When Anti-Fraud Blacklists Cost Merchants Customers

Card-not-present fraud is a huge and growing problem for ecommerce, and one way merchants try to prevent it is with blacklists. These databases contain names, email addresses, phone numbers, and credit card accounts linked to confirmed fraud.

It used to be that such blacklists, updated internally or bought from a data provider and updated every few months, were a reasonably good layer of fraud protection. Now, as fraudsters develop ever-more sophisticated strategies and have access to a growing cache of stolen consumer information from data breaches, the quality and structure of blacklists matter more than ever. A dynamic blacklist can be a valuable tool for fraud prevention, but static blacklists can lead to more fraud and more false declines for merchants.

False declines are already a big problem for ecommerce. Ecommerce merchants decline 45% of their orders, and 22% of those declines are false, according to the Lexis Nexis True Cost of Fraud Survey for 2017. False declines cost the US ecommerce industry more than $8 billion in lost sales in 2016 alone. Customers declined in error are likely to take their business elsewhere, rather than go back to merchants who wouldn’t take their money. But how can blacklists, which are supposed to prevent bad actors from making purchases, sometimes cause good customers to be rejected, too? The answer hinges on the difference between static and dynamic data.

One-way fraud data deteriorates over time

One-way data is data that only goes one way: from the source to the list. This data is static – once it’s on the list, it stays on the list. Consider the example of a phone number that was used in a confirmed fraudulent transaction at an online jewelry boutique. The merchant adds that phone number to its internal (in-house) blacklist so that no future orders with that phone number will be approved. Or consider a delivery address on a list that the jewelry shop buys from a third-party data provider. It’s on the list for fraud, so no orders to that address will be approved either. The risks of relying on single data points to screen transactions quickly becomes clear: people change phone numbers and physical addresses all the time, so good customers might eventually own those data points. (From a statistical perspective, a static blacklist that’s never cleaned or updated would eventually include data on every consumer—obviously not helpful for merchants.)

Even higher quality data can become less useful for fraud detection over time if it’s one-way, static data. A comparatively high-quality third-party blacklist may combine datapoints like address, phone, and email from different transactions for a more comprehensive list of fraudulent profiles. For example, a hotel chain may sell data that includes email addresses, phone numbers, and billing addresses that have been validated through their reservations process, proving that the datapoints are related. But if the hotel providing that data doesn’t learn what happens when its data clients use their list for fraud validation, there’s no way to verify the data’s quality over time, as clever fraudsters find ways to link fraudulent account numbers to valid consumer information stolen in data breaches.

Two-way fraud data becomes more reliable

The highest quality data providers have processes in place to learn if their lists of combined data yield good or bad transactions over time and to continuously update their lists. This list management approach solves two problems: keeping up with fraudsters to avoid approving transactions that use corrupted consumer data, and avoiding declines of  good orders simply because they look suspicious, come from a region with a higher-than-average fraud risk, or contain a bad data point—such as a billing address or phone number that was used in fraud in the past. The quality of this dynamic type of list improves over time, as more completed transactions are analyzed and more datapoints are combined to get a clearer, more current picture of customer behavior, even as fraudsters try to cloak their scams with stolen valid data.

Blacklists are one of several layers of protection that ecommerce merchants should have in place to guard against transaction fraud. For the best fraud prevention, each layer must perform optimally. In the case of blacklists, two-way, combined data that’s frequently updated is the best possible option for preventing fraud and for avoiding costly false declines.

Rafael Lourenco is Executive Vice President at ClearSale