Risk Best Practice Guide Digital Goods & Services Merchants
Purpose of this Guide
This guide is for digital merchants (this includes but is not limited to providers of digital content, games etc. and merchants who sell goods using a digital sales model — airlines, hotels, railways etc.) to support how they manage and mitigate payment risks within their business when supplying digital goods or services. It covers policies, procedures and functionality currently in successful use by digital merchants today and recommendations based on Visa’s global payment industry experience.
This guide is intended to operate as a valuable planning tool and fulfilment guide for merchants throughout any stage of the eCommerce life cycle. It is focused upon helping eCommerce merchants to maintain a secure infrastructure for payment card transactions. However, processing dynamics differ by country and geography and merchants should ensure that the capabilities and approach described here reflect their own risk appetites and operating models.
Merchants offering digital goods or services will often offer multiple payment options through various providers. Diverse payment channels make the job of managing risk more complex and proportionately harder to administer, while in the online environment speed is of the essence, leaving little time to undertake risk assessment. For example, an order for a digital download typically requires immediate fulfilment if consumer demands and customer experience aspirations are to be satisfied. This leaves little opportunity for any form of manual review and therefore requires automated risk management technology to balance speed and efficiency against the identification and avoidance of fraud risk.
Criminals working in the online channel will target weak fraud controls, detection models and other risk mitigation offerings. A good place to start therefore is to ask whether your business is a likely target. Do you understand the scope of and reasons for a fraudster targeting your digital merchant business? Do you believe your controls are as robust as those of your competitors? Does your approach create exploitable weaknesses?
The following chapters highlight the risks of the online sales environment and give some guidance on how those risks can be mitigated or suppressed. The more you understand and recognize the different risks that arise from your business model and sales channel, the better you will be at fine-tuning your business policies, operational practices, fraud prevention tools and security controls.
Understanding the Risks
Fraud attacks against digital goods and services have a unique flavor that marks them out from attacks on physical goods. They are susceptible to automated attacks by bots (devices or software that execute commands, reply to messages or perform routine tasks), sometimes combined with mobile wallets, which allow complex manipulations and high-volume activity or payment orders.
There are Various Risks to be Managed, Some Obvious, Others with Greater Subtlety:
- Theft or misappropriation of digital goods/services — direct loss of digital assets.
- Adverse economic impacts on digital environments — particularly game mechanics and in-game marketplaces, leading to a damaged experience or gameplay.
- First party fraud — including buyer remorse, family fraud, etc.
- Account takeover — where an account relationship is taken over by a third party (which can be easily confused with first party fraud).
- Card testing — where a bad actor is using your merchant account to test card numbers, leading to use of bandwidth for no return and often creating issuer reactions which will damage wider approval rates.
- Data compromise — the theft of card data (and other confidential customer information) — that can lead to customer compromise, fraud at other merchants, Public Relations issues as well as substantial fines.
These risks, if crystalized, are likely to result in direct costs in terms of chargebacks, higher acquirer fees, scheme compliance fees, deterioration in authorization approval rates, regulator/legal costs and in some cases direct impact on the public perception of your business reputation and brand.
There are a host of other risk factors, including code manipulation, defacing of sites/assets and denial of service attacks. While these fall outside the scope of this document, due consideration should be given to them and adequate defenses put in place to mitigate them.
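Of the risks listed above, card testing is the one most amenable to automated detection at the merchant, because its signature is distinctive: a burst of low-value authorization attempts from one source, across many different card numbers, with a decline ratio far above normal traffic. The following is an added example for this guide, not Visa's code or a scheme-mandated control; the log format, the ten-minute window, the thresholds and the sample log lines are all constructed assumptions that a merchant would tune to its own traffic.

```python
"""Card-testing detection over an authorization log.

Added example for this guide; not Visa's code or a scheme-mandated control.
Log format, thresholds and window size are assumptions a merchant would tune
to its own traffic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp, source (IP or device id), tokenized card
# (BIN + last four, middle masked), amount, authorization result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 411111xxxxxx0001 0.99 DECLINED
2024-05-01T10:00:09Z 203.0.113.7 411111xxxxxx0002 0.99 DECLINED
2024-05-01T10:00:17Z 203.0.113.7 411111xxxxxx0003 0.99 APPROVED
2024-05-01T10:00:24Z 203.0.113.7 411111xxxxxx0004 0.99 DECLINED
2024-05-01T10:00:33Z 203.0.113.7 411111xxxxxx0005 0.99 DECLINED
2024-05-01T10:00:41Z 203.0.113.7 411111xxxxxx0006 0.99 DECLINED
2024-05-01T10:00:50Z 203.0.113.7 411111xxxxxx0007 0.99 APPROVED
2024-05-01T10:00:58Z 203.0.113.7 411111xxxxxx0008 0.99 DECLINED
2024-05-01T10:02:10Z 198.51.100.20 555555xxxxxx4444 29.99 DECLINED
2024-05-01T10:03:02Z 198.51.100.20 555555xxxxxx4444 29.99 APPROVED
2024-05-01T10:05:30Z 192.0.2.5 400000xxxxxx0002 59.99 APPROVED
"""


@dataclass
class AuthEvent:
    ts: datetime
    source: str
    card: str
    amount: float
    approved: bool


def parse_log(text: str) -> list:
    """Parse the space-separated log format above into AuthEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, source, card, amount, result = line.split()
        events.append(AuthEvent(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            source=source, card=card, amount=float(amount),
            approved=(result == "APPROVED"),
        ))
    return events


def detect_card_testing(events, window=timedelta(minutes=10), min_attempts=5,
                        min_distinct_cards=4, min_decline_ratio=0.5):
    """Return {source: metrics} for sources whose attempts inside a sliding
    window show the card-testing signature: many attempts, many distinct cards
    and a high decline ratio. A genuine customer retrying one card, or a single
    approved purchase, does not match."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, current in enumerate(evs):
            # Slide the window start forward so it only holds events within
            # `window` of the current event.
            while evs[start].ts < current.ts - window:
                start += 1
            win = evs[start:end + 1]
            attempts = len(win)
            distinct_cards = len({w.card for w in win})
            declines = sum(1 for w in win if not w.approved)
            ratio = declines / attempts
            if (attempts >= min_attempts and distinct_cards >= min_distinct_cards
                    and ratio >= min_decline_ratio):
                # Keep the most recent (largest) matching window for this source.
                alerts[source] = {
                    "attempts": attempts,
                    "distinct_cards": distinct_cards,
                    "declines": declines,
                    "decline_ratio": round(ratio, 2),
                    "max_amount": max(w.amount for w in win),
                    "window_end": current.ts.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for src, metrics in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"card testing suspected from {src}: {metrics}")
```

Run against the constructed log, only 203.0.113.7 is flagged (eight attempts on eight distinct cards, six declined, all at the same low amount); the customer retrying one card after a decline and the single approved purchase fall below the thresholds. The useful response to an alert is to stop forwarding that source's authorizations to the issuer, since every further attempt consumes processing capacity and contributes to the issuer reaction the guide warns about.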
Risk Mitigation and Fraud Prevention
To protect your business, you need to implement fraud detection and prevention measures within a reliable risk management system that supports robust consumer and device negative files with intelligent transaction controls that make sense for your business environment. You should recognize that, under the General Data Protection Regulation (GDPR) and similar data protection laws, data harvesting, processing and storage must be for legitimate purposes only, which may include asking the purchaser for direct consent. Visa therefore recommends obtaining legal advice in this respect.
Your organization should have a working knowledge of the risks that exist within payments, specifically the fraud and chargeback risks associated with digital trading, and be well versed in its own risk management approach and appetite.
You can implement all of the controls you need to deter fraud, minimize customer disputes, and protect your site from hacker intrusions, but they will not necessarily prove fully effective without proper employee training and a clear and consistent risk methodology. Training your employees in digital business risk management, particularly those operating, defining or supporting the sales functions, allows them to act as your first line of defense.
The customer onboarding process is likely to be the first point at which a fraud can be identified. If you do not have strong processes in place, you are opening the door to nefarious characters straightaway. There are numerous online services and manual checklists available to help take the risk out of onboarding checks; as a business, you need to decide what works best for you. At a minimum:
- Look to collect enough data to understand who your customer is and recognize how they are interacting with your business. Uniquely identifying relationships allows you the opportunity to understand whether they are attempting to appear as multiple customers to work around controls and allows you the option to exclude the customer from your services if you ever determine their intentions are malicious. In this light, remember to make sure that your terms and conditions are clear on the data you are collecting and how you will use it, as per the data protection rules that apply to the transaction.
- Statistical models can be used to recognize risk attributes in the application process and be part of any risk management approach.
- Much of the data required for scoring a new entity will be available to you directly. But real-time third-party data sources can provide a valuable uplift to help you correctly evaluate new business: email address validation, lists of known bad devices or IP addresses, and device data footprints and fingerprints will all improve risk capability.
- Evaluate where an applicant is using a disposable email address intended to drive anonymity, as these can be indicative of a poor consumer profile. These email services will have no billing relationships, and often no audit trail nor verification that a legitimate customer has opened the account.
- Validate the IP location, or longitude and latitude coordinates where captured, against the card issuance location and the billing address if available. Any mismatch may be entirely genuine, but it usually indicates increased potential risk, or at least an anomaly worthy of further investigation.
- Match data against your negative files (to prevent, as far as possible, bad actors who have previously attacked you through first party fraud and/or chargebacks from returning).
- Employ a robust account registration and access process to ensure that secure authentication takes place for the first, or each unique, transaction on an account, and make it clear to the customer why you are doing this. The additional data entry slows down fraudsters and creates appropriate friction against high-velocity use.
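The onboarding checks above (disposable email detection, IP and issuer location against billing address, negative-file matching, and recognizing one actor posing as several customers) are most useful when combined into a single scoring pass whose outcome decides whether an applicant is approved, stepped up to stronger authentication, or declined. The following is an added example for this guide, not Visa's code. The disposable-domain list, the point weights, the decision thresholds and the applicants are constructed assumptions, and the country attributed to an IP address or card BIN is assumed to come from an upstream geolocation or BIN lookup that the example does not perform.

```python
"""Onboarding risk scoring that combines the signals listed above.

Added example for this guide, not Visa's code. The disposable-domain list,
point weights, decision thresholds and the constructed applicants are
assumptions; the country attributed to an IP or card BIN is assumed to come
from an upstream geolocation / BIN lookup."""
from dataclasses import dataclass, field

# Constructed illustrative list; a real deployment uses a maintained feed.
DISPOSABLE_EMAIL_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}

# Assumed decision thresholds.
STEP_UP_THRESHOLD = 30     # require stronger authentication before first purchase
DECLINE_THRESHOLD = 70     # refuse the relationship


@dataclass
class Applicant:
    email: str
    ip: str
    ip_country: str            # from an upstream IP geolocation lookup (assumed)
    billing_country: str
    card_issuer_country: str   # from an upstream BIN lookup (assumed)
    device_id: str             # device fingerprint supplied by the client SDK (assumed)


@dataclass
class NegativeFile:
    """Identifiers tied to prior first-party fraud or chargebacks."""
    emails: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    devices: set = field(default_factory=set)


def score_applicant(app: Applicant, negative: NegativeFile,
                    accounts_per_device: dict) -> dict:
    """Return the score, the decision and the reasons that contributed."""
    score, reasons = 0, []
    domain = app.email.rsplit("@", 1)[-1].lower()

    if domain in DISPOSABLE_EMAIL_DOMAINS:
        score += 25
        reasons.append("disposable email domain")
    if app.ip_country != app.billing_country:
        score += 20
        reasons.append("IP country differs from billing country")
    if app.card_issuer_country != app.billing_country:
        score += 20
        reasons.append("card issuer country differs from billing country")
    if (app.email.lower() in negative.emails or app.ip in negative.ips
            or app.device_id in negative.devices):
        score += 70
        reasons.append("negative file match")
    # One device already behind several accounts: likely one actor posing as
    # many customers to work around per-account controls.
    linked = accounts_per_device.get(app.device_id, 0)
    if linked >= 3:
        score += 30
        reasons.append(f"device already linked to {linked} accounts")

    if score >= DECLINE_THRESHOLD:
        decision = "decline"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "approve"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed negative file, device-link counts and applicants.
NEGATIVE = NegativeFile(devices={"dev-7f3a"}, emails={"chargeback@example.net"})
ACCOUNTS_PER_DEVICE = {"dev-9c1e": 4}

APPLICANTS = {
    "clean": Applicant("alice@example.com", "198.51.100.4", "GB", "GB", "GB", "dev-0001"),
    "mismatch": Applicant("bob@guerrillamail.com", "203.0.113.9", "US", "GB", "GB", "dev-0002"),
    "repeat": Applicant("carol@example.org", "192.0.2.77", "DE", "DE", "DE", "dev-7f3a"),
    "multi": Applicant("dan@example.org", "192.0.2.10", "FR", "FR", "FR", "dev-9c1e"),
}

if __name__ == "__main__":
    for name, app in APPLICANTS.items():
        print(name, score_applicant(app, NEGATIVE, ACCOUNTS_PER_DEVICE))
```

The reasons list is as important as the score: it is what an analyst reviews when a genuine customer complains about a step-up or a decline, and it is what you tune when a signal turns out to fire mostly on legitimate traffic (a holiday-maker buying from abroad will trip the IP mismatch every time). A negative-file hit alone crosses the decline threshold here, which reflects the guide's point that a previously identified bad actor should not be allowed back in.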
Deriving context from available data using as many data sources as appropriate will create more obstacles for fraudsters to navigate and overcome, but digital merchants should be mindful of striking a balance between risk management and inconvenience to the genuine customers. A small inconvenience to the customer at the start of the process provides layers of validation, verification and authentication that helps protect the relationship from account takeover.
The sales arm of any business may dislike the introduction of potential consumer friction, but this perceived inconvenience is often considered by the consumer as a reassurance. A small inconvenience is offset by the time, effort and cost of recovering a relationship from an account takeover situation.
Full text is available here.