Privacy protection for customer data

Fraud protection is a knowledge-intensive task. Microsoft Dynamics 365 Fraud Protection processes data about payment transactions, online account activities, and devices interacting with Fraud Protection customers' ecommerce properties to help:

  • Prevent and identify fraudulent payment transactions.
  • Discern legitimate transactions to drive down "false positives."
  • Improve customers’ online shopping experience.

Designed with compliance, security, confidentiality, and privacy in mind, Fraud Protection uses machine learning, artificial intelligence, and data de-identification techniques to evaluate payment transactions, certain account activities, and other events for risk and provides customers insights about the health of their commerce operations.

Important

Microsoft is not a consumer reporting agency. The fraud insights generated by Fraud Protection are not intended to be used as credit reports or any indicator of credit worthiness or eligibility. Your use of Fraud Protection is subject to the use restrictions detailed in the Microsoft Online Services Terms.

What data does Fraud Protection process?

Fraud Protection processes three types of customer data to provide the service:

  • Payment transaction data. This is information about a customer’s online payment transactions (past and present). Payment transaction data may include:

    • The transaction amount and information about the goods contained in the order.
    • The name, email address, shipping address, and other geo-location information associated with a payment transaction.
    • The outcome of a payment transaction, such as a chargeback.
    • Information about the payment instrument. Note that Fraud Protection does not collect full payment instrument details, such as the complete credit card number.
  • Device data. This is information about the devices visiting our customer’s e-commerce properties, for example:

    • Device attributes such as plugins installed, processor class, etc.
    • Operating system attributes such as OS information.
    • Browser-related attributes if applicable, such as browser language, font, etc.
    • Network attributes such as IP address, signature hash, etc.
  • Account activity data. This is information associated with a customer’s end users’ past and present account activities, such as requests to create a new customer account or updates to an existing customer account. Account activity data may include:

    • The account name and email address.
    • Information about when the account was created.
    • Information about events associated with the account, such as when the shipping address or email associated with the account changes.

Payment transaction data and account activity data are provided to Fraud Protection by customers in two ways:

  • Customers use the Fraud Protection API to transmit data associated with real-time payment transactions or account activities.
  • Customers upload data about past payment transactions and account activities to the service.

Device data is collected and transmitted to Fraud Protection when a customer installs a device fingerprinting script into their e-commerce properties. This instructs Fraud Protection to collect data on its behalf from devices visiting the customer’s e-commerce properties.

How does Fraud Protection process customer data?

Fraud Protection processes the customer data described above for the sole purpose of providing the service pursuant to the instructions provided in the Microsoft Online Services Terms and those configured by the customer in its administration of the service. To provide the service, Microsoft uses customer data to secure, improve, and troubleshoot the service, as well as to generate fraud insights from hashed data (see below) from all Fraud Protection customers within the Fraud Protection Network (the “Fraud Network”).

Fraud Protection enriches and normalizes customer data

Payment transaction data, account activity data, and device data are enriched and normalized to aid the service’s application of machine learning and artificial intelligence. For example:

  • Transaction amount is converted into US dollars using the current exchange rate.
  • Addresses, such as the billing or shipping address, associated with a transaction, are converted into a canonical format. For example, "One Microsoft Wy" may become "1 Microsoft Way."
  • Device data collected from a single device is converted to a fuzzy identifier.

Fraud Protection hashes certain customer data to be processed in the Fraud Network

Fraud Protection hashes customer data containing personal data that can identify a data subject prior to transmitting it into the Fraud Network where it is processed to generate fraud insights. The hashing technique used by Fraud Protection turns this customer data into unique tokens, or strings of characters. For example, the email address “JohnDoe@outlook.com” will always map to the same string of characters, like “TK239732.” This technique serves the following purposes.

The technique produces the same output for an input (it’s reproducible). The de-identification technique, which uses a salt specific to the Fraud Network and unique salts for each customer, ensures the same input value always maps to the same output token. For example, the email address “JohnDoe@outlook.com” will always map to “TK239732” (say) when the salt specific to the Fraud Network is used, no matter which customer provides the input and at what point in time. This property enables Fraud Protection to identify patterns of fraud, and make connections between tokens, across all customers of Fraud Protection within the Fraud Network. By processing customer data with a unique salt only assigned to one customer, Fraud Protection is also able to provide customers with information about their own patterns of fraud, as Fraud Protection can make connections between tokens for a single customer. In this context, a “salt” is a random value added to a one-way hashing technique that further randomizes the output.

The technique produces (practically) a one-to-one mapping. Although the hashing technique is technically not a one-to-one mapping for any given salt, the probability that two distinct input values will result in the same output value (called a “hash collision”) is vanishingly small. This means that for practical purposes we can rely on the connections made between the tokens.

The technique is practically irreversible. This process makes it practically impossible to reverse engineer a token back to the original input, identify a data subject from the tokens, or otherwise “rehydrate” this customer data without access to the hash function and the salt. Reverse engineering the technique to rehydrate the data, and render it identifiable, would require a highly sophisticated, brute-force attack.

The technique gives customers added assurance that their customer data will not be shared with other Fraud Protection customers. The tokens in the Fraud Network cannot be linked to any specific Fraud Protection customer without access to the hash function, salt, and raw data in that customer’s merchant space.
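The properties above can be seen in a short added example, which is not Microsoft's code: it assumes HMAC-SHA-256 as the keyed one-way function (the page does not name the algorithm) and uses constructed salts, merchant names, and a "TK" prefix borrowed from the page's sample token.

```python
import hashlib
import hmac
import secrets

# Constructed secrets for illustration; the salt values and merchant names are assumptions.
NETWORK_SALT = secrets.token_bytes(32)
CUSTOMER_SALTS = {
    "merchant-a": secrets.token_bytes(32),
    "merchant-b": secrets.token_bytes(32),
}


def normalize_email(value: str) -> str:
    """Canonicalize before hashing so trivially different spellings map to one token."""
    return value.strip().lower()


def tokenize(value: str, salt: bytes) -> str:
    """Keyed one-way token (assumption: HMAC-SHA-256 stands in for the unnamed technique)."""
    digest = hmac.new(salt, normalize_email(value).encode("utf-8"), hashlib.sha256)
    return "TK" + digest.hexdigest()


def network_token(value: str) -> str:
    """Reproducible across customers: the same input gives the same Fraud Network token."""
    return tokenize(value, NETWORK_SALT)


def customer_token(customer: str, value: str) -> str:
    """Per-customer salt: links records only inside that customer's own data."""
    return tokenize(value, CUSTOMER_SALTS[customer])


def matches_candidate(token: str, candidate: str, salt: bytes) -> bool:
    """A holder of the salt can check a guessed input against a token, so the
    irreversibility claim rests on keeping the salt as well protected as a key."""
    return hmac.compare_digest(token, tokenize(candidate, salt))


if __name__ == "__main__":
    email = "JohnDoe@outlook.com"
    print("network   :", network_token(email))
    print("merchant-a:", customer_token("merchant-a", email))
    print("merchant-b:", customer_token("merchant-b", email))
```

Because email addresses are low-entropy inputs, the salt has to be stored and access-controlled like any other secret key.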

Fraud Protection applies artificial intelligence to the tokens in the Fraud Network to generate fraud insights for Fraud Protection customers

Fraud Protection uses artificial intelligence to understand patterns of fraud which enables the service to generate fraud insights for new real-time payment transactions and account activities for customers. These fraud insights include a risk score for the real-time event and reason codes for the score. For example, within the Fraud Network, Fraud Protection may detect a suspiciously high volume of payment transactions, within a noticeably short period of time, associated with a particular token (which could represent a billing address or IP Address). If Fraud Protection detects that token in new, real-time payment transactions, it may provide the customer with a higher risk score and a reason code that indicates that Fraud Protection has detected a suspiciously high volume of transactions for a data attribute associated with the transaction.
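The velocity scenario described above, as an added example that is not part of the service: the window, threshold, risk scores, reason code name, and events are all constructed assumptions. It shows why the shared token matters: no single merchant sees enough activity to flag the token, but the network view does.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600             # assumption: 10-minute sliding window
THRESHOLD = 5                    # assumption: more than 5 events in the window is suspicious
REASON = "HIGH_VELOCITY_TOKEN"   # hypothetical reason code

# Constructed events: (unix_time, merchant, network token of a billing address)
EVENTS = [
    (1000, "merchant-a", "TK239732"), (1060, "merchant-b", "TK239732"),
    (1120, "merchant-c", "TK239732"), (1180, "merchant-a", "TK239732"),
    (1240, "merchant-b", "TK239732"), (1300, "merchant-c", "TK239732"),
    (1310, "merchant-a", "TK551204"), (9000, "merchant-a", "TK239732"),
]


def score_events(events, key):
    """Return [(event, risk_score, reasons)] using one sliding window per key(event)."""
    windows = defaultdict(deque)
    results = []
    for event in sorted(events):
        ts = event[0]
        window = windows[key(event)]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > THRESHOLD:
            results.append((event, 90, [REASON]))   # constructed high score
        else:
            results.append((event, 10, []))         # constructed baseline score
    return results


def flagged(results):
    """Events whose reasons include the velocity reason code."""
    return [event for event, _, reasons in results if REASON in reasons]


def network_view(events):
    """Count per token across all merchants, as the Fraud Network would."""
    return flagged(score_events(events, key=lambda e: e[2]))


def merchant_view(events):
    """Count per (merchant, token): what one merchant could see on its own."""
    return flagged(score_events(events, key=lambda e: (e[1], e[2])))
```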

Fraud Protection processes customer data in accordance with business rules set by the customer

Customers can set business rules within Fraud Protection to automate their own analysis of a real-time transaction or account event, regarding the risk score and reason codes. For example, in addition to the fraud insights provided by Fraud Protection, customers apply their own business rules to approve a payment transaction based on any number of factors, including the transaction amount, the payment instrument used, or the content of the order. Each customer’s business rules are treated as customer confidential information and customer data. Fraud Protection will process such data on behalf of the customer, in accordance with the business rules set, to make a recommendation on accepting or rejecting the transaction or event.

Fraud Protection enables customers to share Transaction Trust Knowledge with participating banks

Customers can choose to use the Transaction Acceptance Booster by opting into the feature. This feature allows customers to instruct Microsoft to share certain customer data, called Transaction Trust Knowledge, with participating banks when a payment transaction is initiated with a payment instrument issued by the participating bank. Transaction Trust Knowledge is a small payload of customer data which includes Fraud Protection's assessment of the transaction, location, and device identifier along with transaction-specific details including trimmed card number and amount that helps banks match against the right purchase transaction.

By opting into this feature, a customer directs Fraud Protection to transmit Transaction Trust Knowledge on its behalf to a participating bank when a payment transaction is initiated on the customer’s ecommerce property with a payment card issued by such bank. For any given payment transaction, a customer’s Transaction Trust Knowledge is only shared with the participating bank when a payment card issued by that bank is used to initiate that payment transaction.

Fraud Protection uses customer data to provide tools to help customers understand how fraud is impacting their ecommerce business. Such tools include reporting functionality, graphical displays, and support services features.