11 Ways to Protect Your Business From Online Credit Card Fraud
By: Developer Shed
    2003-08-09


    By: Rick Olson

    Introduction

    Despite the media attention given to the minuscule risks of consumers being defrauded by online merchants, it is usually the merchant who is the victim of Internet credit card fraud. The incidence of fraud perpetrated by online merchants against consumers is fairly rare. Consumers are typically only liable for the first $50 of any fraudulent transaction, and even this liability is often waived by the credit card issuers.

    On the other hand, credit card fraud can be significant, depending on the online merchant. Some claim they have had no problems at all while others claim significant losses (especially sellers of digitally delivered products). For digitally delivered goods, there is no time to check out the validity of the information provided by the customer, and the e-mail identity and address may be as fraudulent as the credit card number.

    Things To Know About Fraud

    Here are some important things every merchant should know about credit card fraud:

    The verification process that a merchant starts by swiping the card through the terminal, or by keying the credit card number into the credit card software program, does not provide fraud protection. All this verification process does is check that the card has not been reported stolen and that it has sufficient free credit available to fund the purchase.

    The Internet makes credit card fraud easier in some ways. Lists of stolen credit card numbers and even programs to generate valid new numbers are readily available online. The lack of face-to-face or voice contact on the Internet tends to make thieves more daring. Also, a thief can keep on trying various combinations until he succeeds on the net without fear of being confronted.

    The current techniques for credit card fraud prevention that use signatures on anti-tamper tape, holograms and now even the etched image of a card's owner are of no value when it comes to CNP (cardholder not present) transactions, as the merchant never gets to see the credit card and verify the signature.

    In offline POS (Point of Sale) purchases, merchants are sometimes asked to call an authorizer (a human being) who asks the merchant some questions or requests to speak to the cardholder, for example, if an "out-of-pattern" purchase tips off the consumer buying habit computer model or other anti-fraud device, such as sophisticated risk models or heuristics.

    Unfortunately, none of the 7 Tips above are possible online in "real-time". If an online merchant is willing to forego many purchases by failing to provide for real-time credit card authorization, they could resort to manually checking each credit card request. But this can get very burdensome as an online business grows.

    Internet credit card transactions fall under the heading of MOTO (Mail Order / Telephone Order) transactions, also called CNP (cardholder not present) transactions. Most credit card merchant account agreements leave the merchant 100% liable for fraud committed via this type of transaction. Thus, any fraudulent transaction results in a chargeback. In addition, many agreements also require the merchant to pay a $15-$25 chargeback fee.

    Further, if a merchant experiences a high level of chargebacks they are often hit with an increase in the discount rate they have to pay on each transaction or may even have their account terminated. And once lost, a merchant account can be almost impossible to obtain again.

    Online merchants that become victims of a fraud will probably receive very little support from the police. The police are likely to view the amount involved as too small to bother about, or in the case of international orders, as outside their jurisdiction.

    Still want to do business online with credit cards? :)) Well, it is a necessity if you are serious about e-commerce. So, what to do?

    Obviously, all online merchants should seriously consider what protections they should put in place to prevent themselves from being defrauded, before a fraud attempt occurs.

    Ways to Limit Your Exposure to Fraud

    Here are a number of ways to limit your exposure to fraud:

    1. Always verify the customer's billing address. This can be done automatically with the Address Verification System ("AVS"). The AVS system compares the statement billing address on file with the credit card issuer with the customer's billing address provided with each order. It gives added assurance that the customer is the legitimate cardholder. Check to see if the processing equipment or software provided by your merchant provider supports AVS.

    AVS was developed to help MOTO (Mail Order / Telephone Order) merchants avoid fraud, but is relatively limited in its prevention of online fraud. One of the major opportunities that the Internet brings is the ability to accept orders from all around the world, but AVS only works for addresses in the USA.

    Another major advantage of the Internet is that it allows "soft" goods such as software to be purchased and downloaded instantly. AVS provides no protection here as all a thief has to do is to obtain a valid address that corresponds to a stolen credit card number. This is certainly not hard to do. It matters not that the address is not the thief's, as nothing will be physically delivered anyway.

    And even with "hard" goods there is still a problem as thieves can supply a valid address for a stolen credit card as the "bill to" but then request a different "ship to" address.

    2. The shipping address & billing address should match. Some merchants don't accept orders from international customers where the "ship to" address differs from the "bill to" address, and some carry out additional checks even for domestic orders.

    For example, I have had to call the credit card company to verify that it was actually me who wanted a computer shipped to the office, but charged to my personal credit card for which the billing address was my home.

    3. Be wary of orders from free e-mail addresses. Once a thief has a stolen credit card number and a stolen address they need one more thing to complete their fraud portfolio - an untraceable e-mail address to hide behind. That's why a high proportion of fraudulent orders come from free e-mail addresses. As a result, many merchants refuse to accept orders from them or at least perform additional checks.

    You can find a list of free e-mail domains on the AntiFraud Web site at http://www.antifraud.com/redflag.htm

    4. Check out the customer's Web site, where possible. It is often possible to determine the URL of a customer's Web site by simply putting "www" in front of the second part of their e-mail address. For example, if a customer provides an e-mail address of "john.doe@somedomain.com" then typing www.somedomain.com into a Web browser usually leads to their Web site.

    Things to look out for include empty or "under construction" Web sites or sites where the contact information differs significantly from the order information. For example, the Web site might display a U.S. business address but the order requests delivery to be made to Eastern Europe.

    Some merchants go even further and check out who owns the domain name. Information on the ownership of US domains is available on the Network Solutions Web site at http://www.networksolutions.com/cgi-bin/whois/whois

    5. Watch out for unusual orders. Thieves tend to place orders that differ significantly from what legitimate customers typically order. Things to look out for include orders for "big ticket" items, orders for unusually high quantities and orders where the customer is prepared to pay a lot for expedited delivery.

    6. Phone the customer if you have doubts. A quick telephone call can often be enough to establish whether an order is legitimate or not.

    7. Collect all possible order data. When trying to detect fraudulent orders or trying to recover money lost through fraud, the more data you have available the better. This includes the customer's address and telephone number, the name of the bank that issued the credit card, and the IP address of the computer from which the order was placed. (Of course this conflicts with the concept of asking for no more information from your customer than needed, but you will need to judge how important preventing fraud is for your product and your target audience.)

    8. Warn visitors of anti-fraud devices and consequences of fraud. Stating clearly on a Web site that the merchant has anti-fraud safeguards in place and will pursue prosecution for all fraudulent orders can be enough to scare off some would-be thieves.

    9. Never process (factor) for someone else. It is illegal as well as a breach of your agreement. It could cost you big time.

    10. If using a real time service, ensure it's reliable.

    11. Contract for a sophisticated anti-fraud service such as CyberSource's ( http://www.cybersource.com ) if fraud is likely to be or becomes a problem. These services can automate many of the checks you might do manually, and reduce your incidence of fraud well below what you could do by yourself. Do not let credit card fraud limit your growth! There are effective ways to manage this risk. For much more on this, see "Automate Your Credit Card Anti-Fraud Efforts" at http://ibizcenter.com/members/credit_card_fraud_automate.htm

    12. Utilize SET (Secure Electronic Transaction) or the Microsoft Wallet approach with digital certificates which authenticate the web site visitor. But, are you going to forego a sale if a customer does not have the appropriate software on his computer? Most merchants won't.
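
The checks in tips 1, 2, 3 and 5 can be run as an automated pre-screen before an order is fulfilled, with tip 6 as the follow-up for the riskiest orders. The following Python is an added example, not code from the article; the field names, AVS result labels, weights, thresholds and sample order are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Sample entries only (constructed); tip 3 points to a maintained list.
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "freemail.example"}

# Assumed weights; tune them against your own chargeback history.
WEIGHTS = {
    "avs_no_match": 3, "avs_unavailable": 1, "ship_to_differs": 1,
    "ship_to_other_country": 2, "free_email": 1, "big_ticket": 1,
    "high_quantity": 1, "expedited_delivery": 1,
}

@dataclass
class Order:
    email: str
    bill_to: str
    ship_to: str
    bill_country: str
    ship_country: str
    avs_result: str      # assumed labels: "match", "no_match", "unavailable"
    total: float
    quantity: int
    expedited: bool
    digital: bool        # downloads have no delivery address to compare

def norm_addr(addr: str) -> str:
    """Normalise case, commas and spacing so trivial differences do not flag."""
    return " ".join(addr.lower().replace(",", " ").split())

def screen_order(order, typical_total=100.0, typical_qty=3):
    """Apply tips 1, 2, 3 and 5; return (decision, score, reasons)."""
    reasons = []
    # Tip 1: AVS only covers US addresses, so "unavailable" is a flag, not a pass.
    if order.avs_result == "no_match":
        reasons.append("avs_no_match")
    elif order.avs_result == "unavailable":
        reasons.append("avs_unavailable")
    # Tip 2: a valid "bill to" with a different "ship to" still passes AVS.
    if not order.digital and norm_addr(order.bill_to) != norm_addr(order.ship_to):
        reasons.append("ship_to_differs")
        if order.bill_country != order.ship_country:
            reasons.append("ship_to_other_country")
    # Tip 3: free e-mail domain.
    if order.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        reasons.append("free_email")
    # Tip 5: orders far outside what legitimate customers typically place.
    if order.total > 5 * typical_total:
        reasons.append("big_ticket")
    if order.quantity > 5 * typical_qty:
        reasons.append("high_quantity")
    if order.expedited:
        reasons.append("expedited_delivery")
    score = sum(WEIGHTS[r] for r in reasons)
    # Tip 6: the highest band is resolved by phoning the customer.
    decision = ("phone_customer" if score >= 4
                else "manual_review" if score >= 2 else "accept")
    return decision, score, reasons

# Constructed sample: AVS passes, but ship-to is abroad on a large rush order.
SAMPLE = Order("buyer@freemail.example", "12 Oak St, Springfield",
               "Box 9, Elsewhere", "US", "XX", "match", 900.0, 20, True, False)
```

Storing the returned reasons with each order also serves tip 7, since the record shows why an order was held if a chargeback arrives later.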
