Tiered Identity Verification for E-commerce

In their 2013 Online Fraud Report,
Cybersource Corporation estimated $3.5B in lost revenue for e-commerce
merchants.Despite the enormity of the impact many e-commerce merchants
are hesitant to implement
verification methods
due to concerns regarding user experience.

As the occurrence of online fraud increases e-commerce
merchants will need to start looking at transactions differently. All
customers are not the same, and orders should likewise not all be treated the
same. By acknowledging that some transactions involve a higher level of
risk than others merchants can put controls in place without impacting the user
experience (and order completion rates) for the majority of users.

Visa provides
a list
of indicators for fraud in card not present (CNP) transactions like
e-commerce. These behaviors reflect the transactions that comprise the
greatest level of risk (and therefore would need the highest level of identity
verification to mitigate risk). While not included on Visas list,
transactions where the ship-to address and bill-to address are different also
involve a higher level of risk than transactions where the bill-to and ship-to
addresses are the same (although comparably moderate risk relating to the other
fraud indicators).

Considering the three levels of risk (low,
moderate, high) for various transactions, I would propose that e-commerce
merchants should incorporate the following levels of identity verification to
avoid fraud:

  • Low
    Risk (e.g. same ship-to and bill-to address, repeat customers) for low risk
    transactions name and address verification should be sufficient to avoid the
    majority of fraudulent activity. Some payment processors provide address
    verification for CNP transactions, or a 3rd party solution, such
    as Identifraud
    , can be utilized.
  • Moderate
    Risk (e.g. different bill-to and ship-to addresses) for moderate risk
    transactions a secondary layer of identity verification should be involved,
    such as verification of Drivers License information. While this step
    does involve minor intrusiveness to the user experience, if messaged correctly
    the minimal impact should not degrade checkout completion rates.
  • High
    Risk (e.g. high ticket item purchases, non-verifiable addresses) for high-risk
    transactions the level of confidence needed in the users identity is
    significantly higher.When other methods of verification either fail or
    are insufficient then it becomes necessary to ask users to put forth additional
    effort, such as providing responses for dynamic Knowledge Based Authentication
    (KBA). For most e-commerce merchants high risk transactions should
    represent a fraction of their overall user base, meaning the vast majority of
    their users will never have to complete this step.

Every merchant is different, so the definitions
and approaches represented above may need to be customized for each, but
addressing identity verification is the right long-term play for all e-commerce
merchants. As consumers increasingly consider security above convenience
merchants that can provide a more secure shopping environment will come out

Explore more articles