Online businesses in the US lose an estimated $3.5 billion to fraud every year. That number is only set to rise as long as we keep having security breaches like the Target hack, which put an estimated 40 million credit card numbers in the hands of fraudsters.
The payments industry has typically fought fraud by making merchants go through a lengthy and involved process to prove they aren’t risky before they accept their first cent from customers. Yet in today’s digital economy, that just doesn’t cut it anymore. The platform businesses that are the real drivers of growth in the new economy — things like crowdfunding sites, marketplaces, and small business software providers — need to sign on new merchants fast and start processing payments immediately. That requires a new kind of payments system — one that’s faster, more secure, more flexible and backed by more machine intelligence than ever before.
At WePay, we’re building that payments system. It’s a tough engineering challenge, something our VP of Risk John Canfield laid out recently for attendees of Q Conference in New York in his talk “Leveraging Big Data for Payment Risk Management.”
You can watch the whole talk here, but one of the more interesting bits was John’s take on what data to actually look at — a bigger problem than you might think. Machine intelligence approaches rely on having data points that are actually predictive, so choosing what to focus on is an important first step in creating a system for assessing payment risk.
Here are some of the data points that can help a payments company assess risk:
· Know Your Customer, or KYC info: This is the classic information like name, address, date of birth, and social security number that is required by all banks to open a merchant account. Everyone requires this because it works — although fraudsters can gain this info too, so it can’t be the whole of a fraud assessment strategy. It’s good for a first pass: you can check it against records held by companies like Experian and Equifax to verify that a person by that name actually exists.
· Traditional business credit reports: Assuming you can get a business credit report, this is a great source of insight into a potential merchant. The problem is that this isn’t usually available in the Bottom Up Economy, the fast-growing e-commerce space in which “merchants” are often individuals able to punch above their weight thanks to small business software, online marketplaces and crowdfunding. If a merchant isn’t a traditional business, then the credit reporting bureaus generally won’t have the same level of data about them.
· Business License: Again, this isn’t going to be available for many payers. But if a business is registered, that’s a signifier that it might be legitimate.
· Business Social Media: This varies from business to business because businesses use social media to a greater or lesser extent. However, if a business has a social media profile, that can be a good thing to look at. It’s not a 100 percent signal, because it can be faked, but if a social profile has accumulated a great deal of likes or followers over a long period of time and sees regular engagement, that’s an excellent sign of legitimacy.
· Editorial reviews and ratings: This can be even better than social media, because these are outsiders evaluating a business, and even businesses that aren’t especially active on the Internet might have garnered reviews or been mentioned in newspaper articles. The issue is that it can be a difficult process to gather this info, because it’s not usually packaged neatly into an API for you. Often, checking for this can be a very manual process, but parts of it can be automated as you get a better understanding of the sources for this data.
· Street view addresses: Also a manual process that can be automated somewhat later on. Street view is useful because it allows a payment company to answer a simple question: does the building at the address the merchant has given me look like it matches the kind of business they’re representing themselves as? A word of warning, however: small businesses very often try to make themselves look larger than they are by doing things like giving a mail forwarding address that belongs to a large, professional looking building.
· Personal Facebook pages: A person’s social media profile is an incredibly valuable source of data — it establishes their identity online in much the same way a driver’s license does in the offline world. What’s more, it’s hard to fake. Even a person who doesn’t use Facebook much will look very different from a fraudster — they’ll likely have had the account for years and have many followers that have built up over time. This is doubly so if you can confirm the merchant has control of this account.
· Device ID: These are newer technologies, offered by companies like ThreatMetrix, Iovation and Experian/41st Parameter, that try to tie a transaction to a specific device. This goes beyond just looking at the IP address: these technologies look at a variety of data points to establish a unique fingerprint for each device. That’s useful because it lets one establish blacklists, preventing further fraud from the same device once fraud is found.
· Google: When you do a Google query for the name of the business or individual, does it return results? Is their website or social profile in those results? It’s a simple test, but still useful. Google search results provide 3rd party verification of the existence of a business or an individual, and they could lead to other potentially useful sources of data like reviews and blog posts about the business.
· Control Verification: This requires users to take an additional step to sign into an account by entering a code sent to their cell phone. This protects against takeover attacks, because in order to take over an account an attacker would have to have the victim’s cell phone in addition to their username and password. Passing a control verification is thus a very good sign, from a risk perspective.
· Transaction History: Not all sources of data are external. If a merchant has been using your service for a decent period of time, then their transaction history is an excellent source of insight. Fraud might look very different than the baseline behavior you see from this merchant — think a Halloween store that normally does all of its business in October which suddenly sees a spike of transactions in March. It can also give you early warning that a merchant is starting to go downhill. If a usually good merchant starts generating an unusual number of chargebacks, that’s a sign that fraud or something like it is occurring.
· Partner Data: It turns out that most platform companies actually have a lot of data about the people using their service that would be very helpful for a payments company trying to assess fraud risk — things like the kind of payment being made, what’s actually being bought, how the service will be delivered and 3rd party data that they’ve collected themselves. Yet traditional payments vendors have had no way to see this data, so they can’t use it.
WePay’s answer to that problem is Veda Risk API, our patented method for collecting a range of data from our partner platforms easily, securely and without any impact on the user experience. Not to toot our own horn, but we think it’s pretty great. Obviously, the kinds of data vary a lot from platform to platform — a crowdfunding site knows different things about its users than a small business accounting software. That’s why we’ve built Veda to be extremely flexible. Here’s a sampling of some of the things Veda can look at:
If you want to learn more about how our risk assessment system works, contact our API team at email@example.com
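The Transaction History check described in the list above can be sketched in code. This is an added example, not WePay's code or part of the original post: it compares a new month against the merchant's own seasonal baseline and historical chargeback rate. The data layout, function names and thresholds are assumptions, and the sample history is constructed.

```python
from statistics import median

# Constructed history for a hypothetical Halloween store:
# {(year, month): (transactions, chargebacks)}
HISTORY = {}
for year in (2012, 2013):
    for month in range(1, 13):
        HISTORY[(year, month)] = (900, 4) if month == 10 else (30, 0)


def seasonal_baseline(history, month):
    """Median volume for this calendar month in earlier years.

    Falls back to the all-months median when the merchant has no
    history for that calendar month yet.
    """
    same_month = [tx for (_, m), (tx, _) in history.items() if m == month]
    if same_month:
        return median(same_month)
    return median(tx for tx, _ in history.values())


def historical_chargeback_rate(history):
    """Chargebacks per transaction over the merchant's whole history."""
    total_tx = sum(tx for tx, _ in history.values())
    total_cb = sum(cb for _, cb in history.values())
    return total_cb / total_tx if total_tx else 0.0


def assess(history, month, tx, chargebacks,
           spike_factor=3.0, cb_factor=3.0, min_chargebacks=3):
    """Return risk flags for one month of activity (thresholds are assumed)."""
    flags = []
    # Volume is judged against the same calendar month, so a busy October
    # is normal for this merchant while the same volume in March is not.
    expected = seasonal_baseline(history, month)
    if tx > spike_factor * max(expected, 1):
        flags.append("volume_spike")
    # Require a minimum count so a single dispute on a quiet month
    # does not trip the ratio test.
    rate = chargebacks / tx if tx else 0.0
    if (chargebacks >= min_chargebacks
            and rate > cb_factor * historical_chargeback_rate(history)):
        flags.append("chargeback_surge")
    return flags
```

With the constructed history, 400 transactions in October pass unflagged, while the same 400 in March are reported as a volume spike.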