By: Rick Olson Introduction
Despite the media attention given to the miniscule risks of consumers being defrauded by online merchants, it is usually the merchant who is the victim of Internet credit card fraud. The incidence of fraud perpetrated by online merchants against consumers is fairly rare. Consumers are typically only liable for the first $50 of any fraudulent transaction, and even this liability is often waived by the credit card issuers.
On the other hand, credit card fraud can be important depending upon the online merchant. Some claim they have had no problems at all while others claim significant losses (especially sellers of digitally delivered products). For digitally delivered goods, there is no time to check out the validity of the information provided by the customer, and the e-mail identity and address may be as fraudulent as the credit card number. Things To Know About Fraud
Here are some important things every merchant should know about credit card fraud:
The verification process a merchant starts by swiping the card through the terminal or key in the credit card number if the credit card software program does not provide fraud protection. All this verification process does is check that the card has not been reported stolen and that it has sufficient free credit available to fund the purchase.
The Internet makes credit card fraud easier in some ways. Lists of stolen credit card numbers and even programs to generate valid new numbers are readily available online. The lack of face-to-face or voice contact on the Internet tends to make a thieves more daring. Also, a thief can keep on trying various combinations until he succeeds on the net without fear of being confronted.
The current techniques for credit card fraud prevention that use signatures on anti-tamper tape, holograms and now even the etched image of a card's owner are of no value when it comes to CNP (cardholder not present transactions) transactions, as the merchant never gets to see the credit card and verify the signature.
In offline POS (Point of Sale) purchases, merchants are sometimes asked to call an authorizer (a human being) who asks the merchant some questions or requests to speak to the cardholder, for example, if an "out-of-pattern" purchase tips off the consumer buying habit computer model or other anti-fraud device, such as sophisticated risk models or heuristics.
Unfortunately, none of the 7 Tips above are possible online in "real-time". If an online merchant is willing to forego many purchases by failing to provide for real-time credit card authorization, they could resort to manually checking each credit card request. But this can get very burdensome as an online business grows.
Internet credit card transactions fall under the heading of MOTO (Mail Order / Telephone Order) transactions, also called CNP (cardholder not present transactions). Most credit card merchant account agreements leave the merchant 100% liable for fraud committed via this type of transaction. Thus, any fraudulent transaction results in a chargeback. In addition, many agreements also require them to pay a $15-$25 chargeback fee.
Further, if a merchant experiences a high level of chargebacks they are often hit with an increase in the discount rate they have to pay on each transaction or may even have their account terminated. And once lost, a merchant account can be almost impossible to obtain again.
Online merchants that become victims of a fraud will probably receive very little support from the police. The police are likely to view the amount involved to be too small to bother about, or in the case of international orders, to be out with their jurisdiction.
Still want to do business online with credit cards? :)) Well, it is a necessity if you are serious about e-commerce. So, what to do?
Obviously, all online merchants should seriously consider what protections they should take to prevent them from being defrauded-before a fraud attempt occurs. Ways to Limit Your Exposure to Fraud
Here are a number of way to limit your exposure to fraud:
1. Always verify the customer's billing address. This can be done automatically with the Address Verification System ("AVS"). The AVS system compares the statement billing address on file with the credit card issuer with a customer's billing address provided with each order. It gives added assurance that customer is the legitimate cardholder. Check to see if the processing equipment or software provided by your merchant provider supports AVS.
AVS was developed to help MOTO (Mail Order / Telephone Order) merchants avoid fraud, but is relatively limited in its prevention of online fraud. One of the major opportunities that the Internet brings is the ability to accept orders from all around the world, but AVS only works for addresses in the USA.
Another major advantage of the Internet is that it allows "soft" goods such as software to be purchased and downloaded instantly. AVS provides no protection here as all a thief has to do is to obtain a valid address that corresponds to a stolen credit card number. This is certainly not hard to do. It matters not that the address is not the thief's, as nothing will be physically delivered anyway.
And even with "hard" goods there is still a problem as thieves can supply a valid address for a stolen credit card as the "bill to" but then request a different "ship to" address.
2. The shipping address & billing address should match. Some merchants don't accept orders where the "ship to" address differs from the "bill to" address from international customers and some carry out additional checks even for domestic orders.
For example, I have had to call the credit card company to verify that it was actually me who wanted a computer shipped to the office, but charged to my personal credit card for which the billing address was my home.
3. Be wary of orders from free e-mail addresses. Once a thief has a stolen credit card number and a stolen address they need one more thing to complete their fraud portfolio - an untraceable e-mail address to hide behind. That's why a high proportion of fraudulent orders come from free e-mail addresses. As a result, many merchants refuse to accept orders from them or at least perform additional checks.
You can find a list of free e-mail domains on the AntiFraud Web site at http://www.antifraud.com/redflag.htm
4. Check out the customer's Web site, where it is possible. This often possible to determine the URL of a customer's Web site by simply putting "www" in front of the second part of their e-mail address. For example, if a customer provides an e-mail address of "john.doe@somedomain.com" then typing www.somedomain.com into a Web browser usually leads to their Web site.
Things to look out for include empty or "under construction" Web sites or sites where the contact information differs significantly from the order information. For example, the Web site might display a U.S. business address but the order requests delivery to be made to Eastern Europe.
Some merchants go even further and check out who owns the domain name. Information on the ownership of US domains is available on the Network Solutions Web site at http://www.networksolutions.com/cgi-bin/whois/whois
5. Watch out for unusual orders. Thieves tend to place orders that differ significantly from what legitimate customers typically order. Things to look out for include orders for "big ticket" items, orders for unusually high quantities and orders where the customer is prepared to pay a lot for expedited delivery.
6. Phone the customer if you have doubt. A quick telephone call can often be enough to establish whether an order is legitimate or not.
7. Collect all possible order data: When trying to detect fraudulent orders or trying to recover money lost through fraud, the more data you have available the better. This includes the customer's address and telephone number, the name of bank that issued the credit card, and the IP address of the computer from which the order was placed. (Of course this conflicts with the concept of asking for no more information from your customer than needed, but you will need to judge how important preventing fraud is for your product and your target audience.)
8. Warn visitors of anti-fraud devices and consequences of fraud. Stating clearly on a Web site that the merchant has anti-fraud safeguards in place and will pursue prosecution for all fraudulent orders can be enough to scare of some would-be thieves.
9. Never process (factor) for someone else. It is illegal as well as a breach of your agreement It could cost you big time.
10. If using a real time service, ensure it's reliable.
11. Contract for a sophisticated anti-fraud service such as CyberSource's ( http://www.cybersource.com ) if fraud is likely to be or becomes a problem. These services can automate many of the checks you might do manually, and reduce your incidence of fraud well below what you could do by yourself. Do not let credit card fraud limit your growth! There are effective ways to manage this risk. For much more on this, see "Automate Your Credit Card Anti-Fraud Efforts" at http://ibizcenter.com/members/credit_card_fraud_automate.htm
12. Utilize SET (Secure Electronic Transaction) or the Microsoft Wallet approach with digital certificates which authenticate the web site visitor. But, are you going to forego a sale if a customer does not have the appropriate software on his computer? Most merchants won't. Top quality daily ASP, PHP and .NET articles, tutorials, news, reviews, interviews AND FREE EBOOKS! devArticles is the ultimate online resource for the serious web developer. Visit
http://www.devarticles.com today!
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More How To Articles
More By Developer Shed  developerWorks - FREE Tools!
|
Visit IBM developerWorks to download a free trial version of IBM Rational Business Developer V7.1. Rational Business Developer offers rapid and simplified development of business applications and services through Enterprise Generation Language (EGL) tools, generating Java or mainframe solutions while shielding developers from technical complexities.
FREE! Go There Now!
| | | |
Learn how to implement a build management system that uses and extends your existing automation technologies. This tutorial shows, step-by-step, how to install and configure IBM Rational Build Forge to manage builds for Jakarta Tomcat from source code.
FREE! Go There Now!
| | | |
This whitepaper provides areas to consider when evaluating any software configuration management solution. It addresses how the IBM solutions (Rational ClearCase and Rational ClearQuest) meet the needs and requirements of both project leaders and developers to provide successful Software Change and Configuration Management.
FREE! Go There Now!
| | | |
This paper is about the critical role that a discipline called integrated requirements management can play in helping to ensure that your business goals and IT investments are continuously aligned—whether you are sourcing, integrating, building or maintaining software. It also looks at ways that automated IBM Rational® products can work together to help you use requirements in the very best way.
FREE! Go There Now!
| | | |
Get a free trial download of the latest version of IBM Rational Functional Tester V7.0.1. Rational Functional Tester is an automated functional and regression testing solution for QA teams concerned with the quality of their Java, Microsoft Visual Studio .NET, and Web-based applications.
FREE! Go There Now!
| | | |
Try the latest version of IBM Rational Manual Tester V7.0.1 by downloading a free trial from IBM developerWorks. This manual test authoring and execution tool promotes test step reuse to reduce the impact of software change on testers and business analysts and addresses the needs of teams performing at least a portion of their testing manually.
FREE! Go There Now!
| | | |
Whether you are creating new applications or modifying existing ones, managing integration of new components with traditional z/OS elements is a critical part of building and deploying modern applications. Listen to this webcast to see how IBM can help you optimize your development process using an IDE like Rational Developer for System z that integrates with management tools, such as ClearCase to manage your application development on mainframes.
FREE! Go There Now!
| | | |
Join this Rational Talks to You teleconference, to hear how Enterprise Generation Language (EGL) eliminates the need for tedious and error-prone low level coding, so developers can focus on business requirements. EGL extends the Rational software development platform with a simplified programming language that enables developers who have little or no experience with Java, Web technologies or Service Oriented Architecture, to create enterprise-class applications and services quickly and easily. It also allows developers who may have little or no mainframe programming experience to quickly create traditional mainframe components.
FREE! Go There Now!
| | | |
Join the IBM Watchfire team for an informative discussion on techniques and best practices to proactively manage Web application security and how to effectively build application security testing into the software development lifecycle (SDLC). In this Software Delivery Platform webcast you will learn: How to better understand potential web application security vulnerabilities, best practices and how to effectively integrate application security testing into the software development lifecycle, the importance of detecting and removing software vulnerabilities during application development.
FREE! Go There Now!
| | | |
User communities play an important role in communication and collaboration around products, solutions and other areas of special interest to members. Successful communities are able to provide the right mix of content and services to deliver a value proposition that resonates with each audience. Join Tom Inman, VP of Marketing for Information and Platform Solutions as he introduces the new LeverageINFORMATION community. During this webcast, learn about the value provided by the community and how customers and partners derive value from the community in addressing their own technical and business challenges.
FREE! Go There Now!
| | | |
All FREE IBM® developerWorks Tools!
| |
