Verifying Ecommerce Orders the Right Way

Every eCommerce shop deals with the eventual scenario of a risky customer order. There might be some red flags through past experiences, or another fraud tool alerts you about risky behavior. Usually, this happens because a customer’s velocity, IP, device, amount, or one of many other factors triggered a review for the order. At Trust Swiftly, we have seen through multiple clients that the fraud systems and rules are too strict, leading to refunds and declined sales. For many businesses, you might be better off turning off more fraud checks to increase revenue. Instead of delving into the pros and cons of ways to balance fraud and orders, we will look into cases of what to do when you believe you have a chance of eCommerce fraud.

To start, we will assume you are already past the point of outright accepting or rejecting the order. You are stuck in the middle, looking for a clue to decide the outcome of the customer. To do this, most eCommerce stores have their customer support or dedicated professional fraud review the order. Once you have reviewed the order, there is an option to verify the individual through additional friction. We will only cover post-checkout verifications as they can usually be swapped into any point of a customer’s purchase journey. There are non-additional friction methods such as 3rd party data sources; however we have found those don’t always give a clear answer. Shopify details some basic fraud verification tips. Having another data point might be enough to tip the scale into a decision about the order finally. So, what are these verification options, you might ask?

  1. ID Verifications – This is the most common we see eCommerce stores asking to complete an order. However, this is a huge ask for most e-commerce transactions. Many customers will be offended by a store that thought to ask them for their ID. It depends on your industry and customers to know if you can get away with the request. For age-restricted purchases such as drugs and alcohol, this is an understandable request. However, it is excessive and not even a problematic deterrent for most fraudsters for most other transactions.

  2. Credit Card Last 4 – Another less privacy-invasive method to verify but one that can result in substantial security compromises. Typically a merchant will have the first six and last four digits of a card. This verify method attempts to check physical possession of the card used in your shop. As long as the shop can verify the credit card picture with the name and numbers expected, they can approve the order. However, you now open yourself to bigger security issues as some users will make mistakes and not cover up the entire card number representing a potential PCI issue. Tools like Trust Swiftly can automatically detect whole card numbers in the image and reject them, forcing the customer to upload the card image properly.

  3. Bank Receipt – Requesting a bank receipt or app image of the recent bank activity is another way to prove ownership of a credit card. In this case, the customer will take a screenshot of their transaction, which should show unique identifiers like your merchant name, URL, and phone number. This is a preferred method by many customers as they are not giving up any sensitive data, and you can confirm their ownership by checking some data from the image. You should ascertain that their bank name matches the expected card and that all the merchant identifier data is similar to your store. There are a few downsides to this method as bank receipts vary significantly between apps and websites. Sophisticated fraudsters can also try to forge a fake pass. Next, some transactions might not show up if the bank takes time to display the information. This can be deterred by using a dynamic statement to match an expected description with the transaction.

  4. Trust Swiftly Card Verify – We have built a unique card verification system that securely verifies ownership of a credit card. Using 3DS2 combined with a random authorization debit, we can ensure the security of the transaction. This technique results in the quickest and most automated method for verifying an eCommerce customer. This method goes explicitly after most fraudsters' stolen credit card operations. They will have all the cardholder details, and even some use 3DS interception tools to get the 2FA code. However, with Trust Swiftly’s method, they would need access to the user's statement activity which is extremely difficult.

  5. Misc Verification – Calling the customer to ask about the transaction to confirm it is a quick method. As well as sending an SMS to verify their phone exists and populate any data from it. Both these methods can also be automated by Trust Swiftly. Even a simple email or live chat session can uncover a fraudster vs a genuine customer.

In the end, each of these methods can be applied in certain situations. However, we do not advise using ID verifications right off the bat unless necessary. Just look at some eCommerce stores reviews that collect IDs as part of their fraud prevention. Trust Pilot will show plenty of 1-star reviews from mad customers about the verification process. We just touched the tip of verification options available to eCommerce stores. Trust Swiftly has over 15 different methods now that can be tailored for your unique situation.