Fraud Scoring

Fraud scoring is a system of predictive fraud detection models or technologies that payment processors use to identify the highest-risk transactions in card-not-present environment that require additional verification. Some of the most efficient scoring models use predictive software techniques to capture patterns of fraudulent activity, and to differentiate these patterns from legitimate purchasing activity. Scoring models typically assign a numeric value (a score) that provides the probability that a transaction may be fraudulent.

E-commerce merchants should develop internal transaction fraud-scoring procedures or implement third-party services to do that for them. Whether internally developed or externally built, well designed fraud scoring systems enable merchants to assigns points for different elements of a card-not-present transaction. Such elements typically include the following:

• IP address.
• Email address (free or not).
• Time of day the order is placed.
• AVS result code.
• Sale’s amount.
• Type of merchandise.
• Shipment method.
• Different shipping and billing addresses.
• ZIP codes.

The sum of all elements’ points generates the fraud score that indicates the likelihood of fraud. Points could also be added for other factors such as previous orders, length of time as a customer, etc. The merchant decides what point levels should be used to approve, reject, or review an order and can adjust these values based on trends and time of the year. Some larger merchants have built their scoring models based on their historical data of fraud and chargebacks. Such targeted models should be more efficient, but can be also more time consuming and costly to implement.

The following best practices should be followed for best results:

• Perform internal fraud screening before submitting transactions for fraud scoring. Then consider the following suggestions:
  • Only submit transactions that have passed your organization’s internal fraud screening procedures. Transactions that have failed are obviously high-risk and you do not need their fraud score to indicate that.
  • Do not obtain fraud scores for transactions that were declined by the card issuer or have raised flags for suspected fraud or other reasons.
• Evaluate the costs and benefits of fraud scoring for low-risk transactions. For many merchants it will not be cost-effective to obtain fraud scores, internal or third-party, for every single transaction. Eliminating the low-risk transactions from the fraud-scoring process will help keep costs down. In particular:
  • If using third-party scoring, analyze your service agreement and estimate the cost of scoring transactions.
  • Identify transactions where the potential fraud losses are lower than the cost of fraud scoring.
• Check if multiple orders are placed to be shipped to the same address, but different credit cards were used. Criminals may have stolen several card numbers.
• Check orders for an unusually high quantity of a single item.
• Check if multiple orders are being sent from the same IP address.
• Check the credit card numbers — if they vary by only a few digits, it is very likely these numbers were generated by software.
• Identify users who repeatedly submit the same credit card number with different expiration dates. Often criminals who have stolen a credit card number do not know the expiration date, so they will keep trying with a different expiration date until they hit the right combination.
• Statistically, most fraudulent orders in the U.S. are placed between midnight and 2 a.m.

Image credit: Cow Girl Interactive Dallas.