Mitigating Merchant Fraud and Lowering Risk

Merchant fraud-related losses continue to climb, making it important to have a prevention plan in place. Here are some best practices to help lower your risk.

Key Takeaways

  • Merchant fraud-related losses continue to skyrocket, reaching $50 billion by 2030.
  • Layered security tools provide the best fraud detection and prevention strategy.
  • Technology can lower risk and mitigate fraud.

Merchant fraud refers to any false or illegal transaction initiated by a consumer or a cybercriminal against a seller. Whether it is an unauthorized transaction or a false claim regarding lost merchandise, fraud is estimated to have cost the global market close to $30 billion with a projected cost to reach almost $50 billion by 2030.

As digital purchases have increased over the last two years, so has payment-related crime. According to the Federal Trade Commission, credit card and gift card fraud are the most frequent type of payment fraud. With fewer transactions occurring in person, retailers are expected to lose about $130 billion from card-not-present (CNP) transactions over the next five years.

With financial losses reaching into the billions, merchants need secure online payment processing solutions to minimize their fraud-related losses. Without adequate payment security, businesses run the risk of slower growth as profit margins shrink. While most merchants are aware of chargeback or friendly fraud, they may not be familiar with the fraud associated with gaming. Cybercriminals are exploiting the fast-growing gaming market to acquire skills to apply to other merchant categories.

Secure Online Payment Processing

The 110% annual growth in online orders has merchants working to improve efficiencies and protect their supply chains. As part of their improvement efforts, they should consider how to protect their operations from the most common forms of payment fraud.

Chargeback Fraud

Chargeback fraud costs merchants more than just the purchase price. When the purchaser claims that the item was not received or was damaged, a chargeback is issued against the merchant. The merchant can contest or accept the chargeback. Contesting a chargeback takes time and resources. Depending on the cost of the item, retailers may accept the chargeback rather than incur added costs fighting it.

Friendly Fraud

This type of chargeback fraud happens when a customer requests a refund from the card issuer, claiming the transaction is fraudulent. In most cases, the card issuer simply refunds the money and issues a chargeback to the merchant without seeking verification from the merchant. Friendly fraud may be intentional on the part of the consumer, but accidental by the card issuer. It is estimated that friendly fraud makes up 40% to 80% of fraud losses.

Gaming Fraud

Gaming has an annual growth rate of over 125%, making it one of the fastest-growing online transaction sources. Bad actors are using this rapid growth to exploit weaknesses that can be leveraged into other online markets. Credential stuffing occurs when cybercriminals flood a site with login attempts to verify stolen usernames and passwords. Every verified credential provides cybercriminals access to someone’s account. Using a modified form of credential stuffing enables bad actors to hijack valid consumer accounts beyond the gaming industry.

Another tactic is to send small-dollar transactions through to determine if the information is correct. If the transaction is approved, the hacker knows the payment source is valid. Because gaming transactions are often authorized in real-time, the tactic allows a hacker to take over an account and leverage the information to initiate transactions for larger dollar amounts. Losses from account takeover topped $9 billion in 2019.

Layered Protection

If merchants want to mitigate risk and improve fraud detection and prevention, they need to look to technology. The best cybersecurity protection uses layers of technology. By layering different fraud detection and prevention solutions, companies build a security stack that mitigates risk.

Envision a stack of Swiss cheese slices, where each hole is a security weakness. The first slice is full of holes. When a second slice is placed on top of the first, it blocks some first-slice holes. By adding more slices to the stack, eventually, the holes are blocked. Effective fraud protection builds a technology stack to deliver the most secure payment methods online.

Best Practices to Mitigate Fraud and Reduce Risk

Building effective fraud prevention and detection solutions is costly and outside the wheelhouse of most merchants. Many look to third parties for help; however, not all solutions are created equal. That’s why we’ve put together this best practices list to show how to make secure payments online.

Know the Rules

Accepting card-based transactions means adhering to the Payment Card Industry’s (PCI) Data Security Standard (DSS). The standard is designed to protect cardholder information and includes such requirements as:

  • Encrypting, masking, or truncating cardholder data
  • Deploying anti-virus and other intrusion protection software
  • Ongoing testing of environment
  • Recording all activity

These are just four of the twelve standards that must be met. Implementing the technology to stay in compliance can be overwhelming and costly, but failing to comply can result in fines, penalties, and legal action.

Segpay recommends that merchants be familiar with the applicable PCI standards and ensure their payment processors are fully compliant. These standards form the basis for much of the security surrounding cardholder data, which makes them an essential part of any best practices list.

Send Addresses

Address Verification Service (AVS) has been around for some time. It examines the billing address associated with a card. Whether it is a complete physical address or a zip code, the information is included in a transaction request. When received, the card issuer compares the data in the authorization request with what is on file. If the two do not match, the transaction is declined.

AVS forms part of a security stack, but it is far from foolproof. Bad actors may have the cardholder’s billing address depending on how they acquired the card number. At the same time, the cardholder could make an error when entering the address. Segpay suggests using AVS as a simple method to check for possible fraud. Merchants cannot enforce AVS, but they can provide the information, shifting more of the responsibility to the card issuer should they decide not to check.

Supply CVV Numbers

Whether it is called CVV or CSC, these values provide another layer of security checking. Most people are familiar with the CVV2, which appears on the back of a card (or front on American Express cards). When it appears in a transaction request, the authorizer assumes the card is present at the time of the transaction. Given the rise in card-not-present (CNP) fraud, we recommend asking consumers to provide their CVV2.

Look for Buying Sprees

Velocity refers to the number of times a card is used during a given period. Most consumers do not initiate multiple transactions for big-ticket items in quick succession. Cybercriminals do. Bad actors may steal a batch of card numbers and sell them to other cybercriminals who use them to perform unauthorized transactions. Their first action is to test the card to see if it is valid. Once they locate a valid card, they move to empty the account or reach the credit limit as quickly as possible.

Velocity checks should look at the card number, the number of transactions using that card number, and the time frame in which the transactions occurred. Odds are that a sudden influx of transactions from the same card indicates a stolen card, especially if the purchases are for big-ticket items. Setting velocity limits is a way to flag transactions for further review; however, they should be set to coincide with your typical customer behavior.

Segpay recommends implementing a velocity check tool to add to the security requirements of electronic payment systems. Identifying consumer behavior patterns can reduce the number of fraudulent transactions resulting in chargebacks.
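
A velocity check along the lines described above, as an added example (not Segpay's code): it keys on a card token, counts transactions and total spend inside a sliding window, and also flags the small-dollar test followed by a big-ticket purchase described under Gaming Fraud. The class name, token strings, thresholds and sample transactions are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class VelocityChecker:
    """Sliding-window velocity check keyed on a card token, never the raw card number."""

    def __init__(self, window=timedelta(minutes=10), max_count=3,
                 max_total=500.00, probe_max=2.00, big_ticket=200.00):
        # All thresholds are illustrative; tune them to typical customer behavior.
        self.window, self.max_count, self.max_total = window, max_count, max_total
        self.probe_max, self.big_ticket = probe_max, big_ticket
        self._seen = defaultdict(deque)   # token -> deque of (timestamp, amount)

    def check(self, token, amount, ts):
        """Record the transaction and return the list of rules it tripped."""
        recent = self._seen[token]
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()              # drop transactions outside the window
        flags = []
        if len(recent) + 1 > self.max_count:
            flags.append("count")
        if sum(a for _, a in recent) + amount > self.max_total:
            flags.append("amount")
        # Small-dollar test followed by a big-ticket purchase on the same card.
        if amount >= self.big_ticket and any(a <= self.probe_max for _, a in recent):
            flags.append("probe_then_big_ticket")
        recent.append((ts, amount))
        return flags

def run_sample():
    """Constructed sample data: one ordinary customer (tok_A), one card being drained (tok_B)."""
    t = datetime(2024, 1, 6, 12, 0, 0)
    sample = [
        ("tok_A", 45.00, t),
        ("tok_B", 1.00, t + timedelta(seconds=5)),
        ("tok_B", 899.00, t + timedelta(minutes=1)),
        ("tok_B", 650.00, t + timedelta(minutes=2)),
        ("tok_B", 700.00, t + timedelta(minutes=3)),
        ("tok_A", 60.00, t + timedelta(minutes=30)),
    ]
    checker = VelocityChecker()
    return [(tok, amt, checker.check(tok, amt, ts)) for tok, amt, ts in sample]

if __name__ == "__main__":
    for tok, amt, flags in run_sample():
        print(f"{tok} {amt:>8.2f} -> {'REVIEW ' + ','.join(flags) if flags else 'ok'}")
```

Flagged transactions are candidates for further review rather than automatic declines, in line with the guidance above.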

Know Your Lists

In the transaction processing world, there are two types of lists — blacklists and whitelists. Each has a specific role to play in reducing fraud. These lists are really databases that contain information that automatically denies or approves a transaction. Blacklisting blocks traffic from specific sources.

Merchants can create their own blacklists, or they can use external lists. Sometimes retailers will combine lists. Blacklists are databases that contain information to block traffic from specific users or locations. For example, transactions coming from high-risk countries can be blocked as can specific card numbers.

Alternatively, whitelisting identifies valid sources for transaction processing. For example, a merchant that only sells in the United Kingdom and the United States can place the countries on a whitelist to limit transactions to only those coming from the two locations.

Using these lists adds another layer to the fraud prevention stack; however, they are far from perfect. We recommend working with payment processors to identify the best way to implement the lists to decrease suspicious traffic without impacting legitimate transactions.

Enable 3-D Secure

3-D Secure authenticates cardholder information in real-time using multiple data points contained in a transaction request. The original 3DS created user obstacles that led to cart abandonment and merchant frustrations. Later versions of the 3DS process simplified the consumer process.

The European Union has mandated the use of strong customer authentication (SCA) such as multi-factor authentication (MFA) and 3DS 2.0. Where appropriate, merchants must enroll in a 3DS program to increase fraud protection on EU-based transactions. Although it is not mandated outside the EU, 3DS is likely to become more widespread as it addresses the overlap between the issuer and acquirer in reducing fraud.

Segpay recommends implementing 3DS on some if not all cards. Card brands such as VISA, MasterCard, and American Express have their versions of 3DS, so it is possible to activate the process on a per-card basis.

Apply Strong Customer Authentication (SCA)

SCA is also known as multi-factor authentication (MFA). It is a method of user identification that goes beyond a username and password. The technology requires two of the following elements for authentication:

  • Something you know such as a password or PIN.
  • Something you have such as a smartphone or a computer. 
  • Something that is uniquely you such as a fingerprint or voice recognition. 

Merchants can require customers to create an account that requires a password. They then require a security code that is sent in a text message or email. The passcode is entered and authenticated before the customer can make a purchase. Alternatively, the second verification item could be a fingerprint.

The assumption is that someone may have your password, but they won’t have your phone, or they can’t mimic your voice. Adding a layer of security makes it harder for criminals to hijack accounts. For those merchants who are not using 3DS, we recommend using multi-factor authentication to protect against unauthorized transactions.

Locate the Cardholder

Geolocation refers to technology that uses GPS or IP data to pinpoint where a transaction originates. Suppose a consumer with a home address in Seattle initiates a transaction in Peru for an unusually high-ticket item. With geolocation technology in your security stack, the transaction should raise a red flag.

Yes, the cardholder could be traveling, but other security tools can help minimize false positives. For example, the Seattle cardholder purchases a cup of coffee just before the Peru transaction is sent.

Increasing the size of your security stack helps mitigate risk. That’s why geolocation technologies can form a part of comprehensive security solutions.

Understand Fraud Scoring

Think of fraud scoring as consumer credit scores for transactions. When a transaction is received, a fraud scoring tool assesses such factors as transaction amount, address, merchant category, order history, zip code, and IP address. The tool then assigns a rating to the transaction. The higher the score, the higher the risk.

The factors used in calculating a fraud score and the weight attached to each factor depend on the algorithms used in the software. These rules should be dynamic and based on the amount of risk you are willing to take. Fraud scoring can serve as a real-time evaluation of the risk associated with a transaction. When a transaction is deemed questionable by other tools, fraud scoring can provide a simple yes, no, or maybe response. Maybe scores could be forwarded for further examination.

Segpay recommends fraud scoring as a way to evaluate a significant number of data points quickly and provide an easy-to-follow risk score. Fraud scoring is only as good as the data it uses. The more tools a merchant uses, the more data is collected and available for analysis.
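
The scoring idea above, as an added example (not Segpay's or any vendor's algorithm): signals from the other layers (AVS, CVV, geolocation, velocity) are weighted into one score, and two thresholds map it to yes, maybe, or no. The weights, thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
# Weights and thresholds below are illustrative assumptions, not any vendor's values.
WEIGHTS = {"avs_mismatch": 25, "cvv_mismatch": 30, "geo_mismatch": 20,
           "velocity_flag": 15, "amount_outlier": 10}

def fraud_score(txn, weights=WEIGHTS):
    """Return (score capped at 100, {factor: points}) for one transaction."""
    points = {}
    if not txn["avs_match"]:
        points["avs_mismatch"] = weights["avs_mismatch"]
    if not txn["cvv_match"]:
        points["cvv_mismatch"] = weights["cvv_mismatch"]
    if txn["ip_country"] != txn["billing_country"]:
        points["geo_mismatch"] = weights["geo_mismatch"]
    if txn["velocity_flags"]:             # number of velocity rules tripped
        points["velocity_flag"] = weights["velocity_flag"] * txn["velocity_flags"]
    if txn["amount"] > 3 * txn["typical_amount"]:
        points["amount_outlier"] = weights["amount_outlier"]
    return min(100, sum(points.values())), points

def decide(score, review_at=30, decline_at=60):
    """Map a score to yes (approve), maybe (manual review) or no (decline)."""
    if score >= decline_at:
        return "no"
    return "maybe" if score >= review_at else "yes"

def _txn(**overrides):
    base = dict(avs_match=True, cvv_match=True, ip_country="US",
                billing_country="US", velocity_flags=0,
                amount=40.0, typical_amount=50.0)
    return {**base, **overrides}

# Constructed sample transactions.
SAMPLES = {
    "regular": _txn(),
    # Seattle cardholder buying in Peru: AVS and CVV pass, so only review.
    "traveler": _txn(ip_country="PE", amount=900.0),
    "stolen": _txn(avs_match=False, cvv_match=False, ip_country="PE",
                   velocity_flags=2, amount=900.0),
}

def run_samples(**thresholds):
    """Decide every sample; pass review_at/decline_at to model risk appetite."""
    return {n: decide(fraud_score(t)[0], **thresholds) for n, t in SAMPLES.items()}

if __name__ == "__main__":
    for name, t in SAMPLES.items():
        score, why = fraud_score(t)
        print(f"{name:9} score={score:3} decision={decide(score)} factors={why}")
```

Raising `review_at` models a merchant willing to accept more risk: the traveler then moves from maybe to yes while the stolen-card case is still declined.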

Use Artificial Intelligence

Artificial intelligence (AI) uses data and experience to assess possible fraud. Whether it is the output from another security tool or direct analysis of data, machine learning solutions apply algorithms to the information to produce real-time insights. They can be configured to respond to the results or forward the transaction for manual review.

AI is continuously evaluating its responses and adjusting its decision tree based on new data. The result is a self-learning tool. Part of its capability comes from the massive amounts of data that can be processed quickly. Let’s go back to the Seattle customer’s coffee buying habit. The consumer purchases the same latte every Monday through Thursday but has an iced coffee every Friday with no purchases on Saturday and Sunday.

Suddenly, the customer makes a large purchase at a store near the coffee shop on a Saturday afternoon. With AI, the technology realizes that the transaction is outside the customer’s normal patterns and denies the transaction. How long would it take for a person to realize that the pattern even existed?

Using other detection tools, the transaction might be authorized because it originated in the same zip code as the typical coffee purchases, without recognizing that the consumer only buys Monday through Friday. This example illustrates the importance of layered security solutions.

Want to learn more about mitigating risk and lowering fraud?

Whether it is deciding on credit card encryption best practices or how to configure velocity checks, the expert team at Segpay can help you design a security stack that delivers the best fraud prevention and detection for your business. Get in touch to begin deploying the best practices to mitigate fraud and lower risk for your business.
