Speed Limits on the Information Superhighway

7 May 1998

A "How-To" Guide for Online Gaming Companies: The Value of Velocity Controls for Online Credit Card Payment Processing

What, exactly, are velocity controls? You've probably been hearing a lot about them lately if you process online credit card payments.

The term itself sounds like it is more suited to a discussion of the automobile or aerospace industries than to a discussion of online credit card processing and fraud prevention. And, actually, the "automobile" analogy is a good one. If you think of your online gaming company as a motor vehicle, then velocity controls are an anti-fraud braking system for your sales.

Velocity controls are, simply put, limits on the speed and volume at which certain types of credit card transactions are allowed to take place. The most commonly limited transactions are those taking place for the first time on any credit card number. Velocity controls continuously monitor all purchases made on a company's Web site for patterns and indicators of possible fraud. Controls and limits can be set based upon total number of purchases, dollar value of purchases, types of purchases, and any number of other criteria. The sophisticated technology involved allows the merchant to determine which indicators and patterns are monitored, and how to weigh the significance of any element in the decision to accept or deny a sales transaction. In addition, the flexibility available with these types of controls allows the merchant to alter the rules at any time, and to create new rules, finely "tuning" their system based upon actual experience. A transaction is only sent to the bank or financial institution for processing if it passes all of the local tests defined in the velocity controls.

The concept of "velocity control" has been in use with ATM cards and bank debit cards for many years now. Usually the usage of these types of cards has limits. This type of control is very simple and very direct, almost primitive. It is based solely on dollar amount. The average limit is $300 in debit purchases and cash withdrawals on a card in any twenty-four hour period. Period. Technology has advanced significantly over the years and today the more advanced credit card transaction velocity controls can be "tiered," or elaborately configured to fit the specific monitoring and regulating needs of any particular type of business.

At first glance, with your eye fixed on the immediate bottom line performance of your company, you may say "Whoa! Won't these charging limits impact my profits negatively and actually hurt my business? I mean, if my customer can't spend as much as he or she wants, won't I first be denied the extra profit in that particular instance—and then deprived of a return visit from my customer because they felt they had in some way been rejected by my company? Won't they go somewhere that they can charge as much as they want? This method seems to be throwing the baby out with the bath water in some ways."

Good points, all of them. But the hard truth is that in the world of online payment processing, you are constantly struggling to find a balance between risks and returns. You have to do something. Recent studies have shown that losses from fraudulent and stolen credit cards can regularly exceed 50% of total sales for some Internet sales applications that have no fraud protection systems in place. In the online gaming business, the risks are much higher. And a deeper look reveals that, compared to other types of businesses dealing in risky "non-face-to-face" or "card-not-present" transactions like POS, Direct TV, Pay-Per-Call and Audiotext, velocity controls are actually a well-suited and very effective way for the online gaming industry to address and counter fraud.

Consider this: A new customer is, according to recent studies of online purchasing behavior, not likely to charge huge sums on a first visit to any Web site. There is still a lot of skepticism among the general public. It takes time and the development of some familiarity with a particular online business to build trust in that business, and to forge the confidence level at which huge purchases - of a product, a service, entertainment or gaming chips - can be comfortably made.

An online crook, however, is much more likely to want to charge huge sums quickly. Think about it. If someone is using a stolen or lost credit card, doesn't it make sense that he or she is going to want to charge as much as possible as quickly as possible before the theft or loss is reported and the card is cut off? The online impostor is going to want to max it out as soon as they can and get rid of it... and leave you holding the bill.

So if a very large volume of purchasing is attempted during a first use of a credit card on your site, the odds are more likely that the use is fraudulent than legitimate. And by not allowing huge charges to be racked up during a first use of a card on your site via the use of velocity controls, you are more likely to be thwarting criminal activity and protecting your profits than cutting off and aggravating a real customer.

Given the unique nature of online gaming purchase processing and the higher than usual risk of fraud involved, the evidence suggests that, if velocity controls are properly set, the legitimate business you will be denied or lose will be small compared to the money you stand to lose by not having this type of system in place. What good are a lot of "feel good" big sales right now, if a few months down the road you are going to have to sit and watch as all your profits and investments evaporate in an explosion of credits and chargebacks?

Velocity controls are not, of course, the sole answer to the problem. Think of this technology as one front, one angle of attack, in the ongoing battle of your business, indeed your entire industry, against the devastating effects of credits and chargebacks brought about as a result of credit card fraud. Velocity controls work best when implemented as one part of a well-tailored package of fraud protection measures, working in sync with things like Secure Socket Layers (SSL), Password Verifications, Address Lockouts, Hacker Alerts and Address Verification Systems.

There are two ways of getting velocity controls set up as a standard part of your credit card processing security protocol. You can hire an expert to develop and install your own in-house proprietary systems or you can use a third party vendor to provide you with services from theoutside. If you decide to use a third party vendor, be careful and be alert. Make sure that they understand the security parameters you require and are able to implement them effectively. For example, if your provider sets your parameter too tightly, nothing will get through and you will be, in effect, sabotaging your own business. Make sure they understand the delicate "risk versus returns" balance you require a balance unique to every business. And make certain that they are actually providing you with authentic velocity controls rather than other less sophisticated systems that they are inaccurately calling "velocity controls."

Remember, credit card fraud is a problem in the online gaming industry. But today it is also preventable, controllable and reducible to near non-existent levels. Advanced velocity controls, properly established and administered, can play an important role in guaranteeing the security and the integrity of every sale you make.

Christine Bednar is a partner at Signature Card Services, (213) 930-0050. Signature Card has assisted several online gaming clients obtain merchant accounts using Ecash and is available to answer questions regarding your online business.