In the first part of this article, I outlined some frightening statistics regarding credit card fraud and chargeback fees to merchants. It's worthwhile reviewing if you haven't read it as yet, as is my guide to chargebacks.
Protecting your online business from fraud.
One of the great things about the Internet is anonymity. One of the worst things about the Internet is anonymity - especially if you're an ecommerce merchant. If you utilize payment gateways for credit card transactions or are considering doing so, it is important to ask the gateway provider about their screening features (this precedes actual credit card payment processing). Some offer none at all or may not have certain features switched on by default!
CVV2 takes things a step further. A CVV2 number is the three last digits located on the back of a credit card, or the four stand-alone digits on the front of an Amex card. It's certainly very useful for further minimizing fraud, but fraudsters can get hold of this information, so again, don't rely on this alone. Fraud screening really needs to be
While consumers value their privacy and require quick checkout processes, it is of the utmost importance that you gather sufficient customer identity details during the ordering process. The customer's name, credit card number and expiry date are not enough. Tell your customers why you need the information and what you will do with it - after all, it's in their best interests too. The fewer chargeback fees you have to pay, the cheaper you can offer goods and services.
Check the IP address
It's important that each order processed from your site also contains information regarding the IP address of the person placing the order. An IP address is a unique network identifier issued by an Internet Service Provider to a user every time they are logged on to the Internet.
The IP address can be easily traced using free tools such as Geobytes IP locator - it's the most accurate I've come across in terms of free services and there are other premium products around that offer additional features.
If the order has a billing address of the USA, and the IP originates in Africa, you can be fairly certain it's fraud.
While this is a very good anti-fraud mechanism and useful for tracking fraudsters, be aware that IP addresses can also be forged.
Check your payment gateway interface
Depending on the type of payment gateway service you use, you may have access to a log of all attempted transactions, including declines - these will appear in the unsettled transactions list for the current day or you can run a search on previous dates. Look for a series of declined transactions around the time the order was made. These will usually be within a few minutes of each other and may note a variety of names and card details - but all share a common IP.
When fraudsters obtain a list of credit cards, from wherever, these are often distributed to other fraudsters as well. They go to work on them right away and as a consequence, some cardholders are alerted early on and their cards cancelled. Fraudsters using old data will often have to try multiple sets of details before finding a set that is still active.
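The check described above (several declines within minutes, different card details, one common IP) can be automated over a gateway export. This is an added example, not code from the original article or from any gateway; the comma-separated export layout and the thresholds are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a gateway transaction export (not real data).
# Assumed layout: timestamp, source IP, name on card, last four digits, result.
SAMPLE_LOG = """\
2011-03-02 14:01:10,203.0.113.7,J Smith,4421,DECLINED
2011-03-02 14:01:55,203.0.113.7,Mary Jones,9080,DECLINED
2011-03-02 14:02:31,198.51.100.20,A Brown,1177,APPROVED
2011-03-02 14:03:02,203.0.113.7,P Nguyen,3356,DECLINED
2011-03-02 14:04:40,203.0.113.7,R Patel,7012,APPROVED
2011-03-02 16:30:00,192.0.2.55,K Lee,5150,DECLINED
2011-03-02 16:31:12,192.0.2.55,K Lee,5150,APPROVED
"""

def parse(log_text):
    """Turn each CSV line into (datetime, ip, name, last4, result)."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, ip, name, last4, result = [f.strip() for f in line.split(",")]
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, name, last4, result))
    return rows

def decline_bursts(rows, window_minutes=5, min_declines=3, min_cards=3):
    """Map each IP showing a burst of declines on different cards to the
    approved transactions from that IP that deserve a manual check."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for row in sorted(rows):
        by_ip[row[1]].append(row)
    flagged = {}
    for ip, events in by_ip.items():
        declines = [e for e in events if e[4] == "DECLINED"]
        for i, first in enumerate(declines):
            # Declines that fall inside one window starting at this decline
            run = [d for d in declines[i:] if d[0] - first[0] <= window]
            cards = {d[3] for d in run}
            if len(run) >= min_declines and len(cards) >= min_cards:
                # Approvals from the burst start until one window after its last decline
                end = run[-1][0] + window
                flagged[ip] = [(str(e[0]), e[2], e[3]) for e in events
                               if e[4] == "APPROVED" and first[0] <= e[0] <= end]
                break
    return flagged

if __name__ == "__main__":
    for ip, orders in decline_bursts(parse(SAMPLE_LOG)).items():
        print(ip, "->", orders)
```

The customer who mistyped one card once and then succeeded (192.0.2.55 in the sample) is not flagged, because the rule requires several distinct cards, not just several declines.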
Email address awareness.
Fraudsters rarely use their own "real" email address and with the proliferation of free email services, it is quite easy to establish a fake email account in under a minute.
Some online businesses now refuse to process online orders that list free email address services as the primary point of contact, opting to request from customers their ISP or business email addresses. This comes at a price; i.e. reduced sales.
You can check an email address quickly by going to the originating domain and seeing if it provides a free email service.
If the shipping address is different to the billing address, or if the billing address is a post office box, be wary; although it is not uncommon for people sending gifts to others to request a different shipping address.
At the point of ordering, request a telephone contact number from the purchaser. State that you need this number in order to contact them if there are any problems. Many cardholders of compromised accounts have been alerted in this way. The fraudster more than likely won't give you his or her own phone number, as he or she can then be traced. If an order is suspect, try to confirm the phone details provided are indeed those of the customer by checking a relevant online phone directory; then call the customer to confirm the authenticity of the transaction. Fraudsters hate merchant contact of any kind.
There's a plethora of site traffic tracking services and software available now that will not only return very valuable demographic data, but can also assist you in pinpointing the origins of fraud.
Still one of the best ways to analyze your log files is manually. By examining your logs carefully, you will be able to find out a suspect order's originating Internet address if it's not included on your order receipts (but most will these days). This tracking is made easier if you include a Time Stamp on each submitted order. If you find that an order originating from Russia states a billing address of Sydney on the order form, make further enquiries.
Most web hosts will have a server log available for your account. It's basically a text file that records every single request to the site, including images. Contained in every request is an originating IP i.e. the ISP issued address of the computer that "asked" for the file.
If you aren't sure about how to access your raw server logs, enquire with your hosting service. Learn more about interpreting server logs.
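Matching an order's time stamp against the raw server log, as described above, can be scripted. This is an added example, not code from the original article; it assumes the log is in Apache "combined" format, that the order form posts to a hypothetical path `/checkout/submit`, and that orders are stamped in UTC while the server logs in local time. The log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines in Apache "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
198.51.100.20 - - [02/Mar/2011:14:02:29 +1030] "POST /checkout/submit HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2011:14:04:31 +1030] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Mar/2011:14:04:38 +1030] "POST /checkout/submit HTTP/1.1" 200 734 "-" "Mozilla/4.0"
192.0.2.55 - - [02/Mar/2011:16:31:10 +1030] "POST /checkout/submit HTTP/1.1" 200 734 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD url protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def requests_near_order(log_text, order_time, path="/checkout/submit",
                        tolerance_seconds=30):
    """Return (ip, log timestamp, seconds from order) for every POST to
    `path` within the tolerance of the order's time stamp, nearest first.
    `path` is a hypothetical order-form URL; use your cart's real one."""
    tolerance = timedelta(seconds=tolerance_seconds)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        ip, stamp, method, url, _status = m.groups()
        # %z keeps the server's UTC offset, so comparison is timezone-safe
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        delta = when - order_time
        if method == "POST" and url.split("?")[0] == path and abs(delta) <= tolerance:
            hits.append((ip, when.isoformat(), int(delta.total_seconds())))
    return sorted(hits, key=lambda h: abs(h[2]))

def order_source_ips(log_text, order_time_utc):
    """Candidate originating IPs for an order stamped 'YYYY-MM-DD HH:MM:SS' in UTC."""
    order_time = datetime.strptime(order_time_utc + " +0000", "%Y-%m-%d %H:%M:%S %z")
    return [h[0] for h in requests_near_order(log_text, order_time)]

if __name__ == "__main__":
    print(order_source_ips(SAMPLE_ACCESS_LOG, "2011-03-02 03:34:40"))
```

More than one candidate IP in the result means the tolerance is too wide for your traffic volume or two orders arrived close together; narrow it or compare the remaining request details by hand.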
Can be risky, but an important part of your online business - by refusing to ship outside your country, you may be leaving a lot of money on the table.
It is very difficult to retrieve goods or apprehend fraudsters once the goods have left the country, so don't hesitate in making further enquiries with the customer or credit card company if an order seems suspect.
Unfortunately, Eastern Europe is still a very high risk region for the origin of credit card fraud, with some online business owners refusing to process orders from that region. Other high risk regions are Indonesia, Egypt, Turkey, Pakistan, Malaysia, Vietnam, Africa and Israel.
Unusually large orders requesting express delivery definitely warrant further investigation, especially if the customer has not purchased from you before. Customers are pretty cautious, and will tend to place small orders in the first instance to test the efficiency and integrity of your online business, or they'll make some sort of contact with you prior to ordering.
When in doubt, call the cardholder or bank.
I can't stress this enough - call the relevant credit card company or cardholder BEFORE attempting to process the order if in doubt... that extra 5 minutes may save you big dollars! Even if the order has been processed through automated systems, it's not too late to follow up before shipping the goods or providing the services. The idea is to deal with the situation before the cardholder is issued a statement, notices something on it that they didn't purchase and then contacts their bank.
Ask for photo identification
If you're dealing with high value items, I don't think it's overkill to ask for photo identification to be emailed to you if an order seems suspicious. You just need to weigh up the risks - possibly lose a couple of hundred dollars profit from a disgruntled client not willing to provide photo ID, or lose the couple of hundred dollars, plus the product, plus the chargeback fee and possibly your merchant account if you decide to go ahead with the transaction.
Make your anti-fraud policy visible.
Visual deterrents are still one of the most effective ways of minimizing crime. In a bricks and mortar store, signs and cameras do prevent shoplifting to some degree, especially amongst amateur criminals. Why not use the strategy on your site?
Add bold notices and third party security seals to the checkout pages stating your stance on fraud and that systems are in place to monitor all transactions. Not only might this decrease attempts at fraud by wannabe fraudsters, but will also demonstrate to your clients that you take transaction security very seriously.
As fraudsters are often overseas in countries where English isn't the primary language, look for things like the incorrect spelling of common words, mixing up first name and last name fields, incorrect spelling of common names and street names, nonsensical email addresses and poorly structured additional comments. Again, none of these on their own indicate definite fraud, but it helps you to build a more accurate picture and better assess the risk.
Utilize specialist fraud screening services
Like so many online business owners, perhaps you don't have time to carry out rigorous fraud screening. With the increase in fraudulent transactions, many companies such as preCharge have sprung up to act as screening services to help minimize credit card fraud risks to merchants. preCharge offers a global screening service that's totally transparent to your customers, can be implemented with any type of cart setup and also offers a guarantee.
As with anything else related to online business security, nothing is guaranteed 100% effective, but the above fraud screening strategies will definitely assist in decreasing the amount of credit card fraud you experience - over time you'll also develop a gut vibe on transactions; so when your "spidey sense" tingles, ensure you take heed and investigate further.
In Loving Memory - Mignon Ann Bloch
copyright (c) 1999-2011 Taming the Beast Adelaide - South Australia