By NHI Mgmt Group Editorial TeamPublished 2026-02-06Domain: Identity Beyond IAMSource: Riskified

TL;DR: Chargeback losses at two luxury brands that paused in-store fraud reviews rose to $1.3M+ and $800K+ within six months, then returned to near zero after protection was reinstated, according to Riskified. The lesson for practitioners is that suppressed fraud can look invisible until controls are removed, at which point the operational and financial exposure becomes measurable fast.


At a glance

What this is: Riskified’s analysis shows that pausing in-store fraud protection at leased registers quickly translated into large chargeback losses, despite a prior appearance of low risk.

Why it matters: For fraud, IAM, and identity verification teams, the case shows why control decisions should be based on blocked-loss evidence and not on the absence of visible incidents.

By the numbers:

👉 Read Riskified’s analysis of in-store fraud protection and chargeback losses


Context

In-store fraud often appears lower risk than card-not-present fraud because the checkout experience is controlled and card-present signals can create a false sense of safety. The problem is that effective fraud prevention removes bad activity before it becomes visible, so the lack of obvious losses is not evidence that the risk has disappeared.

That matters for identity and fraud governance because prevention controls are often judged on what merchants can see, not on what they stop. In leased-register retail models, responsibility can shift across brands, which makes fraud decisioning and chargeback accountability part of the operating model rather than a back-office concern.


Key questions

Q: What breaks when in-store fraud review is removed from a leased-register model?

A: When in-store fraud review is removed, suspicious transactions pass through the same checkout flow that would normally suppress them, so chargebacks become the first visible signal of risk. In leased-register models, the break is not only financial. Support tickets, dispute workload, and accountability all shift suddenly to the wrong part of the organisation.

Q: Why can low in-store fraud loss rates be misleading for merchants?

A: Low loss rates can simply mean the fraud control is working well enough that the merchant never sees the avoided cases. That is why teams should look at blocked activity, historical decline patterns, and projected loss if controls were removed. Without that counterfactual view, leaders may underfund protection because they mistake suppression for absence.

Q: How do security teams know whether a fraud control is actually working?

A: A fraud control is working when prevented loss, avoided chargebacks, and reduced dispute volume move in the right direction together, while legitimate approval rates remain stable. If only realised loss is measured, the team cannot tell whether the control is effective or merely obscuring the underlying exposure.

Q: Who is accountable when partner brands opt out of in-store fraud protection?

A: Accountability belongs to whichever party owns the financial loss, dispute process, and decision rights in the operating model. If the host retailer controls the register environment but the brand chooses whether to fund protection, both sides need explicit ownership for reviews, chargebacks, and exception handling before the control is changed.


Technical breakdown

Why fraud can look absent when protection is working

Fraud controls change the evidence surface. When a decision engine blocks suspicious transactions early, merchants stop seeing the fraud that would otherwise have shown up as chargebacks, disputes, and manual reviews. That creates an optimisation trap: leaders may read low loss rates as low exposure, when the real driver is an effective suppression layer. In a leased-register environment, this becomes sharper because each brand may interpret its own transaction stream as a complete view of risk, even though the control is filtering the outcome before it reaches finance and operations.

Practical implication: measure prevented loss, not just realised loss, before deciding to remove fraud review at the register.

How chargeback guarantees change accountability

A chargeback guarantee is not just a commercial wrapper. It shifts part of the financial risk from the merchant to the fraud provider and can make operational ownership clearer when disputes rise. But the guarantee does not eliminate the underlying fraud pattern. It simply changes who absorbs the cost and who runs the dispute process. That distinction matters in retail models where partner brands, host retailers, and payment teams may each assume another party is covering the control gap.

Practical implication: document who owns fraud losses, disputes, and escalation paths before outsourcing in-store decisioning.

Why forecasted fraud exposure matters more than intuition

The strongest part of this case is not the loss figures alone, but the fact that Riskified translated blocked fraud into projected chargeback exposure before the brands opted out. That kind of forecast turns an abstract control debate into a budget and risk decision. For identity and fraud teams, this is the same governance pattern seen in secrets management and access control: when a control suppresses incidents well, only forward-looking modelling shows what would reappear if it were removed.

Practical implication: use scenario modelling to test what happens when fraud controls are paused, not only after losses begin.


Threat narrative

Attacker objective: The attacker objective is to convert apparently legitimate in-store purchases into chargeback losses that merchants must absorb.

  1. Entry occurs through normal in-store purchase flows where fraudsters can exploit the appearance of low-risk card-present transactions and the operational trust attached to leased registers.
  2. Escalation happens when fraud decisioning is removed or paused, allowing suspicious transactions to pass without the review layer that would have filtered them out.
  3. Impact is realised as chargebacks, dispute workload, and financial losses surge until protection is reinstated.

NHI Mgmt Group analysis

Visible loss is a poor proxy for fraud exposure: when a control works, it suppresses the very evidence teams use to judge whether it is needed. That makes in-store fraud look smaller than it is, especially where card-present assumptions and network protections create a false sense of safety. Practitioners should treat blocked transactions and forecasted loss as core governance inputs, not secondary metrics.

Chargeback assurance is a risk allocation mechanism, not a risk eraser: shifting cost coverage can make fraud economics easier to manage, but it does not remove the underlying abuse pattern. In leased-register retail, the governance question is who owns decisioning, who absorbs losses, and who carries the operational burden when disputes rise. Teams should align control ownership to financial accountability.

Proving ROI requires counterfactual analysis, not anecdote: this case works because the brands removed protection and then saw the projected losses materialise. That is a strong example of how fraud teams should validate control value. The same logic applies in identity programmes where prevented incidents are invisible unless teams model the scenario without the control.

Leased-register retail creates a governance boundary that fraud teams often underestimate: multiple brands, shared locations, and separate staffing models can fragment decision authority. That fragmentation makes it easier to underfund protection and harder to see where accountability sits. Practitioners should treat the register model as a shared-control environment with explicit ownership for reviews, disputes, and exceptions.

Fraud suppression has a lifecycle, not a single implementation moment: once a control is removed, risk can reappear quickly and at scale. The operational lesson for identity and fraud governance is to review controls as living dependencies, especially where the business assumes low visible loss means low residual risk. Teams should keep scenario testing tied to periodic review cycles.

What this signals

Counterfactual fraud modelling is becoming the deciding governance tool in programmes where prevention is effective enough to hide the problem. Teams that only watch realised loss will consistently understate the value of controls and delay coverage decisions until the first expensive miss. The better pattern is to pair blocked-transaction analytics with scenario testing so control removal is evaluated before it happens.

This topic also reinforces a wider identity governance lesson: controls that prevent abuse often make their own value hard to prove, which is why periodic review must include loss avoidance evidence. Where leased-register or shared-service models exist, ownership boundaries should be explicit and auditable, not inferred from contract language.

For teams already aligning security operations to NIST Cybersecurity Framework 2.0, the useful lens is governance and protection, not just detection after the fact. The register model needs a named owner for prevention, dispute handling, and exception review, especially when protection is funded by different parties.


For practitioners

  • Model the cost of removing fraud reviews Run a counterfactual analysis using historical approvals, previously declined transactions, and known fraud patterns so business owners can see projected chargeback exposure before any control is paused.
  • Separate loss ownership from checkout ownership Define which party owns dispute handling, reimbursement, and escalation in leased-register or franchise-style operating models so no team assumes another control layer is absorbing the risk.
  • Track suppressed fraud as a governance metric Report blocked transactions, avoided chargebacks, and dispute workload alongside realised losses so leadership sees the full effect of fraud controls rather than only the residual incidents.
  • Test removal scenarios before changing coverage Before shifting fraud protection costs to brands or business units, simulate the operational and financial effect of opting out entirely and compare the outcome against the protected baseline.

Key takeaways

  • This case shows that low visible fraud can reflect strong suppression controls, not low underlying risk.
  • The six-month losses and post-reinstatement recovery demonstrate how quickly exposure reappears when fraud reviews stop.
  • Practitioners should model prevented loss, ownership, and dispute handling before removing protection at the register.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access and transaction decisioning map to this prevention-focused fraud control case.
NIST SP 800-53 Rev 5AC-6Least-privilege thinking applies to who can waive or bypass fraud controls.
GDPRArt.32Where personal payment data is processed, security of processing still matters.
ISO/IEC 27001:2022A.5.15Access control governance supports shared responsibility in leased-register models.

Treat fraud review changes as security-of-processing decisions and document risk evaluation.


Key terms

  • Chargeback Guarantee: A chargeback guarantee is a commercial and operational arrangement where a provider agrees to absorb eligible fraud-related chargeback losses for a merchant. It changes financial accountability, but it does not remove the underlying fraud risk or the need for strong detection and review controls.
  • Leased-Register Model: A leased-register model is a retail operating structure where partner brands run their own staffed checkout points inside a larger host location. It creates shared security and accountability boundaries because the host retailer, the brand, and the payment stack may each own different parts of the fraud response.
  • Suppressed Loss: Suppressed loss is the fraud that never becomes visible because a control blocks it before it turns into a chargeback, dispute, or manual investigation. It is a useful governance concept because it shows why realised incident counts often understate the value of prevention controls.

What's in the full article

Riskified's full article covers the operational detail this post intentionally leaves for the source:

  • Individual brand-level projections showing expected chargeback costs if in-store fraud protection is removed
  • The leasing-model decision point that shifted fraud protection cost from the host retailer to partner brands
  • The post-reinstatement comparison between protected and unprotected periods, including the before-and-after loss pattern
  • The commercial framing of how the chargeback guarantee affects who bears the loss and who manages disputes

👉 Riskified’s full post includes the brand-level forecasts, chargeback outcomes, and leasing-model context behind the test.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and lifecycle control patterns that help practitioners manage hidden exposure. It is suitable for identity and security teams that need a stronger governance model for assets, credentials, and access dependencies.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org