Buyer liars, AI fraudsters, and lost revenue—what merchants need to know


Payment fraud is evolving, and merchants can’t afford to fight it alone. AI is making fraudsters more sophisticated, friendly fraud is rising, and outdated fraud prevention strategies are blocking legitimate customers. So, how can merchants stay ahead?

In this episode of Payments Unfiltered, Galit Shani-Michel, VP of Payments at Forter, discusses the biggest fraud challenges today, how AI is changing the game, why false declines are costing businesses more than they realize, and how merchants can fight back without killing conversions.


Transcript

Theo: Hello, and welcome to Payments Unfiltered. Today, I have Galit Shani-Michel, the VP of Payments at Forter, with me. With over 15 years of experience, including membership in the MRC, she is a true expert in fraud prevention. We’ll discuss how fraud has evolved over the last decade, the importance of considering the entire customer journey to combat fraud, and how the latest tools are reshaping the industry.

Let’s jump straight into the conversation. To begin with, I thought we could ask a broad question: What does payment fraud mean to you?

Galit: Great question. I started my career nearly 20 years ago in fraud prevention. Initially, you thought fraud was about stopping fraudsters, but back then, it was mainly about stolen cards and compromised databases. But very quickly, you realize it’s about more than that. It’s also about the good customers you mistakenly label as fraudsters, often your best customers making high-value purchases.

That realization shifted my perspective. It’s not just about blocking fraudsters; it’s about ensuring your genuine customers aren’t wrongly flagged or inconvenienced. Managing fraud is intertwined with managing payments because a negative experience, like a legitimate transaction being declined, impacts the customer journey.

Theo: Absolutely. If everything ties back to fraud, there are different types. We often hear about first-party fraud and third-party fraud. Could you explain their differences and share your thoughts on what merchants should consider for each?

Galit: Certainly. First-party fraud, sometimes called friendly fraud or 'own payment method' fraud, occurs when someone uses their card to make a purchase and later disputes it, claiming they didn’t authorize the transaction. On the other hand, third-party fraud happens when someone else uses your card without permission—classic identity theft where the victim is unaware until they see unauthorized transactions.

Theo: How should merchants approach these types of fraud? What strategies can they use to mitigate the associated costs?

Galit: Starting with third-party fraud, the challenge is identifying when someone isn’t who they claim to be. Fraudsters will mimic genuine customers—using similar IP addresses, matching billing information, and more. With AI now more accessible, creating fake identities or imitating real ones has become easier. The focus needs to be on accurately identifying customers without causing unnecessary friction.

Previously, we relied heavily on rules—setting parameters like matching IP and billing info. However, this often blocked legitimate customers, especially those traveling or using international cards. Today, rules are less effective because fraudsters can easily bypass them. AI and machine learning are becoming essential in fraud prevention by focusing on verifying identity rather than just transaction patterns.

Theo: So, has AI been the most significant change in fraud prevention over the last decade?

Galit: Absolutely. AI has improved fraud prevention for merchants and fraud prevention companies alike, enabling better identification of genuine versus fraudulent transactions. However, fraudsters also use AI, so staying ahead is critical. Additionally, data accessibility—whether from the dark web or other sources—makes it easier for fraudsters to operate. Therefore, merchants must utilize advanced technologies to safeguard their customers and business.

Theo: That’s interesting. AI is making fraudsters more sophisticated—giving them easy access to data and tools to create fraudulent collateral. On the merchant side, though, combating this requires more data collection and investment in AI, which means hiring data analysts and machine learning experts, building huge datasets, and managing complex systems.

Is it possible for merchants to fight AI-powered fraudsters alone? And if they try, is it now just incredibly expensive compared to 15 years ago, when simple hardcoded rules like “If IP is X, then block” were enough?

Galit: It’s more expensive—and more complicated. That brings me to the third trend I mentioned earlier: data sharing.

Merchants need to work together to fight fraud. Fraudsters don’t just target one site—they move across different platforms. The same applies to legitimate consumers. If a good customer is shopping on your site for the first time, you don’t have prior data on them. Even with the best technology, you can’t be sure about their legitimacy. But they’ve shopped online on another website before—maybe yesterday or last week.

So, how do you leverage that? This is where fraud prevention networks come in. Companies with large datasets and broad identity coverage can provide that missing context. For example, if a fraud prevention provider covers 98-99% of the UK population, then almost everyone shopping on your site isn’t truly new. If someone like me always buys flights at midnight, the network can recognize that behavior and tell you not to worry.

This shift is crucial. Fighting fraud alone is no longer viable. Merchants understand this and increasingly realize they must tap into a broader fraud prevention network.

Theo: That’s interesting—a community-based approach is no longer a nice-to-have but a necessity. You’re part of the MRC, a community-driven initiative helping merchants tackle fraud and payment challenges. Could you share what the MRC is and how it adds value?

Galit: Sure! The Merchant Risk Council (MRC) is a global community focused on payments and fraud. At its core, it’s a merchant-driven organization that helps businesses in three key ways.

First, it provides connections and knowledge sharing. Merchants can connect with peers through conferences, online forums, and community calls on platforms like Slack and WhatsApp. If something unusual happens in fraud or payments, someone else has seen it, too. The community makes validating trends, sharing insights, and navigating challenges easier. For example, there’s a lot of discussion about Visa’s new fraud programs and the transition to eight-digit BINs—both of which are complex topics that are difficult to figure out alone.

Second, MRC focuses heavily on education. Payments and fraud are evolving at an incredible pace, and staying informed is crucial. MRC offers webinars, sessions, and conferences that help merchants stay ahead of industry changes. If you work in this space, you must keep learning constantly—there’s no way around it.

Finally, MRC plays a significant role in advocating for merchants. Regulations like PSD3 in Europe or Japan’s strict 3DS requirements can be challenging, and regulators don’t always understand the merchant’s perspective. MRC helps advocate for businesses, ensuring their needs and concerns are represented. It also allows merchants to interpret and prepare for these regulatory changes, publishing insights on what new rules mean in practice.

The community is incredibly valuable. Sometimes, a single conversation at a conference can lead to a connection that helps solve a problem months later. It makes all of us better at what we do.

Theo: Awesome. So, don’t fight fraud alone. And MRC sounds like a great community. You mentioned 3DS—I’d love to touch on that. What role do you see 3DS playing in fraud prevention?

Galit: That’s a great question. First, I’ll say that 3DS is not a fraud tool. The core function of 3DS is liability shift—it moves the responsibility for chargebacks from the merchant to the issuing bank.

If fraud occurs on a transaction that went through 3DS, and the cardholder disputes it by saying, “I didn’t make this transaction,” the liability falls on the issuer rather than the merchant. Of course, there’s the question of how the fraudster passed 3DS authentication, but in general, once the bank accepts the transaction, the merchant doesn’t lose the money. There are some exceptions, like gambling, but in most cases, liability shifts.

Many merchants initially thought this meant no longer needing a fraud prevention tool. They assumed that fraudsters wouldn’t be able to pass 3DS and that good customers would. The problem is that most 3DS challenges are still SMS-based. Customers receive a one-time code via text, which they need to enter to authenticate the payment. Some digital banks are moving to app-based authentication, especially in countries like Sweden and Denmark, but SMS remains dominant.

Some merchants figured, “I’ll just apply 3DS to everything, and I won’t have to worry about fraud.” But that’s a misconception.

Even though 3DS shifts liability, fraud-related chargebacks still count toward a merchant’s fraud-to-sales ratio. If too much fraud goes through 3DS, you’ll still end up in issuer monitoring programs, face fines, and, in extreme cases, even lose your merchant account. Additionally, excessive fraud sent through 3DS can hurt your authorization rate—banks will see what you’re doing and start declining more transactions.

The other challenge is the assumption that good customers should always pass 3DS without issue. That’s simply not true. I recently worked with a UK merchant who found that forcing 3DS on every transaction led to a 5% drop in conversion—direct bottom-line revenue loss. In some cases, merchants can apply exemptions to 80–85% of transactions, reducing unnecessary friction.

And then there’s the customer experience issue. Take my mom, for example—she just turned 71 last week. When she buys online, she must find her phone, open the SMS, read the code, and figure out how to switch between her browser and messaging app. If she fails the authentication, she simply won’t try again. She’ll go to another website where she doesn’t have to deal with 3DS.

There are also technical issues—sometimes SMS codes don’t arrive on time or at all, especially when customers are traveling. I recently tried booking museum tickets abroad, but the authentication SMS never arrived. After a few failed attempts, I gave up. That’s a lost sale.

Merchants shouldn’t assume that 3DS is the ultimate fraud solution. Instead, they should apply it strategically.

Theo: That’s a pretty bearish take on 3DS! Is there a bullish case for it—where it delivers value?

Galit: Absolutely. When used correctly, 3DS can be incredibly effective.

First, there’s regulatory compliance. Merchants have no choice in some regions, like the EU with PSD2 and Japan with upcoming 3DS requirements. Some banks also prefer 3DS, even when it’s not legally required. For example, some issuers in Sweden have very low authorization rates for non-3DS transactions, so merchants may apply 3DS simply to improve approvals.

The best use case, though, is borderline transactions. You don’t want to apply 3DS across the board, but it can be a powerful tool for transactions that are too risky to approve outright but not fraudulent. Instead of declining those transactions, you can challenge them with 3DS. If the customer passes, you approve the purchase. This approach helps reduce false declines without sending fraudsters through.

Fraud should be declined outright and not sent to 3DS. However, for grey-area transactions—maybe 2-3% of the total volume—3DS adds an extra layer of verification without unnecessary friction for most customers.

Theo: You mentioned Japan. Are you seeing 3DS adoption grow globally? It’s big in Europe, and Japan is introducing new regulations. Some issuers in Brazil seem interested, but the U.S. has been resistant—3DS often leads to poor authorization rates there. Do you think 3DS will gain traction worldwide, or do you see key regional differences?

Galit: 3DS adoption is growing. Europe is leading the way, and other regions are following. Australia was planning to implement stricter requirements but recently delayed them. Indonesia and other APAC countries are also moving in this direction. India also sees high 3DS usage.

For 3DS adoption to truly scale, the technology must improve. The transition from SMS-based authentication to in-app and biometric verification—like Face ID—will make it a smoother experience. Right now, the friction of receiving an SMS, copying a code, and re-entering it on a website creates unnecessary drop-off. Once authentication becomes more seamless, 3DS will be much more effective.

In the U.S., consumers are simply not used to authentication challenges. Many will abandon the transaction if prompted for 3DS. However, about 65% of 3DS transactions in the U.S. today are frictionless, meaning the consumer isn’t asked to do anything—authentication happens in the background. That’s where we see an opportunity.

Now, let’s talk about friendly fraud because this ties into 3DS adoption in the U.S.

Theo: Yes—let’s dive into friendly fraud.

Galit: Friendly fraud happens when real customers falsely dispute a transaction, claiming they didn’t make the purchase. Sometimes, it’s accidental—maybe they don’t recognize the charge, or their child used their card without permission. But often, it’s intentional—buyer fraud, where someone deliberately lies to get a refund while keeping the product or service.

This is a growing problem because traditional fraud tools struggle to detect it. A fraudster using stolen card details is relatively easy to spot. But how do you identify someone who legitimately buys sneakers for €500 and later falsely claims they never received them?

One of the most effective ways to combat this in the U.S. is using 3DS on high-risk transactions. When banks know they’ll be liable for a chargeback, they push back harder on the customer. They’ll remind them of the purchase details, making it much harder to win a fraudulent dispute. Some merchants have seen friendly fraud chargebacks drop by 50% by implementing 3DS correctly—without harming conversion rates.

The other key strategy is a strong dispute management process. Merchants need solid evidence—delivery confirmations, transaction logs, and fraud prevention data—to fight illegitimate chargebacks effectively. Some handle this in-house, while others rely on third-party dispute resolution providers.

Ultimately, fraudsters and dishonest customers will exploit any weakness in a merchant’s process. If checkout fraud becomes harder, they shift to return abuse. If chargebacks are difficult, they’ll claim the item arrived damaged. That’s why merchants need a holistic fraud prevention strategy for checkout and across the entire customer journey, from account creation to post-purchase behavior.

Theo: That’s a great perspective. I love “buyer liars”—I’m using that phrase again! Galit, thank you so much for all your insights. This has been a fantastic discussion.

Subscribe to Payments Unfiltered on Spotify or Apple Podcasts.
