Monitoring and controlling transactions of online merchants connected to a payment processing platform is an integral part of the daily routine of any payment service provider who cares about the safety of their business. And by this we don’t mean protection of online merchants from fraudulent payments which is also very important in itself.
We mean security measures undertaken by the company, for protection against intentional or unintentional actions of their online merchants that might cause minor or major troubles.
Does it sound too vague? Alright. Let’s put it this way. The world is not perfect. And, despite the fact that most Internet merchants are honest entrepreneurs seeking to run their business adequately, e-commerce is still full of adventurers, swindlers, and simply irresponsible individuals who willingly receive money from buyers, but don’t always fulfill their obligations before them.
Providing services of online payment accepting and processing to such Internet merchants (especially in case of transactions with bank payment cards) can result for a payment service provider in financial losses, severance of relations with acquiring partners and unpleasant conversations with law enforcement authorities.
Naturally, most dubious and suspicious Internet merchants are barred at the stage of their applying for the service of online payment acceptance and processing owing to the well-known rule in payment industry “know your customer”.
But no matter how well your risk manager exercises due diligence, you still need to monitor carefully and check each merchant connected to the online payment acceptance and processing system later on.
When one deals with cash flows, one should always be slightly paranoid. Besides, the payment service provider should constantly monitor their merchants throughout the service to detect as soon as possible if something goes wrong. And to take timely corrective measures together with the online merchant, or in an extreme case, to disconnect them from the online payment acceptance and processing service.
Signs of problems. Start monitoring your online merchants’ transactions
The payment service should begin exercising control over their Internet merchants with monitoring their transactions. Believe us, the constantly growing array of data constituted by payment transactions, refunds and chargebacks of an Internet merchant, is a great source of information about their current activities, provided you know what to look for and what to pay attention to.
Let us give you an example. It is common knowledge, but it might be useful to say it again: a payment service provider should constantly monitor the level of refund and chargeback transactions for each integrated online store. If the number of such transactions exceeds some specified amount, it is clear that something is not right. It’s just because buyers and customers who are satisfied with the purchased product or service, do usually not ask for a refund.
Another alarming symptom of possible problems is when among transactions of an online store there are payments in amounts that do not coincide with the variety of prices on the corresponding web-site. In 99% of cases this behavior means aggregation. Simply put, the Internet merchant uses the processing system of the payment service provider to accept money for something different than what they claimed when connecting to the payment service. It usually means something illegal.
Here’s another situational pattern that should raise suspicion of risk managers and make the payment service provider look into the matter:
Attempts (however successful) of an Internet merchant to accept a relatively large number of payments over a relatively short period of time from different customers holding different cards issued by the same bank. The issuing bank in this case is determined by the BIN of the card. Typically, this means that:
- Either it is a cybercriminal who somehow managed to connect to the processing system of the payment service provider and who is now trying to “cash out” money from a bunch of stolen bank payment cards;
- or it is a respectable Internet merchants who fell victim to carders, seeking to do the same.
Of course, there is a chance that the issuing bank announced a campaign saying “pay with our card on a certain web-site within an hour and get a gift.” But until you know for sure, the situation looks strange and requires special attention.
By the way, that’s a real-life example: carders once tried to use a bunch of credit cards issued by a British Bank in one small online store from Estonia.
You can and should track such situational pattern not only by BIN, but also by many other transactional characteristics: the buyer’s email, name, phone number, IP address, and so on.
We have given just a few examples, showing how important it is for the payment service provider to monitor and analyze transaction flows of their online merchants.
In reality, there are many more transaction behavioral patterns that might signal a potentially dangerous situation for a payment service. And of course, it is simply impossible to track and locate them manually. That is why modern, advanced processing systems for payment service providers (for instance, beGateway, a WLS platform based system developed by eComCharge) have built-in tools to monitor and analyze transactions of online merchants automatically in real-time, and notify the risk manager of the payment service immediately in case of detecting anything suspicious.
Important capabilities of the payment processing platform. Detect, block and decline unwelcome transactions based on predefined characteristics
However, transactional pattern analysis is only a part of the measures available to a payment service provider to control their online merchants. Another important component of such control is the ability of the payment service, or rather its processing systems, to detect, block or decline unwelcome transactions of their online merchants based on predefined characteristics.
The characteristics are numerous:
- The presence of the bank card or the buyer in so-called “black lists” which, incidentally, the payment service provider processing system must support.
- An attempt to pay from a country with a potentially high level of probability of subsequent chargeback transation, i.e. from the so-called high-risk countries.
- A simply suspicious transaction, when the IP address is in one country, the billing address is in another, and the issuing bank is in a third country.
In short, the variety of signs of a suspicious single transaction is on a par with the diversity of transactional patterns of potentially dangerous situations which we discussed above. Consequently, the appropriate tools in the processing system of a payment service provider should have quite flexible settings to work effectively with both the former and the latter.
beGateway, a WLS platform designed for quick creation of online payment acceptance and processing systems, proudly features such a monitoring tool to control online merchants: beProtected, a risk management and anti-fraud system. Being part of beGateway, beProtected can be used as a separately installed software that works with any processing system.
beProtected can work with more than 40 transaction characteristics, including BIN and digital fingerprint of the device used for the transaction. It allows risk managers of the payment service provider to create the so-called transactional analysis and validation rules in the format of “If …, then …”. This format enables to describe virtually any situation requiring a risk manager’s reaction, and to program the payment service processing system for immediate notification in the event of its occurrence.
Risk managers of the payment service should be able to use third-party programs and methods to analyze transactions if needed, however beautiful and perfect monitoring and analysis tools the payment service provider processing system boasts. For this purpose, the risk manager needs to be able to export transaction data in a file for subsequent work with them.
BeGateway can export all information about the transaction into MS Excel file format.
Flexible account activation and deactivation of a merchants and their online stores
And finally, there is one more thing we would like to mention. We mean activation and deactivation of a merchant account and their online stores in the payment service provider processing system.
Most processing systems offer only 2 statuses for the merchant’s account and their stores:
- “Enabled”, i.e. all operations available in the processing system are allowed.
- “Disabled” which in case of a store means that any transaction type for it is completely banned, and if the Internet merchant’s account is disabled, it’s impossible to enter the back office.
Based on the experience of our clients (payment service providers that lease beGateway and use it as their own processing system) we know that such a binary approach is not very convenient. Sometimes you need more flexibility. And beGateway platform provides this flexibility.
The payment processing platform beGateway can restrict admission of new online store payments, but leave the opportunity to conduct refunds. Or ban any transaction types for the Internet merchant, but leave this option for the payment service provider staff. Or allow the online merchant to log in the back office only to get the relevant statistical information on the transactions, but ban doing anything else.
Full control exercised by the payment service provider over their Internet merchants and their transactions is the foundation of business security.