Use Business Rules and Profiling to Guard Your E-commerce Transactions
By Ken Burke
With e-commerce fraud on the rise, e-tailers are eager to find ways to cut their losses. Fortunately, business rules, a capability most e-commerce platforms already have, can be used to build an effective system that holds bad transactions for review before they get processed.
Any e-commerce Web site can be set up with its own automated anti-fraud system. The goal is to have your Web site watch for transaction profiles that indicate an elevated risk of fraud, then hold those transactions for scrutiny by a trained customer service representative (CSR). More advanced versions can automatically rank each flagged order according to risk and send the customer an appropriately worded e-mail.
A Basic Profiling System
Profiling is all about spotting certain customer activities or transaction characteristics that indicate potential fraud. Profiles use business rules that examine every order immediately after the customer submits it but before it is processed. If any of the key data points meet the fraud profile, the order is set aside for further investigation by a CSR. Orders that do not match any of these points are processed as usual.
Certain conditions are known within the industry to signal an increased likelihood of fraud:
>Ship-to and bill-to addresses differ and the order total exceeds a set threshold;
>Expedited shipping is requested and the order total exceeds a set threshold;
>The total number of items exceeds a set limit;
>The quantity of any one item exceeds a set limit;
>The order originates from an IP address that has historically produced a high rate of fraudulent transactions;
>The customer's e-mail address is from a domain that has historically produced a high rate of fraudulent transactions;
>The customer's e-mail address or other information is on your blacklist of known fraud perpetrators.
You can mix and match these rules based on your business requirements. For example, a single match might not by itself mark an order as a hazard, while two or more matches flag it for review. Evaluate your filtering results regularly and refine your rules, tracking not only the fraud you catch but also the legitimate orders you hold, since every false positive costs a sale and a CSR call.
Ranking and Messaging
A more advanced system will assign a high, medium or low risk profile to each suspect order based on which rule or combination of rules it triggers. Each order can be flagged accordingly and then dropped into an appropriate queue for review by a CSR. To initiate a dialog with your customers and reduce the load on CSRs, the system should automatically generate e-mails for each category. Predefined responses for each category could be as follows:
High risk: Hold or even delete these orders immediately. Automated e-mails should tell customers their order cannot be processed and that they should call your toll-free customer service line. Fraud perpetrators will almost certainly never call, but legitimate customers probably will. After further investigation, the order can be completed or cancelled as appropriate.
Medium risk: The order is held in a queue for review by a CSR. The customer then receives an e-mail explaining that his or her order is on hold for a routine security/quality review and a CSR will be calling him or her soon.
Low risk: These orders are reviewed by a CSR who either deletes or approves them. The customer is not notified unless further investigation is necessary.
It's up to you how you define your risk levels. If you can, base them upon empirical evidence gathered from other aspects of your fraud system.
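The rule set, the "two or more rules" policy, the blacklist stop, the weighted risk tiers and the per-tier customer message described above, as an added example in Python that is not code from the article. Every threshold, weight, reference set and sample order in it is an assumed placeholder; the IP addresses come from the documentation ranges and no real customer data is used.

```python
"""Order profiling: business rules, weighted risk tiers and customer messaging.

Added example, not the article's code. Thresholds, weights, reference sets and
sample orders are assumed placeholders; derive real ones from your fraud history.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds (tune from your own data).
HIGH_VALUE_USD = 500.00      # address/shipping rules apply only above this amount
MAX_TOTAL_ITEMS = 10
MAX_QTY_PER_ITEM = 5
MIN_RULES_TO_FLAG = 2        # a single rule alone is not treated as a hazard
MEDIUM_SCORE = 3             # weighted-score cut-offs for the risk tiers
HIGH_SCORE = 5

# Constructed reference data standing in for real fraud-history tables.
HIGH_FRAUD_IPS = {"203.0.113.77"}                 # TEST-NET-3, not a real host
HIGH_FRAUD_EMAIL_DOMAINS = {"throwaway.example"}
BLACKLIST = {"crook@example.net", "5550199123"}   # lower-cased e-mail / phone digits


@dataclass
class Order:
    order_id: str
    total: float
    item_qtys: dict          # sku -> quantity
    bill_address: str
    ship_address: str
    expedited: bool
    ip: str
    email: str
    phone: str               # digits only


def email_domain(o: Order) -> str:
    return o.email.rsplit("@", 1)[-1].lower()


# (rule name, weight, predicate). Weights are assumed starting points.
RULES = [
    ("ship_bill_mismatch_high_value", 2,
     lambda o: o.ship_address != o.bill_address and o.total > HIGH_VALUE_USD),
    ("expedited_high_value", 2, lambda o: o.expedited and o.total > HIGH_VALUE_USD),
    ("too_many_items", 1, lambda o: sum(o.item_qtys.values()) > MAX_TOTAL_ITEMS),
    ("too_many_of_one_item", 1,
     lambda o: max(o.item_qtys.values(), default=0) > MAX_QTY_PER_ITEM),
    ("high_fraud_ip", 3, lambda o: o.ip in HIGH_FRAUD_IPS),
    ("high_fraud_email_domain", 2, lambda o: email_domain(o) in HIGH_FRAUD_EMAIL_DOMAINS),
]


def blacklist_hit(o: Order) -> bool:
    """Any blacklisted identifier stops the order outright, whatever the score."""
    return any(v in BLACKLIST for v in (o.email.lower(), o.phone, o.bill_address, o.ship_address))


def evaluate(o: Order) -> dict:
    """Return triggered rules, weighted score and tier: clear / low / medium / high."""
    hits = [(name, weight) for name, weight, pred in RULES if pred(o)]
    score = sum(w for _, w in hits)
    if blacklist_hit(o):
        hits.append(("blacklist", HIGH_SCORE))
        score += HIGH_SCORE
        tier = "high"
    elif len(hits) < MIN_RULES_TO_FLAG:
        tier = "clear"
    elif score >= HIGH_SCORE:
        tier = "high"
    elif score >= MEDIUM_SCORE:
        tier = "medium"
    else:
        tier = "low"
    return {"order_id": o.order_id, "tier": tier, "score": score, "rules": [n for n, _ in hits]}


def customer_message(result: dict) -> Optional[str]:
    """Predefined message per tier; low-risk and clear orders get no notice."""
    oid = result["order_id"]
    if result["tier"] == "high":
        return (f"Order {oid} cannot be processed. Please call our toll-free customer "
                f"service line (the number printed on our website) to complete it.")
    if result["tier"] == "medium":
        return (f"Order {oid} is on hold for a routine security and quality review. "
                f"A customer service representative will call you shortly.")
    return None


# Constructed sample orders (no real customer data).
SAMPLES = {
    "clean": Order("A-1001", 42.00, {"SKU-1": 1}, "1 Main St, Springfield",
                   "1 Main St, Springfield", False, "198.51.100.5", "alice@example.com", "5550100001"),
    "one_rule": Order("A-1002", 640.00, {"SKU-2": 1}, "9 Oak Ave, Shelbyville",
                      "9 Oak Ave, Shelbyville", True, "198.51.100.6", "bob@example.com", "5550100002"),
    "medium": Order("A-1003", 900.00, {"SKU-3": 2}, "9 Oak Ave, Shelbyville",
                    "77 Drop Box Rd, Capital City", True, "198.51.100.7", "carol@example.com", "5550100003"),
    "high": Order("A-1004", 1200.00, {"SKU-4": 1}, "5 Pine St, Ogdenville",
                  "PO Box 9, Capital City", False, "203.0.113.77", "dave@example.com", "5550100004"),
    "blacklisted": Order("A-1005", 30.00, {"SKU-5": 1}, "1 Main St, Springfield",
                         "1 Main St, Springfield", False, "198.51.100.8", "Crook@Example.net", "5550100005"),
}

if __name__ == "__main__":
    for label, order in SAMPLES.items():
        res = evaluate(order)
        print(label, res["tier"], res["score"], res["rules"], customer_message(res))
```

The order with only expedited shipping on a high-value basket comes back "clear" because MIN_RULES_TO_FLAG is 2, which is the policy the text gives as an example; a site that wants a single high-weight rule such as a known-bad IP to flag on its own lowers that constant or checks the score first.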
Blacklisting
A blacklist is a list of all e-mail addresses, names, phone numbers, billing addresses, shipping addresses or other information associated with fraudulent transactions. Check every transaction against the blacklist; if any of the information matches, your system can stop the order automatically.
Your Web site should automatically add all fraud perpetrators to your blacklist. If you get information on fraud perpetrators from outside sources, those addresses should be added to this list as well. Fake or out-of-service e-mail or postal addresses also may indicate fraud, and if someone uses one, he or she should go on your list.
A blacklist match is only an intermediate step, not a verdict. Many questionable transactions turn out to be perfectly legitimate (a shared mail drop or an apartment building can put an innocent customer's address on the list), so canceling all of them would needlessly reduce sales and alienate customers.
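A blacklist that matches on normalised values, as an added example in Python that is not code from the article. The normalisation rules (lower-casing e-mail, keeping only digits of phone numbers, stripping punctuation and extra spaces from addresses) are my assumptions, chosen so that trivial re-formatting does not defeat the list; the fraud order and later orders are constructed samples. It also shows the automatic add of every identifier from a confirmed-fraud order and the "stop for investigation" decision on any match.

```python
"""Blacklist with normalised matching across identifier types.

Added example, not the article's code. Normalisation rules and sample data are
assumptions; the sample orders are constructed, not real customer records.
"""
import re
from collections import defaultdict


def norm_email(v: str) -> str:
    return v.strip().lower()


def norm_phone(v: str) -> str:
    """Digits only, so '(555) 019-9123' and '555.019.9123' are the same number."""
    return re.sub(r"\D", "", v)


def norm_address(v: str) -> str:
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", v.lower()).split())


def norm_name(v: str) -> str:
    return " ".join(v.lower().split())


NORMALISERS = {"email": norm_email, "phone": norm_phone, "name": norm_name,
               "bill_address": norm_address, "ship_address": norm_address}
# Billing and shipping addresses share one pool: a fraud ship-to address is just
# as suspicious when it later shows up as a bill-to address.
POOL = {"email": "email", "phone": "phone", "name": "name",
        "bill_address": "address", "ship_address": "address"}


class Blacklist:
    def __init__(self):
        self._entries = defaultdict(set)   # pool -> set of normalised values

    def add(self, field: str, value: str) -> None:
        if value and value.strip():
            self._entries[POOL[field]].add(NORMALISERS[field](value))

    def add_from_fraud_order(self, order: dict) -> None:
        """Confirmed fraud: blacklist every identifier the order carried."""
        for field in NORMALISERS:
            if field in order:
                self.add(field, order[field])

    def matches(self, order: dict) -> list:
        """Return [(field, original value), ...] for each identifier on the list."""
        hits = []
        for field, fn in NORMALISERS.items():
            if field in order and fn(order[field]) in self._entries[POOL[field]]:
                hits.append((field, order[field]))
        return hits


def decide(bl: Blacklist, order: dict) -> str:
    """'stop' (hold for CSR investigation) on any match, otherwise 'continue'."""
    return "stop" if bl.matches(order) else "continue"


# Constructed sample data.
CONFIRMED_FRAUD = {"email": "Crook@Example.net ", "phone": "(555) 019-9123",
                   "name": "Pat Crook", "bill_address": "12 Elm St., Apt 4, Springfield",
                   "ship_address": "Suite 700, 9 Forwarding Way, Capital City"}
LATER_ORDER = {"email": "crook@example.net", "phone": "555.019.9123", "name": "P. Smith",
               "bill_address": "40 Birch Rd, Shelbyville",
               "ship_address": "suite 700 9 forwarding way capital city"}
LEGIT_ORDER = {"email": "alice@example.com", "phone": "555-010-0001", "name": "Alice Example",
               "bill_address": "1 Main St, Springfield", "ship_address": "1 Main St, Springfield"}


def build_sample_blacklist() -> Blacklist:
    bl = Blacklist()
    bl.add_from_fraud_order(CONFIRMED_FRAUD)
    bl.add("email", "bounced@example.org")   # out-of-service address reported by a CSR
    return bl


if __name__ == "__main__":
    bl = build_sample_blacklist()
    for label, order in (("later", LATER_ORDER), ("legit", LEGIT_ORDER)):
        print(label, decide(bl, order), bl.matches(order))
```

The later order uses a different name and billing address but the same e-mail, phone and forwarding address as the confirmed fraud, and all three are caught despite the changed capitalisation and punctuation; the result is still a "stop" for a CSR to investigate rather than a silent cancellation.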
Where to Stop the Order
Whether you identify a potentially fraudulent transaction through a blacklist, business rules, or profiling and ranking, there are two places you can stop orders. The first is the moment they are submitted, with the thank-you page replaced by a message informing the customer that his or her order could not be accepted. The second is to let these orders be submitted, but to hold them in a queue for review and a call to the customer by a CSR. Keep in mind that an immediate rejection tells a fraudster that something in the order tripped a rule, and repeated attempts let him probe where your thresholds are; a silent hold reveals nothing.
Credit Card ID Codes
Program your site to check the customer's credit card identification code ("card code", also known as CVV2, CVC2 or CID depending on the brand). All major credit card companies now print a three- or four-digit number on the card itself: three digits on the back for Visa, Mastercard and Discover, four on the front for American Express. The code is printed, not embossed, and is not encoded in the magnetic stripe, so it is usually absent from skimmed or bulk-stolen card numbers. It therefore helps establish that the buyer has the physical card whenever it's not possible to obtain a signature, such as during e-commerce and phone transactions. Your site cannot verify the value itself; it passes the code in the authorization request and the issuer reports a match or mismatch. Never store the card code after authorization, even encrypted: PCI DSS forbids it, and a database of stored codes is exactly what defeats the check.
At the time of writing, the credit card companies encourage the use of the card code but do not require it. However, it's likely that they soon will begin requiring it for all online transactions.
The credit card companies also will require you to provide customers with educational information about card codes. During checkout, include a button labeled "What is a credit card identification code?" or something similar. This should link to a plain-language explanation of what the code is, how to use it, and how to protect it. Also include images of major credit cards to show your customers where they can find their code.
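The card-code check from the section above, as an added example in Python that is not code from the article. It validates the card number with the Luhn check, derives the brand from a few well-known leading-digit ranges (an assumed, non-exhaustive table), requires the code length that brand uses, sends the code only in the one-time authorization request, and shows an order record that keeps a masked card number and the issuer's match result but never the code. The card numbers are the publicly documented test numbers, and the processor response is a constructed sample.

```python
"""Card-code (CVV2/CVC2/CID) handling for a card-not-present checkout.

Added example, not the article's code. Brand prefix table is assumed and not
exhaustive; card numbers are public test numbers; the processor reply is a
constructed sample.
"""
import re


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum over a digits-only card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str):
    """Brand from leading digits. Major ranges only (assumed sufficient here)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in ("34", "37"):
        return "amex"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    if pan.startswith("6011") or pan.startswith("65"):
        return "discover"
    return None


def code_length_for(brand: str) -> int:
    """4-digit CID on the front of Amex cards, 3 digits on the back elsewhere."""
    return 4 if brand == "amex" else 3


def validate_card_code(pan_raw: str, code_raw: str):
    """Return (ok, brand-or-reason). Format checks only; the issuer verifies the value."""
    pan = re.sub(r"\D", "", pan_raw)
    code = code_raw.strip()
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        return False, "invalid card number"
    brand = card_brand(pan)
    if brand is None:
        return False, "unrecognised card brand"
    need = code_length_for(brand)
    if not (code.isdigit() and len(code) == need):
        return False, f"{brand} card code must be {need} digits"
    return True, brand


def build_auth_request(pan_raw: str, expiry: str, code: str, amount: float) -> dict:
    """The only place the card code travels: the authorization sent to the processor."""
    return {"pan": re.sub(r"\D", "", pan_raw), "expiry": expiry,
            "card_code": code, "amount": amount}


def order_record(auth_request: dict, auth_result: dict) -> dict:
    """What may be kept after authorization: masked PAN and result flags, never the code."""
    pan = auth_request["pan"]
    return {"pan_masked": "*" * (len(pan) - 4) + pan[-4:],
            "expiry": auth_request["expiry"],
            "amount": auth_request["amount"],
            "approved": auth_result["approved"],
            "card_code_match": auth_result.get("card_code_match")}


if __name__ == "__main__":
    print(validate_card_code("4111 1111 1111 1111", "123"))      # (True, 'visa')
    print(validate_card_code("378282246310005", "123"))          # Amex needs 4 digits
    req = build_auth_request("4111 1111 1111 1111", "12/29", "123", 42.00)
    # Constructed processor reply standing in for the real authorization response.
    print(order_record(req, {"approved": True, "card_code_match": True}))
```

The checkout form should reject a wrong-length or non-numeric code before the authorization is attempted, and a mismatch reported by the issuer is a strong signal for the profiling rules above; a stolen physical card or a phished code still passes, so the card code complements the profiling rules rather than replacing them.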
Remember the Customer
Whenever your customers receive an e-mail or a phone call as a result of your anti-fraud efforts, phrase it in the most positive way possible. Explain that this is a routine security check to make sure their personal information and credit card are not being used without their consent. Provide the details of their order (order number, items, the last four digits of the card, never the full card number) so they can be sure your communications are legitimate, and never ask them to reply with card details; otherwise your genuine security e-mail is indistinguishable from a phishing message. Emphasize that your primary concern is their privacy and financial security.
Your customers will appreciate your diligence in watching out for their interests. Remember that a large number of suspect transactions will turn out to be legitimate. Also keep in mind that you might be talking to the unknowing victim of fraud and not its perpetrator.
How stringent you make your profiles, responses and messaging is up to you. Crack down on those who are up to no good, while protecting the relationship with genuine customers.
KEN BURKE is president and CEO of Multimedia Live, an e-commerce technology and development company based in Petaluma, CA. He can be reached at (707) 773-3434 or by e-mail at email@example.com.