Why are e-commerce payment forms so complicated?

By Brandon Ballinger / 7 Mar 2013

Quick quiz: if your site accepts payments, what do you need to charge a user’s credit card?

[Image: payment form]

Just 20 characters: the credit card number and the expiration date. The three fields shown above comprise a complete payment form.

So why do most e-commerce payment forms on the web look like this?

[Image: e-commerce payment form]

The above form requires 14 fields. For my billing information, that’s 131 characters. It asks for my first name, last name, address, country, city, state, postal code, phone, company, security code, and my card type. And it’s hardly alone: the average web site requires 12 fields and 70 characters just to make a payment.

How did payments on the web become so complicated? Fraud.

Credit card fraud and the black market

Every site that accepts payments faces credit card fraud. On the black market, criminals can buy 100 stolen credit card numbers for $40 and use those to purchase expensive goods from unsuspecting web sites. Weeks later, when the cardholder notices the fraudulent charge on their monthly statement, they’ll call up their bank to reverse it, in what’s known as a “chargeback.” For online transactions, the merchant (not the bank) holds liability for all chargebacks due to fraud, and that liability is expensive. Sites across the internet lose more than $3.4B per year due to fraud in the U.S. alone.

To curb these losses, the major credit card companies introduced two anti-fraud measures in the late '90s:

AVS (address verification service) matches an address entered by the user against a billing address on file with the cardholder’s bank. Although effective at one point, today AVS is a weak signal. Fraudsters easily buy address information, and good users frequently get tangled up in AVS checks. In our data, AVS catches about 28% of fraud, but also flags 8% of regular users. In the payment form above, 50 of 131 keystrokes were related to the address.

CVV (card verification value). Starting in 1997, MasterCard started printing a 3-digit security code on the back of the card, and Visa followed suit soon after. In theory, the CVV is less likely to fall into criminals’ hands since PCI-DSS rules prohibit storing the CVV. In practice, of course, the black market is flooded with card numbers that have matching CVV codes. Depending on the country and vendor, CVV also goes by the acronyms CSC, CVV2, CVVC, CVC, CCV, or SPC.

Although AVS and CVV are well-intentioned, they have a cost—more friction and lost conversions. Users abandon forms with too many fields. Good users frequently mistype their billing address. After a user moves to a new address, it can take up to six months for the bank to update their information, leading to false rejections. Users often don’t know where on the card to look for the CVV code. One study found merchants who left CVV out of their payment flow reported 40% higher conversion rates.

Fraud or friction? A false choice

Luckily, you don’t have to choose. You can stop fraud without friction. On the internet, everything is measurable, and fraudsters leave behind tracks they’re not even aware of. What IP address is the user coming from? Are they using a proxy? A Tor node? How is the user navigating through the site? How many accounts have originated from this particular physical device? Is the e-mail from a legitimate domain? The most sophisticated sites today gather hundreds of signals and combine them into a risk score using a machine learning algorithm.

How to build a frictionless anti-fraud system would take a whole series of blog posts, but if you run a web site, you have options. Sift Science is building a system to fight fraud with machine learning. There are other vendors out there as well, and some sites start by implementing simple IP-based checks.

Two important caveats. First, check with your payment processor to see whether removing AVS and CVV will affect your transaction fees. In many cases, you can simply request less information (e.g., just the ZIP code) and get the same fee. Processors tend to be stricter about CVV, and sometimes charge about 0.1% extra to process payments without CVV. Second, rigorously measure the tradeoff between revenue and fraud rate when you change your payment form or verification strategy. We think most sites could grow their revenues significantly with less friction, even at the cost of slightly more fraud, but every site has a different tradeoff.
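
One way to put numbers on that tradeoff, as an added example (not Sift's code): a small Python model of expected profit per attempted order with and without an AVS-style check, using the 28% catch rate and 8% false-flag rate quoted above. The order value, margin, chargeback fee, the share of flagged users lost and the optional surcharge are constructed assumptions; replace them with your own measurements.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Checkout:
    fraud_rate: float             # share of attempted orders that are fraudulent
    avg_order: float = 100.0      # constructed: average order value
    margin: float = 0.30          # constructed: gross margin on a good order
    chargeback_fee: float = 15.0  # constructed: processor fee per chargeback
    catch: float = 0.28           # article: AVS catches about 28% of fraud
    false_flag: float = 0.08      # article: AVS flags 8% of regular users
    flagged_lost: float = 1.0     # assumption: every flagged good user is lost
    surcharge: float = 0.0        # assumption: extra fee rate with the check off

def profit_per_attempt(c: Checkout, use_check: bool) -> float:
    """Expected profit per attempted order, with or without the check."""
    good, bad, fee = 1.0 - c.fraud_rate, c.fraud_rate, 0.0
    if use_check:
        good *= 1.0 - c.false_flag * c.flagged_lost  # good users turned away
        bad *= 1.0 - c.catch                         # fraud that still gets through
    else:
        fee = c.surcharge * c.avg_order              # paid on every processed order
    gain = c.avg_order * c.margin - fee
    # A fraudulent order costs the goods shipped plus the chargeback fee.
    loss = c.avg_order * (1.0 - c.margin) + c.chargeback_fee + fee
    return good * gain - bad * loss

def check_benefit(c: Checkout) -> float:
    """Profit gained (or lost, if negative) per attempt by keeping the check."""
    return profit_per_attempt(c, True) - profit_per_attempt(c, False)

def break_even_fraud_rate(c: Checkout) -> Optional[float]:
    """Fraud rate above which the check pays for itself, or None if there is none.

    check_benefit is linear in fraud_rate, so two evaluations locate the root.
    """
    at0 = check_benefit(replace(c, fraud_rate=0.0))
    at1 = check_benefit(replace(c, fraud_rate=1.0))
    if at1 == at0:
        return None
    root = -at0 / (at1 - at0)
    return root if 0.0 <= root <= 1.0 else None
```

With the constructed defaults, the check only pays for itself once roughly 9% of attempted orders are fraudulent; below that, the good customers it turns away cost more than the fraud it stops.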

Conclusion

Payments online can be quick, efficient, and frictionless — without opening the floodgates to fraud. So why not remove as much friction as possible from your checkout process? Your customers and your pocketbook will thank you for it.

And if you need help keeping a lid on fraud, join Sift Science’s private beta.

Brandon Ballinger

Brandon Ballinger is one of the co-founders of Sift.
