By: Rick Olson
Despite the media attention given to the miniscule risks of consumers being defrauded by online merchants, it is usually the merchant who is the victim of Internet credit card fraud. The incidence of fraud perpetrated by online merchants against consumers is fairly rare. Consumers are typically only liable for the first $50 of any fraudulent transaction, and even this liability is often waived by the credit card issuers.
On the other hand, credit card fraud can be important depending upon the online merchant. Some claim they have had no problems at all while others claim significant losses (especially sellers of digitally delivered products). For digitally delivered goods, there is no time to check out the validity of the information provided by the customer, and the e-mail identity and address may be as fraudulent as the credit card number.
Things To Know About Fraud
Here are some important things every merchant should know about credit card fraud:
The verification process a merchant starts by swiping the card through the terminal or key in the credit card number if the credit card software program does not provide fraud protection. All this verification process does is check that the card has not been reported stolen and that it has sufficient free credit available to fund the purchase.
The Internet makes credit card fraud easier in some ways. Lists of stolen credit card numbers and even programs to generate valid new numbers are readily available online. The lack of face-to-face or voice contact on the Internet tends to make a thieves more daring. Also, a thief can keep on trying various combinations until he succeeds on the net without fear of being confronted.
The current techniques for credit card fraud prevention that use signatures on anti-tamper tape, holograms and now even the etched image of a card's owner are of no value when it comes to CNP (cardholder not present transactions) transactions, as the merchant never gets to see the credit card and verify the signature.
In offline POS (Point of Sale) purchases, merchants are sometimes asked to call an authorizer (a human being) who asks the merchant some questions or requests to speak to the cardholder, for example, if an "out-of-pattern" purchase tips off the consumer buying habit computer model or other anti-fraud device, such as sophisticated risk models or heuristics.
Unfortunately, none of the 7 Tips above are possible online in "real-time". If an online merchant is willing to forego many purchases by failing to provide for real-time credit card authorization, they could resort to manually checking each credit card request. But this can get very burdensome as an online business grows.
Internet credit card transactions fall under the heading of MOTO (Mail Order / Telephone Order) transactions, also called CNP (cardholder not present transactions). Most credit card merchant account agreements leave the merchant 100% liable for fraud committed via this type of transaction. Thus, any fraudulent transaction results in a chargeback. In addition, many agreements also require them to pay a $15-$25 chargeback fee.
Further, if a merchant experiences a high level of chargebacks they are often hit with an increase in the discount rate they have to pay on each transaction or may even have their account terminated. And once lost, a merchant account can be almost impossible to obtain again.
Online merchants that become victims of a fraud will probably receive very little support from the police. The police are likely to view the amount involved to be too small to bother about, or in the case of international orders, to be out with their jurisdiction.
Still want to do business online with credit cards? :)) Well, it is a necessity if you are serious about e-commerce. So, what to do?
Obviously, all online merchants should seriously consider what protections they should take to prevent them from being defrauded-before a fraud attempt occurs.
Ways to Limit Your Exposure to Fraud
Here are a number of way to limit your exposure to fraud:
1. Always verify the customer's billing address. This can be done automatically with the Address Verification System ("AVS"). The AVS system compares the statement billing address on file with the credit card issuer with a customer's billing address provided with each order. It gives added assurance that customer is the legitimate cardholder. Check to see if the processing equipment or software provided by your merchant provider supports AVS.
AVS was developed to help MOTO (Mail Order / Telephone Order) merchants avoid fraud, but is relatively limited in its prevention of online fraud. One of the major opportunities that the Internet brings is the ability to accept orders from all around the world, but AVS only works for addresses in the USA.
Another major advantage of the Internet is that it allows "soft" goods such as software to be purchased and downloaded instantly. AVS provides no protection here as all a thief has to do is to obtain a valid address that corresponds to a stolen credit card number. This is certainly not hard to do. It matters not that the address is not the thief's, as nothing will be physically delivered anyway.
And even with "hard" goods there is still a problem as thieves can supply a valid address for a stolen credit card as the "bill to" but then request a different "ship to" address.
2. The shipping address & billing address should match. Some merchants don't accept orders where the "ship to" address differs from the "bill to" address from international customers and some carry out additional checks even for domestic orders.
For example, I have had to call the credit card company to verify that it was actually me who wanted a computer shipped to the office, but charged to my personal credit card for which the billing address was my home.
3. Be wary of orders from free e-mail addresses. Once a thief has a stolen credit card number and a stolen address they need one more thing to complete their fraud portfolio - an untraceable e-mail address to hide behind. That's why a high proportion of fraudulent orders come from free e-mail addresses. As a result, many merchants refuse to accept orders from them or at least perform additional checks.
You can find a list of free e-mail domains on the AntiFraud Web site at http://www.antifraud.com/redflag.htm
4. Check out the customer's Web site, where it is possible. This often possible to determine the URL of a customer's Web site by simply putting "www" in front of the second part of their e-mail address. For example, if a customer provides an e-mail address of "firstname.lastname@example.org" then typing www.somedomain.com into a Web browser usually leads to their Web site.
Things to look out for include empty or "under construction" Web sites or sites where the contact information differs significantly from the order information. For example, the Web site might display a U.S. business address but the order requests delivery to be made to Eastern Europe.
Some merchants go even further and check out who owns the domain name. Information on the ownership of US domains is available on the Network Solutions Web site at http://www.networksolutions.com/cgi-bin/whois/whois
5. Watch out for unusual orders. Thieves tend to place orders that differ significantly from what legitimate customers typically order. Things to look out for include orders for "big ticket" items, orders for unusually high quantities and orders where the customer is prepared to pay a lot for expedited delivery.
6. Phone the customer if you have doubt. A quick telephone call can often be enough to establish whether an order is legitimate or not.
7. Collect all possible order data: When trying to detect fraudulent orders or trying to recover money lost through fraud, the more data you have available the better. This includes the customer's address and telephone number, the name of bank that issued the credit card, and the IP address of the computer from which the order was placed. (Of course this conflicts with the concept of asking for no more information from your customer than needed, but you will need to judge how important preventing fraud is for your product and your target audience.)
8. Warn visitors of anti-fraud devices and consequences of fraud. Stating clearly on a Web site that the merchant has anti-fraud safeguards in place and will pursue prosecution for all fraudulent orders can be enough to scare of some would-be thieves.
9. Never process (factor) for someone else. It is illegal as well as a breach of your agreement It could cost you big time.
10. If using a real time service, ensure it's reliable.
11. Contract for a sophisticated anti-fraud service such as CyberSource's ( http://www.cybersource.com ) if fraud is likely to be or becomes a problem. These services can automate many of the checks you might do manually, and reduce your incidence of fraud well below what you could do by yourself. Do not let credit card fraud limit your growth! There are effective ways to manage this risk. For much more on this, see "Automate Your Credit Card Anti-Fraud Efforts" at http://ibizcenter.com/members/credit_card_fraud_automate.htm
12. Utilize SET (Secure Electronic Transaction) or the Microsoft Wallet approach with digital certificates which authenticate the web site visitor. But, are you going to forego a sale if a customer does not have the appropriate software on his computer? Most merchants won't.
Top quality daily ASP, PHP and .NET articles, tutorials, news, reviews, interviews AND FREE EBOOKS! devArticles is the ultimate online resource for the serious web developer. Visit
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More How To Articles
More By Developer Shed