Merchants should use risk-based controls that add friction only where evidence warrants it. That means preserving low-friction checkout for trusted customers while escalating verification for unusual device signals, abnormal fulfilment changes, repeated support contacts, and high-risk claim patterns.
Why This Matters for Security Teams
Merchants are not choosing between conversion and fraud prevention so much as deciding where to place friction. If controls are too aggressive, legitimate customers abandon checkout, support queues grow, and revenue impact appears quickly. If controls are too permissive, account takeover, card-not-present fraud, refund abuse, and synthetic identity abuse move through the same pathways intended to reduce drop-off. NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here because it reinforces the need for risk-based, adaptive control selection rather than one-size-fits-all hardening.
The practical challenge is that fraud teams, identity teams, and customer experience teams often optimise different metrics. A step-up verification that looks minor to a security analyst may be a major conversion blocker at the moment of purchase. The balance depends on data quality, fraud appetite, customer segment, and the merchant’s ability to detect anomalies before fulfillment or payout. Good controls are usually invisible for low-risk traffic and decisive for high-risk events.
In practice, many merchants discover their weakest control paths only after fraud losses, chargeback disputes, or customer complaints have already exposed the gap.
How It Works in Practice
Effective balancing starts with risk tiering. Merchants assign a confidence score to each session or transaction using signals such as device reputation, velocity, geography, payment history, behavioural patterns, and account age. Low-risk customers proceed with minimal interruption. Higher-risk activity triggers proportionate controls such as step-up authentication, CVV re-entry, one-time passcodes, delivery address confirmation, or delayed fulfilment review.
This is not just a payments problem. Identity assurance, account recovery, and post-purchase fulfilment all affect fraud outcomes. A merchant can reduce checkout friction and still preserve security if the strongest checks are shifted to points where fraud value increases, such as login, password reset, shipping change, gift card redemption, or refund initiation. That approach aligns with the broader control logic in CISA Zero Trust guidance, where trust is continuously evaluated instead of assumed once at the front door.
Operationally, the best programmes combine prevention, detection, and review:
- Use allowlists and trusted customer profiles only where account takeover risk is low and monitoring is strong.
- Apply step-up only when risk signals cross a threshold that justifies the extra user effort.
- Separate high-value fraud controls from low-value nuisance checks, so the same friction is not imposed on every customer.
- Instrument false-positive review loops so the business can see where controls suppress good orders.
Merchants should also validate that analytics, rules, and manual review decisions are consistent across channels. A customer who passes web checkout but fails in-app or through a call centre creates avoidable complexity and inconsistent trust outcomes. The implementation should map cleanly to operational controls such as logging, access review, and incident handling, which are covered in the NIST SP 800-53 Rev 5 Security and Privacy Controls catalogue.
These controls tend to break down in guest checkout, high-volume flash sales, and marketplace environments because the merchant has too little identity continuity and too much time pressure to distinguish loyal customers from fraud rings.
Common Variations and Edge Cases
Tighter fraud control often increases abandonment, review workload, and support overhead, requiring organisations to balance loss reduction against customer experience and speed. There is no universal standard for this yet, so current guidance suggests tuning controls to transaction context rather than applying the same friction everywhere.
One common edge case is returning customers using new devices or changing fulfilment details. That behaviour may be legitimate, but it can also signal account takeover. Another is low-value fraud that is individually small but operationally noisy. In those cases, a merchant may prefer lightweight checks and faster response rather than expensive manual review. A third case is high-risk geographies or payment methods where conversion pressure is high and the fraud signal is imperfect. Best practice is evolving toward layered verification, not hard blocking, unless loss patterns clearly justify it.
Merchants should also avoid over-relying on a single control type. Strong authentication helps, but it does not solve refund abuse, triangulation fraud, or social engineering of support staff. That is why PCI DSS v4.0 guidance remains relevant when payment data, authentication, and account lifecycle controls intersect. Where merchants operate across regions, local privacy obligations and consent rules can also constrain how aggressively behaviour is profiled or retained.
The most resilient approach is to treat fraud controls as a portfolio: a little friction at the right moments, richer signals behind the scenes, and clear escalation for cases where the risk truly justifies intervention.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack surface, NIST CSF 2.0, NIST AI RMF and NIST SP 800-63 set the technical controls, and PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Risk-based identity assurance supports adaptive checkout and step-up decisions. |
| NIST AI RMF | Fraud scoring and decisioning need governance, validation, and monitoring. | |
| OWASP Agentic AI Top 10 | Automated fraud workflows can be manipulated through unsafe tool use or prompt inputs. | |
| NIST SP 800-63 | IAL/AAL | Identity assurance levels help match verification strength to transaction risk. |
| PCI DSS v4.0 | 8.3 | Strong authentication requirements affect payment flows and step-up design. |
Document model purpose, test outputs for bias and drift, and monitor fraud decisions continuously.
Related resources from NHI Mgmt Group
- How can security teams balance user experience with stronger identity controls?
- How should payment teams balance compliance and fraud controls in APAC P2P systems?
- How can merchants balance fraud prevention with customer experience?
- How should merchants improve approval rates without weakening fraud controls?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org