What to do to avoid online payment fraud
Updated: May 20, 2020
Online payment fraud is rising, so if you take orders via the web or mobile apps you need to take precautions.
Business IT discussed the issue with Stripe's ANZ head of growth Mac Wang.
What is the scale of online payment fraud?
As chip-enabled cards have made brick-and-mortar shopping safer, fraudsters are increasingly targeting online stores, leading to a rise in online fraud globally and in Australia. In 2017 alone Stripe Radar prevented around $5.15 billion AUD in attempted fraud, helping the millions of companies around the world who run their business on Stripe. That said, it's important to note that these rates are still within a small percentage of overall shopping volume.
More critically, unlike their offline counterparts, internet businesses are not only responsible for detecting fraud, but are also responsible for paying the associated costs. On average, every $1.30 of fraudulent orders costs an online store an additional $3.50 and a mobile store $4.50. This makes it key for businesses online to remain vigilant and to take steps to detect and thwart fraudsters.
What are the common types of online payment fraud, and how can they be detected?
In a study of several years' worth of fraud data globally, Stripe discovered some telling patterns across countries, time of day and other behaviours that give a better understanding of the underpinnings of fraudulent behaviour.
First, fraudulent transactions are often small, which is surprising given that fraudsters are not paying for the products they buy. Stripe data shows that in Australia fraudulent transaction amounts are only slightly larger than regular transaction amounts. Second, fraudsters exhibit a more revealing signature when it comes to where and how often they shop, especially in repeat purchases on the same stolen card. Unfortunately, repeat fraud on a card is common, and more than 40 percent of compromised cards are charged for more than one fraudulent transaction. In fact, fraudsters often give themselves away by making rapid additional charges at the same businesses on the same credit card, initiating repeat purchases ten times more quickly than actual cardholders.
Third, fraudsters prefer products that don't need to be delivered, can be delivered to locations like public buildings or parks without raising flags, and can be obtained quickly before transactions are invalidated. These considerations can explain the prevalence of fraud among on-demand services and low-end consumer goods. Lastly, fraud can happen year-round and at any time of day and tends to happen during "quiet" times. For example, while fraud rates do increase during the holidays, they don't typically rise on big shopping days, but rather on days like Christmas when many people are not shopping. Similarly, fraud rates tend to peak late at night and flatten out during the day.
These trends make it critical for online businesses to have robust fraud defences ㄧ as fraudulent transactions still represent a very small percentage of overall shopping volume, the last thing you want to do is to shut out legitimate transactions along with the fraudulent ones.
What steps should small businesses take in order to protect themselves against online payment fraud?
There are three important lessons that all online businesses should consider when tackling fraud:
Don't rely on manual reviews alone.
They can be helpful, but also time consuming and not completely effective. Many businesses rely on employees to audit transactions and create complex, custom rules. However, these reviews are not the most effective way of catching fraud.
Instead, pair these manual reviews with machine learning.
With machine learning, businesses can analyse online transactions and buying patterns to flag outliers long before a human analyst would spot a problem. Plus, these models can update and retrain themselves every few weeks (or in the case of Stripe Radar, every day).
Speed is important.
Your best chance as a business of staying one step ahead is relying on what is essentially fraud-prevention-as-a-service. This is where any new signal or fraud tactic Stripe Radar detects in one part of our network can be quickly applied to help protect users across the entire Stripe network. Having this powerful machine learning combined with manual reviews provides fraud detection at an incredible scale for any business.
There's strength in numbers.
Machine learning is most effective when it's trained on a sufficiently large amount of data. That's why it's important — especially as a small business — to work with infrastructure companies that can provide great machine learning at scale.
You can save your business on training a team of engineers in house or building your own fraud prevention models by working with a third-party, especially when using machine learning. In processing transactions for hundreds of thousands of businesses around the world, Stripe is able to spot even subtle and sophisticated fraud techniques, and when Radar analyses a transaction to determine if it might be fraud, it draws from literally hundreds of billions of individual data points. That's machine learning operating scale that very few individual businesses could ever hope to achieve on their own.
Consider the trade-offs.
As with any strategic decision, it's crucial to consider the unacknowledged downsides that come from fraud prevention methods. The main difficulty is that pre-emptively blocking too many transactions means foregoing legitimate purchases too. So even once you've implemented tools for preventing fraud, it's good to remember that your ultimate goal isn't blocking fraud – it is maximising revenue.
How can small businesses ensure that their customers' card details aren't accessed by criminals?
Small businesses can protect customers' card details by working work with a trusted infrastructure platform, as well as taking into account key safety factors like tokenisation and PCI compliance. Each time a customer makes a purchase, Stripe securely collects payment information and returns a representative token to replace the sensitive card data. This is inherently more secure than sharing usable credit card numbers with each transaction, and protects sensitive information from both the customer and business.
Another crucial consideration is ensuring you are fully compliant with Payment Card Industry Data Security Standards (PCI DSS), which is a requirement for anyone involved with processing, transmission or storage of card data. Online businesses can do this either directly by undertaking the technical and operational requirements set by the PCI Security Standards Council, or by working with a PCI compliant payments platform, like Stripe, that undertakes these on your behalf, ensuring that sensitive payments data is never passed through or stored on a business' server.