OmniCommerce and the changing nature of fraud

Blog Post created by gjsissons on May 9, 2016

Developers have a key role to play


While fraud has always been a concern, with the EMV liability shift upon us, combating fraud at the point of sale (POS) is top of mind for merchants. As the POS becomes a harder target, however, fraudsters are likely to shift their focus toward softer targets like the merchant website and mobile platforms. As the nature of the threat evolves, developers have a key role to play in helping merchants combat fraud across all their payment channels.


Striking the right balance


Developers of payment applications face a difficult dilemma. If they don’t pay enough attention to fraud, they leave the merchants that rely on them vulnerable to increased chargebacks, sanctions from credit card companies and other potential costs. If developers are too aggressive in implementing anti-fraud measures, they risk turning away legitimate transactions and antagonizing the merchant’s customers. Merchants are looking for the “Goldilocks solution” – one that calibrates anti-fraud measures precisely such that they catch the majority of bad transactions while minimizing false positives. With this in mind, it is useful to step back and recall how fraud and its associated countermeasures have evolved.

Necessity is the mother of invention


Innovations in fraud prevention have come about mainly in response to abuse. Looking back almost a decade and a half, when card fraud became an issue with card-not-present (CNP) eCommerce and other channels such as mail order and telephone order transactions, the card industry responded with Card Verification Values (CVV) and the Address Verification Service (AVS). These measures, implemented around the year 2000, helped ensure that customers were physically in possession of cards and helped merchants manage fraud from stolen cards. Most developers built applications with custom logic or in-house rules to filter or perform additional reviews on transactions that failed AVS or CVV. They paired these basic checks with certain white lists and black lists based on the card number and customer name. These basic filters and black lists are now table stakes for most payment processors. For example, Vantiv offers a wealth of features that help eCommerce merchants make better decisions about what transactions to accept. These include options to filter pre-paid cards so that they are not used for recurring payment transactions, flagging of cards that have resulted in prior chargebacks, and velocity filters that can trigger declines when a threshold number of authorization or sales transactions have taken place.


Beyond these basic capabilities, Advanced Fraud Tools from Vantiv help “score” transactions based on dozens of fraud predictors for even greater accuracy. Some specific techniques include:


  • Fingerprinting devices, and detecting machines that have exceeded configurable payment thresholds within particular periods
  • Detecting devices originating transactions on behalf of multiple customers
  • Identifying devices originating transactions through multiple proxies, anonymous proxies, or attempting to cloak their identity
  • Flagging transactions involving the same customer originating from multiple geographies or mismatches between the location and the browser language
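The velocity filter and the four device and customer signals listed above can be expressed as simple rules over a transaction stream. The following is an added example, not Vantiv's code or API: the field names, thresholds, rule names and sample transactions are all assumptions constructed for illustration, and the language check is a deliberately crude comparison of the browser locale's region subtag with the transaction country.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data); field names are assumptions.
FIELDS = ("id", "ts", "device", "customer", "country", "lang")
TXNS = [dict(zip(FIELDS, row)) for row in [
    ("t1", "2016-05-09T10:00:00", "dev-A", "alice", "US", "en-US"),
    ("t2", "2016-05-09T10:02:00", "dev-A", "alice", "US", "en-US"),
    ("t3", "2016-05-09T10:04:00", "dev-A", "bob",   "US", "en-US"),
    ("t4", "2016-05-09T10:06:00", "dev-A", "carol", "US", "en-US"),
    ("t5", "2016-05-09T10:30:00", "dev-B", "dave",  "US", "en-US"),
    ("t6", "2016-05-09T10:45:00", "dev-C", "dave",  "BR", "ru-RU"),
]]

WINDOW = timedelta(minutes=10)   # assumed velocity window
MAX_PER_WINDOW = 3               # assumed payments allowed per device per window
MAX_CUSTOMERS_PER_DEVICE = 2     # assumed distinct customers allowed per device

def score(txns):
    """Return {txn_id: sorted rule names} for transactions that trip a rule."""
    flags = defaultdict(set)
    recent = defaultdict(list)          # device -> timestamps still inside WINDOW
    dev_customers = defaultdict(set)    # device -> customers seen on it
    cust_countries = defaultdict(set)   # customer -> countries seen
    for t in sorted(txns, key=lambda t: t["ts"]):
        ts, dev, cust = datetime.fromisoformat(t["ts"]), t["device"], t["customer"]
        # Rule 1: device exceeds the payment threshold within the window.
        recent[dev] = [x for x in recent[dev] if ts - x <= WINDOW] + [ts]
        if len(recent[dev]) > MAX_PER_WINDOW:
            flags[t["id"]].add("device_velocity")
        # Rule 2: one device originating payments for many customers.
        dev_customers[dev].add(cust)
        if len(dev_customers[dev]) > MAX_CUSTOMERS_PER_DEVICE:
            flags[t["id"]].add("device_multi_customer")
        # Rule 3: same customer seen from more than one geography.
        cust_countries[cust].add(t["country"])
        if len(cust_countries[cust]) > 1:
            flags[t["id"]].add("customer_multi_geo")
        # Rule 4: browser language region disagrees with the location.
        _, sep, region = t["lang"].partition("-")
        if sep and region.upper() != t["country"]:
            flags[t["id"]].add("geo_language_mismatch")
    return {txn_id: sorted(rules) for txn_id, rules in flags.items()}

if __name__ == "__main__":
    for txn_id, rules in score(TXNS).items():
        print(txn_id, rules)
```

Each rule flags only the transaction at which its threshold is crossed; whether a flag leads to a decline or a manual review is the calibration decision discussed earlier.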


While these techniques are powerful, cost is an issue - especially for smaller merchants. Having dedicated analysts and even data scientists on staff makes sense for large merchants where the savings outweigh the costs, but smaller merchants cannot deploy the same types of sophisticated analytic environments that make sense for a major retailer.


Toward more automated detection


To address the challenge of providing increasingly sophisticated analytics in a manner that is easy for developers to implement and merchants to manage, leading providers like Vantiv are investing in new approaches to better detect and manage fraud. One such approach is the use of “beacon” technology – small fragments of JavaScript that developers can embed in the merchant’s web store and that silently relay telemetry back to the payment provider, tracking the behavior of the website visitor at every step (behavioral analysis). Similar to the way Google Analytics functions, this approach frees developers from the need to instrument and analyze fraud-related activity themselves.


Owing to their economies of scale, payment processors collaborating with fraud providers can centrally and cost-efficiently deliver sophisticated behavior-based analytics, monitoring users for anomalous behavior on the website and flagging activity that looks suspicious. By processing this gathered information with machine-learning algorithms able to fine-tune predictive models, merchants can find the optimal balance. This level of sophistication would be impractical and cost-prohibitive for most merchants to implement and manage themselves.


Vantiv provides developers with a choice. They can collect critical information, relay it to Vantiv as payment transaction metadata, and let Vantiv make the determination of what constitutes fraud based on server-side fraud detection settings configurable for each merchant. As an alternative, developers can take advantage of API level extensions that expose sophisticated anti-fraud capabilities, providing developers with more granular control over how to handle potentially fraudulent transactions.


Taking a broader view of fraud


With the need to support EMV, developers and merchants are re-examining their POS technologies. The time is ripe to think beyond the checkout line, to solutions that can cost-efficiently combat fraud across all channels. Developers interested in learning more about how they can help reduce fraud for CNP transactions can download our whitepaper, A Developer’s Guide to Combating Fraud.


For more information about Vantiv’s Advanced Fraud Technologies, and other security solutions of interest to developers, visit the Vantiv Developer Network at https://www.vantiv.com/developers/ecommerce-payments#security-features.