Preventing online payment fraud

67 points, posted by erangalp almost 13 years ago

9 comments

patio11, almost 13 years ago

This article is amazingly worth your time. Endorsement out of the way, I have one quibble and some elaboration:

I don't exactly love conflating buyer's remorse with payment fraud, since buyer's remorse is a psychological phenomenon and happens independently of fraudulent intent. Then again that's a bit hairsplitting.

So, you're a digital goods business. What can you do to reduce the odds that a customer requests a transaction get reversed, given that the customer initially did authorize the transaction?

1) Do nothing. Treat this as a cost of doing business. This works astoundingly well for many client populations, which have naturally low refund rates. (I'll give you a refund for any reason whatsoever, and I give out substantially less than 2%. Not worth optimizing.)

But maybe you've made the decision to target poor customers, startups, infovores (they buy more books/videos/etc on X than they can consume or make effective use of, and have disproportionately high refund rates), or an audience demographically dissimilar to American housewives. OK, we still have options:

2) Add value to the one-time download by, e.g., providing a support channel gated on having an account in good standing. Note that this also lets you do fantastically lucrative things like e.g. the club model for digital goods (recurring payment for one-time downloads), which e.g. put WooThemes on the map.

3) For infovore-heavy niches, many people will suggest forcing delayed gratification on the customer. For example, let's say you have just sold someone 5 videos / ebooks / etc with expected consumption time of 2 hours each. Rather than hitting them with 10 hours of video all at once, you drip them out to the user at 2 hours per week for 5 weeks. This can be timed such that they don't get the final video until after your money-back guarantee expires. That's totally optional, though. The theory is that a) you avoid overwhelming people and b) getting in their inbox 5 times with announcements of even more value they got from you helps to prevent a common problem of "Oh, didn't actually have enough time to read/watch/act on that because I totally forgot to make that time, guess I should return it."

4) A lot of savvier folks in this space have customer communities where a) the interaction between customers adds value on top of the product, b) desire to maintain the interaction incentivizes people to not leave, and c) customers will (for their own reasons) do significant amounts of boring work for free, such that you don't have to add a not-so-lucrative "Infinite free support" sideline to a lucrative digital goods business.

5) Too late for you now, but for the benefit of everyone else, a great way to avoid getting emails by someone whining about getting a refund for the $8 they spent on your ebook is to never ever ever ever ever do business with people at the $8 price point. Search HN [patio11 pathological customers] for more on this.
Comment #4349678 not loaded
Comment #4349333 not loaded
brandonb, almost 13 years ago

This article has great advice. I work on fraud detection, and a lot of companies start off by building basic checks like AVS, CVV, proxies, IP-billing location mismatch, etc. What usually happens afterward is that the fraudsters get more clever. For example, we've seen sites implement SMS verification, but then the fraudsters will set up Twilio phone numbers to fool it. The sites block IPs, but then fraudsters go through an internet cafe or proxy. Sites shut down one account, and the fraudsters rent a botnet and run scripts to create a thousand more. It's a cat and mouse game.

Companies where payments are central (e.g., PayPal, Square) end up building some combination of machine learning, investigation tools, a dedicated operations team to review/verify suspicious transactions, and custom logic to look at all sorts of signals correlated with fraud. Often they'll have dozens or hundreds of people working on this.

For everybody else, I'd echo Eran's advice to just outsource this. There are plenty of vendors out there. Here's one list: https://www.merchantriskcouncil.org/index.cfm?pageId=702

If anybody out there is dealing with fraud or chargebacks, my company (Sift Science) provides an API to do exactly the checks Eran's article suggests and a lot more. Even if our technology doesn't apply, I'm happy to just give advice and point people in the right direction. My e-mail is brandon@siftscience.com.
jacques_chester, almost 13 years ago

Given that my startup is heading towards an area with a historically high rate of chargebacks and I was facing the nightmare of fraud detection, this particular article is like a nugget of solid gold that has descended from the clouds with a heavenly host providing choral music.

Thank you.
Cherian_Abraham, almost 13 years ago

Online fraud is expected to grow substantially in the near future, as e-commerce and CNP (card not present) transactions are expected to grow exponentially in relation to offline (or card present).

With card issuers planning to issue chip cards (to stay in compliance with Visa's EMV mandate), fraud will shift from retail to online (where chip offers no additional protection), as has already happened in Europe with the EMV shift there.
jasonlotito, almost 13 years ago

It's a good article. I'd like to add two other things you should consider when handling credit cards.

The first is 3DSecure (or VbV). They are the most secure ways to accept credit cards, though they aren't as easy for users to use. However, they do go a long way to protecting the merchant. If you're handling B2B transactions that are high risk, you might consider enforcing this. Again, it's not a solution to wield lightly, but it is a solution.

Also, you can require out-of-band authentication. Generally, this is in the way of making a telephone call, and requiring the user to input a 4-digit PIN. This, combined with everything else, will help hinder potential fraud. More importantly, it helps to protect against friendly fraud.

Of the two, telephone authentication is easiest to implement, but do not discount 3DS for higher priced purchases.

Comment #4349941 not loaded
Comment #4349986 not loaded
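The telephone PIN check jasonlotito describes, as an added example written for this thread rather than code from the article or from any commenter. It assumes a telephony hook `place_call(phone, pin)` (hypothetical; in practice a provider call), a five-minute PIN lifetime and a three-attempt cap; both numbers are assumptions. The design points a practitioner would want are all here: the PIN comes from a CSPRNG and is zero-padded so "0042" is a valid value, only a keyed hash of it is kept server-side, comparison is constant-time, and because a 4-digit PIN has only 10,000 values the attempt cap and expiry are what actually stop guessing. Successful verifications are logged as evidence for a later friendly-fraud dispute.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

PIN_TTL_SECONDS = 300      # assumption: the spoken PIN is valid for five minutes
MAX_ATTEMPTS = 3           # assumption: three guesses, then the challenge is discarded


@dataclass
class PendingChallenge:
    phone: str
    salt: bytes
    pin_mac: bytes
    expires_at: float
    attempts_left: int


def _mac_pin(pin: str, salt: bytes) -> bytes:
    # A 4-digit PIN has only 10,000 values, so hashing cannot stop offline guessing;
    # it only keeps live PINs out of logs and memory dumps. The attempt cap in
    # PhoneVerifier.verify is what actually defeats guessing.
    return hmac.new(salt, pin.encode("utf-8"), hashlib.sha256).digest()


class PhoneVerifier:
    """Out-of-band phone check: call the customer, read a PIN, require it back on the site."""

    def __init__(self, place_call: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self._place_call = place_call   # hypothetical telephony hook: (phone, pin) -> None
        self._now = now                 # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingChallenge] = {}
        self.audit: List[dict] = []     # evidence to attach to a later chargeback dispute

    def start(self, order_id: str, phone: str) -> None:
        pin = f"{secrets.randbelow(10_000):04d}"   # CSPRNG, zero-padded so 0042 is valid
        salt = secrets.token_bytes(16)
        self._pending[order_id] = PendingChallenge(
            phone=phone,
            salt=salt,
            pin_mac=_mac_pin(pin, salt),
            expires_at=self._now() + PIN_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._place_call(phone, pin)     # the plaintext PIN leaves the server only via the call

    def verify(self, order_id: str, entered: str) -> str:
        ch = self._pending.get(order_id)
        if ch is None:
            return "no_challenge"
        if self._now() > ch.expires_at:
            del self._pending[order_id]
            return "expired"
        ch.attempts_left -= 1
        # Constant-time comparison so response timing does not leak matching prefixes
        if hmac.compare_digest(_mac_pin(entered, ch.salt), ch.pin_mac):
            del self._pending[order_id]
            self.audit.append({"order_id": order_id, "phone": ch.phone, "verified_at": self._now()})
            return "verified"
        if ch.attempts_left == 0:
            del self._pending[order_id]
            return "locked"
        return "wrong_pin"


if __name__ == "__main__":
    spoken = {}

    def fake_call(phone: str, pin: str) -> None:   # stands in for the telephony provider
        spoken[phone] = pin

    v = PhoneVerifier(place_call=fake_call)
    v.start("order-42", "+15550100")
    print(v.verify("order-42", spoken["+15550100"]))  # verified
```

The challenge is keyed by order, not by phone, so a fraudster who controls a rented VoIP number still has to complete the call for each order, and a locked or expired challenge has to be restarted (a fresh PIN) rather than retried.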
bdwalter, almost 13 years ago

Take a look at realtime device identification and shared reputation services. This allows you to uniquely identify the end user devices accessing your site and assess their reputation and fraud history across a shared network of intelligence. Services like http://www.iovation.com are massively effective at fighting fraud.
tommccabe, almost 13 years ago

Good collection of advice; very helpful.

I use Cybersource for payment processing on an e-commerce site. I've been really happy with their fraud screening service: automated rules, similar to the list in this post, flag certain orders for manual review. These automated rules have been able to catch orders that, otherwise, might have gone unnoticed and saved a lot of time in the process.
teyc, almost 13 years ago

Very relevant. I was listening on Mixergy about how BrandStack shut down because of credit card fraud. For anyone contemplating building a marketplace, for heaven's sake, outsource this.

For digital sites like BinPress, an automated capture of a photo via a web cam might be sufficient to deter fraudsters. Anyone care to build something like this?
adrianwaj, almost 13 years ago

Well, I am thinking of selling goods in the future. It'll be bank transfers or bitcoins. Simple.

Add: if someone worries about whether I have the goods or will ship, I'll offer to take a photo of me holding them next to that day's newspaper and have some testimonials up on the site. Simple.

Comment #4351888 not loaded