Did you know that, according to the LexisNexis True Cost of Fraud Study, in 2016 large e-commerce merchants tracked a 48% success rate for credit card payment fraud attempts? The situation with debit cards and other payment types is slightly better, but the trend data is alarming. Since 2015 the fraud losses experienced by online merchants have increased by 9%, and fraud growth continues to outpace e-commerce growth. While some business owners prefer to believe that this problem affects only cardholders and account owners, payment fraud hits e-commerce platforms hard.
Fraud Faced By E-Commerce
E-commerce fraud is associated not only with card payments over the Internet, but also with online or mobile banking and e-wallet payments. Any transaction made with personal data obtained illegally or under false pretences can be classified as Internet payment fraud.
There are many ways for fraudsters to obtain the sensitive personal data of cardholders and account owners. Here are the most widespread fraudulent schemes:
Theft of card details by installing a card-reading (skimming) device on an ATM or by setting up a fake ATM;
Obtaining card details or personal information via phone calls, SMS messages and emails that ask the victim to confirm the card number, card expiration date and other sensitive data (phishing);
Use of fake websites imitating existing companies to steal the necessary data;
Use of malware and cyber attacks, including attacks on e-commerce platforms to steal their customers' data;
Theft of card details at the point of sale (by a cashier in collusion with fraudsters) by scanning or copying the card while it is out of the holder's sight.
Sometimes, fraudulent schemes are not directly associated with stealing card details. For example, a well-known PayPal payment fraud involves sending the merchant an email with a fake PayPal notice asking for a shipping confirmation and tracking number in order to release a supposedly pending payment. After the merchant sends the tracking number (and ships the goods), the payment never arrives, because there was none.
Once they hold the necessary personal or payment information, fraudsters can use it to pay for goods and services on the Internet. And here we come to the most important point: how e-commerce merchants lose their money.
Within international payment systems such as Visa, MasterCard, American Express or Diners Club, an "issuing bank" issues a credit card to the holder and an "acquiring bank" enables the merchant to accept that card for payment. When the cardholder makes a purchase in an e-shop, the card data is transferred to the acquirer and then to the issuer. The issuer verifies the data and the availability of funds, and either approves or declines the purchase. Under the rules for offline (card-present) trade, the issuer is liable for fraudulent transactions with plastic cards (i.e. it refunds the cardholder in case of payment fraud); in e-commerce (card-not-present) practice the liability lies with the acquirer, which as a rule shifts it to the e-shop.
Thus, the e-commerce merchant turns out to be the most vulnerable party in the scheme, since it can lose both the product shipped to the fraudsters and the money refunded to the cardholder (the chargeback).
How to Build Protection against E-Commerce Fraud
Payment fraud prevention can be built both on the e-shop side and on the side of a payment gateway or billing company. Typically, this protection consists of a set of filters and rules: if a transaction satisfies these rules it is allowed, otherwise it is declined. Such filters can include:
Transaction security mechanisms that also prevent payment system fraud, such as CVV2/CVC2 codes, Address Verification Service (AVS), etc.
Checking the data specified by the buyer when placing an order (card details, name and address, etc.). For example, if the cardholder's home (billing) address differs from the shipping address, the transaction is either rejected or approved only after contacting the cardholder for confirmation.
Monitoring fraudulent activity and statistics (for example, multiple transactions with different credit cards from the same IP address can be interpreted as Internet payment fraud).
Monitoring the user's Internet connection to the online store (for example, if a buyer visits the site via an anonymous proxy server, the transaction is likely to be rejected).
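The filter set above, as an added example that is not code from the original article or from any particular gateway: a small Python rule engine that screens transactions against the CVV2/CVC2 result, an AVS or shipping-address mismatch, the number of distinct cards seen from one IP address within a time window, and a list of anonymous-proxy ranges. The proxy ranges, thresholds, addresses and transactions are all constructed for illustration; a real deployment would take the CVV and AVS results from the issuer's authorization response and the proxy list from a reputation feed.

```python
"""Rule-based screening of card-not-present transactions (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed placeholder: network ranges treated as anonymizing proxies.
ANONYMOUS_PROXY_RANGES = [ip_network("198.51.100.0/24")]

# Velocity rule (constructed threshold): more than this many distinct cards
# from one IP address inside VELOCITY_WINDOW is declined.
MAX_CARDS_PER_IP = 3
VELOCITY_WINDOW = timedelta(hours=1)


@dataclass
class Transaction:
    tx_id: str
    timestamp: datetime
    card_last4: str          # store only the last four digits, never the full PAN
    cvv_match: bool          # CVV2/CVC2 result returned by the issuer
    avs_match: bool          # Address Verification Service result on the billing address
    billing_address: str
    shipping_address: str
    ip: str


@dataclass
class Decision:
    tx_id: str
    outcome: str             # "approve", "review" or "decline"
    reasons: list = field(default_factory=list)


class FraudScreen:
    def __init__(self):
        # ip -> [(timestamp, card_last4), ...] seen so far, for the velocity rule
        self._seen = defaultdict(list)

    def _is_anonymous_proxy(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in ANONYMOUS_PROXY_RANGES)

    def _distinct_cards_from_ip(self, tx):
        # Drop history older than the window, record this card, count distinct cards.
        cutoff = tx.timestamp - VELOCITY_WINDOW
        history = [(ts, c) for ts, c in self._seen[tx.ip] if ts >= cutoff]
        history.append((tx.timestamp, tx.card_last4))
        self._seen[tx.ip] = history
        return len({c for _, c in history})

    def screen(self, tx):
        hard_fail = []   # any of these declines the transaction outright
        soft_fail = []   # these send it to manual review (contact the cardholder)

        if not tx.cvv_match:
            hard_fail.append("CVV2/CVC2 check failed")
        if self._is_anonymous_proxy(tx.ip):
            hard_fail.append("order placed through an anonymous proxy")
        if self._distinct_cards_from_ip(tx) > MAX_CARDS_PER_IP:
            hard_fail.append("too many distinct cards from one IP address")
        if not tx.avs_match:
            soft_fail.append("AVS mismatch on billing address")
        if tx.billing_address.strip().lower() != tx.shipping_address.strip().lower():
            soft_fail.append("shipping address differs from billing address")

        if hard_fail:
            return Decision(tx.tx_id, "decline", hard_fail + soft_fail)
        if soft_fail:
            return Decision(tx.tx_id, "review", soft_fail)
        return Decision(tx.tx_id, "approve")


def run_sample():
    """Screen a constructed batch of orders and return {tx_id: Decision}."""
    base = datetime(2016, 6, 1, 12, 0)
    home = "1 Main St, Springfield"
    sample = [
        Transaction("t1", base, "1111", True, True, home, home, "192.0.2.10"),
        Transaction("t2", base, "2222", True, True, home, "9 Other Rd, Shelbyville", "192.0.2.11"),
        Transaction("t3", base, "3333", False, True, home, home, "192.0.2.12"),
        Transaction("t4", base, "4444", True, True, home, home, "198.51.100.5"),
    ]
    # Four different cards from the same IP address within a few minutes.
    for i, last4 in enumerate(["5001", "5002", "5003", "5004"]):
        sample.append(Transaction(f"v{i + 1}", base + timedelta(minutes=i), last4,
                                  True, True, home, home, "203.0.113.7"))
    screen = FraudScreen()
    return {tx.tx_id: screen.screen(tx) for tx in sample}


if __name__ == "__main__":
    for tx_id, d in run_sample().items():
        print(tx_id, d.outcome, "; ".join(d.reasons))
```

The split between hard and soft failures mirrors the article's two outcomes: a failed CVV check, a known anonymizing proxy or a burst of distinct cards from one address is declined, while an address mismatch alone only holds the order for confirmation with the cardholder. Keeping the velocity history keyed by IP and pruned to the window means the same engine can run continuously at a gateway rather than over a fixed batch.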