“Ask an Expert” is an occasional feature where we ask ecommerce experts questions from online merchants. For this installment, we address a question about credit card fraud detection. It comes from Jamie Salvatori, the founder and owner of an online novelty gift store called Vat19.
For the answer, we turn to , an ecommerce consultant, trainer and speaker, and regular blogger and contributor to Practical eCommerce.
If you’d like to submit a question, email Kate Monteith, staff writer, at firstname.lastname@example.org and we’ll attempt to address it.
Jamie Salvatori: “We seem to spend too much time reviewing orders to try to detect cases of fraud. Beyond using the address verification system (AVS) info (which is sometimes stolen along with credit card numbers), how are larger businesses handling it? We are a gift store, so we can’t limit our shipping only to the customer’s billing address. That would kill our business.
“Credit card companies put all of the onus on the merchant, yet they seem to provide very little information to help us detect fraud. Should we be writing custom software to look for ‘red flags,’ such as expedited shipping or international locations? Or, is there anything else we can do?”
Pamela Hazelton: “The AVS and Card Security Code (CSC, which is commonly referred to the CVV/CID numbers on the credit card) were both introduced to help deter fraud. The idea was that AVS helped protect consumers by matching the billing address entered to the address on file with the credit card company, and that only the cardholder would have access to the three or four digits on the front or back of the card. This made thieves work harder to get their hands on all details necessary in order to submit a successful transaction; in turn, identity and mail theft went on the rise.
“There are a few quick and easy steps you can take to help identify fraud, and it starts with the payment gateway.
“Be sure to look at your daily reports from your payment gateway before processing orders. The transaction list will show you all transaction attempts, including declined ones. Since a number of thieves use online stores as a testing ground (trying to find balances and cards that are still active), several attempts placed on a single order may be an indicator of card testing and fraud.
“If your shopping cart supports it, you could also utilize a failed-attempt lockout feature. This functionality uses IP- and/or cookie-based protocols to ‘lock out’ a customer if the card number entered fails a defined number of times. For example, you could configure the system to lock the visitor for an hour if the gateway returns three successive declines.
“You may also consider paying for add-on fraud services. Many payment gateways offer these services, which run additional searches on a card number (beyond standard AVS and CSC) to determine if the card has recently been reported stolen or has a reputation of frequent chargebacks and fraud reports. While anti-fraud services aren’t perfect, many users report a significant decrease in fraud. Expect to pay an additional $20 to $30 per month, as well as a per-transaction fee.
“You might also consider offering additional payment options that take some of the burden off the merchant. For example, Amazon Payments connects customers with their own Amazon accounts, so customers are charged by Amazon and Amazon pays the merchant. The benefit is the orders run through Amazon’s checkpoints, which utilizes several high-end, anti-fraud tools, and you pay fees similar to those already incurred by your merchant account. It could also increase sales, since many online shoppers feel more comfortable giving their payment information to a single, trusted source.”