Question

I have a client who has, in the past, used the Saved CC payment method on their store (despite attempts to persuade otherwise) for the single purpose of having convenient access to their CC data in the case that they suspect an order may be fraudulent.

They would check each order manually, and for orders from international customers (or other apparent red flags) they would submit an additional transaction on their CC for a small arbitrary amount ($0.50 - $2.00, say).

For very obvious reasons, this is not a recommended solution to handle these suspected fraudulent transactions.

The best I can see how this should work would end up being quite expensive for the client (for a seemingly boring "feature").

  1. Have client sign up with Authorize.net CIM
  2. Install Authorize.net CIM payment gateway module in Magento
  3. Develop a custom module to allow the client to submit these fraud detecting transactions for a small amount.
  4. Assume that the customer will opt to have their CC info saved during checkout so that CIM is available for subsequent transactions with additional communication with the client.

This seems like a fairly tall order. As it stands, I can only assume that the client will opt to continue using the Saved CC payment method since it meets his needs (though obviously introduces other security issues).

Can anyone suggest an alternative way to handle transactions such as this while at the same time minimizing the need for additional communication with the store's customer? To me, this sounds like a big can of worms.


Solution

They do not need CIM, and the native Authorize.net integration should work just fine. It will provide (very) basic protection such as AVS (assuming they enable and configure it in their account on authorize.net) and also guarantee that they have a valid and matching CVV submitted with the card. However, this will not prevent fraud transactions. Payment gateways do not detect fraud nor do they claim to. They verify the correctness of CC information.

A fraud prevention system will maintain records of information collected from transactions purported to be fraud and cross-check new transactions against it. Not the only technique employed, but one of many. If a particular IP address, for example, is consistently used for fraudulent transactions, that may be used as a check which would raise the fraud score of a transaction being verified. If the score gets too high (I believe the threshold is configurable) then the transaction will go into a suspected fraud or rejection state.

My suggestion would be to look into using a solution such as Kount. They have a working Magento integration via a module they provide you with and you install. It supports using Authorize.net as the payment gateway too.

One thing to keep in mind is that as with anything eCommerce related, the client will need to be willing to put some effort into learning about fraud and how to deal with it effectively. There are many different types of fraud, and the best approach to combatting it can sometimes be different based on the situation.
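
The cross-check-and-score idea described in the answer above, as an added Python example (not part of the original answer, and not Kount's or Authorize.net's implementation). The signals, weights, thresholds and sample orders are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    order_id: str
    ip: str
    email: str
    billing_country: str
    ip_country: str      # country the IP address geolocates to
    avs_match: bool      # AVS result reported by the payment gateway

# Constructed sample data: orders previously confirmed as fraudulent.
KNOWN_FRAUD = [
    Txn("F-1", "203.0.113.7", "a@example.test", "US", "RO", False),
    Txn("F-2", "203.0.113.7", "b@example.test", "US", "RO", True),
    Txn("F-3", "198.51.100.9", "b@example.test", "GB", "GB", False),
]

# Assumed weights and thresholds, chosen for illustration only.
W_IP, W_EMAIL, W_GEO, W_AVS = 25, 30, 15, 20
REVIEW_AT, REJECT_AT = 40, 70

class FraudScorer:
    def __init__(self, known_fraud):
        # Index the fraud history so each new order is a cheap lookup.
        self.ip_hits = Counter(t.ip for t in known_fraud)
        self.email_hits = Counter(t.email.lower() for t in known_fraud)

    def score(self, txn):
        """Return (score 0-100, reasons). Repeat hits count up to twice."""
        score, reasons = 0, []
        for label, hits, weight in (
            ("ip", self.ip_hits[txn.ip], W_IP),
            ("email", self.email_hits[txn.email.lower()], W_EMAIL),
        ):
            if hits:
                score += min(hits, 2) * weight
                reasons.append(f"{label} seen in {hits} fraud order(s)")
        if txn.billing_country != txn.ip_country:
            score += W_GEO
            reasons.append("billing country differs from IP country")
        if not txn.avs_match:
            score += W_AVS
            reasons.append("AVS mismatch")
        return min(score, 100), reasons

    def decide(self, txn):
        score, reasons = self.score(txn)
        state = "reject" if score >= REJECT_AT else "review" if score >= REVIEW_AT else "approve"
        return state, score, reasons
```

The returned reasons give the merchant something to act on for orders in the `review` state, in place of running a test charge against a stored card number.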

OTHER TIPS

This may not be a code-oriented solution, but Authorize.net has extensive fraud-screening, including varying levels of screening. For example, you can use AVS on the whole address, just the city/zip, etc. You can get pretty granular. Perhaps show them these options and point out that Authorize.net, as a payment gateway, is in the best position to determine fraud?

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange