Tiered Identity Verification for E-commerce

  • Identity Verification

In their 2013 Online Fraud Report, Cybersource Corporation estimated $3.5B in lost revenue for e-commerce merchants.Despite the enormity of the impact many e-commerce merchants are hesitant to implement identity verification methods due to concerns regarding user experience.

As the occurrence of online fraud increases e-commerce merchants will need to start looking at transactions differently. All customers are not the same, and orders should likewise not all be treated the same. By acknowledging that some transactions involve a higher level of risk than others merchants can put controls in place without impacting the user experience (and order completion rates) for the majority of users.

Visa provides a list of indicators for fraud in card not present (CNP) transactions like e-commerce. These behaviors reflect the transactions that comprise the greatest level of risk (and therefore would need the highest level of identity verification to mitigate risk). While not included on Visas list, transactions where the ship-to address and bill-to address are different also involve a higher level of risk than transactions where the bill-to and ship-to addresses are the same (although comparably moderate risk relating to the other fraud indicators).

Considering the three levels of risk (low, moderate, high) for various transactions, I would propose that e-commerce merchants should incorporate the following levels of identity verification to avoid fraud:

  • Low Risk (e.g. same ship-to and bill-to address, repeat customers) for low risk transactions name and address verification should be sufficient to avoid the majority of fraudulent activity. Some payment processors provide address verification for CNP transactions, or a 3rd party solution, such as Identifraud Consumer, can be utilized.
  • Moderate Risk (e.g. different bill-to and ship-to addresses) for moderate risk transactions a secondary layer of identity verification should be involved, such as verification of Drivers License information. While this step does involve minor intrusiveness to the user experience, if messaged correctly the minimal impact should not degrade checkout completion rates.
  • High Risk (e.g. high ticket item purchases, non-verifiable addresses) for high-risk transactions the level of confidence needed in the users identity is significantly higher.When other methods of verification either fail or are insufficient then it becomes necessary to ask users to put forth additional effort, such as providing responses for dynamic Knowledge Based Authentication (KBA). For most e-commerce merchants high risk transactions should represent a fraction of their overall user base, meaning the vast majority of their users will never have to complete this step.

Every merchant is different, so the definitions and approaches represented above may need to be customized for each, but addressing identity verification is the right long-term play for all e-commerce merchants. As consumers increasingly consider security above convenience merchants that can provide a more secure shopping environment will come out ahead.