Cooking Out Friendly Fraud with EMV 3-D Secure | Jordan Harris, Ticketmaster


September 09, 2019

There are two things I really love in life: cooking and fighting fraud. Both have extremely satisfying results that are tangible and can be shared with others for satisfaction and validation. Unfortunately, with fighting fraud, just like with cooking, there can be unexpected consequences despite all the preparation, care, and time that went into crafting the masterpiece before you.

The other day I was making a low-carb lasagna with zucchini sliced into thin pieces using a mandolin. The secret to the dish is that you need to get the moisture out of the zucchini before you bake it. Those slices sat for 2 hours between napkins and in the end, I still wound up with a puddle of water on the surface on my otherwise flawless meal. The same thing can happen with fraud; you could build the most precise rule or train your model 3 times a week to spot bad actors and eliminate false positives, but 45 days later you still might get that infamous "it wasn't me" claim in your chargeback queue on a good account. It's frustrating.

There's nothing you really could have done, right? With my lasagna I could have waited even longer or used a food dehydrator, but my end product would have been less appetizing. The same goes for fraud. You could crank up the heat and manually review every single order, make the customer pay with ACH only, or mail in cash. But that doesn't really solve any problems, does it? The fact of the matter is that my lasagna water is just a cost of doing business with low-carb living and friendly fraud chargebacks are just a cost of doing business in the eCommerce world.

After EMV transition we all felt it. We knew we were going to and we all did less than we probably should have to prepare for the waves of fraud that shifted to eCommerce merchants. We all stayed focused on keeping the conversions high, the rejects low, and the chargebacks under 1% (.9% in October). Might as well make that your team motto right now. We used our rules engines and presented our manual review teams with shiny new tools to do identity checks deeper and more cleverly than ever before. Some of us dumped in some black box machine learning software that we kept hearing about. And life went on. But the fraudsters did the same. They started using machine learning, better botnets, and synthetic IDs. It all got harder, faster, and even more sophisticated. And then outside all of that, fraud cases still rolled in, even when we knew it was the real cardholder that did it! All-in-all: chargebacks kept coming.

Enter EMV 3-D Secure.

Just like low-carb eating, 3-D Secure is by no means new and works best when combined with something else. 3-D Secure should never be considered a "fraud prevention" tool. You still need to be able to identify fraud on your platform and be able to stop it if needed. I think 3-D Secure, especially EMV 3DS 2.0, is fantastic to get the loss dollars down. But to me, despite its usefulness, it is not the magic answer we all seem to be searching for. It is great not seeing fraud chargebacks rolling in your queue on transactions you shifted, but I feel for the more engaged, it can remove a valuable piece of information you need to be effective with your job. What it does well is preventing financial loss from those chargeback abusers who deceptively claim fraud. For example, it is effective for the person who buys a VIP package to a festival and posts pictures on Instagram and Facebook clear as day enjoying the festival -- with their face in every single one -- but still calls their bank and says, "I have no idea what this charge is!" Or the kid who took mom's credit card to buy those K-Pop tickets without asking and then said "I have no idea, momma" when the statement comes in the mail. It is nice not having to try to fight those only to lose when we all know darn well they did it!

It's also important to remember that the old phrase "out of sight, out of mind" applies here. You won't see liability-shifted chargebacks, but they still exist on your merchant account. You can still wind up in an excessive chargeback program even though you did not take a loss. It is a balancing act and you very much need to still be involved every day in monitoring activity on your platform. 3DS is just another layer in the lasagna that is your multi-layered fraud prevention approach. You might be able to relax calls to any step-up services, but you still need to be screening transactions like you normally would and blocking items, with or without a liability shift, or you might wind up in a world of hurt.

The other problem is the feedback loop. Unless you can get an easy to digest report that shows exactly what transactions were shifted but resulted in a chargeback, you can lose one of your most valuable tools, the negative feedback loop. When training a machine learning model, you need to provide it with the "bad" so it knows what to look for. You need to do this often. The same goes for people who use only rules engines, too. You need to be able to add the accounts, emails, credit cards, etc. to a negative list. You need to quickly review those shifted items to spot patterns and make new rules for when they come back. You cannot just treat it as a "Well, I don't get the chargebacks, so I don't care" because you should. You still get the hit on your merchant ID, and if you ever make a change that shifts away from 3-D Secure, you are going to want to be ready, just in case.

As our time here together is winding down and my next masterpiece is almost finished in the oven, I would like to leave you by stating, I love EMV 3-D Secure I really do. It is a fantastic product to limit the exposure and make finance teams happy everywhere. I especially love that it removes the most annoying type of chargeback, friendly fraud. We all know they did it, they are just wasting our team's time to prove, once again, that it was them. With that noise gone, our people can focus on the important parts of their jobs, protecting innocent consumers from becoming victims of fraud on our platforms. For us at Ticketmaster, it is also getting tickets into the hands of real fans who paid with their own hard-earned money for access to a memory they will have for the rest of their lives. That, like my lasagna, is the real reward in the end.

Jordan Harris, Head of Chargebacks, Ticketmaster
Thanks for your time and happy hunting!

And for those that want the recipe for my lasagna. Note: I cook it in the oven at 375 degrees for 45 minutes.

Jordan Harris is the Head of Chargebacks at Ticketmaster.