How to fight fraud and abuse using Stripe Radar
Online transaction handling has become one of the most vital aspects of all business activities in our modern-day economic landscape. The global e-commerce market is expected to be valued at $4.94 trillion in 2021 and is estimated to grow over 49% by 2025. Unfortunately, the rapidly increasing customer trend towards e-commerce has paved the way for fraudsters to follow. A study shows that fraudulent transactions have increased by 18% in 2021, totaling more than $20 billion in losses for businesses.
Without the standard security measures such as identification checks and paying with a chip-enabled card, an online transaction is far less secure compared to a transaction at a POS. Given the risk associated with receiving an online transaction, the liability of accepting fraudulent transactions rests with the merchant and not the bank. If a merchant accepts an order that is later deemed fraudulent, the cardholder may initiate a dispute which may force the merchant to issue a refund and pay the accompanying dispute fees.
Understanding this liability is essential for online merchants, many of whom are unaware of their responsibility to review their orders to weed out fraudulent activity. There is an increasing number of tools entering the market to support identifying and reducing fraud. One of the most sophisticated tools is Stripe Radar.
Fundamental measures against fraud
The first step to avoiding hefty fines is to collect as much payment information as possible without compromising the checkout process and its inherent conversion rate. Industry best practices require an integration to collect the following relevant payment information:
- Customer name
- Customer email address
- CVC number
- Billing address including postal code
- Shipping address (if different from billing address)
Some disputes are lost because only the minimum information was required during checkout. This makes it difficult for Stripe or the card issuer to verify that the customer is legitimate. For instance, while a billing postal code is not always necessary to process a card payment, including it allows the payment to be verified by the card issuer.
Stripe built-in verification checks
Stripe Radar provides two built-in verification checks:
- CVC verification: the CVC (also referred to as CVV) is the three- or four-digit number printed directly on the credit card, usually on the signature strip or the front of the card. Radar includes a rule to block any payments that fail the CVC verification check, which you can enable or disable within the Dashboard.
- Address verification (AVS): these checks determine whether the billing address supplied with the payment matches the billing address on file with the card issuer. Radar includes a rule to block any payments that fail postal code verification, which you can enable or disable within the Dashboard.
Support for AVS checks varies by country and card issuer; however, street address verification is commonly supported for cards issued in the United States, Canada, and the United Kingdom.
Furthermore, Radar enables merchants to compare key fraud metrics with similar businesses. The aim is to help inform the actions a merchant can take to improve the performance of Radar.
aye4fin’s fraud prevention recommendations
From our experience, the following set of Radar rules may significantly decrease your dispute rate and overall fraudulent activity:
Stripe can distinguish the kind of email address used for a payment, which merchants can use to weed out fraudulent activity. Whenever a disposable email address registered with a known throwaway address provider is used, Stripe identifies and flags the payment.
When engaging in card testing, fraudsters often employ a script that generates names, emails, and addresses. A good rule to address this would be to restrict purchases when more than 3 emails are associated with the same card.
There are cases in which fraudsters manage to pass all security measures and, for example, complete a purchase with a stolen card. Once they have confirmed that the charge succeeded, they may continue to use the card for a larger purchase or begin testing other cards. By adding a rule that counts and verifies the successfully authorized charges per IP address, merchants may steer fraudsters away from their platform.
In many cases, declined transactions indicate that the user's card has been flagged by the issuing bank. Credit cards are often flagged automatically when used in a way that suggests the charges might be fraudulent. Our recommendation would be to list the customers with transactions of this kind and block the customers with multiple retries over a period of days.
Furthermore, multiple sessions created for the same card are an indication of fraudulent activity. If the first transaction is authenticated and captured, fraudsters continue to use the card until it runs out of funds or a limit is hit. To prevent hefty dispute fees, merchants are advised to set a limit for successful transactions.
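Before enabling velocity rules like the ones recommended above, it helps to back-test their thresholds against an export of past payments. The following is an added example, not Stripe's or aye4fin's code: the record field names are hypothetical, the sample history is constructed, and only the 3-email limit comes from this article (the other limits and the 7-day window are assumptions).

```python
from datetime import datetime, timedelta

# Only the e-mail limit (3) comes from the article; the other limits and the
# 7-day window are assumptions to tune against your own dispute data.
MAX_EMAILS_PER_CARD = 3
MAX_AUTHORIZED_PER_IP = 2
MAX_DECLINES_PER_CUSTOMER = 2
MAX_AUTHORIZED_PER_CARD = 2
WINDOW = timedelta(days=7)

# Constructed history, not real payments. Field names are hypothetical.
FIELDS = ("id", "hour", "card", "email", "ip", "customer", "outcome")
ROWS = [
    ("p1", 0, "card_A", "a1@example.com", "198.51.100.1", "cus_1", "declined"),
    ("p2", 1, "card_A", "a2@example.com", "198.51.100.2", "cus_2", "declined"),
    ("p3", 2, "card_A", "a3@example.com", "198.51.100.3", "cus_3", "declined"),
    ("p4", 3, "card_A", "a4@example.com", "198.51.100.4", "cus_4", "authorized"),
    ("p5", 10, "card_B", "b@example.com", "203.0.113.9", "cus_5", "authorized"),
    ("p6", 11, "card_C", "c@example.com", "203.0.113.9", "cus_6", "authorized"),
    ("p7", 12, "card_D", "d@example.com", "203.0.113.9", "cus_7", "authorized"),
    ("p8", 24, "card_E", "e@example.com", "198.51.100.5", "cus_8", "declined"),
    ("p9", 48, "card_E", "e@example.com", "198.51.100.5", "cus_8", "declined"),
    ("p10", 72, "card_E", "e@example.com", "198.51.100.5", "cus_8", "declined"),
    ("p11", 80, "card_F", "f@example.com", "198.51.100.6", "cus_9", "authorized"),
    ("p12", 81, "card_F", "f@example.com", "198.51.100.7", "cus_9", "authorized"),
    ("p13", 82, "card_F", "f@example.com", "198.51.100.8", "cus_9", "authorized"),
    ("p14", 90, "card_G", "g@example.com", "198.51.100.9", "cus_10", "authorized"),
]
PAYMENTS = [dict(zip(FIELDS, r), time=datetime(2021, 6, 1) + timedelta(hours=r[1]))
            for r in ROWS]

def backtest(payments, window=WINDOW):
    """Return {payment id: [rule names]} for payments the rules would block."""
    history, flagged = [], {}
    for p in sorted(payments, key=lambda r: r["time"]):
        recent = [h for h in history if p["time"] - h["time"] <= window]
        def prior(key, outcome):  # earlier payments sharing p[key] with this outcome
            return sum(h[key] == p[key] and h["outcome"] == outcome for h in recent)
        emails = {h["email"] for h in recent if h["card"] == p["card"]} | {p["email"]}
        checks = {
            "emails_per_card": len(emails) > MAX_EMAILS_PER_CARD,
            "authorized_per_ip": prior("ip", "authorized") >= MAX_AUTHORIZED_PER_IP,
            "declines_per_customer": prior("customer", "declined") >= MAX_DECLINES_PER_CUSTOMER,
            "authorized_per_card": prior("card", "authorized") >= MAX_AUTHORIZED_PER_CARD,
        }
        if any(checks.values()):
            flagged[p["id"]] = [name for name, hit in checks.items() if hit]
        history.append(p)
    return flagged
```

Calling `backtest(PAYMENTS)` returns one flagged payment per rule and leaves the unrelated payment `p14` untouched; rerunning it with a different `window` shows how sensitive each rule is to the look-back period.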
As experts with more than 20 years of experience in the field of payments, aye4fin offers unique insights into the e-commerce landscape. Our tailored and provider-agnostic approach enables clients to gain industry-leading know-how on topics ranging from payment provider selection and integration to improvements in checkout conversion and transaction optimization.
As every industry is different, we highly recommend scheduling an appointment in which we can perform a review of the current setup and offer future-proof solutions. We look forward to hearing from you!