Saturday, August 13th, 2011

16 Signs of Suspicious Customer Behavior at the Checkout

Tags: card-present transactions, fraud prevention

We have written in previous posts on the credit card acceptance procedures you should follow in a face-to-face setting and I hope that you are following our advice. If you are, I have no doubt that fraud is not an issue that is keeping you awake at night.


Yet, there is more that can be done to further minimize credit card fraud risk and it does not cost you anything. All you have to do is learn how to identify suspicious customer behavior at the checkout and be a little extra attentive to accepting credit cards from such consumers. In this post I will show you how to do that.

Suspicious Customer Behavior at the Checkout


The following five types of customer behavior at the point of sale often (but not always!) betray a consumer who is attempting to commit fraud:

  • Buying large quantities of merchandise with little or no concern for size, style, color, or price.
  • Not asking about or ignoring free delivery options on large items (for example, furniture or televisions) or expensive purchases.
  • Attempting to distract or rush the employee at the checkout.
  • Completing purchases, leaving the store, and then immediately returning to make more purchases.
  • Shopping either right after the store opens or just before it closes.


Now, it is very important to recognize that each of the above types of behavior can have a perfectly reasonable explanation that has nothing to do with fraud. For example, a consumer may be habitually shopping at a particular store right after it opens in the morning, because that is when she happens to begin her commute to work. Or a football fan may decide to forgo a free delivery option for a new TV, because that would cause it to arrive too late for the Super Bowl. There are plenty of other good reasons for such behavior that I can come up with and I’m sure you can think of many more.


The point is that what these five types of behavior do indicate is a higher probability that fraud may be under way, so you should be on higher alert and make sure you go through the entire checklist for accepting credit cards. If you still cannot decide whether the transaction is legitimate or not, you will have to make a Code 10 call.

Suspicious Behavior at Gas Stations


Gas stations are unique among card-present types of businesses in that they typically feature a mix of attended and unattended point-of-sale (POS) terminals. Signs of suspicious customer behavior are also different, both at the register and at the pump.

At the Register

  • Purchasing more than $50 worth of store items (other than gas).
  • Buying large quantities of beer and cigarettes.
  • Purchasing tires, without having them mounted.
  • Offering a bribe to the cashier.
  • Asking for cash back on a credit card.

At the Pump

  • Activating multiple pumps.
  • Buying gas multiple times a day.
  • Filling up multiple cars at the same pump.
  • Filling up large containers.
  • Testing cards.
  • Loitering at the pumps.


The same caveat applies to suspicious behavior at a gas station as it does elsewhere. The above signs should be seen as indicating a higher probability of fraud, not as a smoking gun, and customers who display them should never be treated any differently than those who do not.

The Takeaway


Accepting payments in a card-present setting allows you to scrutinize your customer’s behavior and look for out-of-pattern signs. Take advantage of this opportunity! If you run a larger operation, train your employees on how to do that. It is often easier to identify suspicious behavior than it is to recognize a counterfeit card.


As you gain experience, you should add to my list and update it to exclude or modify those items that are not applicable to your particular circumstances. I hope that, as you do that, you will share your experience with us, so others can benefit from it too.




Thursday, June 23rd, 2011

9 Telltale Indicators of E-Commerce Credit Card Fraud

Tags: e-commerce, fraud prevention

Criminals are constantly improving their strategies and tactics for stealing and then using credit card information for fraudulent purchases. It is a high-stakes arms race between the e-commerce merchants and service providers on one side and the hackers and fraudsters on the other. It is a struggle that can be seen very much in evolutionary terms: you either learn to constantly evolve or you will perish.


Compliance with the requirements of the Payment Card Industry (PCI) Data Security Standards goes a long way towards ensuring that sensitive account data is well protected against hackers. We will review the PCI DSS requirements again in the near future, as there have been some recent changes that need to be examined.


In this post, however, I will focus solely on how to recognize a potentially fraudulent transaction, so that you can flag it for a more detailed examination, before processing it.

9 Telltale E-Commerce Fraud Indicators


Following are 9 of the most typical fraud indicators for e-commerce transactions. Keep in mind that the presence of any single one of them does not necessarily mean that fraud is under way. It simply heightens the probability of the transaction being fraudulent. So if you have identified two of these indicators, the fraud probability rises further and so on. You should develop a policy for investigating such transactions, based on their fraud risk and verify that both the card and the cardholder are genuine before processing the payment. So here are the signs:

  1. New customers. Needless to say, you need to be careful here. You need as many new customers as you can get and the last thing you want to do is antagonize them. At the same time, criminals are likely to only use stolen card information once in any given store.
  2. Unusually large orders. As the card account whose information is stolen is typically quickly shut down, criminals will try to use up as much of its credit line as possible in this limited time frame. Placing large orders is a way to do that.
  3. Ordering multiple identical or similar items. This is another tactic for maximizing profit in a stolen credit card account’s limited life span.
  4. Expensive items. Expensive merchandise has correspondingly high resale value, which is what makes it attractive to criminals. Incidentally, this is also a major reason merchants with high average ticket amount are categorized as high risk by payment processors.
  5. Overnight delivery or other expensive shipping option. As criminals do not spend their own money and are solely interested in getting their hands on the merchandise as quickly as possible, shipping charges are of no concern to them.
  6. International orders. A disproportionately large number of fraudulent e-commerce orders are placed from outside the U.S. Some countries are higher risk than others and you will have to decide whether or not to accept orders from their residents in the first place.
  7. Similar card numbers. Fraudulently generated card numbers are often very similar, only different by a digit or two. Your system should be designed to identify such numbers.
  8. Multiple orders with the same shipping address. This is a very strong indication that a stolen batch of account information is fraudulently used.
  9. Multiple orders with different cards, but from the same IP address. This may be an indication that the orders are placed from the same computer, even if multiple shipping addresses are used.


Your fraud detection system should be able to identify each of the above items. For evaluation purposes you may want to assign different weight to each one of these indicators and adjust it as you collect more data. So if, for example, you discover that orders with overnight shipping result in fraud more often than orders for expensive items, your transaction review process should be adjusted to account for the difference. But don’t stop there, as what holds true this month may well change the next and so should your fraud review process.
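The weighting idea above, applied to a small batch of orders, as an added example that is not code from the original post. The weights, the $1,000 threshold, the field names and the sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed starting weights (assumption); adjust them as confirmed-fraud
# data accumulates, which is the tuning loop the post describes.
WEIGHTS = {
    "new_customer": 1, "large_order": 2, "overnight_shipping": 2,
    "international": 2, "similar_card_number": 3,
    "shared_shipping_address": 3, "shared_ip_different_cards": 3,
}
LARGE_ORDER_USD = 1000  # assumed threshold for "unusually large"


def digits_differing(a, b):
    """Count positions at which two card numbers differ."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def norm(address):
    return " ".join(address.lower().split())


def score_orders(orders):
    """Return {order_id: (score, sorted names of the indicators that fired)}."""
    cards_by_address, cards_by_ip = defaultdict(set), defaultdict(set)
    for o in orders:
        cards_by_address[norm(o["ship_to"])].add(o["card"])
        cards_by_ip[o["ip"]].add(o["card"])

    results = {}
    for o in orders:
        hits = set()
        if o["new_customer"]:
            hits.add("new_customer")
        if o["amount"] >= LARGE_ORDER_USD:
            hits.add("large_order")
        if o["shipping"] == "overnight":
            hits.add("overnight_shipping")
        if o["country"] != "US":
            hits.add("international")
        # Indicator 7: another order used a card differing by a digit or two.
        if any(0 < digits_differing(o["card"], p["card"]) <= 2 for p in orders):
            hits.add("similar_card_number")
        # Indicators 8 and 9, narrowed here to *different* cards sharing one
        # shipping address or IP, so a repeat customer does not trigger them.
        if len(cards_by_address[norm(o["ship_to"])]) > 1:
            hits.add("shared_shipping_address")
        if len(cards_by_ip[o["ip"]]) > 1:
            hits.add("shared_ip_different_cards")
        results[o["id"]] = (sum(WEIGHTS[h] for h in hits), sorted(hits))
    return results


# Constructed batch with made-up card numbers, compared in memory only.
FIELDS = ("id", "card", "ip", "ship_to", "amount", "shipping", "country", "new_customer")
ORDERS = [dict(zip(FIELDS, row)) for row in (
    ("A1", "4000000000000101", "198.51.100.7", "12 Elm St", 1500, "overnight", "US", True),
    ("A2", "4000000000000191", "198.51.100.7", "12  elm st", 200, "ground", "US", True),
    ("A3", "5100000000007777", "203.0.113.9", "9 Oak Ave", 80, "ground", "US", False),
)]
```

Orders A1 and A2 score high because several indicators fire together, while A3 scores zero; the review threshold you set on the score is what decides which orders are held.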




Tuesday, June 21st, 2011

8 Items to Monitor when Screening E-Commerce Transactions

Tags: e-commerce best practices, fraud prevention

Detecting and preventing e-commerce fraud can be quite time consuming if you have not designed and implemented a mechanism to automate the process. There are quite a few third-party vendors to help you do that, but I would suggest that a better approach would be for the management of each e-commerce business to invest the time and develop a proprietary internal system for screening potentially fraudulent transactions. It only makes sense that, as fraud prevention should be at the top of your priorities, you would want to become at least a minor expert in the field.


Such a proprietary fraud screening mechanism should be able to detect certain preselected high-risk transaction characteristics and suspend the processing of the payment at issue until it is investigated more closely.

8 Characteristics of Potentially Fraudulent Transactions


The following transaction characteristics should be built into your fraud screening mechanism to trigger the suspension of a payment:

  1. Negative file match. If you maintain an internal negative file (and you should!), it will store information from transactions previously identified as fraudulent. Your fraud screening system should automatically match information from all new transactions against it.
  2. Exceeding your internal velocity limits and controls. You will need to establish review limits on the number and dollar amount of transactions approved for a single customer over a specified time period. These should be continually adjusted, as you accumulate more data.
  3. Address Verification Service (AVS) mismatch. AVS verifies whether or not the billing address provided by your customer at the checkout matches the one on file with the issuer. A “No Match” response is a strong fraud indicator and a “Partial Match” should also be investigated.
  4. Card security code mismatch. These are the three- or four-digit codes used to verify that the cardholder is in possession of the card during the transaction. All valid payment cards have a security code and a mismatch is a strong indicator of potential fraud.
  5. International shipping address. If you do accept orders from some foreign countries, but not from others, you should screen the undesirable transactions.
  6. International IP addresses. If you have identified certain international IP addresses as having a higher fraud rate than domestic or other foreign IP addresses, you would probably want to screen them as well.
  7. Different shipping and billing addresses. If you do not accept orders with a mismatch between the billing and shipping addresses or accept them, but want to take a closer look at them first, you would want to screen them.
  8. High-risk shipping address. A shipping address does not need to be international to be high-risk. There are certain domestic addresses that you may want to screen, such as P.O. boxes, prisons, hospitals, as well as ones found in third-party databases of high-risk shipping addresses.


What your fraud screening system does is separate high-risk from low-risk transactions, based on criteria you have pre-set, so that you don’t waste time reviewing orders that are unlikely to be fraudulent. As data accumulate, you will need to periodically review your selected criteria and make adjustments, as necessary. For example, you may want to add a high-risk shipping or IP address or add a country to your non-shipping list.
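A sketch of such a screening step, covering the negative file, velocity limits, AVS and security code responses and the shipping address checks from the list above. This is an added example, not code from the original post; the limits, the response labels, the key, the field names and the sample transactions are assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

KEY = b"constructed-demo-key"            # placeholder; keep the real key secret
VELOCITY_WINDOW = timedelta(hours=24)    # assumed review limits per customer:
MAX_ORDERS, MAX_AMOUNT = 3, 2000         # 3 orders or $2,000 in 24 hours


def norm(value):
    return " ".join(value.lower().split())


def fingerprint(value):
    """Keyed hash, so the negative file never holds raw customer details."""
    return hmac.new(KEY, norm(value).encode(), hashlib.sha256).hexdigest()


# Constructed negative file built from orders already confirmed as fraud.
NEGATIVE_FILE = {fingerprint("mule@example.com"), fingerprint("77 Drop Rd")}


def screen(txn, history):
    """Return the reasons to suspend txn; an empty list means process it.

    history holds earlier approved (customer_id, timestamp, amount) tuples.
    """
    reasons = []
    if any(fingerprint(txn[f]) in NEGATIVE_FILE for f in ("email", "ship_to")):
        reasons.append("negative_file_match")
    recent = [amount for customer, ts, amount in history
              if customer == txn["customer_id"]
              and timedelta(0) <= txn["time"] - ts <= VELOCITY_WINDOW]
    if len(recent) + 1 > MAX_ORDERS or sum(recent) + txn["amount"] > MAX_AMOUNT:
        reasons.append("velocity_limit_exceeded")
    # Issuer responses, normalized to the labels the post uses.
    if txn["avs"] in ("no_match", "partial_match"):
        reasons.append("avs_" + txn["avs"])
    if txn["security_code"] != "match":
        reasons.append("security_code_mismatch")
    if norm(txn["ship_to"]) != norm(txn["bill_to"]):
        reasons.append("shipping_differs_from_billing")
    if norm(txn["ship_to"]).replace(".", "").startswith("po box"):
        reasons.append("high_risk_shipping_address")
    return reasons


# Constructed sample data.
NOW = datetime(2011, 6, 21, 12, 0)
HISTORY = [("c42", NOW - timedelta(hours=2), 900),
           ("c42", NOW - timedelta(hours=5), 800),
           ("c42", NOW - timedelta(hours=30), 500),   # outside the window
           ("c7", NOW - timedelta(hours=1), 50)]
CLEAN = {"customer_id": "c7", "time": NOW, "amount": 60,
         "email": "pat@example.net", "ship_to": "5 Pine St",
         "bill_to": "5 Pine St", "avs": "match", "security_code": "match"}
OVER_LIMIT = dict(CLEAN, customer_id="c42", amount=400)
RISKY = dict(CLEAN, email=" Mule@Example.com", ship_to="P.O. Box 19",
             avs="partial_match", security_code="no_match")
```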




Monday, June 20th, 2011

How to Verify E-Commerce Transaction Information

Tags: e-commerce best practices, fraud prevention

Verifying transaction information, especially in a card-not-present environment, is a topic we write about often, and for a good reason. With so much credit card fraud going on around us all the time, merchants who fail to get at least a basic grasp of transaction verification methodology create a security hole that criminals will sooner or later exploit.


Now, you can never create a system that will protect your online business against all possible fraud-attack scenarios, but you can certainly make it very hard for criminals to use a stolen card on your website and keep improving your defenses as you go.

Industry Transaction Verification Tools


The credit card companies and associations provide several verification services, the use of which can (and should) be automated.

  • Verified by Visa and MasterCard SecureCode. These two services are developed by the two Card Associations to help e-commerce merchants verify that the customer is an authorized user of the card that is presented for payment. If a card has been signed up for one of these services, each time the cardholder enters the account number at the checkout of a participating merchant, he or she is asked to enter a pass code in the Verified by Visa or MasterCard SecureCode window that opens up. Only then is the cardholder allowed to proceed with the payment.
  • Transaction authorization. The approval or decline of a bank card transaction by the card issuer is called authorization. In a card-not-present environment, authorization occurs when the payment information is submitted on the e-commerce website. You must obtain an authorization approval for all card-not-present payments. It will not protect you against fraud-related chargebacks, but an authorization approval is an important step toward verifying a transaction’s legitimacy.
  • Card security codes. These are the three-digit codes that are located in the right ends of the signature boxes on the back of Visa, MasterCard and Discover cards and the four-digit codes that are typically, but not always, located above and to the right of the account numbers of American Express cards. Merchants are not allowed to store these codes, so that when criminals get hold of credit card data, they typically don’t have access to the security codes. Merchants submit the security codes to the issuers as part of the authorization requests. A positive response indicates that the customer is in physical possession of the card.
  • Address Verification Service (AVS). AVS is a service that allows merchants accepting non-face-to-face transactions to compare the billing address provided by a customer with the one on the card issuer’s file prior to processing a transaction. A non-match is seen as a strong fraud indicator. The address verification and transaction authorization processes occur simultaneously and the merchant receives both results within seconds of submitting the requests.


Often the responses you get to your inquiries with the above industry services will not be sufficient. In such cases, you can turn to the web and use directories and reverse directory services to verify that the provided phone number and address belong to the cardholder. Additionally, you can call the card issuer directly and confirm the name, address and phone number associated with the card number, as well as check whether the cardholder has made a recent address change. Finally, you can call the cardholder at the number on file with the issuer and confirm the transaction.


There are other fraud prevention tools and best practices that you should consider implementing into your system, such as maintaining negative files, using velocity limits and controls, fraud screening procedures, etc. You should always keep an eye out for the latest fraud prevention developments and we will help keep you up to date.




Friday, June 3rd, 2011

How to Manage the E-Commerce Check-out Process

Tags: e-commerce best practices, fraud prevention

The check-out page is among the most underrated parts of an e-commerce website. Many merchants feel like by the time a customer is taken to the check-out, the sale is complete and they can move on. Well, this is not exactly the case. The check-out form is very much a part of the sales process and not even the end of it. The sale is not complete until all necessary transaction information is collected, verified and processed successfully. After all, what good is there in a sale that comes back a week or two later as a fraud or chargeback?


The e-commerce check-out process should be designed in a way that allows merchants to collect all information that is needed to verify the validity of both the card and the customer and then to make a well-informed decision on how to proceed with the transaction.

Required E-Commerce Check-out Data Fields


The check-out process begins with the customer filling out a payment form. In order to enable you to verify the validity of the transaction and to identify high-risk orders, customers must be required to populate the following data fields:

  • Cardholder name and billing address. If needed, the cardholder’s name and billing address can be verified using reverse directory services.
  • Card number and expiration date. These will be verified during the authorization process.
  • Shipping name and address. If these are different from the billing information, the transaction’s risk level increases greatly. You have the option of not accepting orders if shipping and billing data don’t match, but this is a bit too drastic of a solution.
  • Telephone number. As with names and addresses, if needed you can validate phone numbers using reverse directories.
  • Card security codes. These are also referred to as card verification or validation codes. For Visa, MasterCard and Discover, security codes are the three-digit numbers located in the right corners of the signature panels on the back of the cards. For American Express, security codes are the four-digit numbers located above the account numbers on the front of the cards. These numbers are used to verify that cardholders are in physical possession of their cards at the time of the transaction. Merchants are not allowed to store security codes, which makes it very difficult for hackers to obtain them, even if other account data are compromised.


If the customer leaves any of the above fields blank, your system must be designed to prompt him to fill it out, before the transaction information can be processed. You may also want to ask for an email address. Although its validity cannot be verified, a free email address is higher-risk than a paid one (like a business email). Additionally, you can ask for the card’s brand and check whether the first digit of the account number corresponds to the brand’s allocated one. For example, the first digit of a Visa card is always 4, for MasterCard it is 5, for American Express – 3 and for Discover it is 6.

Editing of Check-out Information


If your customer submits incomplete or erroneous information or if the response to your authorization or security code validation request is negative, your system should prompt him to edit the data in real time. More specifically, you should:

  • Immediately display in your customer’s browser which required information fields are incorrect or incomplete. You can do that by highlighting the fields using for example a different color, bold font or an asterisk.
  • Request that your customer corrects the information if it was incomplete or not provided in the required format.
  • If corrections are needed, allow editing of the incomplete fields, while saving all correct information. You can very easily annoy legitimate customers if you send them back to the check-out form and have them fill it out all over again, just because they have made a single error.


Additionally, you should specify the number of corrections a customer is allowed to make, before the system locks him out. You need to do that to prevent criminals from trying to guess a particular piece of information they have not been able to obtain.
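The check-out rules from both sections above, sketched as server-side validation: required fields, the brand and first-digit check, keeping the correct fields between attempts, and a lock after repeated failures. This is an added example, not code from the original post; the field names, the limit of three failed submissions and the 13 to 19 digit length range are assumptions.

```python
import re

# First digit per brand, exactly as listed in the post above.
BRAND_FIRST_DIGIT = {"visa": "4", "mastercard": "5", "amex": "3", "discover": "6"}
REQUIRED = ("cardholder_name", "billing_address", "card_number", "expiration",
            "shipping_name", "shipping_address", "phone", "security_code", "brand")
MAX_FAILED_SUBMISSIONS = 3  # assumed limit; the third failure locks the session


class CheckoutSession:
    def __init__(self):
        self.saved = {}      # fields that already passed validation
        self.failures = 0
        self.locked = False

    def submit(self, form):
        """Return (status, fields to highlight); status is ok, edit or locked."""
        if self.locked:
            return "locked", []
        data = dict(self.saved)
        data.update({k: str(v).strip() for k, v in form.items()})
        bad = {f for f in REQUIRED if not data.get(f)}

        number = data.get("card_number", "").replace(" ", "")
        brand = data.get("brand", "").lower()
        code = data.get("security_code", "")
        if number and not re.fullmatch(r"[0-9]{13,19}", number):
            bad.add("card_number")
        if brand and brand not in BRAND_FIRST_DIGIT:
            bad.add("brand")
        elif brand and number and number[0] != BRAND_FIRST_DIGIT[brand]:
            bad.add("card_number")
        # Three digits for Visa, MasterCard and Discover; four for Amex.
        code_length = 4 if brand == "amex" else 3
        if code and not re.fullmatch(r"[0-9]{%d}" % code_length, code):
            bad.add("security_code")

        # Keep every valid field so the customer retypes only flagged ones.
        # The security code is never retained between attempts.
        self.saved = {k: v for k, v in data.items()
                      if k in REQUIRED and k not in bad and k != "security_code"}
        if not bad:
            return "ok", []
        self.failures += 1
        if self.failures >= MAX_FAILED_SUBMISSIONS:
            self.locked = True
            return "locked", []
        return "edit", sorted(bad)


# Constructed sample submissions with made-up card numbers.
FIRST_TRY = {"cardholder_name": "Pat Lee", "billing_address": "5 Pine St",
             "card_number": "5100000000000008", "expiration": "08/13",
             "shipping_name": "Pat Lee", "shipping_address": "5 Pine St",
             "phone": "", "security_code": "123", "brand": "Visa"}
CORRECTION = {"card_number": "4000000000000002", "phone": "555-0100",
              "security_code": "123"}
```

A per-session counter resets when a new session starts, so the same limit is usually also tracked against the card number being tried.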


