Preventing Credit Card Fraud

Q: I got hit with a few large chargebacks last year from fraudulent sales at both my store and on my website. Could you give me an update on all the ways I can prevent credit card fraud at my store and website so I can avoid those losses in the future?

A: Sure, fraud stings and we never want to make the same mistake twice. First, let’s make a distinction between Card Present and Card Not Present transactions in terms of fraud exposure. When a brick and mortar retailer accepts a credit card, it is swiped (Card Present), the charge is authorized, and the merchant will get paid, even if a stolen/fraudulent card is used.

Even if the card does not swipe at the point of sale (bad magnetic swipe), as long as you take a physical imprint of the card to prove the card holder was indeed “present,” you will be protected in a fraud situation.

However, liability for fraud shifts from the card issuer to the merchant for Card Not Present sales (mail order, telephone/fax order, and internet sales). The merchant is generally liable for credit card charge backs, even when the bank has authorized the transaction.

Credit card fraud is something that can never be completely eliminated, but rather something that must be managed through best practices at the merchant level. You must develop a delicate balance between using safeguards to prevent fraud and not creating too many hoops for customers to jump through.

Let’s focus on a few preventative methods and procedures that can you can perform to limit credit card fraud.

Just because you get an “Authorization” does not mean you are safe.
Authorization approval does not mean that the merchant is guaranteed payment. Approval only indicates that at the time the approval was issued, the card hasn’t been reported stolen or lost, and that the card credit limit has not been exceeded. If someone else is using the credit card number illegally, the card holder has a right to dispute the approved charges, i.e. chargebacks.

Always get an Address Verification (AVS).
Address Verification is a simple and easy to implement process to decrease your chances of accepting a stolen credit card. When you process a credit card transaction; make sure you capture the card holder’s billing address and zip code. Manual non-swipe (Internet and MOTO) transactions will require you to capture card holder information. However, card present (swipe) transactions will not. Once you capture the card holder’s billing address and zip code you’re ready to process the sale.

Always use Card Verification Methods (CVM).
Car Verification Value (CVV) is the three-digit code on the back of a credit card (four digits for American Express). Like AVS, CVV is entered at the point of sale. The card holder’s CVV code is verified by the card issuing bank when the credit card sale is being processed. If you do not receive a CVV match you should consider declining the transaction. Online merchants should make CVV a required field.

Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer that supplies this number is much more likely to be in possession of the credit card.

Be wary of different “Bill” and “Ship To” addresses.
Require anyone who uses a different “ship to” address to send a fax/email with their signature and credit card number authorizing the transaction. Use Google to search for the numeric street address, street name, and zip code. AnyWho.com integrates telephone numbers, maps, and e-mail addresses. Check for bogus billing addresses like 123 Main Street. Use resources like maps.yahoo.com to see if the address can be verified. If the billing and shipping addresses are different, request telephone numbers for both addresses.

To ship or not to ship…Create your own e-commerce criteria or merchant rules.
Some e-commerce merchants feel this is the best method to catch fraud. The merchant sets up rules to stop or flag specific orders for review. For example, the merchant could set up rules to review all orders from a specific IP address, specific country or if a certain dollar amount is exceeded, or shipping to a specific address. This method may flag valid customers for review, but it will reduce repeat or pattern-specific types of fraud. If the IP address is dynamically assigned by an ISP, a legitimate order could be delayed or rejected.

Ask for copy of credit card and driver’s license.
When a credit card order is received by fax, phone or Web, require the customer to also fax/email copies of both sides of the credit card. This at least provides proof that the customer has possession of the credit card at the time of the order. You could also require a copy of their state-issued ID, or drivers license. It also provides additional proof the person authorized the purchase, preventing a chargeback.

Be extra careful with International Orders.
You must weigh the financial benefits of accepting international orders against the possibility of fraud. Merchants who always refuse any foreign orders could be missing potential good sales. The merchant also needs to perform their checks before orders are shipped.

It is very difficult to apprehend fraudsters or retrieve goods after they have left the country. Always require closer inspection for orders that being shipped to an international address. Pay more attention if the card or the shipping address is in an area prone to credit card fraud.

Check if mailing address is a mailbox or “ship-forward” service.
Fraudsters prefer to stay untraceable but still need to collect physical merchandise. One way is to use a public P.O. box, a private mailbox, or a drop shipment forwarding address as a temporary point of receiving. Never send merchandise to a public rented mailbox, a P.O. Box (except for those you identify as legitimate major companies by phoning their listed number), or shipping forwarder, because the actual location and identity of the receiver is undetectable.

The easiest and best technique: pick up the phone and call the customer.
If you’re suspicious, pick up the phone and call the customer to confirm the order. It will save you a lot of time, and money, in the long run. Calling customers is not only an excellent way to detect fraud, but it can also be a valuable part of your customer service. The telephone call also gives the merchant the opportunity to welcome the customer, answer their questions, and build a solid relationship.


Michael DattomaMichael Dattoma is President of The Bart Group Retail Merchant Services in New York. Michael has been consulting with specialty retailers for over 20 years. The Bart Group Retail Merchant Services delivers broad expertise to Independent Specialty Retailers in areas including Payment Processing, PCI Security Compliance, POS Inventory Control, as well as Mobile Marketing and Social Media. Michael and his team advocate for independent specialty retailers to help empower them with the resources, tools and expertise to thrive in an increasingly competitive marketplace.
 
Ask Michael about payment processing and PCI security
michael@retailmerchantservices.com
www.retailmerchantservices.com
 
Note: MRketplace collects promotional fees from site experts.

Share / Print

  • Facebook
  • Twitter
  • Digg
  • StumbleUpon
  • del.icio.us
  • Yahoo! Buzz
  • Print
avatar About Michael Dattoma

Michael Dattoma is President of The Bart Group Retail Merchant Services in New York. Michael has been consulting with specialty retailers for over 20 years. The Bart Group Retail Merchant Services delivers broad expertise to Independent Specialty Retailers in areas including Payment Processing, PCI Security Compliance, POS Inventory Control, as well as Mobile Marketing and Social Media. Michael and his team advocate for independent specialty retailers to help empower them with the resources, tools and expertise to thrive in an increasingly competitive marketplace.
 
Ask Michael about payment processing and PCI security
michael@retailmerchantservices.com
www.retailmerchantservices.com
 
Note: MRketplace collects promotional fees from site experts.

Comments

  1. These are mostly good points, but allow me to point out two issues.

    First: “require the customer to also fax/email copies of both sides of the credit card.” A word of caution here. While it may be a good raud prevention tactic, asking the customer fax a copy of a credit card could put you in violation of PCI compliance, asking them to email it will definitely put you in violation. It’s a violation of PCI standards and extremely risky for you and the customer. You risk your card accepting privileges by doing this.

    I would also caution you about calling the customer. In these days of disposable, virtually untraceable cell phones, it’s been the experience of many of our members that thieves will use disposable cell phones on fraudulent orders. That way, they can give you all the “right” answers. Calling can certainly be helpful, but be careful that you don’t get a false sense of security.

    You didn’t list a couple of the best on-line fraud prevention methods that all e-commerce merchants should follow.

    Tom Mahoney, Founder/Director
    Merchant911.org
    Protecting over 4,000 merchants from fraud since 2001

    • Hi Tom,

      Thanks for your comments. When I first set down to write about all the ways to prevent credit card fraud this article was 12 pages long! For brevity, at the suggestion at the good folks at MR, it was shortened. So, where does one begin? As you know, the list of best practices for merchants to reduce fraud is constantly evolving.

      At the extreme, where scamsters are creating fictitious credit card numbers using algorithms to produce authentic numbers, it is a huge test of a merchant’s resolve to protect themselves.

      There are many more prevention methods that will be the subject of a future article. For example, many of our clients have made the decision to not accept orders originating from a free, web-based, or email forwarding address as they have be proven to be the breeding ground of much on-line fraud. They are forcing the customer to use only an ISP issued email address. And let’s be frank, most consumers have one. Some merchants may view this is too extreme for their business, but it is an excellent practice to dramatically cut down on fraud.

      It all comes down to best practices that create the best front line of defense.

      So some more items that will be addressed in upcoming articles….

      Check the “Domain Name” of the email address
      Compare the IP address country with the billing address country
      Keep a negative Historical File
      Create a fraud Scoring system
      Use Pattern Detection to stop scams
      Check Bin numbers to validate origin of card
      ….the list goes on and on….

      But in truth, many merchant are still not properly running the basics of AVS and CVM ! It is a constant battle to get them to stress these simple tools with their staff. An inevitably large chargeback hit is the wake up call.

      I applaud your efforts to also educate the merchant community on fraud and the more the word gets out the safer the world will be for all the hard working retailers we serve.

      Regards,

      Michael

Speak Your Mind