Validating Cardholder Information in E-Commerce Transactions
E-commerce merchants are responsible for verifying the validity of their customers’ personal information prior to processing card payments online. A failure to do so may cause you to lose your re-presentment rights if a transaction is charged back and it will certainly increase your fraud risk exposure. The ultimate financial responsibility for fraudulent transactions is born by the merchant.
The cardholder validation process should be carried out in concurrence with the card verification process, so that the merchant ensures that both the card is authentic and the cardholder is an authorized user of the card. The two validation processes complement each other. They represent the two sides of the same coin and should both be implemented in every e-commerce merchant’s risk management strategy.
The process of validating a cardholder consists of checking the correctness of the provided telephone number, physical address and email address. The following simple verification steps will help you identify errors or potentially fraudulent transactions:
- Provide separate fields for stationary and cell phones. For landlines, check the telephone number’s area code and telephone prefix of the phone number provided by the customer to make sure that they are valid for the entered city and state. Identify mismatches and allow the customer to re-enter information if desired. For cell phones, call the number provided when it does not match the above mentioned characteristics.
- Use directory services to verify that the provided ZIP code is valid for the provided city and state. Consider allowing customers to override alerts, as information may be valid due to recent updates or wrong data.
- Check the validity of the provided email addresses by sending order confirmations. If the email comes back as “undeliverable,” this can be an indication of a fraudulent activity. At the same time, some customers do not provide valid email addresses for fear they would be used for telemarketing purposes or sold to third-party entities.
- If you have reasons to suspect fraud or unauthorized card use, contact the card issuing bank directly and:
- Confirm the name, address and telephone number associated with the card number.
- Confirm whether the cardholder has made a recent address change or added an alternative address.
- Call the cardholder to confirm the transaction and resolve any discrepancies that may still remain. Tell your customer that this confirmation is performed as a protection against fraud.
The validation process should be designed to enhance the fraud prevention tools provided by the credit card companies and associations and by your processor:
- Transaction authorization. All card-not-present transactions have a floor limit of zero, which means that they all require authorization. Always obtain authorization before completing a transaction and take into account the authorization result code.
- Card expiration date. Your website’s payment acceptance forms must have a mandatory field for the card’s expiration date. Direct marketers should have the same field available in their printed payment forms and should insist that customers provide it.
- Card verification codes. Card verification codes are the three-digit numbers that are found in the signature panels on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit numbers that are found slightly above and to the right of the account numbers of American Express (CID) cards. You should always ask the customer to provide this code as a way to prove that he or she is in a physical possession of the card.
- Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer with the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing an AVS response code. Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.
Image credit: Wprost.pl.