Subscribe to the Non-Human & AI Identity Journal

How should merchants handle fraud risk during major sporting events?

Merchants should treat major sporting events as context-heavy buying periods, not as a reason to rely only on static fraud thresholds. The best approach combines timing, itinerary changes, device continuity, account history, and payment reuse so legitimate fan behaviour is not confused with account takeover or card testing. The goal is adaptive review, not blanket friction.

Why This Matters for Security Teams

Major sporting events compress travel, ticketing, hospitality, and retail spend into short windows, which makes normal customer behaviour look unusual if fraud rules are too rigid. Merchants need to distinguish legitimate fan activity from account takeover, card testing, and synthetic identity patterns without creating unnecessary friction. That means using context, not just thresholds, and aligning fraud decisions with broader control design from the NIST Cybersecurity Framework 2.0 and operational identity guidance in the Ultimate Guide to NHIs — Why NHI Security Matters Now.

The core risk is not that event-driven demand exists, but that fraud teams overcorrect and block legitimate surge activity while missing coordinated abuse that blends into peak season traffic. Current guidance suggests treating event periods as temporary risk shifts that require tuned decisioning, stronger telemetry correlation, and faster review loops. This is especially important when payments, loyalty accounts, and order fulfilment signals all move at once. In practice, many security teams encounter the fraud pattern only after chargebacks and manual review backlogs have already spiked, rather than through intentional event-specific tuning.

How It Works in Practice

Effective handling starts by defining the event window, the expected geographies, and the customer journeys most likely to change. Merchants should compare new activity against historical behaviour, then weigh signals such as device continuity, delivery address stability, payment instrument reuse, velocity across accounts, and whether the user’s itinerary plausibly matches the event. This is where adaptive rules outperform static thresholds: a first-time purchase from a travelling customer may be legitimate, while repeated low-value authorisations from many cards and the same device cluster may indicate testing.

Strong implementations usually combine policy, analytics, and human review:

  • Raise sensitivity for card testing, bot bursts, and many-account same-device patterns.
  • Lower friction for returning customers with stable devices, known payment methods, and normal fulfilment behaviour.
  • Use step-up verification only when the combination of signals creates real doubt.
  • Monitor refunds, resales, and delivery changes because fraud often appears after initial approval.

Where identity data matters, the same discipline used in NHI governance applies: know what is trusted, what changes, and what should trigger revalidation. For example, the Top 10 NHI Issues research shows how poor lifecycle control and excessive trust create avoidable exposure, and the operational lesson translates well to customer fraud controls. Merchants should also anchor decisions in security control frameworks such as NIST SP 800-53 Rev 5 Security and Privacy Controls when mapping authentication, monitoring, and incident response responsibilities.

These controls tend to break down when event demand is highly international, because itinerary signals, shipping constraints, and device reputation become less reliable across unfamiliar geographies and proxy-heavy traffic.

Common Variations and Edge Cases

Tighter fraud controls often increase false declines and support load, requiring merchants to balance loss prevention against conversion and customer trust. That tradeoff becomes sharper during playoffs, finals, and ticket-release days, when legitimate bursts can resemble abuse. Guidance is evolving on how much weight to give itinerary data, because privacy expectations and data quality vary widely across regions and payment flows.

Several edge cases deserve special handling. Resale marketplaces can create repeated address changes that are legitimate but risky. Hospitality and travel bundles may legitimately reuse devices across multiple travellers in one group. Season-ticket holders may show unusually high frequency but stable identity signals. Merchants should also watch for mixed-intent behaviour, where a real customer account is compromised and then used for both legitimate purchases and fraudulent add-ons. The The 2024 ESG Report: Managing Non-Human Identities underscores how operational gaps persist when controls are not continuously monitored, and fraud teams can face a similar problem if event playbooks are not tested before peak traffic begins.

For governance, the most practical approach is to predefine exception rules, review triggers, and escalation paths before the event starts. Then measure false positives, manual queue volume, and chargeback outcomes separately for event traffic. That keeps the response adaptive without making it permissive, which is the balance most merchants need.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Event fraud handling is a risk-management decision, not just a rules-tuning exercise.
NIST SP 800-53 Rev 5 SI-4 Fraud spikes require monitoring and anomaly detection across payment and account activity.
OWASP Non-Human Identity Top 10 Identity lifecycle discipline helps mirror the need to reassess trust when context changes.

Set event-specific fraud risk appetite and review outcomes against defined business impact thresholds.