Security solution that significantly reduces the fraud of cosmetics e-commerce sites

Company A, a major cosmetics brand that has introduced PG Multi-Payment Service, was suffering from credit card fraud that did not decrease even after various measures such as the introduction of 3D Secure and Security Code. Therefore, we introduced one of the anti-fraud solutions provided by GMO Payment Gateway, "Fraud Prevention Service (Sift)". While significantly reducing the workload of fraud countermeasures, we were able to reduce transactions using fraud credit card information to less than 100,000 yen, which had reached 3 million yen per month at most. In this article, we will introduce the effects and operation methods after introduction along with the voices of the marketers of Company A.

Credit cards that did not decrease despite multiple measures fraud

Cosmetics brand A, which will introduce a fraud prevention service (​Sift) on its official e-commerce site from 2021, has approximately 1 million registered members and sells approximately 3 billion yen annually, mainly skin care products.

As the sales of the e-commerce site grew, Company A was troubled by the increase in credit card fraud. Around​ ​2020, an average of about 50 fraud occurred in one month. When an item becomes a hot topic on social media or during overseas gift seasons, when sales increase, the fraud also increases, and there were 150 card fraud of 3 million yen in the most months.

The "Credit Card Security Guidelines", which is a practical guideline for credit card information protection and fraud measures under the Installment Sales Act, stipulates that merchants whose credit card fraud amount exceeds 500,000 yen for three consecutive months are considered "fraudulent merchants", and multiple fraud We are asking for the introduction of countermeasures. Company A also received a request from an acquirer (credit card merchant contract company) for fraud measures through the GMO Payment Gateway (hereinafter referred to as GMO-PG). In addition to implementing 3D Secure and Security Code, we created our own list of shipping addresses from the past fraud and checked the delivery address for all transactions, but we were unable to reduce credit card fraud.

Fraud prevention service (SIFT) is introduced to improve accuracy through machine learning

In the fall of 2020, when I consulted with the person in charge of GMO-PG because the number of fraud had increased, one of the solutions introduced as "credit card fraud countermeasures that can be introduced with Link Type Plus (Link Type payment)" was a fraud prevention service (Sift).​

▼Overview of Linked payment

The Anti-Fraud Service (Sift) transmits information other than credit card information such as purchased products entered on the e-commerce site, address, and email address entered on the e-commerce site, as well as page transitions, time spent on each page, etc., without modifying the linked payment pages provided by GMO-PG​. How transactions are scored to discover deals that are likely to be fraud credit cards. By providing feedback on the judgment results, there is no need for humans to set rules or tune them, and machine learning can improve accuracy.

"It is a basic premise that it can be used with Link Type Plus, but we decided to introduce it after evaluating the fact that the price was reasonable compared to the comparable solution and that there was no need to use human labor because machine learning improved accuracy​."​​​​ The first meeting was held in a month, and the requirements were defined the following month. In late March 2021, we started test operations.​​

Reducing checking and operation man-hours and drastically reducing credit card fraud

During the operation training period of about one month after the introduction, we operated the operation without setting up transaction decisions based on scores to determine the fraud of credit cards, and had the fraud prevention service (SIFT) proceed with machine learning. Because fraud trends vary from site to site, setting the appropriate threshold will also vary from site to site. During the operational training period, Sift's technical personnel will review the status of transactions and scores in the customer environment, and provide accompanying technical assistance to consider threshold setting and operation methods through trial and error. "At first, it was difficult to decide how to set the threshold, but with the advice of the technical staff at Sift, we solved the problem," said a marketing manager at Company A.

Since May​ ​2021, the number of credit card fraud has been visibly reduced by setting thresholds to automatically block transactions with high scores. "We don't want to cause inconvenience to our customers, so we set the threshold for automatic blocking a little higher, but it still has the effect of preventing fraud."​​

The introduction of the Fraud Prevention Service (SIFT) has greatly reduced the man-hours required to check the shipping address at the time of shipment. Previously, all transactions were checked against a uniquely created blacklist of shipping addresses and the shipment of those transactions was stopped. After the introduction of the Fraud Prevention Service (SIFT), it was limited to transactions subject to visual inspection, significantly reducing the number of man-hours checked. "The deadline for sending same-day shipment destination instruction data to the warehouse is 10: 30 a.m. Previously, even if we started checking at 8: 30 a.m., we could not meet the deadline, but this has disappeared since the introduction of the Anti-Fraud Service (Sift)​." Company Marketer)

In daily operations, we machine learn fraudulent transactions by a fraud prevention service (Sift) based on fraudulent transaction information and delivery suspension information received from GMO-PG. "If the number of transactions increases, such as during the overseas gift season or when the limit on the number of products is relaxed, the number of fraud cases will also increase, but if you let the fraud prevention service (SIFT) learn, it will be able to prevent it immediately.​​​

In addition to the introduction of fraud prevention service (Sift), we continue to take measures such as suspending connections from overseas IP addresses, and since the beginning of 2022, the average number of card fraud transactions has been less than 10 per month, and the amount has increased from 2 ~30,000 yen to 10 even in months with a large amount of 10​ It has decreased to about 10,000 yen. "We have not received a single inquiry or complaint from our customers related to the introduction of the Fraud Prevention Service (SIFT), such as difficulty in using or judgment errors.​ The credit card fraud has also decreased, and I feel that the effect is well worth the cost."​

Use with EMV 3-D Secure for even greater safety

In ​October2022, international credit card brands ended their traditional 3Dsecure services. Merchants who had previously used 3D Secure were required to switch to the successorEMV 3-DSecure (3DSecure2.0).Company A's e-commerce site has also switched to EMV 3-D Secure since September 2022 and is being used in conjunction with the Anti-Fraud Service (Sift).​

As for the procedure for determining and trading when using the Anti-Fraud Service (Sift) and EMV 3-D Secure at Company A, the judgment is first based on the score of the Anti-Fraud Service (Sift), and the transaction with a high score is automatically blocked by Credit card payment. For all other transactions, you will be redirected to the payment page on the GMO-PG website, where you can enter your credit card information and your transaction information will be securely linked to EMV 3-D. EMV 3-D Secure makes a risk assessment based on transaction information, approving frictionless transactions if safe and rejecting transactions if they are dangerous. If you can't say either, ask for additional authentication in challenge mode.

Compared to conventional 3D Secure, which requires additional authentication for all transactions, EMV 3-D Secure is said to have the advantage of reducing the risk of falling out of the cart during the transaction because it can be traded without friction for safe transactions as a result of risk determination.

▼ Combined use of Fraud Prevention Service (Sift) and EMV 3-D Secure in link-type payment

The advantage of using Anti-Fraud Service (Sift) and EMV 3-D Secure together is that the score can block transactions even for credit card numbers that have not registered an additional authentication factor with the credit card issuer (issuer), i.e., do not have a 3D Secure password. ​One of the weaknesses of 3D Secure was that there were few card users who registered their passwords, and in that case, they had no choice but to operate without applying 3DSecure.3D Secure uses risk-based judgments, but it is said that it is difficult to apply it to all transactions at this time. By using it in conjunction with the Anti-Fraud Service (Sift) to block transactions with higher scores first, you can reduce fraud even for credit cards that can't be authenticated with EMV 3-D Secure.

Another benefit is that the Anti-Fraud Service (SIFT) can determine whether to make or reject a transaction based on the merchant's criteria. EMV 3-D Secure risk-based authentication is determined by the credit card issuer (issuer) based on the "likelihood that the credit card is being fraudulently used (risk)", and merchants cannot intervene in the criteria for approving or rejecting transactions. On the other hand, since the Fraud Prevention Service (SIFT) score can judge fraudulent transactions according to the characteristics of the site, it is possible to block transactions such as "the same product has been repeatedly purchased at the same shipping address in a short period of time and is suspected of being resold" based on the merchant's standards. "EMV 3-D Secure has just been introduced, so we will continue to scrutinize its operation in conjunction with the Fraud Prevention Service (Sift) with support from now on," said Company A's marketing manager.

"As an e-commerce site for cosmetics brands, we want to increase sales with plans that differentiate ourselves from stores. We will continue to work on credit card fraud measures so as not to betray our customers," said a marketing representative from Company A. For this reason, even after the implementation of EMV 3-D Secure, we continue to have high expectations for fraud prevention services (SIFT).