In our previous blog post, we discussed a few methods and scams used by online fraudsters specifically in the travel industry. Today, we will discuss in more detail the common best practices for effectively minimizing the fraud risks merchants face in the world of ecommerce.
Using a secure credit card processor is an efficient way to ensure customer protection and avoid online fraud. For example, 3G Direct Pay has adopted the use of sophisticated risk management methods to monitor transactions and to intercept and reduce online fraud attempts. Among the various methods that should be employed to avoid fraud are the following:
- PCI-DSS: Complying with the Payment Card Industry Data Security Standard ensures that your systems are secure and that customers can trust you with sensitive data, and it improves your reputation. Earning this certification requires merchants to utilize advanced fraud and risk management technology with the latest algorithms for fraud checks. Merchants must enact stringent security procedures and meet the strict standards set by the PCI DSS. Working with a payment processor that is PCI DSS certified, such as 3G Direct Pay, can reduce the cost and burden of maintaining PCI compliance certification for the merchants themselves.
- AVS: Address Verification System is an automated fraud prevention method used to reduce the risk for merchants selling in the “card-not-present” environment (e.g. online or telephone purchases). AVS checks the billing address listed in the transaction against any address registered with the issuing bank. Merchants should request both the billing and shipping addresses of the consumer so an AVS check can be conducted before a transaction is processed.
- CVV: Card Verification Value is the three-digit security code printed on the back of the credit or debit card (in the case of American Express, four digits on the card front). It is not stored in the magnetic stripe or embossed on the card, so it can’t be as easily retrieved by thieves unless the card is in their possession. Visa calls it a CVV2, MasterCard calls it a CVC2, and American Express calls it CID.
- Geolocation by IP Address: This can help to identify the consumer’s precise location or determine the distance between the billing address of the person who is paying for the product and the actual location of the person who is placing the online order. Thus, it acts as an additional verification or authentication measure for transactions that have a significant distance discrepancy. Geolocation technology provides information that helps online business owners decide which transactions to examine closely and which to clear. This leads to an even balance between the risk of losses due to fraudulent activity and the risk of preventing legitimate customers from completing their purchases.
- Check if the customer used an anonymous proxy server: Anonymous proxy servers enable people to hide their real IP addresses. Proxy servers are used by fraudsters as they help them stay anonymous and avoid detection. Detecting an anonymous proxy server is no simple task, as they appear and disappear sporadically.
- Compare the IP address country with the billing address country: Check that the IP address country of the customer and the billing address country where the product will be delivered are the same. If a customer’s shipping and billing addresses are in Canada, but the order was placed from an IP in Ukraine, you should closely scrutinize the transaction. In some cases, this scenario could be completely legitimate, but it's better to be safe than sorry - call the customer's Canadian phone number to confirm the order and the customer’s identity.
- Check if the shipping address is in a “high risk” country: Merchants should always pay close attention to orders that are shipped to an international address. They should pay even closer attention to the transaction if the shipping address or credit card is located in a country where credit card fraud is prevalent. The top 12 countries where online fraud is prominent are: Indonesia, Romania, Pakistan, Ukraine, Malaysia, Turkey, Lithuania, Egypt, Bulgaria, Yugoslavia, Russia, and Israel. While an order being made from one of these countries is not a strong sign of online fraud, there are statistics and trends that show us that merchants should use this information to help them determine how stringently to authenticate transactions originating from these areas.
- Security Services: Using a “trust mark” security service that scans your systems daily to search for malware and vulnerabilities is a superb tactic for reducing fraud, as it adds an additional level of security. In addition to your own fraud prevention measures, and those of your payment processor, a security service gives the added protection to make your online business even safer. TRUSTe, VeriSign, and McAfee Secure are examples of services that help avoid and catch problems fast. They also increase customer trust and decrease the attractiveness of your site to hackers.
- 3D Secure: Implementing 3D Secure offers merchants an additional security layer for online credit and debit card transactions. This goes a step further than standard comprehensive fraud protection, as it ties the payment authorization process to an additional online authentication step in which the end user is prompted to enter a password known only to the bank and the customer. Visa offers 3D Secure as Verified by Visa, MasterCard as MasterCard SecureCode, JCB International as J/Secure, and American Express as American Express SafeKey in select markets.
Some merchants may opt out of accepting online payments in order to avoid fraud attempts; however, this does not reduce exposure. On the contrary, the risk of falling victim to fraud is actually higher due to fewer control measures. Fraud can take place offline as well as online: such “offline” (or “traditional”) methods could include theft of actual credit cards and the creation of fake IDs or other documentation, such as passports and driver’s licenses. On top of that, a business that does not accept online payments will surely lose many clients and possibly go out of business.
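The AVS, CVV, proxy, and country-comparison checks above can be combined into one triage step. The following is an added example, not code from 3G Direct Pay or any card network. The signal names, weights, thresholds, and the two-country high-risk set are illustrative assumptions, and the AVS/CVV results, IP country, and proxy flag are assumed to have been resolved already by the processor and a geolocation lookup.

```python
from dataclasses import dataclass

# Illustrative weights and thresholds (assumptions, not values from the article).
WEIGHTS = {
    "avs_mismatch": 30,
    "cvv_mismatch": 40,
    "anonymous_proxy": 25,
    "ip_billing_country_mismatch": 20,
    "billing_shipping_country_mismatch": 15,
    "high_risk_destination": 15,
}
REVIEW_AT, DECLINE_AT = 20, 70

@dataclass
class Order:
    avs_match: bool        # AVS result returned by the payment processor
    cvv_match: bool        # CVV2/CVC2/CID result returned by the processor
    ip_country: str        # ISO 3166-1 alpha-2 code from an IP geolocation lookup
    billing_country: str
    shipping_country: str
    anonymous_proxy: bool  # True if the source IP is a known anonymous proxy

def signals(order, high_risk_countries):
    """Return the names of the fraud signals that this order triggers."""
    ip, bill, ship = (c.strip().upper() for c in
                      (order.ip_country, order.billing_country, order.shipping_country))
    checks = [
        ("avs_mismatch", not order.avs_match),
        ("cvv_mismatch", not order.cvv_match),
        ("anonymous_proxy", order.anonymous_proxy),
        ("ip_billing_country_mismatch", ip != bill),
        ("billing_shipping_country_mismatch", bill != ship),
        ("high_risk_destination", ship in high_risk_countries),
    ]
    return [name for name, hit in checks if hit]

def triage(order, high_risk_countries):
    """Score the order; return (decision, score, triggered signals)."""
    found = signals(order, high_risk_countries)
    score = sum(WEIGHTS[name] for name in found)
    decision = ("decline" if score >= DECLINE_AT
                else "review" if score >= REVIEW_AT else "clear")
    return decision, score, found

# Constructed sample data. HIGH_RISK is a subset of the article's list, for illustration.
HIGH_RISK = frozenset({"UA", "RO"})
CANADA_FROM_UKRAINE = Order(True, True, "UA", "CA", "CA", False)
CLEAN = Order(True, True, "CA", "CA", "CA", False)
STACKED = Order(False, False, "NL", "US", "RO", True)

if __name__ == "__main__":
    for o in (CANADA_FROM_UKRAINE, CLEAN, STACKED):
        print(triage(o, HIGH_RISK))
```

A single country mismatch lands in manual review rather than decline, which leaves room for the phone confirmation step described above.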
For more information on security measures, best practices, and online fraud prevention training, check out the Visa and MasterCard resource centers. They provide literature that can help guide you through the various procedures and use of advanced anti-fraud systems.
Protecting your online business from fraud, theft, and hacking is of utmost importance – now, more than ever before. By working with a PCI DSS Level 1 payment service provider that implements the aforementioned security measures, you will be better equipped to mitigate the risks of online fraud and run a healthy and prosperous operation.