Card-Not-Present Fraud Prevention Checklist for E-Commerce Businesses

Fraud is on the rise for card-not-present transactions, which especially impacts e-commerce companies. Here's a checklist to prevent fraud and save your business time, money and hassle.

This year’s e-commerce fraud forecast is familiar to anyone who’s been in the business for a while. Card-not-present (CNP) fraud rates are still rising, and fraudsters are getting more creative and efficient in their fraud attempts. While the theme isn’t new, there are some new trends in fraud prevention that not all merchants may be familiar with. 
In this article, I’ll go over the three primary trends that I think merchants can use to fight fraud better now or in the near future. Because the most effective fraud prevention plans are layered, we’ll also review current best practices for spotting fraud at the order-approval stage and beyond. This will give you a checklist to show where your program is on track, where it needs updating and where it may go next.


The rise of card-not-present fraud

The number of fraud attempts against US retailers tripled from 2017 to 2019, according to the most recent LexisNexis True Cost of Fraud report. Fraud is also costing merchants more than in previous years. Every dollar of fraud cost merchants an average of $3.13 in 2019, which is 6.5% higher than the year before.

LexisNexis found that some of the trends driving the increase in fraud are things that can generate more good orders, too, like more mobile shopping and more cross-border purchases. However, fraudsters are also getting more savvy about taking over existing customer accounts and inventing new customer identities using stolen data. They also continue to use botnets to launch fraud attempts at scale.

Because organized fraud rings keep innovating, merchants and fraud protection providers must evolve, too. What worked last year, or the year before, may no longer protect your business properly. Let’s look at the basic best practices for fraud prevention now, and the trends that may improve them.

Are your basic best practices up to date?

Verifying customer information, card numbers and CVVs, and any history of fraud associated with that data can flag the most obvious attempts at fraud. Rules-based fraud scoring programs typically check these items and many other factors to rate the likelihood that an order is fraudulent.

A limit on the number of times a customer can try to enter matching card and CVV numbers is a basic safeguard against card testing, which thieves use to guess the CVVs that go with stolen card numbers so they can go on buying sprees.

There are other basic fraud prevention tools that some retailers haven’t adopted yet. For example, LexisNexis found that fewer than 40% of mid-to-large merchants selling digital goods used geolocation to screen orders in 2019, even though those retailers experienced a higher than average number of fraud attempts.

Geolocation helps counter the rise in mobile fraud by comparing the customer’s stated location and delivery location to their actual location at the time of the purchase. An order placed by a customer who lives in Kansas but comes from a device on the other side of the world can be a fraud flag, especially if that customer has never ordered from overseas before. 

Device fingerprinting is another fraud prevention tool that can identify orders that look valid, but which come from an unfamiliar device. It does this by capturing technical details about the device the order comes from—things like the size of the screen, the device’s operating system, and other sites the browser has visited. Comparing the current device fingerprint to the customer’s device fingerprint history can spot possible fraud. Fingerprinting has been available for years, but 70% of merchants don’t include it in their fraud-prevention toolbox.

Manual reviewis another best practice that not all merchants use but excluding it can be costly. Rules-based fraud-screening programs can be set to automatically reject all orders that have fraud flags. Some merchants use this approach because it’s simple and appears to be cost-effective.

But false declines—tossing out good orders from legitimate customers—cost merchants more than fraud. Aite Group predicts that false declines will cost merchants $443 billion by 2021, compared to $6.4 billion in completed fraud. Manual review of flagged orders, in-house or outsourced, can reduce false declines, keep good customers coming back and, of course, prevent fraud.

Shipping fraud controls can help reduce cases of sophisticated fraud that get past fraud filters at the order stage. One simple method is to require rescreening of any order that a customer asks to reroute after it’s been approved.

Layering these basic fraud tools can help cut down on fraud and reduce false declines. But fraudsters will always look for workarounds, and technology can help close the gaps they seek to exploit.

Are you using hybrid scoring yet?

Even though machine learning and AI are available to help merchants detect fraud now, many organizations don’t use these tools yet. Only 13% of the companies surveyed in 2019 by SAS and the Association of Certified Fraud Examiners use AI and ML for any type of fraud detection. And lots of merchants rely strictly on rules-based systems that automate approvals and rejections.

That means many merchants are missing out on the power of hybrid scoring. Combining machine learning and rules-based fraud prevention systems creates a hybrid tool that can be more effective at spotting fraud than either option on its own. That’s because rules-based fraud screening systems provide a solid foundation for assessing risk, while AI can learn to identify subtle indicators of sophisticated fraud—and of good customers who might be flagged by a rules-based system.

For example, a wealthy customer who orders while they’re on vacation abroad and has the purchases sent to their hotel looks to a rules-based system like someone ordering with a stolen card. A hybrid scoring system learns the difference, so your good customer gets approved and your manual review team saves time.

How much do you know about behavioral analytics in fraud prevention?

Each of us has our own way of doing things. That fact means that fraud-prevention algorithms can learn to identify us by our behavior—and spot impostors. The way a customer types at their desktop, taps on their smartphone and navigates a website can help machine learning tools build a normal user behavior profile to compare to new site visits and orders.

For example, if a shopper who normally swipes lightly on her phone screen and uses the search bar to find products in your store suddenly starts browsing your category menus, tapping the phone screen hard and ordering products they’ve never been interested in before, that can be a flag for potential account takeover fraud or stolen card data.

Behavioral analytics technology is relatively new, so it’s not in wide use for fraud detection yet. But it’s something to keep on your list of tools to watch for and adopt when you can.

Are you monitoring developments in ensemble modeling?

Organized fraudsters are hard to stop because they’re organized. They share information about fraud methods, vulnerable merchants and sources of stolen data to exploit. In other words, they work together to leverage their knowledge. 
Fraud teams working for different merchants and service providers can do the same thing to get better at stopping fraud. Of course, each team will have its own way of scoring orders, and it can be hard to compare them in a way that shows which is the best. That’s because each merchant will have its own vertical, market and customer behaviors to factor into its scores.

With a data analysis technique called ensemble modeling, merchants and fraud teams can combine the results from several fraud score programs to deliver one score. That score is very precise, because it’s based on the strengths of all the programs that contribute data. If the fraud prevention and retail industries can collaborate in this area, ensemble modeling has the potential to improve fraud detection for merchants worldwide—and to continue improving as individual teams come up with new and better ways to score their orders.

If you’re addressing all the items on this checklist, you’re in a good position to keep your fraud and false declines rates low. If not, this list can show you where you need to strengthen your fraud detection and prevention practices so your business can reduce fraud costs, avoid declining good customers and make your store a less tempting target for fraudsters.

Original article at: