Back to Projects

Payment Authentication Platform

In progress

Leading the build of credit card payment authentication at Zego, aimed at heading off roughly $16M in chargeback liabilities.

January 15, 2024
TypeScriptNest.jsReactMySQLNode.js

Overview

I'm leading the build of credit card payment authentication at Zego, aimed squarely at fraud and chargebacks. The goal is to head off roughly $16 million in chargeback liabilities and make authentication a core part of the company's risk story.

The Problem

Chargebacks are a quiet but serious cost center. Fraudulent transactions slip past basic validation, payment disputes erode property managers' trust, and the existing system doesn't speak modern authentication standards.

What We're Building

We're taking a layered approach. 3D Secure 2.0 covers card-present and card-not-present flows and shifts liability to the card issuer on authenticated transactions. A real-time risk scoring engine weighs device fingerprinting, behavioral signals, historical transaction patterns, and velocity checks. And a configurable rules engine lets the risk team respond to new fraud patterns without waiting on a deploy.

The Tricky Parts

Friction is the enemy. Challenge every transaction and you tank conversion, so we're using adaptive authentication that only steps up when something looks risky. It also has to slot into the existing payment flows without disrupting anything live, and the risk scoring has to finish in under 100ms so checkout never feels slow.

What We're Targeting

These are the outcomes the project is built to hit, not results booked yet:

  • ~$16M in chargeback liabilities avoided
  • ~60% reduction in fraudulent transactions
  • Stronger client retention as managers trust the platform more
  • More sales downstream as that confidence grows

What I'm Taking From It

Fraud work is never really finished. The patterns keep moving, so the system has to keep watching and adapting. The clearest lesson so far is that data beats static rules every time: behavioral history catches things a hand-written rule never would. And it's worth saying early that the most secure flow is useless if people abandon it, so good UX has to be a security feature, not a tax on one.

This project is in active development.