Selling Digital Goods: Stay Safe and Reap the Rewards

[Editor’s Note: The following is a guest post by PayPal’s Peter Martin, who has managed the Risk consulting teams for the company’s Merchant Services, Debit Card and Credit business units, working with both large merchants and the digital goods merchant segments. Before joining PayPal, Peter managed risk for Wells Fargo Bank, Consumer Deposits Group and Barclays Global Investors.]

As a merchant, there’s a lot to like about selling virtual goods. The category is exploding and is projected to reach $1.6 billion this year in the US, according to the Inside Virtual Goods report. According to the research firm Forrester, 15 percent of U.S. consumers purchased software and games online to play on their PCs, and 8 percent purchased games to play on their mobile phones.

But while digital goods is a fast-growing business that is wide open to innovation, the reality of selling online is that – just like any business – there exists some level of risk. For digital goods, a faster sale/delivery cycle gives the bad guys a faster getaway, and a “borderless” customer base can attract a global community of fraudsters. In addition, digital goods merchants are often newer to the market and less experienced in combating fraud.

Digital goods vendors generally face three kinds of threats: account takeover, stolen financials and “not-so-friendly fraud.”

The good news is that many of the best practices used in curbing online fraud work well for digital goods merchants, too. The situations and economics are different, but the approach is similar: be aware of the vulnerabilities and act to prevent them.

Account Takeover

Account takeover tends to harm the user experience and reputation of your brand. Here, a customer’s user name and password are compromised, and their account is taken over. The perpetrator goes online and starts transacting, buying goods and selling on the open market. Other virtual currencies make it easy for third parties to facilitate the exchange. It all happens very fast, typically with the help of a scripting language.

The first bar of prevention is better password authentication. The higher bar entails a better understanding of a user’s behavior. If I only log into my account at home or work, a login from a different machine should attract some attention—and some challenge questions. The same is true if my IP address history indicates I live in North America but I appear to be logging in from Iceland, or if my usual browser is set to American English but this one is set to Cyrillic. There are several of these identifiers, all of which can be used to better secure the login.
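The login check described above can be sketched as follows. This is an added example, not PayPal's code or anything from the original post; the class names, field names and sample values are all constructed, and the IP-to-country lookup is assumed to happen upstream.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Signals already seen on verified logins for one account (constructed)."""
    devices: set = field(default_factory=set)    # device identifiers
    countries: set = field(default_factory=set)  # ISO country of the login IP
    languages: set = field(default_factory=set)  # primary browser language tag

@dataclass
class Login:
    device_id: str
    ip_country: str       # assumed to come from an upstream geolocation lookup
    accept_language: str  # raw Accept-Language header sent by the browser

def primary_language(header: str) -> str:
    """First tag of an Accept-Language header, lowercased, q-value dropped."""
    return header.split(",")[0].split(";")[0].strip().lower() or "unknown"

def mismatches(profile: Profile, login: Login) -> list:
    """Name each of the three signals that differs from the account history."""
    found = []
    if login.device_id not in profile.devices:
        found.append("new_device")
    if login.ip_country.upper() not in profile.countries:
        found.append("new_country")
    if primary_language(login.accept_language) not in profile.languages:
        found.append("new_language")
    return found

def decide(profile: Profile, login: Login) -> tuple:
    """Allow a login that matches history; challenge on any mismatch.
    An account with no history mismatches on everything, so it is challenged."""
    reasons = mismatches(profile, login)
    return ("challenge" if reasons else "allow", reasons)

def record_verified(profile: Profile, login: Login) -> None:
    """Learn from a login only after it was allowed or passed its challenge,
    so an unverified session cannot teach the profile that it is normal."""
    profile.devices.add(login.device_id)
    profile.countries.add(login.ip_country.upper())
    profile.languages.add(primary_language(login.accept_language))

if __name__ == "__main__":
    history = Profile({"home-laptop", "work-desktop"}, {"US"}, {"en-us"})
    odd = Login("unknown-device", "IS", "ru-RU,ru;q=0.9")  # constructed sample
    print(decide(history, odd))
```

Calling `record_verified` only after a passed challenge is what lets a customer who really has travelled or bought a new machine stop being challenged on the next login.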

Stolen Financials

Compared with account takeover, which is restricted to your customers, stolen financial information casts a much wider net. Here, the fraudster sets up a “legitimate” account using stolen information, purchases virtual goods, then turns those purchases into real-world cash. This cycle also relies on a scripting language, which in turn speeds up the process.

Typically, after the legitimate cardholder reports the fraudulent transaction, the merchant will refund the money. But because the markup on digital goods is so high and the unit costs so low, digital goods vendors routinely tolerate a level of chargebacks that would sink a vendor selling jewelry or electronics.

The solution: be extra vigilant in verifying credit card information by using the Address Verification System, which matches the billing address provided by the customer with the one on file with the credit card company. Even better, require entry of the Card Security Code found on the back of the card. Most stolen card data on the Internet still doesn’t include that number. A third layer of protection is a NAP check: validating a customer’s name, address, and phone number, which can then be cross-checked with the customer’s IP location.