The A to Z of payment fraud protection
By Alex Zeltcer
As unfortunate as it is, payment fraud is a common element of online activities.
In fact, it’s an all too common element as a new study shows that merchant losses to online payment fraud will exceed $206 billion in total between 2021 and 2025.
Fraud is evolving as fraudsters are constantly finding new ways to take advantage of the expanding digital market.
Whether you're a new player or an industry veteran, getting up to speed on how your business can be hurt and protected is critical.
Below, we explain different terms and concepts in payment fraud protection so you can learn more about this evolving space, draw a hard line between your acceptance and fraud rates, and make sure you know what type of protection you need.
3-D Secure
A security protocol that offers an additional layer of security for online credit and debit card transactions. The name refers to the three domains that interact using the protocol: the merchant domain, the card issuer domain, and the network domain.
Account analysis of transactions
Refers to the hundreds of data points that are analyzed in real time, such as the age of the email used for account creation, provided phone number and its ability to receive calls, billing and shipping address, as well as third-party data.
It’s important to note that account analysis is only one of the three key analysis points every fraud protection solution should have. See ‘Behavioral analysis of transactions’ and ‘Contextual analysis of transactions’ for more details.
Account takeover (ATO)
A particularly dangerous form of fraud that is, essentially, identity theft. First, a fraudster, typically using automated bots, gains access to an account that already has a credit card or other form of payment authorized to make purchases. Then, they alter certain account details (e.g. delivery address, email) so that goods ordered through the account are delivered to the fraudster instead of the rightful buyer.
Authorization and capture
The two-step process that allows merchants to first authorize the cardholder's credit card to make sure it’s valid and that it has sufficient funds available for the transaction, then collect the funds at a later time.
For physical goods, capture happens the moment the goods are shipped. For digital goods, authorization and capture happen at the same time, which means that the fraud analysis needs to be completed in real time. It also means that digital goods represent a different and significantly harder challenge for online retailers trying to protect against digital fraud. See ‘Delayed vs. immediate goods delivery’ for more details.
Behavioral analysis of transactions
Analyzes overall market behavior trends, as well as the actions of the individual buyer and of groups of buyers with similar or identical behavior, by following their exact movement through the buyer journey to identify fraudulent behavior.
Data that is analyzed includes the time spent between entering the website and attempting checkout, whether the buyer looked at different products and product variables such as size and price, whether they typed or copy/pasted their personal information, and so on.
For analysis of cohorts, data used includes groups that exhibit trending behavior together, specific products they browse and purchase, overall market trends when it comes to the age of payment methods, changes in geo distribution, and so on.
Card Not Present (CNP) transactions
Transactions in which the merchant has received the customer's payment information remotely such as online purchases, rather than having the physical card present. As such, these types of transactions have a greater risk for payment fraud.
Card testing
A type of payment fraud often found in eGaming where test purchases are made with a previously stolen credit card number. Purchases start small and rise incrementally once the fraudster realizes they can get away with bigger buys. Every purchase can become a chargeback filed by the credit card’s real owner.
Chargeback
A forced transaction reversal initiated by the cardholder’s issuing bank after the cardholder successfully disputes a purchase. Merchants usually incur a fee when a chargeback occurs.
Fees vary from $20 to $100 and every dollar lost to chargeback fraud costs an estimated $3.36 due to operational and customer acquisition costs.
A variety of techniques and technologies such as fraud protection tools that help safeguard merchants by reducing the risk from fraudulent chargebacks.
Chargeback safe zone
The acceptable percentage of transactions that are labeled as fraudulent within the payment processing cycle. The chargeback ratio determines the merchant’s risk factor, and a higher ratio limits the merchant’s ability to process payments.
It’s widely accepted that merchants with a consistent fraud rate of 0.7% of all transactions are in the “safe zone”. However, the 0.7% rule of thumb is the safe zone from the payment network's perspective.
As margins are very small and every transaction counts, we suggest 0.5% and below should be the upper limit for every merchant in order to avoid any kind of fines or worse, risk being blacklisted.
Contextual analysis of transactions
Analysis of context of each buyer attempting to make a purchase, against large data sets of proven legitimate and fraudulent purchases. Data includes the location from where the buyer is visiting (GEO), the browser being used, IP address, potential VPN usage, time of day and week, device fingerprinting, and so on.
Dark web
Part of the internet that isn't visible to search engines and requires specific anonymizing software to be accessed. Through the dark web, users can communicate and conduct business anonymously and privately, which makes it suitable for a wide range of criminal activities, including payment fraud.
Decline rate
The rate at which card payments are dropped for a variety of reasons, such as a lack of funds on the card, fraud prevention measures, the merchant’s poor handling of payments, and so on.
Our data-backed report has shown that the average decline rate in the digital gift card segment due to fraud prevention measures is 15%, while eGames and downloadable content have a higher average rate of declines at 20%.
Deep learning
A subset of machine learning that simulates the way humans gain knowledge by learning from large amounts of data. To achieve this, deep learning uses a multi-layered structure of algorithms called neural networks, which are modeled on the structure of the human brain.
Delayed vs. immediate goods delivery
Relates to the main difference between fraud protection for physical and digital goods merchants.
Delayed delivery comes into play for physical goods retailers as their buyers expect to receive their product only following a certain amount of time to account for shipping times.
On the other hand, digital goods merchants are expected to dispatch the goods immediately following the completion of the transaction.
It’s important to note that a delayed delivery also happens in instances where merchants employ a large manual review team to analyze the transactions, which can lead to a subpar purchasing experience for buyers.
Digital goods merchants
Essentially websites and apps such as digital gift stores, travel agencies, ticket stores, gaming stores, and software companies that sell digital products that require no physical delivery. These merchants suffer from highly elevated fraud pressure as their products require immediate delivery and have a high resale value.
False declines
Also commonly referred to in the industry as the ‘insult rate’, these are transactions from legitimate customers that were flagged as suspicious and rejected, in most cases because the existing fraud protection solution mistakenly labeled them as fraudulent purchases.
Our numbers show that 4 out of 5 declined payments come from real, legitimate customers. To make matters worse, 72% of these declines are new customers, which makes fighting fraud with AI‑based fraud protection platforms an immediate priority.
Transactions from actual fraudsters that the existing fraud protection system doesn’t detect and allows to make a purchase.
Our extensive industry research found that the majority of AI/machine learning models can accurately approve only 85% of purchase attempts in the digital goods domain, out of which 84.5% represent legitimate customers, while 0.5% fall on fraudsters. The remaining 15% of the purchases are being rejected in order to be on the safe side.
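As an added example (not code from the original post), the rates quoted in the chargeback safe zone and false declines entries can be tracked from a merchant's own decision log once the true outcome of each attempt is known. The 200 rows below are constructed to mirror the 85% approved / 0.5% fraud leak / 15% declined split and the "4 out of 5 declines are real customers" figure; the 0.7% and 0.5% thresholds are the network and recommended safe-zone limits named above.

```python
# Added example: scoring a fraud engine's decisions against the later-known
# outcome (did the card's real owner file a chargeback?). Rows are constructed.

NETWORK_SAFE_ZONE = 0.007   # 0.7%: rule-of-thumb limit from the payment network's view
RECOMMENDED_LIMIT = 0.005   # 0.5%: the stricter ceiling the post recommends

def make_sample():
    """Constructed decision log: (approved, was_fraud) per purchase attempt."""
    rows = []
    rows += [(True, False)] * 169   # approved, legitimate buyer
    rows += [(True, True)] * 1      # approved, fraudster: a future chargeback
    rows += [(False, False)] * 24   # declined, legitimate buyer: a false decline
    rows += [(False, True)] * 6     # declined, fraudster: correct catch
    return rows

def fraud_metrics(rows):
    """Rates a merchant can track: approval, decline, fraud leak, insult share, chargeback ratio."""
    n = len(rows)
    approved = [fraud for ok, fraud in rows if ok]
    declined = [fraud for ok, fraud in rows if not ok]
    fraud_approved = sum(approved)                   # false negatives
    legit_declined = len(declined) - sum(declined)   # false declines
    return {
        "approval_rate": len(approved) / n,
        "decline_rate": len(declined) / n,
        "fraud_leak_rate": fraud_approved / n,
        # share of all declines that hit real customers (the 'insult rate' view)
        "insult_share": legit_declined / len(declined) if declined else 0.0,
        # chargebacks as a fraction of the transactions actually processed
        "chargeback_ratio": fraud_approved / len(approved) if approved else 0.0,
    }

def safe_zone_status(chargeback_ratio):
    """Compare a chargeback ratio with the two thresholds discussed in the glossary."""
    if chargeback_ratio > NETWORK_SAFE_ZONE:
        return "outside network safe zone"
    if chargeback_ratio > RECOMMENDED_LIMIT:
        return "inside network safe zone, above recommended limit"
    return "within recommended limit"

if __name__ == "__main__":
    m = fraud_metrics(make_sample())
    for name, value in m.items():
        print(f"{name:17s} {value:6.2%}")
    print(safe_zone_status(m["chargeback_ratio"]))
```

With this sample the single leaked fraud attempt gives a chargeback ratio of about 0.59%, inside the network's 0.7% zone but already above the 0.5% limit the post recommends.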
Friendly fraud
Fraud stemming from initially legitimate purchases. Once the buyer receives the product, they open a false dispute with their credit card issuer to reverse the payment, on the grounds of supposed problems with the product or of not having made the purchase at all.
The gold standard of fraud protection in which fraud protection vendors assume their clients’ fraud liabilities. The goal is not just to help merchants deal with the risk of fraud, but to completely remove it from their business.
By assuming their clients’ liability, fraud protection vendors are essentially betting on the success of their product, which is based on an algorithm that can learn autonomously from massive quantities of data. At the same time, this algorithm has to be sophisticated enough to distinguish between genuine customers and all the nuances of fraud.
Loyalty fraud
Also known as promotion fraud or promotion abuse. Fraudsters, but also employees, partners, and otherwise legitimate customers, try to game and abuse a loyalty program in various ways: by creating multiple accounts to gain access to additional promotions and earn more points, by selling or transferring points to non-members, by repeatedly returning items after earning points, and so on.
Machine learning
A subset of artificial intelligence that represents the study of algorithms that can improve automatically through experience and by the use of data. In fraud protection, machine learning is used to analyze data (such as the context and the actions the buyers took) at a high level of accuracy.
Manual review
The process of evaluating the data of a specific transaction by trained specialists to further analyze whether the purchase is fraudulent or not. The review process can consist of multiple emails sent to the submitted email address, a phone call, requests for the buyer to send the review team some kind of verification of their identity, and other tactics. These are typically labeled as “challenges” among fraud protection professionals.
While employing a team of fraud detection experts may be effective to a point, the reality is that manual review is expensive and slow. For high-volume sales environments where immediate fulfillment is key, this generates a bad customer experience due to delayed delivery.
Predictive analytics
Artificial intelligence supplemented with predictive analytics that leverages machine learning processes. It predicts outcomes using historical data. As a result, businesses can gain deeper insight into trends and patterns regarding their legitimate and fraudulent customers, and mitigate risk.
Processor declines
The rejection of a payment by the payment processor for a number of reasons, from incorrect credit card numbers and CVVs to a lack of funds in the cardholder’s account, but also because of the risk of the transaction being fraudulent.
Typically, about two-thirds of the declines happen due to the card issuer's risk evaluation. These carry no information regarding the reason for rejection, simply providing a ‘Do Not Honor’ code that means the card issuer is refusing to send an authorization token back to the payment system, thus failing to validate the transaction.
PSD2 (Second Payments Services Directive)
European regulation for electronic payment services. It mandates stronger security requirements for online transactions and also recognizes and regulates third-party providers to access or aggregate accounts and initiate payment services.
Risk scoring
A fraud management approach that relies on obtaining and combining multiple risk scores that are calculated from rough data, such as the age of the email address used for a purchase or the geographic location of an IP address.
The risk score is eventually used to suggest whether to accept or decline a certain transaction. On its own, a risk-scoring model does not make a concrete decision about each transaction; such concrete decision-making, coupled with real-time analysis of various data points, is what makes for a truly risk-free framework.
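As an added illustration (not code from the original post or any vendor), this is the risk-scoring step described above, combining the rough signals the glossary names (email age, phone reachability, billing/shipping/IP geography, VPN use, device fingerprint, typed vs. pasted details, time on site) into one score, and then a separate policy that turns the score into an accept, review or decline decision. The signals, point weights and thresholds are constructed assumptions.

```python
# Added example: a minimal risk-scoring step plus the decision policy that
# sits on top of it. Weights and thresholds are constructed for illustration;
# a real engine would learn them from labelled purchase history.
from dataclasses import dataclass

@dataclass
class Attempt:
    email_age_days: int         # age of the e-mail address used at checkout
    phone_reachable: bool       # could the given phone number receive a call?
    billing_country: str
    shipping_country: str
    ip_country: str             # GEO of the visitor's IP address
    vpn_suspected: bool
    known_device: bool          # device fingerprint seen on good orders before
    pasted_personal_info: bool  # pasted rather than typed (behavioural signal)
    seconds_on_site: int        # time from landing to checkout attempt

def risk_points(a: Attempt) -> dict:
    """One risk contribution per signal, so a reviewer can see why a score is high."""
    return {
        "new_email": 25 if a.email_age_days < 30 else 10 if a.email_age_days < 365 else 0,
        "phone_unreachable": 0 if a.phone_reachable else 15,
        "bill_ship_mismatch": 20 if a.billing_country != a.shipping_country else 0,
        "ip_geo_mismatch": 20 if a.ip_country != a.billing_country else 0,
        "vpn": 15 if a.vpn_suspected else 0,
        "unknown_device": 0 if a.known_device else 10,
        "pasted_details": 10 if a.pasted_personal_info else 0,
        "rushed_checkout": 15 if a.seconds_on_site < 60 else 0,
    }

def risk_score(a: Attempt) -> int:
    return sum(risk_points(a).values())

def decide(score: int, accept_below: int = 30, decline_from: int = 70) -> str:
    """A score alone is not a decision; this policy is what accepts, reviews or declines."""
    if score < accept_below:
        return "accept"
    if score >= decline_from:
        return "decline"
    return "review"   # the band that ends up with the manual review team

if __name__ == "__main__":
    returning = Attempt(800, True, "DE", "DE", "DE", False, True, False, 420)
    risky = Attempt(3, False, "US", "CA", "BR", True, False, True, 20)
    for a in (returning, risky):
        s = risk_score(a)
        print(s, decide(s), {k: v for k, v in risk_points(a).items() if v})
```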
Synthetic identity fraud
A complex and relatively new form of identity theft in which fraudsters build a fake identity using either real personally identifiable information (social security numbers, home addresses, phone numbers) or a combination of real and fabricated information.
Two-factor authentication (2FA)
General term for an additional layer of security for online accounts in which users provide two different authentication factors to verify themselves. In addition to a password, this typically includes either a security token such as a smartphone or a biometric factor like a fingerprint or facial scan.
True acceptance rate
The rate of buyers that attempt to make a purchase and are allowed to do so based on a complete analysis of friction points such as geo limitations to a website or app, forced account creation, two-step authentication, account creation declines, as well as PSD2/3DSecure and processor declines.
True payment fraud
Type of fraud in which a credit card is stolen and used to make a fraudulent purchase. The cardholder disputes the purchase, which results in their account being closed with a new account number and card being issued.
Back to you
It is crucial for you as a digital goods merchant to leverage up-to-date knowledge about payment fraud, as well as industry best practices, to continually upgrade the way you understand and combat payment fraud.
Every day, fraudsters are getting more sophisticated, and so must you. We hope this glossary helps you boost your chances and prevail in this fight.
Want to know how to translate the above into a fraud protection solution that helps you sell your digital goods with confidence (98% approval rate with 100% chargeback guarantee)? Talk to our fraud product experts today.