Best ways to prevent CC Fraud?

Hi,

Sorry, I know this is a "dev" forum, but thought maybe some of you all online store owners might be able to help. I've been selling online on my website for a couple of years now. I've never run into CC fraud until the last couple of months. The first one started where we shipped an item to a different address than the billing (which we've done plenty of times in the past) but then we get a charge back from our merchant and we are out of the merchandise we just shipped. Double whammy! Then, in the last couple months, we start getting all these orders where the billing and shipping address don't match so I've been weary of these orders. I'll call the number they leave, and there is no answer. I send emails and no answer. I feel something fishy here.

So my question is this. I know all ecommerce sites run into this problem, but can you all give some tips on how to at least reduce the number of these fraudulent orders? Its a pain to call and email all the people with non-matching addresses..so do you all usually do that? This is so frustrating! Sorry, had to vent. Thanks for any tips.

Signed invoices!

If card not present [e.g. online ecomm sale] it's your chosen risk... but before shipping any item get a signed invoice [which replaces the the cc slip]... if the signature matches the signature on file with the card issuer... no chargeback.

...also you can ship with signature required to receive shipment by a specific person... this means a recourse.

Thanks for tips Fathom. So how do you get a signed invoice before you ship an item? Do you have them fax the invoice back? Also, how would you see the back of the credit card if card not present to match the signatures? I'm a little confused.

Also, has anyone used the Verify By Visa and Secure Code by Mastercard? If so, any comments, concerns on using these on your website?

I use this, and as far as I can tell it hasn't negatively affected checkout completion rates (I'm always nervous about putting any additional steps in the process). The problem is though that not all cards are part of the scheme, so it's not foolproof by any means.

As for the issue regarding postal and billing addresses that don't match, although it's a pain to have to spend time confirming the legitimacy of these orders, it's nothing compared with the financial pain of losing money to fraud.

Maybe implement an additional telephone confirmation for all orders above x amount where the addresses differ? Make it clear in the checkout process that you're going to be doing this. Alternatively you could automate the confirmation process -- I do recall there being 3rd party services that do this, though I couldn't give you any names off the top of my head.

If it were me, and I couldn't contact the customer by phone or email, then I'd be very nervous about sending the goods out.

We ship by US Mail and use delivery confirmation on all packages. That costs a few cents per package but the buyer knows that the postal service recorded delivery. When we started using that "I didn't get the package" complaints immediately decreased. They dropped to almost zero. Now, if they say "I didn't get it" they are disputing the US Postal Service.

For higher value orders we use some combination of signature confirmation and insurance. We don't spend a lot on insurance. We only insure for the minimum. With insurance and signature the buyer is guilty of mail fraud if he trys to cheat us.

I've been involved with a major online retailer that sold electronics online - a prime target for cc fraud.

We create some automated rules in the software that flagged an order for credit card verification whereby someone from the customer service desk called the client, sussed them out and if dodgy either requested more info, such as photo id, cancelled the order or requested an alternate payment method.

Loosely, the rules we had for checking are below. Initially this was a human process but then the rules were automated and built into the system. IMO if it costs you $1-2k in coding costs to get this done its worth it.

-is the ip address the order was made from in our country (we'd block cc orders made outside our country, there was a semi-automated process where genuine customers were advised how to get an exception for their ip/subnet range
-does postal and shipping address match
-have they made orders before
-were any sales/pricing/stock enquiries made before order
-are there grammar/spelling/logic errors in the data inputted, eg correct data in the wrong field
-are lowercase characters used throughout the order details (suprisingly large no of CC fraud attempts got picked up this way)
-are they using free email address (gmail, hotmail etc)
-logic checking on the actual things they ordered, are the parts related, do they all work together

Hope this helps!
BTW don't rely on your shipping company to get an signature on invoices/delivery slips. Your sales rep at the company can give you as many guarantees as you ask for but quite simply, the guys at the other end delivery the parcel to your company just don't care.

Great comments everybody. I appreciate the help.
1. About the IP address lookup. I asked my host how to do this, but they said it was something my gateway should know. Is this true? How do you all go about finding the IP address of the customer when you have hundreds or thousands of visitors a day? Also, is there a good website that will tell you the geo location of an IP address?

2. I do get quite a few international orders, but none have resulted in chargebacks..yet! Anyhow, I read to be weary of certain countries. I sell dog products, so I'm probably not a prime target for CC fraud, but I've still been a victim.

Anyhow, its seems like nothing is really fool proof and this probably happens to everyone at some point. Am I correct on this assumption?

Ease of online buying equals the ease of online fraud.

Reducing online fraud usually impacts the ease of online buying... thus less sales... if you average:

Loses due to less sales : loses due to fraud you will "likely" find less sales cost you more.

That said - In my product sites I have CC insurance... it's still a cost but a cost that does not impact on any customer.

In my marketing orders [$500-6000 transactions] it's service base and signed invoices act as the credit card slip and a verified signature of the card holder protects my interests.

Agree here....always a tradeoff between convenience/ease of use vs. security.

In our particular instance, the products were high value, low margin with ~100 orders a day so the loss of a single product=lot of lost cash so the investment of ~$2k was easily justifiable.

As electronics were a prime target, CC insurance was something like $200k+ per year vs. ~$5k losses per year for cc fraud so a bit hard to justify here :-)

IMO credit card companies are laughing when it comes to CC fraud. The only one who really loses out is the business who inadvertently processed the transaction. Ultimately the original card holder will try and do a chargeback and if successful the business has to cough up the cash - essentially credit card companies profit from a security flaw in their product :-(

I dealt directly with VISA, MC, AX and Discover and it's about $30 - $38/month... since these are "global issuers" it isn't going to be too much different "anywhere".

In fact, your other point [~$5K] per year if a prime fraud rate [that is, as in, high] suggests your annual sales are less than $100,000 with a 5% fraud rate... and your insurance "rate" will never "EVER" exceed your yearly sales... won't ever come close... "200K in yearly fraud insurance" would be like on microsoft's sales forecast in the billions.

Sorry but your 200K+ per year sounds quite bogus.

Nothing bogus about it, approx figures from insurance companies.

At the time this was looked into, our only avenue for insurance on CC transactions was from general business insurers. This was about 2 years ago when there were far fewer options for payment gateways and transaction processing.

The fraud rate was post automated processes - obviously effective in our case.

OK - ignore your insurance company since they are "at best" middleman in a process that doesn't involve them thus for them to get involved likely cost them alot in setup and training... and that's why - if some smuck wanted to help them get into the game....??????

The "fraud," no matter who commits the crime - the only players are you, card holder, and card issuer... and the card issuer might be a bank but even so they are all tied to American Express guidelines as the grand-daddy... to a lesser degree the other CC [VISA, MC, DISC as the majors]

That's still $120-$150/month additional cost but it does kick the chargeback fee... lost product/shipping cost are a different matter... but most fraud orders are "overnight" to reduce the chance of being caught... beyond these most fraud thereafter can be detected with product enroute and a re-routing fee is usually around $10 for most shippers.