Avoid Fraud

Be on the Lookout

Online retailers are beginning to observe patterns in online fraud.  Here’s some of the “modus operandi” to watch out for:

  • Late night orders-Fraud increases late at night.
  • Orders from certain countries can be suspect.   Fraud areas we have found include Israel, Eastern Europe, and South America
  • Ordering in high volume.  Cybercrooks don’t care how high the bill is, since they won’t be paying for it.
  • Physical address must match the credit card billing address.
  • Orders where the buyer wants to pick up the order at your store.
  • Fake phone numbers.  Verify that a phone number is valid.
  • ISP address.  This must be in the same area as the record of the customer’s address.
  • E-mail address.  Names that have no apparent connection to customer’s name or include random characters could be attempts to mask identity.
  • Free, Web-based, non-ISP e-mail addresses such as @outlook.com, @yahoo.com, @mail.com.  Some merchants are reporting that all of their fraudulent transactions are originating through these addresses.
  • Repeated attempts on the same credit card number.   In the early days of the Internet, criminals obtained fraudulent credit card numbers by using credit card generation software programs such as CreditMaster that are still readily available on the Net.  They would then attempt multiple hits varying the name and expiration date until the transaction went through.  A small merchant, for example, had only 3-4 sales in a period but 3,000 authorization attempts!

23 Fraud Fighting Tips for Online Merchants:

The following are ideas to help fight fraud and chargebacks but must be weighed against the possibility of losing sales.  If your credit card acceptance procedures become too strict you could be losing legitimate sales.  Only the individual merchant can determine which procedures to implement in order to maintain a correct balance between fighting fraud and accepting credit cards from legitimate customers.

  1. Get and stay PCI compliant.  PCI compliance standards protect merchants from many areas of fraud.  In addition, it shows your customers that you are serious about protecting their information.
  2. Make sure your gateway uses tokens. This returns a random number to the merchant is useless to anyone who may want to commit fraud.
  3. Maintain updated shopping cart software. Technology is always improving and usually involves the latest in security features.  Using updated shopping cart software will protect against fraudsters.
  4. Put a limit on the number of declined attempts that are allowed. Many times numerous declined attempts are a sign of fraudulent activity.
  5. Consider not accepting credit cards from the customer unless full information is provided including the complete address and phone numbers.
  6. Create a negative database to identify high-risk transactions and block specific credit card numbers within your system. Phone numbers, shipping address, and email addresses can be checked as well against your database.
  7. Use a site like lookup.net to check that the IP address matches the billing address.
  8. Consider not accepting credit cards from customers who use “free” email address services. Examples include @outlook.com and @yahoo.com.
  9. Submit your customer service telephone number to your credit card processor so it can be included with your merchant name on the customer’s billing statement.
  10. Know your customer. Obtain your customer’s telephone number during a transaction and call to verify the order and the telephone number given to you.  If the person contacted at the phone number provided doesn’t recognize the name of the customer, the order is likely fraudulent.
  11. If they are available, utilize CVC2 (MasterCard®) and CVV2 (Visa®). These two numbers are the three unique digits on the back of a MasterCard or Visa credit card.  These are used in situations where the card is not present, e.g., mail order, telephone order and Internet credit card transactions.
  12. Obtain your cardholder’s signed proof of delivery for every credit card transaction in which the merchandise or service is not delivered immediately at the point of sale.
  13. Accept checks online through VirtualCheck. Merchants can call the account holder’s bank and verify the account number, account holder’s name and current funds to clear the check before processing the order.
  14. Delayed delivery transactions. Use the appropriate wording on the transaction receipt, such as “delayed delivery,” “deposit” or “balance.”  You may process delayed delivery transactions before delivery of the goods or service, but you may not process a deposit or balance transaction receipt before delivery of the goods or service.
  15. Installment transactions.  Disclose to your customer in writing the terms of the installment transaction, including shipping and handling charges and any applicable tax.  The first payment installment must not be processed until the shipment date of goods.
  16.  You may process a prepayment transaction if you advise your customer that he or she will be billed immediately; you may process a full prepayment for custom-order merchandise (goods manufactured to the customer’s specifications).
  17. If a transaction is not made face to face, it is a good idea to send a confirmation directly to the cardholder’s address to help identify the transaction when it appears on a billing statement. Include the business name that will appear on the cardholder’s statement.
  18. Process refunds to your customers’ accounts quickly, always using the same card number from the original sale. Never give a customer a refund by cash or check.
  19. Stop recurring transactions that a cardholder canceled; this will reduce the number of repetitive chargebacks by the same customer.
  20. Always adhere to your return policy and make sure your customer has a clear understanding of the return procedure.
  21. Be sure your merchandise suits the needs of the customer, and ensure the goods are packed properly for shipping.
  22. Limit the number of users that have access to your merchant account for credit card processing and make sure that they are trustworthy.
  23. Change your online merchant account password on a regular basis.

17 Fraud Fighting Tips for Retail (point of sale) Merchants:

Merchants have the right to ensure they are doing business with the rightful cardholder.  In the physical world, merchants can protect themselves against credit card fraud through the following procedures:

  1. Verify the cardholder’s signature to make sure it is the same name embossed on the card. If it does not, merchants can request another credit card or some form of identification as a way to protect themselves.
  2. Merchants can try calling the customer by the name on the card. If the cardholder does not respond, the merchant should ask for another credit card or additional identification.
  3. Credit authorization check confirms the validity of a card number and expiration date and determines that there are adequate funds in the account to cover the transaction.
  4. Signature confirmation visually compares the signature on the card with the signature on the charge slip.
  5. If you are unable to swipe a credit card through your point-of-sale terminal, be sure to obtain a manual imprint of the card; include your customer’s signature and note the authorization code and purchase amount on the slip. This ensures that you are able to prove that the actual card was at the point of sale, which is important if some type of dispute arises.  Imprinting the card allows the merchant to capture the imprinted data from the front of the card in lieu of the data located in the magnetic stripe on the back of a card.
  6. Obtain your cardholder’s signed proof of delivery for every credit card transaction in which the merchandise or service is not delivered immediately at the point of sale.
  7. Delayed delivery. Use the appropriate wording on the transaction receipt, such as “delayed delivery,” “deposit” or “balance.”  You may process delayed delivery transactions before delivery of the goods or service, but you may not process a deposit or balance transaction receipt before delivery of the goods or service.
  8. You may process a prepayment transaction if you advise your customer that he or she will be billed immediately; you may process a full prepayment for custom-order merchandise (goods manufactured to the customer’s specifications).
  9. Ensure that all information on a sales draft is complete, accurate and legible before completing the transaction. Always check the ink cartridge or ribbon on your printer; if an old ribbon or ink cartridge is causing illegible sales drafts, call your credit card processing company and request new ribbons.
  10. Process refunds to your customers’ accounts quickly, always using the same card number from the original sale. Never give a customer a refund by cash or check.  If your return or refund policy is limited, preprint or hand write the restrictions on each sales draft near the signature line, prior to the customer signing the receipt; be sure the information shows clearly on all copies of the sales draft.
  11. Make sure you process only one transaction at a time through your point of sale terminal. Always balance your deposits at the end of the day. If your customer makes more than one purchase or makes two purchases for the same dollar amount within the same day make sure you create one invoice per transaction to describe each purchase.
  12. Do not continue to seek authorization on a declined transaction; do not reduce the amount requested, and do not repeat the request.
  13. Ensure that your customers are aware of your return policy by displaying it prominently at the point of sale, printing it on your sales slips directly above the cardholder signature.
  14. Always adhere to your return policy and make sure your customer has a clear understanding of the return procedure.
  15. Always keep accurate records of each transaction. You may have to provide documentation to your credit card processing company should your customer continue to dispute the transaction.
  16. Check the security features on every credit card, including the holograms that change color in the light, and non erasable signature lines.
  17. Call the credit card processing company with any concerns regarding credit card processing transactions that seem suspicious.

Address Verification Service

Merchants, who accept credit cards when the credit cards are not present, such as Mail order, Telephone and Internet retailers, do not have the ability to confirm the signature.  To protect themselves, they can use the Address Verification Service (AVS).

This service remains useful, but is limited in the anonymous environment of the Internet.  This is especially true when the product or service for sale is electronically downloaded, but the limitations also impact merchants selling physical goods and even auction sites.

AVS works by comparing the billing address (street address and ZIP Code) information supplied by the Internet shopper against information logged in the credit card issuing bank’s database.  The AVS code returned corresponds to different degrees of match when the address and ZIP Code information is compared against the database.

There are limitations inherent in AVS:

  • AVS only works for U.S. addresses.  Since the Internet allows merchants to easily sell internationally, a large (currently 30 percent) and growing percentage of Internet sales go to international addresses.
  • More than 50 percent of the time, AVS data associated with a credit card number is not available (NA), leaving merchants to guess at whether a potential sale is a good risk.
  • AVS results can only reflect a match with information written to the database, so any variation in the way data is treated results in a negative AVS response.
  • For example, both five-digit and nine-digit ZIP Codes are currently valid. If the ZIP Code for a cardholder is entered into the database as a five-digit number and the transaction information presents a nine-digit ZIP Code, the AVS check reports failure on the ZIP Code match.  To protect against this, merchants should set up their systems to include only five digits.
  • There is even more potential for discrepancy in the way street addresses are expressed.  For example, AVS address information for “110 First Street” should be submitted as “110? (AVS address information includes the numeric portion of the street address only), but consumers and banks frequently enter the street address as 110
  • 1ST Street.  The AVS translates this as “1101” and reports failure on the address match.
  • AVS does not protect against thieves with knowledge of both the credit card and billing address, as is the case with stolen wallets, purses or phone scams.
  • Strict adherence to AVS recommendations limits the merchant’s potential customer base.  Since some merchants elect to ship only when AVS returns a good match, many orders that may have been legitimate are unnecessarily declined.  Others, such as the airlines, will ship orders only to the billing address, which can create a problem when, for example, a parent wishes to purchase a travel ticket for a child away at college and have the ticket shipped directly to the child.

We and our technical partners support the credit card industry’s AVS, but we recognize that AVS alone is not enough to combat Internet fraud.

What to Keep in Mind When Buying an Internet Fraud Solution

Does It Reward You for Success?

When your e-commerce business is starting out, contracting with an outside provider to do everything looks interesting from a financial standpoint.  But as volumes increase, per-transaction fees can begin to take a heavy toll.  Payeezy Gateway® products reward you for your success with a functional e-commerce system that gets you online safely and securely, helping your business deliver a rapid return on your investment.

Does the Solution Fit Your Business?

In the retail world, one size does not fit all.  Merchants pride themselves on the qualities that make their businesses unique.  This differentiation is, in fact, what keeps them in business.  Just as their product set, customer base and value propositions are unique, so is the fraud they face.  Fraud varies by industry and geographic location.  Competing Internet fraud screen offerings tend to provide “cookie-cutter” risk assessment methods that presume a similar profile for all merchants and product categories.

Does It Balance the Risk of Fraud Against the Risk of Losing a Customer?

Whether in the physical or virtual environment, every credit card or check transaction is a calculated risk between the potential for revenue and the potential for fraud.  With the high cost of customer acquisition and the potential high lifetime profitability of a valued customer, it is important to be cautious when setting stringent fraud rules and selecting e-commerce products.

Does It Increase Your Expertise?

With the explosive growth of e-commerce, Internet fraud is still new to everyone.   The question is: Will you be the one to get smart or will your competitors?  Is expertise growing inside the corporation or outside?

“Internet fraud is only slightly higher than MOTO,” said Sam Nair, Director of Loss Prevention.  “However, fraud levels vary among merchants and the type of merchandise they sell.”

In the adult entertainment industry, chargebacks range from 10 to 12 percent.  “This is sometimes identified as ‘friendly fraud’ a legitimate user who claims they weren’t there when the bill comes due,” explained Bob Aguirre, manager of the Special Investigations Unit.

“Another level of fraud, however, is the sale of computers and electronics.  This is ‘hostile fraud’, people using card-generation programs like CreditMaster to generate numbers and make fraudulent orders with the intent to convert it into another opportunity for crime.”  Fraud for these high-priced items can run 6 to 7 percent.

Visa® currently has a chargeback-monitoring program with attendant penalties if a merchant exceeds a 2.5 percent ratio of chargebacks to interchange transactions or 1 percent ratio of consumer disputed chargebacks (CDC) to interchange.  MasterCard® International has also launched a chargeback compliance program designed to reduce chargebacks.

“Internet merchants are not keeping enough checks and balances to combat this type of fraud,” said Nair. As a result, our company works hard with our merchants to lower risk by offering them tips for security control, including:

  • Negative database.  Keeping a record of the e-mail address, card number, and phone number of those who have initiated chargebacks
  • Velocity checks.  Monitoring the number of times an individual card is used in a week
  • Credit limit.  Limiting the total amount one card can charge without independent verification
  • Customer Service telephone number .  If you have a question, give the specialists a call

Nair also suggests an e-mail link for the consumer to contact the merchant directly for a dispute or chargeback rather than going to the issuing bank.  He also cautions against overly protective fraud control that might limit profitability and turn away valid customers.

Once fraud occurs, however, they move quickly to stop it before word of vulnerability spreads.  “We’re all learning the basic ground rules of the Internet,” concluded Aguirre.  “We’re trying to make people look at the areas that are more susceptible to fraud so merchants can pick up their security in these areas.  The merchant has to monitor what they are doing. I put a lot of responsibility on the merchants themselves. They have to do due diligence.”

Summary

Accepting credit card orders over the Internet allows merchants to automate Internet sales and reduce costs.  An essential key to success is for merchants to manage the real threat of fraudulent Internet credit card transactions.  The growth in Internet sales is following a steep curve.  Now merchants must begin to build the infrastructure needed to reduce fraud.