Forum Moderators: buckworks
I've been having a hard time preventing fraudulent orders when I receive an approved response from my merchant provider.
I currently use PCCharge with one of the "First Data" processing companies; so when I receive an approved response the order continues through the processing steps in my order management software.
I then receive a phone call stating someone sees a charge on their credit card that they did not make, or I get a letter in the mail saying a chargeback has been issued.
I never win any of these chargebacks; so I end up losing the product and money that was removed for the order on the person's credit card.
I hate this, just because someone else's credit card information was stolen and used to purchase a product on my website; in the end I have to pay for these people not protecting their credit card information better!
Is there anything I can do to prevent or stop fraudulent orders when I receive an approved response from my processing company?
Thank you,
olimits7
Are you shipping only to the credit card holder's address listed with the credit card (AVS checking)? If so, and the person refuses to return the merchandise, then the card holder is in big trouble (effectively receiving, or in possession of, stolen merchandise) - sic the local police on them. If not, WHY NOT?!? (That's a major red flag for potential fraud.) Also if not, then sic the local police on the delivery address as whoever lives there could be in big trouble as well.
Many of my clients' orders fail on AVS, because the cardholder has moved and not updated their credit card. If the difference is in the same city, it's likely not fraud. But we always check.
The most blatant example, and I've only seen a couple like this, is a billing address in New York and shipping to Nigeria. Riiiiiiigggght.
However, you must tread carefully. One of my client's sites often has orders with Aunt Mary in Connecticut sending a gift to Sally in California.
So the question, are you using AVS and do any of these fraud orders have a suspicious difference in billing/shipping address?
I hate to recommend it, but one I hear often is same billing/shipping only. This would kill some of my client's businesses, and might yours as well.
I strongly suggest you take better proactive measures to defend yourself against this type of activity and put in place where ALL new orders are verified before processing.
[edited by: lorax at 11:17 am (utc) on Oct. 28, 2009]
We run into the same problem; we receive plenty of orders where AVS would come back as a "No Match", but the orders are still perfectly valid and not-fraudulent.
We have actually implemented on the site that an order's billing and shipping addresses must match before a customer can submit an order. I guess this has helped a little, but not too much because I still get these fraudulent orders coming through.
It's just a pain dealing with these fraudulent orders!
olimits7
However, I will still have this issue for orders that receive an "approved" authorization, but return with a failed AVS check. Then I really don't have anything to back myself up with...
olimits7
I'm going to have to research and see how many orders are:
1) failed AVS non-fraudulent orders
2) failed AVS fraudulent orders
and base my decision on the outcome of this. If it's just a small amount of orders that fail AVS and are non-fraudulent I will just decline all failed AVS orders. It's not worth taking the chance on processing the order if it's just a small number of non-fraudulent orders I will be missing.
olimits7
I buy online all the time; in fact, most of my shopping is done online and I never ship to my billing address. If I can't ship to where I want the package delivered then you won't have my business.
99.9% of the time I get a call from the company "if" I am a new customer verifying I placed the order. After I am verified I go right through the system without issues or checks on future orders.
I can't think of a large company (Dell, Amazon, Apple, on and on) that forces me to ship to my billing. This is a bad decision, but it is your business, run it how you want to, but to me it is a mega loss of sales and no way I would do what you're doing.
Used to be large orders, then it was IPs, AVS, CVV checks and still they were getting through.
Losing the whole sale, plus shipping, plus labor, plus the added fee from the processing company, I found the only sure way is to check ALL new orders manually. If you don't curb the fraud orders you're gonna find your processing fee increase to the point you're going to be in serious trouble.
My fraud orders have dropped to 2 this year and that was the fault of our employee and should have been caught.
Before I went the route I am now it was 1 a week slipped through.
I think the key is to have a series of red flags, that will trigger closer scrutiny.
This is exactly how we approach the problem. I developed a list of red flags (established with the Red Flags thread here on WebmasterWorld) and circulated it with everybody here that will be processing internet orders. Now we almost never get burned, just once a year .. maybe twice.
I firmly believe checking each new order by a Manual AVS and the CC's phone number on record.
How do you perform a manual AVS and CC's phone number check?
The only information I have is what is provided by the customer on my website; so I have no other information to check against what they provided is accurate.
This is a bad decision, but it is your business, run it how you want to, but to me it is a mega loss of sales and no way I would do what you're doing.
You are right, I should switch this back to allow for a different shipping/billing address. I will give this a try to see if this works and hopefully it doesn't cause an increase in fraudulent orders.
However, there is one thing that I have noticed by keeping the shipping/billing address the same: anytime a customer needs to ship to a different address I usually receive an email from them asking me. I then allow them to ship to the new address and I make the change on my website.
I think it seems to weed out any fraudulent orders if they see that the shipping/billing address must match.
Maybe you should check the IP address before all shipments.
I actually do record all IPs and ISPs of orders submitted through my site, but never really used this as a fraud check.
To do this I would just check the IP location and see if it matches the address location of the order?
Thank you,
olimits7
I just took a look at my PCCharge software in more detail, and found these two menu setting boxes that will hopefully help with properly checking for fraudulent orders; I didn't even know these were in PCCharge...woops!
Accept Transaction When...
- CVV2 Match
- CVV2 No Match
- CVV2 Not Processed
- CVV2 Not Present on Card
- CVV2 Issuer Not Certified
- CVV2 Server Did Not Respond
For some reason all of these were checked ON, so I now unchecked the "CVV2 No Match" checkbox.
Accept Transaction When...
- Address and 5 Digit Match
- Exact Address and 9 Digit Match
- Address Match, No Zip Match
- 5 Digit Zip Match, No Address Match
- 9 Digit Zip Match, No Address Match
- No Match
- Address Information Not Available
- Retry System Unavailable
- Service Not Available
For some reason all of these were checked ON too, so I now unchecked the "No Match" and "Retry System Unavailable" checkboxes.
I hope this helps in declining the orders that are fraudulent; I'll let you guys know if this helped reduce the number of fraudulent orders I receive.
olimits7
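An added example, not part of the original posts and not PCCharge code: the AVS and CVV2 result labels from the two lists above feed a triage step that declines only on a CVV2 mismatch and holds flagged orders for a cardholder call instead of declining them. The `Order` fields, the `screen` function and the flag thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# AVS results from the PCCharge list that count as a clean match; every other
# result is treated as a red flag rather than an automatic decline.
AVS_CLEAN = {"Address and 5 Digit Match", "Exact Address and 9 Digit Match"}

@dataclass
class Order:                      # hypothetical order record
    avs: str                      # AVS result label
    cvv2: str                     # CVV2 result label
    new_customer: bool
    ship_country: str
    bill_country: str
    ship_equals_bill: bool
    ip_country: Optional[str]     # None when geolocation is unavailable

def screen(order: Order):
    """Return (decision, flags); decision is 'decline', 'review' or 'ship'."""
    if order.cvv2 == "CVV2 No Match":
        return "decline", ["CVV2 No Match"]
    flags = []
    if order.avs not in AVS_CLEAN:
        flags.append("AVS: " + order.avs)
    if order.cvv2 != "CVV2 Match":
        flags.append(order.cvv2)
    if not order.ship_equals_bill:
        flags.append("ship-to differs from billing")
    if order.ip_country is None:
        flags.append("IP location unknown")
    elif order.ip_country not in (order.bill_country, order.ship_country):
        flags.append("IP country matches neither address")
    # Assumed thresholds: one flag holds a first-time buyer, two hold anyone.
    needed = 1 if order.new_customer else 2
    return ("review" if len(flags) >= needed else "ship"), flags

# Constructed sample orders (not real data).
GIFT = Order("Address and 5 Digit Match", "CVV2 Match", False, "US", "US", False, "US")
MOVED = Order("5 Digit Zip Match, No Address Match", "CVV2 Match", True, "US", "US", True, "US")
ABROAD = Order("No Match", "CVV2 Not Processed", True, "US", "US", False, "NL")
BAD_CVV = Order("Exact Address and 9 Digit Match", "CVV2 No Match", False, "US", "US", True, "US")

if __name__ == "__main__":
    for name, o in [("gift", GIFT), ("moved", MOVED), ("abroad", ABROAD), ("bad cvv", BAD_CVV)]:
        print(name, *screen(o))
```

A "review" result corresponds to the manual step described in the thread: call the customer before shipping.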
Now if they are shipping to a different address then you will call the verified phone number and make sure this person did do the charge.
I am seeing the fraud orders now have all the information of the card holder down to the correct phone number, but we won't ship (to a different address) until the verified phone number card holder has verified they did the charge.
Now remember this is only on new customers and not returning customers.
Visa and MasterCard can be checked in one system, where Discover card and AMEX have their own number to call for verification.
To do this I would just check the IP location and see if it matches the address location of the order?
Yes, let's say the buyer is from Chicago and they are sending the order to Florida. Yet the IP address shows up as Amsterdam. Do not ship this order until you talk to the customer. There is always a chance they are on vacation and doing Christmas shopping while on the road.... but in this case there is a good chance it's a fraudster sitting in an internet cafe in Amsterdam and sending the goods to their cohort in Florida.
Like somebody mentioned, AOL will not show you their location. So if you have any red flags and an AOL IP, phone the customer.
Get 3D-Secure on your merchant account, integrate 3D-Secure, use it all the time. If you use 3D Secure, you should be able to get the "liability shift" in many cases: the bank is now responsible for any unauthorized use of the card. With VISA it applies even if the bank does not support it or the cardholder is not enrolled. There are exceptions, but it should already help a lot.
Note that 3D-Secure only works for "online" transactions, since it redirects the user to the bank's authentication server so that he can provide whatever information they have decided proves the user is actually the cardholder. So you can't use it with "offline" solutions such as virtual terminals etc.
For the rest, use AVS and CVC2 checking, always ship with tracking and signature. For larger orders or "suspicious" orders, get the customer to send you a copy (scan/fax) of the card and/or their credit card statement and/or ID and/or proof of address (utility bill...).
You can also use services such as Maxmind's minFraud (there must be plenty of others). You can already use basic GeoIP/GeoCity services to get location info, but minFraud adds more (open proxy, etc.).
Of course if you receive an order to ship 20 PSPs to Nigeria, decline :-)
Jacques.
I quit checking the IP address after going manual on all new orders and don't really remember what I used. I am sure there will be someone here to give ya that answer.
As for stolen card data, well, per PCI compliance, merchant isn't supposed to store CVV data, it's actually illegal. So even if data is stolen from merchants, it's unlikely to contain CVV.
So even if data is stolen from merchants, it's unlikely to contain CVV
That is correct, but how many cc numbers do you think I could get working in a restaurant in one day? Selling cc info has gotten to be big business and the more data you have the higher your data is worth.
I know for a fact I had mine ripped from using it at a restaurant. I now go with them if the card is taken out of sight.
So even if data is stolen from merchants, it's unlikely to contain CVV
Also, the CVV number is only 3 digits. That's a max of 1000 tries to find out a CVV number by brute force trying. I'm sure thieves have a list of well over 1000 sites that they use for CVV brute-forcing.
This means looking up phone numbers and other tricks online for "unexact matches" which flag but are most often still valid orders.
Like everything else, if you want it done right you have to do it yourself.
So back to my original suggestions- get the police involved.
Are you seriously serious?
Honest customers will pay for the loss of product, money, time, or, more likely, all three, no matter what.
We have almost no fraud whatsoever. In fact, the only fraud that I've dealt with in forever-and-a-day has been 'honest customers' gaming the system. We get one once in a while. They are easy to find, and theft is overt.
However, whatever additional time/money we might throw down the hole is also going to get passed along and I don't have time for it.
For all their whining about merchants, 'honest' customers are the #1 thieves. Our last hit was $160. Thankfully we take very few losses. It helps that we have enough to do without taking on fraud prone niches.