Efficiently Manage E-Commerce Payment Fraud and other Online Order Exceptions

In a previous article, we discussed techniques for minimizing e-commerce payment fraud and the resulting chargebacks.  But what happens after you flag an order for suspected fraud?  Do you automatically cancel it?  Hopefully not.

Depending on the sensitivity of your fraud filters, many of these orders may be perfectly legitimate.  Obviously, the last thing you want to do is cancel a legitimate order.  So, this leaves the online merchant with two competing goals:

  1. Stop and cancel any and all fraudulent orders.
  2. Process and ship all legitimate orders quickly.

This article outlines a basic process Rush Order uses for accomplishing these tasks.  While your system may or may not allow for similar processes, we hope this article will help you think through your own order management process and identify steps that can be improved by similar thinking.

First, let’s review a few of the warning signs frequently associated with a fraudulent order.  Although this list is not comprehensive, it includes some of the more common items we tend to see in our day-to-day operation.  Generally, when more than one of these flags is present on an order, it may be a good idea to stop and review.

Credit Card Fraud Warning Signs:

  • The customer’s information contains misspellings.
  • The order is shipping to a PO Box. This may indicate a lack of permanent physical presence.
  • High value amounts shipping via an untraceable method such as first class mail.
  • High value or abnormally large quantities shipping via expedited shipping methods such as overnight delivery.
  • High value orders should be carefully inspected regardless of any other information in the order.
  • Multiple orders by the same customer in a short time span.
  • Orders containing free internet email addresses that seem to have no relevance to the person’s actual name.
  • The order fails AVS.  Always use your payment gateway’s address verification system (AVS).  If a customer cannot enter her own billing address correctly, she is likely not a customer at all.  She is probably a thief.
  • International orders add complexity.  Most automated fraud tools cannot validate foreign addresses. Review international orders and verify information via email (or phone) when the legitimacy of an order is in question.
  • Multiple orders by different customers with the same credit card number.
  • The same credit card Bank Identification Number (BIN) is used in excess of normal volume in a short time span.  The BIN is the first six digits of the credit card number.  These numbers identify the institution that issued the card.  A sudden abnormal spike in the use of the same BIN may indicate a breach of that institution’s credit card data.

Automatic authorizations (and declines) may take place online using integrated APIs with the payment gateway.  Once an order is authorized by the gateway, it is reviewed by Rush Order’s system for dozens of potential fraud flags, as well as a similar number of basic business rules.

Once a suspected order is flagged in your system, what should you do with it?  Rush Order’s answer is to systematically score each order in terms of the quantity and severity of the fraud filters triggered.

If the total fraud score is relatively low, our system releases it for shipment.  If the total fraud score is relatively high, the order is put on hold and assigned a priority for our treasury team to review.

Priorities are usually based on shipment method and order value.  For example, high value orders shipping via next day air are reviewed and the next action in the process is executed before moving on to low value orders shipping via ground or mail.
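
The scoring, hold and prioritization steps described above can be sketched as follows. This is an added example, not Rush Order's code: the flag weights, the hold threshold, the high-value cutoff, the BIN limit, the field names and the sample orders are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Weights, thresholds and field names are assumptions; card_token replaces the PAN.
WEIGHTS = {"po_box": 2, "avs_fail": 4, "free_email": 1, "international": 2,
           "high_value": 3, "high_value_untraceable": 4, "high_value_expedited": 3,
           "repeat_customer": 2, "card_shared": 5, "bin_spike": 3}
HOLD_AT, HIGH_VALUE, BIN_LIMIT = 6, 500.0, 3
EXPEDITED, UNTRACEABLE = {"next_day_air", "overnight"}, {"first_class_mail"}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

def order(oid, customer, email, total, ship, **overrides):
    return {"id": oid, "customer": customer, "email": email, "total": total,
            "ship": ship, "bin": "400000", "card_token": "tok-" + oid,
            "avs_ok": True, "po_box": False, "country": "US", **overrides}

def triage(batch):
    """Score each order in a batch window; return (released_ids, review_queue)."""
    per_customer = Counter(o["customer"] for o in batch)
    per_bin = Counter(o["bin"] for o in batch)
    released, held, card_users = [], [], defaultdict(set)
    for o in batch:
        card_users[o["card_token"]].add(o["customer"])
    for o in batch:
        high, fast = o["total"] >= HIGH_VALUE, o["ship"] in EXPEDITED
        local, _, domain = o["email"].lower().partition("@")
        surname = o["customer"].split()[-1].lower()
        checks = {
            "po_box": o["po_box"], "avs_fail": not o["avs_ok"],
            "international": o["country"] != "US", "high_value": high,
            "high_value_untraceable": high and o["ship"] in UNTRACEABLE,
            "high_value_expedited": high and fast,
            "free_email": domain in FREE_MAIL and surname not in local,
            "repeat_customer": per_customer[o["customer"]] > 1,
            "card_shared": len(card_users[o["card_token"]]) > 1,
            "bin_spike": per_bin[o["bin"]] > BIN_LIMIT}
        flags = sorted(f for f, hit in checks.items() if hit)
        score = sum(WEIGHTS[f] for f in flags)
        if score < HOLD_AT:
            released.append(o["id"])
        else:  # review order: expedited high-value first, then by score
            priority = 1 if high and fast else 2 if high or fast else 3
            held.append((priority, -score, o["id"], flags))
    return released, [(oid, p, -s, f) for p, s, oid, f in sorted(held)]

SAMPLE = [  # constructed orders, not real data
    order("A1", "Ann Lee", "ann.lee@example.com", 40.0, "ground", bin="510000"),
    order("A2", "Bob Ray", "xk99@gmail.com", 900.0, "next_day_air", avs_ok=False),
    order("A3", "Cy Dunn", "cy@example.com", 60.0, "ground", card_token="tok-X", avs_ok=False),
    order("A4", "Di Voss", "di.voss@example.com", 700.0, "ground", card_token="tok-X")]
```

Calling triage(SAMPLE) releases A1 and queues A2, A4, A3 in that order: A3 scores higher than A4 but is reviewed later because it is a low value ground shipment.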

At each step, orders may be released for shipment as soon as a member of the trained treasury staff deems the order is legitimate.  As evident in this chart, the release may occur upon initial review or subsequent contact with a legitimate customer.  All initial contacts are made within 24 hours and all follow-up contacts are made within 48 hours.  Depending on several factors, orders for which no direct contact is established are usually cancelled within a week or two.

Similar processes are in place for other order exceptions such as incorrect address data, declined credit cards (unrelated to fraud), business rules, and backorders.  Unlike credit card fraud where some element of manual review is required, many of these issues can trigger automated emails.

If you have questions or would like additional guidance in implementing similar solutions in your current order management system, please do not hesitate to contact Rush Order.