Card-not-present transactions present merchants with fraud prevention challenges that are either non-existent or much easier to address in a card-present environment. E-commerce merchants are required to verify the validity of all bank cards submitted for payment on their websites, just as their brick-and-mortar counterparts are required to do in their physical stores. However, they lack the advantage that store-front retailers have in being able to physically examine the card’s features, in order to determine whether or not it has been tampered with.
Still, web-based merchants are not entirely helpless in their fraud prevention efforts. They have plenty of tools at their disposal to assist them in the card validation process, and they should implement the following best practices:
- Use the Mod 10 algorithm. Developed by IBM scientist Hans Peter Luhn, the Mod 10 algorithm was designed to validate a variety of identification numbers. In the payment card industry, the Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. The Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits. To implement the algorithm in your fraud prevention system:
  - Contact your processor and ask for the Mod 10 algorithm that lets you check the validity of a card number.
  - Use the Mod 10 algorithm to check all e-commerce transactions before submitting them for authorization.
  - Immediately notify your customer if the card fails to pass the Mod 10 check. Display the following message on the customer’s screen: “The card number you entered is invalid. Please try again.” or a similar message.
  - Do not submit the transaction for authorization until the card number passes the Mod 10 check.
Using the Mod 10 algorithm for checking the validity of your customers’ card numbers will help protect your business against fraud or an error on the part of the cardholder and minimize related disputes and losses.
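The Mod 10 pre-authorization check described above, written out as an added Python example (not the article's or any processor's code). It goes beyond the listed steps by also measuring, on a constructed sample number, which single-digit errors and adjacent transpositions the check misses; the function names, the 12 to 19 digit length bound and the sample number are assumptions.

```python
import re

# Assumption: accepted card numbers are 12 to 19 digits; adjust to the brands you accept.
PAN_RE = re.compile(r"[0-9]{12,19}")
INVALID_MSG = "The card number you entered is invalid. Please try again."

def luhn_sum(digits: str) -> int:
    """Mod 10 sum: double every second digit from the right, fold 10-18 to 1-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total

def passes_mod10(card_input: str) -> bool:
    """True if the input, minus spaces and dashes, is well-formed and passes Mod 10."""
    digits = re.sub(r"[ -]", "", card_input)
    return bool(PAN_RE.fullmatch(digits)) and luhn_sum(digits) % 10 == 0

def precheck(card_input: str):
    """Gate before authorization: (True, None) to proceed, else (False, message)."""
    return (True, None) if passes_mod10(card_input) else (False, INVALID_MSG)

def missed_single_digit_errors(pan: str) -> int:
    """Count one-digit substitutions of a valid number that still pass."""
    return sum(
        passes_mod10(pan[:i] + r + pan[i + 1:])
        for i, ch in enumerate(pan) for r in "0123456789" if r != ch
    )

def missed_adjacent_swaps(pan: str) -> list:
    """List adjacent-digit transpositions of a valid number that still pass."""
    missed = []
    for i in range(len(pan) - 1):
        a, b = pan[i], pan[i + 1]
        if a != b and passes_mod10(pan[:i] + b + a + pan[i + 2:]):
            missed.append(a + b)
    return missed

# Constructed sample number (not a real account); it contains the digit pair "09".
SAMPLE = "4111 1111 1111 1095"

if __name__ == "__main__":
    pan = SAMPLE.replace(" ", "")
    print(precheck(SAMPLE))                   # well-formed: proceed to authorization
    print(precheck("4111 1111 1111 1096"))    # one wrong digit: show the message
    print(missed_single_digit_errors(pan))    # substitutions the check fails to catch
    print(missed_adjacent_swaps(pan))         # transpositions the check fails to catch
```

A number that passes Mod 10 is only well-formed; whether the account exists and the transaction is approved is still decided by the authorization response.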
- Display only the last four digits of a repeat customer’s card number. When showing a returning customer’s account information on your website, display only the last four digits of his or her card number. Truncating the sixteen-digit account number and displaying only the last four digits helps minimize e-commerce fraud risk, and it also assures customers that you are taking concrete measures to securely handle their personal information. The last four digits of a card account give customers enough information to identify their card and to decide whether to use it or to select another payment method.
- Use the card security codes. Card security codes are the three-digit numbers found in the signature panels on the back of Visa (Card Verification Value 2 — CVV2), MasterCard (Card Verification Code 2 — CVC 2) and Discover (Card Identification Number — CID) cards and the four-digit numbers found slightly above and to the right of the account numbers of American Express cards (Card Identification Number — CID). These numbers are generated when the card is issued, by hashing the card number and expiration date under a key known only to the card issuer. Card security codes help merchants verify that their customers are in physical possession of their cards at the time of the transaction. To use the card security codes, follow these steps:
  - Ask your customer for the card’s security code. Make sure you explain where the code is to be found on the card.
  - Include the number your customer provides in your authorization request.
  - Evaluate the result code you receive and take it into consideration when determining the validity of the transaction. Be advised that the card security code response is separate from the authorization response.
Image credit: Wikimedia Commons.