
Antifraud. Fast, cheap ... excellent (part 1)
This article describes an experiment in creating a bank card fraud detection system.
In the first part of the article I will explain why the problem of fraudulent payments (fraud) is so acute for all participants in the electronic payment market, from online stores to banks, and what the main difficulties are that sometimes make the cost of developing such systems too high for many ecommerce market participants.
The second part will describe the technical and non-technical requirements that apply to such systems, and how I intend to reduce the cost of developing and owning an antifraud system by an order of magnitude or more.
The third part will cover the software architecture of the service, its modular structure and key implementation details.
In the fourth part of the article we will discuss in detail the most technically complex and most intelligent part of the system: the analytical subsystem for recognizing fraudulent payments.
Let's get started!
The rapid growth in the number of plastic card transactions made via the Internet poses new challenges to the developers of online payment acceptance systems, related to the growing scale of such systems and the increasing complexity of the approaches needed to ensure their reliability and security.
The number of fraudulent transactions and the variety of types of fraud are growing no less rapidly. Russia, along with England, France, Germany and Spain, is among the top 5 European countries by annual volume of fraudulent bank card transactions. Total losses from card fraud in Europe in 2013 exceeded 1 billion euros. Russia accounts for 110 million euros, of which 2.4 million euros are fraud in payments made via the Internet.
The complete chain of participants in an online payment when purchasing a product or service via the Internet generally looks like this:

Who is who?
- Merchant: the seller of a product or service; here, a web application in which a client can pay for a product or service.
- Client: a buyer who pays for a product or service on the merchant's website using a bank card (or another available method).
- Electronic payment system (PS): a service that accepts payment via the Internet by electronic money, bank cards and other means (examples of PS: Yandex.Money, WebMoney).
- Acquiring bank: a bank that provides services for processing bank card payments.
- International payment system (IPS): a system of settlements between banks of different countries that use common standards of means of payment. Examples of IPS: Visa, MasterCard, American Express.
- Issuing bank: the bank that issued the bank card with which the client is trying to pay for the product or service.
Problem
The problem of fraudulent transactions (fraud) affects all participants in this chain: from the customer to the bank that issued the customer's card (the issuing bank). For all participants except cardholders, fraudulent transactions mean both significant financial costs and reputational risks. For the ecommerce industry as a whole, fraud also has tangible negative consequences: lost profit and distrust on the part of Internet users, which in turn hinders the wider adoption of electronic payments.
Thus, a system for recognizing fraudulent payments (an antifraud system) is a market necessity for any serious participant in online payments (again, except the buyer). At the same time, a good antifraud system is most often "slow, expensive ...".
Difficulties
Financial difficulties: development cost vs penalties for fraud
If for a bank the cost of an antifraud system is, on the scale of its business, an acceptable amount, and for a payment system it is an integral part of the business process, then merchants often have neither the financial ability nor the understanding of how to create and maintain such systems.
But the merchant cannot ignore fraud: in the best case, the money for fraudulent payments will not reach the merchant (even if the service has already been provided); in the worst case, the merchant will also be fined. The size of the fine generally starts at $10 and grows in proportion to the volume of fraudulent transactions. In addition, with a large number of fraudulent transactions, the international payment systems (Visa, MasterCard) may impose (I am not afraid of this word) sanctions on the merchant.
An effective way to reduce costs on the merchant's side may be to introduce additional checks for the client and to delegate part or all of the fraud-checking duties to another participant. The most common way is 3-D Secure (delegation of verification responsibilities to the issuing bank).
3-D Secure
3-D Secure is a protocol that adds an additional layer of security to online credit and debit card payments. In effect, it is two-factor authentication of the cardholder.
But it is worth considering that adding such steps, which require additional actions from the user, often leads to a dramatic decrease in the number of successfully completed transactions (@Gremnix cited a 20-25% drop in successful payments when 3-D Secure was enabled for Russia).
Legal difficulties
In the process of developing an antifraud system you will inevitably have to deal with such a responsible area as protecting client and payment data, as well as with the formal side of this issue: certification at one of the PCI DSS levels.
About PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is the payment card industry's data security standard: a list of requirements for the secure storage and transfer of payment data. For those interested in the details of the standard: the official PCI Security Standards Council site.
When developing an antifraud system it is also necessary to take into account legislative restrictions on the storage and exchange of a client's payment and personal data. In Russia this is the Federal Law "On Personal Data" (152-FZ). We will touch on the details of this law later, when considering the software architecture of the service.
Technical difficulties
An antifraud system is a business-critical system: its downtime will lead either to a halt of the business process or, if the system malfunctions, to an increased risk of financial losses for the company.
Hence the increased requirements for reliability, security of data storage, fault tolerance and scalability of the system.
The team developing an antifraud system includes the following roles and areas of responsibility:
- subject matter expert: payment systems, banking systems, payment via the Internet, legal aspects of the operation of such systems;
- architect: designing a highly available, reliable (and preferably distributed and scalable) application;
- developer: a high-level programming language, asynchronous and multi-threaded programming, good mathematical training;
- data scientist: a researcher who loves data and mathematics;
- project manager (where would we be without them): coordination of development.
Merchant Benefits
In the entire online payment chain the merchant is in one of the most difficult positions: unlike the buyer, the merchant is liable for fraud with his own funds, and at the same time, unlike the bank, he often lacks sufficient resources to combat fraud effectively.
But the merchant also has an advantage: unique information about the buyer of the product or service, which is most often unavailable to other participants in the online payment (for example, the issuing bank or the IPS). Thus ECN sites are very likely to have the payer's real name; online stores that offer delivery are likely to know the payer's real country and city, etc.
The first and last name of the account holder, the lifetime of the account, the number of earlier successful payments made through the merchant's website, information about the host from which the HTTP request came, browser information: this is just a short list of the information that is often available to the merchant and that can significantly improve the efficiency of detecting fraudulent transactions.
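One way the merchant-side signals listed above could feed a first-pass risk score, as an added example that is not code from the article or its service; the field names, rule weights and decision thresholds are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import List, Tuple

# Signals the article lists as merchant-only: account holder name, account
# lifetime, earlier successful payments, request host, browser information.
# Field names, weights and thresholds are assumptions made for this example.
@dataclass
class MerchantSignals:
    account_holder: str             # name on the merchant account
    cardholder_name: str            # name entered at checkout
    account_age_days: int           # lifetime of the merchant account
    prior_successful_payments: int  # earlier successful payments on this site
    request_country: str            # country resolved from the request host
    delivery_country: str           # country from the delivery address
    user_agent: str                 # browser information from the request

def _norm(name: str) -> str:
    return " ".join(name.lower().split())   # case/whitespace-insensitive name

def score_transaction(s: MerchantSignals) -> Tuple[int, List[str]]:
    """Return (risk score, names of triggered rules); higher is riskier."""
    score, reasons = 0, []
    def hit(points: int, rule: str) -> None:
        nonlocal score
        score += points
        reasons.append(rule)
    if _norm(s.account_holder) != _norm(s.cardholder_name):
        hit(25, "name_mismatch")
    if s.account_age_days < 1:
        hit(30, "new_account")
    elif s.account_age_days < 30:
        hit(10, "young_account")
    if s.prior_successful_payments == 0:
        hit(20, "no_payment_history")
    elif s.prior_successful_payments >= 5:
        hit(-15, "established_history")     # trust earned on this site
    if s.request_country.upper() != s.delivery_country.upper():
        hit(25, "geo_mismatch")
    if not s.user_agent.strip():
        hit(15, "no_browser_info")          # no browser data: scripted client?
    return max(score, 0), reasons

def decision(score: int) -> str:
    """Map a score to an action; thresholds are assumed for the example."""
    return "decline" if score >= 80 else "manual_review" if score >= 50 else "accept"
```

A long-standing account with matching name and geography scores 0 (accept), while a brand-new account with mismatched name, mismatched country and no browser data scores 115 (decline).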
Conclusion
We have examined the main aspects of the problem of fraudulent payments. Obviously, insufficient attention to fraudulent payments leads to significant financial costs. At the same time, developing a full-fledged antifraud system requires financial outlay both for infrastructure and for the work of a team of specialists with rather rare competencies.
In the following parts of the article an experiment will be conducted whose purpose is to create a distributed, highly scalable, fault-tolerant fraud detection system.
The antifraud system will be available as a web service, and third-party merchants will be able to connect to it. The financial goal is to make development of the service an order of magnitude or more cheaper through a number of approaches that significantly reduce the initial outlay on hardware and software and cut the number of specialists and man-hours required.
The details of the experiment, a description of the software architecture of the service and a detailed analysis of its most critical modules will be covered in the following parts of the article.
To be continued ...