Fraud is costing e-commerce merchants 8% of their annual revenues on average, according to a new study by Javelin Strategy and Research.

The study, commissioned by Vesta, the Portland-based secure payments and fraud management provider, is based on an online survey carried out since June of 497 e-commerce merchants earning $1 million or more annually.

Fraud losses to chargebacks are only a small proportion of total fraud costs, the survey found. This sample of merchants spent on average 10 times as much preventing fraud as they were losing to chargebacks.

Of the 8.0% of revenue that the average merchant lost to fraud in 2017, 5.9% represents fraud management costs, which includes investments in areas such as technology and personnel, while 0.6% represents the revenue lost to fraud-related chargebacks, and 1.5% is due to false positives.

The sample included three segments, merchants selling only digital goods, those selling only physical goods and 200 ‘hybrid’ merchants, selling both types of goods. The digital goods only merchants had higher fraud costs, losing 9.7% of revenue on average to fraud, an increase of 13% since 2016.

Although fraud management costs may seem high relative to actual losses, chargebacks have been growing strongly in 2017. They were up 60% for digital goods merchants and 75% for physical goods merchants, as a result of increased sophistication of fraudsters and exposure to the EMV fraud liability shift for some physical goods merchants.

False positives have continued to grow as well, albeit more slowly. They were up 25% for digital goods merchants and 27% for physical goods merchants.

Card-not-present fraud is an increasing concern for merchants, the survey found, as card fraudsters frustrated by the EMV rollout shift to the digital channel.

Merchants continue to rely heavily on vulnerable usernames and passwords, with the primary authentication tool, used by 75% of CNP merchants, being the weak pair of username and password, broadly exploited via data breaches and malware.

The survey gives details on adoption by merchants of more advanced security measures.

3D Secure is increasingly popular since the introduction of 3-D Secure 2.0, with its promise of greater fraud prevention and reduced disruption to the customer experience, persuading many merchants to give the solution a second chance. About 63% of merchants – some of which have an international presence – expect to have the solution in place in the coming year, with particular interest in implementation for the mobile channel.

The study gives percentages for trial and adoption (as well as non-adoption) of the full range of security measures. As with 3D Secure, adoption of behavioral analytics and device fingerprinting is expected to come on particularly fast in the near future.

However, nearly a third of merchants test or adopt advanced solutions but do not continue using them, the study found, and in interviews some merchants told the researchers they prefer to keep fraud reviews manual as their business is highly “conversion sensitive”.

Merchant spending on fraud management grew more than 15% in 2017, but some of this was down to EMV rollout and therefore a one-off cost.

However average fraud management spend by purely digital goods merchants was up 42% year over year.

The study found that 24% of merchants are currently outsourcing some or all of their fraud mitigation efforts and nearly half of digital goods and hybrid merchants expect to do so in the near future. With 21% of operational spend allocated to fraud management in 2017, the researchers say, merchants are looking hard at the benefits of hiring an expert third party to manage fraud on their behalf.