Ecommerce can sometimes feel like the Wild West. The unfortunate reality is that fraud costs the ecommerce industry billions of dollars a year worldwide.
Here at Toggle, we do everything we can to help protect you against it.
What is going on?
There are two cases:
Friendly fraud. A customer purchases something online and then requests a chargeback. This is known as ‘friendly fraud’ (though it isn’t very friendly!) and is a case of customers abusing the chargeback process.
Identity theft. This is where criminals use stolen credit cards to purchase goods and services online. For Togglers, this means a gift card could be purchased using a stolen credit card, then sold on or used. Then the owner of the credit/debit card realises and a chargeback is issued.
Why is it a problem?
In both cases, the end result for Togglers is the issuance of a chargeback. This will appear in your Stripe account as a dispute. The chargeback request comes from the payment card issuer, along with a £15 (at the time of writing) fee, which is deducted from your Stripe balance.
Disputes mean time spent dealing with them all, and chargeback fees mounting up. If Stripe deems your account high risk, they may also withhold some of your balance to cover the cost of these disputes. This makes it harder to predict when gift card sale takings will be deposited into your bank account.
And on top of all that, you don’t really want to sell gift cards to fraudsters!
What Toggle does for you
When 3D Secure is used, your customers are asked during checkout to verify their identity with their bank before completing a purchase. By default, Toggle has configured Stripe to request 3D Secure authentication for all payment cards that support it. Currently, this service is provided by Visa under the name of ‘Verified by Visa’ and by MasterCard under the name of ‘MasterCard SecureCode’. When 3D Secure is used, the liability for the chargeback shifts away from you, the merchant.
However, it doesn’t stop all fraudulent chargebacks, because not all payment card issuers participate in 3D Secure.
Address & CVC checks
Toggle collects billing address details as well as the CVC from all payments and passes these to Stripe. This allows the card issuer to verify the billing address against the one registered to the payment card, so that possible fraudulent purchases can be detected and rejected. You can also use the built-in Stripe Radar tool to reject cards that don't have postcode/zip verification available via the issuing bank. If you haven't already done this, read more in our set-up guide under "additional recommended settings".
But sometimes criminals have all the address and CVC details for a stolen card too. And it certainly doesn’t help you with ‘friendly fraud’.
What else can you do about it
Stripe Radar for Fraud Teams
At this point, we have to hand over to Stripe. Stripe have recognised chargebacks as a problem and have an additional product called Radar for Fraud Teams that you can deploy.
Switch on Radar for Fraud Teams under Settings.
Stripe Radar is a combination of their own machine learning, which will detect suspicious payments and block them, and a set of additional manually configured rules, which allow you to block payments or place them into review.
Once switched on, you should make sure you have some common rules configured to block the most common attempts. Try these for starters:
If you continue to have issues, you can add a rule which will reject all cards that don’t support 3D Secure, protecting you completely from chargebacks:
Block if :card_3d_secure_support: = 'not_supported'
Or reject all cards from a certain country, for instance.
If you want to check how adding a rule would have affected your previous customer payments, you can use the 'Test Rule' button before applying the rule. Stripe's interface also gives you a commentary on whether their system thinks the rule is too harsh or too lenient.
Head on over to Stripe Radar to configure your rules. Their support team will also be able to help you get set up if you are unsure of how to use the rules.
Handling payments that go into review
When one of your Radar rules (e.g. an elevated fraud risk) is triggered and a payment goes into review as a result, Toggle will keep both you and the purchaser informed. You will receive an email letting you know a payment has gone into review:
Additionally, your purchaser will not receive a receipt email and will instead receive an email notification:
For payments in review, no order will be created until you manually approve the payment.
At this point, the purchaser will receive their normal receipt and the order will be created. If you choose not to honour the order and refund it instead, the purchaser will receive a notification to let them know.