Overview of Zuora Fraud Protection

Zuora has partnered with Microsoft Dynamics 365 Fraud Protection to provide an opt-in payment fraud protection service called Zuora Fraud Protection. This service helps protect merchants from payment fraud and reduces chargeback rates through adaptive AI technology.

Introduction

Powered by Microsoft, Zuora Fraud Protection grants you pre-integrated access to the Microsoft Dynamics 365 Fraud Protection portal. In the Microsoft portal, you define the rules that decide whether a transaction is fraudulent, so that unwanted activity is stopped before it reaches your payment gateways.

By enabling this fraud protection service in Zuora, you give consent to Zuora to share transaction data with Microsoft. Zuora continuously submits all rejected transactions to Microsoft on your behalf at no additional cost, which steadily improves the accuracy of the machine learning model for your organization.

In Zuora, you can configure whether to screen the following types of data:

  • Transactions initiated through Zuora Hosted Payment Method (HPM) pages
  • Transactions submitted by any operations that create payments through the Zuora UI, APIs, or payment runs

A screening is a single fraud evaluation performed by Microsoft, as a third party, through its Purchase API. Each transaction is screened exactly once: before the transaction data is sent to the gateway, Zuora Fraud Protection is triggered and the transaction data is submitted to Microsoft for evaluation via the Purchase API.

If Zuora Fraud Protection returns Reject, Zuora sets the payment processing status to Error and the purchase transaction is not sent for payment processing. If it returns Review or Approve, Zuora sends the purchase transaction data to the payment gateway for normal processing. Review means the result from Zuora Fraud Protection was inconclusive; Approve means the transaction passed the Zuora Fraud Protection review.

When a new payment method is screened, the payment method validation is not returned to Zuora if the transaction does not reach the gateway, or if the Verify New Payment Method setting is not enabled on the gateway instance in Zuora. In that case Microsoft's Bank event is not sent to Zuora Fraud Protection, and the Purchase screening ends with an Unknown status.

Zuora Fraud Protection and Microsoft Dynamics 365 Fraud Protection

The following image shows how Zuora Fraud Protection works with Microsoft Dynamics 365 Fraud Protection to evaluate transaction data.

[Figure: ZFP_flow.png, the Zuora Fraud Protection flow with Microsoft Dynamics 365 Fraud Protection]

Microsoft Dynamics 365 Fraud Protection provides a suite of innovative and advanced services to protect your business from fraud. Velocity checks identify patterns of activity during attacks and restrict how often events can occur. Lists define collections of values used to flag transactions that match certain criteria. The machine learning score generated by AI models is a single assessment score indicating the overall risk of an event. Combining velocities, lists, and machine learning scores is the most effective way to fight fraud, especially in subscription and add-payment-instrument scenarios.

Zuora pre-integrates the Device Fingerprinting service with Payment Pages 2.0. With Device Fingerprinting, additional attributes such as operating system, screen resolution, language, IP location, and device linkage become available to the calculation of the machine learning score. You can enhance your fraud protection with these additional values in the following scenarios:

  • Detect scenarios where a customer is adding a payment instrument on file, which might be a sign of account takeover or identity theft.
  • Monitor the number of attempted transactions by device or IP, which can indicate suspicious activity and potential card testing.
  • Create lists of known good or bad devices or IPs, which can be used in rules.
  • Identify embargo countries, which can be used in rules to reject or review transactions.
  • Identify bad actors and mitigate fraud for products that have higher fraud rates, by collecting and analyzing device and location attributes.
  • Benefit from the Fraud Protection network, which can help you gain a broader awareness of fraud patterns and trends across merchants.

Without Device Fingerprinting, you will have to rely more on other data points, such as emails or payment instruments, to monitor the frequency of events and create velocities.
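The following Python block is an added illustration of the three building blocks named above (lists, a velocity check, and the fallback to a non-device key when no fingerprint is available); it is not Zuora's or Microsoft's code and does not use the Dynamics 365 rule syntax. The thresholds, list contents, country code "ZZ", device identifiers, and the event sequence are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed rule parameters (illustrative only, not Microsoft's syntax or defaults).
VELOCITY_WINDOW_SECONDS = 600          # look-back window for the velocity check
VELOCITY_LIMIT = 3                     # attempts per key within the window before flagging
EMBARGO_COUNTRIES = {"ZZ"}             # placeholder country code on an embargo list
BAD_DEVICE_LIST = {"dev-bad-1"}        # placeholder "known bad device" list
GOOD_DEVICE_LIST = {"dev-trusted-1"}   # placeholder "known good device" list


@dataclass
class PurchaseEvent:
    ts: int                    # Unix timestamp of the attempt
    device_id: Optional[str]   # device fingerprint, None when not collected
    ip: str
    email: str
    country: str


class VelocityTracker:
    """Sliding-window counter keyed by an arbitrary string (device, IP, e-mail)."""

    def __init__(self, window: int, limit: int):
        self.window = window
        self.limit = limit
        self._seen = defaultdict(deque)

    def record(self, key: str, ts: int) -> int:
        """Record one attempt for key and return how many attempts fall inside the window."""
        q = self._seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop attempts older than the window
            q.popleft()
        return len(q)


def velocity_key(event: PurchaseEvent) -> str:
    # With device fingerprinting the device is the strongest key; without it,
    # fall back to another data point such as the e-mail address.
    if event.device_id:
        return f"device:{event.device_id}"
    return f"email:{event.email}"


def evaluate(event: PurchaseEvent, tracker: VelocityTracker) -> tuple[str, str]:
    """Return (decision, reason) where decision is Reject, Review or Approve."""
    # List checks run first: embargo countries and known-bad devices are rejected
    # outright; known-good devices skip the velocity check.
    if event.country in EMBARGO_COUNTRIES:
        return "Reject", "embargo_country"
    if event.device_id in BAD_DEVICE_LIST:
        return "Reject", "bad_device_list"
    if event.device_id in GOOD_DEVICE_LIST:
        return "Approve", "good_device_list"
    # Velocity check: many attempts from one key inside the window looks like card
    # testing, so route the event to Review instead of straight to the gateway.
    attempts = tracker.record(velocity_key(event), event.ts)
    if attempts > tracker.limit:
        return "Review", f"velocity_exceeded:{attempts}"
    return "Approve", "default"


def run_sample() -> list[str]:
    """Evaluate a constructed sequence of events and return the decisions in order."""
    tracker = VelocityTracker(VELOCITY_WINDOW_SECONDS, VELOCITY_LIMIT)
    events = [
        PurchaseEvent(0,   "dev-1",     "198.51.100.10", "a@example.com", "US"),
        PurchaseEvent(10,  "dev-2",     "198.51.100.11", "b@example.com", "ZZ"),
        PurchaseEvent(20,  "dev-bad-1", "198.51.100.12", "c@example.com", "US"),
        PurchaseEvent(30,  "dev-3",     "198.51.100.13", "d@example.com", "US"),
        PurchaseEvent(40,  "dev-3",     "198.51.100.13", "d@example.com", "US"),
        PurchaseEvent(50,  "dev-3",     "198.51.100.13", "d@example.com", "US"),
        PurchaseEvent(60,  "dev-3",     "198.51.100.13", "d@example.com", "US"),
        PurchaseEvent(100, None,        "198.51.100.14", "e@example.com", "US"),
        PurchaseEvent(700, "dev-3",     "198.51.100.13", "d@example.com", "US"),
    ]
    return [evaluate(e, tracker)[0] for e in events]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The fourth attempt from dev-3 inside the ten-minute window is sent to Review, while the attempt at ts=700 is approved again because the earlier attempts have aged out of the window; the event without a fingerprint is counted under its e-mail address instead.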

The following table shows which data Zuora Fraud Protection can use for each front-end integration. In the original table, effectiveness is indicated by colors: green for the most effective, yellow for less effective, and red for ineffective; here YES and NO state whether each kind of data is available.

Category | Data | Hosted Page | Direct POST | CORS REST | External Hosted Pages (Zuora PAN Vault) | External Hosted Pages (External PAN Vault)
Screen new Payment Methods | Device Fingerprinting | YES | NO | NO | NO | NO
Screen new Payment Methods | Payment Instrument Data | YES | YES | NO | NO | NO
Screen stored Payment Methods | Device Fingerprinting | NO | NO | NO | NO | NO
Screen stored Payment Methods | Payment Instrument Data | YES | YES | YES | YES | NO

Zuora Fraud Protection and security measures for HPM

For transactions initiated through hosted payment method pages (HPM), before the transaction request is evaluated by Zuora Fraud Protection, security checks enabled in Zuora for your pages are performed.

  • If 3D Secure is implemented on the hosted payment page and the 3D Secure challenge is triggered, Zuora Fraud Protection screening will be bypassed, as 3D Secure is already the optimal method for detecting fraud.
  • For the other security settings described in Security measures for Payment Pages 2.0, such as rate limiting checks, token expiration, and Google reCAPTCHA validation, Zuora screens the transaction through the fraud protection service only after all of these checks have passed.
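As an added example (not Zuora's code), the following Python block models the order of checks for an HPM transaction described in this section together with the outcome handling described under Introduction: page security checks first, a triggered 3D Secure challenge bypassing screening, Reject setting the payment status to Error, Review and Approve proceeding to the gateway, and a new payment method ending as Unknown when the gateway instance does not have Verify New Payment Method enabled. The Outcome fields, the function parameters, and sample_screen (a stand-in for the Microsoft call that decides by amount only) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

REJECT, REVIEW, APPROVE, UNKNOWN = "Reject", "Review", "Approve", "Unknown"


@dataclass
class Outcome:
    screened: bool                             # did Zuora Fraud Protection evaluate the transaction
    screening_result: Optional[str]            # Reject / Review / Approve, or None if not screened
    sent_to_gateway: bool
    payment_status: Optional[str]              # "Error" when blocked by the fraud screening
    purchase_screening_status: Optional[str]   # final status recorded for the Purchase screening


def process_hpm_transaction(
    txn: dict,
    passed_page_security_checks: bool,
    three_ds_challenge_triggered: bool,
    screen: Callable[[dict], str],
    verify_new_payment_method_enabled: bool = True,
) -> Outcome:
    """Model the order of checks for a hosted payment page (HPM) transaction."""
    # 1. Page security checks (rate limiting, token expiration, reCAPTCHA) run first.
    #    A failed check stops the request before any fraud screening happens; the
    #    status Zuora records in that case is not modelled here.
    if not passed_page_security_checks:
        return Outcome(False, None, False, None, None)

    # 2. A triggered 3D Secure challenge bypasses Zuora Fraud Protection entirely
    #    and the transaction continues to the gateway.
    if three_ds_challenge_triggered:
        return Outcome(False, None, True, None, None)

    # 3. Otherwise the transaction is screened once via the Purchase API before
    #    anything is sent to the gateway.
    result = screen(txn)
    if result == REJECT:
        # Reject: payment processing status becomes Error, nothing goes to the gateway.
        return Outcome(True, REJECT, False, "Error", REJECT)

    # Review (inconclusive) and Approve both proceed to the gateway for normal
    # processing; the payment status is then decided by the gateway (not modelled).
    # For a new payment method the Purchase screening is only finalised once the
    # gateway validation comes back and Microsoft's Bank event is sent; if the
    # gateway instance does not verify new payment methods, it ends as Unknown.
    if txn.get("new_payment_method") and not verify_new_payment_method_enabled:
        final = UNKNOWN
    else:
        final = result
    return Outcome(True, result, True, None, final)


def sample_screen(txn: dict) -> str:
    """Constructed stand-in for the Microsoft screening call, keyed on amount only."""
    amount = txn.get("amount", 0)
    if amount >= 1000:
        return REJECT
    if amount >= 500:
        return REVIEW
    return APPROVE


if __name__ == "__main__":
    print(process_hpm_transaction({"amount": 50}, True, False, sample_screen))
    print(process_hpm_transaction({"amount": 2000}, True, False, sample_screen))
    print(process_hpm_transaction({"amount": 700, "new_payment_method": True},
                                  True, False, sample_screen,
                                  verify_new_payment_method_enabled=False))
```

The point worth checking against your own configuration is the last case: a Review or Approve on a new payment method is not the end of the screening, and without Verify New Payment Method on the gateway instance the Purchase screening stays Unknown, so Microsoft never learns whether the instrument validated.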

Zuora Fraud Protection in Multi-Org and Multi-Entity hierarchy

Multi-Org manages all Org units within a single Zuora tenant. A single Multi-Org tenant corresponds to a single Zuora Fraud Protection environment.

Multi-entity manages multiple Zuora tenants under one umbrella, and each entity has its own Zuora Fraud Protection environment. The parent environment can extend its rules, velocities, lists, and settings to the child environments, and the children cannot override these configurations. Alternatively, each child environment can have its own set of rules, velocities, lists, and settings that are independent of the other environments. Configurations in a child environment cannot be extended upward.