Practical Ecommerce

Interview: Authorize.Net President On Fraud Prevention

Authorize.Net, a CyberSource Solution, is a leading payment gateway company with many years experience in combating credit card fraud. We asked Roy Banks, President of Authorize.Net, about common errors that merchants make with fraud prevention.

PeC: What’s the biggest fraud-prevention mistake made by ecommerce merchants?

Roy Banks

BANKS: Failure to use the Address Verification Service. It’s a free option from most payment gateway companies and will potentially lower a merchant’s processing costs when used. Unfortunately, many merchants don’t use it. Another common mistake is merchants don’t always require the card verification code from the cardholder at the time of sale. This is also a service that is free from most payment gateway providers. By using both AVS and Card Verification Code, merchants will be able to better detect and prevent thieves who attempt to purchase with a stolen credit card number.

PeC: Where can a merchant turn if he’s confused or has questions related to fraud prevention?

BANKS: The merchant account provider is a great resource. Payment gateway companies can help, too.

PeC: Beyond using AVS and requiring Card Verification Code, what other fraud prevention efforts would you suggest?

BANKS: Remember it’s important to know your customer and know your order. By that, I mean to pay attention to order characteristics such as recognizing when an order is coming from a locale that doesn’t really fit your customer profile or the shipping address belongs to a country with high incidences of fraud.

Avoid post office boxes. When in doubt, call the customer ordering the product to confirm order detail and information.

There are also some very sophisticated fraud detection tools available to help merchants make better decisions about order acceptance. With these services, a merchant can potentially exclude orders that don’t fit acceptable order criteria. Merchants can also exclude orders from certain countries or not process transactions during certain times of the day. He can even suspend and investigate suspicious order activity. There are many other rules and filters a merchant can set up with these advanced tools.

Practical Ecommerce

Practical Ecommerce

Bio   •   RSS Feed


email-news-env

Sign up for our email newsletter

  1. Legacy User April 24, 2008 Reply

    I've had several chargebacks where everything matched. AVS and CV are correct. But the criminal was able to make the changes to the address and other card information.

    — *Frank*

  2. Legacy User April 24, 2008 Reply

    We use Authorize.net on our site http://www.envirosafety.com and we have discovered that there is no perfect solution. Our government customers often have no idea where there credit card gets billed to and results in a declined transaction. Also, with the CVV code we also have found numerous banks that do not support it and many of our older customers get confused when entering it. I know one site that does over $30mil a year and they do not use either the AVS or CVV since it declined so many of their orders. However, they review every order over $250 to see what information did match up correctly.

    — *Scott Newton*

  3. Legacy User April 24, 2008 Reply

    The AVS system is flawed. Functionality varies from bank to bank. While the system is supposed to parse out the numeric portion of the address, many banks have their systems set up incorrectly to read both alpha and numeric. This cause false negatives, and customers get declined when they should not.

    Yes, it is free, and it is flawed. Maybe that is why it it free. I know of at least one very large bank that does not have their system set up correctly. AVS needs to be standardized, so that all of the banks implement it in the same way.

    — *RH*

  4. Legacy User April 24, 2008 Reply

    Good comments on Internet security. I am disappointed that Authorize.net doesn't offer the sophisticated fraud prevention such exclude countries or transactions by time of day that was mentioned. In order for someone to take advantage of such features, you would have to integrate your site with a supplier like MaxMind. If people know of other providers, let me know. Thanks.

    — *James*

  5. Legacy User April 24, 2008 Reply

    It is quite surprising how many online buyers do not update their billing information with their cc company when they move to a new address. When I used the address verification tool and there was not a match, the buyer just assume my cart/site had an error and abandoned the purchase. My cart would send the order but the payment would not show up. I can access the declined transaction and immediately see the address did not match. I was able to call the customer and try to salvage the order. Using the CVC tool is the most important factor. Your customer has the card in hand. Not just a 12 or 13 number copy. I have been lucky; since 12/99, only one chargeback and that was reversed because the customer lied to Visa. Documentation is everything. Hard copy of the order, shipping confirmation, delivery confirmation. Having said that, I have seen there is even a bigger issue with PayPal and unconfirmed addresses. 1 of every 4 orders I receive via PayPal has an unconfirmed address. No disputes; yet. Fortunately, the product I sell is not a hot item for thieves to try to resell or whatever….they can only eat it.

    — *Chuck*

  6. Legacy User April 24, 2008 Reply

    As an Authorize.Net user, I know these services help us at http://www.gThankYou.com

    If a transaction bounces because of a bad address, the only thing to do it get to the bottom of it. Sometimes it's a simple mistake (e.g. home vs. workplace address for the credit card) other times, when you say the address is incorrect, the "customer" knows the jig is up and disappears.

    Thank you for an informative post. Rick

    — *Rick Kiley/ http://www.gThankYou.com*

  7. Legacy User April 24, 2008 Reply

    I was very surprised to hear that many merchants do not use AVS. We have had a few orders declined because of AVS mismatch (forget about P.O. boxes or international addresses), but have always been able to salvage the sales by email or telephone. And after having many attempts at fraudulent orders that were thwarted by AVS and CVV matching, I would never disengage those features. I also think that customers prefer buying from sites that check the veracity of their card information; it gives them confidence that we will protect that information.

    — *Kristen*

  8. Legacy User April 25, 2008 Reply

    We here at http://www.ZenosPizza.com use Authorize.net also. For us it has been great, the AVS & CVV code as been OK. We have had like others here have stated difficulties with the verification though. Orders have been declined and with us we have noway to save them at least at this time. We also have an inherent problem with the bank only verifying only the street # & zip. This is a potential problem we see in some of our new and up coming markets. Over all though we are happy once our clients know why these declines on occasion happen and explain it to them they are OK with it and have always come back. This is not the most perfect systems available however it is the best at this time and it works OK for now. They (Authorize.net) are (on there own at their end) as well as we (ZenosPizza.com) are (on our own internally, at our end) working to improve things all the time. But there will always be a criminal somewhere trying to break through.

    — *PJQ*

  9. Legacy User April 25, 2008 Reply

    The great thing about the Internet is that you can reach customers from anywhere around the world without the presence of the physical store. However, given the ease of buying things online and the anonymity offered by the Internet, fraud has become rampant. As long as the fraudsters have access to the credit card information, traditional checks such as AVS and CVV will not work as well.

    Often times, you can look at other characteristics about the transactions to get a sense of the risk of the order. For example, you can take a look at the customer's IP address and compare that against the billing address to get a sense of where they are located and how risky that transaction may be. For example, if the user is located in Nigeria but is using a US credit card, then the transaction statistically would be considered suspect. It'll depend on your tolerance for risk whether or not you want to deal with such a transaction.

    There are many companies out there that provide these type of solutions.

    — *Ed*

  10. Legacy User April 25, 2008 Reply

    I am new to this, but I would like to hear more or suggest companies that use IP addressing to locale of purchaser? Little off the subject.. but always wondered why credit card companies do not have pins for all credit cards and not just debit cards – to easy to just sign. One more question – if I get a new credit card, there should be a mandate that the credit card ask you for a question and answer. Then when you buy at a site. That question would come up on the checkout process and your answer would be typed in as a verifier along with the CVV, AVS, and IP addressing with local. A thief would not know the question/answer part?? Am I close or way off??

    — *chris*

  11. Legacy User April 30, 2008 Reply

    I treat all international orders as fraudulent. Our policy is to offer bank wires as the only form of payment. Indonesia, Malaysia, Nigeria, and India are 99.9% fraudulent transactions. I do make certain concessions with Australia and New Zealand, I haven't had any issues down under.

    The fraudulent orders I have received from these countries have all had valid CVV codes. You have to wonder how they get these. Typically the AVS are not supported overseas.

    What we need is an internet based bank wire transfer system that will work with international orders. If there is such an animal, please post it!!!

    — *Louis*