Fraud Scoring Methods For Large-Scale Ecommerce Websites

Fraud scoring is one of the best ways to help large ecommerce merchants detect and prevent credit card fraud online. Leveraging the right fraud scoring tools can also help minimize your risk of chargebacks.

There are several different components to consider when developing a fraud scoring method.

Certain instances or events could raise suspicion, but on their own, just one red flag might not be enough to void the transaction. Merchants must weigh the value of each component to determine if an order meets the criteria for fraud—or at the very least, further investigation.

For example, if just one thing is “wrong” with an online order, it would have a lower fraud score. These sales could still be completed without hesitation.

But if multiple factors raise suspicion, it will increase the fraud score, and merchants should consider declining the transaction. 

Lots of payment gateways include built-in fraud scoring scripts. But since certain factors vary from business to business, your company must understand which elements hold the most relative weight in the scoring model. 

CVV/CVV2

CVV stands for card verification value. This is the three or four-digit number that appears on the front or back of a card. It’s not part of the card number or account number itself.

The location of the CVV/CVV2 depends on the card type. For Visa, Mastercard, and Discover, this will be a three-digit sequence on the back of the card, after the signature line. For Amex, the CVV appears on the front of the card with a four-digit sequence. 

Merchants should use CVV to confirm that the card is actually in possession of the shopper buying online. Failure to enter the correct CVV is a strong indication that the purchase is unauthorized. 

Address Verification System (AVS)

An address verification system does exactly what it sounds like—it verifies the address of the cardholder. If the billing address and shipping address do not match, then it’s a potential cause for concern. 

In many cases, shipping a package to a different address is perfectly normal. 

The customer could be buying something as a gift. Or maybe they are staying at a temporary address, vacation home, or any other number of legitimate reasons. 

But if the order is being shipped to a high-risk fraud country that’s out of the norm for your regular business, it’s obviously more suspicious. You should also consider declining sales if multiple credit cards are being used to ship items to the same address.

For example, if three orders, each with billing addresses in three different states, are all shipping items to the same address in a fourth state, this is likely fraudulent activity. 

International Orders

Is it common for your business to ship orders internationally? If not, then an international order should automatically raise suspicion.

Address verification systems don’t typically work outside of North America. So you can’t rely on that alone for international transactions. 

Consider automatically declining any transaction shipped to certain high-risk countries like North Korea, Iran, Nigeria, Vietnam, Somalia, etc.

With some exceptions, of course, most of you probably won’t be sending orders to certain countries. If 99% of your business comes from the United States and you randomly get an order from West Africa, it should raise red flags. 

IP Address

You can learn a lot about a transaction from the IP address. International IPs should be looked at closer, especially if it’s in a different country than the shipping and billing address.

In many cases, a mismatched IP is normal. For example, someone could be ordering something to their house from a work computer. If this is the only discrepancy, the merchant could take additional steps (such as calling the customer) to verify the sale. 

There are online tools that can be used to conceal IP addresses. While this is something that can be used for legitimate purposes, fraudsters use anonymous open proxy IP addresses to hide their identities and locations while committing crimes online. 

If you detect an open proxy, you should consider declining the sale if there are other fraud indicators at play.

3D Secure Authentication

3D secure transactions add an extra layer of protection for debit and credit card transactions online. Originally developed by Visa, it’s most commonly used in Europe and the United States. 

• Visa — Verified by Visa
• Mastercard — Mastercard SecureCode
• American Express — Safekey 3D Secure

Here’s an example of what a Verified by Visa transaction looks like for an ecommerce sale.

For the consumer, they checkout on the merchant’s website as they normally would. After entering the card details, they’ll be redirected to the bank URL (like Verified by Visa).

The buyer will then enter a predefined password or single-use PIN sent via text message. 

Merchants using 3D secure authentication have an extremely low risk of processing a fraudulent transaction due to this extra layer or protection. 

Repeat Purchases or Attempts

Repeat attempts of a single transaction could indicate that a buyer has access to a credit card number and is testing zip codes or CVVs to finalize the sale. 

You should lock out users after multiple failed attempts. If someone enters the wrong CVV or zip code three times, it’s unlikely that they made an honest mistake. 

Repeat purchases using different credit cards from the same IP address is another strong indication of fraud. 

Order Details

There has to be some common sense used in fraud scoring as well.

If the order amount is significantly higher than your average ticket value or if the quantity is far more than any person would need, it could be fraudulent. 

For example, let’s say you sell computers online. You have some B2B wholesale customers, but direct to consumer buyers are never purchasing more than one or two computers at a time. If you get an order for 50 computers sent to Brazil (not from a wholesale client), you should investigate its legitimacy. 

Consider the time of order as well. Is someone in Boston really shopping online at 4 AM? Maybe. But it’s probably not likely if other red flags have been raised.

If the buyer is trying to complete the purchase with missing information, it could also indicate fraud. You should require a last name, verified email address, and phone number for all online transactions. 

Final Thoughts

Lead scoring can help you reduce fraudulent transactions and lower your chargeback rate.

Just make sure you understand how different factors should be weighed. You don’t want to cancel legitimate transactions for just one small fraud indicator. 

But if transactions have several indicators and a high fraud score, they should not be processed without further investigation.