How to Build and Use an Internal Negative File
Fraudulent transactions present a constant threat for everyone who accepts credit cards, but especially for e-commerce merchants. Unfortunately, even the best fraud prevention mechanisms are likely to be breached every now and then, allowing a fraudulent transaction to sneak its way through. This is not the end of the road, however, and you should try to make the best of the situation.
In order to protect yourself from falling victim to the same criminal or criminal group, you should build and maintain a negative file. If managed correctly, it will become one of the best tools for fighting fraud that you have at your disposal. Moreover, information stored in your negative file can reveal patterns in fraudulent transactions that can be examined and used in your fraud screening process.
You should be careful, however, to ensure that, when building your internal negative file, only data from fraudulent transactions are stored and recorded. Information that relates to customer disputes or chargebacks should be left out of the negative file. Customer disputes and chargebacks are no less important to deal with, but they require different remedial strategies, and mixing them up with fraudulent transactions will be counterproductive and confusing.
Consider the following suggestions when building, managing and using your internal negative file:
- Building and maintaining an internal negative file. Firstly, you should review your history of fraudulent transactions. Collect and record the details of the fraudulently used accounts to protect your organization from possible future fraud committed by the same person. Consider following these steps:
  - Record all key elements of the fraudulent transactions. In particular, your negative file should include the names, email addresses, shipping and billing addresses, customer identification numbers, passwords, phone numbers and card account numbers. Remember that you are not allowed to store the card security codes (the 3-digit numbers on the back of each Visa [CVV2], MasterCard [CVC 2] and Discover [CID] card and the 4-digit number on the front of each American Express [CID] card).
  - Establish a process for removing from the negative file the account information of legitimate customers whose credit cards have been compromised. Cardholders are just as much victims of fraud as you are and have probably spent just as much time dealing with it as you have. Eventually, when the fraudulent transaction is resolved, they will once again regain control of their accounts and probably have their cards replaced. When this happens, you will want them to remain your customers and should make it as easy as possible for them to update their account information. Make sure that you remove the customer’s name, billing address, customer ID and phone number from your internal negative file. You should ask them to create a new account password and to update their credit card account numbers (if applicable) and shipping address (if changed by the criminal).
- Using the internal negative file. Your system should allow data in your negative file to be compared to equivalent information in every new order you receive. Whenever there is a match, you should decline the transaction or, at the very least, initiate a more thorough review. Once you decline it, review the order and look for new pieces of information that can be added to your file. Maybe the criminal is using a compromised email address, but the phone number is new.
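The matching step described above, as an added example that is not part of the original article: each new order is compared field by field against the negative file, a match flags the order for decline or review, and the unmatched fields are returned as candidates to add once fraud is confirmed. The field names, the normalization rules, the `NegativeFile` class and the choice to store keyed digests under a demo key instead of raw values are all assumptions of this example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret held outside the file
# Subset of the fields the article lists; card security codes are never stored.
FIELDS = ("name", "email", "phone", "billing_address",
          "shipping_address", "customer_id", "card_number")

def normalize(field, value):
    """Canonical form so trivial formatting changes still match."""
    if field in ("phone", "card_number"):
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.lower().split())

def digest(field, value):
    """Keyed digest of one normalized field value."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

class NegativeFile:
    def __init__(self):
        self.entries = set()  # keyed digests, not raw values (assumption)

    def add_fraud(self, order):
        """Record fields from a confirmed fraudulent transaction only."""
        self.entries.update(digest(f, order[f]) for f in FIELDS if order.get(f))

    def remove(self, field, value):
        """Clear a legitimate cardholder's detail once the fraud is resolved."""
        self.entries.discard(digest(field, value))

    def screen(self, order):
        """Return (decision, matched fields, unmatched fields to consider adding)."""
        present = [f for f in FIELDS if order.get(f)]
        matched = [f for f in present if digest(f, order[f]) in self.entries]
        if not matched:
            return "no_match", [], []
        return "review", matched, [f for f in present if f not in matched]

def demo():
    """Constructed sample data: one past fraud, then one new order."""
    nf = NegativeFile()
    nf.add_fraud({"name": "J. Doe", "email": "Buyer@Example.com",
                  "phone": "+1 (555) 010-0000"})
    order = {"name": "A. Smith", "email": " buyer@example.com",
             "phone": "555-010-9999"}
    return nf, nf.screen(order)

if __name__ == "__main__":
    print(demo()[1])
```

The `remove` method corresponds to the clean-up step for legitimate cardholders: call it for the name, billing address, customer ID and phone number once the fraud is resolved.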
You may want to share your negative file data with your processing bank. It has a much larger pool of data and many more resources than any single merchant. Hopefully, other merchants will do the same, expanding the database even further.
Image credit: Tweakyourbiz.com.