In recent years, there has been a noticeable rise in fraudulent activities, especially in the world of online shopping. This increase has been fueled by the growing amount of money spent online and the sophisticated tools that fraudsters now have at their disposal. One common form of fraud is card testing, where criminals check the validity of stolen credit card information through small purchases.
While it's challenging to eliminate this type of criminal behaviour, there are effective strategies and best practices that you as a business partner can implement to avoid fraudulent attacks and mitigate their impact.
Warning signs of potential attacks
Increased sales of a certain product with or without running a campaign
Increase of registered customers in a particular geographical region
Increase of payment attempts in a particular geographical region
Increased authorization declines with response code indicating potential fraud
A fraudulent order may exhibit characteristics such as:
Autogenerated values in the address fields
Repeated patterns in email addresses (e.g. firstName + lastName + 2 random digits @ domain.com)
Inconsistent address details (country/city/street/zip code do not match)
Valid and consistent address details but unusual spikes in product purchases or shipping addresses in specific regions
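As an added illustration (not Centra's own code), the following check flags two of the characteristics listed above over a batch of orders: a cluster of emails shaped as first name + last name + 2 digits on the same domain, and a zip code that does not fit the shipping country. The order fields, the sample orders, the cluster threshold and the zip patterns are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample orders, not real data.
ORDERS = [
    {"id": 1, "first": "Anna", "last": "Berg", "email": "annaberg47@example.com", "country": "SE", "zip": "111 22"},
    {"id": 2, "first": "Lars", "last": "Holm", "email": "larsholm03@example.com", "country": "SE", "zip": "41301"},
    {"id": 3, "first": "Mia", "last": "Lund", "email": "mialund88@example.com", "country": "US", "zip": "SW1A 1AA"},
    {"id": 4, "first": "Erik", "last": "Dahl", "email": "erik.dahl@example.org", "country": "SE", "zip": "413 01"},
    {"id": 5, "first": "Sara", "last": "Ek", "email": "saraek12@example.net", "country": "DE", "zip": "10115"},
]

# Postal-code shape per country: a small illustrative subset, extend per market.
ZIP_SHAPES = {"SE": r"\d{3} ?\d{2}", "US": r"\d{5}(-\d{4})?", "DE": r"\d{5}"}


def email_shape_domain(order):
    """Return the email domain if the local part is first+last+2 digits, else None."""
    local, _, domain = order["email"].lower().partition("@")
    name = re.sub(r"[^a-z]", "", (order["first"] + order["last"]).lower())
    if name and re.fullmatch(re.escape(name) + r"\d{2}", local):
        return domain
    return None


def flag_orders(orders, min_cluster=3):
    """Map order id -> reasons. One name+digits address is normal; a cluster is the signal."""
    shapes = {o["id"]: email_shape_domain(o) for o in orders}
    per_domain = Counter(d for d in shapes.values() if d)
    flags = {}
    for o in orders:
        reasons = []
        if shapes[o["id"]] and per_domain[shapes[o["id"]]] >= min_cluster:
            reasons.append("email-pattern-cluster")
        shape = ZIP_SHAPES.get(o["country"])
        if shape and not re.fullmatch(shape, o["zip"].strip()):
            reasons.append("zip-country-mismatch")
        if reasons:
            flags[o["id"]] = reasons
    return flags


if __name__ == "__main__":
    for order_id, reasons in flag_orders(ORDERS).items():
        print(order_id, reasons)
```

Flagged orders are candidates for manual review before capture rather than automatic cancellation, since a single matching email or an unusual zip format also occurs among legitimate customers.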
Risk and cost analysis
In the context of risk and cost analysis in payment processing, it is crucial to consider the fees applied by each party involved in the transaction chain. Stopping fraudulent payment attempts early in the process can reduce the number of parties involved and minimize cumulative fees. For example:
If a fraud attempt is stopped at the frontend and not forwarded to the PSP, no fees are applied.
If the PSP stops a payment attempt before sending an authorization request to the card network, fraud/processing fees may apply (note: fees vary among PSPs).
Allowing a payment attempt to proceed to the card network without being stopped by the PSP can result in additional fees.
Excessive chargebacks initiated by customers can lead to financial losses, increased fees from payment processors, and potential restrictions on accepting certain payment methods. Therefore, preventing fraudulent transactions is essential.
When considering disabling payment or shipping methods, it is important to weigh the potential costs of such action. For example:
Is it more cost-effective to temporarily suspend orders in a specific market or to avoid processing fees from stopping fraudulent attempts?
Are alternative payment options available in that market (e.g., PayPal)? If so, disabling card payments instead of shipping may be a viable option.
By carefully evaluating these factors, businesses can make informed decisions to mitigate risks and manage costs associated with fraudulent transactions.
Best practices
Enable and turn up infrastructure-level bot prevention. Cloudflare has good security tools for fighting bots, such as "Bot Fight Mode", which challenges requests matching known bot patterns before the bot even reaches the site.
Additionally enhance with a fraud detection service that can prevent bots and other automated attacks while approving valid users, e.g., reCAPTCHA.
A common approach is to enable e.g., reCAPTCHA in markets that are more exposed to fraud attacks.
Centra offers invisible and frictionless Captcha protection, specifically designed to prevent bots from abusing your stores. This new feature helps block fraudulent activities before they hit your checkout, reducing unwanted orders, fees, and cleanup efforts. It’s quick to set up and seamlessly integrates into your existing workflow. For more details, visit our docs.
Stop Fraudulent Approvals by PSP
The most important aspect is to enable risk settings in the Adyen Merchant Dashboard. This activates the fraud engine provided by Adyen according to your desired risk settings.
Additionally, the recommended configuration with your Payment Service Provider includes:
Separating authorization and capture (by turning off direct capture on the Centra side and auto capture on the PSP side). When fraudulent orders are placed and detected before capture, this allows you to void the authorization without incurring additional cost.
Sending the shopper's real IP in the POST /payment call, even when behind a proxy. The shopper IP can then be forwarded to the Payment Service Provider and used for setting up risk settings.
Making sure Adyen's client key whitelists only the frontend production origin.
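One way to determine the shopper's real IP behind a proxy before sending it in the payment call, as an added example (not Centra's or Adyen's code): the `X-Forwarded-For` chain is read from the right, and only hops appended by proxies you trust are skipped, so a value the client put in the header itself cannot reach the PSP's risk rules. The trusted proxy ranges and the function name are assumptions for the example.

```python
import ipaddress

# Assumed proxy/CDN ranges for illustration; use your provider's published list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def _trusted(addr):
    """True if the address belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def shopper_ip(remote_addr, x_forwarded_for=""):
    """Return the shopper IP to pass along with the payment request.

    remote_addr is the peer address of the TCP connection; x_forwarded_for is
    the raw header value. Walking right to left, each trusted proxy hop is
    skipped and the first address outside the trusted ranges is the shopper.
    Entries further left were supplied by the client and are ignored.
    """
    chain = [p.strip() for p in x_forwarded_for.split(",") if p.strip()]
    chain.append(remote_addr)
    best = None
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header at this point
        best = str(addr)
        if not _trusted(addr):
            break
    return best


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    print(shopper_ip("198.51.100.7", "203.0.113.9, 10.1.2.3"))  # via CDN and load balancer
    print(shopper_ip("198.51.100.7", "1.2.3.4, 203.0.113.9"))   # client-supplied first entry
    print(shopper_ip("203.0.113.50", "10.0.0.1"))               # direct connection, header ignored
```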
Dealing with Fraudulent Activity
As an immediate action in urgent cases (e.g., if the risk rules are not enabled on the PSP side) you can:
Turn off payment methods - e.g., if you have multiple PSPs in place for a certain market and one is being targeted you can turn that payment method off.
Turn off shipping options - e.g., if fraud attempts are related to a specific country, turn off shipping options to that market. Please see “Risk and Cost Analysis” for more information.
Cancel and refund orders if any attempts went through.
Validate that the risk settings in Adyen are set properly (see above).
How to integrate a Fraud Prevention Solution with Centra
Adding a fraud prevention solution boosts security by providing an extra layer of screening after the Payment Service Provider (PSP) authorizes transactions. This helps catch potential fraud that might slip through initial checks, reducing the risk of fraudulent activity and protecting both businesses and customers. It can also save money by preventing chargebacks and fraud-related losses. Detailed instructions for implementing this solution can be found here.