Subscribe to the Non-Human & AI Identity Journal
Home FAQ Identity Beyond IAM How should merchants handle holiday shoppers who look…
Identity Beyond IAM

How should merchants handle holiday shoppers who look risky but are legitimate?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Identity Beyond IAM

Merchants should use adaptive risk scoring that weighs seasonality, customer history, shipping patterns, and login behaviour together. Holiday shoppers often trigger the same signals as fraudsters, so static rules create false positives. The goal is not to remove friction entirely, but to apply it selectively when the broader identity and transaction context supports higher risk.

Why This Matters for Security Teams

Holiday commerce compresses normal review windows and increases the number of transactions that look unusual for benign reasons. A shopper may be using a new device, shipping to a gift recipient, changing address details, or checking out faster than usual. Those signals overlap with fraud tactics, so the practical problem is not spotting every anomaly, but deciding which anomalies deserve friction and which should pass with evidence-based confidence.

Merchants that treat every deviation as suspicious usually create two failures at once: avoidable customer abandonment and poor analyst attention. Good fraud operations separate signal from noise by combining account history, device continuity, payment behaviour, and contextual seasonality rather than relying on a single rule. That approach fits broader control thinking in the NIST Cybersecurity Framework 2.0, which emphasises risk-based protection and response rather than blanket denial. The same logic applies in e-commerce identity decisions, where the question is often whether the session is consistent enough to trust, not whether it is perfectly ordinary.

In practice, many security teams encounter legitimate holiday shoppers only after false declines and support escalations have already damaged revenue and trust.

How It Works in Practice

Operationally, the strongest approach is adaptive decisioning. That means the merchant does not ask one rule, such as “new device equals fraud,” to carry the whole judgment. Instead, the scoring model weighs multiple factors together and adjusts the response. A first-time buyer may still be legitimate if the shipping address is stable, the email account is old, the basket value matches normal patterns, and the payment instrument is consistent with prior behaviour.

Useful inputs usually include:

  • Customer history, including prior successful purchases and account age.
  • Device and session continuity, such as browser consistency and login patterns.
  • Shipping and billing alignment, especially when holiday gifting changes the destination.
  • Velocity signals, such as repeated attempts across cards, addresses, or accounts.
  • Transaction context, including basket mix, order value, and seasonal purchase patterns.

Merchants should then map outcomes to graduated controls: approve, step-up verify, queue for manual review, or decline. Step-up checks are most effective when they are proportionate, for example using out-of-band verification or reauthentication only when the score crosses a meaningful threshold. For identity assurance and authentication strength, the NIST Digital Identity Guidelines remain useful for thinking about assurance levels and transaction risk, even when the process is embedded in commerce rather than a government login.

Fraud teams also need feedback loops. Manual review outcomes, chargeback results, and customer support cases should continuously refine thresholds so the model does not drift into holiday overblocking. Best practice is evolving here: some merchants use machine learning, others rely on rules plus analyst tuning, and many use both. The important point is explainability. If analysts cannot say why a high-value order was challenged, the workflow will be hard to tune and harder to defend. These controls tend to break down in marketplaces with sparse customer history and rapid cross-border shipping because the model has too little trusted context to distinguish gifting behaviour from account takeover.

Common Variations and Edge Cases

Tighter fraud controls often increase abandonment and review workload, requiring merchants to balance conversion against loss prevention. That tradeoff becomes sharper during holidays, when false declines can be more expensive than a narrowly accepted risk.

One common edge case is the brand-new customer who is legitimate but has no behavioural baseline. Another is the returning customer who suddenly purchases from a different location, uses a mobile device, and ships to multiple recipients. Current guidance suggests that merchants should not penalise these patterns in isolation; they should only escalate when several weak signals combine into a credible risk story. There is no universal standard for this yet, so the right threshold depends on fraud tolerance, margin, and support capacity.

Another variation is account takeover. A shopper can look legitimate at the transaction layer while the session itself is compromised. In those cases, identity-aware controls matter more than basket-level rules, which is why session hygiene, reauthentication, and anomaly correlation should sit alongside payment fraud checks. For teams operating across regions, the NIST Cybersecurity Framework 2.0 supports the broader discipline of aligning preventive, detective, and response measures rather than relying on a single gate.

The most reliable operational pattern is to accept that some legitimate shoppers will look risky, then design friction that is selective, reversible, and easy to tune as holiday traffic changes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Risk-based access decisions map to controlled, context-aware authorization.
NIST SP 800-63AAL2Step-up verification depends on appropriate authentication assurance for risky sessions.

Use contextual risk signals to decide when to approve, step up, or review a transaction.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org