Recent Insights for Advancing Card Payment Fraud Prevention
Companies face a double-edged sword when it comes to card payment fraud: reducing false positives while preventing actual fraud.
These two problems are intertwined, as merchants must balance the trade-off between protecting their revenue from fraudsters and maximizing their conversion from legitimate customers. The challenge is to find a fraud prevention solution that can accurately distinguish between good and bad orders, without relying on rigid rules or manual reviews that can lead to false positives and customer friction.
In other words, merchants need a solution that can adapt to the dynamic and complex nature of online fraud, while also providing a seamless and positive shopping experience for their customers.
Out with the Old…
Real-time fraud prevention tools are critical for company growth. Under the traditional model, companies use rules-based systems from third parties (often their payment processor), overlaid with their own intelligence, unique knowledge of their customers, and unique risk appetite.
The output is usually a yes/no/review decision, and unless you want to manually review so many orders that it makes the whole thing unviable, you naturally end up declining good orders in the name of keeping out the bad ones. This is the very definition of false positives in the fraud prevention space, and it costs merchants hundreds of billions in lost sales each year, or 75 times more than the cost of actual fraud, according to Forter.
Rules are only as good as the team that sets them and, more importantly, the data they are based on. Individual merchants cannot amass enough data on their own (unless we’re talking about Amazon), so it needs to be supplemented by other data sources to be useful, which can result in a complex web of interfaces.
Are False Positives a Problem?
The one good thing about fraud is that it is measurable. You can calculate your fraud or chargeback ratio and actively take steps to reduce it if needed. However, most merchants don’t know their false-positive rate. The reason is that it’s difficult to measure and requires some out-of-the-box thinking.
For most industries, if any of the following are true, it’s a good rule of thumb you’re probably losing a lot of orders from good customers:
Your fraud screening tool(s) declines more than 1-2% of received transactions.
Your chargeback ratio is very low.
You send most or all your traffic through 3DS (especially for non-UK/EU cardholders).
But how do you then quantify the problem?
One way would be to rely on complaints from legitimate customers who were declined, but this is anecdotal at best. Another would be to review a sample of orders manually, but this would come with another set of problems. It requires costly manual resources who may not actually be delivering the “hard truth” anyway, and consistency across analysts may be difficult to ensure.
The best way, and this is where out-of-the-box thinking comes in, is to run tests with samples of transactions that you “know” to be fraudulent, i.e., let transactions through that you would have otherwise automatically blocked. You will know which were genuine from either a manual review or receipt of a chargeback and can adjust your logic accordingly. You’ll also know how big a problem false positives are for you and what you stand to benefit from if you are able to fix the problem.
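The holdout test described above can be scored as follows. This is an added example, not part of the original article: the class and function names, the constructed 200-order sample and the monthly decline volume of 5,000 are all assumptions. It reports the share of would-be declines that turned out to be good orders, with a 95% confidence interval, and the sales that share represents.

```python
import math
from dataclasses import dataclass

@dataclass
class HoldoutOrder:
    amount: float
    chargeback: bool  # fraud chargeback received within the observation window

def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for a proportion; stable for small samples."""
    if n == 0:
        raise ValueError("empty holdout sample")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def evaluate_holdout(orders, declined_per_month):
    """Estimate what share of automatic declines were actually good orders.

    `orders` must be a random sample of transactions the rules would have
    blocked but that were let through, scored only after the chargeback
    window has closed (chargebacks arrive weeks after the purchase).
    """
    n = len(orders)
    good = [o for o in orders if not o.chargeback]
    bad = [o for o in orders if o.chargeback]
    low, high = wilson_interval(len(good), n)
    avg_good = sum(o.amount for o in good) / len(good) if good else 0.0
    avg_bad = sum(o.amount for o in bad) / len(bad) if bad else 0.0
    share = len(good) / n
    return {
        "false_positive_share": share,
        "ci95": (low, high),
        "lost_sales_per_month": share * declined_per_month * avg_good,
        "lost_sales_low": low * declined_per_month * avg_good,
        "fraud_if_all_accepted": (1 - share) * declined_per_month * avg_bad,
    }

# Constructed sample: 200 released orders, 60 of which drew a chargeback.
SAMPLE = [HoldoutOrder(120.0 if i % 10 < 3 else 80.0, i % 10 < 3)
          for i in range(200)]

if __name__ == "__main__":
    for key, value in evaluate_holdout(SAMPLE, declined_per_month=5000).items():
        print(key, value)
```

Comparing `lost_sales_low` with `fraud_if_all_accepted` shows whether loosening the rule pays for itself even at the pessimistic end of the interval.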
In with the New…
This is where the next generation of fraud tools comes into play. It’s all about the size of the network: these tools use advanced AI and ML to link transaction characteristics they’ve “seen” previously. This is often enriched with data from third-party sources (credit agencies, card schemes, etc.) and with user-behavior data collected by scripts deployed on the merchant's checkout page, which log a multitude of proprietary data points detailing how the payer behaves on the website, what device they are using, etc.
Some fraud companies can “recognize” up to 98-99% of new orders because they have seen something before in their network. This could be the name, email, IP address, shipping address, etc., or a combination of factors. All of this helps to make a decision in milliseconds, which is highly accurate, much more so than the rules-based systems of old, and usually without the need for any manual review, which is appealing as volumes grow. It also means shared threat intelligence from across their ecosystem is much more valuable the larger the network.
The kind of fraud tool required is very merchant-specific. Solutions from leading payment gateway vendors, such as Adyen and Stripe, may be sufficient for many merchants with less complex requirements. However, those with more complex requirements, such as those operating in multiple geographies or requiring bot or account takeover protection, may benefit from dedicated SaaS-based fraud vendors such as Forter, Riskified, or Signifyd.
So, what are some of the key considerations when considering a new fraud solution?
Think about whether you need a generic or specialist solution. Many companies will get by with their payment gateway’s product, so it is a good starting point. If you believe this isn’t working, the above companies will happily work with you on a business case. The key is to ensure it is based on real data such as your auth levels, decline rates, 3DS drop-off, etc. If the business case makes sense, you then need to ensure that those results make their way into reality.
Chargeback Guarantee or Not – if you have a chargeback problem, it may be tempting to go for a guaranteed service, whereby the vendor takes on the risk of any chargebacks resulting from a transaction they accept. While this sounds like an elegant solution, it can result in lower acceptance rates as the vendor is wary of letting through transactions in that “grey” area. It’s important to ensure this comes with a guaranteed acceptance rate that you are comfortable with.
Relevant experience – some fraud vendors work with lots of airlines, some with lots of luxury retailers, and some with lots of hotel chains. Make sure the vendor has a lot of experience in your sector to ensure i) it is at the forefront of fraud threats targeting your sector and ii) you are maximizing the value of its network ecosystem.
How to Handle 3DS Optimization – Most fraud companies will also offer a dynamic 3DS engine that will handle exemptions (for PSD2) and recommend when to challenge and when not to. The use of exemptions is key to reducing friction where possible in the UK/Europe, which maximizes acceptance and reduces drop-off. Moreover, for cardholders outside of Europe, a targeted approach is absolutely necessary to balance acceptance with chargeback protection, but not all vendor solutions are created equal. Some will consider how likely a specific user is to be successful through 3DS or whether specific issuing banks are more or less likely to accept 3DS. It is worth spending some time comparing capabilities in this area, and specific metrics may be contracted to ensure performance.
Protection for account-takeover or non-fraud chargebacks – This area is receiving a lot of focus and investment currently. However, only some of the leading fraud players have solutions for targeting these threats. If these are a particular area of concern, the options are more limited unless you are happy to utilize multiple providers.
Warm-up time – A new vendor will sometimes spend some time in “listening” mode to train the model before you can trust their decisions and rely on contracted metrics. However, this is not always the case. Make sure you have something in place to offer sufficient protection during this time.
Technical integration – As with anything, it’s important to understand whether a new solution will integrate seamlessly with your existing tech stack. If a vendor has a plug-in for your storefront (e.g., Adobe Commerce, Salesforce, etc.) and payment gateway, don’t assume this will be plain sailing. Explore integration early as problems will inevitably arise that could influence the decision.
Conclusion
Fraud prevention is a problem for any online business, and getting it right is all about finding the right balance between preventing actual fraud and minimizing false positives, all while avoiding onerous or costly internal processes.
There are dozens of vendors to choose from, and finding the right mix of product capabilities, technical fit, and commercial outcomes requires considerable effort. However, when done right, it can typically boost top and bottom lines by 10% or more, which, in today’s competitive environment, is an unmissable advantage.