Overview

ACME's native fraud shield is integral to staying compliant with the card networks, to provide competitive card transaction pricing and to ensure cardholders' safety and financial health for all. The fraud shield is built natively into ACME's integrated stack to help reduce overall transaction costs from our vendors. We require fine-tuned behavior rather than generic shields, which tend to solve for online retail use cases that are not ours.

ACME also collaborates closely with Visa/Mastercard and others to understand how to enhance the shield as technologies evolve. The card networks have been integral in keeping us abreast of fraud activity across their vast networks, and they guide us so we can evolve accordingly.



How Does The ACME Fraud Shield Work?

The ACME fraud shield helps reduce chargeback rates by detecting and preventing fraud in real time for our online checkouts. This fraud often shows up as a card testing pattern, whereby batches of stolen cards are tried against our online checkout flows to see which cards are valid so they can be used elsewhere to make purchases.


To block such attacks in real time:

  • We implemented mechanisms in each primary layer of our technology stack. It starts at the DNS layer by ensuring all requests are DNSSEC-based, which protects against DNS impersonation. If you have a branded URL with us, we also strengthen the encryption to be on par with our standard eCommerce product by issuing a new joint SSL certificate between yours and ours to encrypt end-to-end.
  • We then compute a reCAPTCHA score at the browser level which helps assess whether the UX interaction is bot-based or not. 
  • We measure the browser IP velocity against checkout to rate limit frequent attempts that a human would not make.
  • Then, in our API servers, we first evaluate AVS (Address Verification Service), which makes it harder to authorize a stolen card by requesting additional cardholder data that is not on the card itself.
  • We will block if the reCAPTCHA score indicates a bot. Finally, we measure the velocity of the card against declines over a time window and temporarily block cards that decline too often.
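
As an added illustration (not ACME's code), the sketch below shows how the IP-velocity, bot-score and card-decline checks from the list above can be combined with sliding windows. The class name, thresholds, window lengths and the HMAC card fingerprint are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class VelocityShield:
    """Sliding-window checks for checkout attempts; all thresholds are assumed values."""

    def __init__(self, key, ip_max=5, ip_window=60, decline_max=3,
                 decline_window=600, block_secs=900, min_score=0.5):
        self.key = key
        self.ip_max, self.ip_window = ip_max, ip_window
        self.decline_max, self.decline_window = decline_max, decline_window
        self.block_secs, self.min_score = block_secs, min_score
        self.ip_hits = defaultdict(deque)      # ip -> timestamps of attempts
        self.declines = defaultdict(deque)     # card fingerprint -> decline timestamps
        self.blocked_until = {}                # card fingerprint -> unblock time

    def _card_id(self, pan):
        # Key state on a keyed hash so raw card numbers never sit in state or logs.
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _count(events, now, window):
        # Drop timestamps that fell out of the window, then count what remains.
        while events and events[0] <= now - window:
            events.popleft()
        return len(events)

    def check(self, ip, pan, score, now):
        """Return 'allow' or the reason the attempt is refused before authorization."""
        hits = self.ip_hits[ip]
        hits.append(now)
        if self._count(hits, now, self.ip_window) > self.ip_max:
            return "ip_velocity"
        if score < self.min_score:
            return "bot_score"
        if self.blocked_until.get(self._card_id(pan), 0) > now:
            return "card_blocked"
        return "allow"

    def record_decline(self, pan, now):
        """Record an issuer decline; start a temporary block once the limit is hit."""
        card = self._card_id(pan)
        events = self.declines[card]
        events.append(now)
        if self._count(events, now, self.decline_window) >= self.decline_max:
            self.blocked_until[card] = now + self.block_secs
```

Each refusal reason maps to one layer, so the returned string can be logged per attempt and the thresholds tuned per layer.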


All of the checks above are recorded in our data center logs, from which we trigger alerts and, when appropriate, notify our security ops teams to check for abnormal patterns. If a pattern is suspicious, we investigate and proactively trace the attack back to its sources so we can block them at the origin. Those blocks are not real-time, and they often give us the learnings to improve our shield as attacks evolve over time. In particular, each layer of the fraud shield is configurable, so we can adjust the scoring criteria to strengthen the shield in specific instances.


The ACME fraud shield is in place for those of you who take advantage of our checkout features via online API integrations. This ensures that you stay compliant with our integration requirements.


Learn more about EMV 3DS, which provides an additional layer of security for ecommerce transactions prior to authorization while also helping to satisfy the requirements of PSD2 SCA.