Online fraud is a growing menace to e-businesses and their customers as fraudsters target online payments using stolen card details. The crucial thing to know before you start selling is that you will be responsible for any fraudulent transactions made at your store. It's up to you to ensure that your customers are genuine. If you don't, you are liable for reimbursing cardholders whose cards were used without their authorisation.

The good news? WorldPay's dedicated fraud-fighting tools will help you reduce your losses due to fraud. But you need to take your own fraud prevention measures as well: many new online companies go out of business within six months because they fail to do so.

You'll also need to make sure any card payment information you store is protected against hackers and fraudsters who might attempt to steal credit card information. This is in order to comply with requirements introduced by the Card Schemes (called Payment Card Industry Data Security Standard or PCI DSS) to protect cardholder data. Large fines can be imposed for non-compliance or data breaches so it's vital you understand your obligations before you start accepting payments - have a look at our dedicated PCI DSS microsite for more information.

Why e-business appeals to fraudsters

Because there is no physical interaction with the card and cardholder, you are unable to:

- physically check the card's security features to ensure it is genuine
- verify the customer is the genuine cardholder via a signature or PIN
- guarantee that the payment information has been provided by the genuine cardholder.

Some online retailers don't understand the risks, don't take steps to prevent fraud and are easy targets for fraudsters.

Is my business high-risk?

Although all types of e-business can and do experience fraud, the following types of business and product are particularly attractive to fraudsters.
If you do sell any of these products or services, we strongly recommend that you take the time to review your fraud controls, tools and company policy to ensure you are prepared:

- Financial services sector
- Gaming sector
- Computer and electrical goods including electronic toys, videogames and gadgets
- Travel sector
- Technology and telecommunications - especially Voice-over-IP services
- Domain name registration and web hosting
- Downloadable goods - the product can be downloaded and the fraudster is long gone
- Fashion items, clothes, jewellery and accessories such as handbags and sunglasses, for example
- Furniture, especially modern and contemporary items
- Charities - can be susceptible to 'card testing' whereby fraudsters make small payments simply to test whether the card will be authorised, before they go on to use it to purchase expensive goods or services
- Any other highly desirable items that can easily be re-sold

High risk or not, you want to protect your business from fraud. This section advises you on spotting fraudulent activity and dealing with it before it damages your customers and your business.

Fraud: how can you spot it?

WorldPay's fraud detection tools will help you identify fraud but you should also look out for other signs that a payment may be suspicious. Potentially fraudulent payments are often out of the ordinary for your average customer or purchase. Many have the following things in common:
- late night orders
- high-risk countries - refer to our Support site for more information
- P.O. box addresses or hotels/guest houses
- free/anonymous email addresses
- express delivery
- high quantity orders
- high value orders
- different shipping and billing addresses or IP country and billing/card issue country
- frequent purchases
- frequent contacts from anxious fraudsters
- mobile rather than landline number
- suspicious behaviour by the customer
- indiscriminate purchases
- inconsistencies in shopper details across multiple purchases, e.g. same shopper e-mail address but differing name or address provided
Checking on these types of transaction is common sense. We strongly advise you to do so - have a look at Manual Checks for more information.

Case Study
We have developed three ways of spotting potentially fraudulent transactions:

- The Honey Trap.
- No time to check.
- Old fashioned detective work.

The Honey Trap. A customer has ordered a birthday cake. Then we offer a number of additional products including a deliberately over-priced party pack, containing plates, cups, banners, candles etc. Experience has shown us that someone using a stolen credit card is not worried about value for money! They are not expecting to pay for it themselves so they will order any extra bells and whistles, even if it's obviously bad value.

No Time to Check. Many fraudsters try to order at the very last minute to avoid being contacted. They hope that the order will just go through the system without being noticed. Large orders ordered at the very last gasp? We're highly suspicious.

Old Fashioned Detective Work. When an order looks too good to be true, it probably is. We call the customer, alerting them to a potential payment issue, and ask for three further bits of information:

- a work email address (if they have given only a hotmail address)
- a home landline number (if they have given only a mobile number)
- a work telephone number

We call the phone numbers and use Google and Facebook to verify the information given. Five minutes spent now saves hours making and distributing goods which may never be paid for. You might have to apologise to an indignant honest customer now and then, but they'll probably be grateful that you take their card security seriously.
Graham Brookes from www.londoncakes.com

Fraud prevention: WorldPay tools

BEFORE you accept your first payment online, get to know the tools that'll help you combat fraud. We provide a number of automated tools that, alongside your own manual fraud checks, help you combat fraud and reduce your fraud losses. Take advantage of these tools from the word go - which means understanding how to use them.

With Risk Management we can check each transaction and get fraud advice from experts. As a result our fraudulent transactions are less than 0.1%
www.londoncakes.com

Fraud screening

The Risk Management service monitors each transaction and provides automated alerts indicating possible/probable fraudulent transactions. This is one of the most effective ways of identifying potentially fraudulent transactions. The service is constantly updated and new checks are automatically made available to all our merchants with the Risk Management service. Checks include those made on the following:

- order, shopper and address details
- inconsistencies in purported and actual location
- if multiple addresses are used by the same person or card
- if known fraudulent details are being used
- payment behaviour and purchase patterns of the shopper when submitting payment details
- repeat occurrences of order data (for example, credit/debit card number, IP address, shopper email address) over a specified period of time
- logical patterns in shopper and payment data
- the number and total amount of payments for a particular credit card or bank account number.

Risk Management comes as standard with our Business Gateway Plus account, and can be added on to our Business Gateway account for a small fee. Have a look at our Knowledgebase for more information.

In-house fraud experts

If you subscribe to our Risk Management service, our in-house fraud specialists will be on hand to provide support and advice in identifying, preventing and tackling fraud. They can help with individual queries, as well as assisting with more comprehensive reviews of your fraud controls and order review processes and providing recommendations for improvements to your fraud controls. To speak to the team, simply contact our Customer Services department and they'll put you in touch with the right person for your query.
Tip: Avoid Refund Costs!
If you accept a payment and subsequently refund it because you suspect it's fraudulent, you'll be paying twice - for the processing and refunding costs. But setting a capture delay means there are no transaction or refund processing charges to pay if you decide not to accept the payment.

Capture delay

You can specify a delay between the authorisation of a payment and when the actual payment is taken (called 'capture'). With capture delay you can set payments to:

- be automatically taken ('captured') after a specified number of days if you have not rejected the payment, or
- expire after a certain number of days if you have not manually confirmed you wish to accept the payment.

The capture delay functionality gives you time to carry out additional manual checks before you decide to accept or reject the payment. You won't pay any WorldPay charges for processing payments you subsequently decide not to accept, and you'll avoid the costs involved with refunds and with dealing with fraud because, as no payment has been taken, there is no risk of payments you decide not to capture being disputed.

Capture delay comes as standard with our service but you'll need to specify the delay yourself as it's automatically set to immediate capture. Have a look at our Knowledgebase for more information.

Authentication

If your shoppers join a cardholder authentication scheme, you can use our no-charge authentication feature to identify these shoppers as genuine cardholders, before they pay for their online order. This authentication reduces your exposure to fraud, and increases shoppers' confidence in your site. Our payment systems support the MasterCard SecureCode and Verified by Visa authentication schemes, so you can check if shoppers are genuine MasterCard or Visa cardholders. The shopper enters a password to confirm their identity with the card issuer. Then you can accept the shopper's payment and complete their order with more confidence.
Have a look at our Knowledgebase for more information.

AVS/CVV2/CVC

The Address Verification Service (AVS) and Card Verification Value or Card Verification Code (CVV2, CVC) check the authenticity of a transaction by comparing cardholder information which the shopper has entered during the payment process, with details held by the card issuer. Both services are available as standard to all of our merchants, at no extra cost. Have a look at our Knowledgebase for more information.

Fraud prevention: is the customer genuine?

Credit card fraud is a major threat for any online business. Carry out your own manual checks on suspicious, out of the ordinary or high-value transactions. A lot of fraud detection is common sense and carrying out the checks needn't be time consuming. Make manual checks for fraud part of your business processes.

Potentially fraudulent transactions are marked with a warning or caution by WorldPay. It makes sense to check those transactions yourself because it'll help you to reject high risk payments, but you'll avoid rejecting legitimate payments that may have been flagged as potentially fraudulent (because of a shopper typing mistake, for example).
Tip: Registered Post
Send goods by registered or recorded post and obtain a signed and dated delivery note to help you protect yourself against fraudulent claims that the goods were not received.

If you're not satisfied that the person placing the order is genuine, don't ship the goods and refund the money immediately. Use your manual checks to identify high-risk names, email addresses and IP addresses. Merchants using WorldPay's Risk Management service can then set up so-called 'negative databases' to block suspect shopper names, email addresses and domains and IP addresses and ranges. Have a look at our Knowledgebase for more information.
Manual Checks

Name and phone number

- Look out for a shopper whose name is not correctly formatted and/or shows nonsense details.
- Check the electoral roll for the shopper's details using a service such as www.192.com.
- A mobile phone as the contact number is riskier. If the shopper has provided a landline, use one of the free web-based look-up programs such as (UK only) http://www.ukphoneinfo.com/section/tci/locator.shtml to check that the area code of the phone number matches the address.
Addresses

Remember: a fraudster who has obtained card data by copying elements from a card will not usually have the genuine user's billing address and will have to make one up. Look out for:

- an incomplete billing address
- a shopper who refuses to confirm their credit/debit card and billing address details
- a delivery address that's not the same as the billing address
- an export delivery address, particularly to certain countries (please refer to the table in Country Checks for a list of high risk countries)
- a temporary address such as a hotel or boarding house
- deliveries to airports or other unlikely addresses such as industrial estates if it's not a business to business transaction.

These aren't necessarily evidence of fraud. A shopper on holiday, for example, may request delivery to a hotel and not the billing address. But they are all worth checking. Consider using the Electoral Register in the UK or your local equivalent to check names and addresses.

If you are not convinced your customer is genuine after carrying out the checks above, consider checking the shopper's ID to try and confirm they are the genuine cardholder by requesting a copy of:

- a passport and/or driving license
- a utility bill with an address that matches the billing address provided
- a bank statement or credit card statement showing the correct billing address (sensitive data can be obscured by the shopper)

Remember, you as the merchant have responsibility for how you manage confidential or sensitive information, so you'll need to destroy or securely file this information after you've used it.
Email

- Free-site email addresses (eg, noname@hotmail.com) are more risky than those provided by an ISP that requires the user to register properly (eg, noname@rbs.com).
- To check email addresses, try opening the domain of the email in a browser (eg, www.consultant.com). You may find the domain isn't registered or is registered abroad. Websites such as www.verify-email.org can also help confirm whether the email address actually exists, although it doesn't work with all email providers.
- Send an email to the email address supplied to confirm that it exists. If it doesn't, it may be returned by your email server as undeliverable.
- Shoppers often enter their email addresses wrongly: for example, another character where the '@' symbol should be or misspelling of .co.uk, .com. You might detect obvious misspelling by comparing the shopper's name with their email address.
- If you can't identify an obvious problem and you can't make contact by email, try the phone number the shopper provided.
IP address

Check that the IP address supplied on the order confirmation matches the shopper's billing country using a free IP address lookup tool such as http://www.ip-to-location.com/free.asp. You can find similar tools by carrying out a web search for 'IP look up tools' or similar. WorldPay's Risk Management service lets you automatically block transactions from IP addresses that you know from experience have been associated with fraud in the past. Have a look at our Knowledgebase for more information.
Orders

Signs that should alert you to potential fraud include:

- a shopper ordering unusually large amounts of an item without any preference for the size, colour, make or model
- an existing shopper who suddenly orders an unusually large volume of goods
- an unusually small order or unusually big order
- top-of-the-range item or multiples ordered
- an unusual order swiftly followed by a repeat order
- multiple transactions attempted using a range of different cards (called 'card testing'). This is done by fraudsters to validate whether card details are valid and will be authorised

In each of these instances, call the phone number to confirm the order details and, at the same time, check that the number and the shopper exist.
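The 'card testing' sign above (a range of different cards tried from one source in a short period) can also be looked for in your own order log. The following Python is an added example, not WorldPay's Risk Management logic; the record fields, the 30-minute window and the threshold of three distinct cards are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample order log (not real data). "card" is a token or
# fingerprint supplied by the payment provider, never the card number itself.
SAMPLE_ORDERS = [
    {"time": "2024-03-01T09:00:00", "ip": "192.0.2.50", "email": "family@example.net", "card": "tok_X"},
    {"time": "2024-03-01T10:00:00", "ip": "203.0.113.20", "email": "regular@example.org", "card": "tok_R"},
    {"time": "2024-03-01T10:05:00", "ip": "203.0.113.20", "email": "regular@example.org", "card": "tok_R"},
    {"time": "2024-03-01T11:00:00", "ip": "192.0.2.50", "email": "family@example.net", "card": "tok_Y"},
    {"time": "2024-03-01T13:00:00", "ip": "192.0.2.50", "email": "family@example.net", "card": "tok_Z"},
    {"time": "2024-03-01T23:40:00", "ip": "198.51.100.7", "email": "donor1@example.com", "card": "tok_A"},
    {"time": "2024-03-01T23:42:00", "ip": "198.51.100.7", "email": "donor2@example.com", "card": "tok_B"},
    {"time": "2024-03-01T23:45:00", "ip": "198.51.100.7", "email": "donor3@example.com", "card": "tok_C"},
    {"time": "2024-03-01T23:47:00", "ip": "198.51.100.7", "email": "donor3@example.com", "card": "tok_D"},
]


def find_card_testing(orders, window=timedelta(minutes=30), max_cards=3):
    """Flag any IP address or email that presents `max_cards` or more
    distinct cards within a sliding `window`. Returns one alert per source."""
    parsed = sorted(
        ((datetime.fromisoformat(o["time"]), o) for o in orders),
        key=lambda pair: pair[0],
    )
    recent = defaultdict(deque)   # (field, value) -> deque of (time, card)
    flagged = set()               # sources already reported
    alerts = []
    for now, order in parsed:
        for field in ("ip", "email"):
            key = (field, order[field].strip().lower())
            seen = recent[key]
            seen.append((now, order["card"]))
            # Drop attempts that have fallen out of the time window.
            while now - seen[0][0] > window:
                seen.popleft()
            cards = {card for _, card in seen}
            if len(cards) >= max_cards and key not in flagged:
                flagged.add(key)
                alerts.append({
                    "field": field,
                    "value": key[1],
                    "distinct_cards": len(cards),
                    "first_seen": seen[0][0].isoformat(),
                    "last_seen": now.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_card_testing(SAMPLE_ORDERS):
        print(alert)
```

A repeat order on the same card and three cards spread over four hours from one household are not flagged at the default settings; flagged sources are candidates for the manual checks and phone call described above.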
Tip: Intercept services

If you're sending items by courier, instruct them not to allow so-called 'Intercept' or 'Redirect' services, which mean shoppers (or fraudsters!) can change the delivery address whilst the goods are in transit.

Deliveries

If you spot any of the following it isn't necessarily evidence of fraud, but it's worth checking:

- a request for fast deliveries where delivery cost is not an issue - genuine shoppers often avoid the expensive delivery options
- the delivery address is not the same as the billing address
- an export delivery address, particularly to certain countries (see list of high-risk countries below)
- a temporary address such as a hotel or boarding house
- instruction to leave goods on doorstep (or similar)

We advise you to carry out further checks on such orders to reassure yourself the purchase is genuine.
High risk countries

Some countries have a higher risk of fraud than others, including the following:

- Algeria
- Argentina
- Belarus
- Bulgaria
- Indonesia
- Lithuania
- Macedonia
- Nigeria
- Philippines
- Romania
- Russian Federation
- Ukraine
- Yugoslavia
Credit card fraudsters know lots of ways to part you and your customers from your money. With WorldPay's fraud prevention service and your own checks, you'll protect your business and your profits from them.

Fraud prevention: dealing with disputes

When you're a shopper paying with your credit card, it's reassuring to know that your card issuer will usually reimburse you in case of fraud. But the money doesn't come from the card issuer - it comes from the business the shopper was buying from. And that could be your business.

In an online/telephone environment where no card, cardholder or signature is physically present, it is more difficult to identify the real cardholder. So card issuers try to protect their cardholders by giving them the right to raise a 'dispute' with the business their card was paying. There are two types of dispute:
Tip: Avoid Disputes!
Dealing with disputes can be time consuming and result in big financial losses. Make sure you avoid losses by doing as much as you can to prevent disputes in the first place. More at Avoiding Disputes

1. The shopper isn't satisfied with the goods or services you provide. They claim (for example) the goods are faulty, haven't been received or aren't as described on your website. Normally you can settle it by offering your customer a refund. But shoppers have the right to take their grievance to their card issuer, and the card issuer may guarantee to get them their money back.
2. The payment is fraudulent. The card might have been lost or stolen. Card data, such as the card number and CVC code on the back of the card, might have been 'phished' (illegally obtained). However it happened, if it's fraud you are liable for reimbursing cardholders whose cards were used without their authorisation at your business.

Credit card fraud

Cardholders can dispute a payment up to six months (sometimes longer) after the payment is complete, after the full delivery of the product or service. They can take any dispute direct to the card issuer without contacting you first.

When a payment is in dispute, WorldPay, the card issuer, and the acquiring bank work together to resolve the dispute. The process is governed by rules set by the Card Schemes (such as Visa and MasterCard) that each party must comply with. An automatic process (a chargeback) removes funds from your merchant account and places them in the card issuer's account for repayment to the defrauded customer.

Prevention is, of course, better than cure. It is better to avoid disputes over credit card fraud in the first place by:

- using WorldPay's fraud screening tools and your own manual fraud checks
- focusing, from the start, on customer service and good communications with customers

But if you are faced with a payment dispute, you need to know what to do.

How does the dispute process work?

1. Depending on the scenario, the card issuer may send you a Request for Information (RFI) about the disputed sale. This comes to you via your acquiring bank - WorldPay if you subscribe to our Business Gateway Plus account. However, if the card issuer believes it to be a clear-cut case of fraud, they may not issue an RFI and may charge the funds back immediately (see step 4).
2. The RFI requires you to send any documents or information that support your side of the dispute: a signed delivery slip, for example, if a shopper is claiming not to have received the goods.
3. Our Knowledgebase explains the types of information you can send, but be warned: if the payment really was fraudulent, no evidence you can provide will prevent a chargeback. This is why it really is crucial to identify and reject potentially fraudulent payments before it gets to this stage.
4. Once you've submitted any evidence, the card issuer decides whether the shopper's dispute is genuine. If the card issuer does not receive your RFI response in time, and/or decides against you in favour of the cardholder, you'll be subject to a chargeback. The money you received from the cardholder will be moved from your merchant account to the card issuer's account.
5. It is possible to appeal against a chargeback - more information on our Knowledgebase.

Our Knowledgebase has all the information you'd need about the dispute process: have a look now, so that you're in the best position to prevent disputes or successfully defend yourself.

Fraud prevention: top tips for avoiding disputes

Dealing with a cardholder dispute will at the very least take lots of your time, and may take lots of your money too. To avoid disputes you need to communicate well with your shoppers right from the start, and be vigilant about suspicious transactions.

- You can't be too careful. Carry out further checks if you have any suspicions about the identity of the shopper. See Is the customer genuine?
- Use WorldPay's Fraud Screening tools which alert you to potentially fraudulent transactions. Then carry out further investigation and your own manual checks on those transactions before you send out any goods.
- Use our Risk Management service to block known or suspect fraudulent details associated with undesirable shoppers. You can block shopper IP addresses, email addresses and names.
- Carry out manual checks on high value or out-of-the-ordinary payments, even if the Fraud Screening tools didn't pick them up. (The fraudster might have stolen all of the cardholder's legitimate details.)
- Make it easy for your customers to contact you. Cardholders can be quick to take a dispute to their card issuer if they think you're ignoring their query.
- Provide clear and detailed descriptions of your goods or services on your website - it'll avoid shoppers claiming to have been misled.
- Publish your refund policy: it reassures customers they can get their money back from you rather than having to escalate to their card issuer.
- Be realistic with customers about delivery timescales and keep them informed if there are any delays. This is good customer service in any case. And if you don't they may go straight to their card issuer complaining of goods not received.
- Immediately refund any payments you believe to be fraudulent and do not send out the goods. Once you have refunded the payment, the issue cannot be escalated by the cardholder.
- Shoppers may not recognise your trading name on their bank statement if it's not the same as your website name. Make sure that your trading name - which is used as default on your customers' bank statements - is recognisable. Contact your merchant account provider about changing it if it is not.