Credit Card Fraud Prevention Tips for Online Merchants

The following information was presented by Sharon Gillett from www.gilletts.com and Allison from www.giftsaustralia.com.au at a recent eBIG meeting. Sharon and Allison are both experienced and successful online merchants, and their information is extremely practical. 

Not all the tips below will apply for every business, but many of them will help you drastically reduce the likelihood of credit card fraud in your organisation.

Examine at your orders closely

There is a number of things that can alert you to a possible fraudulent order if you take the time to look closely at your orders. These include:

• Poor spelling
• Bad grammar
• FULL CAPITALS
• Order address is different to delivery address
• Delivery name is different to the name on the credit card.
• The nature of goods ordered can be a give away. For example items that are easily converted to cash on the black market such as electronics, jewellry etc. or
• Items that are ordered in unusual quantities and/or combinations.
• Orders greatly exceeding the average order value, ie. a $600 order is suspicious when the average order is only $60.
• Items easily available in the country the order is from. For example, why would someone order the latest Madonna CD from someone in Australia when they could get it for less from a local supplier?

A good way to double check an order is to see if the name and address of the person placing the order matches that on www.whitepages.com.au or www.anywho.com for U.S orders.

BEWARE of orders from certain countries.

It might not be diplomatic to say DON'T SEND ORDERS TO THESE COUNTRIES but many people experienced in online sales will tell you that is their policy.

Listed in order of notoriety

1. Indonesia
2. Romania
3. Nigeria
4. Ukraine
5. Yugoslavia
6. Lithuania
7. Egypt
8. Bulgaria
9. Turkey
10. Russia

Check I.P. Addresses

An I.P. Address is what identifies users on the internet. It doesn't tell you their name or address but it tells you what country they are from and that's enough to assist with fraud prevention. Websites log the I.P address of visitors and ideally your website should check to see that the country of the person placing the order corresponds with the address they offer you. This would detect an order that is supposedly being placed by someone in the U.S. but is actually entered by someone in Nigeria with a stolen credit card.

BEWARE of people requesting 'Fastest Possible Shipping'

People experienced in online sales laugh at this one because it almost guarantees it's a fraudulent order. Sometimes the freight costs more than the item - the fraudster doesn't care because it's not them that has to pay for it.

Ask for the CVV

The CVV is an anti fraud feature designed to prove that the person placing the order is actually in possession of the card. It's a 3 digit number for all major cards, except for American Express where it is 4 digits.

(last 3 digits on the back)

(4 digits on the front, above the number)

Confirm Bank Details

If you are unsure about an order, call the credit card issuer and ask that they call their customer to confirm that it is an authorised use of the credit card.

Address Verification Systems

These systems actually check to see if the address of the order is the same as the authorised user. For most fraudulent orders they are different. Whilst the fraudster may have stolen the credit card details or used software to generate a fake credit card number, they are less likely to know the address of the owner of the card, so they make something up. Address Verification Systems are quite expensive and out of reach of most small businesses. They also don't work in Australia due to privacy policy. However, you can still consider saying on your website that you are using such a system as a deterrent.

Request Identity Information

If you are unsure about an order, try asking for a faxed or scanned copy of both sides of the credit card and/or driver license. You can say that your bank requests you to verify identity to avoid embarrassment.

Post a Warning Message

On your order page you may want to consider warning people of the following security measures.

1. You are logging I.P. addresses. (even if you aren't, its a deterrent)
2. You are using an address verification system. (even if you aren't, its a deterrent)
3. You don't accept orders from Indonesia or Nigeria. (you can be diplomatic and say it's due to difficulties with shipping)

Verify Charging Information

If you are unsure about an order, advise the customer that you require them to contact their credit card provider and request the exact time that the order was processed. Again you can say your bank requires you do this to avoid embarassment. Credit card companies require callers to identify themselves before releasing that information. Therefore, in order to get it the customer would have passed the credit card companies security checks. If you don't hear back from the customer, it's likely it was a fraudulent order. If they do get back to you, you can cross check that with the time you put the order through.

Request Signature on Delivery

This is not always possible, depending on what sort of business you are in.

Record Fraudulent Orders

Fraudsters are notoriously persistent in trying to place orders at the same sites over and over. Just because they didn't get through the first time certainly won't stop them trying their luck again and again. Ideally, your website will store the details of orders you have previously identified as fraudulent so that if someone tries to place another order with the same I.P. address, credit card number, name or delivery address, your website will automatically identify them.

Advise Customers What Will Appear On Their Statement.

Avoiding charge backs is what it's all about. The last thing you want is someone who has placed a legitimate order with you contacting their credit card provider to dispute a charge because the name on their statement doesn't clearly indicate that it was a purchase from your store. This can be a trap if your merchant account is in a trading name. For example, how is a customer to know that a charge by XYZ Pty Ltd was for the widget they bought online two months ago? This can also be a problem if you use a payment gateway that processes your cards, as it is likely that it will be their name that appears on your client's account. In these cases you may need to advise customers what will appear on their statement to avoid unnecessary charge backs.

Train Your Staff

Whatever procedures you put in place to prevent fraud make sure that your staff are trained in them. It's advisable to have them written down and easily accessible.

Offer Alternative Payment Methods

You don't have to take credit cards. Some alternatives to consider are:

• BPAY
• EFT (Electronic Funds Transfer via the customers Internet Banking)
• Pay Pal (used by millions of buyers and sellers worldwide, preferred method of sending and receiving payment on eBay)
• COD.

If In Doubt... Don't Do It.

If after doing your checks you are still unsure, then it's better to politely decline the order and lose the sale rather than run the risk of losing your stock to thieves.