Risk management

Restriction: This section describes the Dashboard interface. To learn how to access this interface if you already use Old Dashboard, the previous version of the interface, see Getting started.

Introduction

The development of commerce goes hand in hand with the development of financial fraud, and e-commerce is no exception. One of the most widespread types of fraud in this sphere occurs when payment card information is compromised and the perpetrator poses as the cardholder. Other types of fraud are becoming more common as well — both for cards and for other payment instruments.

To counteract fraud, payment systems and other parties instrumental in payment processing — issuers, providers, and merchants — employ a comprehensive set of measures. First and foremost, these measures are used to perform two types of checks:

  • Authentication of customers and their payment instruments which includes using the 3‑D Secure authentication protocols, Address Verification Service, and other similar tools.
  • Validation of payments based on their parameters which includes checking whether the parameters match the whitelists and blacklists and various rules as well as conducting different kinds of risk analysis and assessment.

With the ECommPay payment platform, you have full access to these checks in order to reduce the risk of fraud. For fraud detection and prevention,

  • Make sure your web service is set up to work efficiently with the customer authentication solutions. For instance, in case of 3‑D Secure 2 the use of the challenge flow can be set as preferable for each processed payment, while in case of the AVS check address information can be specified in the initial request, which allows performing verification without the involvement of the customer. In addition, when 3‑D Secure protocols are used, the issuer bears financial responsibility for processing fraudulent payments (while it is waived for other parties). This also allows preventing chargebacks with the reason code fraud. Smart use of these capabilities ensures a high level of both fraud protection and payment acceptance rates.
  • Make sure that the payment validation rules are set up and maintained. They should be used together with the rules of other parties (ECommPay, payment systems, and issuers) and should ensure payments are screened efficiently. Together with the ECommPay specialists, determine restrictions and rules specific to a given project which will be used in the payment platform and can be updated whenever necessary. In addition to such rules, you can compile your own whitelists and blacklists which will factor in the payment processing by the payment platform.
  • Monitor cases of detected fraud and declined payments. When necessary, be available to respond and take part in the review sessions of special cases with the ECommPay specialists following which correct the settings already in use. This can be achieved both by using Dashboard capabilities and by contacting your account manager and technical support specialists.

The Dashboard interface allows you to compile your own whitelists and blacklists as well as monitor fraud cases detected by ECommPay and payment systems. This section combines a brief overview of risk management in general with the description of procedures that can be performed using Dashboard.

General process

Overview

The process of financial fraud prevention can be characterised as follows.

First of all, this process is multilayered. It involves different stakeholders—merchants, providers, payment systems, and issuers—and each of them is responsible for fraud prevention at their level in respect to the payments they handle. It also involves different tools, some of which can be commonly used by several parties (for example, 3‑D Secure authentication) while others are specific to each party (for example, whitelists and blacklists). Utilising these tools consistently ensures multi-step filtering of operations and efficient overall performance.

Secondly, this process implies that two-way communication predicated on feedback is expected between all stakeholders. Thus, if a certain operation is established to be fraudulent after it has been processed and finalised, this information is brought to the attention of all parties involved and allows modifying the countermeasures intended to prevent similar operations at different levels.

Thirdly, at each of these levels the process can be presented as an iterative cycle with four steps—setup, monitoring, response, and analysis.



Thus, financial fraud prevention can be presented as a system of interlinked actions which repeat cyclically at different levels.

The main steps of this process—setup, monitoring, response, and analysis—are described in the sections that follow, focusing on the aspects that are useful and relevant for merchants.

Setup

Authentication

The payment platform supports a range of auxiliary procedures for customer authentication such as the 3‑D Secure authentication, authentication on merchant's request, and the Address Verification Service. Moreover, to ensure efficient authentication, certain additional capabilities can be useful—for instance, collecting and submitting additional customer data.

As a rule, if the interaction with the platform takes place through Gate, the integration with the web service may require additional changes and modifications, while if the Payment Page is used, everything is performed in the payment platform and does not involve the web service at all. To learn more about auxiliary procedures, see Gate; to learn more about additional capabilities, see the Gate and Payment Page sections.

In order to work efficiently with these tools, merchants should:

  1. Determine capabilities and procedures that need to be maintained for specific projects.
  2. If necessary, ensure that target capabilities and procedures are supported by the web service.

To learn more about combining procedures and capabilities as well as their implementation and setup, contact your account manager and technical support specialists.

Validation

When payments are validated, their parameters are checked in the platform against various rules which can be common for all payments or specific for payments of individual merchants and their projects. First and foremost, this applies to whitelists and blacklists—they can be used both by merchants and by ECommPay.

In order to work efficiently with these tools, merchants should:

  1. Together with the ECommPay specialists determine rules and restrictions applicable to specific projects.
  2. Compile their own whitelists and blacklists which can be viewed and edited in Dashboard and which are going to be used in the platform together with other rules.

To learn more about configuring validation rules and working with whitelists and blacklists, including transferring such lists from other systems, contact your account manager and risk management specialists.

Monitoring

Before operations are processed in the ECommPay payment platform, they need to be validated. During the validation process, the parameters of each operation are checked against the predefined rules, and the operation is automatically deemed one of the following:

  • Fraudulent—if any parameter of the operation is blacklisted or the risk of executing this operation (based on all its parameters) is considered high. In this case, the operation is declined, and the ECommPay payment platform sends the web service a final callback with the operation status decline and the error code (the comprehensive list of such error codes and their description is available in the section RCS codes).
  • Suspicious—if it is not possible to reach a definitive conclusion regarding the risks associated with the execution of the operation after the predefined algorithms were used, and additional evaluation is required. In this case, the operation is processed while the ECommPay specialists additionally review the operation and decide whether it is trustworthy or fraudulent. Then, if necessary, they report their findings to the merchant's employees for further assessment. Following the review by the specialists, different measures can be taken, including issuing a refund and updating the blacklist.
  • Trustworthy—if any parameter of the operation is whitelisted or the risk of executing this operation (based on all its parameters) is considered low. In this case, the operation is executed.
Restriction:

It is important to keep in mind that such risk assessment prioritises whitelists over blacklists and risk scores. For instance, a certain operation can have a number of parameters which may seem suspicious or even be blacklisted, but if at least one parameter is whitelisted, the operation can be deemed trustworthy. Therefore, whitelists should be approached with maximum caution.

Risk monitoring does not stop after risks have been initially assessed by the merchant and ECommPay: if ECommPay approved an operation, it does not exclude the possibility this operation is going to be flagged by other parties involved in payment processing. Likewise, the approval of the operation by all parties involved does not exclude the possibility of detecting fraud retrospectively. In such cases, the information about the fraud attempts and cases detected by other parties is reported to ECommPay, and then, by the ECommPay specialists to the merchant's employees. Moreover, the merchant can monitor the execution of operations and learn about declined or fraudulent operations using Dashboard (more details below) and in any unusual situation should email the ECommPay risk management team.

Response

The merchant's response is based on the assessment of the risks associated with the operation execution and whether the operation is deemed fraudulent after it has been processed and finalised. If the response is efficient, it can significantly impact the success rates of fraud prevention and doing business as a whole.

Cases when the merchant's response is needed include the following:

  • The operation is rejected as fraud by ECommPay. In this case, reviewing the reason of rejection (by examining the callback or using Dashboard) is recommended. If necessary, the following response is due:
    • Update the blacklist—if the operation is definitely fraudulent and it is possible to identify a condition for blocking similar operations in the future (for example, a phone number of the customer).
    • Update the whitelist—if it is certain that the operation is trustworthy, albeit characterised by the unusual behaviour of the customer, and it is possible to identify a condition for confirming reliability of similar operations in the future.
    • Contact the ECommPay specialists—if there are any questions regarding the operation processing.
    • Initiate the operation again—if it is applicable to the given user scenario and (following the update of the whitelist or the approval by the ECommPay specialists) it is clear that the rejection of the operation is not going to be repeated.
  • The operation is flagged as suspicious by ECommPay. In this case, analysing the reason and the nature of suspicions is recommended. If necessary, contact the customer for clarification as well as the ECommPay specialists—to coordinate the required course of action following which necessary measures should be taken. This may involve issuing refunds and updating whitelists and blacklists.
  • The operation has been approved by ECommPay, but is flagged as fraudulent by the other party. In this case, reviewing the reason of rejection (by using Dashboard or by contacting the ECommPay specialists) is recommended. If necessary, the following response is due:
    • Update the blacklist—if the operation is definitely fraudulent and it is possible to identify a condition for blocking similar operations in the future.
    • Initiate the operation again with the updated or expanded list of parameters—if the reason of rejection does not prevent a retry and it is certain that the operation is trustworthy, and it was declined due to incorrect or incomplete data.
  • The operation has been processed and finalised, but is deemed fraudulent retrospectively. In this case, revising criteria which were used to flag the operation (by using Dashboard or by contacting ECommPay support specialists) is recommended. If necessary, the blacklist should be updated and the customer affected by fraud should be compensated.

In any unusual case, contact the ECommPay risk management team.

Analysis

To ensure efficient payment processing—with high levels of conversion rates and fraud prevention, merchants should analyse the overall performance on a regular basis. It includes evaluating the ratio of correct and incorrect payment rejections, identifying additional criteria for whitelists and blacklists, determining whether ECommPay should introduce changes to the procedures of customer authentication and operation validation rules, and so on. All aspects of fraud prevention require constant scrutiny, not in the least because fraud patterns in e-commerce continue to develop as perpetrators attempt to circumvent current countermeasures.

To learn more about analysing risk management efficiency, contact your account manager.

Monitoring fraudulent operations

Dashboard allows you to monitor information about attempts and cases of fraud detected by ECommPay and payment systems. Use the payments list in the Payments section (which contains information about all payments) and the fraud register in the Risks section (which contains information about operations flagged as fraud by payment systems). You can use standard filtering tools (learn more) when working with these registers as well as payment information tabs which specify details of individual payments and all operations initiated within them (to open the payment information tab, click the row of the payment you need in the list). Access to fraud information is limited by a separate permissions set and, by default, is granted to user accounts with the Risks and Merchant Admin roles.

Figure: Payments list



Figure: Fraud register in the Risks section



When working with payments lists and fraud register, consider the following:

  • Information in registers and payment information tabs is shown with a time lag which can take up to several minutes. In addition, automatic data refresh is not supported.
  • Payment systems report detected fraud to the payment platform twice a day: before 10:00 and 18:00 UTC+3, which is why you are recommended to monitor this information after the indicated times.
  • The fraud register can contain several records about the same operation with different update dates—when the information about this operation is included in several reports from the payment systems.
  • The number and the order of columns in the registers can be customised which means that with the appropriate set of permissions the registers can be arranged according to individual needs.

To monitor information about the relevant operations, you need:

  1. Go to the required section: Payments or Risks.
  2. Find the operation you need using filters if necessary.
  3. In the Payments list, operations declined by ECommPay as high risk can be found by the payment status decline and the service response status code (such codes include 402 and the codes from RCS). Operations flagged as fraudulent by other parties can be found by using the fraud indicator (also available as a filter).
  4. Verify the information you need, directly in the list or in the payment information tabs.

    In the fraud register and the Fraudulent payments information located in the payment information tab, you can view the details of the fraud for a certain operation.



Using whitelists and blacklists

Overview

When operations are validated, their parameters are checked in the platform against various rules, including whitelists and blacklists. These lists can be common for all merchants or specific to an individual project of the merchant.

  • Whitelist is a list of criteria matching any of which indicates that an operation is trustworthy.
  • Blacklist is a list of criteria matching any of which flags an operation as fraudulent.
Restriction:

Keep in mind that whitelists have higher priority than blacklists. Thus, if parameters of a certain operation are blacklisted, but at least one parameter is whitelisted, the operation is deemed trustworthy. However, matching the criteria in the whitelist does not exclude the possibility that the operation can be declined following AML (Anti-Money Laundering; matching the person included in the sanctions list) and Compliance (matching the country in the prohibited country list) checks.
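The precedence described here and in the Monitoring section (any whitelisted parameter beats any blacklisted one, which in turn beats the risk score) is easy to state and easy to get wrong in practice. The following Python example is added here to make it concrete; it is not ECommPay code and does not reproduce the platform's actual scoring. The numeric thresholds HIGH_RISK and LOW_RISK, the Operation structure, the list values and the operations are all constructed for the illustration. Beyond the page's text, it also includes a preview check that reports which currently declined or suspicious operations would become trustworthy if a given criterion were whitelisted, which is the question to answer before approving a whitelist addition.

```python
from dataclasses import dataclass

# Verdicts the validation step can produce, as described on this page
FRAUDULENT = "fraudulent"
SUSPICIOUS = "suspicious"
TRUSTWORTHY = "trustworthy"

# Hypothetical score thresholds: the page only says the risk is "high" or "low"
HIGH_RISK = 0.8
LOW_RISK = 0.2

# A list is modelled as {category: set of values}, using the criterion
# categories of the bulk-upload file (email, customer_id, pan, ip)
Criteria = dict[str, set[str]]


@dataclass
class Operation:
    op_id: str
    params: dict[str, str]   # parameter values keyed by criterion category
    risk_score: float        # hypothetical 0..1 score from the risk analysis


def list_hits(criteria: Criteria, params: dict[str, str]) -> list[tuple[str, str]]:
    """All (category, value) pairs of the operation that appear in the list."""
    return sorted((c, v) for c, v in params.items() if v in criteria.get(c, set()))


def assess(op: Operation, whitelist: Criteria, blacklist: Criteria) -> tuple[str, str]:
    """Return (verdict, reason) with the documented precedence: a single
    whitelisted parameter wins over any blacklisted ones and over the score."""
    wl = list_hits(whitelist, op.params)
    if wl:
        return TRUSTWORTHY, f"whitelisted {wl}"
    bl = list_hits(blacklist, op.params)
    if bl:
        return FRAUDULENT, f"blacklisted {bl}"
    if op.risk_score >= HIGH_RISK:
        return FRAUDULENT, f"risk score {op.risk_score:.2f} is high"
    if op.risk_score <= LOW_RISK:
        return TRUSTWORTHY, f"risk score {op.risk_score:.2f} is low"
    return SUSPICIOUS, f"risk score {op.risk_score:.2f} needs manual review"


def preview_whitelist_entry(category: str, value: str, ops: list[Operation],
                            whitelist: Criteria, blacklist: Criteria) -> list[str]:
    """Ids of operations whose verdict would change to trustworthy if
    (category, value) were whitelisted. Run this before approving a whitelist
    addition: it shows exactly which blacklist hits the entry would override."""
    proposed = {c: set(v) for c, v in whitelist.items()}   # copy, do not mutate the live list
    proposed.setdefault(category, set()).add(value)
    flipped = []
    for op in ops:
        before, _ = assess(op, whitelist, blacklist)
        after, _ = assess(op, proposed, blacklist)
        if before != TRUSTWORTHY and after == TRUSTWORTHY:
            flipped.append(op.op_id)
    return flipped


# Constructed sample lists and operations (all values made up; 203.0.113.0/24
# and 198.51.100.0/24 are documentation address ranges)
WHITELIST: Criteria = {"customer_id": {"vip-0042"}}
BLACKLIST: Criteria = {"ip": {"203.0.113.7"}, "email": {"joe.doe12@sunmail.com"}}
OPERATIONS = [
    Operation("op-1", {"customer_id": "vip-0042", "ip": "203.0.113.7"}, 0.95),  # whitelisted AND blacklisted
    Operation("op-2", {"customer_id": "c-17", "ip": "203.0.113.7"}, 0.10),      # blacklisted only
    Operation("op-3", {"customer_id": "c-18", "ip": "198.51.100.5"}, 0.50),     # no list hits, middling score
    Operation("op-4", {"customer_id": "c-19", "ip": "198.51.100.6"}, 0.05),     # no list hits, low score
]

if __name__ == "__main__":
    for op in OPERATIONS:
        print(op.op_id, *assess(op, WHITELIST, BLACKLIST))
    print("whitelisting ip 203.0.113.7 would flip:",
          preview_whitelist_entry("ip", "203.0.113.7", OPERATIONS, WHITELIST, BLACKLIST))
```

op-1 is the case the restriction warns about: its IP is blacklisted and its score is high, yet the whitelisted customer ID makes it trustworthy. The example does not model the AML and Compliance checks mentioned above, which can still decline an operation that matches the whitelist.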

Dashboard allows you to manage criteria of whitelists and blacklists applicable both to your specific projects and to all of your projects. The Risks section includes the B/W list subsection which allows you to do the following:

  • View the list of criteria, using filters, if necessary.
  • Add new criteria, one by one or in bulk.
  • Delete criteria, one by one only.

Adding risk assessment criteria is also possible using payment information tabs. However, keep in mind that in this case you can add criteria only to blacklists and only for operations which were flagged as fraudulent by payment systems.

Capability of managing risk assessment criteria can only be accessed with a separate permissions set which, by default, is granted to user accounts with the Risks and Merchant Admin roles.

Figure: Whitelists and blacklists register



Adding criteria using payment information tabs

In the payment information tabs, you can add criteria to blacklists for individual operations—when payments within which they occurred have been flagged as fraudulent by payment systems. This is convenient when individual cases of fraud are reviewed, and it allows you to respond quickly. To add criteria:

  1. Locate the payment within which the target operation was initiated. The target operation is the one whose parameter values should be blacklisted.

    Use Search (learn more) or filters in the registers in the Payments and Risks sections.

  2. Open the payment information tab by clicking the row in the register of the selected section.
  3. Add criteria to the blacklist by doing the following:
    1. Click the Blacklist button on the right of the Payment panel.
    2. Select in the window that opens categories available for this operation (parameters whose values you need to blacklist) and identifiers of projects (to which these changes will apply). If necessary, you can make a note: it will be the same for all added criteria.
    3. Confirm adding criteria to the blacklist by clicking Apply.


    4. Make sure that the criteria have been added to the blacklist.

      Check the register with the list of criteria in the B/W List subsection.

Adding criteria using the form

In the Risks section, you can add various criteria to whitelists and blacklists using the form in the B/W List subsection. This is convenient when different cases of fraud are reviewed and analysed for determining additional criteria of risk assessment, for example, when the need to update whitelists or blacklists does not stem from processing specific operations. To add criteria:

  1. Open the form.

    Go to the B/W List subsection of the Risks section and click the Manage button on the left of the filter panel (if the button does not show, click the button on the right of the filter panel).

  2. Add the criteria.

    Select the list you need (whitelist or blacklist), specify the required criteria in the target fields, and click Apply.

    If any of the fields is filled incorrectly, the corresponding error message is shown. Correct the errors (or do not complete these fields) and click Apply again.

  3. Make sure that the criteria have been added.

    A notification that the adding request was sent successfully should be shown. You can also verify that the criteria have been added to the criteria list in the B/W List subsection.

Figure: Adding criteria to the blacklist



Adding criteria using the file

How to add criteria

If you use additional sources of information about risks, you can add various criteria to whitelists and blacklists by uploading a file. This is convenient when both whitelists and blacklists need to be updated without referencing specific operations and with no limit on how many criteria are added. To add criteria with the help of a file,

  1. Create and prepare the file with the information about criteria in the specified format.

    Note that you can specify criteria for both whitelists and blacklists in the same file. You can find the file requirements with the template and a file sample below.

  2. Open the form of adding criteria in bulk.
    1. Go to the B/W List subsection of the Risks section.
    2. Click the Manage button on the left of the filter panel (if the button does not show, click the button on the right of the filter panel).
    3. Go to the Mass adding tab.
  3. Upload the file with the list of criteria to add.

    You can either drag the file or use the Browse button to upload. After the file has been uploaded, click Apply to add the criteria.

    If any of the fields is filled incorrectly, the corresponding error message is shown. Correct the errors in the file, reupload it, and click Apply again.

  4. Make sure that the criteria have been added.

    A notification that the adding request was sent successfully should be shown. Also you can verify that the criteria have been added to the criteria list in the B/W List subsection.

Figure: Adding criteria using the file



File upload requirements

To prepare the file, you can use the template available for download on Dashboard or here. Having downloaded the template, you can fill it in any CSV file editor, for example, Microsoft Excel. Each file used for adding criteria in bulk must meet the following requirements:

  • The data files must be uploaded in CSV format and the character encoding must be UTF-8 without BOM (Byte Order Mark).
  • The file size cannot exceed 128 MB.
  • The first row must contain the names of parameters. The order of parameters can be random.
  • The subsequent rows must contain values of target parameters. Specifying values for optional parameters is not required.
  • If operation parameters are specified as text rows (not in the table format), parameter values in each row must be separated by a semicolon (";"). Fields without values are separated by semicolons in the same way as fields with values, so two or more ";" characters can follow one another, for example:


    If you use Microsoft Excel to create and prepare the file, use a different editor, for example Notepad, to check it for errors.

Available parameters

When adding data to files, you can use the following parameters.

merchant_id
integer, required

Merchant identifier assigned by ECommPay at the stage of integration.
Example: 644

project_id
integer, required

Project identifier assigned by ECommPay at the stage of integration. It identifies the project to which the added criterion applies. When the IP address of the customer is added, the ID of any merchant project can be specified.
Example: 1020

list_type
string, required

List type. The value can be whitelist or blacklist.
You can specify criteria for both whitelists and blacklists in the same file.
Example: whitelist for the whitelist

category
string, required

Category of the criterion:

  • email—email address of the customer
  • customer_id—the customer ID
  • pan—card number of the customer
  • ip—IP address of the customer


When the ip category is used, the criterion is added to the lists applicable to all projects of the merchant, regardless of the specified project ID.
Example: email

value
string, required

Value of the criterion.
Example: joe.doe12@sunmail.com for email

reason
string, optional

The reason of adding a certain criterion.
Example: The customer requests a refund for each purchase
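Because the upload form reports errors only after the whole file has been submitted, it is worth checking a prepared file locally against the requirements above before uploading it. The following Python example is added here for that purpose; it is not an ECommPay tool, and it only enforces what the page states (encoding, size, header, required columns, list_type and category values, integer identifiers). The merchant_id 644 and project_id 1020 in the sample are the page's example values; the sample rows and the criterion_scope helper, which reports that an ip criterion applies to all of the merchant's projects regardless of project_id, are constructed for the illustration.

```python
import csv
import io

# Column names and accepted values from the file requirements on this page
REQUIRED = ("merchant_id", "project_id", "list_type", "category", "value")
OPTIONAL = ("reason",)
LIST_TYPES = {"whitelist", "blacklist"}
CATEGORIES = {"email", "customer_id", "pan", "ip"}
MAX_SIZE = 128 * 1024 * 1024   # 128 MB limit
BOM = b"\xef\xbb\xbf"           # UTF-8 byte order mark, which the file must not start with


def _field(row: dict, name: str) -> str:
    # DictReader yields None for columns that a short row does not fill
    return (row.get(name) or "").strip()


def validate_criteria_file(data: bytes) -> list[str]:
    """Check a bulk-upload file against the documented requirements.

    Returns a list of human-readable problems; an empty list means the file is
    acceptable. Rows are numbered as in the file (the header is row 1).
    """
    errors = []
    if len(data) > MAX_SIZE:
        errors.append(f"file is {len(data)} bytes, limit is {MAX_SIZE}")
    if data.startswith(BOM):
        errors.append("file starts with a UTF-8 BOM")
        data = data[len(BOM):]   # keep checking so that all problems are reported at once
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return errors + [f"file is not valid UTF-8: {exc}"]

    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    header = reader.fieldnames or []
    missing = [p for p in REQUIRED if p not in header]
    if missing:
        return errors + [f"header is missing required parameter(s): {', '.join(missing)}"]
    for name in header:
        if name not in REQUIRED + OPTIONAL:
            errors.append(f"header contains unknown parameter: {name!r}")

    for n, row in enumerate(reader, start=2):
        for p in REQUIRED:
            if not _field(row, p):
                errors.append(f"row {n}: {p} is empty")
        for p in ("merchant_id", "project_id"):
            if _field(row, p) and not _field(row, p).isdigit():
                errors.append(f"row {n}: {p} must be an integer, got {_field(row, p)!r}")
        if _field(row, "list_type") and _field(row, "list_type") not in LIST_TYPES:
            errors.append(f"row {n}: list_type must be whitelist or blacklist, "
                          f"got {_field(row, 'list_type')!r}")
        if _field(row, "category") and _field(row, "category") not in CATEGORIES:
            errors.append(f"row {n}: unknown category {_field(row, 'category')!r}")
    return errors


def parse_criteria_file(data: bytes) -> list[dict]:
    """Parse a file that has already passed validation into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(data.decode("utf-8")), delimiter=";"))


def criterion_scope(row: dict) -> str:
    """Which projects a row affects: per the page, ip criteria apply to all
    projects of the merchant regardless of the project_id given."""
    if row["category"] == "ip":
        return f"all projects of merchant {row['merchant_id']}"
    return f"project {row['project_id']} of merchant {row['merchant_id']}"


# Constructed sample file: columns in an arbitrary order, with the optional
# reason column in the middle so that an empty reason yields consecutive ";".
SAMPLE_FILE = (
    "merchant_id;reason;project_id;list_type;category;value\n"
    "644;The customer requests a refund for each purchase;1020;blacklist;email;joe.doe12@sunmail.com\n"
    "644;;1020;whitelist;customer_id;cust-0001\n"
    "644;;1020;blacklist;ip;203.0.113.7\n"
).encode("utf-8")

if __name__ == "__main__":
    problems = validate_criteria_file(SAMPLE_FILE)
    print("problems:", problems or "none")
    for row in parse_criteria_file(SAMPLE_FILE):
        print(row["list_type"], row["category"], row["value"], "->", criterion_scope(row))
```

Run it against a file saved by Excel before uploading: a BOM or a non-UTF-8 encoding is reported explicitly, which is the kind of problem the page advises checking for in a plain-text editor such as Notepad.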

Deleting criteria

You can delete criteria included in the whitelists and blacklists in the Risks section. Keep in mind that they should be deleted one by one.

  1. To go to the Criteria subsection, click the B/W Lists button in the Risks section.
  2. Find the record you need using filters if necessary.
  3. To delete the record, click the button in the corresponding line.
  4. Make sure that the record has been deleted from the list.