My Merchant Account Blog

Preventing Online Fraud

Saturday, December 23, 2006

One of the first things you need to do as a merchant is to verify the consumer.  On card-present transactions, this can easily be done by asking for a valid photo identification card, i.e.  a driver's license or state issued ID card.  On card-not-present-transactions, this is much more difficult for the merchant to accomplish. 

Basic Fraud Prevention Techniques - Steps One and Two

Address Verification

The first step in preventing fraud in a card-not present environment is called address verification.  The consumer will enter their billing address.  The gateway will send this information over to the transaction processor (usually First Data or Nova (Elavon)) for verification.  The transaction processor will send back some codes to let you know that the AVS was a match or not.  Usually this match is done on the street number and ZIP code only.  So if the street address was 1234 Main Street and the ZIP code was 90210, the transaction processor would take a look at 1234 and 90210.  The alpha characters are not verified. 

Once this is completed, you will want to seriously consider sending your product to the billing ZIP code.  This will help to prevent some of the chargebacks but will also cause some problems if the consumer works all day.  The shipping companies have become so inundated with packages from the ever-growing business, that they will drop the package at the door, not waiting for a signature.  Without a signature, you do not have proof of delivery. 

AVS is subject to a significant rate of "false positives" which may lead to rejecting valid orders as well as missing fraudulent orders.  If the cardholder has a new address or a valid alternate address (such as seasonal vacation home), this information may not be up-to-date in the records of the cardholder's issuing bank, so the address would be flagged as invalid.  Merchants typically do not rely solely on the AVS result to accept or reject an order.  Approximately 75% - 80% of online merchants rely on address verification service as a tool to help prevent fraud. 

CVV2 / CVC2 / CID

Card Verification Value 2 / Card Verification Code 2 / Card Identification Number

Visa calls the three digit number a CVV2 (Card Verification Value 2).  MasterCard calls it CVC2.  American Express and Discover call this CID.  This number is found on the back of the of Visa, MasterCard, and Discover cards.  It is a four digit number on the front of American Express.  At first the card associations came out with this number to curb fraud.  The card associations told the merchants - do not store this number.  They thought this would potentially stop most of the fraud.  However, these numbers can be obtained by fraudsters just as credit card numbers are obtained.  The CVV2 / CVC2 / CID usage by online merchants has continued to increase rising from 44% of online merchants using this tool in 2003 to 66% today.  It appears that asking for the CVV2 / CVC2 / CID has become standard practice for many online merchants in 2005. 

The purpose of card verification number in a card-not-present transaction is to attempt to verify that the person placing the order has the card in their possession in order to provide the additional security digits.  Requesting the card verification number during an online purchase can add a measure of security to the transaction.  Approximately 66% - 75% of online merchants rely on this number to help reduce fraud.

Adding a Surcharge to a Credit Card Transaction

Wednesday, December 06, 2006

Usually in your merchant account agreement, it will state that you cannot charge any additional fees to the consumer if they pay using a credit card instead of cash.

However, debit cards and credit cards have different rules and regulations. Interlink Debit grandfathered in organizations about ten years ago that were using their system to accept payment. Interlink allows these merchants to charge a surcharge specifically when a consumer pays and it goes through the Interlink debit system.

Credit card companies also allow the merchant to surcharge the consumer if and only if:

• Charged for a bona fide convenience outside of the merchants customary payment channel
• Disclosed to the cardholder as a charge for alternative payment channel
• Added only to non face to face (if merchant is face to face merchant)
• A flat or fixed amount
• Applicable to all forms of payment
• Disclosed prior to completing transactions
• Included in total amount of transaction

Meeting the above requirements, remember will be in the credit card associations (Visa, MasterCard, etc) and your merchant account provider. Before doing any type of surcharging, contact your merchant account provider and / or the associations for specifics.

I do not recommend this be done because if it does not follow the guidelines as set forth between your merchant account provider, the card associations, and yourself, you might find yourself without a merchant account and on the MATCH list.

Subscription Based Websites

Saturday, December 02, 2006

A lot of websites are based on subscriptions. Charging a consumer for anything is very risky and charging them monthly just makes it riskier. You run the risk of chargebacks and fraud. A lot of times, these go hand in hand. Someone might want to see what you have to offer and will use a credit card number that does not belong to them. By the time that you find out, they could potentially have used your services for a couple of months. You are now out your subscription fee(s) as well as chargeback fee(s). A few of these can potentially ruin a merchant.

You have a number of options available to you and choices to consider. The first, of course, is do you really want to get involved with something like this? Once you realize you do, you will want to protect your merchant account. You might even consider using a third party processor to process your transactions. Using a third party processor will help with a lot of the "scrubbing". Scrubbing basically means that the transaction will go through a few fraud prevention tools to help verify the transaction.

Once this is completed and the transaction is deemed OK by the processor, the consumer will be allowed access to your site. A lot of times, chargebacks will happen in days of the transaction. The consumer might not have thought it was worth their money. And instead of calling you, they contact their issuing bank. A good rule of thumb for this is to always send out an email maybe a couple of hours later even asking them about the service, etc. This way you open the communication with them.

Depending on the issuing bank, the consumer can have months to potentially request their money back. Usually with a debit card (with a Visa or MasterCard logo on it), the time frame is less than a credit card (with a Visa or MasterCard logo on it). With American Express, the time frame increases to almost forever. I have seen merchants complaining of chargebacks from over 18 months. This is why you should always keep records.

There are pros and cons to a subscription website. Whenever you are dealing with consumers, the word chargeback always lurks around. Increasing your business unfortunately increases your risks. You will want to do everything possible to scrub the transaction to prevent a chargeback.