There’s a mighty battle going on between web stores and fraudsters. In the US, fraud is now several billion dollars per annum according to CyberSource. The good news is that after years where the scamsters had the upper hand, merchants are slowly starting to win the war.
It’s important not to just reject all orders that look suspicious, but to get a balance between fraud prevention and losing good business. You are not just at risk from fraud, you are at risk of losing good business from over-zealous anti-fraud measures. It’s also crucial to remember that fraud varies greatly between different product sectors. For example, most of us would instinctively know that fraud is a problem when selling unblocked smart phones.
However, I have known merchants selling bibles and model trains to suffer as well. Assumptions can be dangerous. These tips are based on a range of real life experiences and should make sure you stay on top in the battle against fraud.
The good news is that the banks have started to take online fraud seriously. They now offer a range of services such as address verification (AVS) that checks the billing address; CV2 (the code on the back of the card) which endeavours to determine that the buyer has access to the physical card; and 3D Secure (also known as Verified by Visa and Mastercard SecureCode), which requires a password. When 3D Secure is used, the banks are prepared to guarantee the payment if the buyer claims they didn’t carry out the transaction.
You can choose not to allow delivery to an address other than the cardholder’s. This will reduce fraud, but at the cost of lost business. You will lose sales where one person is buying on behalf of another, or sending a gift. You will also lose orders from people who are in full-time work and want their deliveries made to their work addresses.
The widely disliked Payment Card Industry Data Security Standard (PCI DSS) has also been introduced to make it more difficult for scamsters to acquire big treasure troves of card data. Any organisation processing payment cards must adhere to its rules or suffer fines and/or loss of processing facilities. The easiest way to comply for a small trader is to use a payment service provider like WorldPay or PayPal. We support this standard, even though it appears to place obstacles in the way of merchants. We have seen a big rise in organised and highly intelligent hacking attempts. It’s vital that legitimate businesses fight back by raising the bar as high as possible.
Alongside the bank-based initiatives, there has also been the rise of independent anti-fraud services like The 3rd Man, which now checks more than 20 million online payments a month, claiming to detect around 97% of all fraud. I must declare an interest here as my company, Sellerdeck, has integrated The 3rd Man into its own payments service. The many elements that the anti-fraud services look at include IP address, electoral roll and spending patterns across cards, buyers and addresses. They also collect information on chargebacks, and can flag up buyers that consistently lie in order to get free goods. Their record of fraud-free transactions is just as important as their record of the ones with issues. If a card is re-used at the same address and same IP address where it has previously been used with no problems, the transaction is probably safe.
Alongside these technical weapons the retailer needs to look at policies that can help prevent acceptance of fraudulent orders. With a policy-based approach, companies define what to do when fraud is suspected, which in turn may be flagged by technical indicators or orders over a certain value.
Contacting the buyer by phone or email can be very effective, as fraudsters usually don’t like to engage in dialogue – it’s high risk for them. Such contact may also make it apparent that false details have been provided. So you could call and say, “Hello Jerry, and your surname is?”, or ask the buyer for details of “the order”. If the fraudster has placed multiple orders with multiple identities, they won’t easily recall this information. Your suspicions should increase if questions take too long to answer. You could also request a fax of the credit card, bank statement, bill, driving licence or passport. This will most likely discourage a fraudster, although it may also irritate genuine customers. However, most will be happy to help once the reasons for your suspicion are explained.
You can adopt another tactic if you are still suspicious of the order. Simply ask for payment by an alternative means, such as cheque. If a different card is offered, it would need to have the same billing address.
Your policies need to be crystal clear to all staff and full training must be given on how to explain the approach to customers so as not to alienate them.
If possible use a delivery method that requires a signature, as this can help when the buyer denies they have received the goods. However, people may deliberately obscure their signatures and it isn’t a guaranteed way to prove safe delivery. On the other hand, without a signature, you can’t even begin to prove it.
It’s difficult to find the right balance between over-zealous rejection of genuine business and losses from a lax approach. For instance, AVS will give up to 40% false negatives, due to the variety of address formats used by people, and AVS cannot be used on overseas orders. So AVS should only be used as one of several fraud indicators. Also, your business will turn out to have its own fraud profile, so using your own experience to develop specific policies is the best way to get this balance.
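The policy-based approach described above, with AVS treated as only one of several indicators, can be written as a scoring rule. This is an added example, not code from the article or from any payment provider; the weights, thresholds and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (not from the article); tune to your own fraud profile.
REVIEW_VALUE = 250.00   # orders at or above this value are always reviewed
REVIEW_SCORE = 2        # score at which an order is held for a buyer check
REJECT_SCORE = 5        # score at which an order is declined


@dataclass
class Order:
    value: float
    cv2_match: bool
    avs_match: Optional[bool]      # None: AVS unavailable, e.g. overseas order
    three_ds_authenticated: bool
    ships_to_billing: bool
    clean_history: bool            # card, address and IP seen before, no problems


def triage(order):
    """Return (decision, reasons); decision is 'accept', 'review' or 'reject'."""
    signals = [
        (not order.cv2_match, 3, "CV2 mismatch"),
        # AVS produces many false negatives, so alone it stays below REVIEW_SCORE.
        (order.avs_match is False, 1, "AVS mismatch"),
        (not order.three_ds_authenticated, 1, "no 3D Secure authentication"),
        (not order.ships_to_billing, 1, "delivery address differs from billing"),
        (order.clean_history, -2, "clean history for card, address and IP"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    if score >= REJECT_SCORE:
        return "reject", reasons
    if score >= REVIEW_SCORE or order.value >= REVIEW_VALUE:
        if order.value >= REVIEW_VALUE:
            reasons.append("order value over review threshold")
        return "review", reasons
    return "accept", reasons


if __name__ == "__main__":
    # Constructed sample orders, not real transactions.
    samples = {
        "AVS mismatch only": Order(40.0, True, False, True, True, False),
        "gift from repeat buyer": Order(60.0, True, False, True, False, True),
        "everything fails": Order(120.0, False, False, False, False, False),
        "large but clean": Order(900.0, True, True, True, True, True),
    }
    for name, order in samples.items():
        print(name, "->", triage(order))
```

A "review" outcome maps to the phone or email contact described earlier rather than to an automatic refusal.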
The critical help that you need to implement all of these checks is the right payment service provider. So make sure that your payment provider supports 3D Secure, AVS and CV2, preferably also one of the independent fraud-checking services, and is PCI DSS compliant. Once you have these services in operation, it’s a good idea to mention them on your web site to provide added reassurance to your customers.