Tell them to have their issuing bank file their school address as an alternate address on that card. You'd be able to contact the bank to verify that address.

It depends. If its a low ticket item, it's probably not fraud. If it's high ticket or multiple items, definately check it out first and confirm the order with the billing party. Card code verification also helps.

I do it all the time and have never had a fraudulent one yet. The site sells gift items at about $80 each.

With the increase of ID theft and account takeover most Issuers are refusing to take third party addresses as temporary updates to accounts. In any case, even if the third party address is lodged with the issuer you are still liable as you will still be in breach of your T's & C's.

Best bet is to stick to ship to bill to unless you can prove positively the person making the order is entitled to make the order (no easy thing to do, granted).

All I can say to the person who does it all the time for $80 goods is you've either been lucky or your products have no resale value to fraudsters.

An alternative is to write to the validated billing address with a contact telephone number for the cardholder to call if they have concerns. Chances are though they won't respond (especially if they are travelling - a key reason for alt ship to for some issuers).

Ultimately AVS and CV2 only prove conclusively that the anonymous person on the end of the IP address making the order knows the cardholder billing address and CV2 value. Unless you deliver to the validated billing address you place yourself at risk. Even then, with account takeover as detailed above, you could still be banged back.

One option is a bureau style check. e-identity provides that so at least you would get corroboration that the person making the order has a link to the address they claim - gets around the ID theft problem.

In the UK no chex offer 100% chargeback proofing - although there appears to be a get out clause of "reasonable efforts" on your behalf. Similiar to PayPal they offer cart integration.

Hope this helps :)

It does all depend. Check the IP address also. If it is registered to a California IP address, the billing address is in FL and you are shipping to NY, then yes - something could be wrong. You can always telephone the client.

Gift orders are probably going to be coming in now so there is always exceptions to make.

-Corey

Why you don't have a testing period about a month?

See if you loosen the policy and see how's the sales going? If the sales is increased and the number of fraud doesn't change much, then you should loosen the policy.

Every time you ship item to customer, check the cost of the order, if it's above $250 or something. Give them a phone call to approve the order.

Dell selling a Computer which cost above $1000, but they didn't need shipping and billing address match in order to process the order. The process is smooth and easy.

Usually people stole someone's card they don't know the billing address. The rate of the scammer pick a gift store is pretty low.

I think you act like a cop investiage all your customer as theift. You should make the order process easy and without hassle.

You should Lower Shopping Cart Abandonment Rates on your store for Better Conversion

Point being that if it's a fraud the phone number will be the fraud's ... gets you nowhere... IP addresses can be masked or misleading by on-ramping to a local provider... best look for "unimpeachable" sources of confirmatory information (bureau, public directories).

As the transaction is at your risk you owe it to yourself to independently validate the data you've been given if you are uncomfortable with the transaction. If it's worth it is business terms always use a tracked delivery option - helps prove the goods were delivered to a validated address and avoids not received chargebacks.

There are stacks of resources out on the web - and third party solutions to deploy to automate most, if not all, of the above checks.

Merchants who view the net as a quick and cheap channel miss the point. Depending on your product and visibility it can be the quickest way to loose your entire business - for the sake of not setting up meaningful checks and balances.

Strike the right balance between risk and reward and your business will fly - cut corners and it will most likely die.

Not many merchants understand the card payment process in enough depth to be able to make those calls alone. It stands to reason then that external help is needed and should be sought.

That said - if you're selling spanner sets or lumber the resale opportunities are so limited as not to be worth the hassle for frauds.

Selling gadgets, PC's, AV equipment, car parts, jewellery - you're a magnet....

You are right about the IP addresses. We had someone order hosting from us - and of course we went with our gut feeling. We called them, that checked out. We then emailed them back & when the email came back, the IP address was then in Canada. And just the day before, the client was in Europe. We never did process the transaction.

-Corey

Corey - that throws up a very interesting quandry. I'm UK based but my hosting is US (like the weak dollar :)). If I use webmail from my provider (a long shot, bear with me...) I too would appear to be US based but I operate out of the UK.

Web hosting was not treated as even a moderate risk by my team in my "other" life as we figured that, like utilities (gas, electricity etc, hosting had no resale value and the fraud would lose everything in the blink of an eye when the hosts got a chargeback.

Interestingly we were getting more and more cases towards the end of my time involving just that. Can't for the life of me figure out what they hoped to gain other than possibly the ability to set off another scam with the space (phishing for example) and wanting to remain as anonymous as possible.

One very interesting development I was involved with was "planting" files on a users PC (much like a cookie - but not ;) ) that could be used to track use and multiple attempts (primarily for finance applications) from a single machine. Legally this was skating on thin ice to say the least but throws up some useful ideas for high traffic sites that are prone to near sequential and "testing" attacks.

Main stumbling block was the UK DPA requirement to tell everyone you intended to store a piece of unique code on their PC that would ID there machine - kind of defeats the object as bogus people would simply search for and destroy the file.....

Be interested to have your thoughts on why hosting would be a target....

Basically what you said - they want to send out thousands of emails either for phishing or to sell viagra, enhancements etc. if they can get a free months of hosting to do this, that is great for them. And unfortunately horrible for the web host provider because now they might be on a spam list. And some of them want a few hundred to delete you - one I heard wanted $1,200.

And since smaller hosting companies are targeted, that money can really eat away all the profits.

And there are ways to verify your IP address. Look at the hosting company, etc.

-Corey

I've ordered a number of fairly big-ticket items (including at least two new computers and two 19" monitors) -- that I had shipped to a different address. Lots of normal, non-rip-off artists need to do that for very legitimate reasons. In my case, I was never home during the day to receive delivery, and I wasn't about to have UPS drop off my new computer at my front door. So I would always have stuff shipped to my office.

I wonder how much legitimate business you lose by not allowing this?

We have a policy to contact the buyer via phone to verify it. We sell higher priced items however, so this wouldn't apply to someone selling thousands of smaller priced items daily.

There is a lot of fraud and you have to use common sense. If you see transactions from a card in Maryland looking to ship to Arizona, I'd be a little cautious.

A lot of our customers are college kids - they have credit cards with billing address of their home and shipping address of their apt/dorm.

I think different industries need to apply different policies when it comes to shipping & billing addresses being different.

Actually, it's the college kids who seem most familiar and at ease with adding their school address as an alternate address on their cards. In fact, a number seem to already have their cards setup that way - either to switch the billing address for the months they are in school or for other orders with companies who have similar policies.

We ship eagerly to a different ship-to address than billing address. Had a $650 order (big for us) like that earlier today. We phoned the customer as we often do with unusually large orders. He was thrilled that we called and asked about some other products that he will need soon.... another $1000 worth.

We get such orders from college students and small businesses where card is paid from owners business but he wants stuff sent home. Maybe 5% of our orders have diff ship and bill.

Different ship/bill probably doubles risk. But our loss rate is about .1% to start with.

From the buyer side: I do a lot of gift buying online. The shipping addy is NEVER the same as the billing addy! I'd be MAJORLY pissed if the store got sideways because they weren't the same....

As an aside, I turn about $10k in gifts to physical addys OTHER THAN my billing addy on a yearly basis - not a lot by some standards, but not peanuts either....

99% of our orders have a ship-to address that's different from the bill-to address since we sell gift items. We have had 2 fraud orders and one was extremely blatant, but since we were new yet, we didn't know and got a chargeback. We also have plenty of orders that fail the AVS. Usually those are the ones where the boss tells the assistant to order x amount of client gifts and hands him/her a credit card. The assistant just uses the company address as the billing address. If it's the boss's personal cc, then obviously the AVS won't match up.

We require they at least give us the correct billing address, but will ship to a separate address. In addition we check the CVV2 number.

When things look fishy, ie next day air shipping on a high dollar item, we call the customer to verify.

Bottomline, no AVS match on the billing address, we don't ship.

Andrea

Thanks to everyone for the feedback. Based on what I heard, I decided to lift the billing-shipping match restriction. We will do a manual check before we ship if anything looks especially iffy.

Post back and let us know how it goes.