The first article in this series covered a 4-step strategy development process that gives merchants a high-level overview of what an effective strategy entails. Part two outlined the difference between in-person payments such as cash, check and card (swiped at a point of sale) and the associated data points, drilling down on the inherent points that are verified by issuing banks. This is especially useful for merchants who are new to e-commerce and are using sales platforms like Shopify, Magento, BigCommerce and others.
In this article, we will expand our scope and cover various use cases for data implementation across the customer journey, with a focus on e-commerce retail, while also shedding light on processes in other industries that are sought after by fraudsters.
As I mentioned in the first article, the first step is to identify each “Transfer of Value” that your company participates in. A Transfer of Value is any engagement across the customer journey wherein a consumer (or potential fraudster) might make a request that affects an order. In order to isolate the transfers of value, we need to identify the various touchpoints offered to customers and put thought towards the related data.
Here I’ve listed five touchpoints for a typical e-commerce retail operation.
- Account Creation
- Checkout
- Fulfillment
- Customer Service / Sales
- Accounting
There are many ways for this list to grow and change, but for now we will focus on the basics.
Let’s open up the list and the data available.
1. Account Creation
It is possible for a fraud prevention strategy to take effect as early as the first interaction that a customer (or fraudster) has with your website. For the sake of simplicity, we will be starting with account creation.
Potential data points: Account Name, Email Address, Phone Number, IP Address, Device ID, Biometrics, Geolocation, etc.
2. Checkout
This is the only step wherein real verification is a mandate, although the pieces of information that are verified can vary. For example, there are checkout forms (coded by hired developers) that only require a valid credit card number and expiration date. This is a cheap route to go, but offers no real security. These weak forms do not employ CVV (the 3 digits on a card, or 4 digits for American Express) or AVS (Address Verification Service, in which the submitted billing address is verified by the issuer of the card against the information they have on file). Fraudsters can exploit systems like these by generating credit card numbers.
Conversely, checkout forms that ask for (and verify) every available piece of information will be the most difficult to exploit.
Potential Data Points: Billing Name / Address, Shipping Address, Payment details (Card number, Expiration date, CVV), Phone number, Email, etc.
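The contrast between the weak form and the verifying form described above, as an added example that is not part of the original article. It assumes the payment processor returns the CVV and AVS results alongside the approval; the field names, the sample results and the "review on partial AVS match" policy are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResult:
    """Issuer response for one authorization (hypothetical field names)."""
    approved: bool
    cvv_match: Optional[bool]         # None: CVV was never submitted
    avs_street_match: Optional[bool]  # None: billing address was never submitted
    avs_postal_match: Optional[bool]

def weak_form(result: AuthResult) -> str:
    """Form that sends only the card number and expiration date."""
    return "accept" if result.approved else "decline"

def verifying_form(result: AuthResult) -> str:
    """Form that collects CVV and billing address and acts on the results."""
    if not result.approved:
        return "decline"
    if result.cvv_match is not True:
        return "decline"      # CVV missing or wrong
    if result.avs_street_match is None or result.avs_postal_match is None:
        return "decline"      # AVS never ran, so nothing was verified
    if result.avs_street_match and result.avs_postal_match:
        return "accept"
    if result.avs_postal_match:
        return "review"       # partial match goes to manual review (assumed policy)
    return "decline"

# Constructed sample results, not real transactions.
SAMPLES = [
    AuthResult(True, None, None, None),    # card number and expiry only
    AuthResult(True, True, True, True),    # everything verified
    AuthResult(True, True, False, True),   # postal code matches, street does not
    AuthResult(True, False, True, True),   # wrong CVV
    AuthResult(False, True, True, True),   # issuer declined
]

def compare(samples):
    """Return (weak decision, verifying decision) for each sample."""
    return [(weak_form(s), verifying_form(s)) for s in samples]

if __name__ == "__main__":
    for sample, (weak, strict) in zip(SAMPLES, compare(SAMPLES)):
        print(sample, "weak:", weak, "verifying:", strict)
```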
3. Fulfillment
A typical fulfillment period is 48 hours. That’s 48 hours wherein a customer (or fraudster) has a chance to submit tickets or requests to alter the package in one way or another, relative to fulfillment / shipping.
One example is changing the shipping address. A fraudster might place an order with accurate billing information and matching shipping address, but submit a request to change the shipping address during the fulfillment period.
Potential Data Points: Account Name, Order Number, Shipping Address, Phone number (for phone call requests), Email (for emailed requests), Phone number (for text messages), Social media (for requests submitted over social media), etc.
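One way to screen the address-change requests described above using the data points listed for this touchpoint, as an added example that is not part of the original article. The record layout, the four outcomes and the sample order are assumptions made for illustration; the 48-hour window is the typical period named above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

FULFILLMENT_WINDOW = timedelta(hours=48)  # typical period named in the article

@dataclass
class Order:
    order_number: str
    contacts: dict          # channel -> contact on file for the account
    shipping_address: str   # address that passed verification at checkout
    placed_at: datetime

@dataclass
class ChangeRequest:
    order_number: str
    channel: str            # "email", "phone", "text" or "social"
    contact: str            # address, number or handle the request came from
    new_address: str
    received_at: datetime

def normalize(text: str) -> str:
    """Comparison key that ignores case, commas and extra whitespace."""
    return " ".join(text.lower().replace(",", " ").split())

def review_address_change(order: Order, req: ChangeRequest) -> str:
    """Return 'allow', 'reverify', 'hold' or 'reject' (hypothetical outcomes)."""
    if req.order_number != order.order_number:
        return "reject"     # request does not reference this order
    if not order.placed_at <= req.received_at <= order.placed_at + FULFILLMENT_WINDOW:
        return "reject"     # outside the fulfillment period
    if normalize(req.new_address) == normalize(order.shipping_address):
        return "allow"      # nothing actually changes
    on_file = order.contacts.get(req.channel)
    if on_file is None or normalize(on_file) != normalize(req.contact):
        return "hold"       # requester is not a contact recorded for the account
    return "reverify"       # known contact, but the new address was never verified

# Constructed sample data.
ORDER = Order("1001", {"email": "pat@example.com", "phone": "+1 555 0100"},
              "12 Main St, Springfield", datetime(2024, 1, 1, 9, 0))
REQUESTS = [
    ChangeRequest("1001", "email", "pat@example.com", "12 main st  springfield", datetime(2024, 1, 1, 12, 0)),
    ChangeRequest("1001", "email", "pat@example.com", "99 Dock Rd, Shelbyville", datetime(2024, 1, 2, 8, 0)),
    ChangeRequest("1001", "social", "@pat_deals", "99 Dock Rd, Shelbyville", datetime(2024, 1, 2, 8, 0)),
    ChangeRequest("1001", "phone", "+1 555 0100", "99 Dock Rd, Shelbyville", datetime(2024, 1, 4, 9, 0)),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.channel, "|", r.new_address, "->", review_address_change(ORDER, r))
```

A "reverify" outcome means the new address should go through the same verification as the original checkout before the package is released.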
4. Customer Service / Sales
These teams typically operate isolated from each other. The unifying concept here is this: Both teams are responsible for taking requests from customers / clients and working to satisfy them. Examples of exploits might include: bypassing website security, adjusting orders after the verification has been completed, adding or removing objects, requesting wholesale refunds and reimbursement, establishing billing cycles, associating payment details with an account, and many more.
Potential Data Points: Account Name, Order Number, Shipping Address, Phone number (for phone call requests), Email (for emailed requests), Phone number (for text messages), Social media (for requests submitted over social media), etc.
5. Accounting
Everything ends with accounting, reflected in spreadsheets, statements, chargebacks / disputes, profits, losses, and so on. Methods employed against accounting might include promotion abuse, returns abuse, refund abuse, policy exploits, billing cycle exploits, payment fraud, and more.
Potential Data Points: Accounting should have access to most parts of a system or should have the ability to task departments to complete research, so it isn’t too far-fetched to name every data point that a company holds for this one.
Account Name, Order Number, Shipping Address, Phone number (for phone call requests), Email (for emailed requests), Phone number (for text messages), Social media (for requests submitted over social media), Shipping information, Dispute information, card numbers, dollar amounts, IP Addresses, geolocation and so on…
Now that we have outlined the types of data that are available at different touchpoints across the customer experience journey, we can quickly see how data points are represented across various departments within our operations.
The next article will cover examples of cross-referencing information for establishing rules and adjusting policies.
This article has been contributed by Alex Hall, a former fraudster who spent ten years successfully operating in the Las Vegas fraud scene. Today, he is the Principal at Dispute Defense Consulting, a Full-Spectrum Fraud Mitigation Consulting agency, with an aim to assist merchants to build a comprehensive defense against fraud throughout many aspects of their system.