
In this blog post, through analysis of situational examples, my aim is to uncover some of the essential fraud precautions that should be considered before expanding internationally. I will also identify differences in the cross-border eCommerce strategies for high-risk verticals, providing best practice examples. In this context, cross-border will refer to an eCommerce purchase where the IP country, card issuing country and shipping country differ from that of the merchant.

Case 1: Moving to the US within a high-risk vertical

A high-end retail brand, which only accepts online orders with UK billing and shipping details, opens a new store in the US and makes their online business available to the entirety of the US market. Additionally, a huge campaign is rolled out to generate awareness. The publicity is necessary for the company to grow its footprint in the new region; however, this kind of mainstream hype can also draw the attention of localized fraud networks. Understanding the market which your business is entering and taking the necessary precautions is essential for cross-border expansion to be a success. So, what sort of precautions could be taken in this case?

The darker blue on the heat map represents where the highest chargeback rates (by US state) occur. When operating in the UK, the merchant had limits in place to only allow UK billing and shipping details. Similar logic should be applied to the new US channel (a channel or sub client in this case being a configuration which allows a merchant to separate their traffic for analytical purposes). The recommendation is to initially only allow US billing/shipping and US issued cards through the new US channel. These limits, while more restrictive, can always be lifted once your company has settled into the new market and better understands the fraud landscape.

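| #  | US STATE   | CB RATE |
|----|------------|---------|
| 1  | Florida    | 0.40%   |
| 2  | Nevada     | 0.36%   |
| 3  | New York   | 0.35%   |
| 4  | Georgia    | 0.35%   |
| 5  | Louisiana  | 0.34%   |
| 6  | California | 0.34%   |
| 7  | Arizona    | 0.31%   |
| 8  | Delaware   | 0.30%   |
| 9  | Alabama    | 0.30%   |
| 10 | Illinois   | 0.30%   |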

It is also possible to moderate higher-risk states by using a variety of velocity and value-based rules. Florida was the US state with the highest risk in 2017, with a 0.40% chargeback (CB) rate. The CB rate is calculated by dividing the reported chargebacks by genuine transactions (CB/TXN = CB Rate). New York (0.35% CB rate) and California (0.34% CB rate) also featured highly, so a tighter rule balance strategy is best, at least initially, when trading in these states.
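A sketch of how the channel limits and the state-level velocity and value rules described above could be expressed, as an added example that is not ACI's or any fraud provider's actual rule engine. The thresholds, field names and the `ChannelRuleset` class are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed tuning values; the post names the states but gives no thresholds.
HIGH_RISK_STATES = {"FL", "NY", "CA"}
MAX_ORDERS_PER_WINDOW = 2      # velocity limit per card in high-risk states
MAX_ORDER_VALUE = 500.00       # value limit in high-risk states
WINDOW_SECONDS = 3600

@dataclass
class Order:
    ts: int                    # epoch seconds
    card_id: str               # tokenised card reference, never the PAN
    issuer_country: str
    billing_country: str
    shipping_country: str
    shipping_state: str
    amount: float

class ChannelRuleset:
    """Hypothetical per-channel ruleset: hard country limits, then soft rules."""

    def __init__(self, channel_country):
        self.channel_country = channel_country
        self._recent = defaultdict(deque)   # card_id -> recent order timestamps

    def evaluate(self, o):
        """Return (decision, reasons); decision is ACCEPT, REVIEW or REJECT."""
        # Hard limit: card issuer, billing and shipping must match the channel.
        reasons = [f"{f}_mismatch"
                   for f in ("issuer_country", "billing_country", "shipping_country")
                   if getattr(o, f) != self.channel_country]
        if reasons:
            return "REJECT", reasons
        # Sliding window of orders per card for the velocity rule.
        recent = self._recent[o.card_id]
        while recent and o.ts - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        recent.append(o.ts)
        # Tighter velocity and value rules apply only to higher-risk states.
        if o.shipping_state in HIGH_RISK_STATES:
            if len(recent) > MAX_ORDERS_PER_WINDOW:
                reasons.append("velocity_high_risk_state")
            if o.amount > MAX_ORDER_VALUE:
                reasons.append("value_high_risk_state")
        return ("REVIEW" if reasons else "ACCEPT"), reasons
```

Routing soft-rule hits to REVIEW rather than REJECT is one way to limit the false positives discussed below while the ruleset matures.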

The exact strategy chosen will depend on the risk of a company’s vertical. Retailers selling high-value products are at the most risk and typically fall into a higher risk vertical. This is because targeted items will have a higher resale value and desirability once acquired fraudulently. When entering a new market, within a high-risk vertical, it’s recommended that you apply tighter limits in the ruleset.

The biggest consideration when implementing a tighter ruleset is how false positives (rejected genuine transactions) could increase, and in turn, how this could impact the overall customer experience. Particularly for a business trying to optimize for sales in a cross-border context, false positives are never welcome. Therefore, this type of strategy is generally best when working with the high-risk verticals.

The advantage of implementing a tighter ruleset is that chargebacks will be minimized. Chargebacks can be very costly, and losses can be as much as double the initial recommended retail price of the product. This is due to products being unrecoverable, as well as the merchant’s liability to pay back the bank. Additionally, if the chargeback rate reaches a certain percentage, additional penalty charges will be levied by the card schemes.

Considering all these factors, the recommendation when entering a new region with a high-risk vertical is to start with a focused ruleset, relaxing the criteria when the business has settled and the ruleset has matured. A ruleset can mature in several ways; the evolution of targeted rules, the development of negative lists, the maturity of ‘time on file’ based fields, and the experience of how these new localized fraud networks operate, will all contribute to safe and secure trading.

Case 2: European expansion

In another example, a UK based merchant has made the business decision to expand their CNP (card not present) business into several new European countries. Each country requires its own channel and ruleset; effectively its own roll out.

The highest risk European shipping countries (where the goods were sent) in 2017 were Estonia, Spain and Serbia. Note: Other countries were removed due to low transactional counts causing exaggerated chargeback rates (for example Andorra and Armenia).

When integrating with your fraud provider, ensure that each country is set up on a different channel. This will allow a new ruleset to be created per country without affecting any of your existing traffic. It will also enable you to vary the rules depending on localized fraud trends, country specific laws and business requirements. Let’s look at some figures around shipping to Spain in 2017, to understand how this could work in practice.

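| #  | SHIP COUNTRY | CB RATE |
|----|--------------|---------|
| 1  | Estonia      | 0.20%   |
| 2  | Spain        | 0.18%   |
| 3  | Serbia       | 0.09%   |
| 4  | France       | 0.09%   |
| 5  | UK           | 0.07%   |
| 6  | Latvia       | 0.07%   |
| 7  | Iceland      | 0.06%   |
| 8  | Greece       | 0.06%   |
| 9  | Slovenia     | 0.06%   |
| 10 | Belgium      | 0.06%   |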

When breaking down the customer base for goods shipped to Spain, Spanish issued cards made up 83% of the transaction volume with Italian issued cards coming second with 4%. The most fraudulent card-issuing countries with Spanish shipping addresses in 2017 were Norway (2% CB Rate), Austria (1.71% CB Rate), Netherlands (4.65% CB Rate), Czech Republic (10.84% CB Rate) and Taiwan (8.53% CB Rate).

Completing the same analysis for France in 2017, French cards made up 89.15% of the transaction volume with Spain (0.38%) coming second. The most fraudulent card issuing countries with French shipping addresses were Taiwan (3.85% CB Rate), Croatia (3.27% CB Rate) and Mexico (1.73% CB Rate).

Using this type of information, it would be possible to incorporate rules around high-risk card issuing countries, adding limitations if fraud continued into 2018-19.
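The per-country analysis above, written out as an added example (not code from ACI or the original post): it computes CB/TXN per card-issuing country for one shipping country, drops low-volume countries whose rates would be exaggerated, and lists issuers well above the domestic rate as candidates for targeted rules. The volume floor, the multiple and the sample rows are constructed assumptions.

```python
from collections import Counter

MIN_TXNS = 200          # assumed volume floor; the post gives no figure
RISK_MULTIPLE = 5.0     # assumed: flag issuers at 5x the domestic CB rate

def cb_rates(transactions, key, min_txns=MIN_TXNS):
    """Return ({country: CB rate in %}, [countries excluded for low volume]).

    CB rate is CB/TXN, with TXN taken as all transactions in the group.
    """
    txns, cbs = Counter(), Counter()
    for t in transactions:
        txns[t[key]] += 1
        cbs[t[key]] += bool(t["chargeback"])
    rates, excluded = {}, []
    for country, n in txns.items():
        if n < min_txns:
            excluded.append(country)     # too few orders for a stable rate
        else:
            rates[country] = round(100.0 * cbs[country] / n, 2)
    return rates, sorted(excluded)

def rule_candidates(rates, domestic, multiple=RISK_MULTIPLE):
    """Issuing countries whose CB rate exceeds `multiple` x the domestic rate."""
    threshold = rates[domestic] * multiple
    flagged = [(c, r) for c, r in rates.items() if c != domestic and r > threshold]
    return sorted(flagged, key=lambda cr: cr[1], reverse=True)

def sample_transactions():
    """Constructed rows for goods shipped to Spain; not the post's dataset."""
    rows = []
    def add(issuer, n, chargebacks):
        rows.extend({"ship": "ES", "issuer": issuer, "chargeback": i < chargebacks}
                    for i in range(n))
    add("ES", 8300, 10)   # domestic cards, bulk of the volume
    add("IT", 400, 1)
    add("CZ", 250, 27)
    add("AD", 3, 1)       # 33% on three orders: excluded, not flagged
    return rows

if __name__ == "__main__":
    rates, excluded = cb_rates(sample_transactions(), "issuer")
    print(rates, excluded, rule_candidates(rates, "ES"))
```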

Common cross-border fraud trends

As a merchant, you should be aware of common fraudulent trends and how configuration of the front-of-house website can affect your fraud solution. Markets such as the US and Europe can be very lucrative, but also come with an increased localized threat of fraud. Understanding the heatmaps used here will give you some of the ammunition needed to ask your fraud provider the right questions. This will ensure the correct rules/blocks and services have been applied before a fraud attack occurs. Understanding these localized trends does come down to experience, but the following are a few common types of fraud and their resolutions:

Bot attacks: This type of attack can affect the merchant in a few different ways. Firstly, bot attacks can be used to test a merchant’s fraud prevention solutions and website limitations. This is achieved by filling a merchant’s order system with thousands of fraudulent transactions, causing serious losses if the merchant has not split their traffic. Secondly, while this type of fraud attack is happening, well placed fraudulent orders have a higher chance of going through. Finally, the merchant can experience increased costs from chargebacks as well as the increased traffic they will be paying for with no generated profit.

It is recommended to incorporate a third-party service into your front-end system, which forces the customer to prove they are human. This is done by entering a sequence of identifiers that can be found in a supplied picture or audio message (i.e. CAPTCHA). This will prevent hackers using bots that can place thousands of orders in a very short period. Making sure you do not have this service active all the time is important, as it does stop the navigation flow for genuine customers.

Gift cards: Some features of a merchant’s website, for example gift cards, can be abused by fraudsters. It is very important that as a merchant you limit the number of gift cards that can be purchased at one time on your online store. It is also not best practice to send the gift card via email, as they are so high risk.

Card Testing: This usually occurs in lower risk verticals. The fraudster’s aim is not to purchase an item but to test that the card works, so it can be used later in another fraudulent transaction. This method might also be used to identify limits and thresholds that have been set for the merchant by their fraud provider.

Key takeaways for merchants

Ultimately, merchants should carefully consider their fraud solution and strategy before pursuing cross-border eCommerce expansion.

  • Ensure you send your fraud provider the additional traffic in a separate channel (configuration that separates traffic for analytical purposes) to your existing traffic, or at least a flag to identify it.
  • Make sure the data provided is enriched and regularly send fraud providers your chargeback information. This is so they can analyze the fraud trend as it is happening, rather than afterwards.
  • If your company sells high-value/risk items, start off with a more stringent ruleset, slowly relaxing thresholds over a period of time. This should be enough time for your ruleset to mature and negative lists to be effective.
  • Make sure your front of house website has limits on gift cards or similar cash value goods.
  • Ensure that front of house services have been integrated and can quickly be switched on to help combat bot attacks.

Additionally, when moving to a larger market, it is recommended to only allow cards, billing and shipping information that match your new channel. Fraud providers, such as ACI, offer services such as global fraud databases, which give visibility into existing and ongoing fraudulent patterns.

It is also important to consider a solution serviced by a global risk team, which has the local experience needed to combat local threats.

Though there are myriad considerations, there is great opportunity when expanding your eCommerce business cross-border, provided fraud prevention is part of the strategy every step of the way.

ACI ReD Shield is a key component of ACI’s UP Payments Risk Management solution—delivering real-time, multi-tiered protection that’s tailored to the needs of eCommerce merchants, payment service providers (PSPs) and Independent Sales Organizations (ISOs). Find out how ACI’s fraud experts and risk analysts support global eCommerce growth and enhance customer experience.

Risk Analyst, EMEA

Patrick Hengeveld has worked for ACI as a fraud risk analyst for the past three years. In this time he has worked closely with a range of merchants across sectors and verticals, preventing fraud attacks and improving ruleset effectiveness.