To build or to buy a fraud solution? That is the question.

At Ravelin we’re in the fairly unique position of having both built our own fraud solution as merchants and now providing fraud solutions as a third party to lots of other merchants. This post will go through some of the things you will need to think about for both options as well as offer advice on best practices for each.

As a caveat to all of this, we’re going to assume that you are going to want to select a machine learning solution. This is because through our own testing of machine learning and rules (both as merchants at Hailo and now here at Ravelin), machine learning has always produced better results - read more about this here.

Key Questions

How many transactions are you processing per month?

As we’ve written about previously, we think the best way to combat fraud is by using machine learning. The one drawback of machine learning is that it requires large amount of data to produce accurate results. This is why companies like Amazon and Ebay have been able to build their own extremely strong fraud prevention products in-house. If you are collecting fewer than 10m transactions per month it is probably worth using a 3rd party so you can benefit from everything they know about fraud from similar customers to you as well as their network of cards. If you are collecting over 10m payments per month and you satisfy the below conditions, it may be worth looking into building your own fraud prevention service in-house.

How much do you want to invest in fraud?

As with any big purchase, cost is one of the primary factors to look at when assessing whether to buy or go it alone. A few things you should consider include:

- What is the total cost of the third party per month?

- How much would you lose to fraud with the third party vs something in-house per month?

- How much will it cost to hire and pay a full-time in-house fraud expert?

- How much will it cost to provide this hire with the ongoing engineering and data resources they need?

- How many hours of manual review do you expect per month with an in-house system vs a bought system? What does this equate to in salary, hiring and training costs for a review team?

Once all costs are considered, you are in an excellent place to decide whether to build or buy. As a general rule of thumb, unless you have over 100 engineers, data scientists, and support staff and are willing to commit a full time data scientist and engineer to fraud, you should go with a third party system. One thing we didn’t fully appreciate at Hailo was the extent to which we needed to constantly upkeep and improve what we’d built already.

Do you have in house fraud expertise?

If you have a lot of in-house knowledge about fraud it may be worth looking into building your own solution. As well as data scientists and engineers, building a robust solution typically requires a fraud expert as well as highly trained reviewers. A good third party solution, such as Ravelin, will equip your customer support team with the right tools so they can manage fraud effectively and efficiently.

Do you have in-house engineering and data expertise?

Building a robust fraud tool in house doesn’t just mean hiring an in-house fraud expert. That person will also require extensive engineering and data resource to implement the program both initially and ongoing. If you have a strong engineering and data science team this may be something you want to consider. If these aren’t core competencies within your company, you are better off looking to a third party who have full-time engineers and data scientists working constantly to adapt to changing fraud patterns.

Are you looking to release new products or have you expanded into new geographies?

As we’ve mentioned before, one of the drawbacks of machine learning is that it works well only with large data sets. If you are selling the same product you have been for years in the same geographies, building something in-house could work well for you (although you will still have to be wary of the ever-changing fraud behaviours). If you are looking to release new products or into new areas it is usually best to partner with a third party who has data on the countries you are going into and may have experience with the new products you are about to release.

How pressing is your fraud problem?

If you’ve been put on something like Visa or Mastercard’s Excessive Chargeback Programme and are under pressure to get chargebacks under control immediately your best bet is to go with a third party vendor. You can integrate Ravelin in about a week and should see significant improvements within your first month. If you have fraud under control currently but are looking to get something in place for the future, you may want to consider building your own tool in-house.

Top tips if you are building

If you do decide you want to build something, the most important first step is to hire a fraud expert. Look for someone that has experience in your industry and who can demonstrate the results they achieved and explain the methods they used to achieve them. This should take 3-6 months if you can find a good recruiter. You will then need to assign this person a number of engineers and data scientists to assist them.

The next step is training/hiring your fraud team. You should set a benchmark of what % of orders you want to manually review and then work from there on how many need to be trained. It’s usually worth having a senior manual reviewer as well who new hires can go to with particularly tricky cases. The % of order reviewed can vary drastically from company to company. Ravelin customers typically review 1% of orders, yet a 2016 Cybersource report found that customers using rules reviewed as many as 25% of their orders. The exact number will be determined by how good your models are.

Work out what the key metrics you want to track are and review them on a monthly basis with the relevant stakeholders, usually head of payments, head of fraud, head of marketing.

Top tips if you are buying

The first thing you will want to do is work out what things are important to you. For instance, if you want to ensure your customers’ data is safe you may want to choose a provider who is ISO 27001 certified, likewise if you deal with transactions in real time, you might want to choose a provider who gives instant fraud decisions.

Secondly you will want to work on a timeline for when you want your solution implemented. If it is quickly, the best thing to do is scan through a few websites, work out which ones might suit your needs and then arrange calls. If you want a longer more protracted process, it may be worth conducting an RFP.

One thing we do suggest is that if you do opt for buying a solution rather than building, you select a provider that can build models based around your own data. This means you essentially get all the benefits of building your own solution without any of the hassle or cost and at a fraction of the time.

Another thing we strongly suggest you do is select a third party supplier with PCI compliance who is able to collect full card numbers. This means if they spot compromised cards being used at another one of their merchants, they can protect you against that aggressor too.

Once you have entered into a contract with a supplier it’s important you work out with the supplier what the most important metrics are for your business (i.e. are you more concerned with keeping fraud down or accepting as many orders as possible) and track these on a monthly basis with your account manager. Results should improve month on month.

Learn more about machine learning here.