From October 1st, 2019, online businesses accepting Visa cards will have to comply with stricter anti-fraud regulations. All monthly compliance thresholds (including those established by the VCMP Standard program) will be lowered from 1% to 0.9%, which will affect all entities accepting cards issued under Visa brands, especially companies from high-risk industries.
The new fraud and chargeback monitoring policy poses challenges, especially for companies operating in industries such as dating, travel, online video games, betting and gambling, nutraceuticals, pharmaceuticals and adult, as well as those offering digital goods.
At the moment, the monthly compliance thresholds of the VFMP (Visa Fraud Monitoring Program) are set at a 1% fraud-dollar-to-sales-dollar ratio. Similarly, those of the VCMP (Visa Chargeback Monitoring Program) are set at a 1% ratio of disputes to sales transaction count. These figures relate to MATCH (Member Alert to Control High-Risk Merchants) – a system designed by Visa to monitor businesses experiencing excessive fraud attacks and to encourage them to incorporate measures targeted at preventing fraudulent transactions. Companies get listed on MATCH after exceeding the thresholds for several consecutive months.
Companies that are currently dangerously close to the 1% threshold will, after the changes, fall into chargeback monitoring programmes with a danger of joining the high-risk category. Hubert Rachwalski, CEO of Nethone, explains how to minimize this threat:
“The new, stricter thresholds do pose a challenge to companies but there is a way to overcome this problem. The starting point is redefining one’s risk management strategy: the updated one might make use of deep profiling of users, which aims at fully understanding customers in digital channels, based on accurate fraudster identification.
“Only KYU performed in real time combined with innovative PSP’s processing that use this kind of sophisticated analytics will enable high-risk entities to continue growing.”
The tightened threshold will increase the penalties for companies whose risk management strategies prove ineffective. Straal’s CEO Michał Jędraszak translates the threat into specific numbers:
“These fees range from $50 per chargeback up to a $75,000 monthly non-compliance fee, depending on the threshold exceeded and non-compliance severity.
“For, say, a digital goods merchant processing a high volume of low-value transactions or a company selling high-value digital or semi-digital services, such a situation might lead even to bankruptcy.”
Both experts emphasise that online companies should now work closely with PSPs to develop effective risk management strategies, capable of matching the tightened monitoring thresholds. Moreover, the new regulations will also affect acquiring banks as their fraud thresholds will be lowered, too. As a result, this party will also get involved in working on more effective fraud prevention.
“First of all, the key question is about the responsibility for effective fraud prevention. Is this burden on the company’s shoulders or maybe on the PSP’s? Should an online company search for third party providers of FDP solutions on their own or expect such support from their payment gateway? At Straal, we believe that in most cases the latter makes more sense,” explains Michał Jędraszak.
“While in low-risk industries a set of simple anti-fraud rules should do the job, in industries balancing on the brink of the threshold, detection of fraudulent behaviour requires more sophisticated tools and smooth cooperation between the gateway provider and the anti-fraud solution.”
Efficient fraud detection and prevention relies on collecting and crunching huge amounts of meaningful data.
Rachwalski explains: “To protect a business against fraud, one has to establish effective data gathering processes. It’s crucial to collect quality, meaningful data that will help to understand the context of fraudulent transactions.
“It is recommended to gather detailed user data as well as rich information about transactions processed by the PSP. Joining forces at this stage translates into better fraud prevention results, meaning more accurate detections and fewer false positives.”
As Machine Learning (ML) is the most efficient way to spot differences between legitimate users and fraudsters with high accuracy and in real time, collecting large amounts of meaningful data and ensuring its smooth flow between systems is paramount. The key principle of ML is that the more data it gets, the more accurate its predictions.
“The more data a model receives, the better results Machine Learning generates. In this context, it means better fraud prevention thanks to more accurate predictions. However, training a model takes time – it is worth commencing the process now so that it is perfectly ready when the new regulations take effect,” says Michał Jędraszak.
Both experts agree that online companies approaching the current 1% fraud threshold should instantly contact their PSP and ask what is going to change once the new regulations come into force. It may also be necessary to agree on a new risk management strategy, or just find a PSP cooperating closely with a quality fraud-fighting partner.