Fraud Protection – Online and International Best Practices
The best practice you can have is to always be vigilant with your credit card transactions. Just like you protect your cash, protect your credit card sales! Review daily transactions, don’t allow orders or sales for fishy-smelling deals and protect sensitive information.
Online Best Practices
- Use AVS (Address Verification System): Always use AVS for eCommerce or keyed transactions. AVS compares the billing address provided with the billing address on file with the card-issuing bank, and returns an address match or mismatch response. Reject transactions with a mismatch response. The default settings in Authorize.net will do this automatically. If you accept a transaction with an AVS mismatch response, your rate will be affected. Note that for most international sales, AVS will not work, due to many countries using alpha-numeric zip codes.
- Use the CVV (Card Verification Code): Always require the 3 digit security code on the back of Visa, Mastercard, Discover, and JCB cards or the 4 digit code on the front of the American Express card with your transactions. If the CVV code does not match what is on file with the bank, reject the transaction. If you use Authorize.net, you need to set this up on your account. If you accept transactions with a CVV mismatch, your rate will not be affected, but this could reduce your ability to win a chargeback case.
- Review your Daily Transactions: Be on the lookout for unauthorized refunds (employee fraud), duplicate transactions, and excessively large orders to unknown customers. Immediately contact us or the 24/7 support center if you see any anomalies.
- Set your Gateway’s Daily Velocity Filter: If a fraudster is using your website to test credit card transactions, this will limit the number of tests they can run, causing them to go elsewhere. This will also limit the number of authorization charges you will incur for these fraudulent transactions. If you use Authorize.net, go to the “Account” menu, and click on the “Daily Velocity” link under the Security Settings area. Authorize.net also has additional Fraud Screening technology available with their optional Advanced Fraud Detection Suite. Contact us to learn how to activate this feature in other gateways.
- Additional Red Flags to look out for:
• “Rush” orders
• Orders shipped to an address that does not match the billing address
• Large orders
• Orders to be shipped outside the United States
• Multiple sales made in a short period of time which appear to be indiscriminate purchases
International Orders Best Practices
International orders can really help boost sales and donations, but they carry higher inherent risks. To help avoid being the victim of fraud, we recommend shipping products outside of the US only once you have vetted the cardholder and verified their address. Below are some best practices for your organization to follow when accepting international transactions.
- Use AVS (Address Verification System) if possible: Always use AVS for eCommerce or keyed transactions, if it’s available. If you are processing with Authorize.net, the default Address Verification Service (AVS) settings will automatically reject transactions placed on cards that were not issued in the United States, and you will see a letter code returned with the decline reason that corresponds to a specific AVS reject reason. If you decide to change those default settings so these transactions are not automatically declined, please take care to not fulfill the order, especially a large order, without vetting the customer first.
- Require copies of the customer’s passport and the front and back of the credit card: Most thieves will not reply, assuming that you are “fraud aware”, and have caught on to them. If they do respond, contact the card-issuing bank using the toll-free number on the back of the card and ask them to call their customer to verify that the charge is legitimate.
- Call the phone number given with the order: It may be bogus or could be the actual number of the person whose card was stolen. Ask the cardholder for the card expiration date, and the details of the order. Fraudsters often lose track of which card they used on which site, and go on a “shopping spree”, not remembering who they ordered from or what they ordered. A legitimate consumer will know exactly what they ordered and will be able to repeat their order accurately.
- Trust your Instincts: At the end of the day, we recommend trusting your “gut feeling.” Only you, the merchant, know your business well enough to determine if a transaction smells fishy or not. Use your best judgment, and when in doubt, ask for additional information from your customer. There’s a good rule of thumb: If your organization can’t withstand the loss of a sale plus the inventory, then we highly recommend either passing on the order, or requesting a wire-transfer. A legitimate customer will be willing to either verify their identity or complete the sale with an alternate payment. If you ever have further questions about a potentially fraudulent sale, give us a ring so we can help out!
An Authorize.net Example
The Authorize.net Gateway has an Advanced Fraud Detection Suite that allows you to manage 13 different types of fraud detection, from velocity to IP addresses to transaction characteristics. You can learn more about Authorize.net Advance Fraud Detection Suite in this video:
Need more help? Authorize.net has put together a great resource for their merchants, and you can read about all of the new features of your account, in their Getting Started Guide. Click to see all of Authorize.net’s Support Videos.