Best Practices for Acquirers and Merchants: Mitigating Crypto-Related Fraud
About this guide:
As a leader in payments, Visa remains focused on understanding risks inherent in the payment ecosystem in order to enable secure and trusted commerce. This guide provides fraud prevention strategies for crypto merchants (direct exchanges and wallet providers) and acquirers.
For the purposes of this document, crypto merchants, exchanges, or wallet providers are referred to as “merchants”.
On the front lines of payment acceptance, merchants play a pivotal role in identifying and preventing fraud. Visa recommends a layered approach to merchant fraud prevention, so that controls can be dialed at multiple points along the acceptance journey and fraud can be identified and addressed without introducing unnecessary payment friction for legitimate cardholders.
Crypto merchants (direct exchanges or wallet providers) experience the same types of fraudulent payment methods seen in other Card-Not-Present (“CNP”) merchant verticals. Threat actors use crypto flows to monetize compromised credentials acquired through the familiar methods seen in traditional CNP channels. Like traditional CNP merchants, crypto merchants can leverage layered strategies and controls to identify and deter fraud in their vertical. This guide gives merchants and acquirers best practices for reducing fraud so they can benefit from the opportunities in this rapidly evolving industry.
Similar to existing CNP industries, the most common fraud vectors observed in the Crypto space include account takeover, synthetic identity, traditional payment fraud, and first party misuse (a.k.a. first party fraud). This means crypto merchants should be attuned to anomalous behavior during customer acquisition, payment onboarding, as well as the payment authorization/transactional phases. Crypto merchants should also be attuned to enumeration and card testing strategies, to further ensure their brand is protected from both fraud and payment credential (credit or debit card PAN) compromise.
Recognizing that each merchant has different technical capabilities, risk appetites, and payment flows, the following strategies are proposed as a starting point for further discussion and evaluation. These suggestions are focused on preventing payment fraud and compromise; they are not intended to guarantee compliance with or otherwise address any anti-money-laundering, regulatory, or underwriting requirements that may be demanded of merchants.
The card payment fraud and account compromise tactics observed in the crypto industry are similar to those witnessed in the existing Card-Not-Present industry.
Although merchants are often on the front lines of fraud prevention, acquirers also play a key role in monitoring their crypto clientele by ensuring merchants implement appropriate risk management measures, including compliance with Visa Rules pertaining to crypto. Acquirers may also engage in the following best practices.
- Ensure that merchants are properly classified; some crypto wallet providers offer pseudo-payment-facilitator capabilities which may subject them to additional licensing and underwriting assessment. Additionally, when third-party elements are part of the merchant business model (e.g., sub-merchants or widgets placed on third-party URLs), maintaining risk oversight of third-party transactional and fraud performance helps reduce fraud and lets merchants identify transactional and fraud concentrations
- Crypto is a dynamic and evolving industry. Conduct regular reviews with crypto merchants to sustain an accurate understanding of the client’s business model that reflects the merchant’s current level of underwriting, certification, and licensing rigor
- Monitor and address transaction data hygiene with special attention to common issues in the vertical:
- Ensure proper use of the cryptocurrency indicator (Special Condition Indicator 7 in the authorization request and clearing record), MCC designations and processing codes (see VBN January 13, 2022, articles AI11730, AI11731)
- Ensure any merchants employing dynamic merchant descriptors are compliant with the Visa Merchant Data Standards for dynamic descriptors (see Visa Online)
- Ensure any changes to dynamic merchant descriptor models are compliant with the Visa Merchant Data Standards
- Monitor for merchants leveraging the cryptocurrency indicator (Special Condition Indicator 7 in the authorization request and clearing record) that are not properly identified and vetted by the Acquirer as a crypto merchant
- Respond promptly to enumeration and fraud alerts provided by the Visa Risk Operations Center (ROC)
- Inform fraud and monitoring strategy with Visa Security Alerts and intelligence reports highlighting emergent crypto threats and tactics
- Deploy Transaction Laundering Detection (TLD) tools or web-crawling tools to detect integration of any illegal URLs with crypto merchants. Upon identification, take immediate remediation measures, duly suspending the operations of the crypto merchant(s)
- Check for any crypto merchants in the TLD Alerts from Visa and carry out enhanced due diligence on the merchants
- Ensure Visa Direct originators are properly classified and certified with a Program Information Form (PIF) that reflects the merchant’s current business model
- Act on early warnings that a merchant is nearing compliance program thresholds and work with them to reduce fraud and dispute levels. Where thresholds have been reached, carry out prompt and thorough investigation of compliance identifications including:
- Visa Fraud Monitoring Program – VFMP
- Visa Dispute Monitoring Program – VDMP
- Visa Fraud Monitoring Program (3DS) – VFMP 3DS
- Visa Acquirer Monitoring Program – VAMP
- Check for duplicate merchant submissions with characteristics that overlap with accounts that have already been rejected (e.g., shared bank accounts or identity credentials)
- Create a negative list with statement descriptors and phrases associated with bad actor signups
- Perform cross-border acquiring checks and block inappropriate out-of-region activity
- Perform address validation screenings and ensure invalid data are rejected
- Protect merchant credentials by issuing strong user IDs and passwords for payment gateway portals
- Conduct internal training to identify and prevent phishing scams that may compromise merchant gateway credentials
- For additional Acquirer Best Practices, see Anti-Enumeration and Account Testing Best Practices for Acquirers on VOL
For merchants on the front lines of payment acceptance, Visa recommends a layered approach to fraud prevention solutions that allow merchants to strategically implement controls incrementally along the payment acceptance path. The following are high-level suggestions for solutions that can add value, organized by the stage of acceptance in which they are effective for crypto merchants.
Customer Acquisition and Lifecycle management
With the increase of card-on-file (COF) and wallet flows, it’s important to expand risk evaluations to non-financial customer interactions such as account creation, payment credential onboarding, or account management events. In addition to preventing fraud in subsequent authorization events, this approach allows merchants to identify and intercept systemic payment account compromise (enumeration), account takeover, or synthetic identity fraud in their COF systems. Best practices include:
- Account Takeover behavioral tools designed to identify anomalous account activity
- Two factor authentication for account changes, password resets, payment credential changes, or as a step-up during behavioral anomalies
- Account level user device management and/or binding
- Robust device profiling / fingerprinting capabilities, GeoIP tracking during account creation and credential onboarding
- Sanctions screening
- Know Your Customer (KYC) and identity tools to authenticate and validate user identities including:
- Identification verification
- Email, telephone intelligence
- Email, telephony, or public record intelligence tools for fraud management integration or use during ad hoc investigations
- Use network tokens to secure payment credentials, with identification and verification (ID&V) checks during provisioning for COF flows
- In lieu of network tokens, the following protocols may also build trust with a payment credential onboarding request:
- 3D Secure authentication
- Account Verification employing:
- Card Verification Value 2 (CVV2) match
- Address Verification Service (AVS) – where available
- Expiration Date checks
- Volume and velocity Controls – elevate perceived risk as events increase in frequency by key indexes:
- Account creation attempts by session, device fingerprint, or IP
- Account modification and password resets
- Geographic disparities during requests, modifications, or credential onboarding
- Credential Onboarding:
- Number of unique credentials
- Failed onboarding attempts
- Adverse validation responses
- Employ lifecycle management solutions (e.g., Visa Account Updater (VAU), network tokens) to avoid unnecessary declines on aged credentials
It’s important to expand risk evaluations to non-financial customer interactions such as account creation, payment credential onboarding, or account management events to allow merchants to identify and intercept malicious activity.
Checkout and Account Funding Transactions (AFTs)
Typically, fraud prevention controls and solutions are applied at the point of authorization or authentication. Dedicated fraud management solutions remain the backbone of any fraud strategy and play a central role in any comprehensive fraud toolset. These systems assess incoming payment authorization requests in real time and give merchants the ability to intercept and prevent fraudulent activity as it unfolds. However, as the sophistication and scale of fraud and enumeration attacks grow, merchants should consider augmenting these core capabilities with additional layers of intelligence and protection so that their approach does not sacrifice legitimate payment acceptance. Below, merchants will find additional tactics effective in establishing a layered and contemporary crypto fraud management strategy:
- Employ a robust fraud management solution designed to identify fraudulent transactions in real time, providing both fraud scoring capabilities as well as custom rule engines. Common core features include:
- Artificial intelligence and machine learning-based fraud scoring
- Static and dynamic rule-based decisioning
- Utilization of key attributes to identify behavior across transactions:
- Device Fingerprinting
- Fraud/dispute flagging
- PANs as a unique hash or network token
- Token only: PAR (Payment for Anonymous Routing)
- Order, merchant transaction, or cart number
- Ensure crypto purchases and wallet funding events are properly encoded with the required cryptocurrency indicator (Special Condition Indicator 7 in the authorization request and clearing record). Consult your Acquiring partner for additional details.
- Invest in the ongoing management and operation of fraud management systems, negative lists, rulesets, and velocity thresholds so that they remain tailored to the business's evolving needs and its unique threat landscape.
- Deploy negative listing capabilities to ensure devices, identities, IPs, and other attributes associated with prior fraudulent activity can be blocked in real time (often part of a fraud management solution).
- Use velocity controls (often part of a fraud management solution):
- Failed checkout/purchase attempts by device, account, credential, email, etc.
- Adverse decline codes associated with an account, email, IP, device, or identity (suspected fraud, lost stolen, closed account, etc.)
- Unnecessarily distributed purchase activity over time or across payment credentials (low dollar, high transaction count)
- Daily limits by PAN, user, or device
- Non-Card-On-File (COF) payments (not suited for crypto flows, but may provide value in one-time Non-Fungible Token (NFT) purchases):
- Volume and velocity controls by failed authorization or authentication attempts based on device, IP, session, cart, email, phone number and other attributes
- Volume and velocity controls by successful transactions based on device, IP, email address, phone, and other attributes
- 3D Secure authentication and step up
- Targeted use of reCAPTCHA during anomalous velocity deltas
Push Payments and Original Credit Transactions (OCTs)
- Leverage Account Name Inquiry (ANI) to identify anomalies during payouts (In pilot)
- Implement payout velocities and volumes rules by originator or recipient accounts
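The volume and velocity controls listed under customer acquisition, the velocity rules, negative lists and hashed-PAN keys listed under checkout, and the payout velocities just above all reduce to one mechanism: a sliding-window counter per attribute whose hits feed a score that decides allow, step-up or block. The Python below is an added example of that mechanism written for this guide; it is not Visa's code nor any fraud vendor's product, and the event shapes, rule names, thresholds, weights, decline-reason labels, sample events and HMAC key are all constructed.

```python
"""Sliding-window velocity rules plus a negative list over a constructed event
stream (added example, not Visa's or any vendor's code; all values constructed)."""
import hashlib
import hmac
from collections import defaultdict, deque

PAN_HMAC_KEY = b"constructed-example-key"  # real deployments keep this in a KMS/HSM
# Constructed labels for the decline reasons the guide calls adverse
ADVERSE_DECLINES = {"suspected_fraud", "lost_card", "stolen_card", "closed_account"}


def pan_reference(pan: str) -> str:
    """Keyed hash of a PAN for use as a velocity key. A bare SHA-256 of a PAN is
    brute-forceable (known BIN, few free digits, Luhn); the key prevents that."""
    return hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


class VelocityTracker:
    """Counts events per key inside a sliding window of window_s seconds."""

    def __init__(self, window_s: int):
        self.window_s = window_s
        self.hits = defaultdict(deque)  # key -> timestamps, oldest first

    def record(self, key, ts) -> int:
        """Record one event and return how many events fall inside the window."""
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q)


is_failed = lambda e: not e.get("approved", False)
is_adverse = lambda e: e.get("decline_reason") in ADVERSE_DECLINES
any_event = lambda e: True

# (rule name, event type, key attribute, filter, window seconds, threshold, risk weight)
RULES = [
    ("signup_burst_ip",        "account_create",     "ip",        any_event,  3600,  5,  40),
    ("onboard_fail_device",    "credential_onboard", "device",    is_failed,  3600,  3,  50),
    ("checkout_fail_ip",       "auth",               "ip",        is_failed,  3600,  3,  40),
    ("checkout_fail_cred",     "auth",               "pan_ref",   is_failed,  3600,  3,  50),
    ("adverse_decline_ip",     "auth",               "ip",        is_adverse, 86400, 2,  70),
    ("pan_daily_count",        "auth",               "pan_ref",   any_event,  86400, 10, 30),
    ("payout_burst_recipient", "payout",             "recipient", any_event,  86400, 3,  60),
]


class RiskEngine:
    """Scores each event: >= 40 asks for step-up (2FA/3DS); >= 70 blocks and
    negative-lists the IP and device so later attempts are stopped at once."""

    STEP_UP_AT, BLOCK_AT = 40, 70

    def __init__(self, rules=RULES):
        self.rules = rules
        self.trackers = {r[0]: VelocityTracker(r[4]) for r in rules}
        self.negative = set()  # (attribute, value) pairs from prior blocks

    def evaluate(self, event: dict):
        """Return (decision, score, triggered rule names) for one event."""
        e = dict(event)
        if "pan" in e:
            e["pan_ref"] = pan_reference(e.pop("pan"))  # the PAN itself is never kept
        if any((k, e[k]) in self.negative for k in ("ip", "device", "pan_ref") if k in e):
            return "block", 100, ["negative_list"]
        score, hits = 0, []
        for name, etype, key, match, _window, threshold, weight in self.rules:
            if e["type"] != etype or key not in e or not match(e):
                continue
            if self.trackers[name].record(e[key], e["ts"]) >= threshold:
                score += weight
                hits.append(name)
        decision = ("block" if score >= self.BLOCK_AT
                    else "step_up" if score >= self.STEP_UP_AT else "allow")
        if decision == "block":
            self.negative.update((k, e[k]) for k in ("ip", "device") if k in e)
        return decision, score, hits


def _auth(ts, ip, device, pan, approved, reason=None):
    """Build one constructed authorization event."""
    return {"type": "auth", "ts": ts, "ip": ip, "device": device, "pan": pan,
            "approved": approved, "decline_reason": reason}

# Constructed stream: one genuine purchase, then a card-testing run from one IP
SAMPLE_EVENTS = [
    _auth(1000, "198.51.100.7", "dev-a", "4000000000000002", True),
    _auth(2000, "203.0.113.9", "dev-b", "4000000000000010", False, "stolen_card"),
    _auth(2030, "203.0.113.9", "dev-b", "4000000000000028", False, "suspected_fraud"),
    _auth(2060, "203.0.113.9", "dev-b", "4000000000000036", False, "insufficient_funds"),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate events in order; returns one (decision, score, hits) per event."""
    engine = RiskEngine()
    return [engine.evaluate(e) for e in events]
```

Calling run() on the constructed stream shows the layering: the first adverse decline from the IP is tolerated, the second trips adverse_decline_ip and blocks, and because the IP is then negative-listed the fourth attempt is refused before any counter is consulted. The same engine serves account-creation bursts, failed credential onboarding and payout bursts by adding rule rows rather than code. Keying the PAN rules on an HMAC rather than a bare hash matters because a copied velocity table with bare hashes can be reversed by enumerating the small PAN keyspace.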
Merchants must continue to evolve their fraud deterrent approach to keep pace with the continual adaptation of their fraud-perpetrating adversaries. Crucial to the evolution of fraud prevention strategy are the ongoing monitoring of fraud prevention performance and the refinement of business operating procedures.
- Establish and monitor fraud, dispute, and authorization rate KPIs to optimize fraud management controls with internal accountability:
- Conduct regular reviews of rule effectiveness
- Coordinate with customer service teams to assess potential false positive fraud identifications to inform rule and control changes
- Present Terms & Conditions promptly and prominently to cardholders prior to completion of transactions
- Coordinate with internal business groups and the merchant’s legal team to ensure the current terms & conditions address the threats encountered by the business
- Disputes (Chargebacks):
- Articulated representment strategy
- See Dispute Management Guidelines for Visa Merchants on visa.com
- Ensure Fraud Management Solution(s) are fed timely TC40 and dispute data to inform fraud decision model
- Dispute Management services:
- Rules-based interception of dispute classes the merchant is comfortable refunding to avoid unnecessary disputes (chargebacks)
- TC40 and fraud reporting capabilities
Network and Platform Controls
Although technical information technology (IT) infrastructure is outside the scope of this document, the below is a starter list of platform security concepts merchant business groups can explore with their internal IT teams to ensure any fraud prevention strategies are built upon a secure platform:
- Ensure platforms are PCI/DSS compliant
- Implement a web application firewall
- Employ botnet detection, prevention, and removal tools: Network Intrusion Detection Systems (NIDS), rootkit detection packages, network sniffers, and third-party anti-bot solutions
- Implement Cross-Site Request Forgery (CSRF) tokens to prevent simplistic automated attacks
- Ensure all site pages load with the https protocol
- Conduct internal training to identify and prevent phishing scams that may compromise gateway credentials
- Monitor for suspicious requestors and user headers
- Monitor for unrecognized or high-use API tokens, rolling keys if necessary
- Limit the number of operations per user session and set sessions to expire after periods of inactivity
- Leverage behavioral analytic tools along all points of the cardholder experience to identify anomalous or potentially scripted behaviors (e.g., bots, macros, unusual copy/paste form fills, etc.)
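Three of the platform controls above (CSRF tokens, a limit on operations per session, and expiry after inactivity) fit naturally into a single gate that every state-changing request passes through. The following is an added example in Python written for this guide; it is not Visa's code nor any web framework's session implementation, and the in-memory store, the 15-minute timeout, the 50-operation cap and the injectable clock are constructed for illustration.

```python
"""Synchronizer CSRF tokens, per-session operation caps and idle expiry
(added example for this guide, not Visa's or any framework's code; the
store, limits and clock are constructed for illustration)."""
import hmac
import secrets
import time

IDLE_TIMEOUT_S = 15 * 60     # constructed: expire after 15 minutes without activity
MAX_OPS_PER_SESSION = 50     # constructed: cap on state-changing requests per session


class Session:
    def __init__(self, now: float):
        self.id = secrets.token_urlsafe(32)          # opaque, unguessable session id
        self.csrf_token = secrets.token_urlsafe(32)  # per-session token rendered into forms
        self.last_seen = now
        self.ops = 0


class SessionStore:
    """Every state-changing request (payment, credential change, password
    reset) is checked here before the application touches anything."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can move time forward
        self.sessions = {}

    def create(self) -> Session:
        s = Session(self.clock())
        self.sessions[s.id] = s
        return s

    def authorize(self, session_id: str, presented_token: str):
        """Return (allowed, reason) for one state-changing request."""
        now = self.clock()
        s = self.sessions.get(session_id)
        if s is None:
            return False, "unknown_session"
        if now - s.last_seen > IDLE_TIMEOUT_S:
            del self.sessions[session_id]          # idle sessions die server-side
            return False, "session_expired"
        # Constant-time compare; never "==" on a secret, never accept a missing token
        if not hmac.compare_digest(s.csrf_token, presented_token or ""):
            return False, "csrf_mismatch"
        if s.ops >= MAX_OPS_PER_SESSION:           # scripted clients exhaust this quickly
            return False, "op_limit"
        s.ops += 1
        s.last_seen = now
        return True, "ok"


def demo():
    """Walk one session through every control using a constructed clock."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])
    s = store.create()
    reasons = [store.authorize(s.id, s.csrf_token)[1],       # genuine request
               store.authorize(s.id, "forged-token")[1],     # wrong CSRF token
               store.authorize("no-such-id", s.csrf_token)[1]]
    for _ in range(MAX_OPS_PER_SESSION):                     # exhaust the budget
        store.authorize(s.id, s.csrf_token)
    reasons.append(store.authorize(s.id, s.csrf_token)[1])   # op_limit
    t[0] += IDLE_TIMEOUT_S + 1                               # then go idle
    reasons.append(store.authorize(s.id, s.csrf_token)[1])   # session_expired
    return reasons
```

The token is bound to the session rather than global, compared in constant time, and a missing token is treated as a mismatch rather than as "nothing to check"; the operation cap and idle expiry are enforced in the same place so a scripted client cannot sidestep one by avoiding the other.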
Assign fraud prevention subject matter experts (SMEs) to payment checkout/onboarding platform QA testing and sign-off to prevent the introduction of vulnerabilities through iterative development cycles.
Although the practices described in this document are globally scalable, they do not guarantee regional regulatory or network compliance. Merchants should consult their acquiring partner, internal compliance, or legal officers for guidance on these matters.
Consult the Visa Merchant Resource Library for additional updates, best practices, and fraud prevention resources for merchants.
As demand for crypto exchanges grows, so too grow the number and variety of attempts to defraud them. Fraud attacks active in the crypto vertical originate across a wide spectrum of actor sophistication, from individual opportunists to organized criminal groups. To combat these varied threats, crypto merchants should ensure that their payment platforms provide preventative value at every level of sophistication and at every stage of the payment acceptance lifecycle. By employing a nuanced, diversified, and layered solution set, crypto merchants will be better equipped to grow their business in a responsible and sustainable manner to the benefit of all stakeholders in the payment ecosystem.
Visa Product Offerings
Visa provides a wide assortment of Risk products and services that can enable merchants in pursuit of these best practices:
- Visa Risk Solutions
- Visa Account Updater
- Account Verification
- Address Verification Service (AVS)
- Account Name Inquiry (ANI) – In pilot
- Cardinal Commerce
- Cardinal Consumer Authentication (3D Secure)
- Verifi Dispute Management