Balancing Act

James Hunt, Associate Principal, Managed Risk Services EMEA, CyberSource

James Hunt, associate principal in CyberSource’s Managed Risk Services team, offers advice on striking the right balance between user convenience and fraud prevention for mobile payments.

Our insatiable love affair with the mobile device shows no signs of abating. With one in seven European smartphone users having completed a retail transaction on their mobile phone, according to ComScore, many organisations are embracing this lucrative new channel. But engaging with consumers through mobile devices is very different to traditional eCommerce and, as such, requires a different approach.

This is especially true when it comes to mobile payments. So, what can organisations do to make sure they get their mobile payment strategy right? I believe there are eight golden rules that can help organisations wanting to strike the right balance between making it easy for consumers to purchase and reducing the risk of fraud.

Understand consumer mobile behaviour
Historically, eCommerce transactions have been made during core business hours, but the widespread use of tablets and smartphones has seen a radical change in consumer buying patterns, with the peak buying time for these types of devices falling between 8pm and 9pm (source: ComScore).

Applying rigid fraud rules outside of normal business hours may impede your mobile strategy and needs to be assessed appropriately. Consumers now use multiple devices at home, and often switch between smartphones, tablets and PCs when purchasing goods. Once you understand your customer, you can then adapt your rules to take into account new personal habits and behaviours.

Evaluate the reliability of traditional data points
Technologies such as IP geolocation have traditionally worked well to track a consumer’s physical location at the time of a purchase, but they can become completely redundant when a mobile device is not connected to a Wi-Fi network. In this instance, the device’s location would show as the mobile operator’s, which isn’t much help if you are attempting to confirm the owner’s location.

Supplement device fingerprint data
Device fingerprinting is an incredibly useful way of identifying the PC or laptop that the purchase is being made from. It collects a range of information that can help to determine whether the customer is legitimate, including installed applications, software updates, the time zone of the device and whether things such as JavaScript are turned on for the device.

Unlike PCs and laptops, limited information can be collected from smartphones and tablets – which makes it difficult to collect the most valuable data. Ensure that you amend and adapt your fraud rules accordingly to account for this.

Collect mobile-specific data
Given the nomadic nature of mobile devices, it can be difficult to pinpoint exactly where a purchase originates from. Capturing the GPS location will certainly help when it comes to comparing details such as billing and shipping address proximities. Wherever possible try to collect GPS data to enhance your fraud screening rules.
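
One way to turn the GPS comparison described above into a screening signal, as an added example that is not CyberSource code. It assumes the billing and shipping addresses have already been geocoded to latitude/longitude, and the 50 km threshold and all function names are hypothetical.

```python
import math

EARTH_RADIUS_KM = 6371.0
NEAR_KM = 50.0  # hypothetical threshold; tune against your own order data


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def gps_proximity(gps_fix, billing, shipping, near_km=NEAR_KM):
    """Compare the device's GPS fix with the geocoded billing and shipping addresses."""
    if gps_fix is None:
        # Location not shared: report absence rather than treating it as a mismatch.
        return {"signal": "no_gps", "billing_km": None, "shipping_km": None}
    billing_km = haversine_km(gps_fix, billing)
    shipping_km = haversine_km(gps_fix, shipping)
    near = min(billing_km, shipping_km) <= near_km
    return {
        "signal": "near_known_address" if near else "far_from_both",
        "billing_km": round(billing_km, 1),
        "shipping_km": round(shipping_km, 1),
    }


# Constructed sample coordinates (lat, lon), not real customer data.
LONDON = (51.5074, -0.1278)
LONDON_EAST = (51.5155, -0.0922)
PARIS = (48.8566, 2.3522)
MADRID = (40.4168, -3.7038)

if __name__ == "__main__":
    print(gps_proximity(LONDON, billing=LONDON_EAST, shipping=PARIS))
    print(gps_proximity(MADRID, billing=LONDON_EAST, shipping=PARIS))
    print(gps_proximity(None, billing=LONDON_EAST, shipping=PARIS))
```

The "no_gps" result is kept separate so that a rule can fall back to other data points instead of scoring a missing fix as a mismatch.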

Connect device with behaviour
If possible, also capture the IMEI and UUID numbers of the mobile device (the phone’s unique identity numbers). These can be another useful tracking element to compare against addresses or credit card numbers. If you have a device that has made multiple purchases with the same card, then this can represent a much lower risk. However, a device that has attempted to use six different cards to conduct a purchase will need further investigation.
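
The device-to-card comparison described above, sketched as an added example that is not CyberSource code. The key, the verdict labels and the function names are hypothetical; the review threshold of six is taken from the article's illustration rather than being a recommended value, and identifiers are pseudonymised with a keyed hash so the link table never holds raw IMEI, UUID or card numbers.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-side secret, held outside the fraud data store.
PSEUDONYM_KEY = b"constructed-demo-key"
# From the article's illustration: six different cards on one device.
REVIEW_AT_DISTINCT_CARDS = 6


def pseudonymise(value):
    """Keyed hash of an identifier (IMEI, UUID or card number) for linking."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()


def assess_devices(attempts):
    """Return {pseudonymised device: verdict} from (device_id, card_number) attempts."""
    cards = defaultdict(set)
    attempts_seen = defaultdict(int)
    for device_id, card_number in attempts:
        device = pseudonymise(device_id)
        cards[device].add(pseudonymise(card_number))
        attempts_seen[device] += 1

    verdicts = {}
    for device, distinct in cards.items():
        if len(distinct) >= REVIEW_AT_DISTINCT_CARDS:
            verdicts[device] = "review"        # many cards tried on one device
        elif len(distinct) == 1 and attempts_seen[device] > 1:
            verdicts[device] = "lower_risk"    # repeat purchases, same card
        else:
            verdicts[device] = "neutral"       # not enough history either way
    return verdicts


# Constructed sample attempts; identifiers are placeholders, not real values.
SAMPLE_ATTEMPTS = (
    [("device-A", "card-1")] * 3
    + [("device-B", f"card-{n}") for n in range(10, 16)]
    + [("device-C", "card-2")]
)

if __name__ == "__main__":
    for device, verdict in assess_devices(SAMPLE_ATTEMPTS).items():
        print(device[:12], verdict)
```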

Incorporate mobile as part of your overall cross-channel strategy
Transactions made through mobile devices provide a goldmine of useful information. However, being able to compare these transactions alongside those from your call centre or website is where the real value lies. It can help you spot fraudsters migrating between different channels more quickly.

Take all the data available and create a set of rules specific to mobile transactions. Your mobile fraud screening should then feed into the other orders being placed across the business. This will help you to compare their mobile purchasing information against other known data (such as the website or call centre) to detect further discrepancies.

Track and monitor fraud strategies specifically for mCommerce
How do you know if you are rejecting too many orders? You can’t manage what you can’t measure. You need to be able to collect and analyse your data to make sure your rules are performing to the best of their ability. For instance, are the majority of your rejected transactions coming from mobile devices or call centre transactions? If they are from mobile devices, then perhaps your current rule set needs to be tweaked.

Accommodate consumers using multiple devices
Historically, the more changes in the data, the riskier the transaction. For instance, if a consumer makes a transaction on three or four different laptops, then further investigation should be carried out. But with consumers now using on average six devices at home (source: Oddyssey Systems), you will need to accommodate changing consumer habits. When it comes to mobile devices, you’re adding more complexity to your infrastructure. Be prepared to accommodate the plethora of devices available within your fraud screening plans.

James Hunt is associate principal in the Managed Risk Services team at CyberSource