Karsten Witke, Head of Risk Payment Services at PPRO Group
Online fraud rates continue to rise on a global scale, with predictions expecting 13.7% growth from 2017-2022, while card-not-present fraud is estimated to reach $19.3 billion by 2022[i].
In the UK alone, fraudsters stole a total of £310.2 million from victims in 2017 by using illegally-obtained credit and debit card details to make online purchases, according to UK Finance, the industry trade body [ii].
The easy-to-access nature of the internet and the anonymity it provides fraudsters makes fraud a faceless crime, which is an appetising prospect for fraudsters. Not only that, but the threat surface continues to grow. Meanwhile, advanced security measures are increasingly being implemented to protect against fraud carried out at physical locations. It is for these reasons that fraudsters are continually on the lookout for new threat vectors and make it their mission to develop skills to outsmart consumers and merchants alike over the internet.
Online merchants have found themselves fighting against an uphill battle to gain control over fraudulent activity, against maintaining profitability and consumer happiness. With cybercriminals and fraudsters alike becoming increasingly savvy when it comes to tricking merchants and affecting their bottom line, how can the industry get ahead of individuals with malicious intent and claw back margin?
Fraudulent threats to online merchants
The current biggest threat to online merchants from fraudulent activity is the loss of money. The biggest causes of this is chargebacks, which is not new news, and the use of risky payment methods such as credit cards. Such payment methods come with the risk of merchants not being paid for goods, who will also lose the monetary value of the commodities, essentially resulting in a double loss.
There are also several common misconceptions that are hindering merchants regarding risk according to different payment methods. If an online merchant expands globally, they must educate themselves on the need to onboard Alternative Payment Methods (APMs) to facilitate customers preferences in target markets. However, when on-boarding new methods, merchants must also make themselves aware of the risk levels associated with each method. Unfortunately, most merchants don’t find out the associated risks until it’s too late. Due diligence must be done before APMs are offered to customers.
The reality is that merchants want and need to attract new customers, so once they’ve got their attention, they must make it easy to buy their goods online, and so often minimise the amount of data requested to carry out a transaction. However, new customers are also risky, as merchants don’t have the insight into their shopping behaviours. For example, new customers could knowingly choose a risky payment method and only plan to do one big transaction, and then disappear with valuable goods after doing a chargeback. If this happens and the merchant has only asked for minimal data, detailed checks cannot be made before approving a transaction. This also means that if the purchase does turn out to be a fraudulent, there is minimal information available to track down the culprit.
No matter which way you look at it, merchants are struggling to get the balance right between customer experience and security.
Getting ahead of fraud
So how do merchants start to get ahead of the issue at hand?
By understanding a merchant’s target market or average customer profile, and what the average transaction would look like, an understanding and an outline of what a risky transaction would look like can be built. This would be different for each and every merchant depending on their target market and which retail sector they fit into. For example, for fast fashion online merchants, if a customer bought a high volume of goods over separate transactions in a window of 10 minutes, this would be considered risky. However, for gambling merchants, if a number of high-value bets were placed in the same period of time, this wouldn’t be deemed out of the ordinary. If a merchant applies ‘Know Your Customer’ then they’re one step closer to mitigating fraudsters.
The same applies to the payment mix a merchant chooses to offer to customers. Merchants must make it their business to know the risk profile of each individual payment method and what the implication would be to them for a fraudulent transaction.
By combining the two, ‘Know Your Customer’ (KYC) and ‘Know Your Payment Risk Profiles’ then merchants can monitor for transactions involving high-risk customers, who choose to use high-risk payment methods and make a decision to decline the transaction, should it be deemed necessary.
Again, it is all about balance. Depending on the risk level of the preferred payment method for each market and the value of the goods at hand, more KYC may be required. This can include address verification, velocity checks, credit checks and multi-factor authentication, such as 3D secure, depending on the payment method used.
So, to recap; Know Your Customer, Know Your Risk and add additional layers of security for high-value items and high-risk payment methods, appropriate for the retail sector (fast fashion, gambling etc.).
Prepare, prepare and prepare some more
While merchants can be reassured that the financial services sector is working to clarify the requirements for the upcoming the Secure Customer Authentication regulation under the PSD2’s Regulatory Technical Standards, which will help mitigate against fraud by enforcing Multi-Factor Authentication (MFA). However, as this won’t be implemented until September 2019, merchants cannot afford to wait any longer.
It may be time that UK merchants consider moving away from credit-based payments, and look to more secure APMs, such iDEAL in the Netherlands and GiroPay in Germany, which are more secure by default. Such bank to bank push payment method not only help the consumer to finalise his transactions in his own secure online banking environment without giving out data to third parties; these APMs also have already build in multi factor authentication as a security measure by default. Merchants must make an educated decision on the payment mix they implement according to the risk index, with the help of their Payment Service Providers (PSPs), to tackle fraud head-on. While more layers of security may require more methods of authentication and customers to input more information, which may hinder speed and convenience at the checkout, merchants can be safe in the knowledge that high-value transactions are coming from loyal customers, and fraudulent transactions are a thing of the past.