
Protect your SaaS platform from fraud losses

April 4, 2024

Embedded payments can bring a lot of benefits to vertical SaaS platforms, including increased revenue, increased engagement, and reduced churn.

But wherever there’s payment processing, there’s also fraud.

Is your platform protected?


Why worry about fraud

No one thinks about fraud until they’ve been hit by it. In the payments honeymoon phase, most platforms think fraud won’t happen to them.

After falling victim for the first time, there’s a temptation to overcorrect. This might include holding reserves, delaying payouts, and instituting more stringent underwriting requirements.

None of these methods are wrong. But if they’re applied with a heavy hand, they can be irritating to buyers who just want to pay an invoice and disastrous for merchants who rely on timely payouts – both of which are bad for platform growth.

As a platform matures, it’s essential to implement precise fraud prevention methods that identify and halt potential fraud while allowing legitimate payments to flow without friction.

This isn’t something you have to do by yourself. You’ve partnered with a payment provider because you don’t want to take on the regulatory and operational burden of being a payments company. And your payment provider should help you navigate fraud prevention.

This article outlines what SaaS platforms need to know about credit card fraud, and how to work with your payment provider to minimize fraud.


Types of fraud

Broadly speaking, there are two types of credit card fraud: stolen cards and “friendly” fraud. Stolen cards are exactly what they sound like – bad actors making purchases with stolen credit card numbers. Friendly fraud, in contrast, is when a cardholder makes a purchase and receives the goods or services, but then disputes the transaction to avoid paying.

SaaS platforms with embedded payments can be targets for both. This post explains stolen cards and friendly fraud, as well as fraud prevention best practices for SaaS platforms.

Table summarizing the four types of credit card fraud. Card testing, card cashing, and merchant fraud are perpetrated by a bad actor with stolen card numbers. Friendly fraud is perpetrated by the authorized cardholder.

Preventing the use of stolen credit card numbers

In order to prevent fraud, we need to understand how it works. 

A significant portion of stolen credit card numbers are already deactivated by the time a bad actor obtains them. This means that, before a bad actor can make a payment, they first need to identify the small percentage of stolen card numbers that are still usable. This process is called “card testing”.

When a bad actor has a list of stolen card numbers that they know to be usable, they will attempt to extract value from the card number. There are two common approaches. First, they can use the stolen card number to make a purchase and sell the purchased item for cash. Alternatively, they can enroll themselves as a merchant, and use the stolen card to purchase imaginary goods or services from themselves.

The next three sections describe each scenario in more detail, along with the applicable fraud prevention best practices.

Card testers test stolen card numbers at scale to determine which numbers are usable. Card cashers and fraudulent merchants start with a list of known-good card numbers. Card cashers use stolen card numbers to purchase goods and then sell the goods for cash. Fraudulent merchants open merchant accounts and then pay themselves using stolen card numbers.

Card testing

Card testers are attackers who have obtained thousands of stolen card numbers. They need to quickly and cheaply figure out which numbers are already deactivated and which can still be used to make payments. The quickest and cheapest method is to attempt low-ticket purchases from a merchant or platform that is already online and that they have no relationship with.

Card testers also need to differentiate a true decline from a risk decline. A true decline comes from the card issuer and means the card cannot be used to make a payment. A risk decline means the payment provider's (or the platform's) fraud controls have caught them and are automatically declining all their attempts; the cards behind those attempts might still be usable elsewhere.

Despite the small ticket size, card testing can have dire consequences for merchants and platforms. The transactions that are approved will likely be disputed to return the money to the cardholder, and the merchant or platform owes fees for every transaction and every dispute. If the dispute rate is high enough, card networks may assess penalties as well.

Card testers start with a large list of stolen card numbers. They attempt small transactions to identify usable card numbers, resulting in a short list of known-good card numbers.

How SaaS platforms can prevent card testing

The first step to preventing card testing is understanding how likely your platform is to be a target. Card testing is a repetitive process, so card testers are less likely to target a platform where they can only make one payment per invoice created, or where they need to log in to make a payment. Instead, they tend to target platforms where they can attempt a large number of small payments without logging in. Card testers often target donation-based platforms where they can choose the payment amount. 

For platforms that are likely targets, one way to reduce risk is to make sure the decline reason is not exposed to the payer: return the same generic message for every failed payment, whether it was an issuer decline or a risk decline, and keep the specific reason in internal logs for your operations team. Since card testers need to distinguish true declines from risk declines, withholding that information makes the platform a less attractive target.

Lastly, ask your payment provider what steps they take to prevent card testing. For example, Rainforest’s transaction monitoring includes velocity checks specifically designed to detect card testing, and our vertical-specific risk management procedures enable us to apply more stringent transaction monitoring to platforms that are at a higher risk for this type of fraud.
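The two controls above, a velocity check over authorization attempts and a decline message that hides the real reason from the payer, look like this in practice. This is an added example, not Rainforest's transaction monitoring; the record layout, the source fingerprint (client IP), the thresholds and the sample attempts are all constructed for illustration.

```python
"""Card-testing velocity check over a batch of authorization attempts, with the
decline reason masked before it is shown to the payer.

Added illustration, not Rainforest's transaction monitoring. The record layout,
thresholds and sample attempts are constructed; a real deployment would read
attempts from the payment provider's webhook or report feed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int                # seconds since epoch (constructed values below)
    source: str            # payer fingerprint: client IP or device id (assumed available)
    pan_hash: str          # one-way hash of the card number; the PAN itself is never stored
    amount_cents: int
    processor_result: str  # what the processor/issuer returned, e.g. "approved", "do_not_honor"


# Thresholds are assumptions for the example; tune them per platform.
WINDOW_SECONDS = 600       # sliding window length
MAX_DISTINCT_CARDS = 5     # more distinct cards than this from one source in the window is suspicious
SMALL_TICKET_CENTS = 500   # card testers keep amounts small to avoid attention

PAYER_DECLINE_MESSAGE = "Your payment could not be completed. Please try another payment method."


def find_card_testers(attempts, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_CARDS,
                      small_ticket=SMALL_TICKET_CENTS):
    """Return the set of sources that cycled through more than `max_distinct`
    distinct cards, all small-ticket, inside any `window`-second span."""
    by_source = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_source[a.source].append(a)

    flagged = set()
    for source, rows in by_source.items():
        start = 0
        for end in range(len(rows)):
            # advance the window start until the span fits in `window` seconds
            while rows[end].ts - rows[start].ts > window:
                start += 1
            span = rows[start:end + 1]
            distinct_cards = {r.pan_hash for r in span}
            if len(distinct_cards) > max_distinct and all(r.amount_cents <= small_ticket for r in span):
                flagged.add(source)
                break
    return flagged


def respond(attempt, risk_declined):
    """Return (internal_reason, payer_message).

    The internal reason keeps the real outcome for operations and dispute work.
    The payer sees one generic message for every non-approval, so a tester
    cannot tell a true (issuer) decline from a risk decline.
    """
    if risk_declined:
        return "risk_decline:card_testing_velocity", PAYER_DECLINE_MESSAGE
    if attempt.processor_result == "approved":
        return "processor:approved", "Payment accepted."
    return f"processor:{attempt.processor_result}", PAYER_DECLINE_MESSAGE


# Constructed sample. 10.0.0.7 cycles through eight cards in a few minutes at
# $1-$3 (card testing); 203.0.113.5 is a buyer retrying with a second card after
# an issuer decline; 198.51.100.9 uses several cards but hours apart.
SAMPLE_ATTEMPTS = [
    AuthAttempt(1000 + 30 * i, "10.0.0.7", f"h{i:02d}", 100 + 25 * i,
                "approved" if i in (2, 5) else "do_not_honor")
    for i in range(8)
] + [
    AuthAttempt(5000, "203.0.113.5", "hA0", 12000, "insufficient_funds"),
    AuthAttempt(5045, "203.0.113.5", "hA1", 12000, "approved"),
] + [
    AuthAttempt(20000 + 6000 * i, "198.51.100.9", f"hB{i}", 450, "approved")
    for i in range(6)
]


def run_sample():
    """Apply the check to the constructed batch and shape every response."""
    testers = find_card_testers(SAMPLE_ATTEMPTS)
    return {
        "flagged_sources": testers,
        "responses": [respond(a, a.source in testers) for a in SAMPLE_ATTEMPTS],
    }


if __name__ == "__main__":
    result = run_sample()
    print("flagged:", sorted(result["flagged_sources"]))
    for internal, payer in result["responses"]:
        print(f"{internal:40s} -> {payer}")
```

Only the source that burns through many distinct cards in a short span is flagged; the buyer who retries with a second card and the source whose cards are spread hours apart are left alone, which is the precision the article asks for. Note that the internal reason and the payer-facing message are returned separately so the real decline code never reaches the checkout page.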

Card cashing

Card cashers are attackers with a smaller list of known-good cards. Their goal is to turn those cards into money.

Card cashers purchase goods or services from a platform or merchant that they have no relationship with, then sell the goods or services for currency. They target purchases that have durable value, are not tied to the purchaser’s real-world identity, and can be resold before the fraud is caught. This type of fraud is depicted in the 2022 film “Emily the Criminal”.

Merchants can suffer significant losses due to disputes on orders that have already been fulfilled.

Card cashers start with a list of known-good card numbers. They use the stolen card numbers to purchase goods and then sell the goods for cash.

How SaaS platforms can prevent card cashing

Card cashers tend to target digital goods and high-value products with quick delivery timelines. Platforms selling cryptocurrency, in-game currencies, virtual gift cards, and high-value consumer electronics are particularly vulnerable.

For platforms selling high-value goods, card cashing can be discouraged by requiring purchasers to authenticate with 3DS (3-D Secure), sending the billing zip code for address verification (AVS) and the card verification value (CVV) with every authorization, and using Level 2 data where applicable. AVS and CVV results only help if you act on them: a checkout that accepts a payment despite a CVV mismatch gets no fraud benefit from collecting the code. Level 2 data mainly improves interchange on commercial cards; the fraud-prevention benefit comes from 3DS, AVS and CVV.

As with card testing, it’s important to understand your payment provider’s risk management practices. At Rainforest, we work with each platform to make sure you’re collecting the right transaction data to reduce fraud and optimize interchange rates. We also offer 3DS. 

Merchant fraud

Merchant fraud is a variation on card cashing. Instead of trying to use some other business’ existing payment flow and selling the goods, these bad actors instead try to get approved to process payments themselves. Once approved, they enter the stolen card numbers into their own checkout flow. Their goal is to get a deposit for the card payments and run away with the money before the disputes get filed and the payment processor tries to claw back the money.

Fraudulent merchants aim to get approved for payment processing with minimal information or using a stolen identity, so it can’t be traced to them. Their goal is to take a large number of high-dollar-value payments and receive the funds into their bank account as quickly as possible. 

This type of fraud can be particularly damaging to platforms because it’s nearly impossible to recover losses from fraudulent merchants. And many payment providers hold the software platform liable for these losses.

How SaaS platforms can prevent merchant fraud

Fraudulent merchants generally look for low-friction ways to sign up for payments, where they don’t need a pre-existing relationship with the platform and don’t need to provide much information. Platforms that allow merchants to self-onboard and collect only the minimum required information are therefore at higher risk than platforms that require more information, or require merchants to interact with sales or onboarding personnel, before they can process payments.

Rainforest also helps prevent fraudulent merchants by working with each platform client to determine the unique, industry-specific characteristics of a legitimate merchant on their specific platform. This allows us to quickly approve legitimate merchants while flagging potential fraud. We also require that merchants provide a valid Social Security Number (SSN).

Because Rainforest is responsible for merchant underwriting, we take on liability for merchant losses that cannot be collected from the merchant.
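A fraudulent merchant's signature is a newly onboarded account that immediately pushes far more volume, or far larger tickets, than it declared at underwriting. The example below holds a payout only when that happens, rather than delaying every new merchant's first payout. It is an added example, not Rainforest's underwriting or payout logic; the underwriting fields (declared monthly volume, declared average ticket, identity check result), the thresholds and the sample merchants are all constructed.

```python
"""Targeted payout hold for newly onboarded merchants whose early processing
does not match what they declared at underwriting.

Added illustration, not Rainforest's underwriting or payout logic. The
underwriting fields, thresholds and sample merchants are constructed; the
point is that only the anomalous new merchant is held, so a legitimate
merchant that processes as declared is paid on schedule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantProfile:
    merchant_id: str
    onboarded_day: int                  # day number in a simple day counter (constructed)
    declared_monthly_volume_cents: int  # expected monthly volume given at onboarding (assumed field)
    declared_avg_ticket_cents: int      # expected average ticket given at onboarding (assumed field)
    identity_verified: bool             # identity check (e.g. SSN) passed (assumed field)


@dataclass(frozen=True)
class Payment:
    merchant_id: str
    day: int
    amount_cents: int


# Assumed thresholds; tune per vertical.
NEW_MERCHANT_DAYS = 30   # heightened monitoring period after onboarding
VOLUME_MULTIPLE = 3.0    # actual volume may exceed prorated declared volume by this factor
TICKET_MULTIPLE = 5.0    # a single payment may exceed the declared average ticket by this factor


def payout_decision(profile, payments, today):
    """Return ("release", []) or ("hold", [reasons]) for one merchant's pending payout."""
    reasons = []
    if not profile.identity_verified:
        reasons.append("identity not verified")

    age_days = today - profile.onboarded_day
    own = [p.amount_cents for p in payments if p.merchant_id == profile.merchant_id]
    if age_days <= NEW_MERCHANT_DAYS and own:
        # Prorate the declared monthly volume to the merchant's age, so a
        # merchant three days in is compared with 3/30 of a month, not a full month.
        expected = profile.declared_monthly_volume_cents * max(age_days, 1) / 30
        actual = sum(own)
        if actual > VOLUME_MULTIPLE * expected:
            reasons.append(f"volume {actual} exceeds {VOLUME_MULTIPLE}x prorated declared volume {expected:.0f}")
        largest = max(own)
        if largest > TICKET_MULTIPLE * profile.declared_avg_ticket_cents:
            reasons.append(f"ticket {largest} exceeds {TICKET_MULTIPLE}x declared average {profile.declared_avg_ticket_cents}")

    return ("hold" if reasons else "release", reasons)


# Constructed sample: a lawn-care merchant processing as declared, a "merchant"
# that onboarded two days ago and immediately pushed six large payments, and an
# established merchant with a genuinely busy day.
PROFILES = {
    "m_lawn": MerchantProfile("m_lawn", onboarded_day=100, declared_monthly_volume_cents=500_000,
                              declared_avg_ticket_cents=5_000, identity_verified=True),
    "m_new": MerchantProfile("m_new", onboarded_day=103, declared_monthly_volume_cents=500_000,
                             declared_avg_ticket_cents=5_000, identity_verified=True),
    "m_old": MerchantProfile("m_old", onboarded_day=-200, declared_monthly_volume_cents=500_000,
                             declared_avg_ticket_cents=5_000, identity_verified=True),
}

PAYMENTS = (
    [Payment("m_lawn", 101 + i, 4_000 + 500 * i) for i in range(5)]
    + [Payment("m_new", 104, 90_000) for _ in range(6)]
    + [Payment("m_old", 104, 90_000) for _ in range(6)]
)


def decide_all(today=105):
    """Run the payout decision for every profile; returns {merchant_id: (decision, reasons)}."""
    return {mid: payout_decision(p, PAYMENTS, today) for mid, p in PROFILES.items()}


if __name__ == "__main__":
    for mid, (decision, reasons) in decide_all().items():
        print(mid, decision, *reasons, sep=" | ")
```

The established merchant with the same large payments is released because it is outside the new-merchant window; that is deliberate, since its volume history rather than its underwriting declaration is the right baseline there, and a separate rule would cover it.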


Friendly fraud

Where the previous sections addressed bad actors trying to extract value from stolen credit card numbers, there’s another type of fraud in which the payment is actually made by the cardholder.

This is called “friendly fraud”. It happens when a cardholder uses their card to buy goods or services and receives the promised good or service, but then files a false dispute to avoid paying for it.

Friendly fraud is common in ecommerce where there is very low trust between the consumer and the merchant. The consumer doesn’t have a personal relationship with the merchant, so they are less likely to feel guilty for filing a false dispute and more likely to do it. 

Friendly fraud is also common in high-ticket services where it’s difficult to prove that the service was actually performed.

Since friendly fraud accounts for an estimated two-thirds of all credit card fraud, it’s the most common type of fraud for platforms to contend with.

Authorized cardholders commit friendly fraud when they make a purchase, receive the purchased goods or services, then file a false dispute to avoid paying.

How SaaS platforms can prevent friendly fraud

Platforms can mitigate the risk of friendly fraud by collecting additional information on every transaction (for example the payer’s IP address and device, the AVS and CVV match results, the customer’s acceptance of terms of service, and delivery or service-completion confirmation) so that, in the event of a dispute, that evidence is readily available and can be submitted as part of the dispute response.

In an industry with higher rates of friendly fraud, platforms benefit from working with a payment provider who offers an easy, self-service method for responding to disputes and submitting supporting documentation.

Lastly, if the rate of friendly fraud is high enough to warrant it, platforms can add 3DS to authenticate purchasers as part of the transaction. Successful 3DS authentication shifts liability for fraud-coded chargebacks (“I didn’t authorize this”) to the card issuer, but it doesn’t cover disputes filed as goods not received or not as described, and it adds friction at checkout, so weigh it against the abandonment it may cause.

Summary

Fraud prevention requires collaboration between the SaaS platform and payment provider. 

Vertical SaaS platforms shouldn’t have to be experts in payment risk management in order to benefit from embedded payments. That’s why Rainforest works closely with our clients to customize the risk model for each platform. We’ll make platform-specific recommendations to reduce risk, and we use custom data from each platform to refine the transaction monitoring decisions for that platform. 

Our goal is to let the legitimate transactions flow through unimpeded while catching the fraudulent ones, because we know how important it is for merchants to get paid. And we’re so confident in our vertical-specific underwriting model that we take on liability for merchant losses that can’t be recovered from the merchant.


Next Steps

1. Find out who’s liable

Check your agreement with your payment provider – who’s liable for fraud losses? Make sure you understand the limitations. For example, some payment providers say they cover fraud losses, but consider card testing losses to be out of scope.


2. Understand your risk

Determine if your platform is likely to be targeted for specific types of fraud.

Can buyers make small purchases or donations, without logging in? If so, the platform may be at increased risk for card testing.

Can buyers purchase higher-ticket items that are easy to resell and difficult to trace – such as consumer electronics and used tires? If so, the platform may be at increased risk for card cashing.

Can merchants onboard without talking to anyone or verifying their identity? If so, the platform may be at increased risk for merchant fraud.

Do buyers make online purchases from merchants they don’t have a long-term relationship with? If so, the platform may be at increased risk for friendly fraud.


3. Talk to your payment provider

Once you’ve identified the most likely types of fraud on your platform, ask your payment provider what they do to prevent that specific type of fraud. Ask your payment provider if there are other types of fraud you should specifically be concerned about, and what risk reduction measures they recommend.

If your payment provider can’t answer these questions, or isn’t working with your team to proactively minimize fraud, it may be time to explore other options.
