Keeping Subscription Boxes Secure From STEM To Stern

From clothes to toys, there are 200 children’s subscription boxes on the market. But when it comes to security vulnerabilities, nothing is child’s play, with fraudsters testing stolen cards and staging full-on account takeovers. In this month’s Subscription Commerce Tracker, Bill Onderdonk, COO of the STEM-focused children’s subscription box company KiwiCo, discusses how the company develops risk assessment profiles and performs velocity checks to box out bad actors.

There are approximately 200 different children’s subscription services in the U.S. Stitch Fix Kids, for example, sends out a selection of kids’ clothing each month, while GiftLit focuses on curated children’s books.

Such boxes represent a small segment of the broader subscription market, but they face the same challenges, including fraud attempts like card-and-wallet tests and account takeovers (ATOs). Box-of-the-month services constantly struggle to secure their payment processes and remain a step ahead of bad actors.

KiwiCo, a monthly science, technology, engineering, and math (STEM) subscription box for children, is improving its security practices by partnering with third-party providers. Bill Onderdonk, the company’s chief operations officer, recently spoke with PYMNTS about KiwiCo’s subscription model, and how it keeps customers’ data safe from bad actors.

Generating Data Through Product Tests And Surveys

KiwiCo was founded in 2011 and offers seven different subscription boxes focused on different age groups or interests. The Tadpole Crate is geared toward children between the ages of 0 and 3, while the Tinker and Doodle Crates are designed for those aged 9 through 16. The boxes are available a la carte, but the majority of KiwiCo’s business is conducted via monthly subscriptions.

“As a business model, the advantages of subscriptions in terms of creating a recurring revenue stream are pretty obvious,” Onderdonk explained. “[But we also] think it’s a better experience. [Kids are] getting the continuity of projects that really build on each other and help [them] develop skills.”

Children test each box before it is released and provide feedback to the company’s designers, with further feedback coming from surveys sent to customers.

“It creates a nice incoming data stream for us on what’s working and what’s not working,” Onderdonk said. “That lets us tailor future product development, whether that’s incorporating that feedback into brand new products or improving existing products.”

Keeping Fraudsters Out Of The Box

KiwiCo partnered with a number of third-party payments providers to protect against bad actors, ultimately settling on the Netherlands-based global payments platform Adyen.

“We did a bunch of [requests for proposals] and felt that they offered the best combination of services, capabilities and price,” Onderdonk said. “They’re built with the international transaction footprint in mind, and they have a more modern [application programming interface] and integration framework, so it’s a bit easier to work with than the previous providers we were using.”

Adyen allowed KiwiCo to develop a number of tools that flag and analyze transactions, including a risk assessment profile that assigns scores to orders based on how likely they are to be fraudulent. Transactions that are deemed too risky are either automatically denied or passed to human associates for further inspection.

KiwiCo also leverages a system that prevents card-and-wallet tests, in which fraudsters rapidly test the validity of hundreds of stolen credit card details. Mail-order subscription businesses are tempting targets for these tests because they process credit cards and addresses quickly and can immediately inform fraudsters whether their stolen data is genuine.

“They’re looking for ways to [confirm] that what they have is a valid card ZIP code or card address match that they can then use somewhere else,” Onderdonk explained. “They’re not intending to buy a good, receive the good and resell it.”

KiwiCo has velocity checks in place that prevent scenarios in which one person is running tens or hundreds of transactions.

“They’re just sort of pinging our system and trying to see if they can find a valid card or card address match,” he said.
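An added example, not KiwiCo's or Adyen's code: a minimal sliding-window velocity check of the kind described above, which counts distinct cards per source so that a customer retrying one card is not penalized. The source key, window length, thresholds and the allow/review/deny routing are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # assumed look-back window
REVIEW_DISTINCT_CARDS = 3   # assumed: pass to a human associate
DENY_DISTINCT_CARDS = 5     # assumed: decline automatically


class VelocityChecker:
    """Sliding-window count of distinct cards attempted per source key."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)  # source -> deque of (ts, card_token)

    def check(self, ts, source, card_token):
        q = self.events[source]
        q.append((ts, card_token))
        # Drop attempts that have aged out of the window.
        while q and q[0][0] <= ts - self.window:
            q.popleft()
        distinct = len({card for _, card in q})
        if distinct >= DENY_DISTINCT_CARDS:
            return "deny"
        if distinct >= REVIEW_DISTINCT_CARDS:
            return "review"
        return "allow"


def replay(events):
    """Run events (ordered by timestamp) through a fresh checker."""
    checker = VelocityChecker()
    return [checker.check(*e) for e in events]


# Constructed sample: (unix_ts, source, card_token)
SAMPLE = [
    (1000, "dev-A", "tok_1"),
    (1005, "dev-B", "tok_9"),  # ordinary customer
    (1010, "dev-A", "tok_2"),
    (1015, "dev-A", "tok_3"),  # third distinct card from dev-A
    (1020, "dev-A", "tok_4"),
    (1025, "dev-A", "tok_5"),  # fifth distinct card from dev-A
    (1030, "dev-B", "tok_9"),  # same customer retrying the same card
    (1700, "dev-A", "tok_6"),  # earlier dev-A attempts have aged out
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)):
        print(event, decision)
```

In practice the source key would combine several signals (device, IP address, account, shipping address), since a single key is easy to rotate.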

Online businesses also often struggle to balance security with seamless customer experiences.

“The two lenses for us, in general, are managing your payment risk and your approval rates,” Onderdonk said. “You can have zero risk and low approval rates, or you can have high risk and 100 percent approval rates, but the business judgment call is also really just where to dial that in.”

Credit card chargebacks are key monitoring points that show how effective KiwiCo’s security measures are, he explained. The company can use them to define acceptable risk levels and adjust security measures in ways that do not alienate customers. Passwords are the only customer-facing security measure KiwiCo currently uses.

“Fortunately, given the price point … of our product, we don’t see a lot of fraud attempts,” Onderdonk said. “So, we’ve been comfortable where we have currently set the level of risk.”

A Product-First Approach In A Competitive Market

KiwiCo is well aware of the fierce competition within the subscription box space — some estimates state that the market has grown by almost 800 percent over the past five years. The subscription model is only a means to an end for KiwiCo, which puts the product first.

“I would be bullish on subscription in general for products where it makes sense,” Onderdonk said. “First and foremost, it’s about the product being awesome. I don’t think the benefits of a subscription as a format such as convenience or surprise are going to overcome a product experience that is subpar. However, if the product pays off, I think the benefits of a subscription can be real value-add for the customer.”

Onderdonk’s theory will surely be put to the test as the subscription economy continues to grow.