Risk management. SmartPay

Contents

Introduction
  Managing conversion and risk
  Managing false positives
  Finding the optimum
How it works
  Hosted payment pages
  Fraud score action
  Managing the settings
  Settings management in more detail
  Settings levels
Advanced features
  Dynamic 3D secure
  Device fingerprinting
  Oil Splash Search
  Advanced search
  Risk API
  Specific risk checks
  Checks specific for payment methods
  Country-specific checks
  Refusal reason code support
Risk reporting and monitoring
Risk checks explained
  Referral checks
    Card number referral list
    Shopper IP originates from high-risk country
    Shopper IP referral list
    Issuing country referral list
    Issuer referral list
    Shopper using anonymous proxy
    Shopper email referral list
    Shopper name referral list
  Consistency checks
    Shopper country differs from issuing country
    The card holder name contains non-alphabetic characters
    The card holder name is only one word
    The bank account number contains a numeric sequence
    Bank account is not likely to be a consumer bank account
    Bank name doesn’t match bank location ID (blz.) (ELV)
    Bank address doesn’t match any branch offices (ELV)
    Billing address does not match card holder address (AVS)
  Velocity checks
    Card chunk usage frequency
    Card number usage frequency
    Card holder name usage frequency
    Shopper email usage frequency
    Shopper IP usage frequency
Cases and examples

Introduction

The advantages of the Barclaycard SmartPay risk management system are:

– fully hosted and managed risk system
– works in real time on the merchant’s payment traffic
– highly customisable by changing risk settings
– can effectively block fraud while letting genuine customers pass
– advisory modules for risk settings and yield optimisation
– special reporting and search to give merchants insight into risk performance.

Key features discussed in this whitepaper are the following:

– how conversion optimisation works together with risk management
– how to use the Barclaycard SmartPay risk control system to block fraudulent shoppers
– how to minimise false positives in this process
– what could be the best risk strategy
– how to realise an effective yield optimisation.

Risk management consists mainly of dealing with transactions that are reversed after the product or service has been delivered. For merchants this means that revenue is lost, so it is important to keep control over this process.

This whitepaper describes the innovative way Barclaycard SmartPay deals with fraud and risk management. The most important question to answer is how to minimise fraud costs while maximising revenues.

Managing conversion and risk

The Barclaycard SmartPay payment system is built to optimise conversion for its merchants – the hosted payment pages offer a high degree of customisation and have been thoroughly tested to make it as easy as possible to pay. However, accepting payments also means accepting the risk for transactions that will be reversed later on. These chargebacks can occur for both credit cards and debit payment methods. Possible reasons for chargebacks are:

– fraud, where the credit card or bank account of someone else is used by a fraudster
– insufficient balance on a bank account (especially with direct debits)
– the transaction is not recognised by the card holder who made the payment
– there has been a problem in the delivery or return of the product.

Therefore a risk management system is needed that can detect transactions that are liable to be reversed at a later stage. Although not all chargebacks can be detected beforehand, it is still possible to detect and avert most of the fraudulent transaction attempts.

The four possible outcomes of a fraud check:

True positive: this is fraud, and the fraud detection system rightly blocks it.
False positive: this is not fraud, but the fraud detection system thinks it is. The transaction is blocked while it shouldn’t have been; you miss legitimate revenue here.
False negative: this is a fraudulent transaction and the fraud system fails to detect it; you lose money because of chargebacks.
True negative: this is a genuine transaction and it passes the fraud detection.


Managing false positives

However, for every blocked transaction, there is a chance that it would have been a legitimate transaction. So a fraud protection tool that is set up too tightly will block many genuine transactions, and therefore have a negative impact on revenues.

These transactions are called false positives: transactions that a fraud system triggered as potentially fraudulent (therefore having a ‘positive’ result in the fraud check and subsequently blocked) but which actually would have been normal transactions not resulting in a chargeback.

Of course, it is nearly impossible to know which blocked transactions were genuine and which ones would have resulted in a chargeback.

Strict settings: less fraud but many false positives. Less strict settings: more fraud but also more revenue. The optimum lies somewhere in between.

Finding the optimum

For a tightly configured fraud detection system that blocks most of the fraudulent transactions, many false positives may occur as ‘collateral damage’, seriously impeding the business.

The definition of ‘acceptable’ varies from merchant to merchant. For selling online access to games, higher fraud rates will be acceptable than for selling high-value tangibles such as consumer electronics.

How to minimise false positives...

... while at the same time keeping fraud at an acceptable level


How it works

Hosted payment pages

A payment page is presented where the payment options and payment details can be entered [1], after which the fraud score is calculated.

– The original request should contain as many details about the customer as are already known to the merchant.
– Along with these details, we also obtain crucial data such as IP address, browser settings etc. from the consumer. All these data together are fed to the Barclaycard SmartPay Risk Control System, where many checks are performed on the data, resulting in a final fraud score.

Fraud score action

– If the fraud score is 100 or higher, the transaction is refused by Barclaycard SmartPay automatically.
– If the fraud score is less than 100, the transaction is sent for authorisation to the credit card networks (usually from acquirer via central scheme to the issuer) [2].
– How the risk control system calculates its final score largely depends on the settings, which we will discuss now.

Threshold: all transactions with a fraud score >= 100 are blocked by Barclaycard SmartPay. Transactions with a fraud score of 0-99 carry a varying degree of suspected fraud. A negative value means that the transaction is considered relatively safe.

Managing the settings

The risk control system calculates the final score based on many checks that are performed on a transaction. We will discuss some of the individual checks further on in this whitepaper. Every check can, if triggered, add a score to the total fraud score [3].

This means that merchants can experiment with the settings to find the optimum between blocking too many transactions and letting too many transactions pass through. During setup of the merchant account with Barclaycard SmartPay, the account manager at Barclaycard SmartPay will assist and advise on a good starting point. But it is also part of our standard operations to keep monitoring performance of individual and global risk control settings within Barclaycard SmartPay.

Settings management in more detail

There are several classes of real-time checks Barclaycard SmartPay performs on each transaction:

– referral list checking of card numbers, email addresses, IP addresses – the comparison of data points against a variety of databases

– consistency checks like comparing countries of the card issuer, card holder and merchant - the comparison of data points against each other

– frequency/velocity checks (e.g. how often did the shopper make a payment attempt in the last hour).

These are discussed in more detail further in this whitepaper.

Settings levels

Risk control settings can be applied at different levels:

Global Barclaycard SmartPay settings: settings that are applied to all merchants. Example: cards reported stolen.
Company-specific settings: settings that are shared among two or more merchant accounts under the same company account.
Merchant-specific settings: settings that are specific to one merchant.

[1] The Barclaycard SmartPay risk control system also works with API-based payments. In all cases, merchants should send Barclaycard SmartPay as many data points as possible on the transaction.
[2] The transaction can then still be refused by the card scheme or issuer, because of fraudulent use, insufficient funds or other reasons.
[3] There are also some checks with a negative score, notably whitelists that can be managed.

Advanced features

The Barclaycard SmartPay risk management system contains a large number of checks, as well as some advanced features, of which the most appealing ones are as follows.

Device fingerprinting

The Barclaycard SmartPay Device Fingerprinter unobtrusively gathers a lot of information from the shopper’s device and uses the combined value to identify the device of the shopper.

This allows the Barclaycard SmartPay system to discover suspicious behaviour like the entering of ten different card numbers from the same device within thirty minutes – even when different IP addresses are used or browser or proxy settings are changed.

Each of these data elements on its own is not discriminative enough to uniquely identify a device among all devices in the world. However, studies show that the combination of all these data elements is in many cases unique. To illustrate this principle, consider the following example: we are trying to find Tom, living in Shoreditch in London. None of the three data elements Tom, Shoreditch and London is in itself unique enough to find this person. A combination of the three elements, however, will probably be enough to find him. The Barclaycard SmartPay device fingerprint is very effective in stopping fraudulent transactions. What Barclaycard SmartPay has seen is that fraudsters change their payment details (email, IP addresses, name, card numbers), which means that the fraudsters do not get stopped by the regular velocity settings alone. With the device fingerprint, most of these attempts can be stopped.
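The principle described above, as an added example and not Barclaycard SmartPay’s own fingerprinter (the page does not list its inputs): weak attributes are combined into one identifier, and distinct card numbers are then counted per device rather than per IP address. The attribute names in FINGERPRINT_FIELDS, the two sample devices, the card labels and the IP addresses are constructed; the ten-card, thirty-minute scenario is the one the text gives.

```python
import hashlib
from datetime import datetime, timedelta

# Device attributes combined into the fingerprint. The names are assumptions
# for this example. The IP address is deliberately NOT part of the
# fingerprint, so a fraudster rotating IPs or proxies keeps the same one.
FINGERPRINT_FIELDS = ("user_agent", "screen", "timezone", "language",
                      "plugins", "fonts")


def device_fingerprint(attrs):
    """Hash the combination of weak attributes into one device identifier."""
    material = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def devices_cycling_cards(attempts, limit=10, window=timedelta(minutes=30)):
    """Return fingerprints of devices that entered at least `limit` distinct
    card numbers within any `window`-long span.
    `attempts` is an iterable of (timestamp, device_attrs, card_label)."""
    by_device = {}
    for ts, attrs, card in sorted(attempts, key=lambda a: a[0]):
        by_device.setdefault(device_fingerprint(attrs), []).append((ts, card))
    flagged = set()
    for fp, events in by_device.items():
        for i, (start, _) in enumerate(events):
            cards = {card for ts, card in events[i:] if ts - start <= window}
            if len(cards) >= limit:
                flagged.add(fp)
                break
    return flagged


def attempts_per_ip(attempts):
    """What an IP-keyed velocity check would see: attempts per IP address."""
    counts = {}
    for _, attrs, _ in attempts:
        counts[attrs["ip"]] = counts.get(attrs["ip"], 0) + 1
    return counts


# Constructed sample data (not real traffic).
BASE = datetime(2014, 1, 15, 10, 0)
DEVICE_A = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0",
            "screen": "1366x768", "timezone": "-180", "language": "ru-RU",
            "plugins": "Flash,Java", "fonts": "Arial,Tahoma"}
DEVICE_B = {"user_agent": "Mozilla/5.0 (Macintosh) Safari/537.71",
            "screen": "1440x900", "timezone": "0", "language": "en-GB",
            "plugins": "QuickTime", "fonts": "Helvetica,Arial"}


def sample_attempts():
    # Fraudster: one device, ten different cards in 20 minutes, a new IP each time.
    attempts = [(BASE + timedelta(minutes=2 * i),
                 dict(DEVICE_A, ip=f"198.51.100.{i + 1}"), f"CARD-{i:02d}")
                for i in range(10)]
    # Genuine shopper: one device, two cards over the same period, one IP.
    attempts += [(BASE + timedelta(minutes=5), dict(DEVICE_B, ip="192.0.2.10"), "CARD-90"),
                 (BASE + timedelta(minutes=25), dict(DEVICE_B, ip="192.0.2.10"), "CARD-91")]
    return attempts


if __name__ == "__main__":
    print("flagged devices:", devices_cycling_cards(sample_attempts()))
    print("attempts per IP:", attempts_per_ip(sample_attempts()))
```

Only the fraudster’s device is flagged, while an IP-keyed count sees each of its addresses exactly once and would never fire; the fingerprint survives the IP changes because the IP is not among the hashed attributes.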

Oil Splash Search

Barclaycard SmartPay also offers Oil Splash Search, allowing merchants to link payments together that belong to the same shopper. Many fraudsters will try to avoid detection by regularly changing identifying data like IP addresses and email addresses. Most of the time fraudsters do not change every detail at once, allowing Barclaycard SmartPay to still track fraudsters and identify all their payments. This reduces time and effort for fraud analysts and ensures that all fraudulent transactions from the same fraudster can be located and acted upon.
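One way to implement the linking that Oil Splash Search describes, added here as an illustration and not Barclaycard SmartPay’s own algorithm: payments are placed in one cluster whenever they share any single data point, so a fraudster who rotates one detail at a time stays linked through the details kept. The link keys in LINK_KEYS and all five sample payments are constructed.

```python
# Data points on which two payments are linked. Assumed for this example;
# the text names IP and email addresses as details fraudsters rotate.
LINK_KEYS = ("email", "ip", "card", "name")


class PaymentLinker:
    """Union-find over payments: two payments sharing any one data point end
    up in the same cluster, so a chain P1-P2-P3 is linked even though P1 and
    P3 share nothing directly."""

    def __init__(self):
        self.parent = {}       # payment ref -> parent ref
        self.first_seen = {}   # (key, normalised value) -> payment ref

    def _find(self, ref):
        while self.parent[ref] != ref:
            self.parent[ref] = self.parent[self.parent[ref]]  # path halving
            ref = self.parent[ref]
        return ref

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra

    def add(self, ref, payment):
        self.parent.setdefault(ref, ref)
        for key in LINK_KEYS:
            value = payment.get(key)
            if not value:
                continue
            normalised = (key, value.strip().lower())
            other = self.first_seen.setdefault(normalised, ref)
            if other != ref:
                self._union(ref, other)

    def cluster_of(self, ref):
        """All payment refs in the same cluster as `ref`, sorted."""
        root = self._find(ref)
        return sorted(r for r in self.parent if self._find(r) == root)


# Constructed sample payments (not real data). The fraudster changes one or
# two details per payment but never all of them at once; P5 is unrelated.
SAMPLE_PAYMENTS = {
    "P1": {"email": "a@example.com", "ip": "198.51.100.4", "card": "CARD-01", "name": "J Doe"},
    "P2": {"email": "a@example.com", "ip": "198.51.100.9", "card": "CARD-02", "name": "J Doe"},
    "P3": {"email": "b@example.com", "ip": "198.51.100.9", "card": "CARD-03", "name": "K Roe"},
    "P4": {"email": "c@example.com", "ip": "203.0.113.2", "card": "CARD-03", "name": "L Poe"},
    "P5": {"email": "d@example.com", "ip": "192.0.2.10", "card": "CARD-50", "name": "M Smith"},
}


def link_all(payments=SAMPLE_PAYMENTS):
    linker = PaymentLinker()
    for ref, payment in payments.items():
        linker.add(ref, payment)
    return linker


if __name__ == "__main__":
    linker = link_all()
    print("linked to P1:", linker.cluster_of("P1"))
    print("linked to P5:", linker.cluster_of("P5"))
```

P2 shares only the email and name with P1, P3 shares only the IP with P2, and P4 shares only the card with P3; the four still land in one cluster, which is exactly the chain an analyst would otherwise have to follow by hand.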

Advanced search

The Barclaycard SmartPay search functions are extended with special fraud-investigation options. If one fraudulent payment is located, then with the click of a button merchants can search for payments from the same IP address, shopper name, card number and the merchant reference for that shopper.

Summary of the advanced features:

Dynamic 3D Secure: apply 3D Secure selectively for high-risk transactions.
Country-specific checks: risk checks that are specific to one country.
Risk reporting and chargeback level monitoring: specific real-time reporting on risk management performance; automated monitoring of chargeback levels.
Device fingerprinting: a better technique to repeatedly get the right identification of the device that the shopper is using.

Dynamic 3D Secure approach (example):

fraud score >= 100: block (deny)
fraud score 70-99: force 3D Secure
fraud score 0-69: pass (authorise) without 3D Secure

Dynamic 3D secure

Barclaycard SmartPay always recommends the use of 3D secure authentication. 3D secure means that shoppers have to fill in a unique password (in addition to the CVC code), depending on the issuer. This further reduces the chance that a fraudulent transaction can occur.

There is an automatic liability shift to the issuing banks for personal cards once 3D Secure has been initiated by a merchant.

The disadvantage of 3D Secure can be a lower conversion rate because people might have forgotten their credentials or have other difficulties using 3D Secure, or issuing bank systems might have problems.

Therefore, Barclaycard SmartPay developed support for Dynamic 3D Secure where only risk transactions are sent through to 3D Secure authentication.

– Use 3D Secure only for transactions that are deemed risky, for instance if the fraud score is 70 or more.
– It is also possible to select 3D Secure automatically for transactions higher than a certain amount, for instance for all orders exceeding USD 250.

Read our separate Dynamic 3D-Secure whitepaper for more information.


Risk API

A special Risk API is available to do risk only calls without processing payments. This will help merchants looking only for a risk management solution. Consider for example the possibility of blocking unwanted shoppers already during registration on a website.

Specific risk checks

Checks specific for payment methods

Several checks are specific for payment methods (such as ELV) or groups of payment methods (such as direct debits). This allows merchants to further tailor risk settings based on the fraud experienced with certain payment methods.

Country-specific checks

For different countries Barclaycard SmartPay provides country specific checks. For example in the USA and UK Barclaycard SmartPay offers an address verification service. Also in other countries, for example Germany, the Netherlands and Brazil, Barclaycard SmartPay provides specific market related checks.

Refusal reason code support

Barclaycard SmartPay attempts to be as complete as possible in sending transaction and risk feedback to the merchant. Whenever available from the issuer, Barclaycard SmartPay will try to include the refusal reason in transaction responses.

A refusal with a reason of ‘insufficient funds’ or ‘over limit’ is not fraud and should be treated differently from a CVV2 failure or a lost/stolen refusal response code.

Risk reporting and monitoring

Barclaycard SmartPay offers several reports on the performance of the risk system that give merchants feedback. Statistical information is gathered over the transactions processed over the various sales channels of one merchant.

With this analysis the risk system can be adjusted by the merchant. Not only can the weight of a score be varied, checks can also be deactivated and activated by merchants. With the reports providing progressive insight, checks need to be periodically adjusted to the best values. The nature of fraud has also proven to change over time, requiring further adjustments. When a coordinated fraud attack occurs, the refusal rate of a merchant often increases drastically, and people can be alerted immediately to take proper action.


Risk checks explained

Fraud control settings are only available at the merchant level in the account hierarchy. If you select this setting at company level you will first be prompted to select a merchant. Once this is done you will be presented with the fraud scoring screen.

Once again, it is important to understand that a transaction will be refused when the score reaches 100.

To only change the score associated with one or more risk checks, or to only activate/deactivate one or more risk checks, change the scores accordingly and check/uncheck the checkboxes, then click the Save Merchant Checks button.

If you wish to further configure risk checks, first perform the above, then click the Configure link next to the risk check you wish to view or change (these are described in more detail below).

Referral checks

Referral checks work on transaction information at one end and existing databases at the other. The referral checks are shown in the screen below.


Card number referral list

The Blocked/Trusted Payment Details screen allows you to review and specify the credit cards, ELV accounts, and Dutch direct debit accounts that you trust or wish to block. This is a ‘firewall for cards and accounts’. Merchants should always place a reason in the block for audit trail purposes.

Four actions are possible:

1. block by entering the credit card or ELV or Dutch direct-debit details, ensuring the Block radio button is selected, typing in a reason, and clicking the Apply button in the applicable section

2. unblock/trust by entering the credit card or ELV or Dutch direct-debit details, ensuring the Trust radio button is selected, typing in a reason, and clicking the Apply button in the applicable section

3. view the current credit card block/trust list by clicking the Current Card Block/Trust List (or equivalent) link

4. remove details from the existing list by entering the credit card or ELV or Dutch direct-debit details, ensuring the Remove from List radio button is selected, typing in a reason, and clicking the Apply button in the applicable section.

Another way to put a credit card or bank account number on the referral list is by using the ‘Fraud Control’ box in the payment details screen. You can reach this page by going to the payment list, selecting the transaction that belongs to the fraudster and clicking on Fraud Control.


Shopper IP originates from high-risk country

The Blocked/Trusted IP Countries screen allows you to specify the countries from which shoppers cannot purchase, based on their IP address at the time of purchase.

It is important for fraud purposes that merchants send Barclaycard SmartPay the shopper IP address with each transaction; it is a key tool in stopping fraudulent transactions.

This block would be utilised if a merchant identifies a number of fraudulent transactions or chargebacks caused by fraud originating in a specific shopper country. Merchants do, however, need to ensure that they do not have ‘genuine’ shoppers who also originate in those countries as they would be blocked as well.

Two actions are possible:

1. block by selecting a country from the drop-down list, typing in a reason, and clicking the Block button

2. unblock by clicking the Remove button in the relevant row. Countries with an action of ‘fixed’ can only be removed by contacting Barclaycard SmartPay Support.

Shopper IP referral list

The Blocked/Trusted Shopper IP Addresses screen allows you to specify the IP addresses and ranges from which shoppers cannot purchase.

Two actions are possible:

1. block by entering the IP address, indicating whether it is for one IP address only or a range via the drop-down list, typing in a reason, and clicking the Block button

2. unblock by clicking the Remove button in the necessary row.


Issuing country referral list

The Blocked/Trusted Issuing Countries screen allows you to specify the countries from which shoppers cannot purchase, based on the country of issue of their card or bank account.

Merchants should utilise this check if they see fraudulent transactions or chargebacks arising as a result of fraud from cards issued in certain countries. These cards should only be blocked if merchants do not have ‘genuine’ shoppers who hold cards issued in the same countries. A good example is USA-issued cards. Many merchants in Europe do not have shoppers who use USA-issued cards. However, they do have a lot of fraud with USA issued cards, therefore they block cards issued from the USA.

Issuer referral list

This list contains issuing (Shopper) banks which have a high percentage of fraudulent transactions and is controlled at the Barclaycard SmartPay end. It is only used in very rare circumstances and it is usually associated with banks found in exotic countries.

Shopper using anonymous proxy

Fraudsters often use anonymous proxies to try to hide their IP address. A shopper using an anonymous proxy is treated as a fraudster, therefore such transactions are blocked.

Shopper email referral list

The Blocked/Trusted Shopper Email Addresses screen allows you to specify the shopper email addresses that you trust or wish to block.

Four actions are possible:

1. block by entering the shopper email address, ensuring the Block radio button is selected, typing in a reason, and clicking the Apply button

2. unblock/trust by entering the shopper email address, ensuring the Trust radio button is selected, typing in a reason, and clicking the Apply button

3. search whether a shopper email address is in the current list by entering it and clicking the Check button

4. remove details from the existing list by clicking the Delete button next to the applicable row, or by entering the shopper email address, ensuring the Remove from List radio button is selected, typing in a reason, and clicking Apply.


Shopper name referral list

The corresponding Blocked/Trusted Shopper Names screen allows you to specify the shopper names that you trust or wish to block. Merchants need to be careful when blocking common names, such as John Smith in the UK.

Consistency checks

Consistency checks compare two or more transaction data points with each other. The consistency checks are shown in the screen below.

Shopper country differs from issuing country

By default any difference between shopper country and issuing country will trigger this fraud risk check.

This check is one of the most effective checks in stopping fraudulent transactions from occurring. In our experience, the majority of fraudulent transactions occur when the shopper country differs from the issuing country. Some merchants do not have regular transactions where the card issuing country and shopper country are different. Therefore, for those merchants it is worthwhile setting the score to 100 for that check. For other merchants, it is effective to set the score to 90 and then manually review the transactions where the check is triggered.

The Shopper Country Differs From Issuing Country screen allows you to trust or block combinations of countries. This is best utilised when IP addresses may cross countries such as Belgium/France, Netherlands/Belgium etc.

Three actions are possible:

1. block by selecting the shopper country in the left drop-down list and the issuing country in the right drop-down list, ensuring the Block radio button is selected, typing in a reason, and clicking the Submit button. The shopper and issuing countries should be the same

2. allow by selecting the shopper country in the left drop-down list and the issuing country in the right drop-down list, ensuring the Allow radio button is selected, typing in a reason, and clicking the Submit button. The shopper and issuing countries should be different

3. remove details from the existing list by clicking the Remove button next to the applicable row.

The card holder name contains non-alphabetic characters

Fraudsters often try to hide their identity and will therefore insert random characters in the card holder name field. The fraud tool will therefore attribute a score to transactions where this occurs.

Merchants in countries such as Israel, where names are more likely to contain non-alphabetic characters, need to be careful when setting this check.

The card holder name is only one word

Fraudsters often fill in only one word in the card holder name field, for example ‘John’ or ‘Bob’. The fraud check will trigger if this happens and will attribute a score accordingly.

The bank account number contains a numeric sequence

This check verifies the bank account used for direct debit payments to see if it contains numeric sequences. An example of a sequence is a bank account number like “1234567890”. Fraudsters will often try different sequences until they get a match.

Bank account is not likely to be a consumer bank account

The account is not likely to be a consumer account. For ELV we check if the account has no check digit; for Dutch direct debit, if the account has the correct number of digits.

Bank name doesn’t match bank location ID (blz.) (ELV)

When an ELV transaction is carried out the bank’s name must be filled in. We receive regular updated details from ELV about

Bank address doesn’t match any branch offices (ELV)

This check verifies specifically for ELV if the entered bank address matches the bank branch offices. If it does not, the fraud check will trigger.

Billing address does not match card holder address (AVS)

The Settings for AVS Check screen allows you to set the minimum level of matching required for AVS checks, and whether an unknown response is OK (example 9). This check is only available in the UK and the USA. Two decisions are made:

1. for the postal / zip code, decide whether it must match (Needs to Match), doesn’t need to match (Doesn’t Match), or is OK if the check cannot be performed (Unable to Perform Check). Also decide whether an unknown response is OK (Unknown Response OK?)

2. for the address, decide whether it must match (Needs to Match), doesn’t need to match (Doesn’t Match), or is OK if the check cannot be performed (Unable to Perform Check). Also decide whether an unknown response is OK (Unknown Response OK?).
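The consistency checks of this section written out as plain functions, added here as an example and not the risk control system’s own code. The allowed name punctuation, the run length of five digits for the sequence check, the treatment of a repeated digit as a sequence, the use of two-letter country codes and the trusted country pairs are assumptions; the two sample transactions are constructed.

```python
# Characters other than letters that legitimately occur in card holder names.
# An assumption for this example; tune it for markets whose names carry more.
ALLOWED_NAME_PUNCTUATION = set(" '-.")


def name_has_non_alphabetic(name):
    """True if the name contains digits or symbols. str.isalpha() is
    Unicode-aware, so letters of any script count as alphabetic."""
    return any(not (ch.isalpha() or ch in ALLOWED_NAME_PUNCTUATION)
               for ch in name)


def name_is_one_word(name):
    return len(name.split()) < 2


def account_has_numeric_sequence(account, run=5):
    """True if `run` consecutive digits ascend, descend or repeat
    (e.g. 1234567890). `run` and the repeated-digit case are assumptions."""
    digits = [int(ch) for ch in account if ch.isdigit()]
    for i in range(len(digits) - run + 1):
        window = digits[i:i + run]
        steps = {(b - a) % 10 for a, b in zip(window, window[1:])}
        if steps in ({1}, {9}, {0}):   # +1 each step, -1 each step, same digit
            return True
    return False


# Country pairs the merchant has chosen to trust (the Belgium/France and
# Netherlands/Belgium example from the text). Assumed ISO country codes.
TRUSTED_COUNTRY_PAIRS = {frozenset({"BE", "FR"}), frozenset({"NL", "BE"})}


def shopper_country_differs(shopper_country, issuing_country,
                            trusted_pairs=TRUSTED_COUNTRY_PAIRS):
    if shopper_country == issuing_country:
        return False
    return frozenset({shopper_country, issuing_country}) not in trusted_pairs


def consistency_checks(tx):
    """Return the names of the consistency checks a transaction triggers."""
    triggered = []
    if name_has_non_alphabetic(tx["holder_name"]):
        triggered.append("name_contains_non_alphabetic")
    if name_is_one_word(tx["holder_name"]):
        triggered.append("name_is_one_word")
    if tx.get("bank_account") and account_has_numeric_sequence(tx["bank_account"]):
        triggered.append("bank_account_numeric_sequence")
    if shopper_country_differs(tx["shopper_country"], tx["issuing_country"]):
        triggered.append("shopper_country_differs_from_issuing_country")
    return triggered


# Constructed sample transactions (not real data).
GENUINE = {"holder_name": "Jean-Luc O'Neil", "shopper_country": "FR",
           "issuing_country": "BE", "bank_account": "5207108934"}
SUSPECT = {"holder_name": "J0hn", "shopper_country": "FR",
           "issuing_country": "US", "bank_account": "1234567890"}

if __name__ == "__main__":
    print("genuine:", consistency_checks(GENUINE))
    print("suspect:", consistency_checks(SUSPECT))
```

The genuine Belgian card used from France passes because that pair is trusted; the suspect transaction trips all four checks. Each function only reports whether its check triggers, and the score each trigger adds is a merchant setting rather than part of the check.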


Velocity checks

Velocity checks are the most effective way for merchants to stop fraudulent transactions from occurring. Velocity checks allow merchants to control how often shoppers can make a purchase in a specified time frame. If fraudsters discover they can purchase something once then they are likely to continue purchasing items in a small space of time.

To best utilise these checks merchants need to understand the behaviour of their shoppers. Merchants need to know how often a regular shopper would purchase something on their website (e.g. once a day, twice a day etc.).

The behaviour of each merchant’s shoppers is different, therefore there cannot be one generic setting for every merchant. The available velocity checks are shown in the below screen.

Card chunk usage frequency

The Settings for Card Chunk Usage screen allows you to specify the number of times six digits of a credit card can be used over a number of hours.

The default is six times over six hours. Change the values as required and click the Save button.

Card number usage frequency

The Settings for Payment Detail Usage screen allows you to specify the number of times the same credit card or bank account details can be used over a number of hours.

The default is six times over six hours. Change the values as required and click the Save button.


Card holder name usage frequency

The Settings for Account/Card Holder Name Usage screen allows you to specify the number of times the same shopper or card or account holder name can be used over a number of hours.

Shopper IP usage frequency

The Settings for Shopper IP Address Usage screen allows you to specify the number of times the same shopper IP can be used over a number of minutes.

Merchants need to be careful when using this check as often different shoppers can be using the same IP address, for example in the case of an office building or an internet cafe.

Shopper email usage frequency

The Settings for Shopper Email Address Usage screen allows you to specify the number of times the same shopper email can be used over a number of minutes.
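A sliding-window implementation of the velocity checks above, added as an example rather than Barclaycard SmartPay’s own code. The card chunk and card number defaults (six times over six hours) are the page’s; the IP and email limits, the reading of ‘six digits’ as the leading six digits of the card, the rule that the use beyond the allowed count is the one that triggers, and all sample traffic are assumptions. The office-building case illustrates the IP caveat: a shared IP address trips the check even though each colleague pays once.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# check name -> (transaction attribute counted, allowed uses, window).
# Card chunk and card number: six times over six hours (the page's defaults).
# The IP and email limits are assumptions; the page gives no default for them.
VELOCITY_SETTINGS = {
    "card_chunk_usage":    ("card_chunk", 6, timedelta(hours=6)),
    "card_number_usage":   ("card",       6, timedelta(hours=6)),
    "shopper_ip_usage":    ("ip",         5, timedelta(minutes=10)),
    "shopper_email_usage": ("email",      3, timedelta(minutes=10)),
}


def card_chunk(card_number):
    """The six digits counted by the card chunk check (assumed to be the
    leading six; the page says only 'six digits')."""
    return "".join(ch for ch in card_number if ch.isdigit())[:6]


class VelocityChecker:
    """Sliding-window counters keyed by (check, value). A check triggers on
    the attempt that takes the count within the window above the allowed
    uses (assumption: 'six times' means the seventh use triggers)."""

    def __init__(self, settings=VELOCITY_SETTINGS):
        self.settings = settings
        self.history = defaultdict(deque)

    def check(self, ts, tx):
        triggered = []
        for name, (attr, limit, window) in self.settings.items():
            value = card_chunk(tx["card"]) if attr == "card_chunk" else tx.get(attr)
            if not value:
                continue
            seen = self.history[(name, value)]
            while seen and ts - seen[0] > window:   # drop uses outside the window
                seen.popleft()
            seen.append(ts)
            if len(seen) > limit:
                triggered.append(name)
        return triggered


def replay(attempts, settings=VELOCITY_SETTINGS):
    """Run (timestamp, ref, tx) attempts in time order; return {ref: triggered}."""
    checker = VelocityChecker(settings)
    return {ref: checker.check(ts, tx)
            for ts, ref, tx in sorted(attempts, key=lambda a: a[0])}


# Constructed sample traffic (not real data).
BASE = datetime(2014, 1, 15, 9, 0)


def sample_attempts():
    attempts = []
    # Fraudster cycling eight cards from one issuer range within an hour: the
    # card chunk check fires on the 7th, the card number check never does.
    for i in range(8):
        attempts.append((BASE + timedelta(minutes=7 * i), f"F{i + 1}",
                         {"card": f"4111 11{i:02d} 0000 00{i:02d}",
                          "ip": f"198.51.100.{i + 1}", "email": f"f{i}@example.com"}))
    # Office building: six colleagues behind one IP within ten minutes, each
    # with their own card and email. Only the IP check fires: a false positive.
    for i in range(6):
        attempts.append((BASE + timedelta(hours=2, minutes=i), f"O{i + 1}",
                         {"card": f"5{i}00 0000 1111 22{i:02d}",
                          "ip": "192.0.2.10", "email": f"o{i}@example.com"}))
    return attempts


if __name__ == "__main__":
    for ref, triggered in replay(sample_attempts()).items():
        print(ref, triggered)
```

The card chunk counter is what catches the fraudster here: every card number is new, so the card number counter never exceeds one, but all eight share the leading six digits. For the office traffic, raising the IP limit or lengthening the window is the tuning the caveat above asks for, and the setting that is right depends on how that merchant’s shoppers actually behave.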

Cases and examples

To conclude this whitepaper, we give some examples of fraud cases and their resolutions by adjusting the risk settings.

Examples of suspicious transactions

– The shopper country (IP address) differs from the issuing card country (e.g. a French IP address with a USA-issued card). This is especially apparent if a USA, Canadian, Australian or New Zealand issued card is seen on a European merchant.
– The shopper IP address differs from both the issuing card country and the merchant location (e.g. a French IP address with a USA-issued card used on a Spanish website).
– The shopper name contains irregular characters.
– The transaction value is higher than your average transaction value and one of the above combinations is in place.
– You see a number of transactions in a short period of time from the same credit card, email address or shopper name.
– You see transactions from the same email address or shopper name with several different credit cards being used.

Cases and resolutions

Case: You experience a lot of fraud from Russian shoppers. Russia is not a country where you normally get orders from.
Solution: put Russia on the High-Risk Country Referral List.

Case: A fraudster has placed 20 orders in a couple of hours. Legitimate shoppers on your web shop, however, never order more than 2 products a day.
Solution: raise the velocity checks to 100, with a maximum of 4 transactions a day (to avoid stopping legitimate shoppers, do not put it at a maximum of 2 a day).

Case: You experience a lot of fraud from cards issued in countries other than those that the shoppers come from.
Solution: raise the score of the ‘shopper country differs from issuing country’ check. You may decide to put it at 100 if you are experiencing a lot of fraud. If that would block too many legitimate shoppers, put it at 70 and set the velocity checks at least at 30, so that a combined score with one of the velocity checks will block the fraudster.

Fraudsters keep finding new ways to trick risk management detection systems – our account managers and fraud prevention specialists will be happy to discuss what’s best in your situation.
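The additive scoring model from ‘Managing the settings’, the three Dynamic 3D Secure bands, and the cases above, combined into one decision function as an added example (not SmartPay’s own code). The 100 refusal threshold, the 70-99 band, the USD 250 amount and the 70 + 30 combination are taken from the text; the check names, the 20-point weight for the one-word-name check, the negative trusted-list score and all transactions are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class RiskSettings:
    """Per-merchant risk settings. `scores` maps a check name to the score it
    adds when triggered; a check absent from the map is deactivated. Trusted
    lists carry a negative score (footnote 3 of the whitepaper)."""
    scores: dict = field(default_factory=dict)
    refuse_at: int = 100            # the SmartPay refusal threshold
    force_3ds_at: int = 70          # Dynamic 3D Secure band from the example
    force_3ds_amount: float = 250.0 # the USD 250 amount example from the text


def fraud_score(triggered, settings):
    """Sum of the scores of all triggered checks; can go below zero."""
    return sum(settings.scores.get(check, 0) for check in triggered)


def decide(triggered, amount, settings):
    """Return (score, action): refuse at >= 100, otherwise authorise, with
    3D Secure forced for the risky band or for large amounts."""
    score = fraud_score(triggered, settings)
    if score >= settings.refuse_at:
        return score, "refuse"
    if score >= settings.force_3ds_at or amount >= settings.force_3ds_amount:
        return score, "authorise with 3D Secure"
    return score, "authorise"


# Settings tuned as in the third case: country mismatch at 70 plus a velocity
# check at 30, so that the two together reach the threshold. Assumed names.
EXAMPLE_SETTINGS = RiskSettings(scores={
    "shopper_ip_high_risk_country": 100,                 # case 1: Russia listed
    "card_number_usage_frequency": 30,                   # case 3
    "shopper_country_differs_from_issuing_country": 70,  # case 3
    "card_holder_name_one_word": 20,                     # assumed weight
    "trusted_card_number": -100,                         # trusted list entry
})

# Case 2: velocity check raised to 100 so it blocks on its own.
CASE_2_SETTINGS = RiskSettings(scores={"card_number_usage_frequency": 100})


def example_decisions(settings=EXAMPLE_SETTINGS):
    """Constructed transactions (not real data) as (triggered checks, amount)."""
    cases = {
        "russian_ip":        ({"shopper_ip_high_risk_country"}, 40.0),
        "mismatch_only":     ({"shopper_country_differs_from_issuing_country"}, 40.0),
        "mismatch_velocity": ({"shopper_country_differs_from_issuing_country",
                               "card_number_usage_frequency"}, 40.0),
        "one_word_name":     ({"card_holder_name_one_word"}, 40.0),
        "large_clean_order": (set(), 300.0),
        "trusted_card":      ({"trusted_card_number",
                               "shopper_ip_high_risk_country"}, 40.0),
    }
    return {name: decide(triggered, amount, settings)
            for name, (triggered, amount) in cases.items()}


if __name__ == "__main__":
    for name, outcome in example_decisions().items():
        print(f"{name:18} -> {outcome}")
    print("case 2 ->", decide({"card_number_usage_frequency"}, 40.0, CASE_2_SETTINGS))
```

A country mismatch alone scores 70 and is sent through 3D Secure rather than refused; the same mismatch together with a velocity hit reaches 100 and is refused, which is the combination the third case relies on. The trusted-card entry shows why the sum can fall back to zero even when a high-scoring check fires.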

Find out more

To see the latest versions of our Barclaycard SmartPay support manuals, please refer to our resource centre website: barclaycard.com/smartpay/documentation

To contact our support team, email [email protected], call 01604 269518* or from abroad +441604 269518*. Support hours are Monday – Friday 09:00 to 18:00 GMT.

This information is available in large print, Braille or audio format by calling 0844 811 6666**

*Calls may be monitored or recorded to maintain high levels of security and quality of service.

**For BT business customers, calls to 0844 811 numbers will cost no more than 5.5p per minute, min call charge 6p (current at January 2014). The price on non-BT phone lines may be different. Calls may be monitored and/or recorded. Barclaycard is a trading name of Barclays Bank PLC. Barclays Bank PLC is authorised by the Prudential Regulation
