What Are False Declines?

In the world of ecommerce, false declines are legitimate credit card purchases that are incorrectly declined by the credit card issuer.

Also known as false positives, false declines are what happens when an online shopper makes a legitimate purchase using a valid credit card, but that purchase is declined when it should have been approved.

It’s a simple concept, but the results are multifold—and unpleasant:

• For consumers, false declines are both a nuisance and an insult. They are a nuisance because the consumer can’t buy the intended product or service but must instead look elsewhere to make the purchase. And they are an insult because they imply, explicitly or implicitly, that the shopper is guilty of wrongdoing or fraud. In fact, a Sapio Research study revealed that a full 33% of American consumers would “never place an order with that merchant again” if their order was declined.

• For online merchants, false declines are also a nuisance because they result in lost revenue for the merchant. A purchase that is declined by the bank is a sale that the merchant never makes. Plus, false declines typically anger customers, and increase the number of customer complaints and customer service calls that the merchant must field by phone, email and chat.

• False declines are costly. According to the Global Fraud Survey published by the Merchant Risk Council, the average online store declines 2.6% of all orders because they suspect fraud. The higher the purchase price, the higher the percentage of declines. Merchants decline roughly 3.1% of orders over $100, for example. 

If one does the math, it’s easy to see that this high percentage of declines means plenty of lost revenue for online merchants. For a business with $10 million in annual online sales, this amounts to up to a whopping $260,000 in lost revenue annually—lost sales that could have been prevented.

To understand why false declines happen at all, we must first understand the world of online fraud.

Welcome to the real world of false positives

False declines are a peculiar byproduct of the online economy, in which merchants must approve credit card transactions in which the credit card is not physically present.

In a typical bricks-and-mortar retail purchase, a shopper hands over a physical credit card during the transaction. If the card is valid and not stolen, the transaction is usually approved. But online, the card is never present, just the name, card number, expiry date and security code. In hundreds of portals on the dark web, stolen credit cards are sold to online crooks, who use them to make purchases anonymously. This is the main reason that online credit card fraud is so common—it’s easy, anonymous, and is hard to deter.

This type of fraud (using stolen credit card credentials to make purchases online) is called card-not-present (CNP) fraud, and costs online merchants more than $6 billion per year. Because of this, an entire industry exists of software companies who offer apps, shopping cart plugins, tools, and services to spot card-not-present fraud before a transaction is approved.

These tools use a mixture of rules and machine learning to either approve or decline credit card transactions, typically automatically. And here is where the false declines happen. Some automated CNP fraud detection tools are overzealous, declining valid credit card transactions as well as fraudulent ones.

To understand how false positives happen, take a look at a typical online purchase:

Step 1: Shopper visits online store.

Step 2. Shopper places product in shopping cart and enters credit card details. So far, the order has neither been approved nor declined.

Step 3: Payment gateway processes order (a payment gateway validates the customer's card details securely, ensures the funds are available and eventually enables merchants to get paid). Depending on how it is configured, the payment gateway may run the order through fraud filters. These filters are typically highly automated and unsophisticated. In other words, they cannot assess gray areas, such as unusually large purchases made by a legitimate customer using a valid credit card for a special occasion, such as a wedding.

Step 4: Third-party fraud protection system processes order. If the merchant uses a third-party fraud-protection system, the system uses an additional layer of automated filters to conduct a more in-depth analysis of the order. It may use advanced machine learning techniques to learn the specific fraud characteristics of a business. But these automated systems are also fallible. They struggle with holiday scenarios, for example, when customers place more orders than usual to be delivered to multiple addresses.

Step 5: Issuing bank authorizes order. Banks also have automated processes to identify fraudulent orders. When they decline a transaction, banks provide a response code to indicate the reason, but these codes are sometimes vague and do not help merchants avoid similar transactions in the future.

Step 6: Settlement of the payment. At this point, the transaction has been approved, but technical issues between the customer and the bank may still disrupt the process.

How false declines happen

Between step one and step five, there are literally hundreds of ways the purchase can be declined. This is because fraud filters are powered by complex algorithms that use the common characteristics of fraud as inputs. These include:

• Location of the shopper (Is it different from where they usually shop from?)

• Delivery address (Is it to a different country from the one the card holder lives in?)

• Shipping speed (Is the shopper requesting the fastest shipping method, perhaps to receive the goods before the fraud is detected?)

• Inconsistent order data (the zip code and city entered don’t match, for example).

• Larger than average order

• Multiple shipping addresses (buyer makes multiple purchases under one billing address, but ships the products to multiple addresses)

• Multiple orders from many credit cards

• Missing card information

• Strings of orders from a new country

Some types of fraud are so common that the filters used to spot them have names:

• Daily Velocity Filter: Limits the number of transactions that can be processed in a day from the same IP address.

• Shipping and Billing Mismatch Filter: Identifies transactions submitted with different shipping and billing addresses.

• High-Ticket-Purchase Filter: Identifies purchases that are above a set dollar threshold.

• IP Address and Shipping Address Mismatch Filter: Compares where order is coming from with the shipping address provided.

For obvious reasons, credit card companies don’t publish the criteria that their complex algorithms use to detect fraud and catch fraudsters. But some industry analysts estimate that fraud-detection systems weigh up to 500 factors when determining whether to approve or decline orders.

False declines happen when any of these hundreds of criteria are too stringent. For example, most online shopping carts allow a shopper to enter an incorrect credit number more than once. All shoppers are clumsy sooner or later, and either enter their credit card numbers incorrectly, or type the expiry date incorrectly. A system that declined all orders after the first mistake would result in an unacceptably high number of declines.

This goes for plenty of the other criteria that fraud-detection tools use when detecting fraud. When they are set too strictly, they result in an unacceptably high level of false declines. Some tools, for example, arbitrarily decline all orders from high-risk countries automatically. Other tools automatically decline all orders not requiring a signature on delivery.

The cure for false positives

The cure for false positives is obviously not to stop using anti-fraud tools. 

What merchants must do is create smarter filters that spot fraud by understanding context. This typically means analyzing the data behind declined transactions and disputes. Additionally, merchants can avoid false declines by refusing to (or choosing a fraud protection provider who refuses to) auto-decline any orders, instead conducting an expert manual review of any flagged transactions. One caveat: This manual review must be done with the customer experience fully in mind. Wait too long to verify the customer’s details, or act accusatory when contacting them, and the transaction—and the customer relationship—is all but guaranteed to be cancelled.

False declines can be extremely damaging. Fortunately, by finding similarities and correlations between legitimate transactions that are consistently flagged as fraudulent, merchants (and the companies who make fraud filters) can create accurate fraud filters that lead to more legitimate transactions being approved, and fewer genuine transactions being declined. And by ensuring that their fraud prevention service always has the human touch, they can keep their customers happy…and coming back.  

This blog post was contributed by Rafael Lourenco, EVP and Partner at ClearSale