It is an annual event for online retailers to plan for lower fraud-related losses in the New Year. It is a daunting task, to be sure, as criminals plan for just the opposite and are equally determined to achieve their goal. The two opposing sides are also fairly evenly matched, even if the merchants can typically rely on much bigger budgets than their antagonists.
What the criminals lack in financial resources, they are able to make up for with ingenuity and persistence. So e-commerce fraud keeps on happening and retailers have come to scale back their ambitions from eliminating to simply minimizing fraud.
But why is fraud so difficult to combat and should you really be forced to accept sharing a portion of your profits with criminals? Is that just the cost of doing business online?
Well, there is no simple answer to these questions, however one obvious risk factor present in all online sales is the lack of physical interaction between the seller and the buyer of the item. You can’t examine your customer’s credit card to make sure it is valid, nor can you ask for an ID, if you doubt the cardholder’s identity. There are tools to help you get around this obstacle and I have listed them below.
The bigger issue, I think, is that many merchants are not willing to take the threat seriously and address it adequately. The problem is that, even though e-commerce fraud is so widespread, many retailers do not invest enough resources into sufficiently educating their staff about fraud prevention. It doesn’t matter how sophisticated your infrastructure is, if your staff cannot make a good use of it, it will never live up to its potential.
With that in mind, here are my suggestions for fighting fraud in 2011:
- Educate staff on e-commerce fraud risk. Everyone in your organization needs to be fluent on your business policies, operational practices, fraud detection and prevention tools you have implemented and security controls. Staff members should understand the risks associated with e-commerce transactions and be able to follow your established risk management procedures.
- Select the right payment processor. When choosing a processor, you need to look beyond the transaction rates and fixed monthly costs. A good merchant account provider will give you better risk management support and help you understand the specific e-commerce fraud risk and liabilities that you need to address.
- Create and maintain an internal fraud prevention structure. Your e-commerce business needs a strong internal system of tools and policies for minimizing fraud and we will list some of them below.
- Design a fraud screening process. Your fraud prevention system needs to be designed to automatically flag for further review transactions displaying certain suspicious characteristics.
- Protect your merchant account from intrusion. We have previously written on how to protect e-commerce merchant accounts from intrusion, but the key is that you achieve and maintain PCI compliance (see below).
- Participate in Verified by Visa and MasterCard SecureCode. The two Credit Card Associations have developed these security features to require cardholders to authenticate themselves to their card issuer through the use of a preselected personal code. The password is verified by the issuer and, if correct, the transaction is allowed to be completed. Merchants using Verified by Visa and MasterCard SecureCode are not liable for most fraud-related chargebacks.
- Use the Address Verification Service (AVS). AVS enables e-commerce merchants to verify the validity of the billing address provided by their customers by comparing it to the one on file with the card issuer. AVS requests are typically processed simultaneously with, although separately from, the authorization requests.
- Use the card security codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in a physical possession of a valid card during a card-not-present transaction. Similarly to the AVS, the merchant includes the security code with the authorization request and the issuer replies with a response code, confirming or rejecting the validity of the provided number.
- Secure transaction authorizations. Your authorization requests must be submitted in a secure manner to ensure that transmitted data are adequately protected. PCI compliance will again help you achieve that goal.
- Establish a process for handling authorizations responses. Your staff needs to be well trained in handling authorization responses. Crucially, everyone needs to understand that a declined authorization means that the transaction must not be forced through the system and the customer needs to be asked for an alternative payment method.
- Set up transaction velocity limits and controls. You need to establish limits on the number and dollar amount of transactions approved for a customer within a specified period of time and adjust them as you accumulate data over time.
- Build and maintain an internal negative file. A fraudulent transaction is bound to sneak its way through your fraud prevention system on occasion, but you can use the occasion to learn from it. You should build and maintain a negative file, where such transactions are recorded and future orders are run through it. Whenever there is a match, you should decline the transaction or, at the very least, initiate a more thorough review.
- Achieve and maintain PCI compliance. The Payment Card Industry (PCI) Data Security Standards (DSS) are a set of requirements for security management, policies, procedures, network architecture, software design and other protective measures, intended to help organizations proactively protect customer account data. PCI compliance is now mandatory and it is in your own best interest to ensure that your business meets the industry data security requirements.
So this is my fraud prevention list for 2011. It is by no means comprehensive but it includes what I think are the most important features of a strong fraud-prevention system. Do you believe that I’m missing something important? If so, share your thoughts in the comments below.
Image credit: Smsintel.ru.