Online fraud rates across the globe are predicted to grow by 13.7 per cent between 2017 and 2022. Meanwhile, card-not-present fraud is anticipated to reach £19.3 billion by the end of 2022. The industry trade body UK Finance reports that during 2017 fraudsters in the UK stole a total of £310.2 million from victims by using illegally obtained credit and debit card details for online purchases.
The easy-to-access nature of the internet and the anonymity it provides make fraud a faceless crime, which is an appetising prospect for fraudsters. Not only that, but the threat surface continues to grow. Meanwhile, advanced security measures are increasingly being implemented to protect against fraud carried out at physical locations. It is for these reasons that fraudsters are continually on the lookout for new threat vectors and make it their mission to develop skills to outsmart consumers and merchants alike over the internet.
Online merchants have found themselves fighting an uphill battle to gain control over fraudulent activity while maintaining profitability and consumer happiness. With cybercriminals and fraudsters alike becoming increasingly savvy when it comes to tricking merchants and affecting their bottom line, how can the industry get ahead of individuals with malicious intent and claw back margin?
How fraud threatens online merchants
The biggest current threat to online merchants from fraudulent activity is the loss of money. The biggest causes of this are chargebacks, which is not news, and the use of risky payment methods such as credit cards. Such payment methods come with the risk that merchants are not paid for goods and also lose the monetary value of the commodities, essentially resulting in a double loss.
There are also several common misconceptions that hinder merchants when it comes to the risk attached to different payment methods. If an online merchant expands globally, they must educate themselves on the need to onboard Alternative Payment Methods (APMs) to accommodate customers’ preferences in target markets. However, when onboarding new methods, merchants must also make themselves aware of the risk levels associated with each method. Unfortunately, most merchants don’t find out the associated risks until it’s too late. Due diligence must be done before APMs are offered to customers.
The reality is that merchants want and need to attract new customers, so once they’ve got their attention, they must make it easy to buy their goods online, and so they often minimise the amount of data requested to carry out a transaction. However, new customers are also risky, as merchants don’t have insight into their shopping behaviours. For example, a new customer could knowingly choose a risky payment method, plan to make only one big transaction, and then disappear with valuable goods after doing a chargeback. If this happens and the merchant has only asked for minimal data, detailed checks cannot be made before approving a transaction. This also means that if the purchase does turn out to be fraudulent, there is minimal information available to track down the culprit.
No matter which way you look at it, merchants are struggling to get the balance right between customer experience and security.
How to get one step ahead of fraud
So how do merchants start to get ahead of the issue at hand?
By understanding their target market or average customer profile, and what the average transaction looks like, merchants can build an outline of what a risky transaction would look like. This would be different for each and every merchant depending on their target market and which retail sector they fit into. For example, for fast fashion online merchants, if a customer bought a high volume of goods over separate transactions in a window of 10 minutes, this would be considered risky. However, for gambling merchants, if a number of high-value bets were placed in the same period of time, this wouldn’t be deemed out of the ordinary. If a merchant applies ‘Know Your Customer’ then they’re one step closer to mitigating fraud.
The same applies to the payment mix a merchant chooses to offer to customers. Merchants must make it their business to know the risk profile of each individual payment method and what the implication would be to them for a fraudulent transaction.
By combining the two, ‘Know Your Customer’ (KYC) and ‘Know Your Payment Risk Profiles’, merchants can monitor for transactions in which high-risk customers choose high-risk payment methods, and decide to decline the transaction should it be deemed necessary.
Again, it is all about balance. Depending on the risk level of the preferred payment method for each market and the value of the goods at hand, more KYC may be required. This can include address verification, velocity checks, credit checks and multi-factor authentication, such as 3D Secure, depending on the payment method used.
So, to recap: Know Your Customer, Know Your Risk and add additional layers of security for high-value items and high-risk payment methods, appropriate for the retail sector (fast fashion, gambling etc.).
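The layered decision described above, as an added example that is not part of the original article: it combines a customer profile, a payment-method risk tier and a 10-minute velocity check per retail sector. The risk tiers, thresholds, scores and all names are assumptions chosen for illustration, and the sample transactions are constructed.

```python
from dataclasses import dataclass

# Assumed risk tiers: the article only says credit cards carry chargeback
# risk and that iDEAL and GiroPay are more secure by default.
PAYMENT_RISK = {"credit_card": 2, "ideal": 0, "giropay": 0}
# Assumed per-sector limits: transactions per customer per 10-minute window,
# and the order value from which goods count as high-value.
VELOCITY_LIMIT = {"fast_fashion": 3, "gambling": 20}
HIGH_VALUE = {"fast_fashion": 300.0, "gambling": 2000.0}
WINDOW_SECONDS = 600

@dataclass
class Txn:
    customer_id: str
    timestamp: int        # seconds since epoch
    amount: float
    payment_method: str
    new_customer: bool    # no purchase history to profile against

def velocity(history, txn):
    """Count txn plus this customer's earlier transactions in the window."""
    start = txn.timestamp - WINDOW_SECONDS
    return 1 + sum(1 for h in history
                   if h.customer_id == txn.customer_id
                   and start <= h.timestamp <= txn.timestamp)

def decide(txn, history, sector):
    """Return 'approve', 'step_up' (extra KYC such as 3D Secure) or 'decline'."""
    score = PAYMENT_RISK.get(txn.payment_method, 2)  # unknown method: high risk
    if txn.new_customer:
        score += 1
    if txn.amount >= HIGH_VALUE[sector]:
        score += 1
    if velocity(history, txn) > VELOCITY_LIMIT[sector]:
        score += 2
    if score >= 5:
        return "decline"
    if score >= 3:
        return "step_up"
    return "approve"

# Constructed sample: a new customer's fourth card purchase within 10 minutes.
HISTORY = [Txn("c1", t, 80.0, "credit_card", True) for t in (1000, 1120, 1300)]
BURST = Txn("c1", 1500, 80.0, "credit_card", True)

if __name__ == "__main__":
    print(decide(BURST, HISTORY, "fast_fashion"))  # burst is abnormal here
    print(decide(BURST, HISTORY, "gambling"))      # same burst is within the norm
```

The same burst is declined for the fast fashion profile but only triggers additional authentication for the gambling profile, because the velocity limit is set per sector.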
Preparation is key
Merchants can be reassured that the financial services sector is working to clarify the requirements for the upcoming Secure Customer Authentication regulation under the PSD2’s Regulatory Technical Standards, which will help mitigate fraud by enforcing Multi-Factor Authentication (MFA). However, as this won’t be implemented until September 2019, merchants cannot afford to wait any longer.
iDEAL in the Netherlands and GiroPay in Germany are, by default, more secure APMs. These payment methods enable customers to complete transactions within a secure online banking environment, without the risk of third parties asking for further data. These APMs also have built-in multi-factor authentication as an additional security measure. It may be time for online UK merchants to consider moving away from their current credit-based payment methods. Guided by the risk index, and with the help of their Payment Service Providers (PSPs), merchants must make an educated decision on the payment methods they implement in order to tackle fraud head-on. This approach may mean that more methods of authentication are required and that customers must therefore input more information, which in turn may jeopardise the speed and convenience of the overall checkout process. Ultimately, however, it will help tackle fraud, and as a result merchants will feel safe in the knowledge that these high-value transactions are coming from loyal customers, with fraudulent transactions in the past once and for all.
Karsten Witke, Head of Risk Payment Services, PPRO Group