March 1, 2016, 3:10 PM

Transferring risk

Security and fraud prevention systems that put the onus on vendors to protect transactions and data are getting popular with e-retailers.

When John McPheters last fall launched he used a variety of security measures to try to protect the site against possible fraud. The site, which sells premium sneakers and footwear, holds no credit card data, for example, to avoid the possibility of criminals stealing it. Credit card data is held instead by its payment processor, Vantiv Inc.

McPheters also worked with fraud prevention software vendor Signifyd to validate a wide range of information—such as a customer’s billing, device, location and social media account data—of everyone trying to buy from The e-retailer uses that data to evaluate whether a transaction is legitimate. In addition, given the high ticket value for many of its products, the e-retailer also manually verifies 40% of transactions.

But even with those security layers, Stadium Goods has been fooled by criminals. For instance, one $5,000 loss involved an international transaction that was shipped to an address different from the supposed buyer’s address. Shipping addresses different from billing addresses raise red flags, which was why Stadium Goods tried to manually verify the transaction, McPheters recalls. But the criminal, reached by phone, sounded legitimate and convincing enough for the retailer to ship the order. “The lesson there is that some people are really good on the phone,” when it comes to pulling off payment fraud, McPheters says.

Stadium Goods’ experiences demonstrate the challenges e-retailers contend with in facing down payment fraud, fraud that is likely to increase as the U.S. payment card world switches to chip cards designed to make fraudulent transactions at stores more difficult.

While no system is impervious, experts say combatting online fraud requires a layered security approach, much as Stadium Goods has done. Layers should address the twin concerns of data security and transaction fraud prevention and retailers should constantly review their systems for new vulnerabilities.

E-retailers have to set up these multiple lines of defense without slowing customer checkout to the point where consumers abandon their shopping carts, or making fraud prevention controls so strict that e-retailers reject legitimate customers. Many vendors sell software and services that offer to take responsibility for an e-retailer’s defenses, and they regularly roll out updates and techniques designed to stay ahead of criminals. Mixing such tools with well-trained and fraud-aware staff can help stave off criminal activity.

“The focus has got to be on layers, and the focus has got to be on processes in the organization,” says Andy Brinkhorst, director of product management, global compliance and risk services with Trustwave Holdings Inc., an online security consultant. Minimizing payment fraud requires “not just a technical solution but an overall, day-to-day business process that supports a secure environment.”

When addressing individual payment fraud, e-retailers should employ models that spot fraud signals such as a sudden pickup in the number of customer transactions, shipping to different addresses and a relatively small transaction followed by a series of larger ones. While larger sites may create their own warning systems, small and midsize merchants can opt to use outside services that score the validity of each transaction.
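The three signals named above can be expressed as simple rules over an order history. The following sketch is an added example, not code from any retailer or vendor in this article; the field names, thresholds and sample orders are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3        # more orders than this inside the window is a spike
PROBE_MAX = 5.00          # upper bound for a "relatively small" transaction
ESCALATION_FACTOR = 10    # a later order this many times the probe is suspect

def _norm(addr):
    # Compare addresses case- and whitespace-insensitively to cut false alarms.
    return " ".join(addr.lower().split())

def fraud_signals(orders):
    """Return {order_id: [signal, ...]} for every order that trips a rule."""
    by_customer = defaultdict(list)
    for o in sorted(orders, key=lambda o: o["time"]):
        by_customer[o["customer"]].append(o)
    flags = defaultdict(list)
    for history in by_customer.values():
        for i, o in enumerate(history):
            # Signal: shipping address differs from billing address.
            if _norm(o["ship_to"]) != _norm(o["bill_to"]):
                flags[o["id"]].append("address_mismatch")
            # Signal: sudden pickup in this customer's transaction count.
            recent = [p for p in history[:i + 1]
                      if o["time"] - p["time"] <= VELOCITY_WINDOW]
            if len(recent) > VELOCITY_LIMIT:
                flags[o["id"]].append("velocity_spike")
            # Signal: an earlier small transaction followed by a larger one.
            probes = [p for p in history[:i] if p["amount"] <= PROBE_MAX]
            if any(o["amount"] >= p["amount"] * ESCALATION_FACTOR for p in probes):
                flags[o["id"]].append("small_then_large")
    return dict(flags)

T0 = datetime(2016, 3, 1, 12, 0)

def _order(oid, cust, mins, amount, bill, ship=None):
    return {"id": oid, "customer": cust, "time": T0 + timedelta(minutes=mins),
            "amount": amount, "bill_to": bill, "ship_to": ship or bill}

# Constructed sample data: "bob" probes with $1, then escalates and reships.
SAMPLE_ORDERS = [
    _order("A1", "alice", 0, 120.00, "1 Main St"),
    _order("B1", "bob", 0, 1.00, "9 Elm Rd"),
    _order("B2", "bob", 10, 450.00, "9 Elm Rd"),
    _order("B3", "bob", 20, 600.00, "9 Elm Rd", "77 Dock Ave"),
    _order("B4", "bob", 30, 700.00, "9 Elm Rd", "77 Dock Ave"),
    _order("A2", "alice", 5000, 80.00, "1 Main St", "1 main  st"),
]
```

Orders that trip several rules at once are the natural candidates for the manual review queue, which keeps the share of hand-checked orders small.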

Some of these firms provide the data and let sites decide whether to verify the payment as legitimate. Others sell a variation on this service, offering to insure each transaction and assume the payment risk. They then take on the task of scoring and approving transactions.

When Ezzie Schaffran arrived as chief operating officer of Certified Watch Store last August, its site,, was using a hodgepodge of outside and in-house security measures to catch payment fraud.

Schaffran has a long history of fighting online payment fraud, having served as chief operating officer at jewelry e-retailer He considered a crop of vendors offering transaction insurance for, but says he found the fees, which ranged from 0.5% to 3% of the transaction value, higher than he thought practical.

He also looked at so-called 3-D Secure authentication protocols that require cardholders to register and create a password for their payment card with the likes of Visa, MasterCard and American Express that they then use to log in before a retailer authorizes payments. While 3-D Secure protocols shift some liability for fraudulent transactions away from the merchant, Schaffran felt those systems slowed consumers down and led to too many dropped transactions.

Instead, he opted for the services of fraud prevention platform NoFraud, which uses factors such as the purchaser’s location, global blacklists of criminals and device identification to determine the legitimacy of transactions. When legitimacy remains unclear, NoFraud contacts the cardholder to personally confirm any questionable, non-automated transaction decisions. NoFraud charges a fee per transaction that is based on transaction volume and transaction value, and the average customer pays 10-20 cents per transaction. All of Certified Watch Store’s transactions go through NoFraud’s process, and Schaffran says the e-retailer has not had any fraudulent transactions since it began using the service.

The automation the service provides means Schaffran doesn’t have to spend so much time manually reviewing orders. Since switching, he says he’s cut the time staff devoted to fraud detection by 95%. “For the first time in my long career, I can actually focus more on customer experience,” than fraudulent payment detection, he says.

Shaya Posner, chief technology officer of NoFraud, estimates that online retailers check 27% of all transactions manually. But the number can vary greatly depending on what an online merchant sells.

High-ticket items and easily transferrable items, such as gift cards, generally attract more fraud and require higher levels of security. McPheters, for example, knows he’s a target because the sneakers he sells can command high prices on the black market, which is why his staff manually reviews about 40% of orders.

Paul Bryne, president of Razoyo, an e-commerce development company that runs several e-retail sites including, says some of its e-commerce sites manually check only 5% of orders. staff will call a credit card holder for any order more than $500 for which the billing and shipping addresses do not match, he says.
