Fraud Scoring - Fraud Library
The Fraud Practice eCommerce Fraud Consulting Services
The Bundled Approach...
Fraud Scoring is used by merchants to determine the level of risk associated with taking an order in the card-not-present marketplace. Merchants use the score either to reject, review or accept orders, as well as to find out information on what other types of preventive checks they should perform on the order.
Use of fraud scoring services gives merchants a much more economical way to use the effectiveness of external checks that could be costly to implement individually, such as delivery address verification, geolocation, credit checks, reverse lookups, shared negative files, cross-merchant velocity and use of neural nets. It also frees the merchant from training, setting up and maintaining an internal neural network or fraud solution.
An internal fraud scoring system will have only limited effectiveness, because the breadth of data being looked at is a single merchant’s data. This affects any and all velocity checks, such as velocity of change and velocity of use. For example, modeling and neural nets that are built and/or used solely in a one-merchant implementation don’t get the benefit of seeing consumer activity outside of that business. For fraud scoring, the more data that go into building the service, the better it will predict and catch fraud.
It is important to know that:
- Modeling and neural nets that are maintained in-house suffer from a lack of breadth of data, missing key information about fraud attempts that cross-merchant data would provide.
- Better fraud-screening services will catch between 40% and 70% of fraud attempts, but the higher the catch rate, the higher the insult rate.
- It is only a tool: it provides good information, but merchants have to build the logic into their system to handle the responses.
- It can be very difficult to set up, and to understand how to weight rules effectively, if building in-house. It can require significant intellectual capital.
- It is a great tool to automate manual fraud reviews.
Considerations When Implementing or Buying This Functionality
- How often are the underlying models updated? This is important because the fraud patterns and data points used in a model come from actual good and bad purchases. If a model is a year old, merchants are trying to predict fraud from data elements tied to fraud that occurred a year ago, whereas a model updated monthly or on every transaction is looking at more recent patterns.
- How often is the data updated and verified by the vendor?
- What types of fraud-prevention techniques does the vendor use (e.g., heuristics, neural nets, external scores)?
- What other components does the service provider include as part of their screening service (e.g., delivery address verification, reverse lookups, geolocation, freight forwarder checks)?
- Do they offer any guarantee on charge-backs or provide any risk sharing?
- Do they offer a pass/fail-only solution or one that provides a true score and range?
- Does the fraud-scoring service support e-commerce, mail order and telephone order? Remember to look at the data elements they use to confirm what the focus of the service is. A service designed to predict e-commerce fraud will be less effective at detecting mail order and telephone order fraud, as the data elements are different. For example, the e-commerce consumer will have an IP address and e-mail address.
- For merchants that do a lot of volume, this solution can get very expensive, so make sure you negotiate volume discounts.
- What case studies can they give to show how effective the solution was for other merchants?
- Be leery of any fraud-scoring service that guarantees less than 0.5% fraud without explaining what the effect will be on sales conversion.
- One direct measure of the depth of a fraud-screening service is the number of descriptors it can return. These are codes that tell you more about why it scored the way it did (e.g., can’t verify address, geolocation inconsistency with country, high velocity of use, currently on a negative list).
- What type of reports does the service provide?
- Does the service provide tools for the fraud-review team to do manual reviews?
- Can a merchant tune or change the service to meet their unique needs?
- Can they tell you what to expect as far as insult rates?
- If the service offers negative files, are these shared negative files or strictly for the merchant putting in the data?
Estimated Costs – Costs will vary based on the vendor you select. Typically this service is offered on a transaction basis. There are some providers that offer flat subscription pricing, volume discounts and better pricing for entering long-term agreements. There are also some providers that offer basis points pricing, and these typically offer some sort of risk sharing or charge-back guarantee.
Alternative Solutions – Use of a decision engine, application of rules.
Vendors – BizChord, CyberSource, Mango, Experian, Equifax, Fair Isaac/HNC, Lexis-Nexis (Riskwise), ChoicePoint, The ai Corporation, TrustMarque Risk Guardian, Retail Decisions.
First, a merchant must understand that they can either use an external service for fraud scoring or build their own fraud-scoring engine. In general you will send an order to a fraud-scoring service, providing all of the data elements of the order. Typically the merchant will have performed an authorization prior to making this call, so they can provide information such as the address verification results and the card security results to the fraud-scoring service. These services are typically set up to process orders in a real-time environment, but this does not mean a merchant can’t use them in a batch mode. The service typically takes a matter of seconds to evaluate an order and determine the level of risk associated with it. Once a fraud-scoring service is done, it will provide one of several data points back to the merchant. Make sure to check what the service provider will return:
- A pass or fail result
- A score
- Descriptors
So now that you understand what you will see, what is the fraud-scoring service doing with the order? When you call a fraud-scoring service, it runs a series of data integrity checks on the data you provided to look for things that are unusual or blatantly fraudulent. Examples of this could be nonsensical input such as Name: IUYIOUYIY, or it could be that “Mickey Mouse” is trying to buy a brand new three-carat diamond ring. The service can then look at the data elements (such as name, address, phone, e-mail) to see if there are any matches to internal fraud lists. It would then check for issues with velocity of use and change. The service may then look at things such as geolocation, address and phone verification, and combine these in a model to see how well this order compares to previous good and bad orders. The service then correlates this into a score or a pass/fail response. This is only an example. Each service is unique, and most vendors will not share the exact methods they use, as this is their “secret sauce.”
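The sequence of checks described above, written out as an added example (not code from The Fraud Practice or any vendor). The lists, weights, limits, 24-hour window and 0-100 higher-is-riskier scale are assumptions, and every order is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)               # assumed look-back window
FICTITIOUS = {"mickey mouse"}              # constructed sample list
NEGATIVE_EMAILS = {"bad@example.test"}     # constructed negative file
# Assumed weights per descriptor; a real service derives these from a model.
WEIGHTS = {"NAME_INTEGRITY": 30, "NEGATIVE_LIST": 50,
           "VELOCITY_OF_USE": 25, "VELOCITY_OF_CHANGE": 35}

class ToyScorer:
    def __init__(self, max_uses=3, max_addresses=2):
        self.max_uses, self.max_addresses = max_uses, max_addresses
        self.seen = defaultdict(list)      # card -> [(time, ship_to)]

    def score(self, order):
        found = []
        name = order["name"].strip().lower()
        # 1. Data integrity: single-token or known fictitious names.
        if len(name.split()) < 2 or name in FICTITIOUS:
            found.append("NAME_INTEGRITY")
        # 2. Match against the negative file.
        if order["email"].lower() in NEGATIVE_EMAILS:
            found.append("NEGATIVE_LIST")
        # 3. Velocity: keep only this card's orders inside the window.
        recent = [(t, a) for t, a in self.seen[order["card"]]
                  if order["time"] - t <= WINDOW]
        recent.append((order["time"], order["ship_to"]))
        self.seen[order["card"]] = recent
        if len(recent) > self.max_uses:                       # velocity of use
            found.append("VELOCITY_OF_USE")
        if len({a for _, a in recent}) > self.max_addresses:  # velocity of change
            found.append("VELOCITY_OF_CHANGE")
        # 4. Combine into a 0-100 score plus the descriptors that fired.
        return min(100, sum(WEIGHTS[d] for d in found)), found

def demo():
    """Score four constructed orders placed on one card within an hour."""
    scorer, t0 = ToyScorer(), datetime(2024, 1, 1, 12, 0)
    results = []
    for i, ship in enumerate(["1 Elm St", "9 Oak Ave", "22 Pine Rd", "1 Elm St"]):
        results.append(scorer.score({
            "name": "Jane Doe", "email": "jane@example.test",
            "card": "tok_1", "ship_to": ship,
            "time": t0 + timedelta(minutes=15 * i)}))
    return results
```

The third order trips velocity of change (three ship-to addresses on one card) before the fourth trips velocity of use, which shows why the two are tracked separately.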
Selecting a fraud-screening service depends on a merchant’s sales channels: MOTO (mail order and telephone order), e-commerce or both. If a fraud-screening service requires data elements from you, you should do everything you can to submit any and all of these data elements. E-commerce fraud-screening services will be less effective with MOTO transactions. But if a solution is 70% effective in e-commerce and 50% effective with MOTO, it will still catch half of the MOTO fraud attempts.
If an order fails authorization, merchants don’t need to send it out for fraud scoring. That being said, a merchant should perform their authorization check prior to a fraud screen.
These services typically don’t provide a case management interface, and they provide no means to establish initial settings. Merchants have to base the original settings on their own previous history with charge-backs. Merchants can easily get bogged down in the details of the solution. I highly recommend that merchants have a fraud analyst, from the vendor of choice or an independent source, assist in completing the initial setup and go over best practices for using the fraud-screening service. This can save a merchant a lot of time and money in implementing their solution.
It typically takes two weeks to set up a fraud-screening service technically: one week of setting up the initial business processes to use the service, and one week for completing the integration. Most vendors provide an API that has been designed to be very simple to use, and which has a lot of pre-built plug-ins for major e-commerce applications.
Implementing fraud screening is easy from a technical standpoint, but is a little trickier from the business side. You need to do a fair amount of analysis on your side to determine what types of risk may be encountered. A merchant also has to determine how they want to deal with that risk. This information is critical for correctly setting up and using fraud scoring to its fullest potential. Merchants will also have to code in rules to handle the results returned from fraud-scoring services.
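An added sketch of the merchant-side rules for handling a scoring response, not taken from any vendor's API. The descriptor codes, thresholds, 0-100 higher-is-riskier scale and the `score_fn` stand-in for the vendor call are all hypothetical.

```python
from dataclasses import dataclass, field

# Assumed score scale: 0 (low risk) to 100 (high risk); thresholds are
# hypothetical and would be tuned from the merchant's charge-back history.
REVIEW_AT, REJECT_AT = 40, 75
# Hypothetical descriptor codes mapped to the follow-up check they suggest.
FOLLOW_UP = {
    "ADDRESS_UNVERIFIED": "delivery address verification",
    "GEO_MISMATCH": "geolocation review",
    "HIGH_VELOCITY": "velocity review",
}

@dataclass
class Decision:
    action: str                                  # "accept", "review" or "reject"
    checks: list = field(default_factory=list)   # extra checks to perform
    scored: bool = True                          # False when scoring was skipped

def decide(auth_approved, score_fn, order):
    """Apply merchant rules; score_fn stands in for the vendor call."""
    if not auth_approved:
        # Failed authorization: the order is never sent out for scoring.
        return Decision("reject", scored=False)
    response = score_fn(order)
    descriptors = response.get("descriptors", [])
    checks = [FOLLOW_UP[d] for d in descriptors if d in FOLLOW_UP]
    if "NEGATIVE_LIST" in descriptors:
        return Decision("reject", checks)
    score = response.get("score")
    if score is None:
        # Pass/fail-only service: this sketch routes a fail to manual
        # review rather than auto-rejecting (an assumed policy).
        passed = response.get("result") == "pass"
        return Decision("accept" if passed else "review", checks)
    if score >= REJECT_AT:
        return Decision("reject", checks)
    if score >= REVIEW_AT or checks:
        # Mid-range score, or a descriptor that calls for another check.
        return Decision("review", checks)
    return Decision("accept", checks)
```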
Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.



