Lists identify returning customers, hot lists are for consumers that have had charge-backs on previous orders, warm lists are for habitual returners or consumers with customer-satisfaction problems, and positive lists identify the repeat good customers.
The use of lists is one of the most fundamental elements in any fraud-prevention strategy. If a merchant is doing nothing today, implementing a hot list is the very first thing they should do. If a merchant is doing business today and someone defrauds them, and the merchant has nothing in place to prevent the fraudster from coming back and defrauding them again, the fraudster will come back. Lists in general can also save a company money by allowing them to cut out certain orders before they have to pay for external calls such as authorizations, fraud screening, credit checks and the like.
Things to know about lists are:
Hot lists are excellent at preventing repeat fraud, and are fairly good at catching some forms of identity morphing.
Warm lists are an effective way to stop those customers that continuously make purchases and then just return the goods, or don’t make full payments. Warm lists are also a good way to track return or credit abuse.
Positive lists are an excellent way to reduce the number of orders you have to call out to external fraud screening for. They are also a good way to fast-track orders from a merchant’s best customers if they rely heavily on manual reviews.
THE FRAUD PRACTICE
KEY NOTES
Alternative Solutions - None
Building this In-House - The main thing a merchant needs is a database. Have a Database Administrator set up a database to use, adding the data elements discussed above. Working with the credit or finance group, compile a list of previous charge-backs using the data elements to fill it in. The next step is to set up a call to the database from the e-commerce engine, if a merchant is processing orders in real time, or from their order-processing application if they are operating in batch. Set up the lists so they are optimized for fast queries by presetting stored procedures. Although it is easy to add this directly to the e-commerce engine, I recommend that you create a fraud-prevention strategy first and implement this and other techniques with the end-state “strategy” in mind.
Estimated Cost - Costs vary based on the method you implement. A merchant can get basic hot list capabilities from most fraud-screening services, and they can get it as part of most decision engines. They can also build it internally very easily.
Sample Venders - N/A
HOT LISTS, WARM LISTS, POSITIVE LISTS TECHNIQUE OVERVIEW
Lists are used to identify returning consumers to determine if they have had good business or bad business in the past. Hot lists, sometimes referred to as negative lists, are utilized to reject orders from consumers that have had charge-backs on previous orders. Warm lists are used to either reject or review orders from consumers who have been customer-satisfaction problems in the past. Warm lists aren’t used for fraudsters, just consumers that never seem to be satisfied. Positive lists are used to identify a merchant’s best customers who have successfully closed business with them in the past and are trying to make a new purchase.
Key considerations when implementing or buying this functionality include:
To maximize the effectiveness of using lists, a merchant should make sure they can share data from, and be checked from, all channels (i.e., e-commerce, MOTO and card-present) if possible.
Merchants can exponentially increase the effectiveness of lists by having access to shared fraud lists.
The data fields a merchant uses for these lists are critical, so make sure you can add data elements as well as import and export data into the set. Also make sure you have methods to purge old records.
Plan on maintaining data in a hot list for at least 12 months — I recommend 18 months.
HOW DOES IT WORK?
List checks are fairly simple: A merchant designates a set of fields to maintain in a database and they populate it with records where they want to take some action. When they process a transaction, they check it against the list.
Typically the data element used for list checks are address, state, zip code, phone number, credit card number and e-mail address. Name is not recommended as there are too many people with similar names, and this could really kill a merchant's sales or fill their manual review bins.
When checking new transactions against the database, a merchant is looking for a match on any of the data elements, not just one of them. For address checks merchants will have to use some normalization to be effective. Make sure states are represented in the two-character designation, zip codes are five digits or five-plus-four and all blanks are stripped out of the address line. Look for matches on parts of the address line, not exact matches, as some individuals will change just one digit or letter to make it look like a different address. Set up a process that mandates that all charge-backs that are related to fraud must be input into the hot list.
HOW DO YOU USE THE RESULTS?
Always perform the hot list check first, before any call for an authorization. If a consumer is on the hot list, reject the order.
If using warm lists to catch customer service issues, do this check second, before authorization. If a merchant’s policy is to reject all warm list customers simply cancel the order, otherwise if it is to review, then do this check after you do the authorization.
One of the interesting ways warm lists have been implemented is to catch customers that are constantly returning goods. They can also be used to catch internal fraud rings that do credits to third-party credit cards. The method calls for a connection to their applications that process credits. Using a velocity of use technique, they count the number of credits based on each of the data elements discussed earlier. When they reach a preset number (e.g., more than 3 in 30 days), have that data populated into the warm list.
Positive file checks, unlike the warm list or hot list, must be a 100% match. Address, phone and e-mail — everything — must match before a merchant decides to skip any other fraud checks.