With the EMV shift now almost three weeks in, merchants need to be even more on guard against online fraud. With physical card-present fraud becoming near impossible with the new chip, fraudsters will go where the path of resistance is least. Unfortunately, that is currently online merchants. When a merchant gets hit with fraudulent orders on their website, the cost is more than just the money. It can take a toll on their confidence and make them question whether they should abandon their hopes of being an entrepreneur.
Consider these easy-to-implement techniques that will help eCommerce merchants avoid fraud. Following these techniques will save you time, money and aggravation, and help you avoid developing a bad online reputation. Having been in the eCommerce space for over 12 years, I have seen a wide spectrum of fraud on the Internet. Almost every case of fraud could have been avoided if the merchant had their payment gateway configured correctly. In most cases, the transactions are glaringly fraudulent, but the merchant is so thrilled to have a great order that they overlook the obvious signs and fill the order only to get burned. Here are my suggestions for avoiding online fraud.
Merchant Account Setup
When you are going through the merchant account application process, it is important to give the bankers realistic numbers. You will need to provide the bank with numbers such as estimated annual transaction volume, estimated monthly volume and minimum and maximum transaction amounts. From my experience, I’ve seen merchants exaggerate these numbers in the hopes of impressing the bank. That is a mistake. Give the bank conservative numbers, especially if you are just starting out online. It will take a year before you are transacting with any volume. These numbers can easily be increased as needed. The bank uses these numbers to set up profiles for you in their fraud prevention systems. This is your first line of defense – the more accurate the numbers you provide, the more likely the bank can protect your account. Remember, the bank’s job is to help you with sales, not prevent them. They can only run things so tight or too many of your transactions will fail. The bank’s fraud prevention system is only one layer of defense. It is not your merchant bank’s job to watch every transaction for fraud; they will only pick up some of the transactions that are outside of your profile. That leaves plenty of room for fraud inside those parameters. Your merchant application is not a business plan. Don’t bloat the numbers; you will only be hurting yourself.
AuthCapture (Bad) vs. AuthOnly (Good)
There are two types of transactions you can run when receiving payment online: Authorize and Capture (AuthCapture) and Authorize Only (AuthOnly). You can greatly reduce your exposure to fraud if you run AuthOnly. I strongly recommend setting your transactions to AuthOnly. An AuthOnly transaction will require the merchant to review orders and mark them for settlement if they pass the merchant’s scrutiny. I know, you need your money now and AuthOnly could mean that it will take another day before you have your money, and it’s so much work to mark transactions for settlement. Get over it! You can wait one more day for your money and it only takes one click to mark a transaction for settlement.
Merchants often have a false sense that the bank, the gateway or the ecommerce platform will protect them from fraud, and ultimately someone other than the merchant will be responsible for paying for the fraudulent activity. The merchant ultimately pays for fraud and has a duty to screen their transactions for fraud.
The merchant is responsible for scrutinizing their transactions and approving the ones that pass a simple test. Here is what to look for:
- Did the transaction pass the Address Verification System (AVS) check?
- Did the CVV code have a match?
- Are the shipping and billing addresses the same?
- Common sense check?
If the answer to any of the above questions is “no,” then the merchant must take a closer look at that particular order. If someone orders 12 vacuum cleaners and wants them shipped to Pakistan, and the billing address is Jane Smith from Arkansas, the order stinks of fraud. This scenario has happened more than you would think. The merchant is so thrilled to have the big sale, they don’t even consider that it could be fraud. In the end, the merchant pays for the product, pays for the shipping, pays Jane Smith’s credit card back, and even gets to pay a chargeback fee from the bank. Ouch! The merchant is left feeling like it was someone else’s fault. Shouldn’t the bank or payment gateway prevent that? The merchant is the last line of defense and needs to use common sense and scrutinize their transactions. If it looks fraudulent, make a customer service call to the cardholder and ask some simple questions. This will quickly confirm whether or not the transaction is fraudulent.
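The checklist above can be run automatically over AuthOnly orders before anyone clicks "mark for settlement". The sketch below is an added example, not code from the author or from any payment gateway: the `AuthOnlyOrder` record, its field names, the quantity threshold standing in for the common-sense check, and the sample orders are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class AuthOnlyOrder:
    """Hypothetical record of an authorized, not yet captured order."""
    order_id: str
    avs_match: bool      # gateway AVS result reduced to pass/fail
    cvv_match: bool      # gateway CVV result reduced to pass/fail
    billing: dict        # street, city, region, postal, country
    shipping: dict
    quantity: int

FIELDS = ("street", "city", "region", "postal", "country")

def _norm(addr):
    """Lower-case and strip punctuation so formatting differences are not mismatches."""
    return tuple(re.sub(r"[^a-z0-9]", "", str(addr.get(k, "")).lower()) for k in FIELDS)

def review(order, max_quantity=5):
    """Return the checklist items this order fails; an empty list means none."""
    reasons = []
    if not order.avs_match:
        reasons.append("avs_failed")
    if not order.cvv_match:
        reasons.append("cvv_failed")
    bill, ship = _norm(order.billing), _norm(order.shipping)
    if bill != ship:
        reasons.append("ship_bill_mismatch")
        if bill[-1] != ship[-1]:
            reasons.append("ship_country_differs")
    if order.quantity > max_quantity:   # assumed stand-in for the common-sense check
        reasons.append("unusual_quantity")
    return reasons

def decide(order):
    """Mark for settlement only when every check passes; otherwise a person looks."""
    return "hold_for_review" if review(order) else "mark_for_settlement"

# Constructed sample data modelled on the article's vacuum cleaner scenario.
JANE = {"street": "12 Oak St.", "city": "Little Rock", "region": "AR",
        "postal": "72201", "country": "US"}
JANE_RETYPED = dict(JANE, street="12 oak st", city="LITTLE ROCK")
ABROAD = {"street": "1 Example Road", "city": "Example City", "region": "",
          "postal": "00000", "country": "PK"}
ROUTINE = AuthOnlyOrder("A-1", True, True, JANE, JANE_RETYPED, 1)
VACUUMS = AuthOnlyOrder("A-2", True, True, JANE, ABROAD, 12)
```

Note that the `VACUUMS` order passes both AVS and CVV, since a stolen card can come with its correct billing details, and is still held because of the address and quantity checks.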
Set Your Minimum and Maximum Transaction Amounts
Most payment gateways will let you set a minimum and maximum transaction amount for all of your orders. Using these features can greatly reduce your exposure to fraud. If you don’t sell anything for under $9.99, then set the minimum amount to $9.98. Also set the ceiling just above your realistic highest order amount.
This simple adjustment will help avoid a common hacker technique known as “Phishing.” Phishing is when a thief uses your website or payment gateway to test a database full of stolen credit card numbers. They will run a high volume of small transactions ($0.25) to see if the credit cards are good, and if so, they can exploit them elsewhere. When a merchant sees they have 2,000 transactions for 25 cents each, they are victims of a phishing attack. The bank will often hold the merchant responsible for paying the per-transaction fees on all of the transactions. This hassle and frustration can be avoided by setting the minimum transaction amount to something greater than zero, and preferably over $1.00. Having your transactions set to AuthOnly will prevent all of these little phishing transactions from settling. Waking up Monday morning to find that you have settled 3,000 fraudulent transactions over the weekend is not the way you want to start your week.
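The burst of small authorizations described above (a pattern payment processors usually call card testing) is easy to spot in an authorization log before anything settles. This added example, which is not the author's or any gateway's code, shows what a $9.98 floor would refuse and how to detect many different cards making tiny authorizations within a short window; the record fields, the $500.00 ceiling, the 10-minute window, the threshold of 4 cards and the sample log are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

def outside_limits(txns, min_cents, max_cents):
    """Ids of transactions a gateway floor/ceiling would refuse."""
    return [t["id"] for t in txns if not min_cents <= t["amount_cents"] <= max_cents]

def small_amount_bursts(txns, small_cents=100, window=timedelta(minutes=10), threshold=4):
    """Return (start, end, peak_distinct_cards) for each run of small authorizations
    in which at least `threshold` different cards appear within `window`."""
    small = sorted((t for t in txns if t["amount_cents"] <= small_cents),
                   key=lambda t: t["time"])
    bursts, recent = [], deque()
    for t in small:
        recent.append(t)
        while t["time"] - recent[0]["time"] > window:
            recent.popleft()                      # drop auths older than the window
        cards = len({r["card"] for r in recent})
        if cards < threshold:
            continue
        if bursts and recent[0]["time"] <= bursts[-1][1]:
            start, _, peak = bursts[-1]           # same burst still running: extend it
            bursts[-1] = (start, t["time"], max(peak, cards))
        else:
            bursts.append((recent[0]["time"], t["time"], cards))
    return bursts

# Constructed authorization log: five 25-cent auths on different card tokens,
# one ordinary order, and one order above the assumed ceiling.
BASE = datetime(2015, 10, 19, 2, 0)
AUTH_LOG = [{"id": f"t{i + 1}", "time": BASE + timedelta(seconds=30 * i),
             "amount_cents": 25, "card": f"tok-{i}"} for i in range(5)]
AUTH_LOG += [
    {"id": "t6", "time": BASE + timedelta(hours=7), "amount_cents": 4999, "card": "tok-x"},
    {"id": "t7", "time": BASE + timedelta(hours=9), "amount_cents": 250000, "card": "tok-y"},
]
```

Any burst returned by `small_amount_bursts` is a reason to leave those authorizations unsettled and to check the gateway's minimum amount setting.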
Merchants can greatly reduce their exposure to fraud by running AuthOnly transactions, setting minimum and maximum transaction amounts and scrutinizing their transactions before capturing the funds. Most decent online payment solutions will have these basic fraud prevention features available.