9 Ways to Combat Credit Card Frauds
Internet is fast becoming a major selling channel for the retail sector. It provides a great opportunity for merchants to expand their business. However, with great opportunity comes great risk. It also exposes merchants to a much greater risk of losses due to credit card related fraud, if the orders are not being handled with extra care.
Statistics gather by ACNielsen shows that about 59% of the payments for online purchases are made using credit cards. If you don't accept credit card payment, you practically turn away half of your would-be customer. But if you do, you are susceptible to the fraud risk due to its Card Not Present (CNP) Transaction Nature. Nothing is perfect, in this article we look at 9 ways you can minimize the fraud risk to protect your business profitability.
Are you at risk? |
|
- Merchants with high-volume transactions.
- Merchants selling High Resell Value items such as Mobile Phones, PDA, Laptops etc.
- Merchants selling Digital Goods (E-books, Software, etc) - (Neowave is falling under this category)
|
1. Accept Only Valid ISP Email
You may want to consider not accepting any registration using a Free web-based email services such as Yahoo, Hotmail and Gmail since they are untraceable. Best practice is to obtain an ISP (Internet Service Provider) email (e.g. users@streamyx.com indicates this user has registered with TM Net for their broadband service). Besides, for every order received, you should send an email receipt to the email address supplied, and most importantly, have someone monitor bounced and returned email receipts. If the email is bounced, please check the order with extra care and follow up with phone calls.
2. Get a Fixed Line Number - Both Home and Work
Just like free web-based emails, the majority of mobile phones are not easy to trace, especially the prepaid plan, which requires no user registration to activate the service. (Countries like Malaysia has started requiring the registration to be carried out for prepaid mobile users). For the sake of security, always insist on a fixed line contact from customer. If the order is new or suspicious, always call the phone number supplied to confirm the order details. This is one of the most effective ways to authenticate a legitimate buyer (but can be nuisance to the honest customers too). With VOIP services like SKYPE providing cheap voice calls today, there's no reason for you not to contact your customers to verify their details. After authenticating their identities, you can always add them to Positive List to provide better and faster service for their repeat orders.
3. Manually Reviewing Orders
Manual reviews take time. But a little precaution goes a long way, it works especially well for smaller sized merchants if you process less than 100 orders per day. Asking some of the questions below can help identifying the possible fraudulent orders:
1. Are the goods of high value or easily resalable?
2. Is the sale too easy for a new customer?
3. Is the sale excessively high in comparison with your usual orders?
4. Is the customer ordering many different items?
5. Is the customer reluctant to provide a fixed line number?
6. Does the address provided seem suspicious?
7. Has the delivery address been used before with different customer details?
8. Is it a repeat order shortly after the initial one?
9. Is it an international order that originated from High Risk Country?
10. Is ship-to address same as the billing address?
Get the FACTS
The fact that a transaction is authorized and an authorization code is provided does not guarantee payment. It simply means that the card number does exist in the issuing bank database, has not been reported lost or stolen and that there are sufficient funds available at the time of the authorization. Authorization does not confirm that the genuine cardholder provided the details supplied to the merchant! |
4. Keep a Positive & Negative Lists
Fraudsters always look at ways to maximize their "Return on Frauds". It is not hard to understand why fraudsters will pick on easy targets and will continue to attack businesses until the window of opportunity is closed. Thus, you are encouraged to keep a Negative List which keeps the record of known fraudulent orders, chargeback, refunds, problem customers etc where you can compare the suspicious new order to it to find the matching characteristics. It is a time consuming process but nevertheless an effective way to predict early possibilities of fraud to prevent further losses. On contrary, you should also keep a Positive List as well to authenticate known and trusted customer to speed up the order processing. Else you would run a risk of losing your sales to your competitors who's always just a click away.
5. Be cautious on Overnight Shipping Orders
When it comes to online shopping, price is always an issue. Most legitimate shoppers are very sensitive to shipping costs. You shouldn't wonder why "FREE SHIPPING" is so popular with the online shoppers. So, PLEASE be particularly wary of the customer who demands next day delivery and shows no regard for any additional costs involved. Fraudsters want their items to arrive as soon as possible for the quickest possible resale, and mostly aren’t concerned about extra delivery charges. On top of it, couriers should be instructed to:
- Return the goods if they are unable to deliver to the shipping address
- Always deliver the goods to the specified addressee
- Not deliver goods to a vacant property
- Get signed proof of delivery
- Only send goods by registered or recorded post or by a reputable carrier (UPS, Fedex etc), and insist on a signed and dated delivery note
6. Scrutinize the Country of Origin
One of the key indicators of a fraudulent order is the country of origin. Realizing that, one feature in our webShaper e-commerce software is to let you filter out the countries you would not ship to. If you don't feel comfortable taking orders from that country, don't be afraid to refuse any orders from them. It's your right as a merchant not to sell to certain countries, but make sure it's clearly stated in your policies. Check out the below charts titled "Top 10 Countries outside the US and Canada Cited by Merchants as Highest Risk". source by Cybersource - 6th Annual Online Fraud Report 2005 Edition.
Top 10 Highest Risk Country outside US / Canada
7. Bank Identification Number (BIN) Check
The first 6 digits of the credit card are called the Bank Identification Number (BIN). Since many international credit cards don't support address verification, You can utilize BIN to determine if the credit card holder and the issuing bank for the credit card are located in the same country. If it's not, you probably need to handle the order with extra care. Note that legitimate users sometimes do use a credit card from another country.
There are 2 ways to check a BIN, you can either download a software program called
Mars Banks Base at
http://www.mars-soft.net/banksbase.htm. Just install it on your computer so you can do cross reference anytime without the need to connect to the Internet. Alternatively, you can enter the BIN (First Six Digit of your Credit Card Number) of a credit card number at http://all-nettools.com/toolbox,financial (Update: Unfortunately, this tools has been disabled. click on the link to understand more). The tools will return the bank name, card type, country and phone contact for the BIN as shown in e.g. below.
Sample Result Screen of HSBC Malaysia BIN Query
8. CHECK FOR ANONYMOUS AND OPEN PROXY IP ADDRESSES:
Even though we actually logged the IP address and the matching country inside our webShaper e-commerce software, it's not sufficient. The reality is, IP addresses can also be forged to hide the true location of the fraudster. Organized credit card fraud rings often use anonymous Open Proxies to "cover their track". To find out whether the IP logged by particular customer is originating from an open proxy, please use the tools provided by http://www.all-nettools.com or http://www.openrbl.org. If the IP is listed as an open proxy, be extra careful with the order. However, take note that some legitimate customer (relatively small percentage) does use proxy server when surfing the Internet to protect their privacy online.
A useful web tools by IP2Location to find out where the IP belongs to
9. Card Security Code (CSC) & Address Verification Services (AVS)
The combination of CSC and AVS provide an extra safeguard against fraudulent activity and could save your business the cost of many expensive chargeback. However, unlike a PIN or Signature, neither CSC nor AVS is a full confirmation of the cardholder's identity. It's only meant as a cost effective way to alert merchant of the possibility of fraudulent orders.
So, how does it work?
AVS - When a user makes an online purchase with a credit card their billing address is required. The house number portion and postal code of the billing address they enter is compared to the billing address (where the credit card statement is sent) of the credit card holder with the Issuing Bank.
CSC - Credit Security Code is a credit card verification number. It allows the merchant to ascertain that the shopper does have the credit card. Known as CVV2 for Visa, CVC2 for MasterCard, CID for American Express.
Where is the Credit Security Code?
Unfortunately, not all countries has an AVS system in place. The ability to confirm an address via AVS is ONLY available in the U.S., U.K. and Canada. If you are a merchant from the supported countries, you should choose for a payment solution that supports CSC and AVS. Bottom line is, combination of both will serve as your first wall of defense against fraudulent orders.
Paypal Protection for Sellers
https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/protections-outside
Spooked by the risk you are exposed to as an online merchant? You should be. Fraud is a serious problem that affecting almost everyone from every corner in the world. It can only be minimized if every party (Government, Banks, Merchants, Payment Systems Provider and End-Users) is playing their role right.
Again, the fraud indicator may be quite different from merchant to merchant, depending on the type of business, order type, volume and fraud schemes. A little knowledge is a very dangerous thing. As an online merchant, you will be the most vulnerable if you don't keep updated with the latest know-how and technologies in combating fraud.
More Anti-Fraud Related websites
UK Online Fraud Report 2007
http://www.cybersource.co.uk/resources/downloads_2007/uk_online_fraud_report_2007.pdf
Paypal Protection Tips for Seller
https://www.paypal.com/cgi-bin/webscr?cmd=_fraud-tips-sellers-outside
VISA Fraud Control Basics
http://usa.visa.com/business/accepting_visa/ops_risk_management/fraud_control_basics.html
FRAUD PREVENTION and SECURITY
http://www.visa.ca/en/merchant/fraud_ecom.cfm
Worldpay Fraud Fighting Guide
http://support.worldpay.com/kb/user_guides/fighting_fraud/fighting_fraud_guide.html
Fraud Prevention - Card-Not-Present (CNP)
http://www.discoverbiz.com/resources/data/card_not_present.html
How to Prevent Fraud - by PROTX
http://www.protx.com/downloads/docs/vspfraudprevention.pdf
Internet Fraud Complaint Center
http://www.ifccfbi.gov
Fraudlabs White Paper - How to prevent Credit Card Frauds for Internet Merchants
http://www.fraudlabs.com/docs/FraudLabs_White_Paper.pdf
A New Approach to Payment Security' to be a useful resource
Presented by,
Neowave e-commerce team
Neowave is a software company focusing on developing the best tools to help merchants to sell more. Any comments on this article? We would like to hear from you at ucandobetter@neowave.com.my
Note: This article is for informational purposes only. NEOWAVE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS ARTICLE. Use it at your own risk.
|