The basics of fraud protection in ecommerce

Vladimir Radchenko
5 min read · Jan 1, 2021

Spoiler — this will be non-technical, business-oriented content.

Fraud is a sore spot for ecommerce. It cannot be eradicated completely, and sometimes a business simply has to accept these losses. At the same time, a cost-effective anti-fraud solution is always being sought. Companies evaluate the efficiency of different products and decide to use one of them or to build something custom, sometimes even to outsource it. The main idea is simply to make the right choice.

Let’s see what ways to fight fraud exist, how to make the right choice, and what it depends on. If you are just starting out in this activity, this guide will be useful.

In general, anti-fraud consists of three parts — people, services and procedures. I’ll go through each of them separately and assemble the big picture at the end.

Services

As I already mentioned, there are three ways:

  1. Developing a new one: a custom solution tailored to your needs
  2. Using the anti-fraud services of your payment provider
  3. Buying a third-party solution

A. Custom solution. This way makes sense for a large business. It is a kind of long-term investment which gives you a competitive advantage over the long run. This approach can save you a lot of resources in the future if your business grows. The management of such companies knows fraud problems quite well, so we will not spend time on that case.

B. Payment provider services. Usually this service comes as an add-on, like the insurance that comes as an associated service when you buy a car. The provider’s anti-fraud is delivered as SaaS, so you will not have to spend a lot of effort on integration. Quite often it works well out of the box but does not have advanced configuration options.

C. Third-party solution. This approach carries the risk of being bound to a specific vendor. Take into account that some critical business processes, like payments, will depend on the third-party anti-fraud solution. This brings a number of issues which need to be carefully considered. For example, compliance: customer data will be shared with a third-party company. You need to know how it will be protected and whether this meets your local laws (GDPR, CCPA, etc.). Also, in most cases you cannot change the SLA, so at the very least pay attention to the contract points about data protection and support levels.

People

Unfortunately, not all processes can be automated. Human work may be necessary for several reasons. For example, a customer cannot pay for an order because the payment system keeps rejecting his attempts. It would be better if he were able to contact the CMS team and resolve the issue. Also, your anti-fraud service will doubt some payments, and someone will have to review them manually. In that case your anti-fraud team will work the same way as a Security Incident Response team in a Security Operations Center (SOC): they should have clear playbooks and a deep understanding of the underlying procedures. Besides, you will face chargebacks and the related losses. No matter how well anti-fraud works, you will get them, so someone has to process them. To raise disputes and provide evidence you have to allocate some human resources.

As a result, you need an anti-fraud specialist in several cases:

  • process chargebacks
  • review suspicious payments
  • help customers with payments
  • find fraud patterns and tune your anti-fraud solution

Guidelines

Procedures and guidelines are always the link between people and tools, and anti-fraud is no exception. Below I provide the workflow for an anti-fraud team in some ecommerce company. I put it here without taking into account the specifics of the business; actually, it’s just a template. But you might include item type, region, payment method, etc.: anything that will decrease your fraud rate and decline rate.

Equip your anti-fraud team with custom guides. These playbooks should make reviewing as simple as possible. The bottom line here is to standardize and reduce the human factor. In addition, provide them with anti-fraud training and encourage them to share knowledge inside the team. At the same time, you have to admit it’s impossible to unify all aspects of the anti-fraud team’s job. Well-prepared guidelines and workflows are great, but let your team think outside the box.

Evaluate your team’s performance regularly. The key metrics here:

Fraud rate — an accurate representation of fraud and disputes for your business, because it shows which actual payments were disputed.

Dispute rate of payments you have approved — the fraud level among approved payments. It’s actually the performance rate of your anti-fraud team. Make sure you carefully review payments before approving them.

Amount of suspicious payments for manual review — think realistically about the capacity of your team. If it is overloaded, people start to make mistakes.
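To make these three metrics concrete, here is an added Python example (not from the original post) that computes them over a constructed batch of payment records. The record layout, the decision labels (`approved`, `declined`, `review`), the sample data and the daily review capacity are assumptions for illustration; the metric definitions follow the descriptions above: the disputed share of all payments, the disputed share of approved payments, and the size of the manual review queue compared with what the team can handle.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Payment:
    """One payment as seen by the anti-fraud team (hypothetical layout)."""
    payment_id: str
    decision: str      # "approved", "declined" or "review" (assumed labels)
    disputed: bool     # a chargeback/dispute was later raised on this payment


def fraud_rate(payments: Sequence[Payment]) -> float:
    """Share of all payments that ended up disputed (the 'fraud rate' above)."""
    if not payments:
        return 0.0
    return sum(1 for p in payments if p.disputed) / len(payments)


def approved_dispute_rate(payments: Sequence[Payment]) -> float:
    """Share of approved payments that were disputed: the team's performance rate."""
    approved = [p for p in payments if p.decision == "approved"]
    if not approved:
        return 0.0
    return sum(1 for p in approved if p.disputed) / len(approved)


def review_queue_size(payments: Sequence[Payment]) -> int:
    """Number of payments waiting for manual review."""
    return sum(1 for p in payments if p.decision == "review")


def review_queue_overloaded(payments: Sequence[Payment], daily_capacity: int) -> bool:
    """True when the review queue exceeds what the team can handle in a day."""
    return review_queue_size(payments) > daily_capacity


def team_report(payments: Sequence[Payment], daily_capacity: int) -> dict:
    """Collect the three metrics into one report for a regular team review."""
    return {
        "fraud_rate": fraud_rate(payments),
        "approved_dispute_rate": approved_dispute_rate(payments),
        "review_queue_size": review_queue_size(payments),
        "review_queue_overloaded": review_queue_overloaded(payments, daily_capacity),
    }


# Constructed sample batch: 16 approved (2 later disputed), 2 declined, 2 in review.
SAMPLE_PAYMENTS = (
    [Payment(f"p{i:02d}", "approved", disputed=False) for i in range(14)]
    + [Payment("p14", "approved", disputed=True), Payment("p15", "approved", disputed=True)]
    + [Payment("p16", "declined", disputed=False), Payment("p17", "declined", disputed=False)]
    + [Payment("p18", "review", disputed=False), Payment("p19", "review", disputed=False)]
)

if __name__ == "__main__":
    for key, value in team_report(SAMPLE_PAYMENTS, daily_capacity=1).items():
        print(f"{key}: {value}")
```

The empty-input guards matter in practice: a freshly launched region or payment method may have no approved payments yet, and a division by zero in a dashboard is the kind of fault that quietly hides a growing queue.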

The big picture

At first glance everything is clear: you evaluate the effectiveness, assess the costs, make decisions and plan the implementation. But in real life all these things are a bit more complicated. For example, quite often you will meet a hybrid implementation: the anti-fraud services are split between the payment provider and internal custom services, suspicious payments are reviewed by some guy in the CMS team, there is no separation of duties, and it is hardly possible to find related documentation because no one keeps records. Unfortunately, this is quite a common case for most companies. I wouldn’t be surprised by huge internal fraud in that mess. In other cases you could see such a poorly implemented anti-fraud system that staff have to review everything manually.

I created a list of the main pitfalls in this field:

  1. Always carefully review the SLA with your payment provider around the anti-fraud subject. You need to have a clear understanding of the responsibility model.
  2. Do pilot projects before implementation. It will save you time and reduce costs while evaluating the system’s capabilities.
  3. Monitor for any anomalies among declined and accepted payments. It will help you find new fraud patterns or identify faults in your anti-fraud system.
  4. There is a simple way to evaluate anti-fraud system performance. Keep it in mind while assessing the costs: a performance ratio of 1.25 and higher can be a reasonable threshold for anti-fraud activities.

And finally, keep in mind that only a consistent approach helps you avoid epic fails and build a really effective anti-fraud solution for your business.
