In The News

Customer Quotes

"The Fraud Practice is a world-class credit card fraud mitigation consulting practice."

Kevin Mitnick, President Mitnick Security Consulting LLC

For Email Marketing you can trust

Fraud Blog Subscribe in a reader

ACH Processing

Advertisement

Consulting Services
Mr. Montague  is the founder and President of The Fraud Practice. He has spent the last fourteen years in the information technology industry.
Read more
Fraud Library
Looking for information on fraud prevention techniques, solutions and best practices. The fraud library is your first stop to find free research.
Read more
Fraud in the News
A series of news feeds and articles of interest to fraud professionals.
Read more

Hot lists, Warm Lists, Positive Lists - Fraud Library

The Fraud Practice eCommerce Fraud Consulting Services

Lists are used to identify returning consumers to determine if they have had good business or bad business in the past. Hot lists, sometimes referred to as negative lists, are utilized to reject orders from consumers that have had charge-backs on previous orders. Warm lists are used to either reject or review orders from consumers who have been customer-satisfaction problems in the past. Warm lists aren’t used for fraudsters, just consumers that never seem to be satisfied. Positive lists are used to identify a merchant’s best customers who have successfully closed business with them in the past and are trying to make a new purchase.

Google

The second thing you should implement...

Lists are used to identify returning consumers to determine if they have had good business or bad business in the past. Hot lists, sometimes referred to as negative lists, are utilized to reject orders from consumers that have had charge-backs on previous orders. Warm lists are used to either reject or review orders from consumers who have been customer-satisfaction problems in the past. Warm lists aren’t used for fraudsters, just consumers that never seem to be satisfied. Positive lists are used to identify a merchant’s best customers who have successfully closed business with them in the past and are trying to make a new purchase.

How Good Is It? 

The use of lists is one of the most fundamental elements in any fraud-prevention strategy. If a merchant is doing nothing today, implementing a hot list is the very first thing they should do. If a merchant is doing business today and someone defrauds them, and the merchant has nothing in place to prevent the fraudster from coming back and defrauding them again, the fraudster will come back. Lists in general can also save a company money by allowing them to cut out certain orders before they have to pay for external calls such as authorizations, fraud screening, credit checks and the like.

          Things to know about lists are:

  • Hot lists are excellent at preventing repeat fraud, and are fairly good at catching some forms of identity morphing.

  • Warm lists are an effective way to stop those customers that continuously make purchases and then just return the goods, or don’t make full payments.

  • Warm lists are also a good way to track return or credit abuse.

  • Positive lists are an excellent way to reduce the number of orders you have to call out to external fraud screening for. They are also a good way to fast-track orders from a merchant’s best customers if they rely heavily on manual reviews.

Considerations When Implementing or Buying This Functionality    

  • To maximize the effectiveness of using lists, a merchant should make sure they can share data from, and be checked from all channels (i.e., e-commerce, MOTO and card-present) if possible.

  • Merchantscan exponentially increase the effectiveness of lists by having access to shared fraud lists.

  • The data fields a merchant uses for these lists are critical, so make sure you can add data elements, import and export data into the set. Also make sure you have methods to purge old records.

  • Plan on maintaining data in a hot list for at least 12 months — I recommend 18 months.

Estimated Costs – Costs vary based on the method you implement. A merchant can get basic hot list capabilities from most fraud-screening services, and they can get it as part of most decision engines. They can also build it internally very easily.

Alternative Solutions – None

Vendors – CyberSource, eFunds, Retail Decisions, HNC/Fair Isaac

How Does it Work?  

List checks are fairly simple: A merchant designates a set of fields to maintain in a database, and they populate it with records where they want to take some action. When they process a transaction, they check it against the list.

Typically the data element used for list checks are address, state, zip code, phone number, credit card number and e-mail address. Name is not recommended as there are too many people with similar names and this could really kill their sales or fill their manual review bins.

When checking new transactions against the database, a merchant is looking for a match on any of the data elements, not just one of them. For address checks merchants will have to use some normalization to be effective. Make sure states are represented in the two-character designation, zip codes are five digits or five-plus-four and all blanks are stripped out of the address line. Look for matches on parts of the address line, not exact matches, as some individuals will change just one digit or letter to make it look like a different address. Set up a process that mandates that all charge-backs that are related to fraud must be input into the hot list.

How Do I Use the Results? 

  • Always perform the hot list check first, before any call for an authorization. If a consumer is on the hot list, reject the order.

  • If using warm lists to catch customer service issues, do this check second, before authorization. If a merchant’s policy is to reject all warm list customers simply cancel the order, otherwise if it is to review, then do this check after you do the authorization.

  • Positive file checks, unlike the warm list or hot list, must be a 100% match. Address, phone and e-mail — everything — must match before a merchant decides to skip any other fraud checks.

One of the interesting ways warm lists have been implemented is to catch customers that are constantly returning goods. They can also be used to catch internal fraud rings that do credits to third-party credit cards. The method calls for a connection to their applications that process credits. Using a velocity of use technique, they count the number of credits based on each of the data elements discussed earlier. When they reach a preset number (e.g., more than 3 in 30 days), have that data populated into the warm list.

Building This In-House 

The main thing a merchant needs is a database. Have a Database Administrator set up a database to use, adding the data elements discussed above. Working with the credit or finance group, compile a list of previous charge-backs using the data elements to fill it in. You can put the data into a comma-separated file or you can put it into a spreadsheet application such as Microsoft Excel. With the spreadsheet or comma-separated file, the Database Administrator should be able to easily import the data into the database.

The next step is to set up a call to the database from the e-commerce engine, if a merchant is processing orders in real time, or from their order-processing application if they are operating in batch. The Database Administrator can set up the lists so they are optimized for fast queries by presetting stored procedures. Remember, although it is easy to add this directly to the e-commerce engine, I recommend that you create a fraud-prevention strategy first and implement this and other techniques with the end-state “strategy” in mind.

Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.