There are dozens of credit card fraud prevention services. Some cost money, some are free, and their approach to fraud prevention can vary. So, what are small merchants to do to prevent fraud and how much money should they spend in the process? A fraud prevention expert is here to address that for us. He is John Hammond, technical account manager with Authorize.Net, the credit card payment gateway company.
Practical eCommerce: Give us a realistic idea of the type of credit card fraud these businesses face.
John Hammond: “Card testing is one of the biggest ones. What that entails is either an individual utilizing just a small number of phony credit card numbers or using a large number of credit card numbers and passing them through the merchant’s website or shopping cart services.
“There’s also the data threats, which is store data being compromised; so, if a merchant is accidentally or improperly storing data, that information could be compromised.
“Then there’s friendly fraud, which, simply put, is just merchant fraud; meaning that the merchant themselves have an intention of setting up an account and utilizing that account to do charge-backs on their own credit cards so that they could obtain funds.
“Then there are the shopping cart website attacks, which are malicious attacks on their payment forms due to the information on their websites being accessible as far as their secure data.”
PeC: Does the risk factor for fraud depend on what items you sell?
Hammond: “In the overall scheme of things, there’s really no specific industry, only specific practices which allow for fraud. However, there have been businesses, for instance, charities and donation sites, which do seem to become targets along with being easily compromised websites.
“Any website that does not properly secure their payment form or access to their shopping cart information can be easily compromised; but, card testing is really the most prevalent issue that we see on the small business side. And it’s also the most easily deterred just by keeping a close eye on your transaction activity and utilizing all the services that are available, especially the free services. Probably the biggest service available is address verification and card code verification, which is a free service provided on just about every platform out there.”
PeC: Do the perpetrators of card testing typically have those numbers?
Hammond: “No. They’re usually just system generated. That’s another important thing about security–the amount of information you ask on your payment forms. If you ask for just the barebones minimum and you have a site that is easily accessible or could be compromised, it’s really not going to cause any slowdown for the fraudster to just pass that information through. But, if you’re requiring specific fields other than just the barebones minimum, then the best thing is to have specific address information, specific shipping information, so there is something to compare. This makes it more difficult for the fraudsters to actually get into the account.”
PeC: In order to minimize fraud, some smaller merchants will ship only to the U.S. and Canada, and some merchants manually review every single order. Is that overkill?
Hammond: “Absolutely not. A manual review provides you an understanding of who the customers are and makes it easier for a business owner, later on down the road, to recognize whether this is a regular customer or if it’s somebody that could be maliciously purchasing items for fraud purposes.
“With only a few transactions processed, there’s a minimal savings there, but if you’re not knowledgeable about the credit card industry itself, you really should be utilizing as many fraud tools as are available to you, especially anything that is free.
“Even if you’re processing a high number of transactions, you really should consider adding some additional fraud tools, even if it’s an additional cost to your company. Compare and contrast the amount of charge-backs that you get with regard to what you’re going to pay out for a very usable fraud tool that might cost you $10 a month at most.”
PeC: What other steps should a small merchant take to protect his or her business from fraud?
Hammond: “Utilize all the free services that are out there and ensure that security has as much emphasis on the website as you can possibly place so the site doesn’t get compromised. If fraudsters go into an account, they’re going to look for the simplest process put into place and hit that particular merchant. But, if you’re requiring a considerable amount of information in order for a customer to process a transaction and feel safe about it, then you’re really not going to have too many fraudsters out there that are going to waste their time. They’re just going to walk away.”
PeC: What fraud prevention products does your company offer to its merchants?
Hammond: “Authorize.Net has built-in, free tools for address verification services, card code verification, and a daily velocity filter. If used properly, these tools can decrease a great percentage of fraudulent transaction activity.
“An additional product that we have is a paid service, the Advanced Fraud Detection Suite. It costs only $10 a month and it allows merchants to fully customize 12 different filters and the way those filters handle suspicious transactions. It is inclusive of the address verification and the daily velocity filter. It really is one of the best fraud services that we have available.
“[I also recommend] reading the best practices and the whitepapers available on our corporate website.”
PeC: Anything else on your mind for our readers today?
Hammond: “The primary themes are know your customer and be diligent about utilizing the built-in services that you have available to you (whether it’s with your gateway service, with Authorize.Net, with your shopping cart, with your website, with your developer, or whoever can set specific parameters that check and watch all fraud capability or potential capability of being hit to your account). Utilize everything that you possibly can.
“And, if you do have fraud that is coming across on your account, get in contact with your [payment gateway] customer support immediately. Also, one of the best resources out there (at least covered by the government) is the Internet Crime Complaint Center.”