Roger Lester, Payments Subject Matter Expert, explores the specific risks acquirers face throughout the merchant onboarding process and shares tips on how advanced behavioral profiling can help detect fraudsters before they cause harm.
What is merchant onboarding?
Merchant onboarding describes the process merchants follow when applying for payment facilities which enable them to accept credit/debit cards as payments for their goods and services. The typical providers of these facilities would be banks or other acquirers, i.e. Worldpay.
The onboarding process is a prime target for individual fraudsters and organized criminal groups alike. Unlike data breaches which directly affect consumers, onboarding fraud rarely makes the headlines, however the negative impact for merchants can be hugely damaging.
To protect themselves from onboarding fraud, it helps merchants to start by understanding the motivation and strategies behind it.
What’s in it for fraudsters?
There are a number of reasons for fraudsters to commit onboarding fraud, but the ultimate motivation is always financial gain for the criminals, whereas the methods of attack vary. In my experience working in payments fraud management and from speaking to merchants and acquirers who are trying to tackle onboarding fraud, some of the key ways in which criminals abuse the merchant onboarding process are:
- Business format change: businesses applying for credit/debit payment services may provide incorrect information in order to ensure they receive card facilities, whereas, if they provide the correct details their application for facilities may get declined or they will have tighter controls enforced due to the perceived risk of the type of business (e.g. a business selling digital goods is perceived as higher risk than a physical goods retailer). If this activity is not discovered, acquirers not only risk supplying a merchant with services they would not normally receive, but their reputation might also suffer within the industry.
- “Bust-outs” – also known as Merchant Identity Fraud: fraudsters fill in their application for services to accept credit/debit card payments with incorrect details (such as an incorrect Average Transaction Value). They then sell goods to unknowing consumers without the intention of sending them out and then disappear (“bust-out”) before the transaction can be charged back by the consumer. In these instances, the acquirer is left with the fraud cost as they have already settled funds to the (fraudulent) merchant.
- Account Takeover: in this type of attack, a fraudster temporarily assumes the identity of a legitimate merchant, entering into an acquiring relationship for the sole purpose of committing criminal fraud.
In addition to fraudsters directly targeting acquirers, merchant onboarding fraud is often a gateway for organized gangs to facilitate mass card fraud against card issuers. This type of fraud is attractive to fraud gangs because it enables them to by-pass some of the controls which are in place to monitor new merchants, making further fraudulent activities easier. The activity is tough to detect as it is usually only picked up on after fraudulent spending begins and the cardholder has detected the fraud.
How can you reduce the risk?
To keep these types of fraud losses to a minimum, it is crucial for acquirers to identify fraudsters throughout the merchant onboarding process, particularly at the first touchpoint, which is typically the application stage.
Many existing fraud systems which rely heavily on business rules make it easy for fraudsters to take advantage of the anonymity of digital channels to bypass these systems and fly under the radar.
Luckily, we’re seeing a shift taking place in the industry, with many acquirers starting to invest in fraud systems which offer in-session monitoring, a feature that enables them to identify behavioral anomalies even at the application stage, including bot attacks, multiple applications with the same information, suspicious IP location, etc.
Advanced machine learning systems use behavioral profiling to analyze each merchant applicant’s behavior in real-time and detect anomalies at the point of application. This enables acquirers to investigate suspicious accounts as soon as an alert is raised.
In addition, fraud systems using Adaptive Behavioral Analytics can look up past alerts to check if certain details have been used in previous applications. Depending on the amount and quality of data available, a smart fraud prevention system can also use external information to flag up information given in an application and show if there is an association with other suspect activity.
Criminals are also known to “test the waters” to figure out the best way to successfully launch a fraud attack. Advanced fraud prevention systems use link analysis to find existing accounts that might be linked to new suspicious activity, ensuring that all potentially fraudulent accounts are captured.
How does Featurespace help?
Featurespace’s real-time machine learning ARIC™ Risk Hub offers all the tools you need to limit the inherent risks in merchant onboarding and protect your business from fraud attacks. ARIC Risk Hub identifies and stops organized fraud immediately. When a fraudulent account is captured, associated accounts can be spotted and closed before they cause a problem. This prevents acquirers from playing catch-up with criminals.
Roger has worked in the payments industry for more than 30 years and is a Featurespace Subject Matter Expert in Payments. Having worked both with issuers and acquirers, Roger brings his financial services industry expertise and insight to his role, ensuring that Featurespace’s ARIC™ Risk Hub enhancements match the risk management needs and requirements of acquirers, merchants and payment processors in the financial services sector.