Controlling Credit Card Fraud Online..A MUST READ

Many people ask, "Why is credit card processing over the internet such a high-risk venture?"

Well, just think about it: you take a credit card order over the internet for $200.00 and process it in the normal fashion; then, 60-90 days later, your customer calls his credit card issuing bank and states that he never ordered anything from your company and now wants a credit issued for that "erroneous" charge. You don't have his signature and can't prove whether or not he received the product or service. It's your word against his.

His bank then issues him his refund for the $200.00 sale and charges your business bank account for $200.00 (plus chargeback fees). You only have $125.00 in your checking account, so that $200.00 charge comes back to the processor marked "NSF-Insufficient Funds". Now, who is going to pay for that disputed charge? The processor who set up your merchant account has to pay, and will make every effort to get the money back from you, the merchant. This is why the processors consider these types of accounts to be "high risk" and "high liability"!

If over 3% of your monthly charges are disputed for over 2 consecutive months, your merchant credit card processing account may be subject to termination and it may be possible that these poor percentages may cause derogatory information to be posted to your personal credit report through the national credit reporting agencies! Unfortunately, the rules are not written to favor the merchant. Read on...about how our programs are geared towards helping you to control fraud.

Charge Backs Occur...
when a customer disputes his or her credit card statement. You can lose compensation for the sale if you don't have physical proof that a card was present at the point of purchase. If the electronic POS system can't read the magnetic stripe, you need an imprint to prove that the charge is valid. If you key the card information in over the internet or a telephone program, you need to obtain physical proof if you can. If a customer disputes the charge and you don't have proof, you lose. The money is "charged back" to the business and you are not paid for the transaction, yet the customer keeps the goods. IMPRINTERS are the least expensive insurance you can get to prevent keyed-in charge backs. Bottom line - an imprint of the card guarantees that you'll be paid for every transaction.

From all the media hype surrounding electronic commerce, a newcomer could be forgiven for thinking that making money on the 'Net is easy. Trust me, it's not. A successful Web merchant has to carefully select the product or service they are going to sell, choose an e-commerce solution, and then build their store. But that's just the start of it: they then have to promote their store to encourage people to visit it and then convert these visitors into purchasers and then hopefully on into repeat purchasers.

So whatever way you look at it, building an online business takes a lot of work. Imagine then, how an online merchant feels when they see the profits from their hard work being lost through credit card fraud!

There has been much discussion in the media about the impact of Internet credit card fraud from a consumer perspective. This is somewhat surprising really as the incidence of fraud perpetrated by online merchants against consumers is fairly rare and consumers are typically only liable for the first $50 of any fraudulent transaction, and even this liability is often waived by the credit card issuers.

In fact it is usually the merchant who is the true victim of Internet credit card fraud. This is because Internet credit card transactions fall under the heading of MOTO (Mail Order / Telephone Order) transactions, also called CNP (cardholder not present) transactions. Most credit card merchant account agreements leave the merchant 100% liable for fraud committed via this type of transaction as well as requiring them to pay a $15-$25 chargeback fee. And as if to rub salt into the wound, if a merchant experiences a high level of chargebacks they are often hit with an increase in the discount rate they have to pay on each transaction or may even have their account terminated. And once lost, a merchant account can be almost impossible to obtain again.

So just how big a problem is Internet fraud? Global credit card fraud is estimated at over a billion dollars per year, but with Internet transactions making up a tiny percentage of all credit card transactions it is possible to come to the conclusion that Internet credit card fraud is not really a big issue. This might help to explain why banks and card issuers have in general been slow to try and fix the problem.

On the other hand, reports from individual merchants vary. Some claim they have had no problems at all while others claim significant losses. Whatever today's reality is, one thing is clear: the problem is only going to grow as Internet usage and e-commerce continue their rapid expansion.

Indeed, the Internet itself makes the process of credit card fraud easier in many ways. Lists of stolen credit card numbers and even programs to generate valid new numbers are readily available online. And once armed with stolen or false credit card information, the lack of face-to-face or voice contact on the Internet tends to make a thief more brazen than ever.

It would be wise therefore for all online merchants who have not yet been the victim of a fraud attempt to make the assumption that they will experience an attempt to defraud them at some point soon.

It is important for merchants to understand that if they become victims of a fraud they will probably receive very little support from the police authorities. The authorities are likely to view the amount involved to be too small to bother about, or in the case of international orders to be out of their jurisdiction. So it is therefore vital for merchants to put in place fraud prevention processes now and not wait until a fraud attempt occurs.

Before moving on to discuss fraud prevention techniques, one common misconception needs to be cleared up. Some merchants make the assumption that the verification process they initiate when they key a card number in to an electronic swipe terminal provides sufficient fraud protection. This is not the case as all this verification process does is to check that the card has not been reported stolen and that it has sufficient free credit available to fund the purchase.

So why are existing anti-fraud techniques not sufficient? Current techniques for credit card fraud prevention include the use of signatures on anti-tamper tape, holograms and now even the etched image of a card's owner. These are all of no use when it comes to CNP transactions, as the merchant never gets to see the credit card. About the only existing anti-fraud technique that is of any use to the online merchant is AVS - Address Verification Service.

So why is AVS relatively ineffective against online fraud? Read on and find out....

AVS was developed to help MOTO merchants avoid fraud. It works by comparing a portion of the billing address and Zip code with the records held by the card issuer. However, AVS has some serious limitations when it comes to Internet transactions:

  • One of the major opportunities that the Internet brings is the ability to accept orders from all around the world, but AVS only works for addresses in the USA.
  • Another major advantage of the Internet is that it allows "soft" goods such as software to be purchased and downloaded instantly. AVS provides no protection here as all a thief has to do is to obtain a valid address that corresponds to a stolen credit card number.
  • And even with "hard" goods there is still a problem as thieves can supply a valid address for a stolen credit card as the "bill to" but then request a different "ship to" address.

I mentioned above that the banks and card issuing authorities were doing very little to combat online fraud. This is not strictly true as they are investing large sums of money into a new system known as SET. SET is the Secure Electronic Transaction protocol developed by Visa and MasterCard specifically for enabling secure credit card transactions on the Internet. It uses digital certificates to validate the identities of all parties involved in a purchase and encrypts credit card information before sending it across the Internet. However it is likely to be several years (if ever) before the use of SET becomes widespread.

Not surprisingly then, merchants have been quick to develop and introduce a number of ways to limit their exposure to fraud. Here's a list of some of them:

  • Using AVS whenever possible: OK so it only works in the US and the system can be beaten, but it's still a useful way of weeding out the less sophisticated fraudster. Non-use of AVS will cause your normal discount fee for those transactions to increase by over 1.5%
  • Asking for the Signature Panel Code: this is the last 3 digits on the back of the credit card near the signature line. If the customer has this number, he most likely has the card in his possession. But this does not rule out the possibility that the card he has is a stolen card!
  • Being particularly wary of orders from free e-mail addresses: Once a thief has a stolen credit card number and a stolen address they need one more thing to complete their fraud portfolio - an untraceable e-mail address to hide behind. That's why a high proportion of fraudulent orders come from free e-mail addresses and as a result many merchants refuse to accept orders from them or at least perform additional checks. You can find a list of free e-mail domains on the AntiFraud Web site.
  • Checking out the customer's Web site: it is often possible to determine the URL of a customer's Web site by simply putting "www" in front of the second part of their e-mail address. For example, if a customer provides an e-mail address of "" then typing in to a Web browser usually leads to their Web site. Things to look out for include empty or "under construction" Web sites or sites where the contact information differs significantly from the order information. For example, the Web site might display a US business address whilst the order requests delivery to be made to Eastern Europe. Some merchants go even further and check out who owns the domain name. Information on the ownership of US domains is available on the Network Solutions Web site or alternatively Unix wizards can use the "whois" command.
  • Taking special care where the "ship to" address differs from the "bill to" address: Some merchants don't accept these types of orders from international customers and some carry out additional checks even for domestic orders.
  • Watching out for unusual orders: Thieves usually have the "might as well be hung for a sheep as a lamb" mentality and therefore tend to place orders that differ significantly from what legitimate customers typically order. Things to look out for include orders for "big ticket" items, orders for unusually high quantities and orders where the customer is prepared to pay a lot for expedited delivery.
  • Phoning the customer if in any doubt: A quick telephone call can often be enough to establish whether an order is legitimate or not.
  • Collecting all possible order data: When trying to detect fraudulent orders or trying to recover money lost through fraud, the more data you have available the better. This includes the customer's address and telephone number, the name of the bank that issued the credit card, and the IP address of the computer from which the order was placed. To confirm some of these elements, try a "people search" on the internet.
  • Firing a warning shot: Stating clearly on a Web site that the merchant has anti fraud safeguards in place and will pursue prosecution for all fraudulent orders can be enough to scare off some would-be thieves.

So which of these checks should a merchant employ? How can they be automated? Read on and find out more....

Although it might be tempting to employ all of the methods above, there is a problem: each of these checks takes time (and therefore money) to perform. The best strategy therefore for most merchants would be to construct a tiered matrix that stipulates the level of checking that should be performed on different order categories.

The contents of such a matrix will depend entirely on the nature of what the merchant is trying to sell, where in the world they are located and how much risk he or she is willing to take, but here's an example:

Sample Matrix

| Order Value | Domestic Orders | International Orders |
|---|---|---|
| <$25 | Accept all | Accept all |
| $25 to $99 | AVS only | Bill to = ship to; no "freemail" addresses |
| $100 to $249 | AVS; no "freemail" addresses | Bill to = ship to; no "freemail" addresses; check out customer's Web site |
| >$250 | AVS; no "freemail" addresses; phone customer for verification | No credit card orders accepted; ask customer to wire funds before shipment |

Although this approach will reduce the risk of fraud considerably, it still has some problems associated with it. For not only do these checks take time and money to perform, they also prevent the use of real-time credit card processing which could in turn lead to lost sales. And most important of all, these methods are difficult to scale successfully: a merchant might be able to perform these checks on a small number of orders per day, but how would they cope when the number of orders grows?
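The sample matrix can also be encoded so that its automatable checks run on every order and only the manual steps are left for a person. The following is an added example, not code from the original article or from any product it mentions; the `Order` fields, the placeholder freemail domains and the treatment of an order of exactly $250 as top tier are assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder list; a real deployment loads a maintained freemail list.
FREEMAIL_DOMAINS = {"freemail.example", "webmail.example"}

@dataclass
class Order:                 # hypothetical order record
    value: float             # order total in USD
    domestic: bool           # True for a US order
    email: str
    bill_to: str
    ship_to: str
    avs_match: bool = False  # AVS result reported by the payment processor

def is_freemail(email):
    """True if the address's domain is on the freemail list."""
    return email.rsplit("@", 1)[-1].strip().lower() in FREEMAIL_DOMAINS

def screen(order):
    """Apply the sample matrix; return (decision, notes).

    decision is 'accept', 'reject', or 'review' (a manual step is still owed).
    Assumption: tiers are <25, 25 to <100, 100 to <250, and 250 and above.
    """
    if order.value < 25:
        return "accept", []
    failed, manual = [], []
    if order.domestic:
        if not order.avs_match:
            failed.append("AVS mismatch")
        if order.value >= 100 and is_freemail(order.email):
            failed.append("freemail address")
        if order.value >= 250:
            manual.append("phone customer for verification")
    else:
        if order.value >= 250:
            return "reject", ["no credit card orders; ask customer to wire funds"]
        if order.bill_to.strip().lower() != order.ship_to.strip().lower():
            failed.append("bill to differs from ship to")
        if is_freemail(order.email):
            failed.append("freemail address")
        if order.value >= 100:
            manual.append("check out customer's Web site")
    if failed:
        return "reject", failed
    return ("review", manual) if manual else ("accept", [])
```

Orders that come back as 'review' are the only ones that need staff time, which is what lets the matrix scale with order volume.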

One solution to this quandary is to employ some automated checking tools. There are a number of these available, but for the purposes of this article I am going to focus on two: AntiFraud and another, less used one.

AntiFraud is by far the cheaper of these two products, but it has limited capability to match. It costs just under $10 per month and provides a number of tools:

  • Automatic screening of free, Web-based or e-mail forwarding addresses. AntiFraud provides access to a custom script that automatically checks the buyer's e-mail address against a list of "Red Flag" domains. The list currently has over 2000 domains listed, and it is updated regularly.
  • IP tracking that automatically captures the IP address of the computer from which the order was placed.
  • Instant Fraud Attempt Alerts that allow members to notify each other about fraud attempts.
  • A regular newsletter.

At the other end of the scale, the other's IVS solution (including full payment processing capability) costs $1495 to set up and has a per transaction fee of $0.39, with a monthly minimum of $195.
The other claims that its IVS system has reduced fraud levels to just 0.5% of sales for many of its merchants. IVS is based on an artificial intelligence engine and works by analyzing numerous characteristics of each transaction including shipping address, network address and at what time of day or night the order was placed. IVS then assigns weighted scores and compares these against a merchant's pre-defined threshold to determine if a transaction should be declined or accepted.
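The weighted-score-against-threshold mechanism described above can be sketched as follows. This is an added example, not IVS code or anything from the original article; the weights, the order fields and the `ip_country` value (assumed to come from an upstream geolocation lookup of the network address) are all assumptions.

```python
from datetime import datetime

# Assumed weights, chosen only for illustration (not IVS's values).
WEIGHTS = {
    "ship_to_differs": 30,       # shipping address differs from billing address
    "ip_country_mismatch": 35,   # network address is outside the billing country
    "night_order": 10,           # placed between 01:00 and 05:00
    "expedited_big_ticket": 25,  # high value plus paid expedited delivery
}

def fired_signals(order):
    """Return the names of the risk signals present in an order dict."""
    fired = []
    if order["bill_to"].strip().lower() != order["ship_to"].strip().lower():
        fired.append("ship_to_differs")
    if order["ip_country"] != order["bill_country"]:
        fired.append("ip_country_mismatch")
    if 1 <= order["placed_at"].hour < 5:
        fired.append("night_order")
    if order["value"] >= 250 and order["expedited"]:
        fired.append("expedited_big_ticket")
    return fired

def assess(order, threshold):
    """Sum the weights of fired signals and compare with the merchant's threshold."""
    fired = fired_signals(order)
    total = sum(WEIGHTS[name] for name in fired)
    decision = "decline" if total >= threshold else "accept"
    return decision, total, fired

# Constructed sample order.
SAMPLE = {
    "value": 320.0, "expedited": True,
    "bill_to": "12 Elm St, Springfield", "ship_to": "PO Box 9, Elsewhere",
    "bill_country": "US", "ip_country": "US",
    "placed_at": datetime(2024, 1, 15, 3, 12),
}
```

The same order is declined by a merchant whose threshold is 60 and accepted by one whose threshold is 80, which is the risk-appetite choice the pre-defined threshold represents.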

My final message: Internet credit card fraud is growing and will continue to do so and as things stand just now, you, the merchant, are going to have to bear the cost of it. So whatever anti-fraud methods you choose to employ, please start work on implementing them today.

Reader Feedback...Controlling Credit Card Fraud

Here are other ideas for trying to verify overseas orders.

• Visa and MasterCard each put an extra 3 digit number on the back of the card on the signature strip. This is called the Signature Panel Code, also known as the CVV2 code. Simply asking for the 3 digit number "for the customer's protection" is one way to help weed out anyone who doesn't have the card in their possession. If they don't respond, you know it is fraud. Most Gateways now can verify this code and you can have the system "Decline" a transaction which does not match this code. Again, this is only good for US issued bank cards.

• "Another method is to ask them to fax or mail a photocopy of the card. This shows that they actually have the card in their possession. It may even constitute a signature and offer some real protection against a chargeback because you actually have a copy of the card. To be diplomatic about asking for this information, I always state that 'Due to the potential for international credit card fraud, our bank requests that we get this information as a protection for both the consumer and the merchant.'"

• "We have come to a verifying method that made us quite comfortable. After we charged the card, we credit back an undisclosed "thank you" amount between $0.50 and $2.00. We request the card holder to verify the exact amount credited prior to shipping anything. It does cause a bit of delay to the customer but offers us the protection we need, and is a much better solution in our minds than making customers send a check drawn from a US bank, or lose the sale and make a potential customer unhappy."

