
Credit card fraud

Online fraud is a growing menace to e-businesses and their customers as fraudsters
target online payments using stolen card details.
The crucial thing to know before you start selling is that you will be responsible for any
fraudulent transactions made at your store. It's up to you to ensure that your customers are
genuine. If you don't, you are liable for reimbursing cardholders whose cards were used without
their authorisation.
The good news? WorldPay's dedicated fraud-fighting tools will help you reduce your losses due
to fraud.
But you need to take your own fraud prevention measures as well: many new online companies
go out of business within six months because they fail to do so.
You'll also need to make sure any card payment information you store is protected against
hackers and fraudsters who might attempt to steal credit card information. This is in order to
comply with requirements introduced by the Card Schemes (called Payment Card Industry Data
Security Standard or PCI DSS) to protect cardholder data. Large fines can be imposed for non-
compliance or data breaches so it's vital you understand your obligations before you start
accepting payments - have a look at our dedicated PCI DSS microsite for more information.
Why e-business appeals to fraudsters
Because there is no physical interaction with the card and cardholder, you are unable to:
physically check the card's security features to ensure it is genuine
verify the customer is the genuine cardholder via a signature or PIN
guarantee that the payment information has been provided by the genuine cardholder.
Some online retailers don't understand the risks, don't take steps to prevent fraud and are
easy targets for fraudsters.
Is my business high-risk?
Although all types of e-business can and do experience fraud, the following types of business
and product are particularly attractive to fraudsters. If you do sell any of these products or
services, we strongly recommend that you take the time to review your fraud controls, tools and
company policy to ensure you are prepared:
Financial services sector
Gaming sector
Computer and electrical goods including electronic toys, videogames and gadgets
Travel sector
Technology and telecommunications - especially Voice-over-IP services
Domain name registration and web hosting
Downloadable goods - the product can be downloaded and the fraudster is long gone.
Fashion items, clothes, jewellery and accessories such as handbags and sunglasses for
example
Furniture especially modern and contemporary items
Charities - can be susceptible to 'card testing' whereby fraudsters make small payments simply
to test whether the card will be authorised, before they go on to use it to purchase expensive
goods or services
Any other highly desirable items that can easily be re-sold
High risk or not, you want to protect your business from fraud. This section advises you on
spotting fraudulent activity and dealing with it before it damages your customers and your
business.
Fraud: how can you spot it?
WorldPay's fraud detection tools will help you identify fraud but you should also look out for
other signs that a payment may be suspicious.
Potentially fraudulent payments are often out of the ordinary for your average customer or
purchase. Many have the following things in common:

late night orders
high-risk countries - refer to our Support site for more information
P.O. box addresses or hotels/guest houses
free/ anonymous email addresses
express delivery
high quantity orders
high value orders
different shipping and billing addresses or IP country and billing/card issue country
frequent purchases
frequent contacts from anxious fraudsters
mobile rather than landline number
suspicious behaviour by the customer
indiscriminate purchases
inconsistencies in shopper details across multiple purchases, e.g. same shopper e-mail address
but differing name or address provided

Checking on these types of transaction is common sense. We strongly advise you to do so -
have a look at Manual Checks for more information.
Case Study

We have developed three ways of spotting potentially fraudulent transactions:-
The Honey Trap.
No time to check.
Old fashioned detective work.
The Honey Trap.
A customer has ordered a birthday cake. Then we offer a number of additional products
including a deliberately over-priced party pack, containing plates, cups, banners, candles etc.
Experience has shown us that someone using a stolen credit card is not worried about value for
money! They are not expecting to pay for it themselves so they will order any extra bells and
whistles, even if it's obviously bad value.
No Time to Check.
Many fraudsters try to order at the very last minute to avoid being contacted. They hope that the
order will just go through the system without being noticed. Large orders ordered at the very
last gasp? We're highly suspicious.
Old Fashioned Detective Work.
When an order looks too good to be true, it probably is. We call the customer, alerting them to a
potential payment issue, and ask for three further bits of information:
a work email address (if they have given only a hotmail address)
a home landline number (if they have given only a mobile number)
a work telephone number
We call the phone numbers and use Google and Facebook to verify the information given. Five
minutes spent now saves hours making and distributing goods which may never be paid for.
You might have to apologise to an indignant honest customer now and then, but they'll probably
be grateful that you take their card security seriously.

Graham Brookes from www.londoncakes.com
Fraud prevention: WorldPay tools
BEFORE you accept your first payment online, get to know the tools that'll help you
combat fraud.
We provide a number of automated tools that, alongside your own manual fraud checks, help
you combat fraud and reduce your fraud losses. Take advantage of these tools from the word
go - which means understanding how to use them.
With Risk Management we can check each transaction and get fraud advice from experts. As
a result our fraudulent transactions are less than 0.1%

www.londoncakes.com
Fraud screening
The Risk Management service monitors each transaction and provides automated alerts
indicating possible/probable fraudulent transactions.
This is one of the most effective ways of identifying potentially fraudulent transactions. The
service is constantly updated and new checks automatically made available to all our merchants
with the Risk Management service. Checks include those made on the following:
order, shopper and address details
inconsistencies in purported and actual location
if multiple addresses are used by the same person or card
if known fraudulent details are being used
payment behaviour and purchase patterns of the shopper when submitting payment details
repeat occurrences of order data (for example, credit/debit card number, IP address, shopper
email address) over a specified period of time
logical patterns in shopper and payment data
the number and total amount of payments for a particular credit card or bank account number.
Risk Management comes as standard with our Business Gateway Plus account, and can be
added on to our Business Gateway account for a small fee. Have a look at
our Knowledgebase for more information.
In-house fraud experts
If you subscribe to our Risk Management service, our in-house fraud specialists will be on hand
to provide support and advice in identifying, preventing and tackling fraud. They can help with
individual queries, as well as assisting with more comprehensive reviews of your fraud controls
and order review processes and providing recommendations for improvements to your fraud
controls. To speak to the team, simply contact our Customer Services department and they'll put
you in touch with the right person for your query.

Tip: Avoid Refund Costs!

If you accept a payment and subsequently refund it because you suspect it's fraudulent, you'll be paying
twice - for the processing and refunding costs. But setting a capture delay means there's no transaction
or refund processing charges to pay if you decide not to accept the payment.
Capture delay
You can specify a delay between the authorisation of a payment and when the actual payment
is taken (called 'capture'). With capture delay you can set payments to:
be automatically taken ('captured') after a specified number of days if you have not rejected the
payment, or
expire after a certain number of days if you have not manually confirmed you wish to accept the
payment.
The capture delay functionality gives you time to carry out additional manual checks before you
decide to accept or reject the payment. You won't pay any WorldPay charges for processing
payments you subsequently decide not to accept, and you'll avoid the costs involved with
refunds and with dealing with fraud because, as no payment has been taken, there is no risk of
payments you decide not to capture being disputed.
Capture delay comes as standard with our service but you'll need to specify the delay yourself
as it's automatically set to immediate capture. Have a look at our Knowledgebase for more
information.
Authentication
If your shoppers join a cardholder authentication scheme, you can use our no-charge
authentication feature to identify these shoppers as genuine cardholders, before they pay for
their online order. This authentication reduces your exposure to fraud, and increases shoppers'
confidence in your site.
Our payment systems support the MasterCard SecureCode and Verified by Visa authentication
schemes, so you can check if shoppers are genuine MasterCard or Visa cardholders. The
shopper enters a password to confirm their identity with the card issuer. Then you can accept
the shopper's payment and complete their order with more confidence. Have a look at
our Knowledgebase for more information.
AVS/CVV2/CVC
The Address Verification Service (AVS) and Card Verification Value or Card Verification Code
(CVV2, CVC) check the authenticity of a transaction by comparing cardholder information which
the shopper has entered during the payment process, with details held by the card issuer. Both
services are available as standard to all of our merchants, at no extra cost. Have a look at
our Knowledgebase for more information.
Fraud prevention: is the customer
genuine?
Credit card fraud is a major threat for any online business. Carry out your own manual
checks on suspicious, out of the ordinary or high-value transactions.
A lot of fraud detection is common sense and carrying out the checks needn't be time
consuming. Make manual checks for fraud part of your business processes.
Potentially fraudulent transactions are marked with a warning or caution by WorldPay. It makes
sense to check those transactions yourself because:
it'll help you to reject high risk payments, but
you'll avoid rejecting legitimate payments that may have been flagged as potentially
fraudulent (because of a shopper typing mistake, for example)

Tip: Registered Post

Send goods by registered or recorded post and obtain a signed and dated delivery note to help you
protect yourself against fraudulent claims that the goods were not received.
If you're not satisfied that the person placing the order is genuine, don't ship the goods
and refund the money immediately.
Use your manual checks to identify high-risk names, email addresses and IP addresses.
Merchants using WorldPay's Risk Management service can then set up so-called 'negative
databases' to block suspect shopper names, email addresses and domains and IP addresses
and ranges. Have a look at our Knowledgebase for more information.

Manual Checks
Name and phone number
Look out for a shopper whose name is not correctly formatted and/or shows nonsense details.
Check the electoral roll for the shopper's details using a service such as www.192.com.
A mobile phone as the contact number is riskier.
If the shopper has provided a landline, use one of the free web-based look-up programs such as
(UK only) http://www.ukphoneinfo.com/section/tci/locator.shtml to check that the area code of
the phone number matches the address

Addresses
Remember: a fraudster who has obtained card data by copying elements from a card will not
usually have the genuine user's billing address and will have to make one up. Look out for:
an incomplete billing address
a shopper who refuses to confirm their credit/debit card and billing address details
a delivery address that's not the same as the billing address
an export delivery address, particularly to certain countries (please refer to the table in Country
Checks for a list of high risk countries)
a temporary address such as a hotel or boarding house
deliveries to airports or other unlikely addresses such as industrial estates if it's not a business
to business transaction.
These aren't necessarily evidence of fraud. A shopper on holiday, for example, may request
delivery to a hotel and not the billing address. But they are all worth checking. Consider using
the Electoral Register in the UK or your local equivalent to check names and addresses.
If you are not convinced your customer is genuine after carrying out the checks above, consider
checking the shopper's ID to try and confirm they are the genuine cardholder by requesting a
copy of:
a passport and/or driving license
a utility bill with an address that matches the billing address provided
a bank statement or credit card statement showing the correct billing address (sensitive data
can be obscured by the shopper)
Remember, you as the merchant have responsibility for how you manage confidential or
sensitive information, so you'll need to destroy or securely file this information after you've used
it.

Email
Free-site email addresses (eg, noname@hotmail.com) are more risky than those provided by an
ISP that requires the user to register properly (eg, noname@rbs.com)
to check email addresses try opening the domain of the email in a browser (eg,
www.consultant.com). You may find the domain isn't registered or is registered abroad.
Websites such as www.verify-email.org can also help confirm whether the email address
actually exists, although it doesn't work with all email providers.
Send an email to the email address supplied to confirm that it exists. If it doesn't, it may be
returned by your email server as undeliverable.
shoppers often enter their email addresses wrongly: for example, another character where the
'@' symbol should be or misspelling of .co.uk, .com. You might detect obvious misspelling by
comparing the shopper's name with their email address
if you can't identify an obvious problem and you can't make contact by email, try the phone
number the shopper provided.

IP address
Check the IP address supplied on the order confirmation matches the shopper's billing country
using a free IP address lookup tool such as http://www.ip-to-location.com/free.asp. You can find
similar tools by carrying out a web search for 'IP look up tools' or similar.
WorldPay's Risk Management service lets you automatically block transactions from IP
addresses that you know from experience have been associated with fraud in the past. Have a
look at our Knowledgebase for more information.

Orders
Signs that should alert you to potential fraud include:
a shopper ordering unusually large amounts of an item without any preference for the size,
colour, make or model
an existing shopper who suddenly orders an unusually large volume of goods
an unusually small order or unusually big order
top-of-the range item or multiples ordered
an unusual order swiftly followed by a repeat order
multiple transactions attempted using a range of different cards (called 'card testing'). This is
done by fraudsters to validate whether card details are valid and will be authorised
In each of these instances, call the phone number to confirm the order details and, at the same
time, check that the number and the shopper exist.
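
An added example, not WorldPay's code, of two checks described on this page: the 'card testing' sign above (a range of different cards tried in a short time) and the Fraud screening check on the number and total amount of payments for a particular card over a specified period. The field names, thresholds and sample orders are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (time, ip, email, card token, amount).
# "card" is a token from the payment provider, never the card number itself.
RAW = [
    ("2024-03-01 02:10:05", "203.0.113.7", "t1@example.com", "tok_01", 1.00),
    ("2024-03-01 02:11:40", "203.0.113.7", "t1@example.com", "tok_02", 1.00),
    ("2024-03-01 02:13:02", "203.0.113.7", "t2@example.com", "tok_03", 1.00),
    ("2024-03-01 02:15:30", "203.0.113.7", "t2@example.com", "tok_04", 2.00),
    ("2024-03-01 02:18:12", "203.0.113.7", "t1@example.com", "tok_05", 1.00),
    ("2024-03-01 10:00:00", "198.51.100.20", "jo@example.org", "tok_10", 45.00),
    ("2024-03-03 16:30:00", "198.51.100.20", "jo@example.org", "tok_10", 30.00),
    ("2024-03-02 09:00:00", "192.0.2.55", "sam@example.net", "tok_20", 150.00),
    ("2024-03-02 11:00:00", "192.0.2.55", "sam@example.net", "tok_20", 200.00),
    ("2024-03-02 15:00:00", "192.0.2.55", "sam@example.net", "tok_20", 120.00),
    ("2024-03-02 20:00:00", "192.0.2.55", "sam@example.net", "tok_20", 150.00),
]

def load(rows):
    """Turn raw rows into dicts with parsed timestamps, oldest first."""
    keys = ("time", "ip", "email", "card", "amount")
    orders = [dict(zip(keys, row)) for row in rows]
    for o in orders:
        o["time"] = datetime.strptime(o["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(orders, key=lambda o: o["time"])

def group_by(orders, field):
    groups = defaultdict(list)
    for o in orders:
        groups[o[field]].append(o)
    return groups

def windows(group, window):
    """Yield each run of time-sorted orders that fits inside `window`."""
    start = 0
    for end in range(len(group)):
        while group[end]["time"] - group[start]["time"] > window:
            start += 1
        yield group[start:end + 1]

def many_cards(orders, field, window=timedelta(minutes=30), max_cards=3):
    """Card testing: one IP (or email) presenting more than `max_cards`
    different cards inside `window`. Returns {value: distinct card count}."""
    alerts = {}
    for value, group in group_by(orders, field).items():
        most = max(len({o["card"] for o in run}) for run in windows(group, window))
        if most > max_cards:
            alerts[value] = most
    return alerts

def card_velocity(orders, window=timedelta(hours=24), max_count=3, max_total=500.0):
    """Per-card check on the number and total amount of payments inside
    `window`. Returns {card token: (payment count, total amount)}."""
    alerts = {}
    for card, group in group_by(orders, "card").items():
        for run in windows(group, window):
            total = round(sum(o["amount"] for o in run), 2)
            if len(run) > max_count or total > max_total:
                alerts[card] = max(alerts.get(card, (0, 0.0)), (len(run), total))
    return alerts

ORDERS = load(RAW)

if __name__ == "__main__":
    print(many_cards(ORDERS, "ip"))     # five cards from one IP in eight minutes
    print(many_cards(ORDERS, "email"))  # nothing: the cards were spread over two emails
    print(card_velocity(ORDERS))
```

Grouping by e-mail address misses the burst here because the cards were spread across two addresses, which is why the same check is run on more than one field.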

Tip: Intercept services
If you're sending items by courier, instruct them not to allow so-called 'Intercept' or 'Redirect'
services, which mean shoppers (or fraudsters!) can change the delivery address whilst the goods are in
transit
Deliveries
If you spot any of the following it isn't necessarily evidence of fraud, but it's worth checking:
a request for fast deliveries
where delivery cost is not an issue - genuine shoppers often avoid the expensive delivery
options
the delivery address is not the same as the billing address
an export delivery address, particularly to certain countries (see list of high-risk countries below)
a temporary address such as a hotel or boarding house
instruction to leave goods on doorstep (or similar)
We advise you carry out further checks on such orders to reassure yourself the purchase is
genuine.

High risk countries
Some countries have a higher risk of fraud than others, including the following:
Algeria
Argentina
Belarus
Bulgaria
Indonesia
Lithuania
Macedonia
Nigeria
Philippines
Romania
Russian Federation
Ukraine
Yugoslavia

Credit card fraudsters know lots of ways to part you and your customers from your
money. With WorldPay's fraud prevention service and your own checks, you'll protect
your business and your profits from them.
Fraud prevention: dealing with disputes
When you're a shopper paying with your credit card, it's reassuring to know that your card
issuer will usually reimburse you in case of fraud. But the money doesn't come from the card
issuer - it comes from the business the shopper was buying from.
And that could be your business.
In an online/telephone environment where no card, cardholder or signature is physically
present, it is more difficult to identify the real cardholder. So card issuers try to protect their
cardholders by giving them the right to raise a 'dispute' with the business their card was paying.
There are two types of dispute:

Tip: Avoid Disputes!

Dealing with disputes can be time consuming and result in big financial losses. Make sure you avoid losses
by doing as much as you can to prevent disputes in the first place. More at Avoiding Disputes
1. The shopper isn't satisfied with the goods or services you provide. They claim (for
example) the goods are faulty, haven't been received or aren't as described on your
website. Normally you can settle it by offering your customer a refund. But shoppers have
the right to take their grievance to their card issuer, and the card issuer may guarantee to
get them their money back.
2. The payment is fraudulent. The card might have been lost or stolen. Card data, such
as the card number and CVC code on the back of the card, might have been 'phished'
(illegally obtained). However it happened, if it's fraud you are liable for reimbursing
cardholders whose cards were used without their authorisation at your business.
Credit card fraud
Cardholders can dispute a payment up to six months (sometimes longer) after the payment is
complete, after the full delivery of the product or service. They can take any dispute direct to the
card issuer without contacting you first.
When a payment is in dispute, WorldPay, the card issuer, and the acquiring bank work together
to resolve the dispute. The process is governed by rules set by the Card Schemes (such as
Visa and MasterCard) that each party must comply with.
An automatic process (a chargeback) removes funds from your merchant account and places
them in the card issuer's account for repayment to the defrauded customer.
Prevention is, of course, better than cure. Better avoid disputes over credit card fraud in the first
place by:
using WorldPay's fraud screening tools and your own manual fraud checks
focusing, from the start, on customer service and good communications with customers
But if you are faced with a payment dispute, you need to know what to do.
How does the dispute process work?
1. Depending on the scenario, the card issuer may send you a Request for Information
(RFI) about the disputed sale. This comes to you via your acquiring bank - WorldPay if
you subscribe to our Business Gateway Plus account. However, if the card issuer believes
it to be a clear-cut case of fraud, they may not issue an RFI and may charge the funds
back immediately (see step 4).
2. The RFI requires you to send any documents or information that support your side of the
dispute: a signed delivery slip, for example, if a shopper is claiming not to have received
the goods.
3. Our Knowledgebase explains the types of information you can send, but be warned: if
the payment really was fraudulent, no evidence you can provide will prevent a chargeback.
This is why it really is crucial to identify and reject potentially fraudulent payments before it
gets to this stage.
4. Once you've submitted any evidence, the card issuer decides whether the shopper's
dispute is genuine. If the card issuer does not receive your RFI response in time, and/or
decides against you in favour of the cardholder, you'll be subject to a chargeback. The
money you received from the cardholder will be moved from your merchant account to the
card issuer's account.
5. It is possible to appeal against a chargeback - more information on our Knowledgebase
Our Knowledgebase has all the information you'd need about the dispute process: have a look
now, so that you're in the best position to prevent disputes or successfully defend yourself.
Fraud prevention: top tips for avoiding
disputes
Dealing with a cardholder dispute will at the very least take lots of your time, and may
take lots of your money too.
To avoid disputes you need to communicate well with your shoppers right from the start,
and be vigilant about suspicious transactions.
You can't be too careful. Carry out further checks if you have any suspicions about the identity of
the shopper. See Is the customer genuine?
Use WorldPay's Fraud Screening tools which alert you to potentially fraudulent transactions.
Then carry out further investigation and your own manual checks on those transactions before
you send out any goods
Use our Risk Management service to block known or suspect fraudulent details associated with
undesirable shoppers. You can block shopper IP addresses, email addresses and names.
Carry out manual checks on high value or out-of-the-ordinary payments, even if the Fraud
Screening tools didn't pick them up. (The fraudster might have stolen all of the cardholder's
legitimate details.)
Make it easy for your customers to contact you. Cardholders can be quick to take a dispute to
their card issuer if they think you're ignoring their query
Provide clear and detailed descriptions of your goods or services on your website - it'll avoid
shoppers claiming to have been misled
Publish your refund policy: it reassures customers they can get their money back from you
rather than having to escalate to their card issuer
Be realistic with customers about delivery timescales and keep them informed if there are any
delays. This is good customer service in any case. And if you don't they may go straight to their
card issuer complaining of goods not received
Immediately refund any payments you believe to be fraudulent and do not send out the goods.
Once you have refunded the payment, the issue cannot be escalated by the cardholder
Shoppers may not recognise your trading name on their bank statement if it's not the same as
your website name. Make sure that your trading name - which is used as default on your
customers' bank statements is recognisable. Contact your merchant account provider about
changing it if it is not.
