Payments processing is as much about risk management as it is about managing a value exchange between businesses and their customers. For this reason, CoralCommerce incorporates tools to help manage risk in our system core.
The automated services are set to run daily but may run more frequently if preferred. The values passed into each of the automated services contained within Payserver can be modified as desired.
Here are the automated checks and functions that are incorporated into the CoralCommerce Payserver platform for the management of risk.
In the CoralCommerce service there can be a maximum of 'n' transactions per card/mobile/account per 'x' hour period over the last 'y' hours. Cards/mobiles/accounts found to violate the check are blacklisted within the platform and the results are emailed to a specified email address; if a specific parameter is set, the results are logged.
A second check looks for the same card, mobile number or account (EFT) failing more than 'n' different times in different 'x' hour intervals in the last 'y' hours. Cards/mobiles/accounts found to violate the check are logged and the results are emailed to a specified email address; if the parameter for this is set in the admin system, the cards or mobile numbers found are blacklisted.
A third check blacklists a specific card, mobile or account (EFT) within the CoralCommerce platform when there are 'n' failed attempts per 'x' hour interval over 'y' hours using it. Cards/mobiles/accounts found to violate the check are blacklisted and the results are emailed to a specified email address; if set within the system, the results are logged.
The above rules vary by region and merchant type, and are often merchant specific. It is important to include these velocity checks in negative testing when integrating for the first time.
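The three velocity rules above, sketched as an added example that is not CoralCommerce code. It assumes the 'x' hour periods are fixed buckets counted back from the evaluation time; the function names, rule names, thresholds and tokens are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def velocity_hits(txns, now, x_hours, y_hours, max_txns, max_fail_intervals, fail_burst):
    """Return {token: set of violated rule names} for the three velocity rules.

    txns: (instrument_token, timestamp, succeeded) tuples; the token stands in
    for a card, mobile number or EFT account. Assumption: the 'x' hour periods
    are fixed buckets counted back from `now` across the 'y' hour look-back.
    """
    attempts, failures = defaultdict(Counter), defaultdict(Counter)
    for token, ts, ok in txns:
        age = now - ts
        if not timedelta(0) <= age <= timedelta(hours=y_hours):
            continue  # outside the 'y' hour look-back window
        bucket = int(age.total_seconds() // (x_hours * 3600))
        attempts[token][bucket] += 1
        if not ok:
            failures[token][bucket] += 1
    hits = defaultdict(set)
    for token, per_bucket in attempts.items():
        if max(per_bucket.values()) > max_txns:        # rule 1: too many txns in one period
            hits[token].add("max_transactions")
    for token, per_bucket in failures.items():
        if len(per_bucket) > max_fail_intervals:       # rule 2: failures spread over intervals
            hits[token].add("repeated_failures")
        if max(per_bucket.values()) >= fail_burst:     # rule 3: failed burst in one interval
            hits[token].add("failed_burst")
    return dict(hits)

def to_blacklist(hits, blacklist_repeated_failures=False):
    """Rules 1 and 3 always blacklist; rule 2 only when the admin flag is set."""
    always = {"max_transactions", "failed_burst"}
    return {t for t, rules in hits.items()
            if rules & always or (blacklist_repeated_failures and "repeated_failures" in rules)}

# Constructed sample data: tokens are placeholders, not real card numbers.
NOW = datetime(2024, 1, 10, 12, 0)
def minutes_ago(m):
    return NOW - timedelta(minutes=m)
SAMPLE = (
    [("tok_A", minutes_ago(m), True) for m in (5, 10, 15, 20, 25, 30)]   # 6 txns in one hour
    + [("tok_B", minutes_ago(m), False) for m in (30, 90, 150, 210)]     # fails in 4 separate hours
    + [("tok_C", minutes_ago(m), False) for m in (61, 70, 80)]           # 3 fails in one hour
    + [("tok_D", minutes_ago(30 * 60), False), ("tok_D", minutes_ago(5), True)]  # old failure ignored
)
HITS = velocity_hits(SAMPLE, NOW, x_hours=1, y_hours=24,
                     max_txns=5, max_fail_intervals=3, fail_burst=3)
```

During negative testing, feeding an integration sequences like `SAMPLE` confirms that each rule fires on its own and that a failure older than the look-back does not count.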
Within the CoralCommerce service we have several behaviour waypoints that can be used to help monitor how a business is trading. Whilst we use these to help companies become healthier and wealthier, these waypoints or milestones also predict an initial behaviour pattern for an online business, which we use to monitor any exceptions. For example, the expected daily, weekly or monthly sales milestone is suddenly exceeded by a percentage, or the average basket or transaction value is suddenly much higher than anticipated for the business type, and so on. When these waypoints are exceeded by certain levels, the system can generate a soft alert that can inform risk managers of a potential issue.
CoralCommerce connects commerce communities for business to business payment flows, consumer to business payment flows, business to consumer payment flows, wallet applications, and payment rails. This means we orchestrate or route payments and services between commerce clients and partners.
Whilst we recognise that both clients and partners may use their own fraud rules engines (FREs) or their own fraud screening partners, CoralCommerce makes risk management tools available to users of our portals that enable them to create risk prevention rules using the core system's functionality.
These are carefully selected to complement and enhance the services already used by our clients and partners. Within the user portals the following additional controls can be set:
Several checks can be set on the service as 'velocity limited'. For example: 'View Soft Alert' is a report that shows by record number and time period the volume of soft alerts generated.
'Default Fraud Hunt' is a tool to set both the default and merchant fraud flags by 'Velocity Check', 'Same PAN Misuse' and 'Multi PAN Misuse'.
'Default Fraud Hunt Limits' is a tool set on the CoralCommerce connectors using the value per period limits.
The system will record all user and system activity on the following functions (additional PCI DSS compliant logging is done but not published): Default Options Audit Trail, Supplier Payment Terms Audit Trail, Supplier Commissions Audit Trail, Supplier Options Audit Trail, Default Fees Audit Trail, Default Payment Terms Audit Trail, and Supplier Fees Audit Trail.
IP Filtering - The 'Block IPs' admin function allows us to specify IP addresses and IP address ranges to block for specific profiles on the CoralCommerce system. The 'Allow IPs' admin function enables us to specify IP addresses and IP address ranges to specifically enable for client profiles (all IPs that fall outside the IPs/IP ranges specified are blocked, the opposite of Block IPs).
BIN Filtering - The Manage Payment Types function allows us to filter specific BIN or number ranges per card, mobile or account type. All BIN ranges or BIN numbers outside this captured list will be declined and not processed for payment. In addition to this we have the Exceptions admin function that allows us to specify BIN ranges to block for a given merchant or supplier.
Customer Filtering - The CoralCommerce supplier profile enables businesses to create a curated list of authorised customers to access their payment service. This would apply, for example, to businesses who preapprove their customers, who manage subscription services, or who operate in regulated markets or industries requiring customer authentication.
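The three filters above combined into one pre-authorisation gate, as an added example that is not CoralCommerce code. The profile keys, the evaluation order, the use of a 6-digit BIN and the sample ranges are assumptions made for illustration.

```python
import ipaddress

def ip_in(ip, networks):
    """True if ip falls inside any CIDR range or single address in networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def bin_in(bin6, ranges):
    """True if the 6-digit BIN lies inside any inclusive (low, high) range."""
    return any(low <= bin6 <= high for low, high in ranges)

def screen(profile, client_ip, bin6, customer_id):
    """Apply the IP, BIN and customer filters in order; return (allowed, reason)."""
    try:
        if ip_in(client_ip, profile.get("block_ips", ())):
            return False, "ip_blocked"
        allow = profile.get("allow_ips")
        if allow and not ip_in(client_ip, allow):   # allow list set: all else is blocked
            return False, "ip_not_allowed"
    except ValueError:
        return False, "ip_invalid"                  # fail closed on an unparseable address
    if not bin_in(bin6, profile["accepted_bins"]):
        return False, "bin_not_accepted"            # outside the captured list: declined
    if bin_in(bin6, profile.get("bin_exceptions", ())):
        return False, "bin_exception"               # merchant-specific block
    customers = profile.get("authorised_customers")
    if customers is not None and customer_id not in customers:
        return False, "customer_not_authorised"
    return True, "ok"

# Constructed profile: documentation IP ranges and made-up BIN ranges.
PROFILE = {
    "block_ips": ["203.0.113.0/24"],
    "allow_ips": ["198.51.100.0/24", "192.0.2.10"],
    "accepted_bins": [(400000, 499999), (510000, 559999)],
    "bin_exceptions": [(412300, 412399)],
    "authorised_customers": {"cust-001", "cust-002"},
}
```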
The CoralCommerce system is built as a fully functional end-to-end payment gateway and so incorporates tools for our clients that can strengthen their financial risk management policies, including the setting of periodic trading limits (by day, week or month) that may trigger soft alerts when exceeded. A further financial risk function is the setting up of rolling reserves per profile when applicable. It is important to know that this measure records the rolling reserve per transaction from the moment authorisation is completed successfully, and will remain active until the end of the period set for the rolling reserves of a profile on CoralCommerce, usually recorded against each payment connector set up against that profile. Lastly, the system is able to record all fees and commissions set up against a profile if so required.
For every entity (user or customer) that accesses a function on CoralCommerce, there are either access controls or authentication services available. For users, access is controlled via user credentials issued at the creation of the user profile and regularly updated through forced renewal requests (PCI DSS requirement).
Technical access is further secured through TLS v1.2 (soon TLS v1.3), a cryptographic protocol designed to provide communication security and used to secure HTTPS.
For customers accessing the payment system to make card payments, AVS / CVV / CVC and 3DSV2+ functions are available to ensure the payment is user authenticated before the payment request is processed for authorisation.
In addition to the above, we offer the ability for a partner or client to connect to external risk management tools when requested or required. We partner with many market leading solutions that offer 3rd party management tools for various types of risk. We can share those when requested.
CoralCommerce connects commerce communities for business to business payment flows, consumer to business payment flows, business to consumer payment flows, wallet applications, and payment rails. Each partner and client in a CoralCommerce commerce community is connected to one another via our API to our mutual benefit, growing your health and wealth as a business.
As a payment company you can use our cloud service as your payment and service rails with our team experience added to your own as part of your team. Simple routing rules allow you to direct payments or services through multiple channels to multiple connectors around the world. Our PCI DSS compliant service becomes your technical foundation to boost your sales, grow your presence and help you become healthier and wealthier as a business.
If you have complex merchant needs use our payment service as your own embedded checkouts, integrating once to access multiple payment and service providers globally, in multiple currencies consumed through multiple payment types, using one single integration effort only. Our technology and team become yours, reducing your operational costs and technical overhead, leaving more profit on your bottom line.
CoralCommerce partners with leading solutions in the market to ensure our community members have access to products that inform and protect. For the KYC / KYB services our first choice is always iFinancials AMLTrac, an award-winning Anti Money Laundering service and counterterrorism financing solution. In addition to AMLTrac we also recommend WorldCheck by LSEG (Refinitiv), a 3rd party screening service. These services should be the basis of a supplier onboarding flow and we recommend they become a key part of a KYC/KYB process.
Whilst the CoralCommerce platform offers comprehensive risk management tools, the addition of a 3rd party fraud prevention service is highly recommended. These services use custom data resources against which to check a tranche of data points and generate a risk score as a result. Services like Sift, Kount and Seon are excellent at helping companies manage payment fraud, specifically for digital and online channels.
Transaction or payment laundering is the UNAUTHORIZED aggregation of payments online, and should be investigated and blocked as soon as detected and identified. Merchants processing payments on behalf of other merchants can sound innocuous, but can be abused by criminal networks to launder illicit funds, with the US's FTC acting against companies who process on behalf of potential criminal businesses. Payment laundering breaches the operating rules set out by the card brands and should be avoided with best efforts, whilst it should be recognised that detecting criminal intent through transaction patterns can be difficult to do. To this point, managing suspect payments through services like G2 Web Services and OnLayer, as well as Austreme and others can be highly efficient in alerting risk managers to a potential issue.
Online Fraud: Online or digital payment risks may seem daunting at times given the alarms often raised by industry commentators - remember: bad news always sells. However, it is no different to cash management solutions in retail and should also be addressed in the same manner.
Industry Bias: It is a historic fact that merchant or industry classifications for online payments were created and controlled by a duopoly (with travel in mind at the time) and can seem biased at times even for compliant businesses trading legally within their own territories, leading to the temptation by businesses to try and sidestep the classification. Gambling businesses most often experience this built-in bias when, as registered gambling (7995) merchants, they still experience far higher decline rates than standard e-commerce companies do. This is a systemic bias issue and one that the industry as a whole must fix, but companies like ours exist to help businesses be the most efficient within their classification despite these known issues.