Preventing Credit Card Fraud on Your Website
BY Anne Stuart
Despite e-payment options, credit cards remain the Internet’s primary currency. Here are some basic steps to keep your e-commerce site safe from credit fraud.
My husband, who owns a one-year-old retail website, describes credit cards as both the cornerstone of his company’s payment systems and the potential crack in the foundation that could bring the whole business tumbling down.
While his company is geared largely to technophiles whom you’d expect to order with a guaranteed third-party payment service like PayPal, fully 90 percent of his customers buy their gifts with American Express, MasterCard or Visa. So far he’s been lucky; out of the hundreds of credit-card transactions he processed last year, not one was bogus.
But like other online merchants, he worries about what will happen if somebody does make a fraudulent charge, starting a chain of events that typically doesn’t end well for the seller.
The biggest such threat: “chargebacks,” or credit-card charges that buyers dispute. Buyers typically win those disputes. If someone successfully uses a lost or stolen credit card in person, the issuing bank is usually liable for the amount. But in online transactions, also known as “card-not-present” sales, the merchant typically takes the loss. (And even if a bank does agree to assume responsibility for a disputed charge, the incident can return to haunt the seller later. Some merchant service providers -- that is, the companies that process the transactions for the banks -- assess fees against merchants with too many chargebacks or even threaten to terminate their services.)
E-commerce merchants have recently gotten savvier about handling card-not-present transactions, according to the Merchant Risk Council (MRC), a Seattle-based retail-industry association that focuses on fraud prevention. Before 2005, fraud occurred five times more often online than it did in “card-present” sales, according to the MRC’s annual survey. But 2006 MRC research indicates that fraud now occurs at about the same rate online and in person.
While that’s positive news, it certainly doesn’t mean that online merchants can relax their vigilance about potential credit-card rip-offs. The following technologies and best practices can go a long way toward keeping any e-commerce business safer from fraud:
Use Address Verification Service (AVS). These systems run during the credit-card authorization process, matching the billing address provided for the sale against the billing address on file for that account. The method is useful, but far from foolproof: One industry study indicated that AVS technology identified up to 40 percent of transactions as problematic -- many times the number of actual fraud cases. That can be frustrating for e-merchants, who sometimes have to turn the AVS off to enable legitimate transactions.
Request Card Verification Codes. If you’ve ordered merchandise online or over the phone in the past few years, you’ve probably had to provide not only your credit-card account number, but a short security code as well. If you’re not requesting the same information from your own customers, this is the time to start. Card Verification Codes appear only on the actual credit cards, not on statements, receipts or other documents. So when customers give you correct three- or four-digit verification codes, that means they’re probably holding the actual credit cards, not just stolen account numbers.
Again, it’s not perfect protection. Providing the right code doesn’t, of course, guarantee that the person using the card is authorized to do so -- only that the card itself is valid. But it’s still another layer of security that can thwart some fraudsters.
Watch for red flags, especially in first-time orders. Among them:
Billing and shipping addresses don’t match (although if the item is being sent as a gift, the shipping address may well be different).
Mail goes to a post-office box rather than a standard business or residence address.
Customer can’t be reached by phone; number is missing or incorrect.
E-mail goes to a free Web account rather than one connected with an Internet service provider.
Order total is surprisingly large for your business.
Order is being shipped overseas (when most of your business is domestic).
Of course, none of those circumstances necessarily means that somebody’s trying to rip off your website. But if you find several of them associated with a single order, it’s probably a good idea to investigate further before accepting the charge and shipping off your merchandise.
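The red-flag checklist above, written as a small order-screening function. This is an added example, not code from the article; the order field names, the free-mail domain list, the large-order multiplier and the reading of "several" as three flags (two for a first-time order) are assumptions chosen for illustration.

```python
import re

# Illustrative assumptions, not from the article: the free-mail list, the
# "surprisingly large" multiplier, and reading "several" as three or more flags.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
LARGE_ORDER_MULTIPLE = 5
REVIEW_THRESHOLD = 3
PO_BOX = re.compile(r"\b(p\.?\s*o\.?|post\s+office)\s*box\b", re.I)

def _norm(addr):
    """Ignore case, punctuation and spacing when comparing addresses."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def red_flags(order, typical_total, home_country="US"):
    """Return the article's red flags that apply to one order (a dict)."""
    flags = []
    if _norm(order["billing_address"]) != _norm(order["shipping_address"]):
        flags.append("billing/shipping mismatch")
    if PO_BOX.search(order["shipping_address"]):
        flags.append("ships to PO box")
    digits = re.sub(r"\D", "", order.get("phone") or "")
    if len(digits) < 7 or order.get("phone_reachable") is False:
        flags.append("phone missing or unreachable")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
        flags.append("free web e-mail")
    if order["total"] > LARGE_ORDER_MULTIPLE * typical_total:
        flags.append("unusually large total")
    if order["ship_country"] != home_country:
        flags.append("overseas shipment")
    return flags

def needs_review(order, typical_total, home_country="US"):
    """Hold for manual review when several flags coincide.
    First-time orders get one flag less slack (an assumption)."""
    threshold = REVIEW_THRESHOLD - (1 if order.get("first_order") else 0)
    return len(red_flags(order, typical_total, home_country)) >= threshold

# Constructed sample orders (not real data).
GIFT = {"billing_address": "12 Elm St., Boston, MA", "first_order": False,
        "shipping_address": "98 Oak Ave, Denver, CO", "phone": "617-555-0100",
        "email": "pat@example-isp.net", "total": 60.0, "ship_country": "US"}
RISKY = {"billing_address": "12 Elm St., Boston, MA", "first_order": True,
         "shipping_address": "P.O. Box 1182, Lyon", "phone": "",
         "email": "buyer@gmail.com", "total": 900.0, "ship_country": "FR"}

if __name__ == "__main__":
    for name, order in (("gift", GIFT), ("risky", RISKY)):
        print(name, needs_review(order, 75.0), red_flags(order, 75.0))
```

A gift order trips only the address-mismatch flag and ships normally, while the second order trips all six and is held for a manual check before the charge is accepted.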
Anne Stuart, a former Inc. senior writer, is a Boston-based journalist who specializes in covering business and technology.