Marginal gains #3: Protecting shoppers

For track cyclists, their safety is in their speed. Riding slow and without intensity could mean a last-place finish, or worse still, the risk of a crash or dismount. As such, everything related to the track is fast but safe; aerodynamic helmets, clip-on pedals, right the way through to the curve of the velodrome.

Until recently, many ecommerce businesses prioritized security ahead of customer experience. Many payment providers applying a less-than-perfect, slowed-down approach to combat fraud, blocking payments at the slightest sniff of inconsistency.

A different IP address? Block it. New card details? Block it. An unusually large amount? Block that too!

Despite this approach, fraud has continued to evolve. According to Nilson, fraud losses worldwide reached $27.85 billion in 2018 and are projected to rise to $35.67 billion in three years.

In this, the third part of our marginal gains series, we'll explore ways to optimize security and protect shoppers without trading down the customer experience. We'll look at customizing the set-up of your risk management tools, as well as using advanced algorithms and shopper recognition to get the best authorization rates.

The risk management tech that keeps the wheels turning

Risk management technology concerns itself with developing tools and techniques to keep up with the rapidly changing fraud landscape. Across the industry, there are several approaches. Some providers recommend a hardline on safety, ultimately turning away genuine shoppers while promoting a '0% chargeback guarantee.' Other providers position new advancements in machine learning, artificial intelligence (AI), biometrics, and even PSD2 strong customer authentication (SCA) regulation as magical fixes.

Now you're probably asking what we at Adyen think of these, and we have a simple answer: There's no such thing as a silver bullet. We believe that the best way to protect shoppers is by combining different techniques to make the best risk decisions.

Recalibrate in shifting environments

Riders tweak their bikes as they move from the sprint to the mountain stage. The same goes for the changing fraud terrain that we see daily. Ecommerce fraud used to be all about hacking the payment gateway and stealing card details, but this has evolved in recent years. It's now a battle against both automated and human-driven attacks.

The emergence of click-farms and bots is one such story. Ten years ago, very few people knew what these were, but today they influence everything from reality TV, to elections, to payment fraud, coordinating a high velocity of automated attacks to yield results. They're often real-world, physical sweatshops where people are employed to conduct focused attacks by presenting themselves as real shoppers. Workers combine a range of data points (a date of birth, a password leaked in a data breach, or a postal address) to sign-in, then access any available payment or identity details.

If you can't calibrate fraud across both automated and human-driven attacks, you'll fall behind the pack and lose trust with shoppers. That's enough of the scary stories though; it's time to see what businesses can do to fight back and get ahead.

Combining the components to build a winning machine

There are five components that you should look for when building your risk management system. Some are obvious (fraud detection tech), and others might be new to you (testing and experimentation). Let's take a closer look at these components and their features.

1. Fraud detection technology

Your first step in preventing fraud is having the ability to detect it. Most fraud detection technology uses advanced data science, utilizing machine learning models to detect behavioral abnormalities across a range of data sets. The technology can be configured for specific high-risk segments, gambling for example, or geographic regions with higher fraud rates.

Find a provider that utilizes multiple machine learning models and theories used to detect fraud. This way, you cover all possibilities and avoid unintentional biases regarding locale, payment method, or transaction value.

2. Using risk knowledge and data to fight fraud

Using the combination of your own risk knowledge and that of the machine is known as 'supervised machine learning'. Supervised machine learning uses labeled data, payment authorization details, and thousands of other data points when making decisions. The machine is 'rewarded' based on its success (each correctly blocked fraudulent transaction), so it doesn't rely on predetermined ideas or notions like humans would.

The idea is that by starting with a base of information, the machine learns and adapts to a multitude of fraud situations.

Providers with a long history of risk management, international coverage, as well as access to comprehensive transaction and shopper data often mean the machine holds better judgment and results. Ensure your provider is continuously training the machine to go up the gears as the fraud terrain changes.

Remember that with supervised machine learning, the machine is only as good as the base data. If there are anomalies or unique reasons to block a payment, the human approach is still important to consider.

3. Customizable settings to support the needs of your business

Regular readers will be familiar with our stance that there's no 'one size fits all approach to payments.' And whether it's offering the right payment methods, operating in a particular market, or today's topic, risk management, it's important to adapt accordingly. Nevertheless, companies and industries can learn from one another, especially when detecting certain types of fraud. That's where industry risk templates can come in handy.

Take streaming services with a freemium pricing model; these businesses may experience many card testing attacks. Similarly, you might be a sports retailer launching a hot sneaker drop when a bot attacks to buy up stock before real shoppers can. This is where industry risk templates come in handy, giving you a somewhat tailored guide based on your industry. It's not a blanket approach either, with the right risk management platform you can build on the template by adding customized risk rules.

Risk rules make it easy to apply customizable settings, putting your specific needs front and center when deciding on what happens to a payment within a particular scenario. This could manifest itself as a large number of unexpected transactions or a high volume of payments from one IP address, the list goes on. Risk rules also allow you to trigger an alert or to complete an automatic action like sending the transaction to review queues or decline a payment. Adding and adapting these help you to respond to changing internal risk appetites, market seasonality and set hard no-go rules for your business. You can also manually override machine learning rules with your own custom rules when applicable.

At Adyen, we also provide suggested custom rules based on learnings from our merchant network. We can apply said rules at a campaign level. E.g., for limited edition items, like the aforementioned hot sneaker drop, add a block rule so shoppers can only purchase one item.

Our merchant stories

Learn about some of our customers and their journey with Adyen by checking out our case studies

4. The ability to test and experiment from the outset

Strengthen your risk settings by conducting regular A/B testing. This will ensure that you protect your customers as fraud evolves.

When experimenting, setting a clear hypothesis is vital. It's also important to set significant sample sizes. You can achieve this by running tests longer, using smaller segments so you can see lagging indicators, or choosing groups you'd like to test with, e.g., specific geographies on a larger scale over less time.

Look for a provider that lets you set A/B testing, define target segments and get recommendations on how large a sample size needs to be. Factor in outliers like seasonality (i.e., don't run a general experiment during Black Friday), and learn how to extrapolate results to make meaningful changes based on your tests.

5. Cost-efficient risk operations

We know fraud isn't always black and white. If it isn't click-farms or bots, it's an over-enthusiastic shopper with a slow internet connection. It's essential to have the ability to optimize your risk management flows and to make sound review decisions promptly. Customizing and segmenting your support queues allow you to control the flow of cases by routing traffic to the correct support queues.

The ability to review payments with relevant information is key, so use a provider that integrates third-party databases such as postcode checkers, social media snippets, and other verification databases.

Related: Beating payments fraud

Protected right away

It isn't always possible to detect fraud, but you can fight back. It's all about the small incremental improvements, whether with machine learning, experimentation, or regulatory safeguards. Think of the cyclist's literal and physical risk management; their aerodynamic bike, their specialized diet, and the latest in helmet design protect them on their way. They might crash every once in a while, but they'll finish the race and keep getting better.

The next and final part of our marginal gains series is concerned with recovery. Check back soon.

Protect your shoppers