Verifying transaction information, especially in a card-not-present environment, is a topic we write about often, and for a good reason. With so much credit card fraud going on around us all the time, merchants who fail to get at least a basic grasp of transaction verification methodology, create a security hole that criminals sooner or later will exploit.
Now, you can never create a system that will protect your online business against all possible fraud-attack scenarios, but you can certainly make it very hard for criminals to use a stolen card on your website and keep improving your defenses as you go.
Industry Transaction Verification Tools
The credit card companies and associations provide several verification services, the use of which can (and should) be automated.
- Verified by Visa and MasterCard SecureCode. These two services are developed by the two Card Associations to help e-commerce merchants verify that the customer is an authorized user of the card that is presented for payment. If a card has been signed up for one of these services, each time the cardholder enters the account number at the checkout of a participating merchant, he or she is asked to enter a pass code in the Verified by Visa or MasterCard SecureCode window that opens up. Only then is the cardholder allowed to proceed with the payment.
- Transaction authorization. The approval or decline of a bank card transaction by the card issuer is called authorization. In a card-not-present environment, authorization occurs when the payment information is submitted on the e-commerce website. You must obtain an authorization approval for all card-not-present payments. It will not protect you against fraud-related chargebacks, but an authorization approval is an important step toward verifying a transaction’s legitimacy.
- Card security codes. These are the three-digit codes that are located in the right ends of the signature boxes on the back of Visa, MasterCard and Discover cards and the four-digit codes that are typically, but not always, located above and to the right of the account numbers of American Express cards. Merchants are not allowed to store these codes, so that when criminals get hold of credit card data, they typically don’t have access to the security codes. Merchants submit the security codes to the issuers as part of the authorization requests. A positive response indicates that the customer is in a physical possession of the card.
- Address Verification Service (AVS). AVS is a service that allows merchants accepting non-face-to-face transactions to compare the billing address provided by a customer with the one on the card issuer’s file prior to processing a transaction. A non-match is seen as a strong fraud indicator. The address verification and transaction authorization processes occur simultaneously and the merchant receives both results within seconds of submitting the requests.
Often the responses you get to your inquiries with the above industry services will not be sufficient. In such cases, you can turn to the web and use directories and reversal services to verify that the provided phone number and address belong to the cardholder. Additionally, you can call the card issuer directly and confirm the name, address and phone number associated with the card number, as well as check whether the cardholder has made a recent address change. Finally, you can call the cardholder at the number on file with the issuer and confirm the transaction.
There are other fraud prevention tools and best practices that you should consider implementing into your system, such as maintaining negative files, using velocity limits and controls, fraud screening procedures, etc. You should always keep an eye out for the latest fraud prevention developments and we will help keep you up to date.
Image credit: Creditcardmerchantintl.com.