If you work on e-commerce, beside making sure the online payment is smooth, another critical task is to deal with fraud! Fraud shares lots of common characteristics with (information) security. Good guys and bad guys are always fighting endlessly, just like Marvel comics: super heroes vs. super villains.
Credit: Marvel Comics
Most company either builds an in-house solution or use some market available solution. So what is the hard core of a fraud management system?
Before answering this question, maybe we can go through a simple e-commerce checkout flow (you know in reality, it will be much more complex):
In last 5 years, I have worked on three fraud management systems. In a plaintext, we gather all possible “evidences” of fraudsters and try to convict the “crime”. Translate the previous sentence to technical words: a payment transaction comes to a rule engine, it will run bunch of rules at real time, then outputs a decision like reject, approve, review, etc. Based on the configuration and the business model (Merchant on Record or not, etc.) , the payment system will take corresponding action.
To build the rule engine, Drools is a popular choice. Of cause, we can build a similar in-house version too. The key is the rules. Here is a list of some rules:
- Any machine learning, data mining or AI technology
- logistic regression
- CVV AVS for credit card
- Bank Identification Number (BIN) lookup
- 3-D Secure
- Velocity check
- Device Fingerprint
- GeoIP lookup
- Black list and white list
- any other third party domain specific data
Any single item above in details can be an individual post. But hope you get some basic ideas.