MERCHANT CREDIT CARD FRAUD – 31 WAYS TO MINIMIZE CREDIT CARD FRAUD
INTRODUCTION: This article suggests preventative methods and post-order procedures that merchants can perform to minimize credit card fraud.
When a brick-and-mortar merchant accepts a credit card and the charge is authorized, the merchant will generally be paid even if a stolen card was used, provided the merchant followed the card networks’ rules.
Liability for fraud shifts from the card issuer to the merchant for ‘Card Not Present’ sales (mail order, telephone/fax order, and Internet sales). The merchant is generally liable for chargebacks on those sales, even when the bank authorized the transaction. After a merchant is stung by fraud, credit card processors often raise their rates, citing increased risk. The merchant also risks losing their accounts with the card companies if their fraud rate gets too high.
Everyone points fingers at everyone else (processors, banks, VISA/MasterCard, and the merchants). Law enforcement and government agencies tend to only investigate big cases. No one takes the blame for credit card fraud.
Forbes claims most credit card numbers are still stolen the old-fashioned way. Unethical retail store clerks and restaurant employees steal card numbers, often using hand-held skimmer devices. A scam artist can go through the trash of any merchant (brick and mortar or e-commerce) or customer garbage, get valid credit card numbers, and use them on the Internet.
Industry analysts and e-merchants claim the credit-card companies have yet to come to grips with the full scope of the problem. None of the credit-card associations disclose exact loss-rate figures for fraud, although Visa, MasterCard and American Express all claim to have a handle on the problem overall.
Credit card fraud is something that can never be completely eliminated, but rather something that must be managed. Merchants must develop a delicate balance between using safeguards to prevent fraud and not creating too many hoops for customers to jump through. This article concentrates on preventative methods and procedures that merchants can perform to limit credit card fraud.
After a credit card processor or registration service approves an order, the merchant needs to perform additional checks, as fraudulent orders sometimes are approved. The merchant should not depend on the credit card company, or the registration service, to stop all fraudulent orders.
Using a combination of the following methods and techniques is the best defense against credit card fraud. Do not rely too much on any one technique or tool to prevent and detect it.
FOLLOW THE MERCHANT RULES: Follow the procedures recommended by your payment processor and the credit card companies. You can lose your merchant account for failing to follow their rules.
If a merchant suspects a fraudulent order, contact the registration service so they can reduce the total number of chargebacks. Registration services with a large number of chargebacks will likely be charged higher service fees, which will be passed on to merchants. Everyone wins when the registration service, the card-issuing bank, and the cardholder are notified of a fraudulent or suspected fraudulent order.
AUTHORIZATION: Authorization approval does not mean that the merchant is guaranteed payment. Approval only indicates that, at the time it was issued, the card had not been reported stolen or lost and the credit limit had not been exceeded. If someone else is using the card number illegally, the cardholder has the right to dispute the ‘approved’ charges.
ADDRESS VERIFICATION SYSTEM (AVS): AVS is only available in the U.S. and partially available in four European countries. In the US, AVS checks whether the cardholder’s billing address and zip code match the information held by the card-issuing bank. AVS compares only the zip code and the numeric portion of the billing street address, so a match is weak evidence on its own. There are many reasons why AVS may fail (recent address change, AVS computers down, etc.). If the address verification fails on any level, the merchant may decline the transaction. If AVS fails for any reason, the merchant should contact the customer for additional information (for example, the name of the issuing bank, the bank’s toll-free telephone number, etc.).
If your current authorization system cannot provide AVS, you can get address verification from the cardholder’s issuing bank for MasterCard and VISA. Discover and American Express purchases can be verified by calling them directly. Only American Express can verify international cards. When you call, have your merchant number, your phone number, and the customer’s full name, address, and phone number ready. If you call MasterCard/Visa directly regarding a purchase, they can provide you with the issuing bank’s phone number (foreign and domestic). It is up to the merchant to make the phone call to the issuing bank. With today’s cheap phone rates from calling cards, and using the Internet to place phone calls, there is no excuse for not checking for possible fraud.
American Express 1-800-528-5200 Discover Card 1-800-347-2000 Visa/MasterCard 1-800-228-1122
Once a fraudster has a legitimate customer name and the stolen credit card number, they can use the Internet to look up their victim’s telephone number, address, and zip code. This allows a software purchase to pass AVS, and the fraudster can download the software before the fraud is reported. With orders that are shipped, the thief can provide the correct billing address for AVS approval, but request a different ship to address.
CARD VERIFICATION METHODS (CVM): Card Verification Methods (VISA = CVV2, MasterCard = CVC2, and American Express = CID) use a security code of 3 or 4 extra digits printed on the card but not encoded in the magnetic stripe. This verification code does not appear on credit card receipts. Since most fraudulent transactions result from stolen card numbers rather than theft of the physical card, a customer who supplies this code is much more likely to be in possession of the card. VISA claims that the use of AVS with CVV2 validation for card-not-present transactions can reduce chargebacks by as much as 26%.
Merchants that accept Internet, mail-order, and telephone orders must be prepared to request the verification code when the cardholder is not present to help validate a transaction. Even if a merchant cannot check the CVV2 code, they can still ask for it, or provide a space for it on their Web order form. If the crook does not have the code, they may look somewhere else to commit their fraud. The merchant is not allowed to store the CVM code after authorization, even in encrypted form (a card-brand rule now codified in PCI DSS). The merchant should never keep the customer’s credit card “on file”; each transaction should be treated as a new order. We’ve all seen too many reports of computer files being compromised by hackers.
PAYER AUTHENTICATION PROGRAMS: Authentication programs (Verified by Visa and MasterCard’s SecureCode) use personal passwords to verify the identity of the online card user. If merchants use these programs, card issuers may incur some of the losses for online fraud that were previously borne entirely by the merchants. If merchants do not participate, they remain liable for the losses.
The pop-up windows for authentication can be blocked if cardholders have installed pop-up blocking software. This also adds an extra step to the ordering process, and the merchant incurs an additional processing fee. Another loophole is the customer claiming they never received the merchandise. I have seen information indicating Visa always trusts its cardholders, so the customer gets their money back and the merchant gets stuck with a chargeback.
Even if Visa rules against the merchant, the merchant can still take the customer to small claims court. If the merchant can prove the customer did receive the product, the merchant is entitled to recover the value of the product plus their costs. Most licenses included with software include a clause concerning court actions. This is one more reason to keep accurate records: document customer phone calls, and keep copies of e-mails, delivery signatures, and Web logs.
REAL-TIME AUTHORIZATION: Credit card information is sent to the processor for immediate approval (usually 5 seconds or less). This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected. There is an additional cost for real-time authorization. Authorization does not tell you if the person using the card is authorized to use the card.
BIN CHECK: The first 6 digits of the card number are the Bank Identification Number (BIN); the issuer identifier has since been extended to eight digits, so a lookup table keyed on six digits can be ambiguous for newer card ranges. From the BIN you can determine whether the issuing bank and the cardholder’s billing address are in the same country. Legitimate users sometimes use a credit card from another country. You can enter the BIN of a credit card number at http://all-nettools.com/toolbox,financial . The site provides the bank name, card type, and a 3-character code for the country.
CALLING THE CARD-ISSUING BANK: When you call the card-issuing bank, have your merchant number, your phone number, the customer’s full name, address, and phone number ready. You can ask the card-issuing bank to make a courtesy call to your customer to verify the charge.
DIFFERENT BILL AND SHIP TO ADDRESSES: Use Google to search for the numeric street address, street name, and zip code. The website at http://www.anywho.com integrates telephone numbers, maps, and e-mail addresses. Check for bogus billing addresses like 123 Main Street. Use resources like http://maps.yahoo.com to see if the address can be verified. If the billing and shipping addresses are different, request telephone numbers for both addresses. You can also establish a company policy of requiring a delivery signature (UPS, Federal Express, post office) when the billing and shipping addresses differ, and charge an extra fee to recover your costs. You could require advance payment by cashier’s check or money order when the ship-to and bill-to addresses differ. Be careful of re-mailing services, such as Mail Boxes Etc.; re-mailing services can forward your packages to overseas destinations.
NEGATIVE HISTORICAL FILE: Keep a database of prior fraud attempts, problem customers, chargeback records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, card numbers, IP addresses, e-mail addresses, and merchant comments. Incoming orders can be searched for matches in this database. This method reduces the incidence of repeat offenders and has a relatively low cost, but does not stop new fraudsters. Because the file contains card numbers, treat it like card data itself: store only a keyed hash or the last four digits of each number, restrict access, and encrypt it.
SHARED NEGATIVE HISTORICAL FILE: Several merchants combine their negative historical databases. Since the combined file holds fraud data from several merchants, it should catch more fraudulent orders, particularly pattern-specific fraud that moves from merchant to merchant. One drawback is that a bad customer for one merchant may not be a bad customer for other merchants.
POSITIVE DATABASE FILE: This file contains a list of good customers, for example customers eligible for upgrade purchases. Customers who have purchased successfully in the past are unlikely to commit fraud. This file can contain the same types of information as the negative file. Access to it must be restricted, and the file should be encrypted.
CREDIT SERVICE DATABASE: A credit database service such as Equifax ( www.equifax.com ), Experian ( www.experian.com ), or Trans Union (www.tuc.com) is most appropriate for high-dollar-value items. The customer is asked to verify some very specific information such as their mother’s maiden name or social security number. This can be expensive and time consuming.
CUSTOMIZABLE MERCHANT RULES: Some e-commerce merchants feel this is the best method to catch fraud. The merchant sets up rules to stop or flag specific orders for review: for example, all orders from a specific IP address or country, orders above a certain dollar amount, or orders shipping to a specific address. This method may flag valid customers for review, but it reduces repeat or pattern-specific fraud. Because most ISPs assign IP addresses dynamically, a rule keyed on an IP address can also delay or reject a legitimate order from whoever is assigned that address next.
FRAUD SCORING SYSTEMS: The merchant assigns points to different elements of a transaction (IP address, free e-mail account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, certain zip codes, etc.) to generate a fraud score indicating the likelihood of fraud. Points can also be credited back for other factors such as previous orders, length of time as a customer, etc. The merchant decides what point levels approve, reject, or hold the order for review, and can adjust these values based on trends and time of year.
Large merchants have built their own scoring models based on their historical fraud and chargeback data. Such a targeted model should catch more fraud, but requires additional time and/or money to implement.
PATTERN DETECTION: Check for multiple orders shipping to the same address but paid with different credit cards; thieves may have access to several stolen card numbers. Check orders for an unusually high quantity of a single item. Check if multiple orders are being sent from the same IP address.
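The following is an added example, not code from the article: a small Python scoring engine of the kind described above, combining the merchant rules, the negative-file match, the BIN country check and the point system into one approve/review/reject decision. Every table in it (the negative-file entries, the three-row BIN table, the list of free-mail domains, the point values and thresholds), the normalised AVS result codes ("full", "zip", "street", "none", "unavailable") and the three sample orders are constructed for the demonstration; a merchant would substitute their own history and their processor's actual response codes.

```python
# Added example (not from the article): rule-based fraud scoring for a
# card-not-present order. All tables and sample orders are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed negative file; it matches on e-mail, IP and normalised ship-to
# address rather than storing full card numbers.
NEGATIVE_FILE = {"emails": {"chargeback.twice@example.net"},
                 "ips": {"203.0.113.9"},
                 "ship_addresses": {"1 anywhere rd nowhere tx 75001"}}
BIN_COUNTRY = {"411111": "US", "555555": "US", "400000": "ID"}  # constructed BIN table
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}   # assumption


@dataclass
class Order:
    card: str
    amount: float
    email: str
    ip: str
    bill_country: str
    bill_address: str
    ship_address: str
    avs: str                   # assumed normalised codes: full, zip, street, none, unavailable
    cvv_match: Optional[bool]  # None = code not supplied / not checked
    placed_at: datetime
    prior_orders: int = 0      # successful past orders from this customer
    overnight: bool = False


def norm_address(addr: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace for matching."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


def score(order: Order):
    """Return (points, reasons); more points means more likely fraud."""
    pts, reasons = 0, []

    def add(n, why):
        nonlocal pts
        pts += n
        reasons.append(f"{why} ({n:+d})")

    if order.avs == "none":                       # Address Verification System
        add(30, "AVS: no match")
    elif order.avs in ("zip", "street"):
        add(10, "AVS: partial match")
    elif order.avs == "unavailable":
        add(5, "AVS unavailable")
    if order.cvv_match is False:                  # CVV2 / CVC2 / CID
        add(25, "card verification code mismatch")
    elif order.cvv_match is None:
        add(10, "card verification code not supplied")
    issuer = BIN_COUNTRY.get(order.card[:6])      # BIN check
    if issuer is None:
        add(5, "BIN not in table")
    elif issuer != order.bill_country:
        add(20, f"issuer country {issuer} differs from billing {order.bill_country}")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        add(10, "free e-mail domain")
    if norm_address(order.ship_address) != norm_address(order.bill_address):
        add(15, "ship-to differs from bill-to")   # merchant rules on the order
    if order.amount >= 500:
        add(15, "high-value order")
    if order.overnight:
        add(10, "overnight shipping requested")
    if order.placed_at.hour < 2:
        add(5, "placed between midnight and 2 a.m.")
    if order.email.lower() in NEGATIVE_FILE["emails"]:      # negative historical file
        add(50, "e-mail address in negative file")
    if order.ip in NEGATIVE_FILE["ips"]:
        add(50, "IP address in negative file")
    if norm_address(order.ship_address) in NEGATIVE_FILE["ship_addresses"]:
        add(50, "ship-to address in negative file")
    if order.prior_orders:                        # credit back for good history
        add(-min(10 * order.prior_orders, 30), "prior successful orders")
    return pts, reasons


def decide(order: Order, review_at: int = 30, reject_at: int = 60):
    """Map the score to approve / review / reject using merchant thresholds."""
    pts, reasons = score(order)
    verdict = "reject" if pts >= reject_at else "review" if pts >= review_at else "approve"
    return verdict, pts, reasons


BILL = "42 Oak St, Springfield, IL 62701"
SAMPLE_ORDERS = {  # constructed, not real customers
    "clean": Order("4111111111111111", 49.95, "pat@corp.example.com", "198.51.100.20",
                   "US", BILL, BILL, "full", True, datetime(2024, 3, 4, 14, 5), prior_orders=2),
    "suspicious": Order("5555555555554444", 120.00, "jsmith2003@yahoo.com", "192.0.2.77",
                        "US", BILL, "9 Elm Ave, Shelbyville, IL 62565", "zip", True,
                        datetime(2024, 3, 4, 13, 0)),
    "repeat_offender": Order("4000001234567890", 799.00, "winner2003@hotmail.com", "203.0.113.9",
                             "US", BILL, "1 Anywhere Rd, Nowhere, TX 75001", "none", False,
                             datetime(2024, 3, 5, 1, 10), overnight=True),
}


def run_samples():
    """Decide every sample order; returns {name: (verdict, points)}."""
    return {name: decide(o)[:2] for name, o in SAMPLE_ORDERS.items()}
```

The reasons list is what a reviewer sees on a held order; the point values are deliberately easy to tune, since the article's advice is to adjust them by season and by observed chargebacks rather than to treat any one signal as decisive.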
If the credit card numbers vary by only a few digits, it is very likely these numbers were generated by software.
Identify users who repeatedly submit the same credit card number with different expiration dates. Often the crooks have the card number but not the expiration date, so they keep submitting that number with different dates until they hit the right combination.
Most fraudulent orders in the US are made between midnight and 2 a.m.
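The checks in this section, as an added example that is not code from the article: a Python batch review over a constructed set of recent orders and card attempts that reports the patterns described above (one ship-to address fed by several cards, many orders from one IP address, one card submitted with several expiry dates, card numbers that differ in only a digit or two, and bulk quantities of a single item). The sample orders, the thresholds and the report format are assumptions.

```python
# Added example (not from the article): batch pattern checks over recent
# orders for the signals described above. The orders are constructed.
from collections import defaultdict
from itertools import combinations

# Constructed batch of orders/attempts: id, card number, expiry sent,
# client IP, ship-to address, quantity of the single line item.
ORDERS = [
    {"id": 1, "card": "4111111111111111", "exp": "01/25", "ip": "198.51.100.20", "ship": "42 Oak St, Springfield", "qty": 1},
    {"id": 2, "card": "4111111111111111", "exp": "02/25", "ip": "203.0.113.9", "ship": "5 Drop Ln, Othertown", "qty": 1},
    {"id": 3, "card": "4111111111111111", "exp": "03/25", "ip": "203.0.113.9", "ship": "5 Drop Ln, Othertown", "qty": 1},
    {"id": 4, "card": "5555555555554444", "exp": "06/26", "ip": "203.0.113.9", "ship": "5 Drop Ln, Othertown", "qty": 12},
    {"id": 5, "card": "5555555555554445", "exp": "06/26", "ip": "203.0.113.9", "ship": "5 Drop Ln, Othertown", "qty": 1},
    {"id": 6, "card": "5555555555554446", "exp": "06/26", "ip": "192.0.2.77", "ship": "9 Elm Ave, Shelbyville", "qty": 1},
    {"id": 7, "card": "4000001234567890", "exp": "11/24", "ip": "192.0.2.10", "ship": "77 Pine Rd, Capital City", "qty": 2},
]


def mask(card: str) -> str:
    """Report only the last four digits; full card numbers stay out of reports and logs."""
    return "*" * (len(card) - 4) + card[-4:]


def same_ship_many_cards(orders, min_cards=2):
    """Ship-to addresses that received orders paid with several different cards."""
    cards = defaultdict(set)
    for o in orders:
        cards[o["ship"]].add(o["card"])
    return {ship: sorted(map(mask, cs)) for ship, cs in cards.items() if len(cs) >= min_cards}


def same_ip_many_orders(orders, min_orders=3):
    """IP addresses that submitted an unusual number of orders."""
    ids = defaultdict(list)
    for o in orders:
        ids[o["ip"]].append(o["id"])
    return {ip: v for ip, v in ids.items() if len(v) >= min_orders}


def expiry_probing(orders, min_dates=3):
    """Cards submitted with several different expiration dates (date guessing)."""
    dates = defaultdict(set)
    for o in orders:
        dates[o["card"]].add(o["exp"])
    return {mask(c): sorted(d) for c, d in dates.items() if len(d) >= min_dates}


def near_duplicate_cards(orders, max_diff=2):
    """Pairs of equal-length card numbers differing in at most max_diff digits,
    the signature of numbers generated by software from one valid number."""
    cards = sorted({o["card"] for o in orders})
    pairs = []
    for a, b in combinations(cards, 2):
        if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= max_diff:
            pairs.append((mask(a), mask(b)))
    return pairs


def bulk_quantity(orders, threshold=10):
    """Order ids with an unusually high quantity of a single item."""
    return [o["id"] for o in orders if o["qty"] >= threshold]


def review_batch(orders):
    """Run all pattern checks and return the findings keyed by check name."""
    return {
        "same_ship_many_cards": same_ship_many_cards(orders),
        "same_ip_many_orders": same_ip_many_orders(orders),
        "expiry_probing": expiry_probing(orders),
        "near_duplicate_cards": near_duplicate_cards(orders),
        "bulk_quantity": bulk_quantity(orders),
    }
```

Run over a day's orders (including declined attempts, which is where expiry probing shows up), the report points a reviewer at the drop address and the IP address worth adding to the negative file.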
ALTERNATE THANK YOU PAGE: If an order is being shipped to a non-English-speaking country, display an alternate thank-you page. Explain that before you can ship the product, you need the customer to fax either a photocopy of the credit card or a copy of his/her credit card billing statement. For the customer’s trouble, explain that you will deduct $3 from the total amount.
CUSTOM BUILT SOFTWARE: Some merchants have branded their software, displaying the customer’s name in the software. This could require a recompile of code before the software is made available to the customer. When reports are printed, the reports always include the customer’s last name for an individual license or the name of the institution that purchased a site license.
PREVENTATIVE MEASURES: Check the data fields to determine if the buyer is a real person. Check if the ZIP code the customer listed really exists. Check if the customer’s e-mail address is formatted properly. Check for incomplete names like Mr. Smith or bogus information like Joe Smith or John Doe for the customer’s name, or an address like 123 Main Street. Checking http://www.ussearch.com/consumer/index.jsp can give the merchant some idea of the customer’s age. Your suspicions should be raised if the latest video game was ordered by an 80-year-old cardholder.
FREE EMAIL ACCOUNTS: There is a much higher incidence of fraud from free e-mail services. Many businesses refuse to accept orders from free e-mail accounts or any web-based, non-ISP e-mail domain. (I’ve seen numbers indicating there are over 3000 available free e-mail accounts.) Virtually everyone who has a free, web-based, or e-mail forwarding address also has a traceable ISP address. Many legitimate customers use free e-mail addresses, but many fraudsters use them to remain anonymous, and most businesses purchasing a business product would not use one.
Depending on the value of the purchase, the merchant may want to request additional information from the customer either by phone or e-mail. The merchant can ask the customer for their business or local e-mail address (not a free e-mail account such as Hotmail), the name and phone number of the bank that issued the credit card (located on the back of the card), the CVM code imprinted on the card, the exact name with middle initial on the credit card, and the exact billing address (nine digit zip code instead of five digits in the US), and the customer phone number. If you get a reply to your e-mail request, you should be able to verify the additional information. A fraudster most likely will not reply to your request for more information.
Your customer will not have a local ISP if they do not have a computer. This customer could be required to telephone the merchant or fax the order. The fax order should also have a photocopy of the customer’s credit card. The merchant should also have caller ID.
DOMAIN NAME RECORDS: Manually review the domain name of the e-mail address on the order form. Look at the website to determine if it is legitimate. Check if the website offers free or low cost e-mail accounts. A website that doesn’t exist or is under construction should raise your suspicions. Check if the delivery address on your order form matches the contact information displayed on the website.
Use the Network Solutions database at http://www.networksolutions.com/cgi-bin/whois/whois to search for domain ownership information. The information may not match exactly (business versus a home address). If the customer uses their own domain name, the city or state should at least match the information in the database.
Unfortunately, Network Solutions has allowed fake contact names, telephone numbers of 000-000-0000, and contact addresses like 123 Main Street, Anytown, USA 00000. They also offer a service that hides the owner from a search. Be suspicious if the whois information indicates registration in a country (such as Indonesia or Malaysia) with a high fraud rate.
A reverse e-mail lookup tool is at http://www.freeality.com/finde.htm
REVERSE IP ADDRESS CHECKS: An IP (Internet Protocol) address is assigned by the Internet Service Provider each time a user connects to the Internet; it identifies the connection rather than the person, and several users behind one gateway may share it. Your server logs can be analyzed to match information on order forms. On your order forms, add a tracking code with a hidden field called the Environment Report field. The syntax used by the different form handlers (FormMail, sendmail, blat.exe, etc.) varies. One example is. The IP information will be included when the order is submitted.
Check if the IP address is consistent with the e-mail address and the physical billing address of the customer. The IP address identifies the network (and, roughly, the geographic location) from which the order was placed, not the cardholder. Numerical IP addresses can be checked through programs such as WsPing32. The IP address database is constantly being updated, so it is sometimes incomplete and inaccurate. Matches may not occur if the cardholder is traveling, or is using a business card from a company branch located in a different city or country. The merchant should be concerned if the IP address is located in one country and the cardholder’s address is in another. Check that the e-mail address and the IP address agree: an aol.com address, for example, should come from the block of IP numbers owned by AOL. If the fraudster is using an AOL address, the merchant can call the fraud department at AOL directly at 1-800-265-8003
There is a high correlation between IP addresses labeled as spam sources and credit card fraud.
The website http://www.all-nettools.com/ can be used to check IP addresses. SmartWhois finds information about an IP address or hostname, including country, state or province, city, name of the network provider, administrator, etc. Traceroute determines the path between your website and the person placing the order. It matches each machine along the path to a destination host and displays the corresponding name and IP address for that hop.
ANONYMOUS AND OPEN PROXY IP ADDRESSES: Unfortunately, the IP address your server sees can be hidden behind a proxy, so it does not always reveal the true location of the fraudster. Organized credit card fraud rings often use anonymous proxies. When a computer is infected by a virus, it can be used by spammers and credit card thieves to place fraudulent orders, so a fraudulent order can arrive from the infected computer of a legitimate customer, and the address your server sees can be that of an open proxy rather than the fraudster’s real address. The merchant can check an order’s IP address against open-proxy and spam blocklists at http://www.all-nettools.com or www.openrbl.org.
CHECKING TELEPHONE NUMBERS: The websites at http://www.freeality.com/finde.htm and http://www.theultimates.com/ provide plenty of tools to match a telephone area code to a postal zip code, reverse telephone directories, e-mail address searches, maps, directions, etc. The website at http://www.anywho.com integrates telephone numbers, maps, and e-mail addresses. The website http://nt.jcsm.com/ziproundacx.asp also provides zip code and telephone area code matching. Any telephone book is out of date as soon as it is sent to the printer; the Baby Bells update as many as 500,000 records every day.
For under $10, the merchant can purchase a Rand McNally book each year titled the ZIP Code Finder, which includes telephone area code maps and ZIP codes for more than 120,000 places. You can also purchase a set of CD-ROMs with addresses and telephone numbers. Use caller ID to match names and telephone numbers. The merchant can call directory assistance to determine if the phone number on the order matches the customer’s listed number.
FAX ORDERS: When a credit card order is received by fax, require the customer to also fax copies of both sides of the credit card. This at least provides evidence that the customer had possession of the card at the time of the order. You could also require a copy of their state-issued ID or driver’s license. It also provides additional proof that the person authorized the purchase, which helps in defending a chargeback. Faxed card images contain the full card number and the verification code, so store them under the same controls as any other card data and destroy them once the order has been verified.
INTERNATIONAL ORDERS: The merchant must weigh the financial benefits of accepting international orders against the possibility of fraud. Merchants who always refuse any foreign orders could be missing potential good sales. The merchant also needs to perform their checks before orders are shipped. It is very difficult to apprehend fraudsters or retrieve goods after they have left the country.
Some countries have very bad reputations for fraud. Your bank or credit card processor can provide a list of high-risk countries, and different sources will likely have different lists. Countries frequently named as high risk include Indonesia, Malaysia, Benin, Nigeria, Pakistan, Israel, Egypt, and Eastern European countries. Placing an international phone call to the issuing bank may make sense for large orders.
Another strategy to use with international orders is to ask the customer to contact you by phone or e-mail for shipping costs. A fraudster may consider this too much contact, and decide to go elsewhere.
Yellow and white page telephone directories for 30 countries can be located at http://www.anywho.com/international.html . Net2Phone allows anyone to call any phone in the world from their Internet connection at a fraction of the cost of a conventional long-distance phone call. Non-US businesses can use Net2Phone to verify US purchases. There are also many phone calling cards that offer extremely low rates for overseas calls. Contacting your foreign customers and the card-issuing banks is not that expensive compared to the financial risk of delivering a fraudulent order. When contacting the card-issuing bank, keep a record of the name of the person you talked to.
CALLING THE CUSTOMER: Calling customers is not only an excellent way to detect fraud, but it can also be a valuable part of your customer service. The telephone call also gives the merchant the opportunity to welcome the customer, answer their questions, and build a solid relationship.
Sometimes the fraudster will submit the actual phone number of the person whose card was stolen. If the card holder did not authorize the charge, suggest that they call their credit card company to report their card as stolen.
I have personally called telephone numbers on the same day I received approved orders from registration services, and been told that the telephone number had been disconnected, or the number had been changed. This certainly sent up some red flags for filling an order that was approved by a registration service.
WEB SITE INFORMATION: If your order form includes places to enter the CVV2 verification code printed on the credit card, the name of the card-issuing bank and the bank’s toll-free telephone number printed on the card, and the customer’s telephone number and e-mail address, your additional verification will be quicker, and you may scare potential fraudsters away. Indicate that incomplete information will delay the order, and state that you may need to contact the customer if there are any problems with it. A fraudster is unlikely to reveal a telephone number at which he/she can be traced, and a number supplied by one would most likely not match the on-line phone directories.
Signs and cameras in brick-and-mortar stores help prevent shoplifting to some degree. Place prominent warnings on your site indicating that all orders are screened for fraud before processing. Web page graphics are available from www.merchant911.org to use on your site.
State on your website that you have anti-fraud safeguards in place, and will pursue prosecution for all fraudulent orders. Indicate that you will report all fraud to the FBI Internet Fraud Complaint Center at http://www.ic3.gov/ Even though federal investigators usually pursue larger fraud cases, knowledge of smaller frauds can reveal patterns to possibly break up larger fraud rings.
PROCESSING ORDERS: The merchant should have a policy of not shipping any order until the charge has been verified by their additional checks. The merchant can send an immediate e-mail confirmation of the order and explain that additional checks are being performed to reduce fraudulent orders. The additional checks may take 30 minutes, or can take days if telephone and e-mail exchanges are necessary. The processing delay may cause the fraudster to go elsewhere. Many fraudsters want instant gratification and wish to remain anonymous, so they will not reply to your e-mails requesting additional information. These checks add friction for both customer and merchant, so they can also cost legitimate sales.
Possibly establish a “holdover policy” for large orders. The dollar amount of the large order can vary depending if the order is domestic or international. Most credit card thefts are reported within 24 hours. Even after a phony card number is discovered by a retailer, it can take up to 24 hours for that number to be included in the databases that card processors use.
Fraudsters need to have their transactions approved, and take delivery of the goods before the fraud is discovered. Be wary of orders with immediate or overnight delivery. Crooks don’t care about the increased costs, since they aren’t planning on paying for it anyway. If the order is being shipped overnight, require a delivery signature (UPS, Federal Express, post office). The fraudster may be using an innocent person’s house as a drop-off point.
USE TEMPORARY ACTIVATION CODES: If the merchant wants to process orders immediately, issue thirty-day temporary validation keys for downloaded software. The permanent validation key can be e-mailed to the customer weeks later when all fraud checks have been completed. Emailing the permanent key could be automated to save time. If a customer is upgrading, there is less likelihood of fraud, so they could be sent the permanent key immediately.
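One way to implement the temporary and permanent keys described above, as an added example (not the article’s or any vendor’s code): a Python key format in which the customer id and an expiry date are signed with an HMAC, so the software can refuse a key once its date has passed and a customer cannot simply edit the date forward. The vendor secret, the key layout, the 30-day term and the fixed demo clock are assumptions.

```python
# Added example (not from the article): HMAC-signed activation keys that carry
# their own expiry, so a 30-day key can be issued at once and the permanent key
# sent after the fraud checks clear. Secret, key layout and dates are assumptions.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

VENDOR_SECRET = b"assumed-vendor-secret-do-not-reuse"   # assumption, demo only
TAG_HEX = 12   # 48-bit tag keeps keys typeable; forging one needs the secret
DEMO_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def _tag(body: str) -> str:
    """Truncated HMAC-SHA256 over the key body, upper-case hex."""
    return hmac.new(VENDOR_SECRET, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX].upper()


def make_key(customer_id: str, days=None, now=None) -> str:
    """days=None yields a permanent key; otherwise a key valid for `days` days."""
    now = now or datetime.now(timezone.utc)
    expiry = "PERM" if days is None else (now + timedelta(days=days)).strftime("%Y%m%d")
    body = f"{customer_id.upper()}-{expiry}"
    return f"{body}-{_tag(body)}"


def check_key(key: str, now=None):
    """Return (ok, reason); rejects malformed, tampered and expired keys."""
    now = now or datetime.now(timezone.utc)
    parts = key.rsplit("-", 2)          # the customer id itself may contain '-'
    if len(parts) != 3:
        return False, "malformed"
    customer, expiry, tag = parts
    expected = _tag(f"{customer}-{expiry}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "bad signature"   # body edited or tag guessed wrong
    if expiry == "PERM":
        return True, "permanent"
    try:
        exp = datetime.strptime(expiry, "%Y%m%d").date()
    except ValueError:
        return False, "malformed expiry"
    if now.date() > exp:
        return False, "expired"
    return True, f"temporary, valid through {exp.isoformat()}"


def keys_for_order(customer_id: str, is_upgrade: bool, now=None):
    """Upgrades get the permanent key at once; new customers get a 30-day key
    now and the permanent key only after the fraud checks are complete."""
    perm = make_key(customer_id, None)
    if is_upgrade:
        return {"send_now": perm, "send_after_checks": None}
    return {"send_now": make_key(customer_id, 30, now), "send_after_checks": perm}


def demo():
    """Issue keys for a new customer and show how they verify over time."""
    issued = keys_for_order("ACME-CORP", is_upgrade=False, now=DEMO_NOW)
    temp, perm = issued["send_now"], issued["send_after_checks"]
    forged = temp.replace("20240331", "20990101")   # customer edits the date forward
    return {
        "temp_on_day_0": check_key(temp, DEMO_NOW),
        "temp_on_day_30": check_key(temp, DEMO_NOW + timedelta(days=30)),
        "temp_on_day_31": check_key(temp, DEMO_NOW + timedelta(days=31)),
        "perm": check_key(perm, DEMO_NOW + timedelta(days=3650)),
        "forged": check_key(forged, DEMO_NOW),
        "garbage": check_key("nokey", DEMO_NOW),
    }
```

Because the application must hold the secret to verify a key, anyone who extracts it from the binary can mint keys; a production scheme would sign keys with a private key and ship only the public key in the product, keeping the same expiry logic. The temporary key is what the customer receives at download time; the permanent one is mailed once the checks in the rest of this article are complete.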
ANTI-FRAUD GROUPS: Educate yourself by attending a seminar offered by credit card companies and card processors. Some merchants are joining fraud-screening organizations and beginning to use extra security software that determines the risk assessment. The merchant can decide to accept the card number or not based on that fraud rate value. Some organizations such as www.antifraud.com offer less expensive help ($10 per month). These groups also offer tips, databases of stolen credit cards, and Web look up tools.
Terry Jepson www.wiscocomputing.com