Fraud Prevention Guidelines for MO / TO Merchants

Fraud Prevention Guidelines for MO / TO Merchants


Mail order and direct order (MO / TO) merchants, just like e-commerce organizations, accept payments in a card-not-present environment. The difference is that, while e-commerce services enable cardholders to enter their account details on the merchant’s website, MO / TO services allow the merchant to complete transactions by entering the cardholder’s account information their customer has provided over the phone or in the mail.


MO / TO merchants must validate the cardholder’s identity and the validity of the transaction, to the best of their ability, and here they have an advantage over their e-commerce counterparts. While e-commerce payments are processed, and must be verified, within seconds, MO / TO merchants have much more time to investigate the provided information. With that in mind, your fraud prevention procedures should include the following actions:

  • Obtain an authorization. Avoid using a $1 authorization to verify if the account is in good standing.
  • Obtain the card expiration date. Include the expiration date in your authorization request. An invalid or missing expiration date can be an indicator that the person does not have the actual card in hand.
  • Obtain the card security code. Card security codes are the three-digit numbers found in the signature panels on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit numbers found above and slightly to the right of the account numbers of American Express (CID) cards. Card security codes were introduced as an additional tool to help ensure that the customer is in a physical possession of the card at the time of the transaction.
  • Use the Address Verification Service (AVS). AVS verifies the validity of the billing address provided by your customer by comparing it to the one on file with the card issuer.
  • Submit the authorization request with the billing address and security code. The authorization response will include the result codes for both.
  • Perform transaction screening. Transactions should be screened, either internally or using third-party tools, for questionable transaction data or other potential warning signs indicating “out of pattern” orders. Transactions with suspicious characteristics should be reviewed for fraud.


When you identify a transaction with high-risk characteristics:

  • Make a Code 10 call. Code 10 is a voice authorization request that alerts the card issuer to the suspicious activity. The issuer’s voice authorization center representative will ask you a series of questions to determine whether or not the transaction is fraudulent and provide instructions on how to proceed.
  • Call your customer. Call your customer at the number they have provided and ask for additional information, e.g., bank name on the front of the card.
  • Confirm the order with your customer. Send a confirmation note to your customer’s billing address, not to the shipping address.


Implementing these suggestions into your fraud prevention procedures will help substantially reduce fraud and the number of customer complaints that lead to chargebacks. It is important that, whenever you get to contact a customer for additional details, you are courteous and polite. Do not tell them that you are attempting to verify the validity of a transaction. If the customer refuses to provide additional information, simply state that this is a standard procedure that your business always takes for such types of transactions to protect cardholders from fraud. Always report suspicious activity to your processing bank.

Add Comment

Read more:
Being Unbanked Is a Choice, but the Alternatives Are Getting Better
Being Unbanked Is a Choice, but the Alternatives Are Getting Better

Close