Four Stage Strategy To Fight Credit Card Fraud.

Recently, I am assigned the responsibility of developing and executing a fraud prevention strategy for a business that was placed on the Visa Fraud Monitoring Program. My goal is to develop an action plan that will yield immediate results and expedite the process of removing the business from the monitoring program as quickly as possible

[More about Visa Fraud Monitoring Program Here and MasterCard Excessive Fraud Merchant Program Here]

This is a high-risk business, and fraud is a significant concern for businesses operating in high-risk environments. A high-risk environment is where we have a higher likelihood of fraudulent activities because of the transactions, the volume of transactions, or the customers involved. It is important for businesses operating in high-risk environment to have a robust strategy in place to control fraud and minimize its impact on the business.

After figuring out how existing things are working, I made a four-stage plan to deal with this.

Plug the gaps in the existing process.

Typically, online businesses have some plan to fight fraud, and luckily, this business had a strong fraud prevention strategy. However, recent fraud problems occurred when they were misled by a chargeback protection company they were using to handle chargebacks. Trying out some new strategies led to a huge increase in fraud.

So the first step in my strategy is to quickly improve existing processes and ensure that basic fraud tools and checks are applied correctly. This involves verifying that transactions are being checked properly. As the business is processing a large number of transactions, it is not feasible to manually review each one. Hence, I developed scripts to identify anomalies based on a set of simple rules and flag them for manual inspection. Additionally, I developed new reports that can be easily downloaded with a single click, providing a broader overview of the current situation to make manual reviews easy. Some other stuff that can be quickly fixed are following.

  1. Updated the SOPs for ID Verification & KYC.
  2. Checking the transactions against known patterns of fraudulent activity.
  3. Analyzing the transactions based on geographic and demographic, standards, and identifying not only transaction-related patterns but also other relevant trends.
  4. Improving the process of checking the transaction against lists of fraudsters known to business.

Many might question, β€œWhy not use a fraud protection service that scores your transactions in a first place?” There are two issues with that: first, fraud changes rapidly, and unless you have an adequate monitoring system, these scoring services won’t be helpful. Second, the business was already using a fraud scoring service, which rejected 35% of the transactions but still couldn’t safeguard the business.

Connect the Missing Dots

Businesses often possess a wealth of data they are unaware of, and examining this data alongside fraudulent transactions can offer significant insights into the situation.

So, the next step in my strategy is to connect the missing dots and ensure that all the data is being used to support our fraud-prevention strategy. This involves making sure that all relevant data is collected, analyzed, and used to make informed decisions about fraud prevention and detection.

Usually the payment process will show the disputes and provide you the way to contest that dispute, but there is more to that β€œreported fraud” differs from disputes, for example, if you are doing a 3DS transaction for your business you get your liability for unauthorized transactions shifted away from the merchant, and depending on your payment processors it might not be easy to get access to this additional data related to reported fraud, issuers still monitor this β€œreported fraud” and an increase in this fraud can lead to things like loosing liability shifts, fines and bans. [More about reported fraud here]

Good thing there are tools to help, so in this stage I reached out the payment processors and requested access to this data. Some steps I took are following:

  1. Request access to TC40 report
  2. Request access to SAFE report
  3. Making sure these reports are part of the fraud prevention strategy.
  4. Improving business’s overall understanding of Credit Card Fraud.
  5. Creating New SOPs and Training Workshops.

Implement a Monitoring System

Implement a monitoring system that collects an extensive amount of events and orchestrates those events to detect anomalies. Scoring provides the risk factor involves in the individual transaction while a monitoring system will help us visualize the over-all trend and detect any anomalies or fraudulent pattern in these trends. This involves setting up a system that continuously monitors transactions and other relevant events for signs of fraudulent activity. The system should be able to collect and analyze a large volume of data in real-time and identify any unusual patterns or anomalies that may show fraud.

This might seem similar to a SIEM (Security Information and Event Management) solution, with a primary focus on identifying behavioral patterns leading to the execution of transactions. Collecting events to find behavioral patterns can generate a lot of noise and produce too much data to sift through, implementation of monitoring requires the following:

  1. Create a system to collect events, save them in a cost effective way.
  2. Connect this data with the transaction data to better understand the behaviour of fraudulent trends.
  3. Use ML to detect trends in this data that could lead to the rapid fire transaction related attacks.
  4. Use ML to orchestrate and visualize trends that are important.

Use Machine Learning & Risk Scoring

At its core, fraud prevention is about making educated guesses. We analyze data and estimate whether a transaction is fraudulent or not. Our goal is to improve the speed and accuracy of our guesses over time, and this can be achieved with the help of Machine Learning (ML).

In the initial stage, we promptly changed the current process to halt the ongoing surge of fraud as much as we could. Next, we pieced together the information to gain a deeper understanding of our fraud situation. In the third stage, we put in place a real-time monitoring system to identify trends. Lastly, in the final stage, we will employ advanced technology and machine learning to predict fraudulent transactions.

A lot of 3rd party services are available which can do transaction risk scoring, with this business we have a huge amount of data and we feel confident that we can train our own Machine learning model on our historical data to identify patterns of fraudulent activity and predict future fraud in real time. We will use this model to monitor transactions in real time and flag any suspicious activity for further investigation.