Every online retailer will, at some point, be faced with fraud. It is as inevitable as taxes, but far more sinister!
Your credit card processor is going to give you two pieces of information to help combat fraud: the 3 or 4-digit “security code” and an AVS response.
The CSC code should never be stored in a merchant’s database. It is only printed on the card itself. So, if someone has stolen credit card info electronically, they wouldn’t have this number (in theory). Therefore, if someone places an order on your website and the CSC doesn’t match, NEVER accept the order. However, CSC is only a first line of defense against fraud. If a dishonest waiter is swiping credit card info, he’ll have unfettered access to the CSC.
AVS = Address Verification System. When a transaction is placed, you’ll receive two YES/NO values: one for the street address and one for the zipcode. They tell you whether the billing address the customer entered matches with what the issuing bank has on file for the customer.
AVS is a guideline, not gospel. International banks rarely support AVS, some US banks don’t support it, and the data isn’t always current. Customers that have recently moved may have old info on file. So, you’ll often receive false negatives. Basically, don’t decline an order based upon AVS info. Rather, use it as part of your overall risk assessment.
So, let’s assume that an order has come through. The CSC matches, the AVS is Y/Y, but the shipping address doesn’t match the billing address. Now YOU have to make the call and determine the likelihood that the order is fraud.
Here are some things to look for:
- Are they shipping via an expedited method? It isn’t the fraudster’s money and the quicker they can get the goods before the card is cancelled, the better for them. Check for the ratio of money spent on shipping versus the value of the goods. Would a “real” customer pay $60 to ship $30 worth of merchandise?
- Are you able to contact the customer via email? If they’re responding via email, that’s a good sign that it isn’t fraud. Fraudsters typically provide bogus email addresses or simply never check the multitude of accounts they possess.
- Is the billing address in the US and the shipping address in a foreign country? This can be a red flag for fraud.
- Where was the order placed? There are free IP address geolocation tools that you can integrate into your order fulfillment package. If the IP address is in Belgium, but the billing address is in Florida and the shipping address is in California, perhaps you need to do more detective work.
- If you’re capturing a phone number, where does that phone number originate? Again, there are free APIs that will tell you the city and state. Do these match with the billing address or shipping address?
- Use whitepages.org or anywho.com to determine the accuracy of the address information provided.
- What is the customer’s email address? Do they use a “shady” free email service that you’ve never heard of before? Or is the email address from a .edu, .k12, or .mil domain? The harder it is to get an email address at a particular domain, the less likely the order is fraud. Of course, just because they entered that email address, it doesn’t mean it’s an active email account.
- Fraud is more rampant in certain countries than other. For instance, never ship to Nigeria.
- Don’t assume that an inexpensive order isn’t fraud. Fraudsters aren’t stupid. They obviously want to get as much from a store as they can before the stolen card is shut down, but if they’ve ascertained that $25 is your threshold, they will exploit it.
There are many other metrics you can use to assess risk. Some will be more relevant than others depending on your type of business.
If you’re not sure about an order, contact the customer. They’ll appreciate your commitment to security. Sometimes we tell a customer that we can only ship to their AVS-verified billing address. Other times, we ask customers to send us a photograph or scan of their credit card so we can verify that it is in their possession. In some instances, we ask for scans of passports or other government-issued IDs to prove that they live at the address to which they want us to ship. Some customers are uncomfortable with this, but the majority have no problem complying. Remember, you’re the one on the hook if it is fraud.
To mitigate your risk of fraud, you must look at every order and assign a level of risk. If you receive too many orders to do this manually, then you need software. If you must, hire a programmer. It’s worth the expense. If a fraudster starts hitting your website, you won’t know for days or weeks. In that time, you could get hit with thousands of dollars worth of charges.
Your job is to do everything in your power to stop 99.9% of preventable fraud and simply chalk up the rest to the world we live in. This requires your vigilance. You must constantly update your fraud system because fraudsters have blogs, too. They share and flout their conquests.
Take solace in knowing that you’ve become a worthwhile enough target for fraud! You’re popular! If law-abiding citizens love your product, there are going to be criminals that do, too.