Risk management

Introduction

The development of commerce goes hand in hand with the development of financial fraud, and e-commerce is no exception. One of the most widespread types of fraud in this sphere occurs when payment card information is compromised and the perpetrator poses as the cardholder. Other types of fraud are becoming more common as well—both for cards and for other payment instruments.

To counteract fraud, payment systems and other parties instrumental in payment processing—issuers, providers, and merchants—employ a comprehensive set of measures. First and foremost, these measures are used to perform two types of checks:

  • Authentication of customers and their payment instruments which includes using the 3‑D Secure authentication protocols, Address Verification Service, and other similar tools.
  • Validation of payments based on their parameters which includes checking whether the parameters match the whitelists and blacklists and various rules as well as conducting different kinds of risk analysis and assessment.

With the ecommpay payment platform, you have full access to these checks in order to reduce the risk of fraud. For fraud detection and prevention,

  • Make sure your web service is set up to work efficiently with the customer authentication solutions. For instance, in the case of 3‑D Secure 2, the challenge flow can be set as preferable for each processed payment, while in the case of the AVS check, address information can be specified in the initial request, which allows verification to be performed without involving the customer. In addition, when 3‑D Secure protocols are used, the issuer bears financial responsibility for processing fraudulent payments (while it is waived for other parties). This also helps prevent chargebacks with the reason code fraud. Smart use of these capabilities ensures a high level of both fraud protection and payment acceptance rates.
  • Make sure that the payment validation rules are set up and maintained. They should be used together with the rules of other parties (ecommpay, payment systems, and issuers) and should ensure that payments are screened efficiently. Together with the ecommpay specialists, determine restrictions and rules specific to a given project; these are used in the payment platform and can be updated whenever necessary. In addition to such rules, you can compile your own whitelists and blacklists, which the payment platform factors in when processing payments.
  • Monitor cases of detected fraud and declined payments. When necessary, be available to respond and take part in review sessions of special cases with the ecommpay specialists, and correct the settings already in use based on the outcome of these sessions. This can be achieved both by using Dashboard capabilities and by contacting your account manager and technical support specialists.

The Dashboard interface allows you to compile your own whitelists and blacklists as well as monitor fraud cases detected by ecommpay and payment systems. This section combines a brief overview of risk management in general with the description of procedures that can be performed using Dashboard.

General process

Overview

The process of financial fraud prevention can be characterised as follows.

First of all, this process is multilayered. It involves different stakeholders—merchants, providers, payment systems, and issuers—and each of them is responsible for fraud prevention at their level in respect of the payments they handle. It also involves different tools, some of which can be used by several parties (for example, 3‑D Secure authentication) while others are specific to each party (for example, whitelists and blacklists). Utilising these tools consistently ensures multi-step filtering of operations and overall efficiency.

Secondly, this process implies that two-way communication predicated on feedback is expected between all stakeholders. Thus, if a certain operation is established to be fraudulent after it has been processed and finalised, this information is brought to the attention of all parties involved and allows modifying the countermeasures intended to prevent similar operations at different levels.

Thirdly, at each of these levels the process can be presented as an iterative cycle with four steps—setup, monitoring, response, and analysis.

Thus, financial fraud prevention can be presented as a system of interlinked actions which repeat cyclically at different levels.

The main steps of this process—setup, monitoring, response, and analysis—are described in the sections that follow, with the focus on the aspects that are useful and relevant for merchants.

Setup

Authentication

The payment platform supports a range of auxiliary procedures for customer authentication, such as 3‑D Secure authentication, authentication on the merchant's request, and the Address Verification Service. Moreover, to ensure efficient authentication, certain additional capabilities can be useful—for instance, collecting and submitting additional customer data.

As a rule, if the interaction with the platform takes place through Gate, the integration with the web service may require additional changes and modifications, while if Payment Page is used, everything is performed in the payment platform and does not involve the web service at all. To learn more about auxiliary procedures, go to Gate; to learn more about additional capabilities, go to the Gate and Payment Page sections.

In order to work efficiently with these tools, merchants should:

  1. Determine capabilities and procedures that need to be maintained for specific projects.
  2. If necessary, ensure that target capabilities and procedures are supported by the web service.

To learn more about combining procedures and capabilities as well as their implementation and setup, contact your account manager and technical support specialists.

Validation

When payments are validated, their parameters are checked in the platform against various rules which can be common for all payments or specific for payments of individual merchants and their projects. First and foremost, this applies to whitelists and blacklists—they can be used both by merchants and by ecommpay.

In order to work efficiently with these tools, merchants should:

  1. Together with the ecommpay specialists determine rules and restrictions applicable to specific projects.
  2. Compile their own whitelists and blacklists which can be viewed and edited in Dashboard and which are going to be used in the platform together with other rules.

To learn more about configuring validation rules and working with whitelists and blacklists, including transferring such lists from other systems, contact your account manager and risk management specialists.

Monitoring

Before operations are processed in the ecommpay payment platform, they need to be validated. During the validation process, the parameters of each operation are checked against the predefined rules, and the operation is automatically deemed one of the following:

  • Fraudulent—if any parameter of the operation is blacklisted or the risk of executing this operation (based on all its parameters) is considered high. In this case, the operation is declined, and the ecommpay payment platform sends the web service a final callback with the operation status decline and the error code (the comprehensive list of such error codes and their description is available in the section RCS codes).
  • Suspicious—if it is not possible to reach a definitive conclusion regarding the risks associated with the execution of the operation after the predefined algorithms have been applied, and additional evaluation is required. In this case, the operation is processed while the ecommpay specialists additionally review the operation and decide whether it is trustworthy or fraudulent. Then, if necessary, they report their findings to the merchant's employees for further assessment. Following the review by the specialists, different measures can be taken, including issuing a refund and updating the blacklist.
  • Trustworthy—if any parameter of the operation is whitelisted or the risk of executing this operation (based on all its parameters) is considered low. In this case, the operation is executed.

Restriction:

Keep in mind that such risk assessment includes prioritising list rules. In general, if at least one operation parameter is blacklisted, then the operation is deemed fraudulent because the blacklist takes precedence over the whitelist. However, there can be cases when the whitelist is prioritised and the operation is deemed trustworthy (learn more). Hence, whitelists and blacklists should be approached with maximum caution.

Risk monitoring does not stop after risks have been initially assessed by the merchant and ecommpay: if ecommpay approved an operation, it does not exclude the possibility this operation is going to be flagged by other parties involved in payment processing. Likewise, the approval of the operation by all parties involved does not exclude the possibility of detecting fraud retrospectively. In such cases, the information about the fraud attempts and cases detected by other parties is reported to ecommpay, and then, by the ecommpay specialists to the merchant's employees. In addition, the merchant can monitor the execution of operations and learn about declined or fraudulent operations using Dashboard or via email (more details below), and in any unusual situation should contact the ecommpay risk management team.

Response

The merchant's response is based on the assessment of the risks associated with the operation execution and whether the operation is deemed fraudulent after it has been processed and finalised. If the response is efficient, it can significantly impact the success rates of fraud prevention and doing business as a whole.

Cases when the merchant's response is needed include the following:

  • The operation is rejected as fraud by ecommpay. In this case, reviewing the reason for rejection (by examining the callback or using Dashboard) is recommended. If necessary, the following response is due:
    • Update the blacklist—if the operation is definitely fraudulent and it is possible to identify a condition for blocking similar operations in the future (for example, a phone number of the customer).
    • Update the whitelist—if it is certain that the operation is trustworthy, albeit characterised by the unusual behaviour of the customer, and it is possible to identify a condition for confirming reliability of similar operations in the future.
    • Contact the ecommpay specialists—if there are any questions regarding the operation processing.
    • Initiate the operation again—if it is applicable to the given user scenario and (following the update of the whitelist or the approval by the ecommpay specialists) it is clear that the rejection of the operation is not going to be repeated.
  • The operation is flagged as suspicious by ecommpay. In this case, analysing the reason and the nature of suspicions is recommended. If necessary, contact the customer for clarification as well as the ecommpay specialists—to coordinate the required course of action following which necessary measures should be taken. This may involve issuing refunds and updating whitelists and blacklists.
  • The operation has been approved by ecommpay, but is flagged as fraudulent by another party. In this case, reviewing the reason for rejection (by using Dashboard or by contacting the ecommpay specialists) is recommended. If necessary, the following response is due:
    • Update the blacklist—if the operation is definitely fraudulent and it is possible to identify a condition for blocking similar operations in the future.
    • Initiate the operation again with the updated or expanded list of parameters—if the reason of rejection does not prevent a retry and it is certain that the operation is trustworthy, and it was declined due to incorrect or incomplete data.
  • The operation has been processed and finalised, but is deemed fraudulent retrospectively. In this case, revising criteria which were used to flag the operation (by using Dashboard or by contacting ecommpay support specialists) is recommended. If necessary, the blacklist should be updated and the customer affected by fraud should be compensated.

In any unusual case, contact the ecommpay risk management team.

Analysis

To ensure efficient payment processing—with high conversion rates and effective fraud prevention—merchants should analyse the overall performance on a regular basis. This includes evaluating the ratio of correct and incorrect payment rejections, identifying additional criteria for whitelists and blacklists, determining whether ecommpay should introduce changes to the customer authentication procedures and operation validation rules, and so on. All aspects of fraud prevention require constant scrutiny, not least because fraud patterns in e-commerce continue to develop as perpetrators attempt to circumvent current countermeasures.

To learn more about analysing risk management efficiency, contact your account manager.

Monitoring fraudulent operations

Overview

The payment platform allows you to monitor information about attempts and cases of fraud detected by ecommpay and payment systems. You can use the tools of the Dashboard interface and the option of receiving automated emails.

Using the Dashboard tools

Use the following tools to monitor fraudulent operations:

  • The payments list in the Payments section (which contains information about all payments).
  • The fraud register in the Risks section (which contains information about operations flagged as fraud by payment systems).
  • Fraud reports which are prepared in the Reports section.

When working with these registers, you can use standard filtering tools (learn more) as well as payment information tabs which specify details of individual payments and all operations initiated within them (to open the payment information tab, click the row of the payment you need in the list).

Access to fraud information in the Risks section and payment information tabs is limited by a separate permissions set and, by default, is granted to user accounts with the Risks and Merchant Admin roles. In addition, managing reports requires a separate permission that is available to all user accounts but not included in a basic permissions set.

When working with payments lists and fraud register, consider the following:

  • Information in registers and payment information tabs is shown with a time lag which can take up to several minutes. In addition, automatic data refresh is not supported.
  • Payment systems report detected fraud to the payment platform twice a day: before 7:00 and 15:00 UTC+0, which is why you are recommended to monitor this information after the indicated times.
  • The fraud register can contain several records about the same operation with different update dates when the information about this operation is included into several reports from the payment systems.
  • The number and the order of columns in the registers can be customised which means that with the appropriate set of permissions the registers can be arranged according to individual needs. For example, if you need to see the date when the fraudulent operation was performed, you can add the Purchase date column to the basic set of columns in the fraud register.

To monitor information about the relevant operations, do the following:

  1. Go to the required section: Payments or Risks.
  2. Find the operation you need using filters if necessary.
  3. In the Payments list, the operation declined by ecommpay as high risk can be found by payment status decline and the service response status code (such codes include 402 and codes from RCS). Operations flagged as fraudulent by other parties can be found by using the fraud indicator (also with the filter).
  4. Verify the information you need, directly in the list or in the payment information tabs.

    In the fraud register and the Fraudulent payments information located in the payment information tab, you can view the details of the fraud for a certain operation.

Receiving automated emails

You can monitor information about operations flagged as fraudulent by payment systems not only with the use of different Dashboard tools but also by receiving automated emails sent to the email address associated with the Dashboard user account. Emails with notifications are sent out at 14:00 UTC+0 if the platform receives any new information about detected fraud. By default, the option to receive these emails is enabled for all user accounts. You can disable this option on your own by going to the My profile section, or an employee with the Merchant admin role can do it for you in the My team section.

To disable the option to receive automated emails on your own:

  1. Open the user profile.

    Click the user name or the user account icon in the top right corner and select My profile in the dropdown menu.

  2. Disable the Receive emails about fraudulent transactions option.

    Switch to the editing mode by clicking on the User Profile panel, turn off the toggle switch and save changes by clicking Save on the upper-right side of the User Profile panel.

  3. Make sure all changes have been saved.

    The option should be disabled.

Using whitelists and blacklists

Overview

When operations are validated, their parameters are checked in the platform against various rules, including whitelists and blacklists. These lists can be common for all merchants or specific to an individual project of the merchant.

  • Whitelist is a list of criteria matching any of which indicates that an operation is trustworthy.
  • Blacklist is a list of criteria matching any of which flags an operation as fraudulent.

The following considerations are applied when assessing the risks of processing specific operations:

  1. If at least one of the operation parameters is blacklisted and the blacklist category is Customer ID, Account number, or E-mail, then the blacklist takes precedence over the whitelist and the operation is flagged as fraudulent.
  2. If the condition described above does not apply, but the operation has parameters that are found in the IP and BIN lists (one parameter can be blacklisted, the other can be whitelisted, in either combination), then the whitelist has higher priority and the operation is deemed trustworthy.
  3. If the operation is deemed untrustworthy following the AML (Anti-Money Laundering; matching the person included in the sanctions list) and Compliance (matching the country in the prohibited country list) checks, it is declined even if some of the operation parameters are whitelisted.
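The three precedence rules above, modelled as an added example (this is not ecommpay's implementation; the category names, the Lists structure, the aml_hit/compliance_hit flags and the "undetermined" outcome left to the platform's other risk rules are assumptions):

```python
"""Illustrative model of the whitelist/blacklist precedence rules described above.

Added example, not ecommpay's implementation. The category names, the Lists
structure, the aml_hit/compliance_hit flags and the "undetermined" outcome
(handed on to the platform's other risk rules) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Rule 1: a blacklist hit in these categories always wins. The page names
# "Customer ID, Account number, or E-mail"; whether "Account number" is the
# upload file's pan category is not stated, so it keeps its own name here.
HARD_BLACKLIST_CATEGORIES = {"customer_id", "account_number", "email"}
# Rule 2: for these categories a whitelist hit outranks a blacklist hit.
SOFT_CATEGORIES = {"ip", "bin"}


@dataclass
class Lists:
    """Criteria per category, e.g. {"ip": {"203.0.113.7"}} (assumed shape)."""
    whitelist: Dict[str, Set[str]] = field(default_factory=dict)
    blacklist: Dict[str, Set[str]] = field(default_factory=dict)


def _hits(listing: Dict[str, Set[str]], params: Dict[str, str]) -> Set[str]:
    """Categories whose operation parameter value appears in `listing`."""
    return {cat for cat, val in params.items() if val in listing.get(cat, set())}


def assess(params: Dict[str, str], lists: Lists,
           aml_hit: bool = False, compliance_hit: bool = False) -> str:
    """Return "declined", "fraudulent", "trustworthy" or "undetermined"."""
    # Rule 3: AML / Compliance failures decline the operation even when some
    # parameters are whitelisted, so they are checked before any list logic.
    if aml_hit or compliance_hit:
        return "declined"
    black = _hits(lists.blacklist, params)
    white = _hits(lists.whitelist, params)
    # Rule 1: blacklisted customer ID / account number / email wins outright.
    if black & HARD_BLACKLIST_CATEGORIES:
        return "fraudulent"
    # Rule 2: among ip and bin, the whitelist has the higher priority,
    # whatever the other of the two lists says.
    if white & SOFT_CATEGORIES:
        return "trustworthy"
    # General rule from the Monitoring section: any remaining blacklist hit
    # takes precedence over the whitelist.
    if black:
        return "fraudulent"
    if white:
        return "trustworthy"
    # No list matched: the outcome is left to the other risk rules (assumed).
    return "undetermined"


def demo() -> Dict[str, str]:
    """Constructed sample lists and operations exercising each branch."""
    lists = Lists(
        whitelist={"ip": {"203.0.113.7"}, "email": {"ok@example.com"}},
        blacklist={"email": {"bad@example.com"}, "bin": {"411111"},
                   "ip": {"198.51.100.9"}},
    )
    return {
        "blacklisted email, whitelisted ip":
            assess({"email": "bad@example.com", "ip": "203.0.113.7"}, lists),
        "blacklisted bin, whitelisted ip":
            assess({"bin": "411111", "ip": "203.0.113.7"}, lists),
        "blacklisted ip, whitelisted email":
            assess({"ip": "198.51.100.9", "email": "ok@example.com"}, lists),
        "whitelisted ip, compliance hit":
            assess({"ip": "203.0.113.7"}, lists, compliance_hit=True),
        "no list match":
            assess({"ip": "192.0.2.1"}, lists),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```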

Interface capabilities

Dashboard allows you to manage criteria of whitelists and blacklists applicable both to your specific projects and to all of your projects. The Risks section includes the B/W list subsection that allows you to do the following:

  • View the list of criteria, using search and filtering if necessary.
  • Add new criteria, one by one or in bulk.
  • Delete criteria, one by one only.

You can search for criteria of whitelists and blacklists using filters on the upper panel, which includes the possibility to enter multiple values of one category (for example, customer_id) separating them by a comma or a space.

Adding risk assessment criteria to whitelists and blacklists is also possible using payment information tabs. This capability is supported for all operations: there are no restrictions on payment types or payment methods, or whether the operation has to be flagged as fraudulent by a payment system or not.

Capability of managing risk assessment criteria can only be accessed with a separate permissions set which, by default, is granted to user accounts with the Risks and Merchant Admin roles.

Figure: Whitelists and blacklists register



Adding criteria using payment information tabs

In the payment information tabs, you can add criteria to whitelists and blacklists for individual operations initiated within payments without any restrictions. This is convenient when individual cases of fraud are reviewed, and it allows you to respond quickly. To add criteria:

  1. Locate the payment within which the target operation was initiated. The target operation is the one whose parameter values should be whitelisted (blacklisted).

    Use Search (learn more) or filters in the registers in the Payments and Risks sections.

  2. Open the payment information tab by clicking the row in the register of the selected section.
  3. Add criteria to the whitelist (blacklist) by doing the following:
    1. Click the Add to list button on the right of the Manage operation panel.
    2. Select in the window that opens the type of the list (whitelist or blacklist), categories available for this operation (for the criteria you need to whitelist or blacklist) and identifiers of projects (to which these changes will apply). If necessary, you add a comment: it will be the same for all added criteria.
      Note: In certain cases, the Add to list window may display categories that were not used for performing the target operation. For example, the email category can be shown as available, even if the request to perform the operation in question did not contain such a parameter. If this is the case, then nothing is added to the whitelist or blacklist when you attempt whitelisting or blacklisting a criterion.
    3. Confirm adding criteria to the whitelist (blacklist) by clicking Apply.

  4. Make sure that the criteria have been added to the whitelist (blacklist).

    Check the register with the list of criteria in the B/W List subsection.

Adding criteria using the form

In the Risks section, you can add various criteria to whitelists and blacklists using the form in the B/W List subsection. This is convenient when different cases of fraud are reviewed and analysed for determining additional criteria of risk assessment, for example, when the need to update whitelists or blacklists does not stem from processing specific operations. To add criteria:

  1. Open the form.

    Go to the B/W List subsection of the Risks section, click the Manage button on the left of the filter panel (if the button does not show, click the () button on the right of the filter panel).

  2. Add the criteria.

    Select the list you need (whitelist and blacklist), specify the required criteria in the target fields, and click Apply.

    If any of the fields is filled incorrectly, the corresponding error message is shown. Correct the errors (or do not complete these fields) and click Apply again.

  3. Make sure that the criteria have been added.

    A notification that the adding request was sent successfully should be shown. You can also verify that the criteria have been added to the criteria list in the B/W List subsection.

Figure: Adding criteria to the blacklist



Adding criteria using the file

How to add criteria

If you use additional sources of information about risks, you can add various criteria to whitelists and blacklists by uploading a file. This is convenient when both whitelists and blacklists need to be updated without referencing specific operations and with no limit on how many criteria are added. To add criteria with the help of a file:

  1. Create and prepare the file with the information about criteria in the specified format.

    Note that you can specify criteria for both whitelists and blacklists in the same file. You are required to provide the merchant ID assigned by ecommpay at the stage of integration for each criterion (if necessary, this identifier can be found in the Payments list—add the Merchant column using the register builder).

    You can find the file requirements with the template and a file sample below.

  2. Open the form for adding criteria in bulk.
    1. Go to the B/W List subsection of the Risks section.
    2. Click the Manage lists button on the left of the filter panel (if the button does not show, click the button on the right of the filter panel).
    3. Go to the Mass adding tab.
  3. Upload the file with the list of criteria to add.

    You can either drag the file or use the Browse button to upload it. After the file has been uploaded, click Apply to add the criteria.

    If any of the fields is filled in incorrectly, the corresponding error message is shown. Correct the errors in the file, reupload it, and click Apply again.

  4. Make sure that the criteria have been added.

    A notification that the adding request was sent successfully should be shown. You can also verify that the criteria have been added to the criteria list in the B/W List subsection.

Figure: Adding criteria using the file



File upload requirements

To prepare the file, you can use the template available for download on Dashboard or here. Having downloaded the template, you can fill it in any CSV file editor, for example, Microsoft Excel. Each file used for adding criteria in bulk must meet the following requirements:

  • The data files must be uploaded in CSV format, and the character encoding must be UTF-8 without BOM (Byte Order Mark).
  • The file size cannot exceed 128 MB.
  • The first row must contain the names of parameters. The order of parameters can be random.
  • The subsequent rows must contain values of target parameters. Specifying values for optional parameters is not required.
  • If operation parameters are specified in strings (not in the table format), parameter values in each row must be separated by a semicolon (";"). In addition, the fields without values are separated by semicolons in the same way as the fields with values, and two or more ";" characters can follow one another, for example:


    If you use Microsoft Excel to create and prepare the file, use a different editor, for example Notepad, to check it for errors.

Available parameters

When adding data to files, you can use the following parameters.

merchant_id
integer, required

Merchant identifier assigned by ecommpay at the stage of integration.
Example: 644

project_id
integer, required

Project identifier assigned by ecommpay at the stage of integration. It identifies the project to which the added criterion applies. When the IP address of the customer is added, the ID of any merchant project can be specified.
Example: 1020

list_type
string, required

List type. The value can be whitelist or blacklist.
You can specify criteria for both whitelists and blacklists in the same file.
Example: whitelist for the whitelist

category
string, required

Category of the criterion:

  • email—email address of the customer
  • customer_id—the customer ID
  • pan—card number of the customer
  • bin—bank identification number
  • ip—IP address of the customer


When the ip category is used, the criterion is added to the lists applicable to all projects of the merchant, regardless of the specified project ID.
Example: email

value
string, required

Value of the criterion.
Example: joe.doe12@sunmail.com for email

reason
string, optional

The reason of adding a certain criterion.
Example: The customer requests a refund for each purchase
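A pre-upload check of a bulk file against the requirements and parameter definitions above, as an added example (not ecommpay's own tool; the sample file content is constructed, while the 644/1020 identifiers and the example email are the page's own sample values):

```python
"""Pre-upload validator for the bulk whitelist/blacklist CSV described above.

Added example, not ecommpay's tool. It applies the requirements listed on this
page: UTF-8 without BOM, 128 MB limit, semicolon-separated rows, a first row
with parameter names in any order, required/optional fields, and the allowed
list_type and category values. SAMPLE is constructed.
"""
import csv
import io
from typing import Dict, List

REQUIRED = ("merchant_id", "project_id", "list_type", "category", "value")
OPTIONAL = ("reason",)
LIST_TYPES = {"whitelist", "blacklist"}
CATEGORIES = {"email", "customer_id", "pan", "bin", "ip"}
MAX_BYTES = 128 * 1024 * 1024
UTF8_BOM = b"\xef\xbb\xbf"


def _field(row: List[str], index: Dict[str, int], name: str) -> str:
    """Value of parameter `name` in `row`, or "" when the column is absent or empty."""
    pos = index.get(name)
    return row[pos].strip() if pos is not None and pos < len(row) else ""


def validate_bw_csv(data: bytes) -> List[str]:
    """Return human-readable problems; an empty list means the file passes."""
    errors: List[str] = []
    if data.startswith(UTF8_BOM):
        errors.append("file starts with a UTF-8 BOM; save it as UTF-8 without BOM")
        data = data[len(UTF8_BOM):]
    if len(data) > MAX_BYTES:
        errors.append("file size exceeds 128 MB")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return errors + [f"file is not valid UTF-8: {exc}"]

    # Empty fields are delimited by ';' like any other, so csv handles ';;' runs.
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    if not rows:
        return errors + ["file is empty"]
    header = [name.strip() for name in rows[0]]
    missing = [name for name in REQUIRED if name not in header]
    if missing:
        return errors + [f"first row lacks required parameters: {', '.join(missing)}"]
    index = {name: pos for pos, name in enumerate(header) if name}

    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, e.g. a trailing newline left by an editor
        for name in ("merchant_id", "project_id"):
            val = _field(row, index, name)
            if not val.isdigit():
                errors.append(f"line {lineno}: {name} must be an integer, got {val!r}")
        list_type = _field(row, index, "list_type")
        if list_type not in LIST_TYPES:
            errors.append(f"line {lineno}: list_type must be whitelist or blacklist, got {list_type!r}")
        category = _field(row, index, "category")
        if category not in CATEGORIES:
            errors.append(f"line {lineno}: unknown category {category!r}")
        if not _field(row, index, "value"):
            errors.append(f"line {lineno}: value is required")
        # reason is optional, so an empty reason field is fine
    return errors


# Constructed sample: two valid rows followed by two rows with deliberate mistakes.
SAMPLE = (
    "merchant_id;project_id;list_type;category;value;reason\n"
    "644;1020;whitelist;email;joe.doe12@sunmail.com;\n"
    "644;1020;blacklist;ip;198.51.100.9;Repeated chargebacks\n"
    "644;;blacklist;customer_id;;\n"
    "abc;1020;greylist;phone;x;\n"
).encode("utf-8")


if __name__ == "__main__":
    for problem in validate_bw_csv(SAMPLE):
        print(problem)
```

Run it on the exported file before uploading; the line numbers in the messages match the row numbers shown by a text editor such as Notepad.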

Deleting criteria

You can delete criteria included in the whitelists and blacklists in the Risks section. Keep in mind that they should be deleted one by one.

  1. To go to the Criteria subsection, click the B/W Lists button in the Risks section.
  2. Find the record you need using filters if necessary.
  3. To delete the record, click the button in the corresponding line.
  4. Make sure that the record has been deleted from the list.