Hi, my name is Duncan Malcolm. I convene First Six Last Four to help us understand more about fraud threats and the things we can do to reduce our risk in the face of highly motivated adversaries.
To diagnose the issues below, pull a list of twenty or so transactions that looked perfect but turned out to be fraud.
Then investigate them transaction by transaction to find out what went wrong. This is the only way to diagnose the problem effectively; you won't get the answer from a summarised Excel or PowerPoint report.
#1. First party fraud
The easiest explanation is that the transaction was made by the actual cardholder and they're scamming you.
This happens all the time: goods claimed not to have been delivered, or a claim that 'someone else' used their card. It can also be the result of a customer service issue, so check your CS systems to see whether the customer was already complaining about something.
#2. Your data is wrong
This one is unexpected but shockingly possible. I’ve seen it IRL.
It's quite possible that what looks like a perfect transaction isn't. For each transaction, go and check every feature against its primary source and confirm it is actually correct.
Did 3DS really pass? If you think it was a 3DS v2.x check, confirm with the PSP: literally call them and ask, to be 100% sure.
If you think the customer used the same card as on their last five transactions, look at those five transactions in the PSP portal AND in your own payment site/application and compare the last four digits. Are they all the same, or different?
The same goes for every other data point.
You’d be blown away at what I’ve found with a good old dig around.
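The "dig around" described in this section can be scripted once you have the two exports side by side. The following is an added example written for this article; it is not tooling from First Six Last Four or from any PSP. It assumes two record sets keyed by the PSP transaction id: your own payment application's order records and the PSP portal export for the same transactions. All field names, the sample rows and the 3DS status values stored per row are assumptions; the transStatus codes themselves (Y, A, N, U, R, C) are the EMV 3DS ones.

```python
"""Cross-check 'perfect-looking' transactions against the PSP's own records.

Added example, not tooling from First Six Last Four or any PSP. Assumes two exports
keyed by the PSP transaction id: your payment application's orders (MERCHANT_ORDERS)
and the PSP portal/API export (PSP_RECORDS). Field names are assumptions.
"""
from collections import defaultdict

# EMV 3DS transStatus codes: Y = authenticated, A = attempts processing performed
# (no real authentication), N = not authenticated, U = unavailable, R = rejected,
# C = challenge required. Only Y counts as the cardholder having authenticated.
AUTHENTICATED = {"Y"}

# Constructed sample data, not real transactions. Orders are in chronological order.
MERCHANT_ORDERS = [
    {"txn_id": "T1001", "customer_id": "C1", "card_last4": "4242",
     "three_ds_version": "2.1.0", "three_ds_result": "PASS"},
    {"txn_id": "T1002", "customer_id": "C1", "card_last4": "4242",
     "three_ds_version": "2.1.0", "three_ds_result": "PASS"},
    {"txn_id": "T1003", "customer_id": "C1", "card_last4": "4242",
     "three_ds_version": "2.1.0", "three_ds_result": "PASS"},
    {"txn_id": "T1004", "customer_id": "C2", "card_last4": "0005",
     "three_ds_version": "2.1.0", "three_ds_result": "PASS"},
]
PSP_RECORDS = [
    # Genuinely authenticated with 3DS 2.x.
    {"txn_id": "T1001", "card_last4": "4242", "three_ds_version": "2.1.0", "trans_status": "Y"},
    # Merchant recorded a 2.x PASS; the PSP shows a 1.0.2 'attempts' result.
    {"txn_id": "T1002", "card_last4": "4242", "three_ds_version": "1.0.2", "trans_status": "A"},
    # Same customer, but the PSP saw a different card from the one the merchant stored.
    {"txn_id": "T1003", "card_last4": "1881", "three_ds_version": "2.1.0", "trans_status": "Y"},
    # T1004 is missing from the PSP export entirely.
]


def reconcile_transaction(order, psp):
    """Return the discrepancies between one merchant order and its PSP record."""
    if psp is None:
        return ["no PSP record found for this transaction id"]
    findings = []
    if order["card_last4"] != psp["card_last4"]:
        findings.append(f"card last4 differs: merchant {order['card_last4']} vs PSP {psp['card_last4']}")
    if order["three_ds_version"].split(".")[0] != psp["three_ds_version"].split(".")[0]:
        findings.append(f"3DS version differs: merchant {order['three_ds_version']} vs PSP {psp['three_ds_version']}")
    if order["three_ds_result"] == "PASS" and psp["trans_status"] not in AUTHENTICATED:
        findings.append(f"merchant recorded PASS but PSP transStatus is {psp['trans_status']} (not an authentication)")
    return findings


def card_history_findings(orders, psp_by_id, history_len=5):
    """Per customer: does 'same card as the last N transactions' also hold at the PSP?"""
    by_customer = defaultdict(list)
    for o in orders:
        by_customer[o["customer_id"]].append(o)
    out = {}
    for cust, cust_orders in by_customer.items():
        recent = cust_orders[-history_len:]
        merchant_cards = {o["card_last4"] for o in recent}
        psp_cards = {psp_by_id[o["txn_id"]]["card_last4"]
                     for o in recent if o["txn_id"] in psp_by_id}
        if len(merchant_cards) == 1 and len(psp_cards) > 1:
            out[cust] = (f"merchant shows a single card {sorted(merchant_cards)} over the last "
                         f"{len(recent)} transactions, PSP shows {sorted(psp_cards)}")
    return out


def reconcile(orders, psp_records, history_len=5):
    """Run both checks; returns ({txn_id: [findings]}, {customer_id: finding})."""
    psp_by_id = {r["txn_id"]: r for r in psp_records}
    per_txn = {o["txn_id"]: reconcile_transaction(o, psp_by_id.get(o["txn_id"])) for o in orders}
    return per_txn, card_history_findings(orders, psp_by_id, history_len)


if __name__ == "__main__":
    per_txn, per_customer = reconcile(MERCHANT_ORDERS, PSP_RECORDS)
    for txn_id, findings in per_txn.items():
        print(txn_id, "OK" if not findings else "; ".join(findings))
    for cust, finding in per_customer.items():
        print(cust, finding)
```

Anything this flags is a transaction where your "perfect" feature was never true in the first place; T1002 above is the classic case, a 1.x attempt recorded as a 2.x pass.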
#3. Your first 3DS check is v1.0
There's a big difference between 3DS v1.x and v2.x.
A v1.x check is generally based on something the customer knows (a static password or a personal detail), and it doesn't fire for every transaction.
It's up to the issuer to decide when a 3DS v1.x challenge happens, and guess what: the issuer is in the business of issuing credit and wants to authorise as much as possible.
So even if a 3DS check = PASS, it doesn't mean the customer was actually challenged on their side.
Even worse, the check is often as easy as a date of birth or a ZIP code. If your fraudster has looked at the real cardholder's Facebook, gone through their trash, or simply knows them, this one is easily defeated.
The newer 3DS standard (v2.x) is built to deliver SCA, which requires two independent factors, e.g. something you have and something you know. So this could be an SMS code from the issuer that the cardholder has to enter into a screen hosted by the issuer during checkout.
This makes it much harder to fake.
Even better, as the merchant you can dynamically request a challenge, i.e. whenever you want one, by setting the challenge indicator on the authentication request rather than leaving it to the issuer's or PSP's default. The issuer's ACS still runs the challenge, so confirm with your PSP how a requested challenge is honoured.
So, if your products are high risk and your customers are in countries where 2.x is widely supported (not the US, unfortunately, yet), then for the first transaction, or a notable transaction, with any new card you should consider doing this 'step-up' check.
One gotcha is that some issuers, notably neobanks (read: startup card issuers), will sometimes upgrade a v1.x check to a 2.x check because it gives a better experience. This doesn't mean all your customers will be getting it.
Check with your PSP what the settings are for each of your MIDs.
#4. Not shipping to the card holder address
This is an easy one. If you're shipping a physical good and you're concerned that the transaction may be fraudulent, make sure you're sending the product to the cardholder's billing address,
or do sufficient checks to ensure that the person ordering is the cardholder.
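The step-up decision from #3 and the ship-to check from #4 fit together as one policy: the shipping-versus-billing comparison is one of the signals that should trigger a requested challenge. The block below is an added example for this article, not code from First Six Last Four or any PSP. It assumes your PSP lets you set the EMV 3DS "3DS Requestor Challenge Indicator" (threeDSRequestorChallengeInd) on the authentication request; the spec values are 01 = no preference, 02 = no challenge requested, 03 = challenge requested (requestor preference), 04 = challenge requested (mandate), and the issuer's ACS still makes the final call. The order fields, the country list, the amount threshold, the address abbreviation table, the sample orders and the "strength" labels are all this example's own.

```python
"""Step-up policy: when to ask for a 3DS 2.x challenge, and how much a 'PASS' is worth.

Added example, not code from First Six Last Four or any PSP. Assumes the PSP exposes
threeDSRequestorChallengeInd (EMV 3DS): 01 no preference, 02 no challenge requested,
03 challenge requested (requestor preference), 04 challenge requested (mandate).
The issuer's ACS still decides; check with your PSP how each value is honoured.
Order fields, country list, threshold and strength labels are this example's own.
"""
import re

# Hypothetical list of markets where 2.x is widely supported; not a market survey.
V2_SUPPORTED_COUNTRIES = {"GB", "DE", "FR", "NL"}
NOTABLE_AMOUNT = 250.00  # hypothetical threshold for a 'notable' transaction

_ABBREV = {"st": "street", "rd": "road", "ave": "avenue"}


def normalise_address(addr):
    """Lower-case, strip punctuation, expand common abbreviations, squash postcode spaces."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr["line1"].lower()).split()
    line1 = " ".join(_ABBREV.get(w, w) for w in words)
    postcode = re.sub(r"\s+", "", addr["postcode"]).upper()
    return (line1, postcode, addr["country"].upper())


def ships_to_cardholder(order):
    """True when the shipping address matches the cardholder's billing address."""
    return normalise_address(order["shipping"]) == normalise_address(order["billing"])


def challenge_indicator(order, card_seen_before):
    """Pick threeDSRequestorChallengeInd for this order's authentication request."""
    if order["billing"]["country"].upper() not in V2_SUPPORTED_COUNTRIES:
        return "01"  # a 2.x challenge can't be relied on here; leave it to the issuer
    if not ships_to_cardholder(order):
        return "04"  # physical goods going somewhere else: mandate a challenge
    if not card_seen_before and (order["high_risk_product"] or order["amount"] >= NOTABLE_AMOUNT):
        return "04"  # first or notable transaction on a new card
    if order["amount"] >= NOTABLE_AMOUNT:
        return "03"  # known card, notable amount: prefer a challenge
    return "01"


def authentication_strength(result):
    """Classify a 3DS outcome so a bare 'PASS' is not over-trusted.

    result: {"version": "2.1.0" or "1.0.2", "trans_status": "Y"/"A"/..., "challenged": bool}
    Labels are this example's own, not scheme terminology.
    """
    status = result["trans_status"]
    if status != "Y":
        return "attempt-only" if status == "A" else "not-authenticated"
    if result["version"].startswith("2"):
        return "v2-challenged" if result["challenged"] else "v2-frictionless"
    return "v1-static-secret"  # a 1.x pass is a password/DOB/ZIP-style check at best


# Constructed sample orders, not real customers.
ORDER_NEW_CARD = {
    "amount": 40.00, "high_risk_product": True,
    "billing":  {"line1": "12 High Street", "postcode": "sw1a1aa", "country": "GB"},
    "shipping": {"line1": "12 High St.", "postcode": "SW1A 1AA", "country": "gb"},
}
ORDER_SHIP_ELSEWHERE = {
    "amount": 40.00, "high_risk_product": False,
    "billing":  {"line1": "12 High Street", "postcode": "SW1A 1AA", "country": "GB"},
    "shipping": {"line1": "7 Other Road", "postcode": "E1 6AN", "country": "GB"},
}
ORDER_US = {
    "amount": 900.00, "high_risk_product": True,
    "billing":  {"line1": "1 Main St", "postcode": "10001", "country": "US"},
    "shipping": {"line1": "1 Main St", "postcode": "10001", "country": "US"},
}

if __name__ == "__main__":
    print("new card, high risk:", challenge_indicator(ORDER_NEW_CARD, card_seen_before=False))
    print("ships elsewhere:", challenge_indicator(ORDER_SHIP_ELSEWHERE, card_seen_before=True))
    print("US order:", challenge_indicator(ORDER_US, card_seen_before=False))
    print(authentication_strength({"version": "1.0.2", "trans_status": "A", "challenged": False}))
```

The point of authentication_strength is that a v2 frictionless "Y", a v1 "Y" and an "A" attempt all tend to land in your database as "PASS"; keep them apart so your diagnosis of the twenty bad transactions can tell which ones were ever really challenged.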
#5. You’re not doing enough checks to spot it
You only know what you know. There are over 200 different features you can legally check when you take a payment online.
If all your transactions look the same, consider doing more checks, either explicit (asked of the customer) or passive (collected from the device and session), so that you know more about the customer before you accept their transaction.