Using this process, the credit card transaction is processed immediately, and I don't know how I could watch for fraud. I see here at WW just about everybody uses some kind of delayed processes to screen orders for fraud.
What are the steps you implement in an order transaction to watch for fraud? Thanks in advance.
If that all sounds like too much work, I see that Authorize.net is now offering some pretty robust looking fraud screening - not free, of course.
Depending on the type of merchandise you sell, you might obviously have a higher risk of fraud than others. My business is such that fraud is a non-issue, but I still require AVS and CVVS just to protect myself and my customers.
Don't do an AVS check, and you're screwed. Actually you're screwed regardless....the banks always and unquestionably side with the cardholder, instantly yank the funds out of your account and then inform you that they've done so after the fact. You're given 3 or 4 days to object to this before it's irreversible, but worse is that they drop the notification telling you of their act into the mail on the first of those 3 days, so usually when you open the mail to discover it even happened, it's already final, and too late to do anything about it. As I said, you're simply screwed, and you eat the loss. You- not the cardholder, not the bank, and certainly not the crook who stole your product. It's a lovely feeling....
:o(
Never forget: when it comes to fraud, you're on your own.
But back to AVS:
You can adjust AVS for various levels of screening. If street address matches, if zipcode matches, or both plus some other little gauntlets.
Problem is: it's a cranky system with false positive glitches. It doesn't work at all for international orders. If a customer gets his bills at home but wants the order shipped to work, or he's using mom's card with permission, or the other business partner's card, or simply misspells his address but is otherwise legit, you'll get a decline.
I have lots of text at checkout about how shipping and billing addresses must match or card might be declined, and that if they want to use an alternate shipping address, they need to call the toll-free # on the back of their card and have that address added as an OK alternative address with the card issuer. I use AVS but do a lot of forced-captures after the AVS declines, once I've chatted with the cardholder and decided the little old lady on the other end of the line is probably not a criminal.
Another excellent fraud screen is to prompt for the CVS code: the 3-digit number on the back of the card. Highly recommended.
There are also some new programs out:
Verified by VISA
and
MasterCard Secure Code.
Cardholders sign up for some kind of secure ID passport or something. Reviews I've read say they're great programs but won't work unless way more people sign on, and if every card issuer technically supports the system, which thus far, is very far from reality.
I'm in the jewelry trade by the way, so the tabs can get quite high and fraud's a big issue. If an order is pretty large and I'm feeling suspicious, I can call the risk management dept. at my merchant card-processor. They have access to a classified U.S. Secret Service database. I give the guy the first 6 digits of the credit card and he gives me the issuing bank's name and phone number. I then call the bank, verify the address, and ask them to call the cardholder to make sure he authorized the charge. It's a bit elaborate and only for high totals, but if you do it, you know conclusively it's a safe transaction.
Lastly: never, ever, ever ship to Nigeria or Singapore. NEVER NEVER NEVER. In the name of our dear and loving lord in heaven, I appeal to you to please heed this URGENT message from the niece of the late finance minister of Burkina Faso blah blah blahhhh blather bother banter argghh. 'Honest Nigerian Businessman' is apparently an oxymoronic term. Maybe there is one, poor suffering fellow. I don't know how in the world he gets by, because no one in his right mind would ever do business with him.
Verified by Visa protects you on all Visa transactions regardless of cardholder enrollment or bank participation. When we receive a Visa transaction from a non-participating bank, which means the cardholder is therefore not enrolled, we get 100% protection against fraud on that card. They see nothing upon checkout.
So the way I see you doing it is let the gateway process the order, then check out the details before you ship. If it looks fishy, then do you reverse the transaction manually? Do you notify the buyer?
Also I was planning on not keeping the credit card numbers in my database just to have peace of mind about security. Do I need to keep the card numbers or would the authorization number be enough? My website is on a commercial web host. I guess I could keep the numbers here on my personal network where I can manage security, but that means a lot of work. What do you think? Thanks again.
The questions you have to answer for yourself are, how secure is your hosted database and how much do you trust the hosting company? You have to assume that there's some kid running around there with the sa password and access to every database on the server. Take measures you think are appropriate to protect the data.
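Added example, not part of any post in this thread: a sketch of the "let the gateway authorize, then screen before shipping" workflow discussed above, which also persists only the authorization reference and the last four digits rather than the card number. The field names, the `HIGH_VALUE` threshold and the decision labels are assumptions for illustration, not any gateway's actual API.

```python
from dataclasses import dataclass

HIGH_VALUE = 500.00  # assumed order total above which a phone check is wanted

@dataclass
class GatewayResult:
    """Fields a gateway response is assumed to expose (names are hypothetical)."""
    auth_code: str
    card_number: str
    avs_street_match: bool
    avs_zip_match: bool
    cvv_match: bool
    amount: float
    ship_to_billing: bool

def screen(r: GatewayResult):
    """Return (decision, reasons): 'ship', 'review' (hold and call), or 'void'."""
    reasons = []
    avs_none = not r.avs_street_match and not r.avs_zip_match
    if avs_none:
        reasons.append("AVS no match")
    elif not (r.avs_street_match and r.avs_zip_match):
        reasons.append("AVS partial match")
    if not r.cvv_match:
        reasons.append("CVV mismatch")
    if not r.ship_to_billing:
        reasons.append("ship-to differs from billing")
    if r.amount >= HIGH_VALUE:
        reasons.append("high-value order")
    if avs_none and not r.cvv_match:
        return "void", reasons  # nothing verified: reverse the authorization
    return ("review" if reasons else "ship"), reasons

def order_record(order_id: str, r: GatewayResult) -> dict:
    """Build the row to persist: authorization reference and last four only."""
    decision, reasons = screen(r)
    return {"order_id": order_id, "auth_code": r.auth_code,
            "last4": r.card_number[-4:], "amount": r.amount,
            "decision": decision, "reasons": reasons}

# Constructed sample (4111... is a well-known test number, not a real card)
SAMPLE = GatewayResult("A1B2C3", "4111111111111111", False, True, True, 620.0, False)

if __name__ == "__main__":
    print(order_record("1001", SAMPLE))
```
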