20/10/2020 Risk management
Johannes Schumacher

Legality in fraud detection

The only thing that leads to a higher shopping basket abandonment rate than not offering customers their desired payment methods is offering a method in the first step and then withdrawing it in a later step, at worst by e-mail after the order confirmation has already been sent. This guarantees the merchant not only an orphaned shopping basket but also reputational damage that spreads over social networks. And unfortunately, bad news usually spreads much faster than good news. So you want to check the customer for suitable payment methods and for suspicion of fraud before you make payment options available.

Especially with new customers, fraud pattern recognition becomes a data protection tightrope walk. Typical fraud patterns only emerge when looking at past order attempts, especially those that did not lead to a purchase in the end. By placing multiple orders in which details about their own person are deliberately falsified, a customer tries to circumvent identification by the shop. (Please also read the blog article Fraud in online trade – Challenges for shop operators.) Identification would probably result in exclusion from purchase on account or direct debit because, for example, negative payment experiences or entries at credit information agencies already exist. The challenge is therefore to keep an eye on these unsuccessful purchase transactions when evaluating current applications. This is the only way to detect and control fraud patterns on the basis of statistical anomalies.

But is it permitted at all to store and process data about order transactions that were not completed with a purchase? And if so, for how long?

Storage of personal data for fraud pattern detection? Sure!

In principle, the storage and processing of personal data is permitted under Article 6(1)(f) of the GDPR (DSGVO) if the processing body, i.e. the shop, has a legitimate interest and if the fundamental rights and freedoms of the person concerned, i.e. the customer, do not prevail. For you as a shop operator, this means that you, together with your data protection officer, must weigh up your interests against those of your customers. Further effects of the DSGVO on the treatment of personal data by online shops are also explained in the article DSGVO: Protection against data abuse in the case of purchase on account.

Fraud in eCommerce causes annual costs amounting to billions of euros in Germany alone. A legitimate interest is therefore given if you want to offer your goods under creditor risk (for example with purchase on account or direct debit). In fact, the real question is how long this data may be kept. Unfortunately, there is no clear answer to this question. Rather, it depends on whether you can justify the length of storage in a comprehensible manner. If experience shows that fraudulent multiple purchasers limit themselves to a rather short period of time, longer-term storage is not necessary and the data must be deleted after a short period (e.g. several days). If there are particularly persistent fraud patterns that last for weeks, a correspondingly longer storage period can be comprehensible and justifiable.

Could this be more concrete?

You must weigh up the above-mentioned interests before you store and process personal data for the first time, i.e. possibly before you have even been able to build up know-how in this area. It is therefore important that you find a partner who can support you from the very beginning, with experience from e-commerce, in weighing up your interests and in identifying fraud patterns. Furthermore, you need a solution that allows you to readjust your fraud pattern detection even at short notice, be it to prevent new fraud patterns in real time or to reflect changes in data protection regulations. SHS VIVEON has been supporting customers for years in all challenges of customer risk management and is happy to provide advice and solutions. You are welcome to contact me…