Payment Gateway Fraud

Posted in Customer Support.


We often recycle tips that we have mentioned in the past because we continue to field support questions about them. This one is directed toward merchants who use a payment gateway to accept payments from their website. One way payment gateway fraud is still committed is by using a merchant’s website to validate stolen credit cards. “Fraudsters” run a program that rapidly submits authorization requests for card numbers, which are either generated by an algorithm that produces legitimate card accounts or taken from stolen card numbers sold on the internet. Once the perpetrator receives a successful authorization, for a tiny amount like a penny or some other random amount, the confirmed account numbers are sold on the black market and programmed onto the magnetic stripes of actual credit cards, which are then used at another merchant’s point-of-sale to purchase goods and services. When the real cardholder sees a purchase that they did not make, a chargeback occurs and the merchant’s account is debited for the original sale amount plus a $25 chargeback fee.

For the merchant who operates the website, though, a transaction fee is assessed by both the payment processor and the payment gateway provider! For example, let’s say that a fraudster runs 2,000 authorization requests on a merchant’s site, and that the authorization fee is $0.10 each, charged by the merchant account and by the gateway. In that case, the merchant would be out $400! There is a very easy way to protect yourself from this kind of fraud:

Log on to your gateway account (e.g. Authorize.Net or USA ePay) and set the velocity filter, which dictates how many transactions can be run over a period of time. Let’s say that it is set to allow no more than five transactions per minute. If anyone tries to run multiple concurrent sales, they will be kicked out after five authorization attempts. There are also various other filters, like Address Verification Service, which requires the address information from the sale to match the address on file with the cardholder’s issuing bank. Finally, there is no substitute for daily monitoring: log on to your gateway account every day and look for any anomalies.
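
The effect of the five-per-minute velocity setting on the 2,000-request example above, as an added sketch (not code from any gateway or from this site). The function names, the constructed burst of ten attempts per second, and the assumption that attempts rejected by the filter incur no authorization fee are all illustrative.

```python
from collections import deque

LIMIT = 5                 # max authorizations per window (the setting used above)
WINDOW_MS = 60_000        # one minute, in milliseconds
FEE_CENTS = 10 + 10       # $0.10 processor fee + $0.10 gateway fee per authorization


def apply_velocity_filter(timestamps_ms, limit=LIMIT, window_ms=WINDOW_MS):
    """Split a time-sorted stream of attempts into (accepted, rejected).

    Sliding window over the whole merchant account: an attempt is accepted
    only if fewer than `limit` attempts were accepted in the last window.
    """
    recent = deque()              # accepted attempts still inside the window
    accepted, rejected = [], []
    for ts in timestamps_ms:
        while recent and ts - recent[0] >= window_ms:
            recent.popleft()      # drop attempts older than one window
        if len(recent) < limit:
            recent.append(ts)
            accepted.append(ts)
        else:
            rejected.append(ts)
    return accepted, rejected


def fee_exposure_dollars(authorizations, fee_cents=FEE_CENTS):
    """Fees owed for the given number of authorizations that were processed."""
    return authorizations * fee_cents / 100


def constructed_burst(count=2000, gap_ms=100):
    """Constructed sample data: `count` attempts arriving every `gap_ms` ms."""
    return [i * gap_ms for i in range(count)]


if __name__ == "__main__":
    burst = constructed_burst()
    accepted, rejected = apply_velocity_filter(burst)
    print("attempts:", len(burst))
    print("accepted:", len(accepted), "rejected:", len(rejected))
    print("fees without filter: $%.2f" % fee_exposure_dollars(len(burst)))
    # Assumption: rejected attempts never reach the processor, so no fee.
    print("fees with filter:    $%.2f" % fee_exposure_dollars(len(accepted)))
```

A rejected count this large is also the kind of anomaly to look for during the daily review of the gateway account.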