SEON Compliance Whitepaper

Regulatory compliance isn’t a luxury - it’s a necessity. SEON will always ensure that our customers’ experience with our products is safe and secure. This means customers can access the information they need and remain comfortable when managing data and utilizing multi-function analytics in the cloud. Our mission is to create a fraud-free world.

We are committed to helping our partners fight against fraud. This also means implementing a privacy and security control environment with administrative and technical measures to protect customers’ data from security incidents and personal data breaches.

Did you know: SEON is GDPR, UK GDPR, PCI-DSS compliant, and ISO 27001 certified.

GDPR

1. Privacy Matters - At SEON, we have been fully aware of the GDPR and other regulations such as PSD2 since their inception. This has allowed us to plan accordingly and to ensure our entire solution was designed around compliance with this regulation.
2. Must SEON comply with the GDPR? - Yes. We are contracted with AWS EU, and our cloud infrastructure, including servers and databases, is based in the EU (Dublin, Ireland), which we can confirm via a certificate.
3. Are SEON’s data processing activities lawful? - Yes. We are registered as a data processor, and detecting & preventing fraud is a legal basis for processing personal data according to the GDPR and other applicable laws (e.g., Prevention and Combating of Money Laundering and Terrorist Financing).
4. Can I share user data with SEON? - We recommend SEON Customers’ Terms to inform their clients about data pro- cessing for fraud management services. We are happy to help them draft this document as needed.
5. What is the data retention policy? - We make it very clear that our client data can be stored for up to 12 months and easily erased upon request or by using SEON’s Erase API.
6. How safe is the data I share with SEON? - At SEON, we are proud to have a Director of Compliance, Chief Software Architect, and Information Security Operations and DevOps Engineers. These roles oversee SEON’s security compliance and security operations while ensuring only our Chief Technology Officer has access to the production database (through dedicated, whitelisted VPN and encrypted keys with unalterable audit trails).
7. What happens if there is a data breach? - In the unlikely event that infrastructure or even data becomes impacted, the SEON Terms, our standard service agreement, and data processing addendum (DPA) include taking responsibility for data privacy, so our Customers can use the platform with complete peace of mind. GDPR also contains data security and data breach reporting requirements which SEON is fully compliant with.

Confirmation of fraud cases must be followed with these actions:

• Blacklist directly related data points:
  • User ID
  • Phone number
  • Email address
  • Cookie hash, browser hash - recommended for desktops, and if connected customers are all suspicious
  • IP (recommended for a maximum of 90 days)
• Identify the fraud ring and clones. Mark all transactions of the customer and connected accounts (clones) as declined and assign the right label to it. Make sure to analyse all customers of a suspected fraud ring.
• Create rules to match patterns based on the found clones or connected similar transactions based on indirect related data points, some example data fields to combine: 
  • IP country, IP ISP, IP score > 7
  • BIN number, card issuer bank, card country
  • Useragent, canvas hash, webgl vendor
  • Number of found online profiles, email domain, data breach existence, email score > 7
  • Transaction amounts exceeding a specific limit
  • Item name or type 
• Think about rules that cover fraudulent attempts using parameters from these indirect data points with the highest coverage and least amount of false positives. 
  Rule tester and filtering with statistics information can be very efficient. 
  Make sure to avoid duplication of rules and try to use rule tester and filter functions. 
  Keep an eye of new transactions to turn off unnecessary rules.
• See if any default velocity rules have been triggered, if yes, worth consideration to finetune to uplift score, or copy it to a new rule with more parameters as other suspicious data points from indirect related data points.
  • Contact SEON’s team of experts for more insight and help.

What to do if you think the transactions are legitimate and the score is still high (= false positives)

Questions to ask to determine whether the applied score should be decreased:

• Which rules have applied?
• Is there any rule (especially velocity rules) that makes no sense or seems duplicated?

Note: It can be also useful to create rules, which decrease the fraud score to cover legitimate or low risk patterns. This can be tied to an item name, transaction amount, payment method (e.g. not reversible payment), or in case hard KYC / 3D Secure was passed, etc.