Yes, developers should be smarter about escaping and using string values, but this seems like a very easy thing to get wrong.
Machine learning based anti-fraud systems perform asymptotically better as you get more variety and volume of data, and Sift can market it as such ("our network consists of over X merchants"). The 100 dollars of free service they are giving away is likely worth more to them in the data alone. The biggest credit card fraud solution I know of markets itself as a better solution because of its "consortium" of thousands of card issuers: http://brblog.typepad.com/files/falcon_scoring_srvr_2519ms.p...
This arrangement also lets Sift very naturally ease merchants into being paying customers as they grow.
... and is that pageview information predictive, so far?
Assuming you're putting all of the relevant data into Google Analytics, how would you query GA with a pending transaction and figure out the probability that it is fraudulent? This is the sort of thing very few (or no) general analytics products do, but is the domain of fraud prediction software.