TD WL Fraud Prevention Webinar-en
- Hello, everyone. And thank you for joining us for our fraud mitigation webinar today. My name is Kym from Worldline, and I'll be your host. Today's panel format will involve discussing key topics with fraud and risk specialists from TD Bank and TD's payment gateway provider Worldline. First, we have Hannan from TD, who will introduce themselves. Hannan.
- Thanks, Kym. Hello, everyone. My name is Hannan Ning. As a solution consultant with TD Bank for nearly 12 years, I have helped several commerce businesses implement effective and efficient fraud prevention and detection solutions.
- Next, we have Carlos from Worldline.
- Thanks, Kym. My name is Carlos Guzman. I'm a fraud analyst for Worldline. I've been with Worldline for nine years. And I'm happy to participate in this panel.
- Great. Thanks. Before we begin, let's review some housekeeping items. We welcome questions throughout this online seminar. And please, use the Q&A tool to post your anonymous questions. You can find the icon to open the side panel of the Q&A at the top of your screen. At the end of this panel, we'll answer questions from you, our audience. If we don't get to your question, no worries. We are going to follow up after the seminar and will include responses to those questions. We are recording this presentation, which will be available on the TD website for future use.
All right. And on to the agenda. You've met all of us. We're going to move to talk about common fraud schemes and how you as the merchant can prevent fraud, as well as chargebacks, measurable actions you can take if you experience fraud, key takeaways, and of course, a Q&A.
Did you know that 65% of organizations were victims of payment fraud attempts in 2022? Sadly, nearly half of those were unsuccessful in recouping any of the stolen funds. Also, in 2022, the Canadian Anti-Fraud Center reported a 40% increase in victim losses from 2021, reaching $530 million. Nearly half of small businesses have experienced a random cyber attack in 2022, and 27% have experienced a targeted attack. And according to the Canadian Federation of Independent Businesses, only 11% of those businesses surveyed had offered mandatory cyber security training to their employees over the past year. Only 8% provided optional training.
So panel, given this significant percentage of businesses that are affected by fraudsters, can you please tell us about key fraud schemes merchants should be aware of? Hannan, how about we start with you?
- Thanks, Kym. Some of the most popular schemes we see include refund schemes, friendly fraud, internal fraud, and interception. I'll begin with refund schemes.
Fraudsters obtain a refund and make false claims to not return the goods. They can also request a refund on a different method of payment than what they originally used, or they want cash. Long story short, you should always refund on the original method of payment.
Second, we have friendly fraud. This is when a cardholder makes a false or misleading dispute claim. They either forget what they bought or know about it, but don't recognize the transaction, or simply don't want to pay. Such a dispute may result in a chargeback. Friendly fraud is actually on the rise at 16% of all fraud disputes. An interesting fact, 23% of consumers who have disputed a purchase have filed a chargeback in the last year using fraud as a reason for doing so even though they received the item and were satisfied with the purchase.
Third, we have internal fraud. In essence, one of your employees is processing unauthorized transactions, or skims or steals credit card information for future use.
Last, but not least, we have interception. Now, interception occurs when fraudsters make online purchases using stolen credit cards. They ship to the valid billing address linked to the stolen credit card, which will bypass checks that look for discrepancies between billing and shipping addresses, then they try to intercept the package.
Apologies, Kym. You're on mute.
- Of course. Carlos, what about carding, account takeover, and fake stores?
- Most of the instances we see of carding are front-end and back-end carding. Front-end carding is the most common, and it does happen at checkout. The fraudsters tend to buy something from your store and run through a laundry list of cards. They run it until one of them works. The personal information generally stays the same. The purchase amount does not change, but the credit card information changes.
The second one is back-end carding, which is very rare. This is when someone with many stolen credit cards tries to test their validity by running a small transaction on a random merchant account. They do it by guessing your merchant ID number, then sending a request to process transactions to your payment provider using the merchant ID. Once we detect back-end carding, we notify merchants at once. Your information is safe and secure, and your account has not been breached.
Another popular scheme is merchant account takeover, or ATO. Fraudsters gain access to your login credentials to steal the funds or information to make fraudulent transactions. This can be done by telephone, internet, social media, or mail. They can also break into your account by taking control through schemes like using phishing or malware, like a lawyer scam or a CEO scam or a CR scam text.
Another scheme could be fake stores or triangulation. This is important to be aware of. A fraudster has a fake store or another platform, like eBay or Etsy, and is using the stolen credit card information to buy from a legitimate storefront and have the goods shipped to the fraudster's client's address. Then they get paid by the third-party platform, and the legitimate storefront gets the chargebacks. Back to you, Kym.
- Great. Thank you. So now that we're all aware of the key methods that fraudsters use, can you both share with us your recommendations for merchants to protect themselves? Carlos, back to you.
- We always recommend implementing a stronger verification of transactions by collecting more information about them. This could include additional information on the payment method, like browser, device, or IP address.
Address validation. Include address validation in your website as an important part of your transaction. CVV validation. It is customary practice to request the CVV code and ensure it is the cardholder.
Promote digital wallets. Digital wallets such as Apple Pay are more secure payment methods due to the device biometrics and tokenization. The information is heavily encrypted.
Validate orders that are over your normal business threshold. Does this transaction make sense? Are they within their normal checkout ranges?
And finally, check for red flags. When reviewing your transactions, look for anything outside of the usual processing patterns. Larger than usual purchases or small transactions that can pose risk. Transactions with different billing and shipping addresses or international purchases. If something stands out or looks even slightly off, take time to review it and reach out to the customer. Don't move forward until you feel comfortable.
- Great advice. Thank you. Hannan, how about you?
- For sure, Kym. I completely agree with Carlos. It's very important to really audit your website platform security regularly. And you can do this as a merchant by complying with the PCI DSS rules. For those who do not know, PCI DSS, the Payment Card Industry Security Standards Council, has established security standards regarding the protection of cardholder data, which is applicable to any entity processing cards. And they must comply. This includes merchants, acquirers, et cetera.
Second, every merchant needs to comply with the Payment Card Industry Security Standards rules, regardless of the size. The PCI DSS also applies to any agent or third-party provider that you may use to store, process, or transmit cardholder data. You also have to look out to really try to mitigate against carding activities. And we recommend the use of CAPTCHA. And it is really something that you should tune depending on how you want to minimize the impact to legitimate customers. And check whether it's available from your e-commerce or shopping cart provider. You should also force manual entry of specific fields in your payment form, such as credit card numbers, to prevent carding scripts.
Second, really protect the cardholder information. So try to collect the minimum amount of information on the customer and limit access to the information internally. Finally, implement fraud detection tools to support consistent, sustainable processes.
- Hannan, that's an excellent segue into our next topic, which is, what tools offered by TD Online Mart help prevent fraud and chargebacks? Over to you, Carlos.
- There are seven main tools available to you. And I'm going to start with the first three, and I will pass to Hannan to cover the second half. Now, the first one is checkout and custom checkout. These are hosted solutions that will help minimize your PCI scope and help make sure your checkout is secure.
Secondly, we have secure payment profiles. They lower your PCI scope and keep customer data safe by storing payment information using tokenization and reusing it once you do a recurring transaction. Secure payment profiles use a tokenized service that encrypts the data and stores it in our PCI level one server to help prevent automated credential stuffing or account takeovers.
The next one will be risk thresholds. These ones are enabled by Worldline, but you as a merchant decide what works better for your business. Please note that we need the IP address of the merchant's customer so we can run risk thresholds effectively. If you have a concern about friction or false claims, you can start with a lower threshold and then bring it up later. Over to you, Hannan.
- Thanks, Carlos. The remaining tools include a number of different things. We have a digital wallet, like Apple Pay or Click to Pay. And they really offer user convenience, better authentication, and possible liability shift. Now, Click to Pay is available for checkout and custom checkout. And it's a digital wallet by EMVCo, which accepts Visa, Mastercard, and American Express cards. Apple Pay is also available with custom checkout. Just note that there are steps needed to register with Apple and create a certificate. And the certificate will be needed for the activation in Online Mart.
Second, we have the Address Verification Service and Card Verification Value. These two features really provide better authentication and can be turned on in the Account Configuration page. You can define whether the transaction should be declined if the information is not accurately provided. One thing to keep in mind is that we do live in Canada with both French and English. Addresses can be written in a diverse number of ways. So address verification has components, including full address and postal code. Some merchants decide to implement postal code validation or verification only, essentially, to try to mitigate against the multiple ways addresses can be inputted, which helps reduce false declines.
Third, we have EMV 3DS. So EMV 3D Secure is an extra layer of security provided for online transactions. Using transaction data, a risk-based authentication is performed. And the cardholder may receive a challenge question from their financial institution to further authenticate if the transaction is considered high risk. It provides a user-friendly checkout experience and may provide fraud-related liability shift to the issuer if the transaction is accepted by them. If you use checkout, you can simply turn it on.
Last, but not least, we also have User Management. Now, Online Mart provides the User Management feature allowing you to define user rights on features accessed and protect data visibility. As an example, a user may be allowed to perform purchases only and have no access to payment information after the transaction has been entered.
- Excellent overview. It's also important to note that all features that Hannan and Carlos have highlighted are included in the current TD offering.
So we have covered substantial ground so far and have learned much about the causes and mitigation methods. But in today's ecosystem, it's inevitable that instances of fraud will continue to affect merchants, despite all of our best efforts. So panel, what is the process for a merchant to report an instance of fraud?
- Yeah. I can take this one, Kym. Just from a general recommendations and TD touch points perspective, and then Carlos can certainly supply further detail on when you would want to reach out to Worldline directly or why they would want to reach out to you directly.
First and foremost, if you suspect fraud, such as refund scheme, interception, or fake stores, do not send the item or provide any services until you are confident that the transaction is legitimate. If you are suspicious at all, reach out to the customer using any information provided during checkout, such as the phone number or email address, to confirm that they are aware of the purchase. If you are still not comfortable with the transaction, you should either void it or refund it and send notification of a cancellation notice to the customer. This will help reduce chargebacks and lower financial or product losses due to fraud.
Account takeover, if this ever occurs, please contact Worldline as soon as possible through the support number or email provided in the takeaways. They will assist you in changing the login credentials and will review your user permissions to help prevent further instances.
And lastly, we also have the friendly fraud chargebacks. Generally, the merchant will see a chargeback. Now, you should gather any information that you have about the transaction. This can include a number of different things such as the original invoice, shipping confirmations, address verification service matches, email with the customer, proof of refund when applicable, et cetera, and submit a dispute to the team specified in the chargeback notification.
We also have addressing carding, if you will. The payment card network, TD, or Worldline may be able to identify potential carding instances. So it is important to note that TD and Worldline are not able to guarantee identification of all instances of fraud. So there could be a number of different scenarios.
First, it could be identified by TD, through internal transaction monitoring or payment card network monitoring and communications from the PCNs. If you have a dedicated account team, they will be included in all communications. Alternatively speaking, if it's reported by you, please contact Worldline by email at support@onlinemart.ca, or by phone. The email address and phone number are included on the slide and noted on our website. As a merchant, you should be contacting Worldline to aid in making security changes on your account. So for example, getting the initial setup for risk thresholds in place. As for the Worldline piece, I'm going to pass it over to Carlos to supply further details on your monitoring.
- Thanks, Hannan. As you mentioned, our Fraud and Risk team at Worldline uses a combination of tools and hands-on monitoring. And may reach out to you directly if they detect potential instances of fraud. This would most likely be in instances of front-end carding and back-end carding, which is extremely rare. Carding activity is monitored 24/7 by our various teams. And we will reach out with actions that we have taken on the account to mitigate carding, as well as offer solutions to help prevent future activity.
When front-end carding is detected, to protect yourself as a merchant from experiencing this excessive impact, we might temporarily disable the account that is compromised. In instances of carding, whether brought forward by you or by one of our teams, you will also want to reach out to your shopping cart provider or website developer.
- Thanks. That wraps up our panel questions for today. And I want to thank you both very much for sharing your insights into the current fraud landscape and equipping our audience with actionable behaviors and tools to help them protect their businesses from fraud and reduce risk. Before we open the conversation to respond to questions from the audience collected throughout this panel, let's leave you with some key takeaways here. We have shown you how fraud mitigation may help, how you can contact us for fraud-related and certainly all technically-related questions, and resources available to you in the future.
All right. So let's look at the Q&A and address the questions that have come in. We do have some time, so this is great. And thanks, everyone, for taking the time to ask these questions.
OK. Carlos, let's start with you. Can you block an individual by name, address from purchasing on our platform?
- We cannot, but we can block by IP address and phone card number. Expanding on the reasoning, we don't recommend blocking by name or email address as most of the time the fraudster is using fake information that belongs to someone else and potentially can cause issues in future with customers doing legitimate transactions.
- Interesting. Thank you. OK. Hannan, I'm going to throw this one to you. Is it possible for a fraudulent order to be placed that had a successful challenge for 3D Secure?
- Short answer is yes, it can be. So I want to take a step back and say 3D Secure really is a protocol that allows for better authentication of transactions. So with the additional transaction information provided through 3D Secure, the card issuers can decide to accept the liability of the transaction or not. While it helps reduce fraud, fraudsters can still perform transactions. So if 3D Secure is used and the liability is accepted by the issuer, the merchant is not responsible.
- OK. Thanks. Carlos, back over to you. Can you explain why sometimes the card owner name is different than the billing name?
- It is rare, but it's a possibility. This happens when maybe somebody actually purchases something on behalf of someone else. However, any of these cases should trigger a further review by yourself or maybe reach out to the actual customer to review the transaction.
- Good advice. Thanks. Ping pong over to you, Hannan. Here we go. Would it be possible to review or provide a list of what the response code numbers mean, as well as the CVD and AVS results?
- Sure. Absolutely, Kym. They're all available in the Worldline specification. So it's all available within that deck. Yeah.
- Great. Carlos, how accurate is the IP info under pre-authorized transactions?
- It is very accurate. So it will provide the actual IP address where the transaction is generated. So if you use our checkout or custom checkout, the field is actually populated on our transaction confirmation receipt. So it is as accurate as a purchase, or as it could be, though.
- Thank you. I'll take this next one. Will this deck be sent out to the attendees? Absolutely. We'll be sending this out shortly. And thanks for asking.
OK, this is going to go back to you, Carlos, actually. How can I block a person from purchasing through our gateway? In other words, is there a way to block by name and address?
- I think it's very similar to the prior question that we responded to. It is, unfortunately, not a possibility to do so. We have other methods by which we can block a person. Like I said, card number or IP address. But we do not recommend blocking by name and address, regardless.
- Gotcha. Another 3DS question. I'm going to throw to you, Hannan. Does 3DS generate a lot of challenge questions or one-time password requests to authenticate the customer?
- Yeah, that's a great question. It really depends on the card issuer and the transaction history of the cardholder. So if the card issuer believes that the transaction does not fit the purchasing patterns of the cardholder, they may request the cardholder to authenticate. What I'm trying to get at is, really, it's the issuer of the cardholder that decides. I would like to add, though, that some transactions may be challenged for authentication. Visa confirms that the usage of 3D Secure drives higher transaction approval rates for merchants.
- OK. Thank you. This is a clarifying question for you, Carlos. Can you please define front-end carding?
- I'm just retaking a little bit of what we said in the presentation. Front-end carding is like a script that is run on your checkout page. It could be JavaScript or any type of script that a fraudster puts in there that runs a list of cards through your website. They are trying to test them to see if they work. It's normally a small amount, like $1.00, $0.50, et cetera. And what it does is when they get an approval or a response to it, then they go and use that card somewhere else. That's why CAPTCHA is very important in this case, because CAPTCHA actually prevents them from running that script, or at least makes the script slower, so they get a little bit desperate on testing these cards.
The second part of it is like-- it's to define that your account is not compromised in any way when this happens. It's just on top of your checkout page. So they are using your payment page to perform that transaction, but none of your data is compromised.
- CAPTCHA's a great tool, isn't it? OK. Hannan, I'm going to give this to you. And I can tell you the word "most" is in all caps, so this is important. What is the most practical feature you provide against fraud?
- So long story short-- we keep talking about 3D Secure, and the long sort of answer is 3D Secure really is the gold standard when it comes to general fraud-related chargeback protection. So that would be my short answer.
- Well, speaking of chargebacks, I'll give you this next question, then. How can we as the merchant prevent chargebacks?
- Really, you can't prevent chargebacks because they're really driven by the cardholder. But what you can do is, by adopting EMV 3D Secure, you basically have fraud-related chargeback protection by diverting the chargeback back to the issuing bank. So ultimately, you don't have to pay.
- Well, speaking of chargebacks, Hannan, the next question happens to be, why is the bank processing chargebacks without validating the transaction?
- That's also a great question. So the chargeback validation is really done through 3D Secure. So if a merchant has not adopted EMV 3D Secure, meaning that they haven't had any way to consume an ECI value back to the front-end solution, then general liability is going to be on the merchant.
- OK. Let's continue talking about 3DS Secure in the next question, shall we? Hannan, can you add 3D Secure if you don't have an online store and are manually entering cards via Worldline?
- So this is going to be a mixed answer. So you don't have to have an online store, but it cannot be a manually-entered card. So we do have a number of different solutions that you can leverage, such as Checkout Link Builder, where it's a cardholder-initiated transaction, which gives you access to EMV 3D Secure. The key takeaway for you as a merchant is that, if you want to adopt EMV 3D Secure, it has to be a cardholder-initiated transaction and cannot be a merchant-initiated transaction.
- OK. I have to give you a couple more 3DS questions, Hannan. This is a popular topic. Next one, is the merchant never responsible if 3DS is used?
- No. There is no never. So ultimately, it's all about that ECI value. So if EMV 3D Secure is enabled and implemented, as long as you get an ECI value that's accepted by the issuing bank, then you get general fraud-related chargeback protection for those transactions, only for the authentication.
- OK. Also, is there any TD service to implement 3D Secure by TD if we do not have skilled IT folks in this area?
- We definitely do have specialists, like myself, who can talk to you about this type of solution. If you don't have anybody skilled in IT, we can always enable it on just simple checkout. We can talk about that later on offline.
- Great. Thank you very much. I'm going to give you a break for a moment and throw it back to Carlos for the next question. Next couple of questions, I think. Ready, Carlos? OK, this looks like a case study. Here we go. Why is it that if a customer changes the shipping address and it does not match the billing address, they can easily win a chargeback claim that they did not receive the package, even if we, as the merchant, can prove that it shipped?
- That's a little bit of an interesting question. And what I mentioned is that it is on a case-by-case basis. Chargebacks are assessed in that sense. And when you dispute it, they are assessed on a case-by-case basis, too. What I could say is that any transaction that has a billing address and a shipping address not matching should trigger a review by the merchant. So before you ship the products, you should confirm where this goes. So that's what I will recommend. After a chargeback is generated, it will depend on the issuing bank, which is addressing that dispute. So I will not have a realistic solution or medicine to tell you why.
- That's understandable. Thank you. I'm going to give you another scenario question. Ready for it? I work for an insurance brokerage. We use TD Online Mart to process policies that we issue agency bill. Only I, the office manager, and one other staff member have access to process payments. All we obtain to process these payments is the credit card information, and then we go ahead and process the payment. The question is, should we be doing more on our end in processing these transactions?
- When you process transactions manually or over the phone, like the question mentioned, address verification and CVV verification are available to you. So you can always enter more information on the actual web terminal to process these transactions. You can add the address. You can add the CVV number. And you will get an actual validation response for these two saying whether they were a match or not on the transaction confirmation. So you could use these tools to help prevent further fraud.
We also recommend that you have a pre-authorized form where the customer actually allows you to process this transaction and say that they authorized you to process their credit card over the phone. It's an extra layer of security there.
- Excellent. A PAD form is important. Thank you. OK. Let me give you another one, too. From what I've heard, Worldline or TD never fully guarantees the merchant, even if all that you have said here is implemented. Is that correct? Carlos.
- Yes, that's correct. There is no 100%. There's not a tool that 100% prevents you from fully being free of fraud or from receiving fraud or chargebacks. Nothing guarantees. Unfortunately, in our ecosystem of today's world of payments, you're subject to receiving chargebacks or subject to fraud. So there is not a 100% guarantee on this matter, so it's correct.
- No silver bullet. OK. Next one, another 3DS question. So Hannan, get ready. I'm coming back to you. Does 3DS implementation by merchants provide full chargeback protection regardless of the fraud scheme? I think I know the answer.
- Yeah. I'm sensing a theme, Kym. I'm going to reiterate what Carlos had said on the previous answer. No, it doesn't provide full chargeback protection regardless of the fraud scheme. To be clear, it is a gold standard. And it is a layered approach that helps you try to prevent fraud-related chargebacks, but no, it doesn't provide chargeback protection regardless of the fraud scheme.
- Gotcha. OK. This question is specific to us at Worldline. So Carlos, I'll throw this to you, please. Is there a development group within Worldline or actually, TD that we can have our website service provider contact in order to help implement these 3DS features, IP risk, and other fraud mitigation features?
- Yes, 100%. We have a support group and a tech support group that will be more than happy to assist you with any questions. And if they want to reach out, I believe, the phone number and email address are in the presentation. So more than happy anytime.
- Great. We have just a few short minutes, so let's get through a couple of more questions before we have to bid you farewell today. This one relates to digital wallets. So Hannan, how about you take this one? Simply, what digital wallets are supported?
- Sure. Simply, we support Apple Pay, as well as Click to Pay.
- Thank you. I'll keep with you, Hannan. Does Worldline/TD currently offer 3DS for all card brands?
- It is offered by Visa, Mastercard, and American Express.
- Excellent. Thank you. OK. Sticking with you, Hannan, and the 3DS theme. Where can we get more information about 3D Secure?
- For sure. In the development documentation that will be sent out. Everything's there. Yeah.
- Absolutely. It would be good to bookmark that link once you receive it. And Hannan, this person would like to know if and how we add Apple Pay and/or Click to Pay.
- For sure. I don't want to get into too much details, but it's in that documentation. Long story short, with Apple Pay, you'll have to generate a certificate that's going to be uploaded into Online Mart. Click to Pay, there's just a process. So it's all going to be there. Yeah.
- Good stuff. Let's go to this one. This is a MOTO question. I want to give it to you, Carlos. So as a business, we're taking payments over the phone. What steps should we be taking to protect ourselves with these transactions in mind?
- I think I'm just going to recall the answer that I previously gave. It is important for you to collect the address and the CVV number. You can verify the response and those verifications when you receive the receipt of the transaction. And if you have something recurring, a customer that you charge on a recurring basis, always get a pre-authorized form.
- OK, that's great. So I'm going to give out one more question, and I'm going to throw it to you, Hannan. I'm really choosing these at random, so here we go. Do I have to have a TD account to use the Worldline Portal? That's a good question.
- Yeah, that's a great question. Short answer is no. However, we would love the opportunity to earn your business.
- That's great. That's a great answer, too. Well, thank you, gentlemen, and thank you, audience. This does conclude today's panel discussion. As mentioned, the responses to these questions, as well as the presentation itself, will be sent to you shortly. Thank you, again, for joining us. And I bid you a great rest of the day. Take care. Thank you.