In their 2013 Online Fraud Report,
Cybersource Corporation estimated $3.5B in lost revenue for e-commerce
merchants.Despite the enormity of the impact many e-commerce merchants
are hesitant to implement identity
verification methods due to concerns regarding user experience.
As the occurrence of online fraud increases e-commerce
merchants will need to start looking at transactions differently. All
customers are not the same, and orders should likewise not all be treated the
same. By acknowledging that some transactions involve a higher level of
risk than others merchants can put controls in place without impacting the user
experience (and order completion rates) for the majority of users.
Visa provides
a list of indicators for fraud in card not present (CNP) transactions like
e-commerce. These behaviors reflect the transactions that comprise the
greatest level of risk (and therefore would need the highest level of identity
verification to mitigate risk). While not included on Visas list,
transactions where the ship-to address and bill-to address are different also
involve a higher level of risk than transactions where the bill-to and ship-to
addresses are the same (although comparably moderate risk relating to the other
fraud indicators).
Considering the three levels of risk (low,
moderate, high) for various transactions, I would propose that e-commerce
merchants should incorporate the following levels of identity verification to
avoid fraud:
- Low
Risk (e.g. same ship-to and bill-to address, repeat customers) for low risk
transactions name and address verification should be sufficient to avoid the
majority of fraudulent activity. Some payment processors provide address
verification for CNP transactions, or a 3rd party solution, such
as Identifraud
Consumer, can be utilized.
- Moderate
Risk (e.g. different bill-to and ship-to addresses) for moderate risk
transactions a secondary layer of identity verification should be involved,
such as verification of Drivers License information. While this step
does involve minor intrusiveness to the user experience, if messaged correctly
the minimal impact should not degrade checkout completion rates.
- High
Risk (e.g. high ticket item purchases, non-verifiable addresses) for high-risk
transactions the level of confidence needed in the users identity is
significantly higher.When other methods of verification either fail or
are insufficient then it becomes necessary to ask users to put forth additional
effort, such as providing responses for dynamic Knowledge Based Authentication
(KBA). For most e-commerce merchants high risk transactions should
represent a fraction of their overall user base, meaning the vast majority of
their users will never have to complete this step.
Every merchant is different, so the definitions
and approaches represented above may need to be customized for each, but
addressing identity verification is the right long-term play for all e-commerce
merchants. As consumers increasingly consider security above convenience
merchants that can provide a more secure shopping environment will come out
ahead.