How to Prevent Payment Gateway Fraud
What is Payment Gateway Fraud?
Payment gateway fraud occurs when a card-not-present transaction is completed using invalid card details. Fraudsters may use stolen credit card details, undertake BIN attacks, use long lists of precisely-calculated false credit card numbers, or even take over a legitimate customer’s account - all as a means of fraudulently completing transactions.
Not only does payment gateway fraud result in merchants dispatching goods to someone whose payment will ultimately fail, it also creates substantial risk of penalties, costs, and even service disruption by downstream payment ecosystem providers: a merchant who lets too many fraudulent payments through can quickly become persona non grata with their payment partners.
This problem is not going away anytime soon. Juniper Research estimated that card-not-present fraud accounted for $38 billion in losses in the US in 2023, with that number growing to $91 billion by 2027.
Therefore, it is pivotal that merchants take this seriously and take action to prevent payment gateway fraud.
Whose Job is it to Prevent Payment Gateway Fraud?
Merchants often contract with payment processors, which take care of most of the actions involved in processing transactions, from customer detail collection through orchestrating the transfer of funds from buyer to seller. These processors often offer a range of security services that are intended to reduce the risk of payment gateway fraud. However, the processor will hold the merchant responsible if they are successfully attacked: merchants who accumulate too long a record of chargebacks, or of reversed payments to high-risk countries, may rapidly find themselves seeking new payment partners.
Merchants can also buy security services from third parties, and use them to reduce the risk that they will pass fraudulent transaction requests to their payment gateway partners. Again, while payment goes through the service provider, in the case of failure it is the merchant that must bear the cost of remediation.
Long story short, the merchant will always find themselves accountable when they suffer payment gateway fraud, and should therefore take a very active role in designing their fraud mitigation systems.
Key Payment Gateway Fraud Prevention Techniques
No merchant wants to turn away business unnecessarily, which makes payment gateway fraud mitigation an exercise in optimization rather than total prevention. The ideal mitigation system lets through as many transactions as possible without triggering penalties from payment partners, thus closing the maximum possible number of good deals.
That said, there are core prevention methods that must be considered:
- Address Verification Service (AVS) ensures the address provided matches the address associated with the card. This must be used with some discretion: a wholly unrecognized address may be a solid red flag, whereas a slight variation (say, a misspelled street name) may only suggest poor typing skills.
- Card Verification Value (CVV) or Card Security Code (CSC) checks the three- or four-digit code on the back of the card. In principle, merchants should never save the CVV/CSC, so requiring its submission for each sale protects customers against having their accounts used fraudulently.
- 3-D Secure (3DS) adds an extra step to the transaction, where the customer confirms directly with their bank that they are who they say they are. The upside to this is that the merchant receives a dedicated code, making it harder for customers to claim fraud. The downside, of course, is that this introduces friction into the buying process, potentially negatively impacting close rates.
- Transaction limits reduce the appeal of a merchant’s service to fraudsters: by setting a maximum that a single card can charge, merchants limit their exposure. Some merchants will simply put a hold on large transactions and require a direct communication with the customer before completing the transaction. This also, of course, places an impediment in front of customers who might otherwise spend more.
- Volume limits track the IP address, and potentially other system fingerprint details, of each transaction and prevent users from repeatedly trying transactions. This reduces the risk of a fraudster executing a BIN attack, or simply trying manufactured credit card numbers over and over again.
- Risk scoring separates the process of evaluating the validity of a transaction from the ability to process the transaction, and executes custom logic on the requested deal before submitting details to the payment gateway. While this can cause frustration to customers, it gives the merchant the most control over their fraud exposure.
Prevent Payment Gateway Fraud with Payment Automation
One of the trickiest elements of preventing payment gateway fraud is that it is most easily undertaken by merchants who use multiple payment processors and/or gateways. While a full-service PSP, also known as an aggregator, may provide a broad array of options, using just one represents a significant business risk, as any reduction, or pause, in service can result in a complete cessation in sales.
Taking charge of payment gateway fraud mitigation is best done by following these three simple steps:
- Use a third-party tokenization service provider like Basis Theory to securely collect and store credit card information as it is provided, or subsequently accessed, by customers.
- Build automation to evaluate the risk of fraudulence (such as using AVS, CVV/CSC, and volume limits, as noted above), and, when the deal is approved, select the right payment processor to handle the transaction.
- Use the token vault to submit the transaction to the best-suited processor. In the case of a soft decline, evaluate whether to re-submit to a different processor, or to decline the deal.
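As an added example (not the page's or Basis Theory's own code), the following Python sketches how the risk-scoring step and the processor-selection step above fit together: the AVS, CVV/CSC, transaction-limit and volume-limit checks described earlier run first, only an approved deal is routed to a processor, and a soft decline is re-submitted to the next processor while a hard decline ends the attempt. The thresholds, the Transaction fields and the processor stubs are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_AMOUNT = 500.00        # transaction limit: anything above is held (assumed threshold)
MAX_ATTEMPTS_PER_IP = 5    # volume limit per client IP (assumed threshold)

@dataclass
class Transaction:
    card_token: str        # vault token standing in for the PAN; raw card data never enters here
    amount: float
    avs_result: str        # AVS outcome: "match", "partial" or "mismatch"
    cvv_match: bool        # outcome of the CVV/CSC check submitted with this sale
    client_ip: str

class FraudScreen:
    """Risk scoring that runs before anything is submitted to a gateway."""
    def __init__(self):
        self.attempts = defaultdict(int)   # in-memory velocity counter (constructed)

    def evaluate(self, tx):
        self.attempts[tx.client_ip] += 1
        if not tx.cvv_match or tx.avs_result == "mismatch":
            return "decline"               # hard red flags: wrong CVV, wholly unrecognized address
        if self.attempts[tx.client_ip] > MAX_ATTEMPTS_PER_IP:
            return "decline"               # repeated attempts from one IP (BIN-attack pattern)
        if tx.amount > MAX_AMOUNT or tx.avs_result == "partial":
            return "hold"                  # contact the customer before completing
        return "approve"

def route(tx, processors):
    """Submit to processors in priority order; re-submit only after a soft decline."""
    for name, submit in processors:
        result = submit(tx)
        if result == "approved":
            return (name, "approved")
        if result == "hard_decline":
            return (name, "declined")      # do not shop a hard decline around
    return (None, "declined")              # every processor soft-declined

def process(tx, screen, processors):
    decision = screen.evaluate(tx)
    if decision != "approve":
        return (None, decision)            # never reaches a gateway
    return route(tx, processors)

# Constructed processor stubs standing in for real gateway clients.
def _proc_a(tx): return "soft_decline" if tx.amount > 200 else "approved"
def _proc_b(tx): return "approved"
PROCESSORS = [("proc_a", _proc_a), ("proc_b", _proc_b)]
```

A real deployment would keep the velocity counter in shared storage and fingerprint more than the IP, as the volume-limit bullet notes.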
As the ultimate responsible party for fraud passed into the payment ecosystem, it is crucial for the merchant to be fully in charge of its fraud mitigation efforts. At the same time, it is also key to ensure that each transaction is passed to the processor whose services deliver the most value, at the lowest cost, back to the merchant.