[Editor’s Note: The following is a guest post by PayPal’s Peter Martin, who has managed the Risk consulting teams for the company’s Merchant Services, Debit Card and Credit business units, working with both large merchants and the digital goods merchant segments. Before joining PayPal, Peter managed risk for Wells Fargo Bank, Consumer Deposits Group and Barclays Global Investors.]
As a merchant, there’s a lot to like about the selling of virtual goods. The category is exploding, and projected to reach $1.6 billion this year in the US, according to the Inside Virtual Goods report. According to the research firm Forrester, 15 percent of U.S. consumers purchased software and games online to play on their PCs, and 8 percent purchased games to play on their mobile phones.
But while digital goods is a fast-growing business that is wide open to innovation, the reality of selling online is that, like any business, it carries some level of risk. For digital goods, a faster sale/delivery cycle gives the bad guys a faster getaway, and a “borderless” customer base can attract a global community of fraudsters. In addition, digital goods merchants are often newer to the market and less experienced in combating fraud.
Digital goods vendors generally face three kinds of threats: account takeover, stolen financials and “not-so-friendly fraud.”
The good news is that many of the best practices used in curbing online fraud work well for digital goods merchants, too. The situations and economics are different, but the approach is similar: be aware of the vulnerabilities and act to prevent them.
Account takeover tends to harm the user experience and the reputation of your brand. Here, a customer’s user name and password are compromised, and their account is taken over. The perpetrator logs in and starts transacting, buying goods and selling them on the open market. Virtual currencies make it easy for third parties to facilitate the exchange. It all happens very fast, typically with the help of a scripting language.
The first bar of prevention is stronger password authentication. The higher bar is a better understanding of each user’s behavior. If I only log into my account at home or work, a login from a different machine should attract some attention—and some challenge questions. The same is true if my IP address would indicate I live in North America but appear to be logging in from Iceland, or if my usual browser is set to American English but this one is set to Cyrillic. There are several such signals, all of which can be used to better secure the login.
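One way to turn the behavioral signals above (device, IP country, browser locale) into a login risk score that triggers step-up challenges, as an added example that is not part of the original post; the weights, the threshold and the sample profile are assumptions:

```python
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set    # device fingerprints seen on prior successful logins
    home_country: str     # country inferred from the user's usual IP addresses
    usual_locale: str     # Accept-Language the user's browser normally sends


@dataclass
class LoginAttempt:
    device_id: str
    ip_country: str       # from a geo-IP lookup of the connecting address
    locale: str           # Accept-Language header of this request


def login_risk(profile, attempt):
    """Score a login against the user's established behaviour.

    Each deviation adds weight (weights are assumptions); the reasons list
    gives the analyst or the step-up screen something concrete to show.
    """
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 2
        reasons.append("unrecognised device")
    if attempt.ip_country != profile.home_country:
        score += 3
        reasons.append(f"login from {attempt.ip_country}, usually {profile.home_country}")
    # Compare only the language part, so en-US vs en-GB is not a mismatch
    if attempt.locale.split("-")[0] != profile.usual_locale.split("-")[0]:
        score += 1
        reasons.append(f"browser locale {attempt.locale}, usually {profile.usual_locale}")
    return score, reasons


def decide(score, challenge_at=3):
    """Below the threshold the login proceeds; at or above it the user gets
    challenge questions or a second factor before any transaction is allowed."""
    return "challenge" if score >= challenge_at else "allow"


# Constructed sample profile: two known devices, normally in the US with a US-English browser
SAMPLE_PROFILE = UserProfile({"dev-home", "dev-work"}, "US", "en-US")
```

A single unknown device (score 2) is allowed but logged, while a foreign IP or an unknown device plus a foreign locale crosses the threshold and is challenged.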
Compared with account takeover, which is restricted to your existing customers, stolen financial information casts a much wider net. Here, the fraudster sets up a “legitimate” account using stolen information, purchases virtual goods, then turns those purchases into real-world cash. This cycle, too, relies on scripting to speed up the process.
Typically after the legitimate cardholder reports the fraudulent transaction, the merchant will refund the money. But because the markup on digital goods is so high and the unit costs so low, digital goods vendors routinely tolerate a level of chargebacks that would sink a vendor selling jewelry or electronics.
The solution: be extra vigilant in verifying credit card information by using the Address Verification System, which matches the billing address provided by the customer with the one on file with the credit card company. Even better, require entry of the Card Security Code found on the back of the card. Most stolen card data on the Internet still doesn’t include that number. A third layer of protection is a NAP check: validating a customer’s name, address, and phone number, which can then be cross-checked with the customer’s IP location.
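The three layers described above (AVS, Card Security Code, NAP-vs-IP consistency) combined into one pre-authorization decision, as an added example that is not from the original post; the decision policy, the booleans standing in for the gateway's AVS response codes, and the small dialing-code table are assumptions:

```python
# Constructed: country calling codes for the handful of countries in the sample data
DIAL_CODE_COUNTRY = {"+1": "US", "+44": "GB", "+354": "IS"}


def phone_country(phone):
    """Map an E.164 phone number to a country via its calling code (longest match first)."""
    for code in sorted(DIAL_CODE_COUNTRY, key=len, reverse=True):
        if phone.startswith(code):
            return DIAL_CODE_COUNTRY[code]
    return None


def card_risk(avs_street_match, avs_zip_match, csc_match,
              billing_country, phone, ip_country, review_at=2):
    """Layered card check; returns (decision, reasons).

    Layer 1: AVS result (street and ZIP, as reported by the gateway).
    Layer 2: Card Security Code match; stolen card data usually lacks it,
             so a mismatch is declined outright.
    Layer 3: NAP check, cross-checking phone and billing country against
             the customer's IP location.
    Two or more weak signals (review_at, an assumption) send the order to manual review.
    """
    if not csc_match:
        return "decline", ["card security code mismatch"]
    reasons = []
    if not (avs_street_match and avs_zip_match):
        reasons.append("AVS partial or no match")
    pc = phone_country(phone)
    if pc != billing_country:
        reasons.append(f"phone country {pc} differs from billing country {billing_country}")
    if ip_country != billing_country:
        reasons.append(f"IP located in {ip_country}, billing address in {billing_country}")
    return ("review" if len(reasons) >= review_at else "accept"), reasons
```

A single inconsistency (say, a traveller buying from abroad) is accepted but returned as a reason for logging, so the threshold can be tightened from order history.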
The industry calls the third threat “friendly fraud,” but for merchants, it doesn’t seem all that friendly. Not-so-friendly fraud is usually buyer’s remorse. A player gets wrapped up in a game, spends $200 and then wakes up the next day with a financial hangover. Instead of vowing to live a more sober online life, he denies making the charge. That’s the usual scenario. Variations include a child using a parent’s credit card, or a malicious player buying digital goods with the intent of later denying it. Because chargeback rules were designed for physical goods, people can abuse the system, knowing that most digital goods vendors won’t take the time to push back.
Whatever the form, not-so-friendly fraud is a growing threat for social networks. The best solution is a combination of fraud scoring and community negative files. Fraud scoring analyzes a merchant’s own internal data to determine the likelihood that any given transaction is fraudulent. For example, a game operator could determine from usage data the average velocity of a sword purchase, and then identify outliers—purchases that are well outside that norm. Community negative files are shared intelligence between vendors, so that a fraudster’s history begins to follow him or her from merchant to merchant.
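The sword-purchase velocity idea above, worked through on constructed data, as an added example that is not part of the original post; it goes a step beyond the text by using a median/MAD baseline (so the outliers do not inflate their own norm) and by also flagging the evenly spaced bursts that betray a script rather than a player. Thresholds and the sample data are assumptions:

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: (account_id, seconds into a 24-hour window) for sword purchases.
# "bot7" buys ten swords 20 seconds apart; everyone else buys a few over the day.
SAMPLE_SWORD_PURCHASES = [
    ("u1", 100), ("u1", 40000), ("u2", 500), ("u2", 9000), ("u2", 80000),
    ("u3", 2000), ("u4", 30000), ("u4", 31000),
] + [("bot7", 1000 + 20 * i) for i in range(10)]
WINDOW_HOURS = 24


def velocities(purchases, window_hours):
    """Purchases per hour, per account, over the observed window."""
    counts = Counter(acct for acct, _ in purchases)
    return {acct: n / window_hours for acct, n in counts.items()}


def velocity_outliers(vel, k=3.0, min_spread=0.01):
    """Accounts whose rate exceeds median + k * MAD of the community.

    Median and median absolute deviation are robust: a handful of scripted
    accounts cannot drag the baseline up the way mean/stddev would.
    min_spread stops every account being flagged when all rates are identical.
    """
    values = list(vel.values())
    med = median(values)
    mad = max(median(abs(v - med) for v in values), min_spread)
    return {acct: v for acct, v in vel.items() if v > med + k * mad}


def scripted_bursts(purchases, max_gap=30, min_run=5):
    """Accounts with >= min_run consecutive purchases <= max_gap seconds apart."""
    by_acct = defaultdict(list)
    for acct, ts in purchases:
        by_acct[acct].append(ts)
    flagged = set()
    for acct, times in by_acct.items():
        times.sort()
        run = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            if run >= min_run:
                flagged.add(acct)
                break
    return flagged
```

Flagged accounts are candidates for a hold or manual review before delivery, and, once confirmed, for the shared negative file.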
Securing Your Site
Best practices only work if you implement them. Merchants we work with have reduced fraud by purchasing risk mitigation services from third-party vendors or by developing their own in-house. Stamping out fraud is part of PayPal’s DNA as well, and you will see more safety measures from us in the future.
PayPal maintains a microsite for digital goods vendors, including links to a best practices guide and a list of partners, as well as information on micropayments for digital goods.