Fraud is a much bigger concern for e-commerce merchants than it is for their brick-and-mortar counterparts. The challenges of verifying the validity of both the card and the cardholder in a non-face-to-face environment are much greater than they are in a card-present setting. Still, there are plenty of third-party tools that can help you screen fraudulent transactions. But perhaps the better way to prevent fraud from happening is to develop and implement an internal mechanism for screening transactions, which would, if certain predefined high-risk characteristics are found, suspend the processing of the transactions at issue.
If you decide to build your own, proprietary, fraud screening mechanism, consider implementing the following elements to serve as trigger points for suspending the processing of a transaction:
- Transaction data that matches information stored in your internal negative file. Internal negative files should include account information from previous transactions that have been proved to be compromised or fraudulent.
- Transactions that exceed your internal velocity limits and controls.
- Transactions that generate an Address Verification Service (AVS) mismatch. Implementing this fraud screening element is based on the assumption that you are employing AVS, which you should do! AVS verifies whether or not the billing address that your customer provides during a card-not-present transaction matches the one the card issuer has on file for the cardholder. The AVS verification process provides merchants with a response code for each transaction. A “No Match” response is a strong sign of potential fraud and can be used as a trigger point in your fraud screening mechanism. AVS can also generate a “Partial Match” response which, at the very least, should prompt an additional investigation.
- Transactions that generate a Card Security Code mismatch. As with the AVS element above, the assumption again is that you are using the security codes for every transaction, which you should do! The three-digit codes on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit codes on the front of American Express (CID) cards were introduced as an additional tool to help merchants verify that the cardholder is in physical possession of the card at the time of the transaction. The Card Security Code verification process, just like the AVS verification process, generates response codes, and the same procedures should be followed as with the AVS responses. You should never store these codes in your system.
- International shipping addresses. If your business is shipping abroad, perhaps you should screen international addresses for fraud as well. If you decide to do that, you should take into account the fact that some countries present a much higher risk than others. You may also want to consider not shipping to certain countries at all. Make sure that your processor supports the international AVS.
- Identify international IP addresses as high-risk. Statistical data show that international IP addresses have a substantially higher fraud rate than domestic addresses, particularly when merchants require a U.S. billing address.
- The shipping address is different from the billing address. You may want to require that these two addresses match, especially for big-ticket transactions and transactions for specific merchandise types.
- Screen for high-risk shipping addresses. Apart from international addresses, there are certain addresses that require special attention, such as P.O. boxes, prisons, hospitals and addresses with documented fraudulent activity. There are third-party databases of high-risk shipping addresses that you can use to compare to shipping addresses provided by your customers.
- Previous cardholder purchases should be a favorable factor in your fraud assessment procedures.
You should incorporate into your card processing procedures a mechanism for separating high-risk from low-risk transactions. By doing so you will be able to reduce costs by not having to screen every single transaction and concentrate your resources on the most likely offenders instead. Fraud scoring is a system of predictive fraud detection models or technologies that will help you do just that.
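The trigger points listed above can be combined into one additive score that sorts each transaction into process, review or suspend. The following is an added example, not code from the original article; the field names, weights, thresholds, velocity limit and the sample negative-file entry are all assumptions to be tuned against your own fraud history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data and assumed weights/limits (not from the article).
NEGATIVE_FILE = {"tok_bad_0001"}            # card tokens from confirmed-fraud orders
HIGH_RISK_SHIP = ("PO BOX", "P.O. BOX")     # stand-in for a third-party address database
VELOCITY_LIMIT, VELOCITY_WINDOW = 3, timedelta(hours=1)
REVIEW_AT, SUSPEND_AT = 20, 50

@dataclass
class Txn:
    card_token: str      # processor token; the PAN and security code are never stored
    avs: str             # "match", "partial" or "no_match"
    csc: str             # "match" or "no_match"
    bill_addr: str
    ship_addr: str
    ship_country: str
    ip_country: str
    when: datetime
    prior_good_orders: int = 0

def screen(txn, history, home="US"):
    """Score one transaction against the trigger points; return (decision, score, reasons)."""
    # Velocity: earlier transactions on the same card inside the window.
    recent = [h for h in history if h.card_token == txn.card_token
              and timedelta(0) <= txn.when - h.when <= VELOCITY_WINDOW]
    ship = txn.ship_addr.upper()
    # A "no_match" weighs more than the returning-customer credit can offset.
    rules = [
        ("negative_file", 100, txn.card_token in NEGATIVE_FILE),
        ("velocity", 40, len(recent) >= VELOCITY_LIMIT),
        ("avs_no_match", 70, txn.avs == "no_match"),
        ("avs_partial", 20, txn.avs == "partial"),
        ("csc_no_match", 70, txn.csc == "no_match"),
        ("intl_shipping", 15, txn.ship_country != home),
        ("intl_ip", 15, txn.ip_country != home),
        ("ship_bill_differ", 10, ship != txn.bill_addr.upper()),
        ("high_risk_ship_addr", 25, any(m in ship for m in HIGH_RISK_SHIP)),
        ("returning_customer", -15, txn.prior_good_orders > 0),
    ]
    reasons = [name for name, _, hit in rules if hit]
    score = max(0, sum(weight for _, weight, hit in rules if hit))
    decision = "suspend" if score >= SUSPEND_AT else "review" if score >= REVIEW_AT else "process"
    return decision, score, reasons
```

Returning the list of reasons alongside the decision gives whoever reviews a held order the specific trigger points that fired.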
Image credit: Howtopreventfraud.com.