracks the unique fingerprint of each device submitting transaction requests on your site. It gathers multiple device attributes from user interactions to create legitimate buying patterns that abnormal attributes can be scored against.
Device fingerprinting can alert you if a device that is particularly vulnerable to malware and viruses is being used to make the transaction so you can take additional steps to verify the transaction before accepting it. To go one step further, it can also alert you if that particular device has been used to commit fraud.
There are a variety of fraud scoring tools available on the market for eCommerce merchants, each offering different capabilities. But the overall concept is the same: the tools access a database of billions of transactions compiled from thousands of financial institutions to create predictive models about fraud patterns. Then, each transaction request is placed within that context to provide a fraud probability score.
Fraud scoring can identify abnormal spending behaviors when they deviate from the normal card usage. And it can help spot problematic cards in real-time so fraudsters can’t strike again with the same counterfeit card.
The data can be manipulated to account for particular industries, card types, transaction types, geographic locations, and more. Fraud scoring tools often use a combination of intelligent software, data engines, and teams of people to analyze and manipulate the data.
When predictive models are created by fraud experts, they are flexible and subject to change as new tactics and threats arise. This level of human interaction combined with massive data engines gives your fraud scoring an edge that can’t be replicated by any other fraud solutions to date.
One of the greatest advantages of fraud scoring is the impact it can have on eliminating false positives so eCommerce merchants don’t decline an excessive number of legitimate transactions, which can be as damaging to the bottom line as chargebacks.
Picking the right solutions
So, which solution is right for you? It depends. How much fraud are you experiencing and what percentage of your overall sales does it account for? Only you can answer these questions. But we can make some generalizations to help point you in the right direction.
First of all, it’s a good idea to utilize the fraud solutions already available to you through your existing relationships with vendors like your payment processor, shopping cart provider, and/or marketplace host. One of those vendors is likely going to provide the basics like card security codes and AVS. And it’s free to learn about the fraud warning signs for eCommerce and implement good policies for employees to follow.
Other more aggressive solutions like geolocation and fraud scoring are less likely to be standard options from your vendors, if they offer them at all. If you’re experiencing a high volume of fraud and have money to invest in more robust solutions, you may need to consider switching to a different processor or platform that offers the solutions you need. In some cases, fraud scoring may be purchased separately as a stand-alone, third-party service.
We offer a variety of fraud solutions for a variety of business types and industries, including eCommerce operations, both large and small. Our payments experts can help you identify the type of fraud solutions that would be a good fit for your business, and we’re happy to talk you through it, anytime.