Date Published: 2000-12-01
Written by Rick Olson, Internet Business Center
12 Ways to Protect Your Business From Online Credit Card Fraud - Prevent Loss of Goods and Chargebacks
Despite the media attention given to the miniscule risks of
consumers being defrauded by online merchants, it is usually
the merchant who is the victim of Internet credit card
fraud. The incidence of fraud perpetrated by online
merchants against consumers is fairly rare. Consumers are
typically only liable for the first $50 of any fraudulent
transaction, and even this liability is often waived by the
credit card issuers.
On the other hand, credit card fraud can be important
depending upon the online merchant. Some claim they have
had no problems at all while others claim significant losses
(especially sellers of digitally delivered products). For
digitally delivered goods, there is no time to check out the
validity of the information provided by the customer, and
the e-mail identity and address may be as fraudulent as the
credit card number.
Here are some important things every merchant should know
about credit card fraud:
The verification process a merchant starts by swiping the
card through the terminal or key in the credit card number
in the credit card software program does not provide fraud
protection. All this verification process does is check that
the card has not been reported stolen and that it has
sufficient free credit available to fund the purchase.
The Internet makes credit card fraud easier in some ways.
Lists of stolen credit card numbers and even programs to
generate valid new numbers are readily available online. The
lack of face-to-face or voice contact on the Internet tends
to make a thieves more daring. Also, a thief can keep on
trying various combinations until he succeeds on the net
without fear of being confronted.
The current techniques for credit card fraud prevention that
use signatures on anti-tamper tape, holograms and now even
the etched image of a card's owner are of no value when it
comes to CNP (cardholder not present transactions)
transactions, as the merchant never gets to see the credit
card and verify the signature.
In offline POS (Point of Sale) purchases, merchants are
sometimes asked to call an authorizer (a human being) who
asks the merchant some questions or requests to speak to the
cardholder, for example, if an "out-of-pattern" purchase
tips off the consumer buying habit computer model or other
anti-fraud device, such as sophisticated risk models or
Unfortunately, none of the 7 Tips above are possible online
in "real-time". If an online merchant is willing to forego
many purchases by failing to provide for real-time credit
card authorization, they could resort to manually checking
each credit card request. But this can get very burdensome
as an online business grows.
Internet credit card transactions fall under the heading of
MOTO (Mail Order / Telephone Order) transactions, also
called CNP (cardholder not present transactions). Most
credit card merchant account agreements leave the merchant
100% liable for fraud committed via this type of
transaction. Thus, any fraudulent transaction results in a
chargeback. In addition, many agreements also require them
to pay a $15-$25 chargeback fee.
Further, if a merchant experiences a high level of
chargebacks they are often hit with an increase in the
discount rate they have to pay on each transaction or may
even have their account terminated. And once lost, a
merchant account can be almost impossible to obtain again.
Online merchants that become victims of a fraud will
probably receive very little support from the police. The
police are likely to view the amount involved to be too
small to bother about, or in the case of international
orders, to be out with their jurisdiction.
Still want to do business online with credit cards? :))
Well, it is a necessity if you are serious about e-commerce.
So, what to do?
Obviously, all online merchants should seriously consider
what protections they should take to prevent them from being
defrauded-before a fraud attempt occurs. Here are a number
of way to limit your exposure to fraud:
Always verify the customer's billing address. This can
be done automatically with the Address Verification System
("AVS"). The AVS system compares the statement billing
address on file with the credit card issuer with a
customer's billing address provided with each order. It
gives added assurance that customer is the legitimate
cardholder. Check to see if the processing equipment or
software provided by your merchant provider supports
AVS was developed to help MOTO (Mail Order / Telephone
Order) merchants avoid fraud, but is relatively limited in
its prevention of online fraud. One of the major
opportunities that the Internet brings is the ability to
accept orders from all around the world, but AVS only works
for addresses in the USA.
Another major advantage of the Internet is that it allows
"soft" goods such as software to be purchased and downloaded
instantly. AVS provides no protection here as all a thief
has to do is to obtain a valid address that corresponds to a
stolen credit card number. This is certainly not hard to do.
It matters not that the address is not the thief's, as
nothing will be physically delivered anyway.
And even with "hard" goods there is still a problem as
thieves can supply a valid address for a stolen credit card
as the "bill to" but then request a different "ship to"
The shipping address & billing address should match.
Some merchants don't accept orders where the "ship to"
address differs from the "bill to" address from
international customers and some carry out additional checks
even for domestic orders.
For example, I have had to call the credit card company to
verify that it was actually me who wanted a computer shipped
to the office, but charged to my personal credit card for
which the billing address was my home.
Be wary of orders from free e-mail addresses. Once a
thief has a stolen credit card number and a stolen address
they need one more thing to complete their fraud portfolio -
an untraceable e-mail address to hide behind. That's why a
high proportion of fraudulent orders come from free e-mail
addresses. As a result, many merchants refuse to accept
orders from them or at least perform additional checks.
You can find a list of free e-mail domains on the AntiFraud
Web site at http://www.antifraud.com/redflag.htm.
Check out the customer's Web site, where it is possible.
This often possible to determine the URL of a customer's Web
site by simply putting "www" in front of the second part of
their e-mail address. For example, if a customer provides an
e-mail address of "email@example.com" then typing
www.somedomain.com into a Web browser usually leads to their
Things to look out for include empty or "under construction"
Web sites or sites where the contact information differs
significantly from the order information. For example, the
Web site might display a U.S. business address but the order
requests delivery to be made to Eastern Europe.
Some merchants go even further and check out who owns the
domain name. Information on the ownership of US domains is
available on the Network Solutions Web site at
Watch out for unusual orders. Thieves tend to place
orders that differ significantly from what legitimate
customers typically order. Things to look out for include
orders for "big ticket" items, orders for unusually high
quantities and orders where the customer is prepared to pay
a lot for expedited delivery.
Phone the customer if you have doubt. A quick telephone
call can often be enough to establish whether an order is
legitimate or not.
Collect all possible order data: When trying to detect
fraudulent orders or trying to recover money lost through
fraud, the more data you have available the better. This
includes the customer's address and telephone number, the
name of bank that issued the credit card, and the IP address
of the computer from which the order was placed. (Of course
this conflicts with the concept of asking for no more
information from your customer than needed, but you will
need to judge how important preventing fraud is for your
product and your target audience.)
Warn visitors of anti-fraud devices and consequences of
fraud. Stating clearly on a Web site that the merchant has
anti-fraud safeguards in place and will pursue prosecution
for all fraudulent orders can be enough to scare of some
Never process (factor) for someone else. It is illegal
as well as a breach of your agreement It could cost you big
If using a real time service, ensure it's reliable.
Contract for a sophisticated anti-fraud service such as
CyberSource if fraud is
likely to be or becomes a problem. These services can
automate many of the checks you might do manually, and
reduce your incidence of fraud well below what you could
do by yourself. Do not let credit card fraud limit your
growth! There are effective ways to manage this risk. For
much more on this, see "Automate Your Credit Card Anti-Fraud Efforts" at
Utilize SET (Secure Electronic Transaction) or the
Microsoft Wallet approach with digital certificates which
authenticate the web site visitor. But, are you going to
forego a sale if a customer does not have the appropriate
software on his computer? Most merchants won't.
For much more on accepting credit card payments on your
web site, see "Making It Easy For the Customer To Buy Online
By Offering Credit Card Purchasing" at
Written by Rick Olson, Internet Business Center
Rick Olson, from Internet Business Center,
offers a free Web Site Review with at least three ways to improve your site. Avoid the big mistakes that cost you
money. See for yourself the high quality of the advice for profitable web sites.
firstname.lastname@example.org. Subscribe to his free weekly newsletter for fresh articles,
quick to use how-to tips, guides, and internet business tools. Use the
form or click
here to subscribe.