Basic Fraud Prevention for Internet Merchants

Most of the attention in the press surrounding online fraud is focused on consumers, whether it's having their credit card numbers stolen by hackers or being suckered into giving up their personal and financial information by a phony email phishing scam. But barely any attention has been given to the other side of the coin: the Internet merchants who are defrauded by crooks posing as legitimate consumers.

One of the first things you need to do as a merchant to prevent fraud is to always verify who the consumer is. On card-present transactions, this can easily be done by asking for a valid photo identification card, for example, a driver's license or state-issued ID card. On card-not-present transactions, this is a much more difficult task for the merchant to accomplish.

There are two basic steps that every online merchant should follow to ensure that the consumer is legitimate.

The first step in preventing fraud in a card-not-present environment is called address verification, or AVS. The consumer should be required to enter their billing address when they are filling out their credit card information. The payment gateway sends this information to the payment processor for verification. The payment processor passes the address information to the issuing bank, which matches it against the address information it has on file for that card. The payment gateway then sends back a code to let you know whether or not the AVS was a match. AVS only compares the street number and ZIP code against the information on file with the card issuing bank. So if the street address was 1234 Main Street and the ZIP code was 90210, the transaction processor would compare 1234 and 90210 with the issuing bank's information.

Once this process is completed, you will get an AVS code that tells you how well the address matched the bank's records. If you get an AVS code indicating that the address and/or ZIP code do not match, it is up to you to decide whether you wish to accept the risk and ship the goods to the customer. We recommend that you do not ship goods in cases where the ZIP codes do not match. This will not only help to prevent chargebacks but will also prevent problems from occurring if the consumer works during the day. The shipping companies have become so inundated with packages from the ever-growing Internet world that they will drop the package at the door, often without waiting for a signature. Without a signature, you do not have proof of delivery. And without proof of delivery, it is very hard to fight a chargeback.

It is important to know that AVS has some limitations, because this may impact your decision-making about how to treat bad verification results:

o The AVS system isn't always reliable; bad results can be triggered unnecessarily because people move, or because some people report five-digit zip codes and some report nine-digit zip codes. This may generate a response stating that the address matches, but the zip code does not match.

o The AVS system can't handle addresses outside the U.S., so if you decide to ship only to addresses with good AVS results, you will rule out all international orders.

Online merchants typically do not rely solely on the AVS result to accept or reject an order. Most online merchants use the address verification service as part of an overall fraud prevention program and in conjunction with several other tools to help them prevent fraud.

Now we'll talk about the second step in basic fraud prevention: card code verification.

To help reduce fraud in the card-not-present environment, credit card companies have introduced a card code program. Visa® calls this code Card Verification Value (CVV); MasterCard® calls it Card Validation Code (CVC); Discover® and American Express call it Card ID (CID). The card code is a three- or four-digit security code that is printed on the back of cards. The number typically appears at the end of the signature panel. This program helps validate that a genuine card is being used during a transaction. Card code verification works similarly to address verification. The payment gateway passes the code entered by the consumer to the payment processor, who then compares it to what is on file at the card issuing bank. The payment gateway then returns a code to let you know whether the numbers matched. This helps to verify that the person using the card has the card in their possession at the time they place the order.

We advise all merchants to require this code for all credit card transactions to help combat fraud. It is important to note, however, that if merchants store these numbers, fraudsters can obtain them just as they obtain credit card numbers. It is for that reason that the card associations prohibit merchants from storing these codes in their system. The use of CVV2, CVC2, and CID by online merchants has continued to increase, rising from 44% of online merchants using this tool in 2003 to 66% today. It appears that asking for the CVV2, CVC2, and CID has become standard practice for the majority of online merchants.
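The sketch below is an added example, not code from the article or from any payment gateway: it simulates the street-number and ZIP comparison described in the AVS section (the real comparison happens at the issuing bank) and combines the result with the card code result into a ship decision. The outcome labels, function names and the "review" and "decline on card code mismatch" branches are assumptions made for illustration; real gateways return their own response codes.

```python
import re

def avs_key(street_line, zip_code):
    """Reduce an address to what AVS compares: street number and 5-digit ZIP."""
    number = re.match(r"\s*(\d+)", street_line or "")
    zip_digits = re.sub(r"\D", "", zip_code or "")
    # Truncating to five digits avoids a false ZIP mismatch on ZIP+4 input.
    return (number.group(1) if number else None, zip_digits[:5] or None)

def avs_compare(entered, on_file, country="US"):
    """Return a constructed outcome label (hypothetical, not a gateway code)."""
    if country != "US":
        return "UNAVAILABLE"  # AVS cannot check addresses outside the U.S.
    e_num, e_zip = avs_key(*entered)
    f_num, f_zip = avs_key(*on_file)
    street_ok = e_num is not None and e_num == f_num
    zip_ok = e_zip is not None and len(e_zip) == 5 and e_zip == f_zip
    if street_ok and zip_ok:
        return "FULL_MATCH"
    if zip_ok:
        return "ZIP_ONLY"
    return "STREET_ONLY" if street_ok else "NO_MATCH"

def screen_order(avs_outcome, card_code_matched):
    """Article's policy: require the card code, do not ship on a ZIP mismatch."""
    if not card_code_matched:
        return "decline"  # assumption: a failed card code check blocks the order
    if avs_outcome in ("STREET_ONLY", "NO_MATCH"):
        return "decline"  # ZIP did not match
    if avs_outcome == "FULL_MATCH":
        return "ship"
    return "review"  # assumption: ZIP_ONLY or UNAVAILABLE goes to other checks

def order_record(order_id, avs_outcome, card_code_matched):
    """Keep only the verification results; the card code itself is not stored."""
    return {
        "order_id": order_id,
        "avs": avs_outcome,
        "card_code_matched": card_code_matched,
        "decision": screen_order(avs_outcome, card_code_matched),
    }

# Constructed sample: shopper enters ZIP+4, the bank has the five-digit ZIP.
SAMPLE = avs_compare(("1234 Main Street", "90210-1234"), ("1234 Main St", "90210"))
```
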

So there you have it. Two very basic and easy fraud prevention tools that every online merchant should use to prevent fraud and eliminate chargebacks.

Copyright 2007 Loud Commerce, LLC. All Rights Reserved.

Russ Gottlich, CPA is the CEO of Loud Commerce (http://www.loudcommerce.com), a leading provider of payment processing services and tools for Internet and retail merchants worldwide. As an independent agent for First Data Services by Cardservice International, Russ and his team offer merchants the benefit of having a personal merchant services consultant backed by the largest payment processor in the world.
