As online merchants catch their breath from what looks like a very strong holiday shopping season, and we all ease back into more normal sales volumes, the ongoing fight against card not present (CNP) fraud continues.
Since fraudulent orders which get approved can cut deeply into profits due to chargeback fees, refunds, and merchandise replacement, many e-tailers resort to unnecessarily strict fraud filters and policies. This cure can be just as bad as the disease, since falsely declined legitimate orders result in lost revenue, both from that particular order, and from the lifetime value of a customer who is unlikely to ever return to a brand who mistook them for a criminal.
The costs of false declines don’t stop there either. When a legitimate shopper willing to part with their money for your wares gets rejected, all the money spent to acquire that customer and keep him or her in your funnel is wasted. This includes all the resources spent on ad buys, email marketing, content marketing (including SEO), promotional discounts, and the personnel dedicated to social media marketing and customer engagement.
eCommerce’s identity challenge
Before the advent of ecommerce, preventing credit card fraud was much easier: by glancing at an official photo ID next to the card presented, a cashier could easily verify the three-step match: between the person’s face and the face on the ID, from the photo on the ID to name printed on it, and finally the match of the name on the ID and the name on the credit card. Any mismatch and the chain of identity becomes broken and the transaction safely declined.
Although lacking any equivalent “photo ID”, CNP fraud prevention is still based on detecting and evaluating mismatches between pieces of data that usually should agree. These pieces include the purchaser’s IP address, billing address of the credit card, shipping address, customer name, etc. As the clues have become more digital, ecommerce fraud prevention tools have become more sophisticated. Of course, there are still human analysts who perform the equivalent job as the cashier (albeit from behind a screen), but during peak times like the holiday shopping season, manual review is hard to do well at scale. Whether the fraud filter is an algorithm or an analyst, discrepancies in an order are still the primary indicators of a fraudulent order.
Yet there is one wrinkle: mismatches often occur in legitimate orders too.
What’s in a name?
Let’s say an incoming order lists an email address that doesn’t include any part of the credit card holder’s name. This could indicate fraud, since fraudsters will often use stolen CC info and their own email address. On the other hand, names change due to marriage, the use of initials instead of a name in the email, and an order for digital goods sent directly to a friend’s email address (e.g. digital concert tickets) are all perfectly legitimate explanations for this discrepancy.
Instead of declining an order just because of this mismatch, online merchants should check the age of the email address (accounts older than a few months are far more likely to be used for legit orders than fraudulent ones) and look for a link between the email domain and the billing details (someone could be using their corporate email address for online shopping). The account name, age, and domain of the email address provided during ordering are useful clues for fraud prevention, especially when they are linked to other details in the shipping and billing addresses, allowing merchants to safely approve orders which simple rules would automatically decline due to mismatches.
Another fraud prevention tool that leverages data linking is device fingerprinting, which refers to the gathering of device characteristics like operating system type (iOS, Android, macOS, Windows 10), operating system version, IP address, screen resolution, and the number and type of installed plugins to provide a sort of digital identity. This helps solve the eCommerce “photo ID” problem described earlier and helps merchants identify returning customers who are much less likely to place orders which later result in chargebacks, and thus can be quickly and safely approved without further order review.
Not only can device fingerprinting identify legitimate customers across separate orders, but across national borders as well. With increased global trade and travel, there’s a lot of money to be made in international orders – if the risk of fraud can be appropriately managed. Business travelers, tourists, military personnel stationed overseas, diplomats, and foreign students are far too often falsely declined due to mismatches and the overall perception that cross-border online orders are inherently more risky than domestic ones.
One inconsistency often seen on international ecommerce orders is a country in the shipping address which is different from the credit card BIN (i.e. issuing) country. Again, this could be a sign of a fraudster using the stolen credit card details of a victim from another country (like a lot of commerce these days, criminal black markets are increasingly global). This could also, however, be someone sending a gift to a friend who lives overseas, or an international business or vacation traveler shipping to their hotel address, or a legit customer simply using a reshipping service because the merchant doesn’t ship to their country, or to save on shipping costs.
To get the full picture of the story behind the order, check for a connection between the email domain, shipping address, and billing name. Usually, in orders involving a reshipper the email domain is the name of the company in the shipping address. Also, check to see if the email domain and billing name are linked on publicly available listings – the shopper could be making a business purchase while visiting from abroad, using their business card, and shipping to their hotel room.
Hopefully, you’ll notice a recurring theme in the above two examples: more data means a more complete story. By looking at all the data points in an order and attempting to connect them, ecommerce companies can keep the chargeback Grinch at bay any time of year.