Preventing or at least minimising credit card fraud is every merchant’s responsibility—both in-store and online. Using appropriate prevention techniques helps to keep your customers safe. It also protects you from excessive chargebacks and the possibility of being barred from opening another merchant account. If you run a business, it’s essential to be familiar with:
- Checks for card-present transactions
- Checks for card-not-present transactions
- How to balance security and ease of use
- The role of your payment processor in merchant credit card fraud prevention
Preventing Credit Card Fraud In-Store
Any business that accepts credit and debit cards is vulnerable to fraudulent transactions. These typically take place when:
- The card being used was physically stolen
- The card is being used by a family member without the cardholder’s knowledge or consent
- A counterfeit credit card is being used
Fortunately, a few simple checks at the checkout are usually sufficient for merchant credit card fraud prevention. Make sure that your employees follow these steps consistently as they only take a few seconds and can save you significant losses of time and money trying to recuperate the goods.
Always Check the Signature on the Card
Credit card fraud can often be detected simply by comparing the signature on the card to the signature of the customer on the receipt. If the two signatures don’t match, you’ll know that the credit or debit card is not theirs. Never process a purchase made with a physical card that is not signed as you won’t be able to identify fraudulent transactions.
Reject Cards that Are Damaged or Defaced
Most cards today come with a chip as well as a magnetic stripe that contains embedded information. Counterfeit cards won’t have these security features. In an attempt to bypass your security checks, fraudsters might present a card that is damaged or defaced and ask you to enter the card number manually. In this case, ask for a different payment method or decline to process the purchase.
Ask for the Customer’s ID
Both traditional fraud and family fraud can occur when a physical card is stolen. You can prevent these transactions from going through by asking the customer for a photo ID. If the name on their ID doesn’t match the name that is printed on the card, refuse to put the transaction through. In some cases, parents do allow their children to use their cards, but this privilege can be abused and it’s better to be safe than sorry.
Verify Receipts before Issuing a Refund
Refunds for faulty goods or a change of mind are an important part of customer service. However, this loophole also provides an opportunity for fraud. Fraudulent activity can take place when:
- The customer tries to return stolen merchandise
- Someone tries to return goods with a counterfeit receipt
Employees who work in the returns department can be trained in merchant credit card fraud prevention strategies, such as verifying the original purchase date in the system and requiring that the customer provide a receipt. Be sure to make your returns policy clear so that customers know what to expect.
Don’t Accept Threatening Behaviour
Unauthorised customers may try to bully the cashier into processing a sale even when they don’t pass the security checks. While a legitimate customer may genuinely have forgotten or lost their ID or for some reason the chip is not working, these problems are much more characteristic of a fraudster. Have a clear “no aggression” policy displayed at the checkout and provide a way for your cashiers to discreetly call for help.
Communicate with Your Payment Processor
If a legitimate customer wants to make an unusually large order and pay for it with their credit card, it’s helpful to notify your payment processor beforehand so that they don’t flag the transaction as suspicious. Likewise, if you do let a fraudulent transaction through and later discover it wasn’t a legitimate customer, you should notify the cardholder, card network and issuing bank so that they can put a block on the stolen card.
Preventing Credit Card Fraud for Card-Not-Present Transactions
Card-not-present fraud is much easier to perform than card-present fraud simply because there is no direct communication with the customer and you can’t see their physical card. Offering online payments, telephone payments or mail order payments automatically puts merchants at risk for payment fraud.
Basic Ecommerce Fraud Prevention Strategies
These standard security measures should be part of any payment gateway and are measures that customers expect. While they will help you to decrease fraudulent transactions significantly, they don’t represent any unnecessary hassle for customers and shouldn’t lead to checkout abandonment.
Card Verification Value
Debit and credit cards come with a 3-4-digit number imprinted on the back that is not embedded in the magnetic stripe and is not displayed on receipts. This number is referred to as the CVV2 (VISA), CVC2 (MasterCard) or CID (American Express). If a customer can enter these digits at the time of purchase, it’s much more likely that they actually have the card with them and are not simply using a stolen credit card number.
When you are taking online payments, telephone payments or mail orders, it’s very important not to keep your customers’ card numbers and security digits on file as these details could be stolen by employees or a third-party hacker. This is also a requirement for PCI compliance. Each purchase should be treated as a new transaction and it’s up to the customer to save their card details on their browser if they wish to save time on a future purchase.
Address Verification System (AVS)
Issuing banks in the United Kingdom, United States and Canada provide the possibility of verifying the billing address against the address that cardholders have on file with their bank. If the zip code, city, state, country or street number don’t match, the suspicious transactions will be flagged for follow-up before they can be approved.
If the address verification service fails, it’s the merchant’s responsibility to call the card network (VISA, MasterCard, Discover Card or American Express) or the card-issuing bank to verify the customer’s address. It’s possible that the customer recently moved or that the address verification system is down. You can find the issuing bank by entering the first six digits of the card number (the bank identification number or BIN) on the BIN website: http://www.binlist.net/
Caveats with AVS
There are two scenarios in which AVS is not totally effective for merchant credit card fraud prevention. The first is if the unauthorised customer was able to find the cardholder’s address online or in a telephone book. The second is if the customer has recently moved, in which case you will be blocking a legitimate sale.
However, according to VISA, using AVS plus CVV2 validation for card-not-present transactions can reduce chargebacks by as much as 26%, so this is a very worthwhile security check to have in place. If the card validation number is correct but the AVS check fails, you can always call the customer and their bank directly to resolve the issue without losing the sale.
Different Billing and Shipping Address
Comparing the billing and shipping addresses is another way to detect online payment fraud. If the fraudster managed to obtain the cardholder’s billing address, they will usually have the goods shipped to a different address—their own, a mailbox forwarding service or the address of an innocent third person.
There are other possible reasons why the billing and shipping addresses might not match, such as a customer who is travelling, a customer who is buying the product as a gift or a customer who lives in a country where your business doesn’t ship and they’re using a friend or mailbox forwarding service to receive the goods. There are several ways to resolve these situations without turning a legitimate customer away:
- Flag these kinds of suspicious transactions for review rather than blocking them outright.
- Display an alternate “thank you” message that explains further checks will be completed before the credit card can be processed. You should still send the customer an email receipt.
- Ask international customers to contact you by phone or email to authorise the purchase and arrange the best method of payment.
Additional Steps for Customers to Complete
There is a delicate balance between ensuring merchant credit card fraud prevention and making it too much of a hassle for legitimate customers to make a purchase on your site. However, specific security measures used as needed (rather than every time) can help in cases of large or potentially suspicious transactions.
For a new customer or an especially large ticket item, you could send a verification code to the customer’s phone that they need to enter in order to validate the purchase. This helps to prevent credit card fraud in the case of a stolen card.
Card and ID
For a faxed or online transaction that you suspect might be fraudulent, you can contact the customer and ask for a photo or scan of the front and back of their credit card as well as their ID. Very few fraudsters will take the time to complete this verification and will decide to go elsewhere.
Customise Your Fraud Scrub
Fraud scrub should be included in your merchant services package. If it’s not (or if you’re charged extra for it), your merchant services provider is not doing their job. In your merchant account, you should be able to set your own transaction thresholds (ticket amount and quantity of transactions) and decide whether to block or simply flag the following kinds of suspicious activity:
- Larger-than-usual tickets
- Repeated transactions and repeated items
- Different billing and shipping addresses
- Purchases made from certain countries
You can also create an internal blacklist that blocks transactions from certain people, cards and IP addresses. This will help to prevent anyone who has made a fraudulent transaction in the past from doing it again. Some merchants also create an internal whitelist. However, a legitimate customer could still have their card details stolen in the future, so whitelists aren’t 100% foolproof.
Additional Steps for Merchants to Take
Once suspicious transactions are marked for review, there are several things you can do to work out whether the transaction is legitimate.
Online tools can help with merchant credit card fraud prevention when a transaction is flagged as suspicious. Simply enter the customer’s name, phone number, address or email address and see if the details match up. For example, if the reverse lookup results indicate that the name and address that are being used to purchase Halo Infinite correspond to a 90-year-old woman in Cornwall, it’s a likely case of credit card fraud.
Search people by landline or mobile phone number, check area codes, trace phone numbers and more.
Match a calling code to its country of origin.
A list of international reverse lookup directories—some free and some paid.
Verifies the identity and location of the customer. This is a paid service.
Look up the phone numbers of customers from the United States for more information about the customer and where they are located.
Look up customers in the U.S. by name and state and view their age and recorded address.
Look up customers in the U.S. by name, address or telephone number and match their email address, phone number, age and social media profiles.
Call the Customer
This might seem like the most obvious—albeit the most time-intensive—strategy for credit card fraud detection and is a good idea if you have enough staff. Soon after a customer makes a purchase, call them using the phone number provided, welcome them aboard and check that they really authorised the purchase. You’ll quickly find out whether the number is genuine and can notify any surprised cardholders of fraud.
Finally, there might be legitimate customers who commit “friendly fraud”—claiming that a product never arrived and initiating a chargeback through the issuing bank. To protect yourself against friendly fraud:
- Issue an email receipt within minutes of each transaction.
- Ship purchased goods within your stated timeframe.
- Ship every parcel with tracking.
- Require a signature upon delivery.
- Follow up to see whether the parcel has arrived.
- Make it easy to return faulty goods.
- Issue refunds within your stated timeframe.
- Choose a merchant services provider that provides chargeback mitigation tools.
Prevention Is Better than Cure
Merchant credit card fraud prevention takes work, but it could save you thousands (or tens of thousands) each year. By putting appropriate safeguards in place, customising fraud scrub to your business type and doing your due diligence on suspicious transactions, you will protect your customers and your good standing in the industry without losing legitimate sales.