MATCHED REFUNDS LITE (MRF)
TL;DR
Matched Refunds Lite (MRF) at Paymentsense (Dojo) eliminated £513,000 per month in direct settlement losses – targeting a confirmed annual fraud exposure of £500,000–£700,000 across the physical terminal estate. Dojo was the only card payment platform in the UK allowing unmatched refunds: any terminal operator could issue a refund to any card, at any value, with no prior transaction required. A tap-based transaction-matching mechanism, built within the existing Authorisation Gateway, closed that gap in one quarter without ML infrastructure, vendor dependency, or PCI DSS re-scoping.
CONTEXT
Paymentsense (rebranded Dojo) is a UK payment gateway and acquiring platform serving tens of thousands of SME merchants through physical card terminals. Dojo settles net with its merchant base – refunds issued by merchants are funded directly from Dojo’s settlement pool when merchant liquidity is exhausted. Card-user fraud was outsourced to FeatureSpace, a third-party ML provider. Merchant-initiated refund fraud sat entirely outside that arrangement. Criminal groups posing as merchants, and rogue merchants who had identified the vulnerability, had been exploiting the unmatched refund path for an extended period before detection controls were prioritised. In essence, the unmatched refund path is the vulnerability whereby Dojo terminals allowed refunds that were not linked to a previous transaction.
PROBLEM
User problem
Any operator with physical access to a Dojo terminal could issue a refund to a random card at a random value – with no requirement that the card had ever transacted with that merchant. There was no verification step, no transaction history check, and no amount constraint. Legitimate merchants shared a platform with rogue operators exploiting the same infrastructure, with no isolation or detection.
Business problem
Finance, collections, and treasury data triangulated confirmed annual losses at £500,000–£700,000. Prior research mapped unmatched refunds onto cards that had never transacted with the originating merchant, on accounts that had entered debit or experienced liquidity shortages – in a limited dataset, this pattern accounted for 90% of all unmatched refund activity. Two fraud patterns drove the majority of losses: established corner-shop merchants issuing refunds that routinely exceeded their own monthly terminal revenue, and newly onboarded merchants receiving terminals and immediately issuing refunds to unknown cards before processing a single legitimate sale. Dojo was, at the time, the only card payment platform permitting unmatched refunds – a structural competitive and reputational exposure beyond the direct P&L loss.
Technical / regulatory / operational problem
The Authorisation Gateway was built for routing and approval decisioning, not stateful analysis across transaction history. Card terminal transactions carry no line-item detail – only card identifier, amount, and timestamp – so any matching logic had to operate on amount aggregates rather than itemised records. A further complication was expired card handling: a refund to an expired card is technically valid if the underlying account remains active, because the card is mapped to the account via a PAR (Payment Account Reference). Any solution had to handle the expired card scenario correctly – blocking refunds only where the account was inactive, not where the card had simply expired. This required the solution to work at the tap layer, reading the card’s PAR and transaction history at the terminal, rather than operating purely at gateway level. Finally, any new cardholder data storage would have triggered a PCI DSS scope expansion and QSA re-assessment – a constraint that ruled out a server-side transaction history database.
APPROACH
The programme opened by converting the fraud loss into a monthly cash drain and modelling the expected value of detection against the cost of false positives.
Dojo’s net settlement model made the loss arithmetic direct. A fraudulent refund of £X is a £X immediate cash loss – not a credit risk, not a chargeback to be recovered, but a real-time drain on settlement capital. The confirmed annual range of £500,000–£700,000 translated to a monthly burn of £42,000–£58,000. The success hypothesis was set at 80% fraud elimination:
Target monthly recovery = (£500,000–£700,000) × 80% ÷ 12 = £33,000–£47,000/month
At £513,000 recovered per month post-launch, the actual fraud surface was an order of magnitude larger than the triangulated estimate – back-office reconciliation had captured roughly 8–10% of true run-rate exposure.
The business case was structured around expected value of detection:
EV(detection) = P(fraud identified) × Average refund loss avoided − [False positive rate × LTV cost per declined legitimate refund]
The false positive cost was the controlling variable. Declining a legitimate refund at a physical terminal creates immediate, visible merchant friction. Merchant LTV was modelled as:
LTV(merchant) = (Average monthly net revenue per merchant × Gross margin %) ÷ Monthly churn rate
Even a 0.5% false positive rate across the terminal estate translated to meaningful LTV destruction if affected merchants churned. Phase 1 thresholds were set conservatively – maximising precision over recall – with tightening scheduled as false positive data accumulated.
The solution was designed as two tiers:
Matched Refunds Lite (MRF) – the Phase 1 delivery. The cardholder taps their card at the merchant terminal. The terminal reads the card’s transaction history and compares cumulative spend at that merchant against the requested refund amount. If the card has no prior transaction with the merchant, the refund is blocked. If the refund exceeds cumulative card spend over the 90-day lookback window, the refund is blocked. The PAR mechanism means this logic applies correctly to expired cards: if the underlying account is still active, the refund proceeds to the expired card and the issuer accepts it. If the account is inactive, the issuer rejects and returns the funds via positive chargeback.
Matched Refund (Phase 2 scope) – full transaction-level matching, where the original sales transaction is identified and the refund is issued specifically to the originating card. This was deferred: it required deeper transaction record linkage than terminal memory alone could support, and the MRF Lite mechanism was sufficient to address the primary fraud patterns within the Phase 1 timeline.
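The Phase 1 matching rule described above can be sketched as follows; this is an added example, not Dojo's code. Assumptions: history records are keyed by PAR and a merchant identifier, amounts are integer pence, earlier refunds are not netted off, and every name and sample record is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)  # lookback window stated in the text

@dataclass(frozen=True)
class Sale:
    par: str           # Payment Account Reference; survives card expiry/reissue
    merchant_id: str   # hypothetical merchant identifier
    amount_pence: int  # integer pence avoids float rounding
    at: datetime

def decide_refund(history, par, merchant_id, refund_pence, now):
    """Return (decision, reason) for a tapped refund request."""
    if refund_pence <= 0:
        return ("BLOCK", "invalid_amount")
    # Match on PAR, not card number or expiry, so an expired card whose
    # account is still active matches its earlier sales.
    prior = [s for s in history
             if s.par == par and s.merchant_id == merchant_id and s.at <= now]
    if not prior:
        return ("BLOCK", "no_prior_transaction")
    # Only amount aggregates are available: terminals carry no line items.
    spend = sum(s.amount_pence for s in prior if s.at >= now - LOOKBACK)
    if refund_pence > spend:
        return ("BLOCK", "exceeds_90_day_spend")
    return ("ALLOW", "matched")

# Constructed sample data (not real transactions).
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE_HISTORY = [
    Sale("PAR-A", "M1", 2500, NOW - timedelta(days=10)),
    Sale("PAR-A", "M1", 1500, NOW - timedelta(days=40)),
    Sale("PAR-A", "M1", 9000, NOW - timedelta(days=120)),  # outside the window
    Sale("PAR-B", "M2", 5000, NOW - timedelta(days=5)),    # different merchant
]

if __name__ == "__main__":
    requests = [("PAR-A", "M1", 4000), ("PAR-A", "M1", 4001),
                ("PAR-B", "M1", 100), ("PAR-A", "M2", 100)]
    for par, merchant, amount in requests:
        print(par, merchant, amount,
              decide_refund(SAMPLE_HISTORY, par, merchant, amount, NOW))
```

A card whose only sale at the merchant is older than 90 days is still blocked, but with the spend-limit reason rather than the no-history reason, which keeps the two fraud patterns separable in decline reporting.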
The FeatureSpace contract was reviewed and deliberately not extended. FeatureSpace held no merchant transaction history and was trained exclusively on cardholder behaviour. The MRF tap-based approach was faster, auditable, and operable within the existing PCI DSS boundary – extending FeatureSpace scope would have added at least one quarter to the timeline with no marginal accuracy gain for this fraud type. This was documented as a build-vs-buy governance decision.
The programme ran within a 9-engineer squad over one quarter.
ARCHITECTURE
The diagram below shows the MRF Lite refund authorisation flow – from terminal tap through transaction-history matching to the settlement or block decision, including the expired card PAR routing.
This diagram shows the full MRF Lite decision flow from terminal tap to settlement outcome, including the PAR-based expired card path. The tap-based design – reading transaction history at the terminal rather than via a server-side lookup – was chosen specifically to stay within the existing PCI DSS scope boundary: no new cardholder data storage was introduced, no QSA re-assessment was triggered. The alternative, a centralised transaction history database, would have resolved the scope constraint only with significant compliance overhead and a longer delivery timeline. The expired card branch was a required addition once PAR mechanics were mapped: issuing a refund to an expired card with an inactive account produces a positive chargeback, returning funds to Dojo – a recoverable outcome, but one that needed explicit handling to prevent reconciliation noise.
OUTCOMES
Quantified results
- £513,000 per month in fraudulent refund losses eliminated across the physical terminal estate
- Success hypothesis set at 80% fraud elimination – outcome exceeded the hypothesis
- Delivered in one quarter within a 9-engineer squad, within existing PCI DSS scope, without FeatureSpace contract extension
- Dojo ceased to be the only UK card payment platform permitting unmatched refunds – a structural competitive and reputational exposure closed
- PAR-based expired card handling defined and documented – covering a refund scenario previously unaddressed in any internal governance model
- FeatureSpace and Authorisation Gateway fraud responsibilities formally separated in the governance model for the first time
What was learned
The gap between the triangulated annual estimate (£500,000–£700,000) and the actual monthly recovery (£513,000, implying circa £6 million annually) revealed that back-office reconciliation undercounted true fraud exposure by a factor of roughly eight. Losses that never escalate to collections – absorbed in settlement reconciliation – are invisible to finance reporting. Any fraud detection programme should instrument at the authorisation layer, not downstream. The 90% unmatched refund rate observed in the research dataset was confirmed by post-launch data, validating the original fraud hypothesis at scale.