Fraud is expensive. If you process a fraudulent transaction, refunding it and losing the product is your cheapest option. If it turns into a chargeback, things get more painful; after the fees and penalties, plus the headache of dealing with them, chargebacks can cost you up to three times the ticket value. Savvy merchants are always on the lookout to prevent processing fraud in the first place. Blacklisting transactions is a potential strategy, but will it be effective for your business?
Blacklisting is not a cure-all against eCommerce fraud; it employs some useful mechanisms for catching suspected fraud, but declining these transactions may not always be the best course of action. Blacklists are built with data from known fraudulent transactions, and subsequent transactions that match that data are flagged. The problem is that fraud is not nearly so simple. Blacklist declines can be effective against lower-level “lazy” fraudsters and some friendly fraud. But more sophisticated fraudsters are not so easily detected. The last thing you want is to block legitimate customers.
HOW BLACKLISTS ARE MADE
If you’re considering using blacklists, first understand how they work. For every transaction, the buyer provides certain details. There are also buyer behaviors that can be tracked and considered. Details and behaviors collected in known fraud will inform the blacklist to screen future transactions. But how is fraud identified in a way that informs a blacklist?
When cardholders catch a fraudulent transaction, they report it to their issuing bank. The issuer must then give notice to the parties involved: the acquiring bank, card network, and other issuers. For Visa transactions, this fraud notice is known as TC40 data. Mastercard fraud reports go into their System to Avoid Fraud Effectively (SAFE). By default, TC40 or SAFE data are not shared with the merchant; however, you can opt to subscribe to these notices. Otherwise, the merchant learns a transaction was fraud through dispute alerts or through chargebacks carrying the fraud reason code, which is too late for any preventative action.
Whether by fraud notice, dispute alert, or chargeback, the merchant receives transaction data, which can then be used to inform a blacklist:
- Transaction ID
- Purchase IP
- Device ID
- Credit card number
- Billing address
- Shipping address
Other contextual information on that transaction can also be gathered. Examples include behavioral attributes such as the buyer’s shopping pattern, transaction history, the amount spent, and how long the transaction took. Transactional and behavioral data are combined to identify the patterns that trigger blacklist actions.
HOW BLACKLIST DECLINES ARE TRIGGERED
Fraudulent transactions are usually a mix of victim and fraudster information: the product goes to the fraudster and the bill goes to the victim. So billing address and card number become useful only after a fraud is identified, to prevent subsequent attempts using that information. Buyer location/IP address, device ID, and shipping addresses can help identify fraud when paired with certain behaviors:
- Multiple IPs, Addresses
- Multiple cards, same source
- Quantity and frequency
- Card testing
The delivery address and IP on stolen cards will invariably be different from the billing information. As the number of IPs and delivery addresses for a card increases, so does the likelihood of fraud. If these IPs and addresses are unusual compared to your average customer base, this is also a pattern of concern.
Most of us have two or three payment cards. Fraudsters often have many more than that. When a single location is processing multiple transactions with several different cards from different issuers, this is a red flag.
Stolen cards have a short lifespan, so fraudsters will spend big and fast while the card is valid. If you receive an order that is larger than average, with large quantities of the same item, or multiple orders in rapid succession, these are considered suspect.
When a fraudster acquires a stolen card profile, they will typically test it with smaller transactions before their main attack. These tests can trigger authorization failures as they figure out the correct inputs. You can catch these smaller orders before the big attack.
These are some common red flag scenarios that can trigger blacklist declines. However, more sophisticated fraudsters know how to blend in. Legitimate transactions can also have these patterns. When fraud looks like legit purchases, the probability of false declines increases.
HOW TO USE BLACKLIST DATA
The main problem with blacklisting transactions is that you don’t want false declines. A study by Javelin Strategy & Research found that, on average, 1 of every 4 declines is false (1 in 3 for digital goods). So beware the caveats of using blacklists: they’re not always accurate.
A single transaction is not going to give you enough information to start blocking transactions. At first, your best action might be to require deeper security measures when you encounter these red flags. If red flags persist, then you might have some actionable patterns that support a decline.
In cases of friendly fraud, a more aggressive approach can be warranted. You’re not so much trying to predict future instances of fraud as cutting off one specific customer for stealing. In these cases, you’re combining transaction information with fulfillment data that confirms the customer made the purchase, received the product, and attempted chargeback fraud.
Whether you’re avoiding false positives, or confronting friendly fraud, both instances underscore how blacklists need backup information beyond the transaction. The more information you can bring together, the more effective your response will be.
At a bare minimum, a blacklist would have to do the following to be effective. First, it would have to capture fraud data from TC40 or SAFE notices on known fraud that you’ve processed. Second, it would need to match that data with the deeper contextual information that led up to the sale. Third, it would have to be responsive enough to trigger a range of actions on a fraud match, from requiring deeper authentication to outright declines. A blacklist should also get granular enough to differentiate between true fraud and friendly fraud.
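The requirements above, together with the red flags listed earlier, can be sketched as follows. This is an added example, not ChargebackHelp's code: identifiers from confirmed fraud are matched against a new transaction, combined with behavioral checks, and mapped to a graduated response. Field names, thresholds, sample records and the decision policy are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed values standing in for identifiers from confirmed fraud reports.
BLACKLIST = {"device_id": {"dev-9f1"}, "ship_addr": {"12 Drop St"}}
# Assumed thresholds; tune them against your own customer baseline.
WINDOW = timedelta(hours=24)
MAX_CARDS_PER_SOURCE, MAX_ADDRS_PER_CARD = 3, 2
TEST_AMOUNT, MAX_FAILED_SMALL_AUTHS = 5.00, 3

def txn(minute, card, ip, device_id, ship_addr, amount, approved=True):
    """Build one constructed transaction record."""
    ts = datetime(2024, 1, 1) + timedelta(minutes=minute)
    return dict(ts=ts, card=card, ip=ip, device_id=device_id,
                ship_addr=ship_addr, amount=amount, approved=approved)

def red_flags(t, history):
    """List the red flags raised by transaction t given earlier transactions."""
    recent = [h for h in history if timedelta(0) <= t["ts"] - h["ts"] <= WINDOW]
    same_source = [h for h in recent
                   if h["device_id"] == t["device_id"] or h["ip"] == t["ip"]]
    flags = []
    if any(t[field] in values for field, values in BLACKLIST.items()):
        flags.append("blacklist_match")
    # Multiple cards, same source.
    if len({h["card"] for h in same_source} | {t["card"]}) > MAX_CARDS_PER_SOURCE:
        flags.append("many_cards_one_source")
    # Multiple delivery addresses for one card.
    addrs = {h["ship_addr"] for h in recent if h["card"] == t["card"]}
    if len(addrs | {t["ship_addr"]}) > MAX_ADDRS_PER_CARD:
        flags.append("many_addresses_one_card")
    # Card testing: repeated small failed authorizations from this source.
    failed = [h for h in same_source
              if h["amount"] <= TEST_AMOUNT and not h["approved"]]
    if len(failed) >= MAX_FAILED_SMALL_AUTHS:
        flags.append("card_testing")
    return flags

def decide(t, history):
    """Graduated response (assumed policy): a lone flag only steps up
    authentication; a blacklist match corroborated by behavior declines."""
    flags = red_flags(t, history)
    if "blacklist_match" in flags and len(flags) > 1:
        return "decline", flags
    return ("step_up" if flags else "allow"), flags

# Constructed history: one device probing four cards with small failed auths.
HISTORY = [txn(i, f"card-{i}", "203.0.113.7", "dev-9f1", "12 Drop St", 1.00, False)
           for i in range(4)]
```

A blacklisted shipping address seen from an otherwise clean device yields only `step_up` here, which keeps a reused address (a parcel locker, for example) from turning into a false decline.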
The main downside to blacklists is the potential for false declines. Fraud may cost you revenue, but false declines cost you customers. Although blacklist algorithms and machine learning have come a long way in recent years, false declines persist. You may have noticed another issue — you have to process fraud to begin informing those algorithms. So blacklists are not a catch-all for fraud.
Whether you put blacklists to work for your business or not, there is one significant upside — you’re thinking about fraud prevention. Fraud is a problem no merchant should ignore. However, fraud prevention is just one piece of a bigger dispute management strategy. Blacklists or not, you should be taking a multi-layered approach to protect your transactions and ensure your revenue stays where it belongs.
ChargebackHelp can assist you with your dispute management strategy. We can show you the most viable courses of action to prevent fraud and disputes with the information your transaction stream provides. We can also integrate TC40 and SAFE data fraud reporting, along with dispute alert notifications. Contact us to find out how your business can prevent fraud and reduce chargebacks. Send us an email, call us at 1.800.975.9905 or contact us here.