E-commerce verification processes face regulatory pitfalls


Kimberley Long
E-commerce protection measures often focus on how to safeguard the consumer, but merchants also need security to counter the threat from fraud.

Merchants are wary of the level of exposure they face from e-commerce transactions. Hacks can lead to heavy fines and reputational damage, while fraudulent transactions can lead to loss of revenue.

There are a number of ways in which payments companies are helping these merchants to reduce the risk of loss of earnings due to fraud. Daniel Kornitzer, chief product officer at digital payments provider Paysafe, says there is often a defined pattern of behaviour that is flagged up when fraud is taking place on an account. 

“Fraudulent transactions will often have suspicious characteristics, such as repeated logins, unusual addresses or unusual payment amounts, and overuse of odd or free email addresses,” he says. “These anomalies can be spotted by analysing a merchant’s order and transaction data. Acquirers can also help by notifying a merchant of suspicious chargeback and authentication activity.”

Daniel Kornitzer, Paysafe 

Kornitzer says that payments have remained vulnerable to attacks despite all of the processes now in place to check the validity of transactions. There are, however, a range of signifiers that are unique to the individual, and any variations outside of this can also be a sign of fraud. 

“Various elements of a payment can be uniquely identified for every e-commerce transaction,” he says. “The size of the transaction, mismatches in addresses, velocity, inconsistencies and whether it goes against normal spending patterns, all play a part in deciding whether a transaction needs to be flagged or escalated for further checks by a human.”

Something as simple as checking that the customer is in the country they claim they are can flag up problems. Kornitzer says: “Checking the location of the IP address, and comparing this with the shipping and billing address is just one of these checks.”

The difficulty comes with customers expecting their transactions to be completed instantly, meaning all of these detailed checks have to take place within seconds.
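
The checks described above (IP country against billing and shipping address, velocity, unusual amounts, free email addresses), combined into a rule-based screen that escalates an order for human review. This is an added example, not code from Paysafe or the article; the field names, thresholds and free-email list are assumptions, and the IP country is assumed to be resolved upstream by a GeoIP lookup.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed, illustrative values; tune them against the merchant's own data.
FREE_EMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3      # orders per account allowed inside the window
AMOUNT_Z_LIMIT = 3.0    # standard deviations above the account's mean spend
REVIEW_THRESHOLD = 2    # signals needed before escalating to a human

def fraud_signals(order, history):
    """List the signals an order trips, given the account's earlier orders."""
    signals = []
    # Location: IP country (resolved upstream by a GeoIP lookup) vs. addresses.
    if order["ip_country"] not in (order["billing_country"], order["shipping_country"]):
        signals.append("ip_country_mismatch")
    if order["billing_country"] != order["shipping_country"]:
        signals.append("address_mismatch")
    # Velocity: this order plus earlier ones inside the window.
    recent = [h for h in history if order["time"] - h["time"] <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:
        signals.append("velocity")
    # Amount: far above the account's normal spending pattern.
    amounts = [h["amount"] for h in history]
    if len(amounts) >= 3:
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0 and (order["amount"] - mu) / sigma > AMOUNT_Z_LIMIT:
            signals.append("unusual_amount")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        signals.append("free_email")
    return signals

def decide(order, history):
    """Escalate to manual review when enough independent signals agree."""
    signals = fraud_signals(order, history)
    return ("review" if len(signals) >= REVIEW_THRESHOLD else "accept"), signals

# Constructed sample data (not real transactions).
NOW = datetime(2024, 1, 15, 12, 0)
HISTORY = [{"time": NOW - timedelta(days=d), "amount": a}
           for d, a in [(30, 40.0), (21, 55.0), (14, 45.0), (7, 60.0)]]
NORMAL = {"time": NOW, "amount": 50.0, "email": "anna@example.nl",
          "ip_country": "NL", "billing_country": "NL", "shipping_country": "NL"}
SUSPECT = {"time": NOW, "amount": 900.0, "email": "x91k@gmail.com",
           "ip_country": "BR", "billing_country": "NL", "shipping_country": "NL"}

if __name__ == "__main__":
    for name, order in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, decide(order, HISTORY))
```

Requiring two signals before review keeps a single weak indicator, such as a free email address on its own, from blocking a legitimate customer.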

One key aspect is that customers must decide how much information they want their banks and merchants to hold about them. Rabobank has partnered with digital identity provider Signicat to launch the Digital Identity Service Provider (DISP) in the Netherlands. The platform stores customer information, and gives customers insights on the level of information stored.

Marco Bosma, senior vice-president of fintech and innovation at Rabobank, says that having the bank as the central party seemed to be a natural solution due to the amount of information banks already hold on their customers, and the inherent level of trust customers have with their banks: “With ID management, there are very few trusted parties that customers want to give their ID and credentials to.”

However, ID checks throw up concerns of their own. Although data can be stored to an extent, there are regulations that need to be adhered to. The EU’s General Data Protection Regulation (GDPR) aims to give control back to the customer on how and where their data is used.

 Lu Zurawski, ACI 

Lu Zurawski, practice lead, retail banking and consumer payments at payments solutions provider ACI, says: “Under GDPR there needs to be understanding on who owns the customer data. As well as encouraging merchants to handle information more securely to avoid data breach fraud, the regulation also means customers need to have their personal data properly protected, and to have the decision on how and what data about them is kept on file.”

Rabobank’s Bosma says giving the customer control of their own information is a prominent part of DISP: “ID fraud is a headache for everyone involved. Putting the individual customer in control of the data is the critical element.”

There are also options that get around the issues of data storage by relying on the relationship between the customer’s card and their mobile device. MasterCard’s Digital Enablement Service (MDES) is used on mobile payment platforms like Apple Pay. MDES issues card numbers used by the mobile device, known as tokens, which are used in the transaction in place of the customer’s actual card number.

MDES tracks the transaction back and forth from the customer to the issuer to be authorized. Should fraud be detected the transaction will be blocked and a new token can be issued without disruption to the customer.

David Deschamps, senior vice president, digital payments at MasterCard, says: “The service will provide the level of ID needed to the merchant to know the transaction is secure. It will use the card number required related to bank, but send an alternative card number to store.”

Paysafe offers the payolution solution, which takes on the financial risk faced by the merchant. Kornitzer says: “Payolution provides a pay-after-delivery model. By offering this we take on the merchant risk of the payment not being made, as well as providing added convenience to the consumer.”

In many cases, having these multiple layers of verification in place is necessary to complete transactions. A high level of security helps to reassure merchants, especially as they look to take full advantage of the benefits that operating in a global marketplace can provide. Kornitzer says: “Some merchants fear cross-border payments, especially when they feel ill-equipped to identify fraudulent transactions. This is why it’s important to work with a payments company that has the people, tools and processes to filter out the transactions that are likely to be fraud.”