6 steps to help prevent fraudulent payments.

Jun 29 2020 | PayPal editorial staff

You might think your ecommerce website is too small to be of much interest to online criminals. Sadly, you’d be wrong.
In 2018, small businesses in the U.S. reported losing an average of $28,313.33 to online fraud.[1] And the Federal Trade Commission reported that, from 2017 to 2018, credit card fraud increased by 24% and online shopping and payment account fraud increased by 18%.[2]

An attack like that can be very damaging. At the very least, if you accept a fraudulent payment, you could be held financially responsible for the loss. But there are steps you can take to help minimise your risk, and we’ve outlined them below.

How fraudsters operate.

Before we talk about what you can do to minimise your risk, it’s helpful to understand the common tactics fraudsters use. Online fraudsters generally rely on two methods to steal money:
  • Account takeover: You probably provide customers with accounts that store personal information, financial information, and purchase history. Fraudsters often hack into these accounts through phishing schemes. One of the most common approaches is an email sent by the fraudsters to trick your customers into revealing usernames and passwords. The fraudsters then log in to your customers’ accounts, change the passwords and make unauthorised purchases.
  • Identity theft: Although most businesses take many precautions to secure customer data, fraudsters still manage to hack into databases and steal usernames, passwords, credit card numbers, and personal information.
    Fraudsters often sell credit card numbers to other fraudsters who open accounts with online retailers and use the stolen numbers to pay for purchases. This type of fraud is difficult to detect because many people don’t check their credit card statements thoroughly — and because victims typically have no idea someone opened an online account in their names.

Managing your risk.

Although the potential for fraud is high in online transactions, that doesn’t mean you have to accept it as part of doing business online. By putting the right tools and processes in place, you can help keep your business and your customers secure – and reduce your chances of chargeback fees and lost revenue. Below are six tips to help you get started. Once you’ve checked these off, make sure to review the 12 signs of potential fraud every business should be aware of.

1. Monitor transactions and reconcile your bank accounts daily.
Nobody knows your business as well as you do. You know your biggest spenders and their buying patterns. Monitor your accounts and transactions for red flags such as inconsistent billing and shipping information, and check the physical location of your customers: tools such as PayPal’s fraud tools trace customers’ IP addresses and alert you to those from countries known as bases for fraudsters.

Also, check to see if your customers are using free or anonymous email addresses (such as Hotmail or Yahoo email addresses), as there’s a much higher incidence of fraud coming from free email service providers than from paid ones.

2. Consider setting limits.
Using your unique knowledge of your business, set limits for the number of purchases and total dollar value you’ll accept from a single customer in a day. It can help keep your exposure to a minimum should fraud occur.

3. Use the address verification system (AVS).
AVS compares the numeric parts of the billing address submitted with a credit card to the address on file at the credit card company. This is a fraud tool included in most payment processing solutions, but check with your payment processor to be sure it’s supported.

4. Require the card verification value (CVV).
You’re familiar with this three- or four-digit security code printed on credit cards. What you might not know is that PCI rules do not allow you to store the CVV along with the credit card number and card owner’s name. (That’s why it’s so effective – it’s virtually impossible for fraudsters to get it unless they’ve stolen the physical credit card.) Most processors include a tool to require CVV as part of their checkout templates. Use it.

5. Get tougher with password requirements.
Fraudsters employ sophisticated programs that can run through all the permutations of a password. It won’t take them long to crack a four-character alphanumeric password (such as “abcd”). Best practices these days call for (at least) an eight-character alphanumeric password with at least one capital letter and one special character (for example, “P0r$che9!!”). Your customers might grumble, but it’s better safe than hacked.
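As an added illustration of the policy above (not code from the original article), the check below enforces the stated requirements and compares the brute-force search space of the article’s two example passwords; the guess rate in crack_years is an assumed figure used only for comparison.

```python
import re

# The policy the article recommends: alphanumeric, at least eight characters, with at least
# one capital letter and one special character. Each rule returns True when it is satisfied.
POLICY = {
    "at least 8 characters": lambda p: len(p) >= 8,
    "at least one letter": lambda p: re.search(r"[A-Za-z]", p) is not None,
    "at least one digit": lambda p: re.search(r"[0-9]", p) is not None,
    "at least one capital letter": lambda p: re.search(r"[A-Z]", p) is not None,
    "at least one special character": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}

# Printable ASCII character classes a brute-force program has to draw from (33 = punctuation).
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def policy_failures(password):
    """Return the rules the password fails; an empty list means it meets the policy."""
    return [rule for rule, ok in POLICY.items() if not ok(password)]

def guesses_to_exhaust(password):
    """Candidates in the smallest class-based keyspace that contains the password, i.e.
    roughly how many guesses a brute-force run needs before it is certain to hit it."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return alphabet ** len(password)

def crack_years(password, guesses_per_second=1e9):
    """Worst-case brute-force time in years at an assumed (constructed) offline guess rate."""
    return guesses_to_exhaust(password) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("abcd", "P0r$che9!!"):   # the article's two examples
        print(pw, policy_failures(pw), f"{crack_years(pw):.1e} years")
```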

6. Keep your platforms and software up to date.
Make sure you’re running the latest version of your operating system (OS), as OS providers continually update their software with security patches to protect you from newly discovered vulnerabilities, as well as the latest viruses and malware.

Likewise, install and regularly update business-grade anti-malware and anti-spyware software (free, limited-feature, and consumer-strength anti-virus software is not sufficient) to prevent attacks that exploit outdated software vulnerabilities.

Note: If your site is hosted on a managed solution, such as BigCommerce, automatic security patches help ensure that any vulnerabilities are quickly resolved.

Once you’ve taken these steps, learn the 12 signs of potential fraud every business should be aware of.

Disclosure: The contents of this site are provided for informational purposes only. You should always obtain independent professional accounting, financial, IT and legal advice before making any business decision.

[1] 48% of Businesses Think They’re Not Big Enough to be Targeted for Fraud, Small Business Trends, 10 March 2019.

[2] Consumer Sentinel Network Data Book 2018 – February 2019, Federal Trade Commission, 2019.

Frequently asked questions.

What is Fraud Protection?

Fraud Protection is an integrated risk management solution that uses PayPal intelligence and advanced machine learning to help you fight fraud. It allows you to customize fraud filters based on your unique tolerance for risk and business needs, helping you to better balance chargebacks and declines.

To launch Fraud Protection, go to your App Center, then All Apps on the left.

The tool includes:
  • Dashboard: visually displays high-level information about payments, revenue, and chargebacks for a selected time period.
  • Filters: displays a list of filters along with their conditions that can be used to help approve or reject incoming payments. Changes made to filters can be tested on your historical transaction data to help you understand the impact of those changes before activating them.
What are Fraud Protection filters?

Filters are used to automatically stop fraudulent purchases and approve genuine ones. Transactions are evaluated against filters and get declined if any of the filter conditions are satisfied. A set of customized filters is provided to you out-of-the-box and is tailored for your business by considering various attributes, such as business category, average payment volume, and past chargebacks.

How do I enable/disable Fraud Protection filters?
  1. Click Filters.
  2. In the Enable column, click the toggle against the filter you want to enable or disable.
  3. Click Test to test the performance after updating the selected filter.
  4. Click Save if you want to keep the changes.
How do I edit Fraud Protection filters?
  1. Click Filters.
  2. Click Edit next to the filter you want to update.
  3. Enter values into the available boxes.
  4. Click Test to test the performance after updating the selected filter.
  5. Click Save if you want to keep the changes.
What are filter recommendations and how do I apply them?

Behind the scenes, Fraud Protection constantly learns from payments across the PayPal network and provides filter recommendations aimed at maximizing your revenue. The initial set of recommendations will take at least 45 days after you’re onboarded to appear.

  1. In the Recommendations panel, click View.
  2. Select the checkboxes for the filters you wish to update.
  3. Click Apply.
  4. Click Test to view your simulated Approvals/Rejections.
  5. Click Save to update your filters for future payments.
When reviewing the recommendations and selecting the checkboxes, you can click the dropdown arrow to view the Performance Forecast. This gives you an idea of how it will improve your fraud decisioning performance. 

You can also click Recommended Filter Update next to each individual filter if you want to review each one separately.
 
How does the filter testing feature work?

Your historical transactions are used to test filters based on the time period you select in the Time Filter. This is available on the Filters page in the upper right-hand corner. 
The filter testing feature helps to simulate filter changes over your past transactions. This doesn’t guarantee future performance of your transactions. However, because these changes apply to live transactions within 5 minutes of saving, you are required to test any changes before saving. 
 
Can I add my own filters?

The filter set provided is based on your business metrics. They’re best suited to your transactions and we don’t provide the option to create new filters as that might lead to more declines. 
 
What if I have a genuine transaction declined by Fraud Protection?

You are unable to approve a transaction that has already been declined. If you think that a similar transaction could be rejected by Fraud Protection, you may change the filter settings or even switch off the filter that you believe resulted in the rejection of that transaction. Remember to switch the filter back on once the transaction is complete.
 
What happens if I receive a dispute or chargeback that was approved by Fraud Protection?

Fraud Protection serves as an added layer of security to decline transactions that can result in potential chargebacks. If you receive a chargeback on an approved transaction, it will fall under your PayPal Terms and Conditions. PayPal is not liable for any chargebacks even after Fraud Protection is enabled. 
 
How do I disable Fraud Protection if I no longer want to use it?
  1. Click the Gear icon within Fraud Protection.
  2. Click Disable Fraud Protection.

What filters do I get with Fraud Protection?

Fraud Protection provides the following filters:

  • Transaction Risk Score 
    • Based on PayPal's machine learning risk model, this filter detects risky transactions derived from historical fraud trends seen across all transactions processed by PayPal.
  • Street Address or Postal Code does not match
    • Postcode (5- or 9-digit) or street address did not match during the AVS check. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Street Address or Postal Code not verified
    • Could not verify the street address or postal code during AVS check. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Street Address or Postal Code not provided
    • Postal code or street address was not provided. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Postal Code does not match
    • Address matches but the postal code does not match during the AVS check. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Issuing bank does not support AVS
    • AVS not supported by issuer. To use this filter, just turn it on and don't change the pre-set value/codes.
  • AVS system error
    • Transaction ineligible for address verification or edit error found in the message that prevents AVS from being performed. To use this filter, just turn it on and don't change the pre-set value/codes.
  • CVV or CSV does not match
    • The CVV provided does not match the information on file with the cardholder's bank. To use this filter, just turn it on and don't change the pre-set value/codes.
The filters below reject transactions whose count is higher than the value set on the filter. The default value is only directional; use the test feature to assess the impact:

  • Number of transactions across PayPal from the buyer's phone number in the last 1 day
  • Number of issuer declines across PayPal for the buyer's phone number in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's phone number in the last 90 days
  • Number of transactions across PayPal from the buyer's email ID in the last 1 day
  • Number of issuer declines across PayPal for the buyer's email ID in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's email ID in the last 90 days
  • Number of transactions across PayPal from the buyer's email domain in the last 1 day
  • Number of issuer declines across PayPal for the buyer's email domain in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's email domain in the last 90 days
  • Number of transactions across PayPal from the buyer's IP in the last 1 day
  • Number of issuer declines across PayPal for the buyer's IP in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's IP in the last 90 days
  • Number of transactions across PayPal from the buyer's card in the last 1 day
  • Number of issuer declines across PayPal for the buyer's card in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's card in the last 90 days
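As an added example (not PayPal’s code), the small rule engine below models how filters of this kind work: a payment is declined when any enabled filter condition is satisfied, velocity filters count earlier payments sharing the buyer’s email or card inside a trailing window, and simulate() replays historical payments in time order, like the Test feature described above. The same counting is how the per-customer daily limits suggested in step 2 of the article can be enforced. Filter names, thresholds, the AVS/CVV result labels and the sample payments are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    ts: datetime
    email: str
    card: str               # constructed token, never a real card number
    avs: str                # constructed labels: match, no_match, not_verified, unsupported, error
    cvv: str                # match or no_match
    fraud_chargeback: bool = False   # set once a fraud chargeback arrives for this payment

def prior(history, attr, txn, days, pred=lambda t: True):
    """Count earlier payments that share txn's attribute within a trailing window of days."""
    return sum(1 for t in history if getattr(t, attr) == getattr(txn, attr)
               and txn.ts - timedelta(days=days) <= t.ts < txn.ts and pred(t))

# name -> (enabled, condition); any satisfied enabled condition declines the payment, as the FAQ says
FILTERS = {
    "cvv_no_match":      (True,  lambda t, h: t.cvv == "no_match"),
    "avs_no_match":      (True,  lambda t, h: t.avs == "no_match"),
    "avs_not_verified":  (False, lambda t, h: t.avs in ("not_verified", "unsupported", "error")),
    "email_txns_1d":     (True,  lambda t, h: prior(h, "email", t, 1) > 1),   # constructed threshold
    "card_fraud_cb_90d": (True,  lambda t, h: prior(h, "card", t, 90, lambda x: x.fraud_chargeback) > 0),
}

def evaluate(txn, history, filters=FILTERS):
    # Names of enabled filters the payment trips; an empty list means approve.
    return [n for n, (on, cond) in filters.items() if on and cond(txn, history)]

def simulate(transactions, filters=FILTERS):
    """Replay history in time order (like the Test button): each payment is judged only on earlier ones."""
    out, history = {"approved": 0, "rejected": 0, "hits": {}}, []
    for t in sorted(transactions, key=lambda x: x.ts):
        hits = evaluate(t, history, filters)
        out["rejected" if hits else "approved"] += 1
        for h in hits: out["hits"][h] = out["hits"].get(h, 0) + 1
        history.append(t)
    return out

H = lambda n: datetime(2020, 6, 1, 9) + timedelta(hours=n)
SAMPLE = [  # constructed sample payments, not real data
    Txn(H(1), "b@example.com", "card-B", "match", "no_match"),        # CVV mismatch
    Txn(H(2), "c@example.com", "card-C", "match", "match", True),     # later charged back as fraud
    Txn(H(3), "c@example.com", "card-C", "match", "match"),           # same card after that chargeback
    Txn(H(4), "d@example.com", "card-D", "match", "match"),
    Txn(H(5), "d@example.com", "card-D", "match", "match"),
    Txn(H(6), "d@example.com", "card-D", "match", "match"),           # third from this email in a day
    Txn(H(7), "e@example.com", "card-E", "no_match", "match"),        # AVS mismatch
]
```

Running simulate(SAMPLE) approves 3 of the 7 payments and rejects 4, reporting one hit each for the CVV, AVS, email-velocity and card-chargeback filters; flipping the disabled avs_not_verified entry to True shows how a toggle changes the outcome for unverified AVS results.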