Fighting the Secret War: online fraud

Technical solutions

The good news is that the banks have started to take online fraud seriously. They now offer a range of services such as:

- Address verification (AVS) that checks the billing address

- CV2 (the code on the back of the card) which endeavours to determine that the buyer has access to the physical card

- 3D Secure (also known as Verified by Visa and Mastercard SecureCode), which requires a password. When 3D Secure is used, the banks are prepared to guarantee the payment even if the buyer claims they didn't carry out the transaction.

The widely disliked Payment Card Industry Data Security Standard (PCI DSS) has also been introduced to make it more difficult for scamsters to acquire big treasure troves of card data. Any organisation processing payment cards must adhere to its rules or suffer fines and/or loss of processing facilities - the easiest way to comply for a small trader is to use a payment service provider like WorldPay or PayPal. I personally support this standard, even though it appears to place obstacles in the way of merchants. We have seen a big rise in organised and highly intelligent hacking attempts. It's vital that legitimate businesses fight back by raising the bar as high as possible.

Alongside the bank-based initiatives, there has also been the rise of independent anti-fraud services like The 3rd Man, which now checks more than 20 million online payments a month, claiming to detect around 97% of all fraud. I must declare an interest here as my company, Sellerdeck, has recently integrated The 3rd Man into its own payments service.

The many elements that the anti-fraud services look at include IP address, electoral roll and spending patterns across cards, buyers and addresses. They also collect information on chargebacks, and can flag up buyers that consistently lie in order to get free goods. Their database of the fraud-free transactions is just as important as the negatives. If a card is re-used at the same address and same IP address where it has previously been used with no problems, the transaction is probably safe.

Use policies for prevention

Alongside these technical weapons the retailer needs to look at policies that can help prevent acceptance of fraudulent orders. With a policy-based approach, companies define what to do when fraud is suspected, which in turn may be flagged by technical indicators or orders over a certain value.

Contacting the buyer by phone or email can be very effective, as fraudsters usually don't like to engage in dialogue - it's high risk for them. It may also become apparent that false details have been provided as a result of such contact. So you could call and say, "Hello Jerry, and your surname is?", or ask the buyer for details of "the order". If the fraudster has placed multiple orders with multiple identities, they won't easily recall this information. Your suspicions should increase if questions take too long to answer.

You could also request a fax of the credit card, bank statement, bill, driving licence or passport and this will most likely discourage a fraudster, although it may also irritate genuine customers. However, most will be happy to help once the reasons for your suspicion are explained.

You can adopt another tactic if you are still suspicious of the order. Simply ask for payment by an alternative means, such as cheque. If a different card is offered, it would need to have the same billing address.

Your policies need to be crystal clear to all staff, and full training must be given on how to explain the approach to customers so as not to alienate them.

If possible use a delivery method that requires a signature, as this can help when the buyer denies they have received the goods. However, people may deliberately obscure their signatures and it isn't a guaranteed way to prove safe delivery. On the other hand, without a signature, you can't even begin to prove delivery.

It's difficult to find the right balance between over-zealous rejection of genuine business and losses from a lax approach. For instance, AVS will give up to 40% false negatives, due to the variety of address formats used by people, and AVS cannot be used on overseas orders. So AVS should only be used as one of several fraud indicators. Also, your business will turn out to have its own fraud profile, so using your own experience to develop specific policies is the best way to get this balance right.
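One way to treat AVS as only one of several fraud indicators and turn the combined result into a policy action, as an added example that is not the author's or any fraud service's code. The weights, thresholds, field names and sample orders are assumptions to be tuned to your own fraud profile.

```python
from dataclasses import dataclass

# Weights, thresholds and field names are assumptions for illustration;
# tune them against your own fraud profile.
REVIEW_AT, CONTACT_AT = 30, 60
HIGH_VALUE = 500.00  # order value that triggers extra scrutiny

@dataclass
class Order:
    value: float
    avs: str              # "match", "mismatch" or "n/a" (e.g. overseas order)
    cv2_match: bool
    three_d_secure: bool
    card_ref: str         # provider's token for the card, never the card number
    billing_address: str
    ip: str

def score(order, good_history):
    """Return (points, reasons); good_history holds (card_ref, address, ip) tuples."""
    seen_before = (order.card_ref, order.billing_address, order.ip) in good_history
    checks = [
        (order.avs == "mismatch", 20, "AVS mismatch"),
        (order.avs == "n/a", 10, "AVS unavailable"),
        (not order.cv2_match, 40, "CV2 mismatch"),
        (not order.three_d_secure, 15, "no 3D Secure"),
        (order.value >= HIGH_VALUE, 20, "high value"),
        (seen_before, -40, "known-good card/address/IP"),
    ]
    hits = [(weight, reason) for hit, weight, reason in checks if hit]
    return max(sum(w for w, _ in hits), 0), [r for _, r in hits]

def decide(order, good_history):
    points, reasons = score(order, good_history)
    if points >= CONTACT_AT:
        return "contact buyer", reasons
    if points >= REVIEW_AT:
        return "manual review", reasons
    return "accept", reasons

# Constructed sample data (not real orders).
HISTORY = {("tok_1", "1 High St, Leeds", "203.0.113.7")}
ORDERS = [
    Order(45.0, "mismatch", True, True, "tok_2", "2 Mill Ln, York", "198.51.100.4"),
    Order(800.0, "mismatch", False, False, "tok_3", "9 Elm Rd, Hull", "198.51.100.9"),
    Order(800.0, "n/a", True, False, "tok_1", "1 High St, Leeds", "203.0.113.7"),
]
if __name__ == "__main__":
    for o in ORDERS:
        print(o.card_ref, *decide(o, HISTORY))
```

An AVS mismatch on its own stays below the review threshold, while the same mismatch combined with a failed CV2 check and a high order value escalates to contacting the buyer.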

External resources

The critical help you need to implement all of these checks and precautions is the right payment service provider. So make sure that your payment provider supports 3D Secure, AVS and CV2, preferably works with one of the independent fraud checking services, and is PCI DSS compliant. Once you have these services in operation, it's an idea to mention them on your web site to provide added reassurance to your customers.

The proportion of fraud is slightly decreasing despite the strong rise in web sales, so merchants are just winning the war against criminal activities. This is good news, but not grounds for complacency. Hopefully, with the right mix of tools and processes, you can not only control fraud, but even gain competitive advantage as you deal with it more effectively than the competition.

Written by Chris Barling, CEO of E-Commerce & EPOS supplier, Sellerdeck. Originally published on the Internet World site.
