Unfortunately, the need to reduce chargeback risk is an inescapable consequence of accepting card payments, especially in this digital age. It is predicted that merchants will collectively lose over $20 billion USD to chargebacks this year, with the majority of those claims being due to fraud. That’s where we come in.
We need to mitigate the chargeback risk from fraudulent disputes filed against orders placed with our businesses, and ideally stop them before they happen. But how?
A single cure for chargebacks does not exist. The effective countermeasure depends on the type of fraud behind the dispute. This article walks through the general protective measures every merchant should have in place, followed by additional methods you can use to safeguard your platform against specific types of payment fraud.
Let’s start with the universal protections that all e-commerce businesses should have in place.
Reduce chargeback risk with two-factor authentication
As common as two-factor authentication has become, many companies still have no second factor in place at all. For years there was a stigma that 2FA creates customer friction, and in the beginning that was true: customers were reluctant to use it. Times have changed and the world has moved online. Consumers are not only used to 2FA, they have come to expect and even appreciate it.
The key to keeping 2FA from creating any additional friction is to restrict its use to necessary actions and triggers.
Always trigger 2FA during the creation of a new account, and have the customer verify their phone number immediately. There are workarounds (disposable and virtual numbers), but non-professional fraudsters will rarely go to the effort.
As for the email address, you can verify it at the same point, or give the customer some time and require verification before their second or third order.
The reason to verify the email later is to limit the actions a customer must take to place their first order; they can verify on their own time. Requiring it before a repeat order still limits the use of temporary email addresses for multiple orders on one account.
3DS / PSD2: Legislative requirements to reduce chargeback risk
3DS (3-D Secure) is a card-network protocol in which the merchant sends additional data at the time of payment so that the card issuer can authenticate that the purchaser is the cardholder. PSD2 is the EU's second Payment Services Directive; its Strong Customer Authentication (SCA) requirement is what most merchants meet by using 3DS2, which carries richer data and, for low-risk transactions, allows frictionless authentication with no customer challenge. In the EEA and the UK, SCA is legislated and required for most online card payments.
Where the rules allow it (PSD2 provides exemptions, such as low-value and transaction-risk-analysis exemptions) and you do not want a challenge on every transaction, apply it based on the risk posed by the account and the order. Build a risk score and attach different actions to different bands. For example, on a scale of 1-100, orders scoring above 50 could be sent through 3DS, and those above 80 could be prevented from ordering altogether.
A transaction that completes 3DS authentication shifts liability for fraud-coded chargebacks from the merchant to the issuer, so those disputes stop costing you money. It does not cover non-fraud disputes (item not received, not as described, friendly fraud filed under a non-fraud reason code), and the card schemes still count the fraud reported against your transactions, so too much of it can still land you in a scheme's fraud or dispute monitoring program. Authentication will not eliminate chargeback risk entirely, but it helps and buys you time to address the rest with other tools and methods.
3rd-party chargeback risk prevention solution
I highly recommend using a chargeback prevention solution, though I list it as optional: it is not an absolute necessity if you can do in-house what you would need it to do.
There are many solutions to reduce chargeback risk available on the market. Most of them have one strong selling feature that they focus upon with their marketing, followed by several general features that most of them have, like rule engines and risk scoring.
Some of these key prevention features include behavioral analytics, graph network analysis, anonymous data sharing and more.
Be sure that the main feature complements and enhances your present fraud prevention processes. It must work alongside them and do more than you are able to do yourself. The integration must be light enough not to require too much development work. Finally, the pricing must make sense against the value of the fraud prevented: you do not want to pay more than you are saving.
With those general tools in place, you will want to reduce chargeback risk further by addressing each type of payment fraud on its own terms.
The risk of chargebacks from payment card fraud
These fraudulent transactions are what most often come to mind when someone thinks of chargeback fraud: bad actors using stolen card details to make purchases, across many different schemes and techniques.
Typically, merchants try to prevent card fraud with velocity rules. Vendor AI and machine-learning products are rule-based underneath as well, but they derive and revise those rules automatically by analyzing massive amounts of data in a very short time.
In-house rules are effective at preventing chargebacks once added, but because they are static you need to stay on top of them and update them continuously. If you set thresholds on order count, order value, card count or card failures, fraudsters will learn what they are and simply keep their activity just below them. There is nothing wrong with using these rules; set your maximums and remember to review them often.
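As an added illustration of the velocity rules described above (this is example code written for this article, not the author's or any vendor's implementation), the following keeps a per-account sliding window of payment attempts and reports which thresholds a new attempt would exceed. The limits and the event stream are constructed for the example; real values should be tuned to your own traffic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class VelocityLimits:
    """Static maximums per account inside a sliding window. Review these often:
    fraudsters who learn them will stay just below each one."""
    window_seconds: int = 3600   # one hour
    max_orders: int = 4          # attempts (successful or not) in the window
    max_amount: float = 200.0    # total value attempted in the window
    max_cards: int = 3           # distinct card fingerprints in the window
    max_failures: int = 2        # earlier declined attempts in the window


class VelocityTracker:
    """Keeps a per-account deque of recent attempts and evaluates each new one."""

    def __init__(self, limits: VelocityLimits):
        self.limits = limits
        # account_id -> deque of (ts, card_fingerprint, amount, succeeded)
        self.history = defaultdict(deque)

    def _prune(self, account_id: str, now: int) -> None:
        q = self.history[account_id]
        while q and now - q[0][0] > self.limits.window_seconds:
            q.popleft()

    def check(self, ts: int, account_id: str, card: str, amount: float, succeeded: bool) -> list:
        """Return the names of the rules the new attempt trips (empty list = clean).

        The attempt itself counts towards order count, amount and card count, since
        those are known before authorization; the failure rule only looks at
        earlier attempts whose outcome is already known."""
        self._prune(account_id, ts)
        q = self.history[account_id]
        fired = []
        if len(q) + 1 > self.limits.max_orders:
            fired.append("order_count")
        if sum(e[2] for e in q) + amount > self.limits.max_amount:
            fired.append("order_amount")
        if len({e[1] for e in q} | {card}) > self.limits.max_cards:
            fired.append("card_count")
        if sum(1 for e in q if not e[3]) > self.limits.max_failures:
            fired.append("card_failures")
        q.append((ts, card, amount, succeeded))
        return fired


# Constructed sample stream (not real data): one account cycling through cards
# with declines mixed in, and an unrelated account placing a single order.
SAMPLE_EVENTS = [
    # (ts_seconds, account_id, card_fingerprint, amount, succeeded)
    (0,    "acct-1", "card-a", 25.00, True),
    (60,   "acct-1", "card-b", 30.00, False),
    (120,  "acct-1", "card-c", 28.00, False),
    (180,  "acct-1", "card-d", 95.00, True),
    (240,  "acct-1", "card-e", 90.00, True),
    (3000, "acct-2", "card-z", 20.00, True),
]


def run_sample(limits: VelocityLimits = None) -> list:
    """Evaluate SAMPLE_EVENTS in order; returns one list of fired rules per event."""
    tracker = VelocityTracker(limits or VelocityLimits())
    return [tracker.check(*event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, run_sample()):
        print(event[1], event[2], fired or "ok")
```

Note that the fourth attempt trips only the card-count rule while staying under the order and amount limits: that is exactly the "just below the threshold" behaviour the text warns about, and the reason the rules need a network-level view on top of them.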
On top of rules that look at individual objects, you need to observe your network and what is going on across accounts. Look at activity across connected data points. Do linked accounts have chargebacks? Have they added a lot of cards very quickly? Is there an abnormally high number of failed, or even successful, transactions in a short period? Are they all young accounts? When a group is linked, apply your controls to the whole group, not just the account that tripped a rule.
Watch for oddities and activity that should not be happening, such as orders originating from countries where you do not operate. Keep your eyes open for patterns in names, phone numbers, order values and email addresses. Catch imbalances, such as a delivery address that appears within a given time-frame far more often than any single IP address or phone number attached to it. Go through the technical details and look into anomalies such as missing device details or outdated app and browser versions.
Observe the behavioral patterns of these fraudsters. Are they copying and pasting information? Does the gyroscope data from their device show no movement at all (typical of emulators)? Are all of the clicks and taps too accurate and too similar? Are they moving through pages at exceptional speed? Is one account placing multiple orders to different addresses? These are all indicators of the bad behavior we are battling.
You have to do the work to reduce chargeback risk by seeing what is going on within your network. Don’t forget that you have to analyze the good and the bad customers to find behavioral differences. Know your customer to know your fraudster. They will not appear the same, no matter how hard a fraudster tries to hide.
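The linked-account analysis described in the preceding paragraphs (connected data points, chargebacks and rapid card additions across a group of young accounts, controls applied to the whole group) can be prototyped with a simple union-find over shared attributes. This is an added example written for this article, not the author's or any vendor's code; the accounts, device ids, phone numbers and addresses are constructed, and the thresholds in `cluster_is_suspicious` are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    age_days: int
    chargebacks: int
    cards_added_last_24h: int
    # Linking attributes (constructed identifiers, not real data).
    device_ids: frozenset = field(default_factory=frozenset)
    phones: frozenset = field(default_factory=frozenset)
    addresses: frozenset = field(default_factory=frozenset)

    def link_keys(self):
        # Prefix each value with its attribute type so a phone number and a device
        # id that happen to share a string cannot be confused for each other.
        yield from (f"device:{d}" for d in self.device_ids)
        yield from (f"phone:{p}" for p in self.phones)
        yield from (f"address:{a}" for a in self.addresses)


class UnionFind:
    """Minimal disjoint-set structure with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(accounts) -> list:
    """Group accounts that share any device, phone or address, transitively.
    Returns a list of clusters, each a list of Account objects."""
    uf = UnionFind()
    first_owner = {}  # link key -> first account seen with it
    for acct in accounts:
        uf.find(acct.account_id)  # register even if it shares nothing
        for key in acct.link_keys():
            if key in first_owner:
                uf.union(first_owner[key], acct.account_id)
            else:
                first_owner[key] = acct.account_id
    clusters = defaultdict(list)
    for acct in accounts:
        clusters[uf.find(acct.account_id)].append(acct)
    return list(clusters.values())


def cluster_is_suspicious(cluster, young_days=7, min_young_share=0.5, max_cards_added=5) -> bool:
    """A linked group with at least one chargeback that is either mostly young
    accounts or has been adding cards unusually fast. Thresholds are assumptions."""
    total_chargebacks = sum(a.chargebacks for a in cluster)
    young_share = sum(1 for a in cluster if a.age_days < young_days) / len(cluster)
    cards_added = sum(a.cards_added_last_24h for a in cluster)
    return total_chargebacks >= 1 and (young_share >= min_young_share or cards_added >= max_cards_added)


def accounts_to_block(accounts) -> set:
    """Every member of every suspicious cluster, not only the one that charged back."""
    blocked = set()
    for cluster in link_accounts(accounts):
        if cluster_is_suspicious(cluster):
            blocked.update(a.account_id for a in cluster)
    return blocked


# Constructed sample population (not real data).
SAMPLE_ACCOUNTS = [
    # acct-1 charged back; acct-2 shares its device; acct-3 shares acct-2's phone.
    Account("acct-1", 2, 1, 1, device_ids=frozenset({"dev-11"}), phones=frozenset({"phone-1"})),
    Account("acct-2", 1, 0, 4, device_ids=frozenset({"dev-11"}), phones=frozenset({"phone-2"})),
    Account("acct-3", 3, 0, 2, device_ids=frozenset({"dev-12"}), phones=frozenset({"phone-2"})),
    # Two long-standing accounts sharing a household address: linked, but clean.
    Account("acct-4", 400, 0, 0, device_ids=frozenset({"dev-40"}), addresses=frozenset({"addr-1"})),
    Account("acct-5", 520, 0, 0, device_ids=frozenset({"dev-50"}), addresses=frozenset({"addr-1"})),
    # Isolated young account that already charged back: flagged on its own.
    Account("acct-6", 1, 1, 0, device_ids=frozenset({"dev-60"})),
]


if __name__ == "__main__":
    for cluster in link_accounts(SAMPLE_ACCOUNTS):
        ids = [a.account_id for a in cluster]
        print(ids, "suspicious" if cluster_is_suspicious(cluster) else "ok")
```

In production the link keys come from your device fingerprinting, card tokenization and address normalization, and clustering runs incrementally rather than over the whole table; the decision logic stays the same. The household cluster shows why a shared attribute alone is not a signal: it is the combination of a chargeback with young accounts or rapid card additions that marks the group.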
Account Takeover (ATO)
Account takeover is a type of payment fraud in which an existing account is accessed by an unauthorized individual for unapproved purposes. By the time one is reported it is already too late: you are reacting to chargeback risk and a whole lot more (such as money being sent directly to fraudster-controlled accounts). You do not want things to get to that point.
We are all aware of the basics of defending the login against credential stuffing and brute-force attacks. Rate limits on login attempts per IP address, per account and per device are common. Endpoints are monitored for excessive traffic. We watch for unusual or standout technical details such as user agent, emulators, browsers and more. On those alerts, we block the login.
In addition to those, there are indicators at the account level that let us be proactive in our defense.
The key indicator of an ATO is "new": new device, new device type, new IP, new geo-location, new language, and different combinations of new, new, new.
Because many services are offered globally and anyone can legitimately place an order for anyone, to and from anywhere in the world, you do not want to refuse these orders unless you are quite certain it is an ATO. For this kind of activity, bring in part of the 2FA process and challenge the customer to identify themselves before the transaction is processed.
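As an added example of turning those "new" indicators into an allow-or-challenge decision (example code written for this article, not the author's or any vendor's system), the following scores a login attempt against the attributes an account has been seen with before and challenges only when enough novelty accumulates. The history, the attempts (using documentation IP ranges) and the weights are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AccountHistory:
    """Attributes the account has been seen with before."""
    devices: set = field(default_factory=set)
    device_types: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    languages: set = field(default_factory=set)


@dataclass(frozen=True)
class LoginAttempt:
    device: str
    device_type: str
    ip: str
    country: str
    language: str


# Weight of each "new" signal (assumed values). A new IP on its own is normal for
# a phone on mobile data; a new device plus a new country is not.
NOVELTY_WEIGHTS = {"device": 3, "device_type": 1, "ip": 1, "country": 2, "language": 2}
CHALLENGE_THRESHOLD = 3


def novelty_signals(history: AccountHistory, attempt: LoginAttempt) -> list:
    """Names of the attributes this attempt has never been seen with on the account."""
    known = {
        "device": attempt.device in history.devices,
        "device_type": attempt.device_type in history.device_types,
        "ip": attempt.ip in history.ips,
        "country": attempt.country in history.countries,
        "language": attempt.language in history.languages,
    }
    return [name for name, seen in known.items() if not seen]


def decide(history: AccountHistory, attempt: LoginAttempt) -> tuple:
    """Return (action, score, signals) where action is 'allow' or 'challenge'.
    Nothing is refused outright: a genuine customer abroad on a new phone is
    challenged to prove who they are, not blocked from ordering."""
    signals = novelty_signals(history, attempt)
    score = sum(NOVELTY_WEIGHTS[s] for s in signals)
    return ("challenge" if score >= CHALLENGE_THRESHOLD else "allow"), score, signals


def learn(history: AccountHistory, attempt: LoginAttempt) -> None:
    """After an allowed login or a passed challenge, remember the attributes so the
    same combination is not challenged again."""
    history.devices.add(attempt.device)
    history.device_types.add(attempt.device_type)
    history.ips.add(attempt.ip)
    history.countries.add(attempt.country)
    history.languages.add(attempt.language)


# Constructed sample history and attempts (documentation IP ranges, not real data).
KNOWN = AccountHistory(devices={"dev-A"}, device_types={"ios"}, ips={"203.0.113.10"},
                       countries={"NL"}, languages={"nl-NL"})
SAMPLE_ATTEMPTS = {
    "same_as_usual":  LoginAttempt("dev-A", "ios", "203.0.113.10", "NL", "nl-NL"),
    "new_ip_only":    LoginAttempt("dev-A", "ios", "198.51.100.7", "NL", "nl-NL"),
    "new_phone":      LoginAttempt("dev-B", "android", "198.51.100.7", "NL", "nl-NL"),
    "new_everything": LoginAttempt("dev-C", "ios", "192.0.2.44", "RO", "ro-RO"),
}


def run_sample() -> dict:
    """Decision for every sample attempt against the known history."""
    return {name: decide(KNOWN, attempt) for name, attempt in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (action, score, signals) in run_sample().items():
        print(f"{name:15} {action:9} score={score} new={signals}")
```

Only a passed challenge should feed `learn`; if a fraudster's device is recorded as known after a failed or skipped challenge, the next attempt from it sails through.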
Weak account protection
I do not recommend a short numeric one-time password as the challenge. A 4 to 8 digit code is easy to intercept through social engineering: a fraudster on the phone simply asks the customer to read it out. What I would suggest instead is an SMS containing a very long, random, single-use URL that the customer clicks to pass the challenge and complete their order. It is much harder to talk a customer into relaying such a link than a short code. Keep the token single-use and short-lived, and store only a hash of it server-side. Bear in mind that SMS itself is exposed to SIM swapping and message forwarding, so the link is a friction-reducing step-up on top of strong account credentials, not a replacement for them. If the customer does not click the link, lock the account down: end all sessions and force a password reset once they are able to pass the challenge.
Because ATO makes it so easy to commit chargebacks and other types of fraud, fraudsters will try to change account details in order to pass these challenges and gain access to an account. An additional layer of protection should be 2FA on account change requests as well. Verify the phone number if they wish to change their email address, and verify the email address if they wish to change their phone number.
Upon discovering an ATO attack, make sure the devices used cannot attempt another one.
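The one-time-URL challenge, the lockdown after an unanswered challenge, and the device block after a confirmed takeover described in the three paragraphs above, as an added example written for this article (not the author's or any vendor's implementation). The base URL, account, order and device identifiers are placeholders; the SMS delivery itself is out of scope and is where the link returned by `issue` would be sent.

```python
import hashlib
import secrets
from collections import defaultdict

# Placeholder base URL for the example; a real deployment uses its own domain.
VERIFY_BASE_URL = "https://example.invalid/verify/"


class ChallengeStore:
    """Single-use, expiring verification links plus the lockdown that follows a
    challenge the customer never answered or a confirmed takeover."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        # sha256(token) -> (account_id, order_id, device_id, expires_at).
        # Only the hash is kept, so a leaked table cannot be replayed as live links.
        self.pending = {}
        self.sessions = defaultdict(set)      # account_id -> active session ids
        self.blocked_devices = set()
        self.needs_password_reset = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str, order_id: str, device_id: str, now: int):
        """Create a link for the customer to click; None if the device is blocked."""
        if device_id in self.blocked_devices:
            return None
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = (account_id, order_id, device_id, now + self.ttl)
        return VERIFY_BASE_URL + token

    def redeem(self, token: str, now: int):
        """Return (account_id, order_id) exactly once; None if unknown, used or expired."""
        entry = self.pending.pop(self._digest(token), None)   # pop makes it single-use
        if entry is None:
            return None
        account_id, order_id, _device_id, expires_at = entry
        if now > expires_at:
            return None
        return account_id, order_id

    def lock_down(self, account_id: str) -> None:
        """End every session and require a password reset on the next login."""
        self.sessions.pop(account_id, None)
        self.needs_password_reset.add(account_id)

    def expire_unanswered(self, now: int) -> set:
        """Challenges that timed out without a click: treat as suspected ATO and
        lock the account down. Returns the affected account ids."""
        stale = [h for h, (_, _, _, exp) in self.pending.items() if now > exp]
        affected = set()
        for h in stale:
            account_id, _, _, _ = self.pending.pop(h)
            self.lock_down(account_id)
            affected.add(account_id)
        return affected

    def confirm_ato(self, account_id: str, device_id: str) -> None:
        """Confirmed takeover: lock down and make sure the device cannot try again."""
        self.lock_down(account_id)
        self.blocked_devices.add(device_id)


if __name__ == "__main__":
    store = ChallengeStore()
    link = store.issue("acct-1", "order-9", "dev-X", now=0)
    print(link)
    print(store.redeem(link[len(VERIFY_BASE_URL):], now=10))
```

Two details matter here: the token comes from `secrets`, not `random`, and the store never holds the token itself, only its SHA-256, so a database read is not enough to mint a working link. The verification endpoint should also refuse to act on a GET triggered by a link-preview bot; binding the redeem step to the same device that requested the challenge is a common additional check.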
Friendly fraud chargeback risk
Friendly fraud is the hardest chargeback risk to prevent. It costs at least $130 billion per year, because a genuine cardholder decides to file a false dispute on their own charge, which is essentially impossible to detect the first time. These chargebacks arrive unexpectedly, out of the blue. There is no way to detect in advance that one is coming unless the customer is a repeat offender, and even that is hard, because the repetition is only visible when the offender shares some of the personal identifying information you have collected before. Only then can you stop them before they do it again.
These offenders will always get away with their first one, unless you represent (dispute) the chargeback with evidence and win, and that costs a lot of time and money.
Ideally you would block that cardholder's identity across merchants. That capability does not exist today: it would require the issuers to share the identity behind a dispute, which they currently do not.
This article was contributed by Shawn Colpitts, Senior Fraud Investigator at Just Eat Takeaway.com