Merchants should escalate only when the full signal set supports it, rather than forcing manual review on every unusual booking. This means using device intelligence, behavioural history, and journey context to reserve friction for patterns that are truly inconsistent with legitimate travel demand. Good governance reduces both loss and conversion drag.
Why This Matters for Security Teams
Fraud prevention often fails when merchants optimise for one outcome only: stopping abuse at the point of payment. That approach can create avoidable friction for legitimate customers, especially in travel, digital goods, and high-value commerce where genuine behaviour is inherently variable. The practical challenge is to distinguish suspicious patterns from normal edge cases without turning every outlier into a manual review. NIST’s control guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls supports a risk-based control model, while NHIMG’s Ultimate Guide to NHIs shows how weak identity governance widens the attack surface across automated and customer-facing systems.
For merchants, the issue is not just chargeback loss. Excessive step-up authentication, unnecessary reviews, and overbroad declines can reduce conversion, increase abandonment, and erode trust. Good fraud governance aligns detection thresholds, identity signals, and operational workflow so that friction is reserved for cases that truly warrant it. In practice, many security teams encounter this only after false positives have already damaged conversion and support queues.
How It Works in Practice
Balancing fraud prevention with customer experience starts with signal quality, not with harsher rules. Merchants should combine device intelligence, account history, velocity checks, payment behaviour, geolocation consistency, and session context to form a risk score that reflects the full journey. The goal is to make low-risk transactions almost invisible while escalating only when multiple signals align. That is consistent with risk-based governance in NIST SP 800-53 Rev 5 Security and Privacy Controls and the identity assurance mindset in eIDAS 2.0 — EU Digital Identity Framework, where confidence in identity and transaction context should be proportionate to the risk.
A practical operating model usually includes:
- Tiered friction, such as silent approval, passive monitoring, step-up verification, or manual review.
- Clear decision rules for when a customer can self-remediate, for example re-authentication, proof of possession, or address confirmation.
- Feedback loops from chargebacks, confirmed fraud, and false positives so thresholds can be tuned over time.
- Separation between fraud operations and customer support so legitimate exceptions do not become permanent policy gaps.
Merchants also need identity governance for the systems that enforce these decisions. The same operational weaknesses that affect NHI programmes, such as weak secrets handling or inconsistent access control, can undermine fraud tooling and case management. NHIMG’s Ultimate Guide to NHIs is useful here because fraud platforms often depend on service accounts, APIs, and automation that must be tightly controlled. These controls tend to break down in high-volume flash-sale environments because latency constraints push teams toward blunt, static rules.
Common Variations and Edge Cases
Tighter fraud controls often increase false declines and support burden, requiring organisations to balance loss reduction against customer abandonment. There is no universal standard for this yet, because the right tradeoff depends on product mix, fraud rate, geography, and customer expectations. Best practice is evolving toward contextual friction rather than one-size-fits-all verification.
Some environments need special handling. Travel and ticketing often involve unusual device locations, rapidly changing itineraries, and shared payment methods, so a normal-looking booking can still be high value. Subscription businesses may see account takeover attempts that look like routine login activity until payout or redemption occurs. Marketplaces and fintech platforms may also need to account for beneficiary risk, mule behaviour, and regulatory obligations under AML and KYC expectations, where fraud controls and identity checks must work together rather than in isolation. For those scenarios, the operational question is not whether to add friction, but where to add it without disrupting honest users. FATF’s FATF Recommendations provide a useful reference point for risk-based screening where identity, payment integrity, and suspicious activity monitoring intersect.
Merchants should also remember that automation is only as good as its governance. If review queues are poorly tuned, or service credentials are overexposed, legitimate traffic can be blocked at scale while true abuse slips through a weaker path. That is why the best programmes review fraud policy and identity controls together, not as separate workstreams.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and FATF Recommendations set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM | Fraud tuning is a risk-management decision balancing loss, friction, and customer impact. |
| NIST SP 800-63 | IAL/AAL/FAL | Identity assurance levels help match verification strength to transaction risk. |
| OWASP Agentic AI Top 10 | Automated decisioning and tool use can amplify prompt or workflow abuse in fraud systems. | |
| NIST AI RMF | GOVERN | Fraud scoring and step-up logic need accountable governance and monitoring. |
| FATF Recommendations | Payments and onboarding controls often overlap with AML and KYC risk screening. |
Set fraud thresholds by risk appetite and review them against conversion and loss outcomes.
Related resources from NHI Mgmt Group
- How should financial institutions balance fraud prevention and customer completion in IDV?
- How should financial institutions balance DORA compliance with customer authentication experience?
- How should marketplaces balance fast onboarding with fraud prevention?
- How should iGaming operators balance player acquisition with fraud prevention?