If you really care about your customer you should be worried about false positive. I hope as a business you do not cancel customer orders because your fraud detection system has flagged them.
Depending on your scale you may using 3rd parties like Sift science, Stripe Radar or Roll your own fraud detection system.
Flagging orders as potential fraud is the easier part these days. The difficult part is how to come up with a process to verify these flagged orders. This process need to be simple and quick. Because essentially you are saying to your customer we think you are a fraud and can you prove that your not.
Banks merchant checks to verify flagged orders is extremely cumbersome. They require you to call a special phone number (which is different for each bank) provide customer Name, Billing Address, Billing Phone and Credit Information. Then they can only give you a response whether it is a match or not. They can't tell you whether it has been reported stolen or anything else for privacy reason. At scale this is a very time consuming process. It becomes even more cumbersome if you are security conscious business and do not store customer credit card information. In that case you have to communicate with the customer asking them to call you to provide your credit card information again.
There are solutions like 3D Secure but they are not widely supported and adds its own problems. It is high time credit card companies start providing merchant with a 2nd factor check for transaction. For example maybe once a transaction is placed with a merchant. They can trigger a 2nd factor check where by the bank automatically send a code to their email/phone number on file. If the customer is able to provide a correct code merchant can proceed with the order.
Fraud detection will always remain a point of contention between customer and businesses. I just hope business make sensible decision based on their situation. For example I have seen legitimate customer with all the above cases mentioned in the article.
The OP has written extensively about this subject in the past, and I get the sense that he is intimately aware of the risk of false positives, however catching a high volume of fraud could for him literally be the difference between staying in business and not. His fraud tolerance is going to be much much lower than a large vendor.
Reading all of these issues I'm really flabbergasted that you have such issues. Like, my bank offers me temporary non-physical credit cards with small limits for 1€/month/piece and that's what I use to do all my online purchases with, do US banks really not have that option? Second thing that I often use (where possible) wire transfer, it requires my ID-card and the payment is done in seconds.
This thread has honestly made me really appreciate what I have available to me compared to some countries.
Very few banks have that option, and the ones that do are bordering on user hostile, and the temporary cards don't have usable/tolerable features for this.
A wire costs $50-100 (or more for international) per transaction, no matter what the amount.
> For example maybe once a transaction is placed with a merchant. They can trigger a 2nd factor check where by the bank automatically send a code to their email/phone number on file. If the customer is able to provide a correct code merchant can proceed with the order.
That is not what 3dsecure provides ? with 3d secure, I receive a code from my through SMS, I then transmit this code to the payement processor.
Depending on your scale you may using 3rd parties like Sift science, Stripe Radar or Roll your own fraud detection system.
Flagging orders as potential fraud is the easier part these days. The difficult part is how to come up with a process to verify these flagged orders. This process need to be simple and quick. Because essentially you are saying to your customer we think you are a fraud and can you prove that your not.
Banks merchant checks to verify flagged orders is extremely cumbersome. They require you to call a special phone number (which is different for each bank) provide customer Name, Billing Address, Billing Phone and Credit Information. Then they can only give you a response whether it is a match or not. They can't tell you whether it has been reported stolen or anything else for privacy reason. At scale this is a very time consuming process. It becomes even more cumbersome if you are security conscious business and do not store customer credit card information. In that case you have to communicate with the customer asking them to call you to provide your credit card information again.
There are solutions like 3D Secure but they are not widely supported and adds its own problems. It is high time credit card companies start providing merchant with a 2nd factor check for transaction. For example maybe once a transaction is placed with a merchant. They can trigger a 2nd factor check where by the bank automatically send a code to their email/phone number on file. If the customer is able to provide a correct code merchant can proceed with the order.
Fraud detection will always remain a point of contention between customer and businesses. I just hope business make sensible decision based on their situation. For example I have seen legitimate customer with all the above cases mentioned in the article.