Here come the holiday shoppers. Some of them are headed for their local shopping mall, but more people than ever are shopping online, using their credit cards to buy gifts for their immediate family and friends as well as for relatives and friends on the other side of the country — or the world.

That’s great news for small and big ecommerce sites alike. More people using their credit cards to buy more gifts, should mean more profits for most online businesses if they aren’t victims of credit card fraud.

Credit card fraud, unfortunately, can quickly turn a prosperous holiday season into a nightmare for a small business. The owner of a small mail order business located in California had to borrow from friends and family to make good on $14,000 worth of fraudulent charges made on stolen cards one year. The following year, the owner implemented procedures to screen out possible fraudulent orders and refused to ship $25,000 in orders that seemed suspicious.

Spotting fraudulent orders

Fortunately, if you sell online or over the telephone there are a number of steps you can take to minimize the occurrence of fraud.

First and foremost, be on the look out for suspicious sales. These include:

Unusually large orders placed through the Internet without any contact from the customer.

Rush orders for large quantities or high-priced goods. Crooks may ask to have an order shipped overnight so they know exactly what day the order will arrive and they can be waiting to pick it up.

Missing information, or information the customer refuses to give such as a day-time phone number.

Orders that are shipped to a different address than the billing address.

Orders from foreign countries

Orders on US cards shipped to foreign countries

Billing addresses that don’t match the information on file with the credit card company.

By themselves, no one of these things are a sure sign that a credit card is stolen, but when several factors are present (say, your average ticket amount is $75 and you see an rush order for $5,000 being shipped to a different address than the address of the credit card holder) it’s prudent to be suspicious and investigate the sale.

Even if there’s only one factor that doesn’t pass your “sniff” test, it’s useful to err on the cautious side. As an example, not long ago, someone using a credit card with US address purchased a product from us and wanted it shipped to someone by a different name in another country. The particular product was one that wouldn’t be a lot of use to anyone in the country it was being shipped to, so we called the credit card holder to verify the shipping address. The credit card holder hadn’t made the purchase. Neither had anyone else authorized to use the card. The card and the cardholder’s contact information had been stolen.

What should I do if an order does sound suspicious?

Under any of the above circumstances you should be particularly cautious and do everything possible to ascertain the person ordering the merchandise is actually the cardholder, or an authorized representative of the cardholder.

These tips, though not infallible, may help you decide if an order is legitimate:

Get the complete name, address, ZIP code and phone number for the cardholder.

Require customers to enter the 3-digit card code number from the back of their credit card.

Verify that the billing address of the card holder is correct. Then, verify the information you are given by calling the merchant bank or using whatever other address verification system is in place through the ISO that processes your charges. If the address you were given doesn’t match the address of the cardholder, don’t ship.

Implement a fraud detection service that blocks suspicious transactions based on where they originate, or other factors. (Online credit card processing gateways such as Authorizenet have these available for a fee.)

Use address an address verification service (AVS) to block sales when the billing address entered online doesn’t exactly match the billing information on record for the cardholder.

If a sale looks suspicious, find an excuse to call the customer back, using the phone number he or she gave you, and ask to speak to the cardholder. If you can’t reach the cardholder, don’t ship the merchandise. People who use stolen credit cards don’t give out their real phone numbers.

Look up the address and phone number of any local orders in the phone book.

Send a reminder letter to people when you ship an item telling them the item has been shipped and when they can expect it to appear on their bill. This type of letter can reduce complaints and chargebacks from people who simply forget what they ordered or from whom.

This quarter I will be continuing the synopsis of Visa’s study and findings last year on the recommended practices for conducting sales over the Internet. In any non face to face sales environment there is a certain amount of fraud risk involved, but e-commerce presents its own set of inherent dangers that are not normally encountered by MO/TO (mail order/telephone order) merchants.

Before actually accepting credit card payments over the Internet, a merchant should ensure that their authorization request process is secure and efficient. This protects the merchant from accepting payment for merchandise and finding out later that the card was used fraudulently or that the cardholder did not have sufficient funds available for the transaction.

Some cost effective authorization processes suggested are using internal screening techniques (i.e. sales from high risk locations, or internal fraud avoidance files), using both AVS (Address Verification Service) and CVV2 (Card Verification Value 2) responses in the Issuer authorization obtained, and using a third party scoring service. The authorizations should be performed REAL-TIME using secure Internet gateway (such as the PayStream gateway www.paystream.net) which decreases the risk of fraud as well as lost sales resulting from problems with the transaction (if performed at a later date). The gateway should also employ the use of ECI (Electronic Commerce Indicator) which is required for all e-commerce transactions and helps to eliminate referral responses.

Once the processor approves the transaction, the gateway should send an e-mail response to the cardholder to confirm the sale. This not only provides the buyer with details concerning the transaction, but also enables the merchant to test the validity of the cardholder’s e-mail address. Order decline rates should also be tracked, and on a daily basis differentiated between those declined by the card issuer and those declined internally due to suspected fraud. This helps to increase approval rates and discover any problems in the authorization process.

If the merchandise is backordered and has to ship more than 7 days after the initial authorization was obtained, a new authorization should be sought. Visa regulations actually require this practice to reduce chargeback risks. If only part of an order can be shipped, the authorization should be reversed and the new amount posted.

As Internet merchants become more successful, the risk of fraud increases. To reduce this risk, certain risk management practices should be adopted. A formal fraud control group or division can be formed to detect and prevent fraud. This group should work closely with the chargeback group and coordinate its efforts to improve fraud prevention techniques and track fraud control performance. Another good idea is to develop an internal fraud avoidance file to aid in protecting against fraud perpetrated by the same individual more than once. This file should contain all of the key information related to the fraudulent transaction, including the name, address, phone numbers and card account. This file can be used to screen transactions so that further attempts to defraud by the individual will be declined.

The AVS (Address Verification System) protocol that is used by both Visa and MasterCard is another highly useful tool for avoiding fraud. The basic assumption behind AVS is that the majority of the time the person attempting fraud with the use of compromised credit card information will not have access to the legitimate cardholder’s billing address (normally the home address). The AVS check is conducted when an AVS request is included in the authorization request from the gateway.

There are three types of responses that can be generated-a full match, a partial match, or a total mismatch. It is recommended that once AVS is implemented as part of the authorization process, a pop up screen should be used to inform the merchant of failures. Because a real-time gateway will be used, the failure response can generate further questions for the customer to answer (such as “Did you move recently?” or “Is this your billing address?”) and customers should be allowed to reenter their address up to two additional times in the case of an initial failure. If failures continue after two tries, the customer should be locked out and that particular transaction reviewed and perhaps added to the fraud avoidance file. In fact, even partial matches should be reviewed for possible fraud. In the case of a mismatch or partial match, the merchant can take several other steps to determine the legitimacy of the sale. The prospective customer can be called or e-mailed, the card-issuing bank can be contacted for verification, or directory assistance can be used to determine the billing address of the prospective customer. There are also third party fraud screening services, such as Cybersource, that can be used.

Source: Visa Electronic Commerce Risk Management

Possible AVS Responses

Y- Yes, or Exact Match on Street Address and Zip Code

A- Street Address matches but Zip Code doesn’t

Z- Zip Code matches but Street Address doesn’t

U- Address unavailable or Issuer doesn’t support AVS

R- System is unavailable, try back later

N- No, or Total Mismatch

Hints to avoid Fraud

Treat the following as high risk and submit to closer fraud examination:

1. High Risk shipping addresses- such as P.O. Boxes, prisons, hospitals, motels, and areas of the country known for risk.

2. Anonymous E-mail Accounts- e-mail using unknown ISPs as opposed to the larger well know ISPs.

3. Non-U.S. Transactions- these cannot be screened by AVS.

4. High Dollar Purchases

5. New or Unregistered Customers 6. Any AVS or CVV2 partial or total mismatch

What is CVV2?

CVV2 (Card Verification Value 2) is a 3-digit code printed on the back of all newer Visa cards. By referring to this number in all MO/TO or Internet transactions, the cardholder is verifying that they have the physical card in their hand.

Merchants that employ CVV2 in their authorization requests are protected from fraud related chargebacks!

VPAS- The NEW Internet Security Tool

VPAS (Visa Payer Authentication Service) is the latest online security mechanism released by Visa International to combat online credit card fraud. In the physical retail world, merchants are practically guaranteed funds from their credit card transactions, primarily due to customer authentication during the approval process. When the merchant physically swipes the credit card through the magstripe reader on the terminal, the sale will qualify as “Visa CPS Retail” and because it is assumed that the merchant will compare both the signatures and the embossed account numbers, the cardholder is considered “authenticated”.

Until now, no such authentication method existed for the Internet merchant. Now however, VPAS will allow merchant to verify the cardholder’s identity through the use of passwords and encryptions, and by doing so will have similar payment guarantees as the retail merchant. Both the merchant and the customer have to be enrolled in the program. The cardholder must register the credit card account number and expiration date at an Issuer (i.e. the card issuing bank) VPAS enrollment site, where the Issuer will encrypt the data and issue passwords. The online merchant who wishes to participate must register the computer platforms and server software being used with their acquiring bank. They will then receive software modules to allow their participation.

When a registered cardholder makes a purchase from a VPAS enabled merchant, VPAS contacts the card-issuing bank, which will then identify the account number and authenticate the cardholder.

Source: Visa Directions

Merchants need to avoid credit card fraud at all costs. This goes without saying getting hit by fraudulent orders affects the bottom line of any business. I was reading an article a while back about one of the bigger travel agencies on the Internet who wasn’t able to get out of the red ink simply because they are getting so many fraudulent orders. Now this company may think they are too big to monitor all their transactions, but if they are in the red because of it, well then it’s time to make some changes.

Smaller merchants with big-ticket items can be wiped out with just a few fraudulent orders; sometimes it only has to happen once. I wrote an ebook, “Protect Your Merchant Account from Fraud & Chargebacks” that goes into great detail on this subject. I will highlight some of it here.

Chargebacks happen when a cardholder disputes a credit card purchase. There are a variety of reasons a cardholder may dispute a charge. Some examples of these are:

Never receiving the item ordered

Not getting what they thought they were buying

Their credit card was stolen and they did not authorize the charge

They could just be a thief and use the chargeback clause to their advantage

In the event of a chargeback, the card-issuing banks will initiate a chargeback against the merchant. The funds for that sale are pulled from the merchant’s bank account and the merchant may or may not be notified of the chargeback and be given the opportunity to dispute the chargeback. I was told by one really big acquiring bank that they were not obligated to notify the merchant of a chargeback. Anyhow, the merchant and merchant bank knows nothing of the chargeback until it is over and done with. Keep in mind, the customer’s card issuing bank is the one who initiates chargebacks.

The most important part in accepting a credit card is to do your best to verify the cardholder is actually placing the charge. On the Internet, this can be done with AVS (Address Verification System). Not a 100% guarantee, but it is the best available right now. AVS will attempt to match a portion of the customer’s credit card statement billing address against the billing address the customer placed during the order. If you get an address and zip code match, well chances are the actual cardholder or someone authorized to use the card placed the order. If you get a match of one or the other, then it is your call if you want to accept the credit card. I have a merchant who does between 13,000 and 15,000 online transactions per month and will accept a partial match, but rejects all that come back with no match. His chargeback rate is pretty low and this seems to work for him. If you do not get any match, then you need to sit on the order, jump up and down on it, and chew on it for a while and try your best to get in touch with the customer. If you cannot, then it is in your best interest to reject the order. Now the limitation of the AVS system is that it only works in America with American orders. There is no system in place, as of yet, for accepting International orders. As the attorney I interviewed in my ebook says, “You accept International credit card orders at your own risk.”

There are a few hotspot countries you would be best to avoid unless you have an established relationship with your client. Let me preface this by saying, I draw this conclusion from my own personal experience and the feedback I get from my merchants, so take it for what it is worth. This is not gospel! The countries are; any country that was part of the former Soviet Union, and Malaysia. They seem to have a larger than average amount of fraudulent orders placed from there.

Now for my most controversial comment, never accept an order placed with a FREE email address! I have been laughed at and scoffed at over this comment simply because there are so many honest people who use free email and this means losing orders. Simply put, you are correct. You will lose orders and sales and maybe even money if you follow this rule. However, I don’t think you will lose as much as you would if you accepted orders from free email addresses though. I know one merchant doing $45,000+ in credit card orders per month from the Internet that was following this rule. Then one day, he decided to throw the rule out and increase sales, as a result he almost lost his merchant account due to excessive chargebacks. Take it for what it is worth. Statistics show that more then 50% of orders placed from a free email address will be fraudulent. For more facts about this, I suggest you visit http://www.antifraud.com

There is more to a chargeback than meets the eye. Not only does a merchant lose the actual inventory and the purchase price, but there are also chargeback fees assessed to the merchant each and every time. These fees add up because they are anywhere from $15 to $50 a pop. Consult your merchant account provider if you do not know what fees you can be hit with. That is not all. Merchants who have excessive chargebacks, this is again defined by the provider, range from ½% to 2 ½%; a merchant can lose their merchant account. That is, get terminated without warning and could end up on the MasterCard Match List, a.k.a. Terminated Merchant File, which is looked at by other providers and if you show up on it, this means you will not get a merchant account. You can expect to stay on the list for 5 years too. There are new rules and regulations that have cropped up with the card associations. Visa has an International Fine for excessive International chargebacks and MasterCard has a fine for excessive chargebacks for high volume merchants. These fines are in the several $1,000′s to over $100,000. I am in the process of updating my ebook to reflect this along with an interview with T.J. Walker of http://www.antifraud.com and hope to have it ready within a few weeks.

Keep an eye on those transactions, use some common sense and good judgement and things will be well with your Internet business and merchant account.