Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security How can merchants reduce fraud without blocking good…
Cyber Security

How can merchants reduce fraud without blocking good customers?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

Use layered controls that reserve strict checks for combinations of risk, not single signals. Combine seasonal baselines, account age, loyalty behaviour, payment provenance, and fulfilment patterns. That approach protects revenue while avoiding the conversion losses that come from blunt, over-restrictive rules.

Why This Matters for Security Teams

Merchants rarely lose fraud decisions because they lack signals. The usual failure is overreacting to one noisy indicator, such as a mismatched geolocation or a first-time shipping address, and turning that into an automatic decline. Current guidance favours layered controls and risk-based decisioning, which is consistent with NIST SP 800-53 Rev 5 Security and Privacy Controls on access, monitoring, and system integrity. The practical challenge is separating suspicious behaviour from normal customer variability across devices, baskets, channels, and fulfilment paths.

That matters because fraud controls do not operate in isolation. They affect checkout conversion, manual review workload, dispute rates, and customer trust. A control stack that is too aggressive can create avoidable friction for legitimate buyers, especially during holidays, travel periods, or when customers place unusually large but valid orders. A weak stack, by contrast, invites card testing, account takeover, and refund abuse. Security teams therefore need a decision model that uses multiple weak signals together rather than treating any single signal as dispositive. In practice, many security teams encounter customer friction only after conversion has already fallen, rather than through intentional control design.

How It Works in Practice

The most effective fraud reduction programs combine preventive, detective, and step-up controls. Instead of blocking on one anomaly, merchants score the transaction context and escalate only when several risk markers align. That can include account tenure, historical purchase behaviour, device consistency, payment instrument reputation, shipping and billing patterns, velocity across attempts, and whether the order fits the customer’s normal basket size.

Operationally, this works best when the fraud engine is tuned to the merchant’s own traffic rather than a generic benchmark. A luxury retailer, subscription service, and marketplace all have different baseline patterns. The same rule set will not perform equally across them. Good practice is to keep hard declines for clearly malicious cases, route medium-risk events to step-up verification, and let low-risk customers pass with minimal friction. Step-up controls should be proportionate, such as requiring re-authentication, 3-D Secure, or out-of-band confirmation only when the overall risk score justifies it.

  • Use seasonality-aware thresholds so holiday surges do not look like attack traffic.
  • Combine identity, payment, and fulfilment signals before deciding on a decline.
  • Prefer adaptive step-up checks over universal friction at checkout.
  • Review false positives by segment, not only at portfolio level.
  • Feed chargeback outcomes and manual review decisions back into tuning.

Merchants should also distinguish fraud types. Card-not-present fraud, account takeover, friendly fraud, and return abuse need different responses. A single blunt rule often catches only the easiest fraud while punishing legitimate repeat customers. The best control programs pair real-time decisioning with post-transaction monitoring so that suspicious behaviour can be contained without blocking the sale outright. These controls tend to break down when a merchant uses static thresholds across highly seasonal businesses because the same behaviour profile can represent either a loyal customer or an active fraud campaign.

Common Variations and Edge Cases

Tighter fraud control often increases checkout friction and manual-review cost, requiring organisations to balance revenue protection against customer experience. That tradeoff becomes sharper for businesses with high repeat purchase rates, low average order values, or international customer bases where IP, billing, and shipping data are naturally less stable.

There is no universal standard for every merchant segment yet, so current guidance suggests treating edge cases as policy exceptions rather than rule failures. New customer accounts may deserve more scrutiny than long-tenured accounts, but age alone is not proof of legitimacy. Loyalty status can reduce friction, but it should not override a clear cluster of risk indicators. Similarly, customer travel, gift purchases, and address changes can look unusual without being fraudulent.

Merchants operating in regulated environments should align fraud controls with broader governance and privacy requirements, especially where payment data or personal identity data is processed. The NIST Digital Identity Guidelines can help when step-up verification is tied to account recovery or identity proofing, while CISA Zero Trust Maturity Model is useful when checkout, account access, and backend fraud tools are being secured as part of a broader trust architecture. Best practice is evolving, but the consistent principle is to make the highest-friction checks contingent on the strongest evidence of risk, not on one isolated anomaly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the technical controls, while PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AAAdaptive fraud controls depend on identity assurance and authentication strength.
PCI DSS v4.03.4Payment data protection is central where fraud controls touch cardholder environments.
NIST SP 800-63IAL/AALIdentity proofing and authentication assurance inform when friction is justified.
NIST Zero Trust (SP 800-207)PA, PE, IARisk-based trust decisions map well to zero trust principles for checkout and account access.

Apply continuous verification across users, devices, and transactions instead of relying on a single trust event.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org