Get What’s Coming to You
For catalogers, payment fraud accounts for a high cost of doing business. On the Internet alone, estimates are that losses from payment fraud exceeded $1.6 billion in 2003.
For direct-response merchants, credit card fraud losses averaged 1 percent of orders in 2003, which may not sound exorbitant, but in terms of total sales, the costs are huge. The good news is that online fraud losses declined from 2.9 percent of total online revenues in 2002 to 1.7 percent in 2003, according to Cybersource Corp./Mindwave Research.
The cost to your customers also is high, because for every fraudulent order, merchants reject another three or four based on their suspicion that the order may be bogus. So in reality, the true cost of fraud is equal to the amount of direct fraud your business experiences, plus the number of good orders that were rejected due to suspicion, and the costs associated with fraud management (e.g., manual review time, training time, chargeback fees).
And because during a telephone order or online transaction the customer’s card is not visible to the merchant, those types of payments continue to be a higher-risk proposition than for traditional brick and mortar merchants.
Following are best practices we encourage merchants to incorporate into their business processes to reduce their risk of payment fraud.
Know Thy Enemy
The face of a fraudster takes many forms and is not defined by socioeconomic boundaries. In some cases, it may be a teen shopping with a stolen or borrowed credit card trying to beat the system, or a shopper of any age who resolves his or her buyer’s remorse by disputing the charge.
The more devious types of fraudsters are those targeting specific merchants or offshore professionals attempting to make purchases in the United States.
Then there’s the “credit master,” someone who uses software that actually generates credit card numbers. At some point, these individuals get lucky with a real number.
Last but not least are, unfortunately, your own employees. No one knows better how to beat your system than the people you pay to utilize it every day.
Best Practices for Detecting External Fraud
In general, there are two types of fraud: internal (done by employees) and external (done by everyone else). These types of fraud take numerous forms but always result in the same outcome: The business owner loses money.
Types of external fraud include:
- identity theft;
- e-mail, chat room and instant messaging schemes;
- re-shipping schemes;
- card generators;
- dumpster divers; and
- skimming (magnetic stripe readers)
Every business is different, of course, and some best practices to fight external fraud will make more sense to you than others. While you want to protect your company, an overly zealous attempt can result in customers feeling insulted because you’re asking for what may seem to be too much information, or by declining a transaction that may be legitimate but doesn’t fall within the parameters you’ve established for authenticated transactions.
The key in many instances is giving your contact center employees the data they need to detect potentially fraudulent transactions, and empower them to act on those hunches right away. Following are some basic steps to identify external fraud.
Check for proper addresses and phone numbers. One of the most fundamental detection tactics is to verify customers’ addresses and phone numbers. Compare ANI (Automatic Number Identification) to the phone number provided. If the numbers don’t match existing database information, instruct your contact center staffers to proceed with caution.
Beware of suspicious addresses/hotspot countries. The same goes for suspicious addresses that have proven in the past to be either fake or high-risk, such as prisons and P.O. boxes, and hotspot countries that historically have shown higher instances of fraud (e.g., Nigeria).
Maintain an in-house negative file. While third-party negative databases are useful in preventing fraudulent transactions, you should have your own negative database of cardholder information. Keeping a customized list helps you to be doubly sure you’re authenticating the transaction to the best of your ability.
Beware of rush orders. For some customers, next-day delivery is a value-added service. For fraudsters, however, it’s an easy way to get the goods before the transaction has been settled. Teach contact center employees to carefully scrutinize rush orders requested by new customers. Likewise, beware if a customer is indifferent to color, size, model, etc., of the product being ordered. The customers who say, “Just send it to me, I don’t care what it looks like,” can spell trouble.
Watch out for high ticket/high quantity orders. If your average ticket size is $50, then a $600 order may indicate something is amiss. Likewise, if you sell statues, and generally customers order one or two at a time, then beware the 50-count order.
Perform velocity checks. With reporting tools, you can monitor the amount of same card numbers or same bill to/ship to address transactions that filter through your system. Three or four in a row could be a red flag.
Perform e-mail address checks. Requiring e-mail addresses for order confirmation also can determine the order’s legitimacy.
Tools to Fight External Fraud
As noted earlier, external fraud can take many forms. Identity theft alone has reached an alarming growth rate of 25 percent each year. More sophisticated scammers, like card generators, hackers and skimmers, are no longer an anomaly.
Yet 75 percent of all disputed transactions are due to one reason: The customer wasn’t authenticated at the point of sale. As a cataloger, you have the right to set parameters for each transaction that’s initiated, both via phone and Internet. Now more than ever, authentication methods are mandatory. They include the following:
Address verification is based on the numbers in a customer’s billing address. Here’s how it works: After the data are collected, they’re submitted for authorization. The information then is compared to data on file with the issuing bank for that user. You get one of the following responses: match, no match or partial match.
The best part to address verification is there are no added processing costs. However, address verification can be subject to false positives, which in turn can result in lost sales.
(Note: Address verification is a highly effective tool in the United States, but still is in its infancy in the United Kingdom and Canada.)
Card security verification is available from the major credit card companies. Visa offers CVV2; MasterCard’s is CVC2; and Amex and Discover have CID. Employing these requires an extra step from your cardholder, and it also requires a change in your order-acceptance procedures. However, card verification is extremely effective, and doesn’t add to your processing costs.
Visa and MasterCard have taken steps to ensure that issuers use card verification tools. In fact, Visa dictates that U.S. issuers must support CVV2 to maintain chargeback rights for fraud. As of April 2005, that will apply to international issuers as well. Currently, both U.S. and international issuers are subject to that rule under MasterCard.
Verified by Visa (VbV) and MasterCard SecureCode are services that allow issuers to authenticate the cardholder at the time of purchase for Internet-based transactions. The cardholder registers his or her card with the issuer, adding a personal password to the account to enter at checkout.
When using VbV or Secure-Code, the merchant collects the authentication data, which then are submitted to the processor during authorization. The processor in turn passes the authentication to the card association. To use these, the merchant must integrate plug-in software that communicates to each card association’s central server to get issuer authentication at the time of purchase.
Employ both solutions and the advantage is a reduction in fraud chargebacks and disputes — both of which directly affect your bottom line.
The liability is shifting. Last year, VbV merchants received protection against fraud chargeback reason codes, regardless of the issuer or cardholder’s participation. Interchange rates now are five basis points lower for e-commerce preferred (VbV) consumer transactions.
In addition, MasterCard offers protection from fraud chargeback codes to merchants using Secure-Code -— if the issuer and cardholder have enrolled in the program, and the cardholder is fully authenticated. Lower interchange rates are available to qualifying international (not domestic) MasterCard transactions.
Other authentication methods include:
- score-based (i.e., pattern detection, consortium-based);
- rules-based (i.e., “if, then” statements);
- identity verification (i.e., data element matching);
- third-party databases and negative files; and
- IP validation (i.e., geo-location to determine the IP origin).
A robust risk management solution combines many of the above methods.
As a cataloger, you can never be completely sure the customer is who he/she says. That’s why for some catalogers, it makes sense to use a third-party provider of risk-management solutions. There are many to choose from, including Retail Decisions, CyberSource, ClearCommerce, Experian and VerifyME. Some of them are costly, and some may seem intrusive to the cardholder. However, they also can offer you added technical support. Work with your processor to decide if this is a good fit for your business.
When shopping for a management solution, consider the depth and breadth of the database(s); frequency of updates; who contributes the data; whether the solution provides you with a user-friendly response; and whether it offers reason codes for declined transactions.
Prevent Internal Fraud
As in the brick and mortar retail space, internal theft, initiated by the very people who are on your payroll, remains the most common method of fraud. Dishonest employees can take full advantage of fake returns, so avail yourself of internal control methods such as the following:
1. Restrict access to refund capabilities among your employees. For example, require manager approval.
2. Ensure refunds match a prior sale.
3. Review merchant statements and monitor refund rates.
4. Restrict employee access to customers’ credit card information; that is, block the card number or just the last four digits.
[Editor’s note: For tips on how to prevent internal loss in your distribution center, see “Safeguard Your Inventory,” April 2004 Catalog Success.]
Future Forms of Fraud
New forms of fraud are being developed every day. What once was an aberration becomes mainstream in no time. For example, phishing, in which fraudsters trick consumers by duplicating a company’s Web site (i.e., to request that they update their information with a credit card number, address and phone number) has become a serious issue for both retailers and financial institutions. You must remain aware of the types of fraud in vogue and help your customers understand how to avoid the latest scams.
Some best practices are easy and inexpensive to implement, while other services may add to your payment acceptance budget. Nevertheless, the old adage “You can’t afford not to” has never been truer. Work with your processor to decide what is right for your business. Use these methods, and you’ll save both time and money. And best of all, you’ll find yourself with more time to concentrate on your business, instead of on payment fraud.
Helpful Web Sites
Your acquirer can offer you fraud-prevention guides, as well as updates on card association rules. Here are some helpful Web sites to check out:
www.bmitf.org (This is the site for the Business Mailing Industry Task Force, a subscription-based database of suspected fraudulent addresses.)
www.ic3.gov (The site for the Internet Crime Complaint Center; use this to file a complaint about online fraud.)
www.usa.visa.com/business/merchants/afs_overview.html. (You’ll find fraud-detection tips from Visa for card-not-present merchants.)
www.mastercardmerchant.com/preventing_fraud/index.html. (This site offers fraud prevention tips from MasterCard.)
As a product manager for Paymentech, Tonya Carroll oversees many of the company’s fraud management and recurring payment tools, private label (closed-loop) card processing, among other products. She wrote this article at the request of the Catalog Success editors. Paymentech is a national electronic payment processor based in Dallas. To reach Carroll, e-mail her at: email@example.com.