Risk management
Barclaycard SmartPay
Contents

- Introduction
  - Managing conversion and risk
  - Managing false positives
  - Finding the optimum
- How it works
  - Hosted payment pages
  - Fraud score action
  - Managing the settings
  - Settings management in more detail
  - Settings levels
- Advanced features
  - Dynamic 3D secure
  - Device fingerprinting
  - Oil Splash Search
  - Advanced search
  - Risk API
- Specific risk checks
  - Checks specific for payment methods
  - Country-specific checks
  - Refusal reason code support
- Risk reporting and monitoring
- Risk checks explained
  - Referral checks: card number referral list; shopper IP originates from high-risk country; shopper IP referral list; issuing country referral list; issuer referral list; shopper using anonymous proxy; shopper email referral list; shopper name referral list
  - Consistency checks: shopper country differs from issuing country; the card holder name contains non-alphabetic characters; the card holder name is only one word; the bank account number contains a numeric sequence; bank account is not likely to be a consumer bank account; bank name doesn't match bank location ID (BLZ) (ELV); bank address doesn't match any branch offices (ELV); billing address does not match card holder address (AVS)
  - Velocity checks: card chunk usage frequency; card number usage frequency; card holder name usage frequency; shopper email usage frequency; shopper IP usage frequency
- Cases and examples
  - Examples of suspicious transactions

Risk management Page 2
Introduction

Risk management consists mainly of dealing with transactions that are reversed after the product or service has been delivered. For merchants this means that revenue is lost, so it is important to keep control over this process. This whitepaper describes the innovative way Barclaycard SmartPay deals with fraud and risk management. The most important question to answer is how to minimise fraud costs while maximising revenues.

The advantages of the Barclaycard SmartPay risk management system are:
- fully hosted and managed risk system
- works in real time on the merchant's payment traffic
- highly customisable by changing risk settings
- can effectively block fraud while letting genuine customers pass
- advisory modules for risk settings and yield optimisation
- special reporting and search to give merchants insight into risk performance.

Key features discussed in this whitepaper are the following:
- how conversion optimisation works together with risk management
- how to use the Barclaycard SmartPay risk control system to block fraudulent shoppers
- how to minimise false positives in this process
- what could be the best risk strategy
- how to realise an effective yield optimisation.

Managing conversion and risk

The Barclaycard SmartPay payment system is built to optimise conversion for its merchants: the hosted payment pages offer a high degree of customisation and have been thoroughly tested to make it as easy as possible to pay. However, accepting payments also means accepting the risk of transactions that will be reversed later on. These chargebacks can occur for both credit cards and debit payment methods. Possible reasons for chargebacks are:
- fraud, where a credit card or bank account of someone else is used by a fraudster
- insufficient balance on a bank account (especially with direct debits)
- the transaction is not recognised by the card holder who made the payment
- there has been a problem in the delivery or return of the product.
Therefore a risk management system is needed that can detect transactions that are liable to be reversed at a later stage. Although not all chargebacks can be detected beforehand, it is still possible to detect and avert most fraudulent transaction attempts.

The four possible outcomes of a fraud check:
- False positive: this is not fraud, but the fraud detection system thinks it is. The transaction is blocked while it shouldn't have been; you miss legitimate revenue here.
- True negative: this is a genuine transaction. It passes the fraud detection system.
- True positive: this is fraud. The fraud detection system rightly blocks it.
- False negative: this is a fraudulent transaction. The fraud system fails to detect it; you lose money because of chargebacks.
Managing false positives

However, for every blocked transaction there is a chance that it would have been a legitimate transaction. So a fraud protection tool that is set up too tightly will block many genuine transactions, and therefore have a negative impact on revenues. These transactions are called false positives: transactions that a fraud system flagged as potentially fraudulent (therefore having a positive result in the fraud check and subsequently being blocked) but which actually would have been normal transactions not resulting in a chargeback. Of course, it is nearly impossible to know which blocked transactions were genuine and which ones would have resulted in a chargeback.

Finding the optimum

For a tightly configured fraud detection system that blocks most of the fraudulent transactions, many false positives may occur as collateral damage, seriously impeding the business.

[Diagram: a scale of risk settings]
- Strict settings: less fraud, but many false positives.
- Optimum: somewhere in between.
- Less strict settings: more fraud, but also more revenue.
The question is how to minimise false positives while at the same time keeping fraud at an acceptable level.

The definition of acceptable varies from merchant to merchant. For selling online access to games, higher fraud rates will be acceptable than for selling high-value tangibles such as consumer electronics.
How it works

Hosted payment pages

A payment page is presented where the payment options and payment details can be entered, [1] after which the fraud score is calculated. The original request should contain as many details about the customer as are already known to the merchant. Along with these details, we also obtain crucial data such as IP address, browser settings etc. from the consumer. All these data together are fed to the Barclaycard SmartPay Risk Control System, where many checks are performed on the data, resulting in a final fraud score.

Fraud score action

If the fraud score is 100 or higher, the transaction is refused by Barclaycard SmartPay automatically. If the fraud score is less than 100, the transaction is sent for authorisation to the credit card networks (usually from acquirer via central scheme to the issuer). [2] How the risk control system calculates its final score largely depends on the settings, which we will discuss now.

Managing the settings

The risk control system calculates the final score based on many checks that are performed on a transaction. We will discuss some of the individual checks further on in this whitepaper. Every check can, if triggered, add a score to the total fraud score. [3] This means that merchants can experiment with the settings to find the optimum between blocking too many transactions and letting too many transactions pass through. During setup of the merchant account with Barclaycard SmartPay, the account manager at Barclaycard SmartPay will assist and advise on a good starting point. But it is also part of our standard operations to keep monitoring the performance of individual and global risk control settings within Barclaycard SmartPay.

[Figure: fraud score scale with the threshold at 100]
- All transactions with a fraud score of 100 or higher are blocked by Barclaycard SmartPay.
- Transactions with a fraud score of 0-99 carry a varying degree of suspected fraud.
- A negative value means that the transaction is considered relatively safe.

Settings management in more detail

There are several classes of real-time checks Barclaycard SmartPay performs on each transaction:
- referral list checking of card numbers, email addresses and IP addresses: the comparison of data points against a variety of databases
- consistency checks, like comparing the countries of the card issuer, card holder and merchant: the comparison of data points against each other
- frequency/velocity checks (e.g. how often did the shopper make a payment attempt in the last hour).
These are discussed in more detail further on in this whitepaper.

Settings levels

Risk control settings can be used from different levels:
- Global Barclaycard SmartPay settings: settings that are applied to all merchants. Example: cards reported stolen.
- Company-specific settings: settings that are shared among two or more merchant accounts under the same company account.
- Merchant-specific settings: settings that are specific to one merchant account only.

[1] The Barclaycard SmartPay risk control system also works with API-based payments. In all cases, merchants should send Barclaycard SmartPay as many data points as possible on the transaction.
[2] The transaction can then still be refused by the card scheme or issuer, because of fraudulent use, insufficient funds or other reasons.
[3] There are also some checks with a negative score, notably whitelists that can be managed.
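The additive scoring model described above, with negative points for whitelisted cards and the refuse-at-100 decision (plus the 70-99 "force 3D Secure" band from the Dynamic 3D Secure example under Advanced features), as an added Python example. This is not SmartPay code: the check names, default points, country pairs and card numbers are constructed assumptions.

```python
"""Additive fraud scoring: each triggered check adds its configured points, a trusted-list
hit subtracts points, and the total decides the action. Added example, not SmartPay code;
check names, default points and sample data are assumptions."""
from dataclasses import dataclass, field

REFUSE_AT = 100     # whitepaper: a score of 100 or higher is refused automatically
FORCE_3DS_AT = 70   # whitepaper's Dynamic 3D Secure example: 70-99 forces 3D Secure

@dataclass
class Transaction:
    card_number: str
    card_holder_name: str
    shopper_country: str        # derived from the shopper's IP address
    issuing_country: str        # country that issued the card
    anonymous_proxy: bool = False
    bank_account: str = ""      # only present for direct-debit payments

@dataclass
class RiskSettings:
    scores: dict                                   # check name -> points (merchant-tunable)
    blocked_cards: set = field(default_factory=set)
    trusted_cards: set = field(default_factory=set)
    allowed_country_pairs: set = field(default_factory=set)  # (shopper, issuing) exceptions

# Assumed default weights; a merchant tunes these in the risk settings screen.
DEFAULT_SCORES = {
    "card_on_block_list": 100,
    "card_on_trust_list": -100,      # whitelist hit: negative score
    "shopper_country_differs_from_issuing_country": 70,
    "card_holder_name_non_alphabetic": 25,
    "card_holder_name_one_word": 20,
    "shopper_using_anonymous_proxy": 100,
    "bank_account_numeric_sequence": 50,
}

def has_numeric_sequence(account: str, min_run: int = 5) -> bool:
    """True if `account` holds min_run digits stepping by +1 or -1 (e.g. 1234567890)."""
    digits = [int(c) for c in account if c.isdigit()]
    run, last_step = 1, None
    for prev, cur in zip(digits, digits[1:]):
        step = cur - prev
        if step in (1, -1):
            run = run + 1 if step == last_step else 2   # same direction extends the run
            last_step = step
        else:
            run, last_step = 1, None
        if run >= min_run:
            return True
    return False

def run_checks(tx: Transaction, cfg: RiskSettings) -> list:
    """Return the names of every check that fires for this transaction."""
    fired = []
    if tx.card_number in cfg.blocked_cards:
        fired.append("card_on_block_list")
    if tx.card_number in cfg.trusted_cards:
        fired.append("card_on_trust_list")
    if (tx.shopper_country != tx.issuing_country
            and (tx.shopper_country, tx.issuing_country) not in cfg.allowed_country_pairs):
        fired.append("shopper_country_differs_from_issuing_country")
    name = tx.card_holder_name.strip()
    if not all(ch.isalpha() or ch in " .'-" for ch in name):
        fired.append("card_holder_name_non_alphabetic")
    if len(name.split()) == 1:
        fired.append("card_holder_name_one_word")
    if tx.anonymous_proxy:
        fired.append("shopper_using_anonymous_proxy")
    if tx.bank_account and has_numeric_sequence(tx.bank_account):
        fired.append("bank_account_numeric_sequence")
    return fired

def fraud_score(tx: Transaction, cfg: RiskSettings) -> int:
    return sum(cfg.scores[name] for name in run_checks(tx, cfg))

def decide(score: int) -> str:
    if score >= REFUSE_AT:
        return "refuse"
    if score >= FORCE_3DS_AT:
        return "force_3d_secure"
    return "authorise"

# Constructed sample data (test-style card numbers, documentation countries).
SETTINGS = RiskSettings(DEFAULT_SCORES, trusted_cards={"5555444433331111"},
                        allowed_country_pairs={("BE", "FR")})   # cross-border neighbours
CLEAN = Transaction("4444333322221111", "Jane Doe", "GB", "GB")
BORDER = Transaction("4444333322221111", "Jane Doe", "BE", "FR")
CROSS_BORDER = Transaction("4444333322221111", "Bob", "FR", "US")     # 70 + 20
PROXY = Transaction("4444333322221111", "Bob", "FR", "US", anonymous_proxy=True)
TRUSTED = Transaction("5555444433331111", "Jane Doe", "FR", "US")     # 70 - 100

if __name__ == "__main__":
    for label, tx in [("clean", CLEAN), ("border", BORDER), ("cross-border", CROSS_BORDER),
                      ("proxy", PROXY), ("trusted card", TRUSTED)]:
        s = fraud_score(tx, SETTINGS)
        print(f"{label:13} score={s:5} -> {decide(s):16} {run_checks(tx, SETTINGS)}")
```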
Advanced features

The Barclaycard SmartPay risk management system contains a large number of checks, as well as some advanced features, of which the most appealing ones are as follows.
- Dynamic 3D Secure: apply 3D Secure selectively for high-risk transactions.
- Device fingerprinting: a better technique to repeatedly get the right identification of the device that the shopper is using.
- Country-specific checks: risk checks that are specific to one country.
- Risk Reporting and Chargeback Level Monitoring: specific real-time reporting on risk management performance, and automated monitoring of chargeback levels.

Dynamic 3D secure

Barclaycard SmartPay always recommends the use of 3D Secure authentication. 3D Secure means that shoppers have to fill in a unique password (in addition to the CVC code), depending on the issuer. This further reduces the chance that a fraudulent transaction can occur. There is an automatic liability shift to the issuing banks for personal cards once 3D Secure has been initiated by a merchant. The disadvantage of 3D Secure can be a lower conversion rate, because people might have forgotten their credentials or have other difficulties using 3D Secure, or issuing bank systems might have problems. Therefore, Barclaycard SmartPay developed support for Dynamic 3D Secure, where only risky transactions are sent through to 3D Secure authentication. Use 3D Secure only for transactions that are deemed risky, for instance if the fraud score is more than 7. It is also possible to select 3D Secure automatically for transactions higher than a certain amount, for instance for all orders exceeding USD 250. Read our separate Dynamic 3D Secure whitepaper for more information.
Dynamic 3D Secure approach (example):
- score >= 100: block (deny)
- score 70-99: force 3D Secure
- score 0-69: pass (authorise) without 3D Secure

Device fingerprinting

The Barclaycard SmartPay Device Fingerprinter unobtrusively gathers a lot of information from the shopper's device and uses the combined value to identify the device of the shopper. This allows the Barclaycard SmartPay system to discover suspicious behaviour, like the entering of ten different card numbers from the same device within thirty minutes, even when different IP addresses are used or browser or proxy settings are changed. None of these data elements is on its own discriminative enough to uniquely identify a device among all devices in the world. However, studies show that a combination of all these data elements is in many cases unique. To illustrate this principle, consider the following example: we are trying to find Tom, living in Shoreditch in London. None of the three data elements Tom, Shoreditch and London is in itself unique enough to find this person. A combination of the three elements, however, will probably be enough to find him.

The Barclaycard SmartPay device fingerprint is very effective in stopping fraudulent transactions. What Barclaycard SmartPay has seen is that fraudsters change their payment details (email, IP addresses, name, card numbers), which means that the fraudsters do not get stopped by the regular velocity settings alone. With the device fingerprint, most of these attempts can be stopped.

Oil Splash Search

Barclaycard SmartPay also offers Oil Splash Search, allowing merchants to link together payments that belong to the same shopper. Many fraudsters will try to avoid detection by regularly changing identifying data like IP addresses and email addresses. Most of the time fraudsters do not change every detail at once, allowing Barclaycard SmartPay to still track fraudsters and identify all their payments. This reduces time and effort for fraud analysts and ensures that all fraudulent transactions from the same fraudster can be located and acted upon.

Advanced search

The Barclaycard SmartPay search functions are extended with special fraud-investigation options. If one fraudulent payment is located, then with the click of a button merchants can search for payments from the same IP address, shopper name, card number and the merchant reference for that shopper.
Risk API

A special Risk API is available to make risk-only calls without processing payments. This will help merchants looking only for a risk management solution. Consider for example the possibility of blocking unwanted shoppers already during registration on a website.

Specific risk checks

Checks specific for payment methods

Several checks are specific to payment methods (such as ELV) or groups of payment methods (such as direct debits). This allows merchants to further tailor risk settings based on the fraud experienced with certain payment methods.

Refusal reason code support

Barclaycard SmartPay attempts to be as complete as possible in sending transaction and risk feedback to the merchant. Whenever available from the issuer, Barclaycard SmartPay will try to include the refusal reason in transaction responses. A refusal with a reason of insufficient funds or over limit is not fraud and should be treated differently from a CVV2 failure or a lost/stolen refusal response code.

Country-specific checks

For different countries Barclaycard SmartPay provides country-specific checks. For example, in the USA and UK Barclaycard SmartPay offers an address verification service. Also in other countries, for example Germany, the Netherlands and Brazil, Barclaycard SmartPay provides specific market-related checks.
Risk reporting and monitoring

Barclaycard SmartPay offers several reports on the performance of the risk system that give merchants feedback. Statistical information is gathered over the transactions processed through the various sales channels of one merchant. With this analysis the risk system can be adjusted by the merchant. Not only can the weight of a score be varied, checks can also be deactivated and activated by merchants. With the reports providing progressive insight, checks need to be periodically adjusted to the best values. The nature of fraud has also proven to change over time, requiring further adjustments. When a coordinated fraud attack occurs, the refusal rate of a merchant often increases drastically, and people can be alerted immediately to take proper action.

[Figure: map of Europe with chargeback ratios per country; call-out: 8.69% chargeback ratio in Italy]
Risk checks explained

Fraud control settings are only available at the merchant level in the account hierarchy. If you select this setting at company level, you will first be prompted to select a merchant. Once this is done you will be presented with the fraud scoring screen. Once again, it is important to understand that a transaction will be refused when the score reaches 100.

To only change the score associated with one or more risk checks, or to only activate/deactivate one or more risk checks, change the scores accordingly and check/uncheck the checkboxes, then click the Save Merchant Checks button. If you wish to further configure risk checks, first perform the above, then click the Configure link next to the risk check you wish to view or change (these are described in more detail below).

Referral checks

Referral checks work on transaction information at one end and existing databases at the other. The referral checks are shown in the screen below.
Card number referral list

The Blocked/Trusted Payment Details screen allows you to review and specify the credit cards, ELV accounts and Dutch direct debit accounts that you trust or wish to block. This is a firewall for cards and accounts. Merchants should always enter a reason with the block for audit trail purposes. Four actions are possible:
1. block by entering the credit card, ELV or Dutch direct debit details, ensuring the Block radio button is selected, typing in a reason, and clicking the Apply button in the applicable section
2. unblock/trust by entering the credit card, ELV or Dutch direct debit details, ensuring the Trust radio button is selected, typing in a reason, and clicking the Apply button in the applicable section
3. view the current credit card block/trust list by clicking the Current Card Block/Trust List (or equivalent) link
4. remove details from the existing list by entering the credit card, ELV or Dutch direct debit details, ensuring the Remove from List radio button is selected, typing in a reason, and clicking the Apply button in the applicable section.

Another way to put a credit card or bank account number on the referral list is by using the Fraud Control box in the payment details screen. You can reach this page by going to the payment list, selecting the transaction that belongs to the fraudster and clicking on Fraud Control.
Shopper IP originates from high-risk country

The Blocked/Trusted IP Countries screen allows you to specify the countries from which shoppers cannot purchase, based on their IP address at the time of purchase. This block would be utilised if a merchant identifies a number of fraudulent transactions or chargebacks caused by fraud originating in a specific shopper country. Merchants do, however, need to ensure that they do not have genuine shoppers who also originate in those countries, as they would be blocked as well. Two actions are possible:
1. block by selecting a country from the drop-down list, typing in a reason, and clicking the Block button
2. unblock by clicking the Remove button in the necessary row.
Countries with an action of "fixed" can only be removed by contacting Barclaycard SmartPay Support.

Shopper IP referral list

The Blocked/Trusted Shopper IP Addresses screen allows you to specify the IP addresses and ranges from which shoppers cannot purchase. It is important for fraud purposes that merchants send Barclaycard SmartPay the shopper IP address with each transaction; it is a key tool in stopping fraudulent transactions. Two actions are possible:
1. block by entering the IP address, indicating whether it is for one IP address only or a range via the drop-down list, typing in a reason, and clicking the Block button
2. unblock by clicking the Remove button in the necessary row.
Issuing country referral list

The Blocked/Trusted Issuing Countries screen allows you to specify the countries from which shoppers cannot purchase, based on the country of issue of their card or bank account. Merchants should utilise this check if they see fraudulent transactions or chargebacks arising as a result of fraud from cards issued in certain countries. These cards should only be blocked if merchants do not have genuine shoppers who hold cards issued in the same countries. A good example is USA-issued cards. Many merchants in Europe do not have shoppers who use USA-issued cards. However, they do have a lot of fraud with USA-issued cards, and therefore they block cards issued in the USA.

Issuer referral list

This list contains issuing (shopper) banks which have a high percentage of fraudulent transactions and is controlled at the Barclaycard SmartPay end. It is only used in very rare circumstances and is usually associated with banks found in exotic countries.

Shopper using anonymous proxy

Fraudsters often try to use anonymous proxies to hide their IP address. A shopper using an anonymous proxy is treated as a fraudster, therefore transactions such as these are blocked.

Shopper email referral list

The Blocked/Trusted Shopper Email Addresses screen allows you to specify the shopper email addresses that you trust or wish to block. Four actions are possible:
1. block by entering the shopper email address, ensuring the Block radio button is selected, typing in a reason, and clicking the Apply button
2. unblock/trust by entering the shopper email address, ensuring the Trust radio button is selected, typing in a reason, and clicking the Apply button
3. search whether a shopper email address is in the current list by entering it and clicking the Check button
4. remove details from the existing list by clicking the Delete button next to the applicable row, or by entering the shopper email address, ensuring the Remove from List radio button is selected, typing in a reason, and clicking Apply.
Shopper name referral list

The corresponding Blocked/Trusted screen for shopper names allows you to specify the shopper names that you trust or wish to block. Merchants need to be careful when blocking common names, such as John Smith in the UK.

Consistency checks

Consistency checks compare two or more transaction data points with each other. The consistency checks are shown in the screen below.

Shopper country differs from issuing country

By default any difference between shopper country and issuing country will trigger this fraud risk check. This check is one of the most effective checks in stopping fraudulent transactions from occurring. In our experience, the majority of fraudulent transactions occur when the shopper country differs from the issuing country. Some merchants do not have regular transactions where the card issuing country and shopper country are different. Therefore, for those merchants it is worthwhile setting the score to 100 for that check. For other merchants, it is effective to set the score to 90 and then manually review the transactions where the check is triggered.

The "shopper country differs from issuing country" screen allows you to trust or block combinations of countries. This is best utilised where IP addresses may cross borders, such as Belgium/France, Netherlands/Belgium etc.
Three actions are possible:
1. block by selecting the shopper country in the left drop-down list and the issuing country in the right drop-down list, ensuring the Block radio button is selected, typing in a reason, and clicking the Submit button. The shopper and issuing countries should be the same
2. allow by selecting the shopper country in the left drop-down list and the issuing country in the right drop-down list, ensuring the Allow radio button is selected, typing in a reason, and clicking the Submit button. The shopper and issuing countries should be different
3. remove details from the existing list by clicking the Remove button next to the applicable row.

The card holder name contains non-alphabetic characters

Fraudsters often try to hide their identity and will therefore insert random characters in the card holder name field. The fraud tool will therefore attribute a score to transactions where this occurs. Merchants in countries such as Israel, where names are more likely to contain non-alphabetic characters, need to be careful when setting this check.

The card holder name is only one word

Fraudsters often fill in only one word in the card holder name field, for example John or Bob. The fraud check will trigger if this happens and will attribute a score accordingly.

The bank account number contains a numeric sequence

This check verifies the bank account used for direct debit payments to see if it contains numeric sequences. An example of a sequence is a bank account number like 1234567890. Fraudsters will often try different sequences until they get a match.

Bank account is not likely to be a consumer bank account

The account is not likely to be a consumer account. For ELV we check whether the account has no check digit; for Dutch direct debit we check whether the account has the correct number of digits.

Bank name doesn't match bank location ID (BLZ) (ELV)

When an ELV transaction is carried out the bank's name must be filled in. We receive regularly updated details from ELV about the bank names and store these in our system. If the bank name does not match, the check will trigger accordingly.

Bank address doesn't match any branch offices (ELV)

This check verifies, specifically for ELV, whether the entered bank address matches one of the bank's branch offices. If it does not, the fraud check will trigger.

Billing address does not match card holder address (AVS)

The Settings for AVS Check screen allows you to set the minimum level of matching required for AVS checks, and whether an unknown response is OK (example 9). This check is only available in the UK and the USA. Two decisions are made:
1. for the postal/zip code, decide whether it must match (Needs to Match), doesn't need to match (Doesn't Match), or is OK if the check cannot be performed (Unable to Perform Check). Also decide whether an unknown response is OK (Unknown Response OK?)
2. for the address, decide whether it must match (Needs to Match), doesn't need to match (Doesn't Match), or is OK if the check cannot be performed (Unable to Perform Check). Also decide whether an unknown response is OK (Unknown Response OK?).
Velocity checks

Velocity checks are the most effective way for merchants to stop fraudulent transactions from occurring. Velocity checks allow merchants to control how often shoppers can make a purchase in a specified time frame. If fraudsters discover they can purchase something once, they are likely to continue purchasing items in a short space of time. To best utilise these checks merchants need to understand the behaviour of their shoppers. Merchants need to know how often a regular shopper would purchase something on their website (e.g. once a day, twice a day etc.). The behaviour of each merchant's shoppers is different, therefore there cannot be one generic setting for every merchant. The available velocity checks are shown in the screen below.

Card chunk usage frequency

The Settings for Card Chunk Usage screen allows you to specify the number of times the same six digits of a credit card can be used over a number of hours. The default is six times over six hours. Change the values as required and click the Save button.

Card number usage frequency

The Settings for Payment Detail Usage screen allows you to specify the number of times the same credit card or bank account details can be used over a number of hours. The default is six times over six hours. Change the values as required and click the Save button.
Card holder name usage frequency

The Settings for Account/Card Holder Name Usage screen allows you to specify the number of times the same shopper, card holder or account holder name can be used over a number of hours.

Shopper email usage frequency

The Settings for Shopper Email Address Usage screen allows you to specify the number of times the same shopper email can be used over a number of minutes.

Shopper IP usage frequency

The Settings for Shopper IP Address Usage screen allows you to specify the number of times the same shopper IP can be used over a number of minutes. Merchants need to be careful when using this check, as different shoppers can often be using the same IP address, for example in the case of an office building or an internet cafe.
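The velocity checks described in this section (card number, card chunk, holder name, email and IP usage within a time window), as an added Python example using sliding windows; this is not SmartPay code. The six-times-over-six-hours default comes from the text, while the other limits, windows, scores and all sample attempts are constructed assumptions.

```python
"""Sliding-window velocity checks (added example, not SmartPay code). A check fires on the
attempt that takes a key (card number, card chunk, holder name, email, IP) past its
allowed number of uses inside the window; events older than the window expire."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class VelocityRule:
    key_field: str   # transaction field the rule counts
    max_uses: int    # uses allowed inside the window; the next one fires
    window_s: int    # window length in seconds
    score: int       # points added to the fraud score when exceeded

# Card details: six times over six hours (page default). Other values are assumptions.
RULES = [
    VelocityRule("card_number", 6, 6 * 3600, 40),
    VelocityRule("card_chunk", 6, 6 * 3600, 40),    # first six digits of the card
    VelocityRule("holder_name", 6, 6 * 3600, 30),
    VelocityRule("shopper_email", 3, 30 * 60, 30),  # email and IP are counted in minutes
    VelocityRule("shopper_ip", 5, 30 * 60, 20),
]

class VelocityTracker:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.history = defaultdict(deque)   # (key_field, value) -> timestamps in window

    def observe(self, attempt: dict, ts: float) -> dict:
        """Record one attempt at time ts; return {key_field: score} for each rule exceeded."""
        values = dict(attempt)
        values["card_chunk"] = attempt["card_number"].replace(" ", "")[:6]
        fired = {}
        for rule in self.rules:
            q = self.history[(rule.key_field, values[rule.key_field])]
            while q and ts - q[0] >= rule.window_s:   # drop events outside the window
                q.popleft()
            q.append(ts)
            if len(q) > rule.max_uses:
                fired[rule.key_field] = rule.score
        return fired

def simulate_bin_attack() -> list:
    """Constructed scenario: seven distinct cards sharing the prefix 411111, a fresh email
    and IP each time, one attempt a minute. Returns the fired checks per attempt."""
    tracker = VelocityTracker()
    results = []
    for i in range(7):
        attempt = {
            "card_number": f"411111{i:010d}",       # constructed, not real cards
            "holder_name": "A Fraudster",
            "shopper_email": f"user{i}@example.com",
            "shopper_ip": f"203.0.113.{i + 1}",     # documentation address range
        }
        results.append(tracker.observe(attempt, ts=i * 60.0))
    return results

def seventh_use(gap_s: float) -> dict:
    """Six uses of one card ten minutes apart, then a seventh use gap_s seconds after the
    first. Returns what that seventh attempt fires (nothing once the window has passed)."""
    tracker = VelocityTracker()
    attempt = {"card_number": "4444333322221111", "holder_name": "Jane Doe",
               "shopper_email": "jane@example.com", "shopper_ip": "198.51.100.7"}
    for i in range(6):
        tracker.observe(attempt, ts=i * 600.0)
    return tracker.observe(attempt, ts=gap_s)

if __name__ == "__main__":
    for n, fired in enumerate(simulate_bin_attack(), 1):
        print(f"attempt {n}: {fired or 'no velocity check fired'}")
    print("7th use at 1h:", seventh_use(3600.0))
    print("7th use after 6h:", seventh_use(6 * 3600.0 + 1))
```

Rotating card numbers, emails and IPs defeats the per-card rule in the first scenario, but the shared card chunk and holder name still fire on the seventh attempt, which is the gap the device fingerprint is meant to close further.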
Cases and examples

To conclude this whitepaper, we give some examples of fraud cases and their resolutions by adjusting the risk settings.

Cases and resolutions

- Case: you experience a lot of fraud from Russian shoppers. Russia is not a country where you normally get orders from.
  Solution: put Russia on the High-Risk Country Referral List.
- Case: a fraudster has placed 20 orders in a couple of hours. Legitimate shoppers on your web shop, however, never order more than 2 products a day.
  Solution: raise the velocity checks to 100, with a maximum of 4 transactions a day (to avoid stopping legitimate shoppers, do not set it to a maximum of 2 a day).
- Case: you experience a lot of fraud from cards issued in countries other than those that the shoppers come from.
  Solution: raise the score of the "shopper country differs from issuing country" check. You may decide to put it at 100 if you are experiencing a lot of fraud. If that would block too many legitimate shoppers, put it at 70 and set the velocity checks to at least 30, so that a combined score with one of the velocity checks will block the fraudster.

Examples of suspicious transactions

- The shopper country (IP address) differs from the issuing card country (e.g. a French IP address with a USA-issued card). This is especially apparent if a USA-, Canadian-, Australian- or New Zealand-issued card is seen on a European merchant.
- The shopper IP address differs from both the issuing card country and the merchant location (e.g. a French IP address with a USA-issued card used on a Spanish website).
- The shopper name contains irregular characters.
- The transaction value is higher than your average transaction value and one of the above combinations is in place.
- You see a number of transactions in a short period of time from the same credit card, email address or shopper name.
- You see transactions from the same email address or shopper name with several different credit cards being used.

Fraudsters keep finding new ways to trick risk management detection systems; our account managers and fraud prevention specialists will be happy to discuss what is best in your situation.
Find out more

To see the latest versions of our Barclaycard SmartPay support manuals, please refer to our resource centre website: barclaycard.com/smartpay/documentation

To contact our support team, email Support.SmartPay@barclaycard.co.uk or call 01604 269518 * (from abroad: +441604 269518). Support hours are Monday to Friday, 09:00 to 18:00 GMT.

This information is available in large print, Braille or audio format by calling 0844 811 6666 **

* Calls may be monitored or recorded to maintain high levels of security and quality of service.
** For BT business customers, calls to 0844 811 numbers will cost no more than 5.5p per minute, minimum call charge 6p (current at January 2014). The price on non-BT phone lines may be different. Calls may be monitored and/or recorded.

Barclaycard is a trading name of Barclays Bank PLC. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register Number: 122702) and subscribes to the Lending Code, which is monitored and enforced by the Lending Standards Board. Registered in England No: 1026167. Registered Office: 1 Churchill Place, London E14 5HP.

BCD100962SP05. Created 01/14. 34366BD v1.0