
Antifraud. Fast, cheap ... great (part 1)

This article describes an experiment to create a system for detecting fraudulent bank card payments.

In the first part of the article I will explain why the issue of fraudulent payments (fraud) is so acute for all participants of the electronic payments market, from online stores to banks, and what the main difficulties are that make the cost of developing such systems too high for many ecommerce market participants.

The second part will describe the technical and non-technical requirements that apply to such systems, and how I intend to reduce the cost of developing and owning an antifraud system by an order of magnitude or more.

The third part will consider the software architecture of the service, its modular structure and key implementation details.

In the fourth part of the article we will discuss in detail the technically most difficult and most intellectually demanding part of the system: the analytical subsystem that recognizes fraudulent payments.

Get Started!


The rapid growth in the number of plastic card operations made via the Internet poses ever new challenges for the developers of online payment systems, associated with the growing scale of such systems and the increasing complexity of the approaches needed to ensure their reliability and security.

The number of fraudulent transactions and the diversity of fraud types are growing no less rapidly. Russia, along with England, France, Germany and Spain, is among the top 5 European countries in terms of annual fraudulent operations with bank cards. The total loss from card fraud in Europe in 2013 exceeded 1 billion euros. Russia accounts for 110 million euros, of which 2.4 million euros is fraud in payments made via the Internet.

A complete chain of participants in an online payment, when purchasing a product / service via the Internet, generally looks like this:

[Figure: Online Payment Flow]


Who is who?

Merchant: the seller of goods / services, i.e. the web application on which the client pays for the product / service.

Customer: the buyer who pays for a product / service on the merchant's website using a bank card (or other available means).

Electronic payment system (PS): a service that accepts payments in electronic money, by bank card (and not only) via the Internet (examples of PS: Yandex.Money, WebMoney).

Acquiring bank: a bank that provides payment card processing services.

International payment system (MPS): a settlement system between banks of different countries that use common standards for payment instruments. Examples of MPS: Visa, MasterCard, American Express.

Issuing bank: the bank that issued the bank card with which the client is trying to pay for the product / service.

Problem


The problem of fraudulent transactions (fraud) affects all participants in this chain: from the buyer to the bank that issued the card to the client (the issuing bank). For all participants except cardholders, fraudulent transactions involve both significant financial costs and reputational risks. For the ecommerce industry as a whole, fraud also has tangible negative consequences: lost profits and mistrust on the part of Internet users, which, in turn, hinders the wider spread of electronic payments.

Thus, a system for recognizing fraudulent payments (an antifraud system) is a market necessity for any serious participant in online payments (again, except for the buyer). At the same time, a good antifraud system is most often "long, expensive ..." and complex.

The complexity of the solution


Financial difficulties: cost of development vs fraud penalties


For a bank, the cost of an antifraud system is, on the scale of its business, quite acceptable; for a payment system it is an integral part of the business process; but merchants often have neither the financial means nor the understanding of how to create and maintain such systems.

But even a merchant cannot ignore fraud: at best, the money from a fraudulent payment will not reach the merchant (even if the service has already been provided); at worst, the merchant will also be fined. The amount of the fine generally starts at $10 and grows in proportion to the volume of fraudulent transactions. In addition, when fraud volumes are large, the MPS (Visa, MasterCard) can impose sanctions (I am not afraid of this word) on the merchant.

An effective way to reduce costs on the merchant side is to introduce additional checks for the client and to delegate part or all of the fraud-checking duties to another participant. The most common method is 3-D Secure (delegation of verification duties to the issuing bank).

3-D Secure

3-D Secure is a protocol that adds an extra level of security for online credit and debit card payments. In essence, it is two-factor authentication of the cardholder.

But it should be borne in mind that adding such steps, which require additional actions from the user, often leads to a dramatic reduction in the number of successfully completed transactions (@Gremnix cited a 20-25% drop in successful payments after enabling 3-D Secure in Russia).

Legal difficulties


During development, the antifraud system will inevitably have to deal with an area of great responsibility, the protection of client and payment data, as well as the formal side of this issue: certification for one of the PCI DSS levels.

About PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a data security standard for the payment card industry: a list of security requirements for storing and transmitting payment data. For those interested in the details of the standard: the official PCI Security Standards Council site.

When developing an antifraud system, it is also necessary to take into account certain legal restrictions on the storage and exchange of customers' payment and personal data. In Russia this is the federal law "On Personal Data" (152-FZ). The provisions of this law will be touched on later, when the software architecture of the service is considered.

Technical difficulties


An antifraud system is a business-critical system: its downtime will stop the business process, and if it does not work correctly, the company's risk of financial losses increases.

Hence the increased requirements for reliability, data storage security, fault tolerance and system scalability.

Within the team developing an antifraud system, the following roles and responsibilities can be distinguished:

Merchant Benefits


In the whole chain of online payments, the merchant is in one of the most difficult positions: unlike the buyer, the merchant is liable for fraud with its own funds, and at the same time, unlike a bank, it often does not have sufficient resources to counter fraud effectively.

But the merchant also has an advantage: unique information about the buyer of the product / service, which is often not available to other participants in the online payment (for example, the issuing bank or the MPS). Thus, electronic payment system (PS) sites are likely to know the real name of the payer; online stores offering delivery are likely to know the payer's real country and city of residence, etc.

The name and surname of the account owner, the lifetime of the account, the number of successful payments previously made through the merchant's site, information about the host from which the HTTP request came, information about the browser: this is just a short list of the information often available to the merchant that can significantly improve the effectiveness of fraud detection.
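The merchant-side signals listed above can be combined into a simple rule-based risk score that decides when to step a payment up to 3-D Secure, so that the 20-25% conversion hit described earlier is paid only on risky transactions. This is an added illustration, not code from the article; the field names and rule weights are assumptions, and the IP country is assumed to come from a GeoIP lookup of the request host.

```python
from dataclasses import dataclass

@dataclass
class Payment:
    """Merchant-side context for one card payment (field names are assumptions)."""
    account_age_days: int
    prior_successful_payments: int
    billing_country: str
    ip_country: str            # assumed GeoIP lookup of the HTTP request host
    amount: float
    name_matches_account: bool  # cardholder name equals account owner name

def risk_score(p: Payment) -> int:
    """Additive rule score; weights are illustrative, not from the article."""
    score = 0
    if p.account_age_days < 1:          # brand-new account
        score += 30
    elif p.account_age_days < 30:       # young account
        score += 10
    if p.prior_successful_payments == 0:  # no payment history on this site
        score += 20
    if p.billing_country != p.ip_country:  # geography mismatch
        score += 25
    if not p.name_matches_account:
        score += 15
    if p.amount > 500:                  # large ticket
        score += 10
    return score

def decide(p: Payment) -> str:
    """Route by score: approve outright, step up to 3-D Secure, or decline."""
    s = risk_score(p)
    if s < 25:
        return "approve"
    if s < 60:
        return "3ds"
    return "decline"

def step_up_rate(payments: list) -> float:
    """Share of traffic sent through 3-D Secure: the conversion cost of the policy."""
    if not payments:
        return 0.0
    return sum(decide(p) == "3ds" for p in payments) / len(payments)

if __name__ == "__main__":
    # Constructed sample payments, not real data.
    sample = [Payment(400, 12, "RU", "RU", 40.0, True),
              Payment(10, 0, "RU", "RU", 100.0, True),
              Payment(0, 0, "RU", "US", 900.0, False)]
    for p in sample:
        print(risk_score(p), decide(p))
```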

Conclusion (to be continued ...)


We have reviewed the main aspects of the problem of fraudulent payments. Obviously, insufficient attention to fraudulent payments leads to significant financial costs. At the same time, developing a full-fledged antifraud system requires spending both on infrastructure and on the work of a team of specialists with rather rare competencies.

In the following parts of the article, an experiment will be conducted whose purpose is to create a distributed, highly scalable, fault-tolerant system for detecting fraudulent payments.

The antifraud system will be available as a web service, and third-party merchants will be able to connect to it. The financial goal is to make development of the service an order of magnitude or more cheaper through a number of approaches that significantly reduce the initial outlay on equipment and software, the number of specialists, and the man-hours spent.

Details of the experiment, a description of the service's software architecture and a detailed analysis of its most critical modules will be given in the following parts of the article.

Source: https://habr.com/ru/post/253725/

