Preventing Order Fraud
By Michael Stearns, 8/1/2010
Over the years we have seen an increase in fraudulent order attempts on our customers' websites. This is a disturbing trend and one that requires more vigilance on the part of Ecommerce site owners. We recommend a three-pronged approach: preparation, scrutiny, and follow-up.
Preparation
* Use a secure server. If you are already hosting your site with MightyMerchant, your transactions are going through a secure server. If you aren't using a secure server, you could actually be contributing to credit card fraud. The key element is for your checkout pages - where your customer enters their credit card information - to have the correct security measures in place. You should be able to confirm this by seeing a "lock" symbol in the corner of the browser, and the web page address should begin with "https" instead of "http".
* Use a real-time credit card authorization gateway on your site. This will verify that the credit card number exists and that it has not been reported stolen. It is possible that someone can steal a card number and make a charge against it, so be aware of orders that are abnormally large or exhibit one of the other "red flags" described below.
* Use the Address Verification System (AVS). This will confirm that the address and zip code given by the customer match the address and zip code associated with the credit card. If you are using a credit card gateway, this feature can easily be turned on and configured.
Please note that although AVS is a good technique to use, it is by no means foolproof and has definite limitations. Importantly, if you configure your Payment Gateway to decline payments with AVS mismatches, it may result in legitimate orders being rejected as well. Unless you feel your business is at a particularly high risk for fraud attempts, we would suggest that you not configure your Payment Gateway to decline orders with AVS mismatches. For more information, please take a look at our article "HEROweb’s Advice on Credit Card Gateway Security Settings."
* Use Card Verification Codes (CVC). Most credit cards have a special 3 or 4 digit number printed on the back. This number does not appear on statements, receipts, or anywhere else other than on the card. We recommend including this field on your payment form and using it to verify your customers' credit cards. If the customer can give you this number (and it successfully goes through the verification system of the particular credit card company), there is a good chance they are actually in possession of the card.
* Post a warning on your website that says you use anti-fraud procedures. Simple, but effective. Some people won't attempt credit card fraud if they think it's going to be too much trouble or too dangerous.
Scrutiny
There are many indicators of credit card fraud that you can keep an eye out for when processing orders, or look for when you already have suspicions. You want to build some level of monitoring of each order into your daily routine. Gateway systems, like authorize.net, have automated security monitoring tools that can be helpful. The following is a list of some of the most common indicators of a fraudulent order:
* E-mail address from a free provider
* Shipping address doesn't match the mailing address
* IP address is from a different country than the addresses given
* Large orders from first-time customers
* International orders
* Orders with incomplete information
* Overnight/Express delivery
* Same shipping address, different credit cards
* Multiple orders sent from the same IP address
* Same credit card number, different expiration dates
* Orders with an unusually high number of the same item
* A phone number from a different state than the billing address
The appearance of one or two of these indicators isn't conclusive, of course, but several of these red flags coming through on your orders is a cause for concern.
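As an added example (not part of the original article or of any MightyMerchant or gateway code), the sketch below applies most of the indicators above to an order record and sends it to manual review only when several fire together. The field names, the dollar and quantity cutoffs, the free-mail domain list and the threshold of three are all assumptions; card_token stands for a gateway-issued token, so the store never compares raw card numbers.

```python
# Added example: field names, cutoffs and the domain list are assumptions.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
REQUIRED = ("name", "email", "phone", "billing", "shipping")
LARGE_TOTAL = 500.00  # assumed cutoff for a "large" first order
HIGH_QTY = 10         # assumed "unusually high" count of one item
REVIEW_AT = 3         # assumed meaning of "several" red flags

def red_flags(order, history):
    """Name the red flags an order raises; history holds earlier orders."""
    flags = []
    email = (order.get("email") or "").lower()
    bill, ship = order.get("billing") or {}, order.get("shipping") or {}
    card, past = order.get("card_token"), list(history)
    if any(not order.get(f) for f in REQUIRED):
        flags.append("incomplete_information")
    if email.rpartition("@")[2] in FREE_MAIL:
        flags.append("free_email")
    if bill and ship and bill != ship:
        flags.append("shipping_differs_from_billing")
    countries = {bill.get("country"), ship.get("country")} - {None}
    if countries and order.get("ip_country") not in countries | {None}:
        flags.append("ip_country_mismatch")
    if order.get("total", 0) >= LARGE_TOTAL and not any(
            (h.get("email") or "").lower() == email for h in past):
        flags.append("large_first_order")
    if order.get("delivery") in ("overnight", "express"):
        flags.append("express_delivery")
    if any(q >= HIGH_QTY for q in order.get("items", {}).values()):
        flags.append("high_quantity_single_item")
    if ship and any(h.get("shipping") == ship and h.get("card_token") != card
                    for h in past):
        flags.append("same_address_different_cards")
    if card and any(h.get("card_token") == card
                    and h.get("card_exp") != order.get("card_exp") for h in past):
        flags.append("same_card_different_expiry")
    if order.get("ip") and sum(h.get("ip") == order["ip"] for h in past) >= 2:
        flags.append("many_orders_same_ip")
    return flags

def needs_review(order, history):
    # One or two flags are not conclusive; several go to a person.
    return len(red_flags(order, history)) >= REVIEW_AT

# Constructed sample orders (not real customer data).
HOME = {"street": "1 Elm St", "zip": "97401", "state": "OR", "country": "US"}
SAMPLE_OK = {"name": "A. Buyer", "email": "buyer@example.org",
             "phone": "541-555-0100", "billing": HOME, "shipping": HOME,
             "ip": "192.0.2.10", "ip_country": "US", "total": 42.0,
             "delivery": "ground", "items": {"mug": 2},
             "card_token": "tok_A", "card_exp": "2026-05"}
SAMPLE_RISKY = dict(SAMPLE_OK, email="x1@gmail.com", total=900.0,
                    delivery="overnight", ip_country="CA",
                    shipping=dict(HOME, street="9 Dock Rd", zip="10001", state="NY"))
```

A flagged order is held for the follow-up steps rather than declined automatically, which matches the advice that no single indicator is conclusive.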
Follow-Up
If you think you've discovered orders with a fraudulent intent, you'll want to do some research and customer follow-up. Here are some procedures to go through if you suspect fraud:
* Look up the person's telephone number at http://www.switchboard.com/ and see if the resulting information matches what was given to you.
* Send the person an E-mail. If it bounces back, you'll know something strange is going on.
* Telephone the person. Tell the person that you need the name of the bank that issued the card for verification purposes. In most cases, only the real owner would have this information.
It's not always easy to spot fraud, but these tips are concrete things you can do to protect yourself. There's no need to treat every order with suspicion, but staying watchful and vigilant before there is a problem can save you time, money and the hardship of cleaning up the aftermath of credit card fraud.