<a href="https://colab.research.google.com/github/mutumaian29/payments-intelligence/blob/main/Project_Shield_and_Scale.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# üõ°Ô∏è Project Shield & Scale: iGaming Payments Fraud & Monitoring Analysis

## üìå Project Background
As our betting company continues to expand across multiple regional markets, we face an increasingly complex payments environment. This growth has introduced two major risks:

1.  **Sophisticated fraud activity**, including multi-accounting and coordinated transaction abuse.
2.  **Operational inefficiencies**, such as provider timeouts and technical failures that lead to lost or delayed revenue.

A preliminary review of 20,000 recent transaction attempts suggests exposure to both fraud-driven losses and significant technical leakage. **Project Shield & Scale** has been initiated to move the organization from a reactive payments risk posture to a proactive, data-driven strategy. The insights from this analysis will support an upcoming executive briefing focused on protecting revenue while maintaining a seamless experience for legitimate users.

---

## üéØ Business Objectives
* **Quantify fraud exposure** across providers, regions, and channels.
* **Identify coordinated abuse patterns** using device and IP intelligence.
* **Measure revenue loss** caused by non-fraud technical failures.
* **Provide actionable recommendations** for risk mitigation and performance optimization.

---

## üß© Dataset Overview
* **Source:** iGaming payments dataset (Internal Logs)
* **Volume:** ~20,000 transaction attempts
* **Key Fields:**
    * `user_id` / `transaction_id`: Unique identifiers.
    * `provider`: Payment gateway (e.g., Card, MPesa, PayPal).
    * `channel`: Access method (Web, Android, iOS).
    * `status`: Transaction outcome (`success`, `failed`).
    * `failure_reason`: Reason for failure (e.g., `fraud_suspected`, `timeout`).
    * `device_id` / `ip_address`: Hardware and network fingerprints for entity linking.
    * `created_at`: Transaction timestamp.

---

## üß™ Workstream 1: Fraud & High-Risk Deep Dive
**Objective:** Identify high-risk corridors contributing the most fraud exposure.

* **Provider Risk Matrix:** Calculate Fraud Rate ($\frac{fraud\_suspected}{total\_transactions}$) and Value at Risk.
* **Geographic Hotspots:** Distribution of fraud by country and channel.
* **Transaction Thresholds:** Analysis of average fraud transaction values to detect "testing" patterns.

> **Key Business Question:** If we had to disable one provider‚Äìchannel‚Äìcountry combination to protect revenue, which would save the most money?

---

## üß† Workstream 2: Entity Intelligence & Multi-Accounting
**Objective:** Detect coordinated abuse using shared device and network signals.

* **Device & IP Clustering:** Identifying entities linked to $>3$ unique users.
* **Success-After-Failure Audit:** Quantifying "at-risk" revenue from devices previously flagged for fraud that were later allowed to transact.
* **Velocity Tracking:** Identifying users with $>5$ attempts within a 60-minute window.

> **Key Business Question:** How much of our ‚Äúsuccessful‚Äù revenue is coming from previously flagged devices or networks?

---

## ‚öôÔ∏è Workstream 3: Operational Health & Revenue Recovery
**Objective:** Identify revenue loss caused by technical and provider-side failures.

* **Failure Reason Breakdown:** Categorizing non-fraud failures (e.g., `insufficient_funds` vs. `timeout`).
* **Technical Investigation:** Identifying time-of-day or provider-specific performance degradation.
* **Recoverability Analysis:** Tracking if failed transactions successfully retry within 24 hours.

> **Key Business Question:** How much revenue is lost due to technical issues, and which providers are responsible?

---

## üìä Visualization & Deliverables
The project will conclude with two primary dashboards:
1.  **Fraud Exposure Dashboard:** Focusing on risk rates, value at risk, and blacklisted entities.
2.  **Operational Health Dashboard:** Focusing on failure rates, timeout trends, and conversion funnels.

---

## üõ†Ô∏è Tools & Workflow
| Stage | Tool | Purpose |
| :--- | :--- | :--- |
| **Cleaning** | `google sheets/sql` | Data type conversion and missing value handling. |
| **Analysis** | `SQL/Python` | Grouping, clustering, and KPI calculation. |
| **Visualization** | `Matplotlib / Seaborn` | Executive-ready charts and heatmaps. |
| **Reporting** | `Markdown` | Structured business storytelling. |

---

**Step.1 Uploading our data and saving into a database for easier querying with SQL later**

In [1]:
from google.colab import drive
drive.mount('/content/drive')  #We start my mounting our drive. All the data files and databases of this project will be store on my drive

Drive already mounted at /content/drive; to attempt to forcibly remount, call drive.mount("/content/drive", force_remount=True).


In [2]:
from google.colab import auth
import gspread
from google.auth import default
import pandas as pd
import sqlite3
import os

# 1. Authenticate
auth.authenticate_user()
creds, _ = default()
gc = gspread.authorize(creds)

# 2. Open the Sheet (Make sure this name is exact)
sheet_name = 'igaming_payments_20k'
sh = gc.open(sheet_name)
worksheet = sh.get_worksheet(0)

# defining the db path
db_path = '/content/drive/MyDrive/Project_Shield_Scale/shield_scale_database.db'

def sync_live_data():
    # Pull live data from sheets
    print(f"üîÑ Pulling latest data from {sheet_name}...")
    data = worksheet.get_all_records()
    df = pd.DataFrame(data)

    # 2. We now connect the live data to our db
    conn = sqlite3.connect(db_path)
    df.to_sql('payments', conn, if_exists='replace', index=False)
    conn.close()
    print(f"‚úÖ Success! {len(df)} rows synced.")



##‚ö†Ô∏èWe will use this code cell to run the sync everytime we want to refresh our db

In [3]:
sync_live_data()

üîÑ Pulling latest data from igaming_payments_20k...
‚úÖ Success! 20000 rows synced.


##Data Validation and extraction- SQL

1.   Ensure the data is clean and no null or duplicates trx_ids
2.   Simple aggregation to understand the cashflow
3.   Explore the player distribution across different markets
4.   Create a view of the clean data and export it to python for further anlysis




**Installing sqlite dependencies and extensions**

In [4]:
# 1. Install dependencies quietly and include the missing jedi package
!pip install -q prettytable==3.11.0 jedi>=0.16 --upgrade --no-deps

# 2. Load the SQL extension
%load_ext sql
# 3. Connect to Drive database file
%sql sqlite:///{db_path}

In [5]:

#checking of the data was imported correctly
%%sql

SELECT * FROM payments
LIMIT 10;

 * sqlite:////content/drive/MyDrive/Project_Shield_Scale/shield_scale_database.db
Done.


transaction_id,user_id,provider,transaction_type,amount,currency,status,failure_reason,channel,country,device_id,ip_address,created_at,full_country_name,currency_fixed,standard_amount(USD),provider_clean,transaction_type_clean,status_clean,channel_clean
TRX000001,U4952,Card,deposit,8981.88,KES,failed,provider_error,web,KE,DEV53940,192.168.212.239,2025/01/18 05:53:00,Kenya,KES,69.16,card,deposit,failed,web
TRX000002,U2669,Card,deposit,850.89,USD,success,,ios,KE,DEV77207,192.168.237.189,2025/01/03 10:40:00,Kenya,KES,6.55,card,deposit,success,ios
TRX000003,U3325,Card,withdrawal,110.96,KES,success,,android,KE,DEV50084,192.168.76.23,2025/01/21 06:33:00,Kenya,KES,0.85,card,withdrawal,success,android
TRX000004,U2534,MPesa,deposit,1363.64,USD,failed,fraud_suspected,android,NG,DEV72945,192.168.51.154,2025/02/19 05:21:00,Nigeria,NGN,1.01,mpesa,deposit,failed,android
TRX000005,U1911,MPesa,deposit,980.45,EUR,success,,ios,UG,DEV53115,192.168.233.85,2025/02/24 15:15:00,Uganda,UGX,0.27,mpesa,deposit,success,ios
TRX000006,U3193,Card,deposit,6605.09,KES,success,,android,KE,DEV41288,192.168.37.46,2025/02/19 20:20:00,Kenya,KES,50.86,card,deposit,success,android
TRX000007,U4696,Card,withdrawal,4679.11,KES,success,,android,KE,DEV14626,192.168.167.28,2025/01/21 04:18:00,Kenya,KES,36.03,card,withdrawal,success,android
TRX000008,U3022,Skrill,withdrawal,13422.94,KES,success,,ios,KE,DEV17113,192.168.172.170,2025/01/05 10:21:00,Kenya,KES,103.36,skrill,withdrawal,success,ios
TRX000009,U2169,MPesa,deposit,5833.22,KES,success,,ios,KE,DEV78698,192.168.229.209,2025/01/09 15:35:00,Kenya,KES,44.92,mpesa,deposit,success,ios
TRX000010,U4614,MPesa,deposit,12033.94,KES,success,,ios,UG,DEV61365,192.168.237.50,2025/01/11 15:03:00,Uganda,UGX,3.37,mpesa,deposit,success,ios


##üü¢ Data Quality Audit: payments Table
This query performs a comprehensive health check on the payment data to ensure reliability for downstream reporting.

Checks performed:

* Completeness: Identifies missing (NULL) IDs, providers, and channels.

*   Value Consistency: Detects invalid transaction types or statuses outside of the standard business rules.
*   Financial Integrity: Flags NULL or negative transaction amounts in USD.
   
**Target Outcome: All validation columns should ideally return 0**

In [6]:
%%sql

SELECT COUNT(*) AS total_rows,
       SUM(CASE WHEN transaction_id IS NULL THEN 1 ELSE 0 END) AS missing_trx_id,
       SUM(CASE WHEN user_id IS NULL THEN 1 ELSE 0 END) AS missing_user_id,
       SUM(CASE WHEN "standard_amount(USD)" IS NULL THEN 1 ELSE 0 END) AS missing_amount,
       SUM(CASE WHEN "standard_amount(USD)" < 0 THEN 1 ELSE 0 END) AS negative_amount,
       SUM(CASE WHEN provider_clean IS NULL THEN 1 ELSE 0 END) AS missing_provider,
       SUM(CASE WHEN channel_clean IS NULL THEN 1 ELSE 0 END) AS missing_channel,
       SUM(CASE WHEN transaction_type_clean NOT IN('deposit', 'withdrawal') THEN 1 ELSE 0 END) AS invalid_transaction_type,
       SUM(CASE WHEN status_clean NOT IN('success', 'failed') THEN 1 ELSE 0 END) AS invalid_status
FROM payments;

 * sqlite:////content/drive/MyDrive/Project_Shield_Scale/shield_scale_database.db
Done.


total_rows,missing_trx_id,missing_user_id,missing_amount,negative_amount,missing_provider,missing_channel,invalid_transaction_type,invalid_status
20000,0,0,0,0,0,0,0,0


##üìä Financial Performance:
**Net Cash Flow by Country**
This analysis calculates the liquidity and net revenue per market by comparing total successful deposits against withdrawals.

Metrics Definition:Total Amount:
* Total volume of all successful transactions ($Deposits + Withdrawals$).
* Total Withdrawals: Total value of successful payouts to users.
* Net Cash Flow: The actual capital retained ($Deposits - Withdrawals$).

**Note:** Only success transactions are included to ensure we are looking at settled amounts only.

In [7]:
%%sql

WITH cashflow AS (

SELECT full_country_name, ROUND(SUM("standard_amount(USD)"),2) AS total_amount,
       ROUND(SUM(CASE WHEN transaction_type_clean = 'withdrawal' THEN "standard_amount(USD)" ELSE 0 END),2) AS total_withdrawals
FROM payments
WHERE status_clean = 'success'
GROUP BY full_country_name
ORDER BY total_amount DESC
)
SELECT full_country_name,
       total_amount,
       total_withdrawals,
       ROUND((total_amount-total_withdrawals),2) AS net_cashflow
FROM cashflow;

 * sqlite:////content/drive/MyDrive/Project_Shield_Scale/shield_scale_database.db
Done.


full_country_name,total_amount,total_withdrawals,net_cashflow
Kenya,504319.58,133516.52,370803.06
Nigeria,19544.27,5568.12,13976.15
Tanzania,7690.5,2149.08,5541.42
Uganda,5668.21,1579.23,4088.98


##üåç Market Reach: Successful User Count by Country

This analysis identifies our primary markets by measuring the unique number of users who have successfully completed at least one transaction.

**Key Definition:**

* Total Users: A count of unique $(Distinct) User IDs$. This prevents the data from being skewed by "Power Users" who make hundreds of small transactions.

* Success Filter: Only includes users where $status = 'success'$, filtering out users who tried to pay but failed.

**Business Insight**: this provides an idea of where marketing efforts are most effective at converting sign-ups into active paying customers.

In [8]:
%%sql

SELECT full_country_name,
       COUNT(DISTINCT user_id) AS total_users,
       ROUND(SUM("standard_amount(USD)"),2) AS total_trx_volume,
       ROUND((SUM("standard_amount(USD)"))/(COUNT(DISTINCT user_id)),2) AS avg_amount_per_user
FROM payments
WHERE status_clean = 'success'
GROUP BY full_country_name
ORDER BY total_users DESC;


 * sqlite:////content/drive/MyDrive/Project_Shield_Scale/shield_scale_database.db
Done.


full_country_name,total_users,total_trx_volume,avg_amount_per_user
Kenya,3534,504319.58,142.71
Nigeria,2311,19544.27,8.46
Uganda,1954,5668.21,2.9
Tanzania,1911,7690.5,4.02


##üõ†Ô∏è Data Extraction for python: Creating the clean_payments View

To streamline the transition from SQL to Python **(Pandas)**, I created a standardized View. This ensures that all downstream analysis uses the "Cleaned" version of the dataset without having to write complex SELECT statements repeatedly.

Key Benefits:

1. Abstraction: Hides the messy raw columns (like original uncleaned provider names) and only exposes the _clean versions.

2. Security & Efficiency: Limits the dataset to only the necessary columns, reducing memory usage in Pandas.

3. Consistency: Every team member using this view will be looking at the exact same "Single Source of Truth."

In [9]:
%%sql

DROP VIEW IF EXISTS clean_payments;

CREATE VIEW clean_payments AS

SELECT transaction_id,
       user_id,
       provider_clean,
       transaction_type_clean,
       "standard_amount(USD)",
       currency_fixed,
       status_clean,
       failure_reason,
       channel_clean,
       full_country_name,
       device_id,
       ip_address,
       created_at
FROM payments;


 * sqlite:////content/drive/MyDrive/Project_Shield_Scale/shield_scale_database.db
Done.
Done.


[]

##üì• Data Ingestion: Transferring SQL View to Pandas

This step executes the final bridge between my SQLite database and the Python environment. By loading the clean_payments view into a DataFrame, I enable the use of Python's libraries to anlyze the data.

**Process:**

1. Connect: Opens a secure gate to the shield_scale_database.db.

2. Fetch: Pulls the pre-filtered, cleaned data using the View created earlier.

3. Terminate: Immediately closes the connection to preserve system resources and prevent file locking.

**Inspect:** Displays the first 5 records to verify data was exported correctly.

In [10]:
conn = sqlite3.connect(db_path)
df = pd.read_sql_query("SELECT * FROM clean_payments", conn)
conn.close()
df.head()

Unnamed: 0,transaction_id,user_id,provider_clean,transaction_type_clean,standard_amount(USD),currency_fixed,status_clean,failure_reason,channel_clean,full_country_name,device_id,ip_address,created_at
0,TRX000001,U4952,card,deposit,69.16,KES,failed,provider_error,web,Kenya,DEV53940,192.168.212.239,2025/01/18 05:53:00
1,TRX000002,U2669,card,deposit,6.55,KES,success,,ios,Kenya,DEV77207,192.168.237.189,2025/01/03 10:40:00
2,TRX000003,U3325,card,withdrawal,0.85,KES,success,,android,Kenya,DEV50084,192.168.76.23,2025/01/21 06:33:00
3,TRX000004,U2534,mpesa,deposit,1.01,NGN,failed,fraud_suspected,android,Nigeria,DEV72945,192.168.51.154,2025/02/19 05:21:00
4,TRX000005,U1911,mpesa,deposit,0.27,UGX,success,,ios,Uganda,DEV53115,192.168.233.85,2025/02/24 15:15:00


In [11]:
df.info()
df.describe()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 20000 entries, 0 to 19999
Data columns (total 13 columns):
 #   Column                  Non-Null Count  Dtype  
---  ------                  --------------  -----  
 0   transaction_id          20000 non-null  object 
 1   user_id                 20000 non-null  object 
 2   provider_clean          20000 non-null  object 
 3   transaction_type_clean  20000 non-null  object 
 4   standard_amount(USD)    20000 non-null  float64
 5   currency_fixed          20000 non-null  object 
 6   status_clean            20000 non-null  object 
 7   failure_reason          20000 non-null  object 
 8   channel_clean           20000 non-null  object 
 9   full_country_name       20000 non-null  object 
 10  device_id               20000 non-null  object 
 11  ip_address              20000 non-null  object 
 12  created_at              20000 non-null  object 
dtypes: float64(1), object(12)
memory usage: 2.0+ MB


Unnamed: 0,standard_amount(USD)
count,20000.0
mean,30.799698
std,35.894544
min,0.0
25%,2.98
50%,8.85
75%,57.8175
max,115.49


##üîç Dataset Profile & Statistical Summary

After loading the data into Pandas, I conducted an initial inspection of the dataframe structure and the distribution of transaction values.

**Data Structure & Completeness**

1.  Total Records: 20,000 transactions.

2. Columns:  the data contains 13 columns (comprising identifiers, categories, and financial metrics).

3. Data quality: There are zero missing values across the entire dataset (20,000 non-null entries for all columns). This indicates a very high level of data cleanliness from the source.

Memory Usage: Approximately 2.0+ MB.

**Statistical Analysis: standard_amount(USD)**

The financial volume per transaction shows the following characteristics:

1. Average (Mean): ~$30.80 per transaction.

2. Median (50%): ~$8.85.

**Insight:**  Since the mean is significantly higher than the median, the data is right-skewed. This means we have a large volume of small transactions and a few much larger transactions pulling the average up.

4. Transaction Range: Transactions vary from a minimum of USD 0.00 to a maximum of 115.49.

5. Volatility (Std Dev): $35.89, showing a wide spread in how much users are transacting.

** Technical Observations**
Data Types: Most columns are stored as object (strings). The financial column standard_amount(USD) is correctly formatted as a float64 for calculation.

*‚ö†Ô∏è Note on Temporal Data: The created_at column is currently stored as an object.*

**Action:** Convert this column to a datetime64 format in the next step to enable time-series analysis

In [12]:
from re import error
##converting the created_at column to datetime64
df['created_at'] = pd.to_datetime(df['created_at'], errors='coerce')
df['created_at'].info()

<class 'pandas.core.series.Series'>
RangeIndex: 20000 entries, 0 to 19999
Series name: created_at
Non-Null Count  Dtype         
--------------  -----         
20000 non-null  datetime64[ns]
dtypes: datetime64[ns](1)
memory usage: 156.4 KB


**Data quality guard-rail**

In [13]:
#Ensuring no data is lost and if lost, We immediately receive an alert
assert len(df)>=20000, f'Critical data loss, Expected at least 20,000 but only {len(df)} were returned.'

#Ensuring transaction_id has only unique value
assert df['transaction_id'].is_unique, 'Error: duplicate transactions detected'

#Enforcing business financial logic
assert df['standard_amount(USD)'].min() >=0, 'Error: Negative amounts detected'
assert df['standard_amount(USD)'].max() <=1000, 'Alert: Unexpected large amount detected'

##üõ°Ô∏è Risk Analysis: Fraud Incidence Rate by Provider
This analysis quantifies the security risk associated with each payment provider by calculating the percentage of transactions flagged as fraud_suspected.

**Methodology:**

1. Numerator: Total count of transactions where the failure_reason is explicitly categorized as "fraud_suspected".

2. Denominator: Total volume of all transaction attempts (regardless of status) per provider.

3. Output: A percentage-based "Risk Score," sorted in descending order to highlight the most vulnerable providers at the top.

*Strategic Objective:* Identify high-risk providers that may require additional security layers (e.g., 3D Secure, stricter velocity checks, or manual review) to protect the platform's bottom line.

In [14]:
#Total transactions by provider
total_transactions = df.groupby('provider_clean').size()

#Fraud rate by provider
total_fraud_cases =df[df['failure_reason']=='fraud_suspected'].groupby('provider_clean').size()

#Fraud rate
fraud_rate = (total_fraud_cases/total_transactions*100).round(2).sort_values(ascending=False)
fraud_rate

Unnamed: 0_level_0,0
provider_clean,Unnamed: 1_level_1
paypal,3.52
skrill,3.39
airtelmoney,3.28
card,3.22
mpesa,3.17


PayPal is identified as the most vulnerable provider with a fraud rate of $3.52\%$, whereas M-Pesa is the most secure at $3.17\%$. The narrow variance of $0.35\%$ between the highest and lowest providers suggests there is almost a uniform distribution of fraud attempts across all payment channels.