5 Tips for Managing Fraud and Risk in Mobile Payments
[Editor's Note: The following is a guest post by Martine Niejadlik, who leads mobile payment company Boku's efforts around fraud, safety and risk. With mobile payments, users purchase digital items, approve a confirmation of the purchase on their phone, and bill their mobile phone accounts. It's a popular alternative to buying virtual currencies and other items in games using credit cards -- which means fraud happens sometimes. Below, Niejadlik shares 5 tips for how developers can help mobile payment customers have a more secure experience in their applications.]
It’s an unfortunate truth of business that where there is money to be made, there are people trying to do bad things to get their hands on it. If you’ve taken payments from customers then chances are you’ve encountered some of these risks. Cash and checks can be counterfeit, checks can bounce due to insufficient funds, credit card numbers can be stolen, etc.
I’ve managed risk and fraud teams at PayPal, eBay and Amazon, and now at Boku; I’ve seen countless fraud attempts from around the world. Mobile payments are a new, rapidly growing form of payments and like all forms of payments they come with risks that need to be understood and managed. Based on my experiences in the industry, here are my top 5 merchant risk and fraud tips for mobile payments. Note that some of these are useful for all types of payments.
Tip #1 – Know the rules
There are two types of rules for mobile payments. The first set of rules are legal requirements (which may vary by jurisdiction), such as ensuring that:
- payments are not being processed for online gambling or otherwise illegal activity or content (such as child pornography)
- payments that indicate potential money laundering are reported to the proper authorities
- any licensing requirements or payment regulations are complied with
- there is proper consent and disclosures under the Children’s Online Privacy Protection Act (COPPA)
These rules should come from a lawyer (I am not one) and will vary by business. For example, whether or not you need to comply with COPPA will depend specifically on the type of primary customers for your business.
The second set of rules come from the carriers and include things such as:
- Spend limits – each carrier has varying restrictions on how much a user can spend on a particular mobile service. These limits may apply to individual transaction amounts or to total spend over a given timeframe, and spend-limit notifications to the user are sometimes required as well.
- Terms and Conditions – specifics on what needs to be disclosed, how it needs to appear in the payment flow, etc.
- Payment flow experience – where the pricing should be displayed, what size fonts should be used, proximity of information (e.g., price near phone number entry field)
- Customer support – what hours need to be supported, what methods of support must the service have (email, phone, etc.), local language requirements, voice mail requirements, etc.
- Compliance – what kinds of businesses and content are allowed and the caveats for specific services (for example, disclosures that state when a service will have ongoing messages delivered)
- Dispute/Refund rates – process for handling and associated fees and penalties
These rules can vary not only by country, but also by the carrier within a country and the list of rules goes on and on. If you’re interested in learning more about mobile compliance, a great place to start is with the MMA Best Practice Guidelines, which can be found in this PDF.
Since the rules are very specific and they change over time, you should not assume that what’s okay for one web site or service is okay for another; make sure you check with your payment provider before offering mobile payments on new features or businesses.
Tip #2 – Set user expectations and provide good customer service
One of the common complaints from customers is that they don’t receive the product or service they were offered, or that it was not as expected when it was received. When either happens, as with credit cards, it can result in a “chargeback” (reversal of the proceeds from the transaction, possibly with some fees added on, too!). To avoid chargebacks, make sure that you set clear expectations on what is to be delivered and when, and ensure that you provide timely customer service to resolve complaints quickly.
- Be clear about timeframes on fulfillment. If it normally takes several hours before a user might see a credit in their account, let them know that up front
- Specify any restrictions on the product being purchased. For example, if credits are being purchased that can’t be used on all products or be transferred if a user “upgrades” their account
You can also avoid issues by educating your customers on how to prevent fraud. If you need help with this, you can reference this blog post (link) with some helpful tips for customers.

Chances are that no matter what you do, though, you’ll still have some number of issues that arise over time. When you do encounter them, particularly chargebacks, make sure you carefully track them in as much detail as possible. Which customers charged back? How many times? What percentage of their activity resulted in a chargeback? Why did they issue a chargeback? You’ll see why in a bit.
Tip #3 – Know who has the liability (and if you do, then make sure you mitigate it)
Whenever anyone asks me about risk, one of the first questions I ask in response is “who has the liability?” In the payment space liability often lives with the merchant; in mobile payments this can vary significantly depending on the market and the carrier. For example, in most European countries refunds are not often issued and, when they are, the carrier does not pass them back as chargebacks; in most Asian markets, chargebacks come in the form of “discrepancies” which include bad debt, refunds and billing system issues, and no details are provided; in the United States, refunds from almost all carriers are charged back and the details behind them (MSISDN, amount, date, etc.) are typically provided.
Make sure you know if you have liability and how it’s structured, and do this at the point you’re setting up a mobile payments service, not when the liability hits you. Are there chargebacks? When should I expect to see them? What information is provided? Are there any penalties or fees in addition?
Once you know about the liability, you now need to know about mitigation. Your mobile payment provider may have fraud systems in place to help you reduce risk and if they do, that’s great. But, if the liability lives with you then it’s probably a good investment of time to create your own systems and rules (and don’t wait for your first chargeback to do it).
Developing a complex risk engine isn’t simple, but one basic thing you can do is to utilize negative files. If accounts have too many chargebacks, if there is evidence of fraud or any other abuse (such as abuse of a promotion), don’t just close the customer’s account – instead, add all the information you have on that customer (name, email, account information, etc.) to a negative file and look for matches to that file when new activity occurs. Be careful, though…you don’t want to blacklist an entire IP address just because one customer who used it was bad. You also don’t want to decline John Smith just because another John Smith abused a promotion. Instead, use this data as a strong indicator of potential risk. Also, if you can, look for similarities among negative files and not just exact matches, particularly with string variables; wouldn’t it be nice if the computer could find a match between “123 Main St #1” vs. “123 Main street, apt 1”, for example?
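As an added illustration of the negative-file approach above and of the chargeback tracking urged in Tip #2 (example code, not from the post or from Boku): customers whose chargeback rate exceeds a threshold are written to a negative file in normalised form, so that “123 Main St #1” and “123 Main street, apt 1” compare equal, and new activity is scored as a weighted indicator rather than blocked outright on a shared IP or a common name. The sample transactions, customer records, field weights and abbreviation table are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample data (not Boku data): (customer_id, charged_back) pairs and the customers behind them.
TRANSACTIONS = [("c1", False), ("c1", True), ("c1", True), ("c2", False), ("c2", False)]
CUSTOMERS = {
    "c1": {"name": "John Smith", "email": "J.Smith+promo@example.com",
           "address": "123 Main St #1", "ip": "203.0.113.7"},
    "c2": {"name": "Ana Lopez", "email": "ana@example.net", "address": "9 Oak Ave", "ip": "198.51.100.2"},
}
ABBREV = {"st": "street", "ave": "avenue", "rd": "road", "ste": "apt", "suite": "apt", "unit": "apt"}
# Partial matches are indicators, not verdicts: a shared IP or a common name carries little weight.
WEIGHTS = {"email": 0.6, "address": 0.5, "name": 0.25, "ip": 0.15}

def normalize_address(addr):
    """Canonicalise so '123 Main St #1' and '123 Main street, apt 1' compare equal."""
    tokens = re.findall(r"[a-z0-9]+", addr.lower().replace("#", " apt "))
    return " ".join(ABBREV.get(t, t) for t in tokens)

def normalize_email(email):
    """Lower-case and drop a '+tag' suffix, a common way to re-register with one mailbox."""
    local, _, domain = email.lower().partition("@")
    return local.split("+")[0] + "@" + domain

def normalize(rec):
    return {"name": " ".join(rec["name"].lower().split()), "email": normalize_email(rec["email"]),
            "address": normalize_address(rec["address"]), "ip": rec["ip"]}

def chargeback_rates(transactions):
    """Per-customer (chargeback count, chargeback rate), the tracking asked for in Tip #2."""
    total, bad = defaultdict(int), defaultdict(int)
    for cust, charged_back in transactions:
        total[cust] += 1
        bad[cust] += charged_back
    return {c: (bad[c], bad[c] / total[c]) for c in total}

def build_negative_file(transactions, customers, max_rate=0.5):
    """Record normalised details of every customer whose chargeback rate exceeds max_rate."""
    rates = chargeback_rates(transactions)
    return [normalize(customers[c]) for c, (_, rate) in rates.items() if rate > max_rate]

def risk_score(rec, negative_file):
    """Weighted sum of fields matching the closest negative-file entry; returns (score, matched fields)."""
    n, best = normalize(rec), (0.0, [])
    for entry in negative_file:
        hits = [f for f in WEIGHTS if n[f] == entry[f]]
        score = round(sum(WEIGHTS[f] for f in hits), 2)
        if score > best[0]:
            best = (score, hits)
    return best
```

A name-only or IP-only match scores 0.25 or 0.15, which a review queue can treat as a weak signal, while an email plus address match on a different IP scores 1.35.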
Tip #4 – Secure your systems and your password
Okay, so we’ve all done it before but using a password of “password” or using the same password on many web sites simply isn’t secure, especially if you are the merchant. Imagine that someone was able to break into your merchant account, change the bank account to his bank account and start receiving your funds!
Select your password carefully. Don’t use a word from the dictionary, your company name, your birthday, your kids’ names or anything that could be easily guessed. Instead, choose one that’s relatively long (at least 8 characters) and that contains numbers or special characters.
Keep your password safe. You might have multiple people in your business that need access to the account, but share it only on a need-to-know basis and change it often. You don’t want a disgruntled or former employee accessing or changing sensitive information for your business.
In addition, make sure you understand what security is in place when communicating with payment providers, and be sure to follow their guidelines carefully. Also, keep your anti-virus software up to date and run regular scans of your systems. Of course, depending on your size you may not have a security expert on staff, so consider hiring a security consultant to assess your systems for vulnerabilities.
Tip #5 – Watch out for social engineering
Look out for (and train your employees to look out for) unusual requests, as these might be attempts to “socially engineer” you to provide information that you wouldn’t normally give out. A few examples: requests for customer data, any information related to your account or login or any sensitive information about your company (e.g., “I’m looking for the CFO”). If someone calls you and claims to be from a partner or authoritative agency then get evidence of that before you release anything sensitive.
Also, it’s important to note that these requests can come in any form. You may be familiar with spam that points you to spoof web sites but what about calls to your customer service department, SMS messages to your employees or chat applications? Bad guys are using a variety of techniques these days and some of them are quite convincing!
Summary
Keep in mind that risk management is not about having 0% fraud rates; it’s about being aware of what the risks are, tracking them regularly and carefully, and taking the necessary steps to mitigate them on an ongoing basis. Don’t let your first chargeback scare you into drastic actions such as shutting out an entire country; instead, use the scalpel approach. Also, make sure you look at all aspects of cost when evaluating your business and choosing providers to work with; don’t just look at the surface cost and payout rates, but also take customer service, risk management, tools, refund rates and other “back office” functions into consideration, as they could have a big impact on your bottom line.
The customer base for mobile payments is huge, really huge… over 1 billion people already, around the world. Following these tips can help you take advantage of this market for your own business.
Martine brings over fifteen years of experience creating and leading risk management, fraud prevention, and analytics for payments leaders across the web. Prior to Boku, she spent over five years at PayPal and eBay, where she managed the team responsible for proactive detection of fraud, credit risk and policy compliance. She joined Amazon.com in 1999 as part of the Accept.com acquisition and thereafter was an instrumental player in the design and development of Amazon’s risk detection engine, covering payments for both the company’s retail site and its payments platform.