Cardstream are aware that taking payments from debit and credit cards can raise the level of risk that a business has to manage. With this in mind Cardstream provide Merchants with FREE advice surrounding best practices in fighting fraud.

Fighting Fraud

Introduction

Any Merchant considering the possibility of taking credit and debit card transactions online should be aware of and concerned with fraud, how to protect themselves against it and what to do if it happens to them. This guide is an overview of online fraud, how it is perpetrated and what Merchants should be doing to protect themselves and their businesses.

Who are the Fraudsters?

There are two main types of fraudsters, as can be seen below, and Merchants must make every effort to guard their businesses from both forms.

  • Users of Stolen Cards - This type of fraudster will use the details of large numbers of stolen credit and/or debit cards to try to purchase goods and/or services from Merchants illicitly. These fraudsters tend to operate as syndicates and will actively hunt out websites that have weaknesses in the purchase procedure or the terms and conditions. Once one of them has found a website with potential weaknesses, a group of them will begin to purchase goods from the website. They will do this until the Merchant becomes aware and then move on to the next one. If these cards are not reported lost or stolen by the card holders, or if the issuing bank does not stop their use due to unusual spending patterns, it is often not possible to spot such transactions other than by having good internal fraud systems.
  • Fraudsters Who Exploit Contractual Weaknesses - These fraudsters tend to be mainstream people who regularly purchase online and use their own cards then chargeback the transaction using a loophole they have discovered on the Merchant’s website. These people are actually operating within the law and cannot be prosecuted if found. This is why it is critical that a good deal of time and effort is spent on having solid terms and conditions, as well as having delivery and order screening procedures in place. A common practice is for someone to have the good(s) delivered to an address which is not the billing address and then deny knowledge of placing the order.

Fighting Fraud

First Line of Defence

The first line of defence is always your website. Having a professional website with solid terms and conditions is actually a very good deterrent to both fraudster types. A professional-looking website that is well structured and aesthetically pleasing suggests to any potential fraudsters that the Merchant running it has a professional operation with systems able to deal with fraudulent behaviour.

All fraudsters will look at your terms and conditions in great detail. Any purchase made by any customer on a Merchant’s site is a contractual agreement, bound by payment, for the Merchant to deliver goods and/or services as detailed on the site, in the manner dictated by their terms and conditions. If a Merchant fails to meet any of the documented terms and conditions they are technically in breach of contract with the purchaser and, therefore, under card scheme regulations the consumer can request their money back. A Merchant could find themselves in the situation whereby they have shipped the goods or delivered the service and the consumer then claims their money back via the chargeback system, leaving the Merchant out of pocket by way of both money and goods. That said, customers do have to return the goods to the Merchant if the funds are returned to them successfully.

As such it is imperative that the Merchant has accurate terms and conditions that reflect the internal procedures and business policies they have in place relating to the fulfilment of an order once it has been placed with them. Attached in the information pack is a website compliance guide that will assist Merchants in making sure that their website has the correct information held in the correct places, thus meeting the relevant criteria designed to assist with the deterrence of potential fraudsters. By working through the website compliance points, Merchants will not only be protecting themselves and their businesses but also educating themselves as to fraud prevention at the same time. It is also good for Merchants to revisit the guide frequently to ensure that they have not lost sight of the objective of implementing the website compliance points over time.

Technical Tools

There are a number of technical tools that can be employed in order to assist Merchants with the prevention of fraud. Although technical tools aid in the detection and prevention of fraud, they should only be used to complement a Merchant’s internal policies and procedures that dictate what purchases they will accept. Fraudsters often have all the data required to pass all checks that are completed when processing a credit or debit card.

It is good practice for Merchants to have firm policies for their staff to follow when orders are received, including the actions they must carry out if any of the security checks are not matched. For example, if an order comes in that looks acceptable but the address check fails, a Merchant could have a procedure in place that states that they will, before the transaction is completed, obtain proof of address by another means (a faxed copy of a utility bill is advisable).

12 Key indicators of Fraud

  1. First-time shopper: Criminals are always looking for new victims.
  2. Larger-than-normal orders: Because stolen cards or account numbers have a limited life span, fraudsters need to maximize the size of their purchase. If it looks too good to be true it usually is.
  3. Orders that include several of the same items: Having multiples of the same item increases a fraudster's profits.
  4. Orders made up of “big-ticket” items: These items have maximum resale value and therefore maximum profit potential.
  5. “Rush” or “overnight” shipping: Fraudsters want these illegally obtained items as soon as possible for the quickest possible resale and are not concerned about extra delivery charges.
  6. Shipping to an international address: A significant number of fraudulent transactions are shipped to fraudulent cardholders outside of the country of origin. Visa AVS cannot always validate the address if it is outside of the jurisdiction in which the purchase is made.
  7. Transactions with similar account numbers: Particularly useful if the account numbers used have been generated using software available on the Internet (e.g., CreditMaster).
  8. Shipping to a single address, but transactions placed on multiple cards: Could involve account numbers generated using special software or even a batch of stolen cards.
  9. Multiple transactions on one card over a very short period of time: Could be an attempt to "run a card" until the account is closed.
  10. Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses: Could represent organized activity, rather than one individual at work.
  11. In online transactions, multiple cards used from a single IP (Internet Protocol) address: More than one or two cards could definitely indicate a fraud scheme.
  12. Orders from Internet addresses that make use of free e-mail services: These e-mail services involve no billing relationship and often neither an audit trail nor verification that a legitimate cardholder has opened the account. This is often coupled with pay-as-you-go mobile numbers.
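
Indicators 8 to 11 compare orders against each other, so they can be checked across a batch before the manual review. The sketch below is an added example, not Cardstream's code; the order fields, card tokens and thresholds are assumptions, and indicator 10 is simplified to an exact card match.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (order id, card token, IP, shipping address, time).
# Assumption: the card is an opaque gateway token, never the card number,
# and shipping addresses are already normalised.
ORDERS = [
    ("A1", "tok_1", "203.0.113.7", "1 High St", "2024-01-05T10:00"),
    ("A2", "tok_2", "203.0.113.7", "1 High St", "2024-01-05T10:05"),
    ("A3", "tok_3", "203.0.113.7", "1 High St", "2024-01-05T10:09"),
    ("B1", "tok_4", "198.51.100.2", "9 Mill Rd", "2024-01-05T11:00"),
    ("B2", "tok_4", "198.51.100.2", "9 Mill Rd", "2024-01-05T11:10"),
    ("B3", "tok_4", "198.51.100.2", "4 Oak Ave", "2024-01-05T11:20"),
    ("C1", "tok_5", "192.0.2.44", "22 Elm Cl", "2024-01-05T12:00"),
]

# Hypothetical thresholds; each Merchant sets these from their own risk policy.
WINDOW = timedelta(minutes=30)  # "very short period of time" (indicator 9)
MAX_ORDERS_IN_WINDOW = 2        # more than this on one card trips indicator 9
MAX_CARDS = 2                   # "more than one or two cards" (8 and 11)

def screen(orders):
    """Return {order_id: [indicator numbers]} for orders needing manual review."""
    flags = defaultdict(set)
    by_card, by_ip, by_ship = defaultdict(list), defaultdict(list), defaultdict(list)
    for oid, card, ip, ship, ts in orders:
        rec = (datetime.fromisoformat(ts), oid, card, ship)
        by_card[card].append(rec)
        by_ip[ip].append(rec)
        by_ship[ship].append(rec)
    # Indicators 8 and 11: many distinct cards behind one address or one IP.
    for groups, indicator in ((by_ship, 8), (by_ip, 11)):
        for group in groups.values():
            if len({card for _when, _oid, card, _ship in group}) > MAX_CARDS:
                for _when, oid, _card, _ship in group:
                    flags[oid].add(indicator)
    for group in by_card.values():
        group.sort()  # oldest order first
        # Indicator 10: one card delivering to several shipping addresses.
        if len({ship for _when, _oid, _card, ship in group}) > 1:
            for _when, oid, _card, _ship in group:
                flags[oid].add(10)
        # Indicator 9: sliding time window over this card's orders.
        start = 0
        for end, rec in enumerate(group):
            while rec[0] - group[start][0] > WINDOW:
                start += 1
            if end - start + 1 > MAX_ORDERS_IN_WINDOW:
                for _when, oid, _card, _ship in group[start:end + 1]:
                    flags[oid].add(9)
    return {oid: sorted(found) for oid, found in sorted(flags.items())}
```

A flagged order is a prompt for the review procedure and action plan, not an automatic decline.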

Online Trading Business Policies & Procedures

Each company is unique and will need to develop its own specific procedures for spotting and dealing with potential fraud. Generally speaking all Merchants should have the following:

  1. Review Procedure – Each transaction should be reviewed by a member of your staff. They should be at a minimum looking for any of the 12 indicators listed above as well as any additional patterns deemed necessary.
  2. Action Plan – Merchants should have a detailed action plan to follow in the case that any of the above indicators are detected or for any additional checks that are deemed necessary. Staff should be trained to follow this and advised that it must be strictly adhered to. For example, if the CV2 check is passed and the address check is failed then a Merchant might have their staff obtain proof of address in the form of a faxed utility bill.
  3. Account Monitoring – Merchants should closely monitor their accounts for patterns and, more specifically, irregularities in pattern. For example, if a business’ predicted turnover is normally around £1000.00 per day and the figure suddenly spikes to £10000.00 then the Merchant will need to review their transactions and try to identify if there is a pattern that would indicate fraud. It could be that a Merchant received £9000.00 worth of orders in a day to a country they would normally not ship to; this is definitely a strong indicator of fraud.
  4. High Value Orders – A good policy to have in place is a ceiling limit on the individual order value for which a Merchant will accept a credit card as a payment method. If a high value order is put through it does not necessarily mean it is fraud. It is recommended that Merchants contact the purchaser for extra checks. One thing that will tell a Merchant instantly if it is fraud is the purchaser's response when asked to pay via a bank transfer: if they refuse or give an excuse as to why they cannot, then do not ship the order.
  5. High Risk Countries – Historically, shipping to certain countries is seen to be very high risk; these include Nigeria and former Eastern Bloc countries (e.g. Ukraine, Bulgaria, Romania and Former Yugoslavia). It is recommended that Merchants do not ship to these high risk countries. There are going to be some valid orders but in the main it is better to avoid the problem entirely by not dealing with the orders at all.
  6. Registered Mail – Always send everything by registered mail. It is standard practice and is an accepted cost for people purchasing online. It also gives Merchants the signature of the person accepting the parcel, which may help if they decide to make a chargeback.

Managing Trading Risk

Trading online can be a risk to all Merchants and their businesses. It is therefore in the best interest of the Merchant and their company to learn to manage the risk. Merchants need to determine what risk they will and will not accept. Once this is determined, their policies and procedures must reflect this and support any decision made as to whether or not to deliver the good(s) or service(s). Technology can be used to assist in fraud prevention but it is best not to rely on it, as fraudsters are devious and will, if they have not already done so, find ways around even the best systems. If for whatever reason a Merchant suspects a purchase may be fraudulent, they should take a safety-first stance and simply not deliver anything until they and their business are certain the order is genuine.

Conclusion

The two greatest defences against online fraud are common sense and high-quality business practices. If Merchants remember that and apply the above advice to their online business model, this will go a long way towards preventing fraud and protecting themselves and their company.
