Why retailers need to look at risk management

Retail fraud is on the rise. Ecommerce fraud alone has cost retailers in North America, Asia and Europe US$57.8 billion in 2017 according to the October 2017 Global Fraud Index. Are ecommerce retailers and those with brick-and-mortar stores well-guarded against the rising fraud numbers?

Retailers with physical stores tend to have security guards on-site. Clearly, they have the notion that unless you put security in place, people will take your stuff and walk away. Then, when we look at ecommerce, it seems like some retailers are a bit naïve. Without a proper risk management system in place, it’s just like leaving your front gates open, and fraudsters know that vulnerability. This vulnerability is more common than you might expect.

Can you bring fraud down to zero? Yes, when you lock the doors and keep everyone out. Merchants always laugh when I say this, but in all seriousness, there’s always some level of risk you have to take when you operate a business. Zero fraud is not possible. You will need to find that sweet spot that you’re comfortable with – when it comes to conversion and fraud management.

Fraud is quite different across industries, and some industries suffer more than others. One thing to remember: fraud is not exclusive to merchants that sell expensive equipment or branded products.

For merchants who have lower average transaction value (ATV) and don’t have goods or services that are very resalable, they could unknowingly lend themselves to card-testing. Some examples of these merchants are music subscription or movie streaming services. Fraudsters may use these platforms to test if cards are valid or active.

It’s not easy to say which regions are more aware of fraud or risk – though I think that Europe may be more mature in terms of awareness. This is because the region is made up of many countries, has many country borders and has encountered fraud and risk very early on.

Instead of looking at Europe, Asia Pacific, the US or LATAM, it’s fairer to look at domestic versus international businesses. Take for example a US company that simply focuses on domestic business, which can be fairly huge even without any cross-border transactions. Once you cross borders, the same risk rules can’t quite apply because of different cultural habits, payment preferences and so much more. I'll give you some examples:

Cultural differences

A lot of fraud management systems have algorithms that calculate the probability of an email being scripted. This may be done by checking if there are more letters than digits in an email – but that’s not a good indication. We saw a lot of Chinese customers shopping in Europe, and their qq.com and 126.com domains are actually their phone numbers, e.g., 7894761304@qq.com. To make sure we account for that, we’ve had to make some adjustments.

Different accepted levels of security and friction

In Europe, local payment methods such as iDEAL in the Netherlands uses two-factor authentication to eliminate risk for merchants. 3D Secure authentication may also be used on high risk transactions. Learn more about the new 3D Secure 2.0.

Genuine shoppers find a certain level of friction acceptable especially when it’s a high-value transaction. Plus, many are already familiar with dynamic passwords and that bit of friction, if it’s even any friction at all. To optimize the shopping experience for their regular customers, some merchants prefer to use dynamic 3D Secure.

In India, 3D Secure is mandatory and shoppers don’t see it as friction. In Australia, merchants are encouraged to consider strong customer authentication as its ecommerce market grows. Retailers could be looking at obligatory strong customer authentication in Australia* as soon as in Q4 2019, so a balance between security and friction is important.

Online, offline, domestic, cross-border

Up until a few years ago, physical stores in the US tended to be the target for criminals using cloned, physical cards that only required a signature until chip-and-pin became compulsory.

Does that mean fraudsters have stopped? Of course not, criminals have just looked elsewhere. They have just gone from offline to online. It’s why 3D Secure became more and more important. It’s then and there that shoppers see it less of a friction point but a necessary security measure.

For some businesses, domestic transactions already provide a big enough volume. For others, going regional or international is the way forward to continue growing. But going regional or international means having to cross borders. You can’t just copy what works in one country and expect it to work exactly the same in another. This is not unique to ecommerce. Businesses really need to look at various shopper behaviors online and in stores. Some shoppers are used to entering their PIN in stores, others prefer to sign, or not sign at all for purchases lower than a certain value.

Because of Adyen’s international clientele, we get a bigger picture of what is preferred in Europe, Asia, the US – whether in stores, in-app or online. Our unified commerce approach lets us use what I call the “holy trinity” of authentication: phone, point-of-sale and online. This means we can build more accurate shopper profiles as shoppers buy from various types of merchants globally.

Implementation vs effectiveness of risk management

For risk authentication measures to work, many parties are involved, from the regulators and issuers to merchants and shoppers. Sometimes, the effectiveness of a system is dependent on how people understand it and how it is being implemented. For example, if issuing banks give static passwords sent by mail while the shopper is already trying to pay for his or her online shopping, that’s not going to work.

Retailers must remember that fraud is global and it grows with sophistication. Firstly, choosing the right partner is important, as is sharing the right amount of data. Calibrating your risk settings and defining your fraud strategy with your risk management partner is something that I encourage merchants to do. Not on a daily basis, but perhaps on a weekly basis.

It’s when you think fraud is under control that it creeps back up. If your risk management system is static, it’s easy for fraudsters to find out that you’ve lowered your defenses. It might look like you’re very successful for a promotion but it could be fraudsters getting through your risk checks and beating your system. So, it’s best to always stay alert.

Using a provider like Adyen that works with many merchants across verticals and regions gives merchants many advantages. Not only can we build out fuller and more accurate shopper profiles, we can also see warning signs and developments of fraud by comparing data across regions and industries. Merchants also get better and deeper insights from our various product teams.

Want to know more? Learn how RevenueProtect can help keep fraud at bay.

Related: Strong Customer Authentication in Australia: AusPayNet Card Not Present framework

*Content updated April 30, 2019.