Preventing Credit Card Abuse - Anti-Fraud Strategies
http://www.tamingthebeast.net/articles2/credit-card-fraud.htm
By Michael Bloch
Jan 16, 2004, 05:01
Protecting your online business from fraud…
One of the great things about the Internet is anonymity. One of the
worst things about the Internet is anonymity - especially for
etailers. If you utilize payment gateways for credit card
transactions or are considering doing so, it is important to ask the
gateway provider about their pre-screening procedures (this precedes
actual credit card payment processing). Some offer none at all!
Many payment gateway providers use the Address Verification System
(AVS). AVS provides some protection by comparing the billing address
on the web order form to the address held by the cardholder's bank,
but the transaction may be approved even if the address verification
does not match! The merchant faces the possibility of chargebacks if
the payment gateway decides to continue with the transaction on a
questionable match.
The following strategies are worth considering if you sell goods and
services directly from your site using your own in-house payment
processing. Some of the strategies can also be used in conjunction
with third-party credit card processing systems.
Request …
While consumers value their privacy and require quick web site
ordering facilities, it is of the utmost importance that you gather
sufficient customer identity details during the ordering process.
The customer's name, credit card number and expiry date are not
enough. Tell your customers why you need the information and what
you will do with it - after all, it’s in their best interests too.
The fewer chargeback fees you have to pay, the cheaper you can offer
goods and services.
It’s important that each order processed from your site also
contains information regarding the IP address of the person placing
the order. This can then be matched up with the information from
your server logs or web site traffic reporting applications (see
below). An IP address is a unique network identifier issued by an
Internet Service Provider to a user every time they are logged on to
the Internet. While this is a good anti-fraud mechanism and useful
for tracking fraudsters, please be aware that IP addresses can also
be forged.
Email address awareness…
Fraudsters rarely use their own email address. With the
proliferation of free email addresses, it is now quite easy to
provide false contact details. A false Yahoo email address can be
established within 5 minutes. Increasing numbers of Internet
retailers are refusing to process web site orders that list free
email address services as the primary point of contact, opting to
request from customers their ISP or business email addresses. You
can check an email address quickly by going to the originating
domain and seeing if it provides a free email service.
Shipping addresses…
If the shipping address is different to the billing address, be
wary; although it is not uncommon for people sending gifts to others
to request a different shipping address, or if the billing address
is a post office box.
You’ll rarely find a fraudster sending goods to the legitimate
cardholder's address. At the point of ordering, request a telephone
contact number for your customer. State that you need this number in
order to contact them if there are any problems. Many cardholders of
compromised accounts have been alerted in this way. The fraudster
definitely won’t give you their own phone number as they can then be
traced! If you are unsure, email the customer or call them to
confirm the authenticity of the transaction. Fraudsters hate
merchant contact of any kind.
Log analysis…
There’s a plethora of site traffic tracking utilities available now
that will not only return very valuable demographic data, but can
also assist you in pinpointing the origins of fraud. For further
information and a review of a free web site traffic reporting
service, please view:
http://www.tamingthebeast.net/misc/free-traffic-monitoring.htm
Still one of the best ways to analyze your log files is manually. By
examining your logs carefully, you will be able to find out a
suspect order’s originating Internet address. This tracking is made
easier if you include a Time Stamp on each submitted web site order
form. If you find that an order originating from Russia states a
billing address of Sydney on the order form, make further enquiries.
Most commercially hosted domains will have a server log running.
It’s basically a text file that records every single request to the
site, including images. Contained in every request is an originating
IP i.e. the ISP issued address of the computer that “asked” for the
file. If you aren’t sure about how to access your raw server logs,
enquire with your hosting service.
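
The manual log check described above, as an added example that is not
part of the original article: it finds which IP submitted the order form
at the order's time stamp and compares it with the IP stored on the
order. The /checkout path, the order record fields and the sample log
lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, [timestamp], "METHOD path protocol", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} ')

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2004:05:00:41 +0000] "GET /cart.htm HTTP/1.0" 200 5120
203.0.113.7 - - [16/Jan/2004:05:01:02 +0000] "POST /checkout?step=3 HTTP/1.0" 200 812
198.51.100.23 - - [16/Jan/2004:05:01:03 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048
this line is truncated or corrupt
198.51.100.23 - - [16/Jan/2004:09:30:15 +0000] "POST /checkout HTTP/1.0" 200 812
"""

# Constructed order record: time stamp and IP as captured by the order form.
SAMPLE_ORDER = {"time": datetime(2004, 1, 16, 5, 1, 4, tzinfo=timezone.utc),
                "ip": "203.0.113.7"}

def parse_log(text):
    """Yield (ip, timestamp, method, path) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"].split("?")[0]

def order_origins(log_text, order_time, path="/checkout", window_s=5):
    """IPs that POSTed the order form within window_s of the order time."""
    window = timedelta(seconds=window_s)
    return sorted({ip for ip, ts, method, p in parse_log(log_text)
                   if method == "POST" and p == path
                   and abs(ts - order_time) <= window})

def check_order(log_text, order):
    """Compare the IP stored with the order against what the server logged."""
    seen = order_origins(log_text, order["time"])
    if not seen:
        return "no-log-entry", seen   # time stamp matches no form submission
    if order["ip"] not in seen:
        return "ip-mismatch", seen    # stored IP differs from the logged one
    return "consistent", seen
```

A "no-log-entry" or "ip-mismatch" result marks the order for the further
enquiries described above; if the site sits behind a proxy, the log
records the proxy's address rather than the customer's.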
Overseas orders…
Very risky, but an integral part of your online business. It is very
difficult to retrieve goods or apprehend fraudsters once the goods
have left the country. Make further enquiries with the credit card
company if an order seems suspect.
Unfortunately, Eastern Europe is still a very high risk region for
the origin of credit card fraud, with many online business owners
refusing to process orders from Eastern Europe. Other high risk
regions are Indonesia, Egypt, Turkey, Pakistan, Malaysia and Israel.
Unusual orders…
Unusually large web site orders requesting express delivery
definitely warrant further investigation, especially if the customer
has not purchased from you before. Customers are pretty cautious,
and will tend to place small orders in the first instance to test
the efficiency and integrity of your online business, or they’ll
make some sort of contact with you prior to ordering.
When in doubt, call the company…
Call the relevant credit card company BEFORE attempting to process
the order if in doubt… that extra 5 minutes may save you big
dollars! Even if the order has been processed through automated
systems, it’s not too late to follow up before shipping the goods or
providing the services. The idea is to deal with the situation
before the cardholder is issued a statement, notices something on it
that they didn’t purchase and then contacts their bank.
It all sounds like a lot of hassle, but until the credit card
companies, transaction processors and third party processors
improve their security technology - it’s better to be safe than
sorry.
Make your anti-fraud policy visible…
Visual deterrents are still one of the most effective ways of
minimizing crime. In a bricks and mortar store, signs and cameras do
prevent shoplifting to some degree. Why not use the strategy on your
site? Add bold notices to the checkout pages stating your stance on
fraud and that systems are in place to monitor all transactions. Not
only will this decrease attempts at fraud, but will also demonstrate
to your clients that you take transaction security very seriously.
As with anything else related to online business security, nothing
is guaranteed 100% effective, but the above strategies will
definitely assist in decreasing the amount of credit card fraud you
experience, or help you track down credit card fraudsters.
Further learning resources
Payment Gateways and Merchant accounts - a beginner's guide:
http://www.tamingthebeast.net/articles2/back-end-ecommerce.htm
Michael Bloch
Taming the Beast
http://www.tamingthebeast.net