It's all about smaller, online retailers for this episode. Gerry called up a friend of Ravelin's, Michaela Verstraeten, to get top tips for businesses who are encountering fraud for the first time. They talk through 3D-Secure, point-solutions, chargeback guarantee programmes and much more. You can listen below or on our Soundcloud page - take your pick!
Gerry: So, welcome to the next in our series of Ravelin podcasts. This week we’re looking at the topic of how smaller retailers tackle the issue of fraud and we’re joined this week by someone I hope is going to become a regular contributor; she’s Michaela Verstraeten. She was the fraud lead and set-up many of the initial fraud systems at companies like Nike and Levi’s and was a former member of the European Merchant Risk Council so she is extremely well-placed to give us some great insight and advice and experience into tackling the issue of fraud. So, welcome Michaela.
Michaela: Hi Gerry.
Gerry: Hello so let’s get struck straight in. So, I’m a small business, I’ve been trading for some time online and I’ve come across the problem of chargebacks and fraud for the first time. We know there are a number of options available to them, just where do they start? What’s your advice on the first few things they should look at in terms of tackling this issue?
Michaela: I think most small businesses, when they begin in retail online, I mean they will also do so with a PSP - a payment service provider. If they’ve done well and their payment service provider has given them the right advice they will at least have some form of very basic fraud solution there to look at the transactions that are actually coming in. That said, I have seen businesses where that’s not the case, they’ve chosen just to start tackling business online and taking transactions without having anything in place. So, I think the first place that they should go knocking on the door is their own PSP. Go and ask the person who’s providing your payment solution if they have their own system for detecting fraud and if so, those things are usually based on some fairly standard rulesets, which should pick up the beginnings of any chargeback issue they are beginning to see.
But I think that another way to do it, and it’s often these days the first thing that your payment service provider, if you do ask them, will suggest, is using 3DS, so 3D Secure, meaning the solution that has been put in place by the VISA, MasterCard, Amex card systems in order to, if you like, prevent fraud in the sense that you make an extra check on every transaction as you take…
Gerry: It’s probably worth explaining a little bit Michaela, about what 3D Secure does, it’s a liability shift but it’s probably worth going into some detail about what that means.
Michaela: It certainly is because one of the misconceptions as well is if you put 3D Secure on, you’ll never have chargebacks.
Michaela: Chargebacks will still occur. In the most part, they will be covered by, as you mentioned, the liability shift, but it’s important for business, for merchants, to realise that there are parameters around that and that it still requires that no more than a small percentage of chargebacks occur, even when 3DS has been offered through the payment moment when a customer has placed an order. That’s very important for businesses to understand and I think that quite often people actually say, “Just put 3D Secure on and we’ll do that.” However, you do have businesses - often bigger businesses rather than the small businesses or start-ups - who are reluctant still today to use 3D Secure. The reason is that it is perceived to be an issue in conversion, because of course you’re putting the customer through an extra process during the checkout, during the payment process.
So, we send them to their bank, send them off to their bank and ask for further verification. In that verification if you pass, in effect, it comes back and says, “Thank you very much, here’s your order number,” if you don’t pass then the order doesn’t come through and the perception is that some people will drop off during that process. I think, correctly, often fraudsters will drop off, so that’s good. It’s not the golden answer based on if a card isn’t yet registered as 3D Secure, then the person who’s perpetrating the fraud can actually set up the 3D Secure log-in for that particular card, so…
Gerry: Oh, okay.
Michaela: So, in a market like the UK, for example, where it’s well-known, well-understood by customers, most people already have registered and they may not like going through the process but they’ll accept it. If you take another market, say one of the European markets that doesn’t actually use it as much, customers would not even know what it is, or the process can be even more difficult, or fraudsters will do it because they’ll know that the cards that they are trying to use are 90% certain not to yet have been enabled on 3D Secure, which allows them to do it.
Gerry: Okay, so 3D Secure isn’t a perfect answer to the fraud problem, but I do want to query one thing. You said it’s a perception that it hurts conversion, I’m just…in your opinion is that perception accurate or is that exaggerated?
Michaela: It’s interesting. There have been quite a lot of studies done by, of course VISA, MasterCard, but also by different PSPs of their actual experience in what they see and I have to say that now compared to five years ago, the experience is much better. There is one pain point still in that we are shopping more on mobile but we’re still waiting for a 3D Secure process that works well on mobile. So, if you have it switched on, for example, for your web store, it will work when someone’s using any form of browser that is not mobile but once they start using a tablet or a smartphone and checking out that way, then usually 3DS would be switched off because the process is so cumbersome. It’s about to be resolved, so people are waiting.
Gerry: And how is that?
Michaela: Just by an update of the system by the banks, by the issuing cards. Again, it’s a system that was put in place but it’s not one system. It works differently depending on which bank you are with. Different banks have different ways of making your verification happen. So, again, it’s not something the merchant can control, and for that reason, they’re not always very pleased with how it makes their web shop look.
Gerry: Okay, there are a host of other almost kind of point solutions, they do a specific thing, so you think of device fingerprinting with something like Threatmetrix, or social identification, social account identification with Trustev. I just wonder…there are many of them, how would a merchant go about selecting which ones make sense for their business and in your experience, do they perform a useful function?
Michaela: I think it’s fair to say that there are plenty of individual options on the market to, as you say, do the device fingerprint, look at social media and verification that way, actually looking for example just to verify the email, these are all what I would call ‘one-tool solutions’ and I think that because we are talking about small businesses, I think that if small businesses are growing and therefore are beginning to feel some pain from chargebacks - and chargebacks will happen - the aim of any business is to keep those chargebacks to a minimum. In doing so, using the tools you would have available from your existing systems in place would be the first thing to do, so your PSP.
Hopefully your PSP can offer some form of 3DS, which is then based against…you only put it on orders over £100 for example, which is basically referred to as dynamic 3D Secure, so you can choose which transactions you actually enact it upon. And then you have, for small businesses you have also companies who offer a form of chargeback guarantee model. They do tend to do this…it’s not very cost-effective once you get to bigger volumes, I think, but it has merit in the small business space. The issue when you are looking at the chargeback guarantee model is they will take the transactions and if there is a chargeback, you know, you as a merchant won’t suffer that chargeback cost.
Michaela: But what is often at stake there is a slight increase in false positives, so you may find that with those models you’re turning away some good business that may look fraudulent and that percentage tends to be a little bit higher when thinking about models and companies which are offering a chargeback guarantee.
Gerry: So, Michaela, is it the merchant turning it away or is it the chargeback guarantee provider who is turning down the transactions that causes false positives?
Michaela: Well, if you are using a chargeback guarantee provider, or a provider that gives you a chargeback guarantee, their system, like any of the other systems, would be integrated in effect into your checkout, into the payment page, and the decision that’s made about whether the information contained in this particular transaction is to be trusted or not trusted or potentially put into a manual review situation either internally or by the company that’s giving you the chargeback guarantee, they would err on the side of caution.
That would make sense for their business model because they don’t equally want to have too many chargebacks coming through since they are guaranteeing the whole value of those chargebacks. I think for that reason it makes since that in effect you can expect a higher false positive on that. I think the key is that it will block out fraud but it will also mean that some of your good orders will suffer, which means that your conversion as well.
Gerry: So, a lot of these tools, I guess that one piece of guidance is you know, watch the conversion because between 3DS and a chargeback guarantee, and some point solution, and the PSPs own fraud tools, there is a pretty strong risk that you’re going to be creating a false positive problem. Is that fair to say?
Michaela: I think that is fair to say across all sizes of retail business, small or large.
Michaela: If you consider in any company, I think it’s important that they review current systems regularly but with a small business they tend to really only start to pay attention when they discover that they have a chargeback problem which has suddenly mushroomed to a level where someone in finance says for example, “Why are we losing all this money, why are we getting all these chargebacks to us from our payment provider?” because generally you see that, if you like, in the invoicing of the PSP, because it’s charged back to them and then they charge it back to you as the merchant. It’s about management of the situation.
Gerry: Okay. I mean when would you advise a small business to start considering a…sort of a fuller, broad solution, a solution that, for sake of argument, Ravelin provide, or one of our competitors?
Michaela: I think that could be based on one of two things. I mean, some of it would be once you get over a certain volume of transactions, you know, the recommendation for a certain volume of business, so I would say plus 500 transactions a day, for example. But I think it could also be based upon the percentage of loss, and it’s quite interesting because many businesses actually offer various different payment methods but they do measure, if you like, fraud loss, so they do measure percentage of chargebacks against the whole revenue that they’re taking in.
Now, some people would discuss that that’s not a correct percentage because of course it will appear to be lower than if you were only measuring it against card transactions, so if your percentage of chargebacks against only card transactions is above 3 percent, then you should be really seriously moving to a full solution because although you can report that - and most businesses do - against your full revenue, including other payment methods, if you’re already at 3% on the cards, then you’re running into an area where you have a problem. I think even at 2 percent, to be honest.
Michaela: And it also depends across the different payment cards, because you could be at 2% overall, but you could be at 3% on MasterCard, for example, and have a lower rate on VISA, or the other way around, and each of…those companies in particular - VISA and MasterCard - are becoming much more vigilant of pursuing merchants that are experiencing an unacceptable level of chargebacks.
Gerry: Okay Michaela, thank you very much. We’ll talk again very soon I hope. I should say before we go, there is a bunch of materials available on ravelin.com/resources, you can find it gives a lot of advice to new and more mature businesses in terms of tackling fraud, it would be a good place to go next.
Okay, thank you very much.
Michaela: Thank you. Goodbye.