Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud & Risk
Excellent presentation by Chris West, CDGcommerce owner. In this presentation Chris will educate you on how to better protect your business against fraudulent transactions using AVS scrubbing, VbV/MSC, and several other tools provided by CDGcommerce.

www.cdgcommerce.com

Published in: Economy & Finance, Business
Transcript

  • 1. Proven Methods for Reducing Online Fraud & Risk
    • Increase your sales without increasing your risk!
  • 2. The Goal of this Presentation
      • We all want more sales.
      • We all want less fraud.
      • The question quickly becomes – how do we reach that “optimal” point of maximizing our sales while minimizing the amount of fraud losses that we encounter?
      • The goal of this presentation is to help you answer exactly that question for your business using an analysis of the tools that can help you and real life examples from our industry.
      • There are no “perfect solutions” or “silver bullets” – but by intelligently combining a variety of techniques, you can truly get the best of both worlds.
  • 3. Fraud: How & Why They Do It
    • Common Methods of Compromise
    • Physical Card Skimming – as much as 40% by some estimates
    • “Phishing” E-mails & Attacks – we have all seen many of these
    • Security Breaches
      • External Attacks (Packet Sniffing, Direct Hacking, etc.)
      • Internal Attacks ( “Inside Jobs” from Disgruntled Employees, etc.)
    • The “Secondary Market” of Card Sharing Forums/Chats
    • Card Testing Attacks – to determine which cards are still valid
    • Common Motivations Behind Fraud
    • Selling the stolen card data to other Fraudsters for Profit (now a $1B industry)
    • Steal Easy-to-Resell Products
    • “Steal & Spam” (host hopping for bulk e-mail campaigns)
    • “Because I can” (ego motivated)
  • 4. The Risk Management Toolkit
    • AVS
    • CVV
    • IP/GEO/BIN
    • Cardholder Authentication (VbV/MSC)
    • Phone Verifications
    • Manual Order Reviews
    • Chargebacks & Representments
    • PCI Compliance & Data Security
  • 5. AVS - Address Verification Service
    • How It Works
    • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code … not the actual Address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be)
    • Implementation
    • Available on any Internet merchant account and virtually any Payment Gateway
    • Most gateways provide an AVS configuration area where you can specify whether you want to automatically “decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match
    • Benefits
    • Easy to implement
    • Limitations
    • Works only for U.S., Canadian and U.K. cardholders, so this does not help you scrub most international transactions.
    • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases – will also contain the necessary information to provide a valid AVS match result.
    • Recommendation
    • If you handle a mix of int’l and U.S. sales, you will want to consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not be considered a primary means of verifying the validity of a transaction.
    • PORTFOLIO METRIC: nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results. However, 50% of our portfolio CB’s still have FULL AVS match results.
  • 6. CVV – Card Verification Value
    • How It Works
    • A service with many names – CVV2, CVC2, CID – but the premise is the same for all
    • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.
    • Implementation
    • Available on any Internet merchant account and virtually any Payment Gateway
    • Most gateways provide a CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do not settle) an authorization that has a CVV non-match or non-entry
    • Benefits
    • Works for virtually ALL cardholder accounts – both U.S. and international
    • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching number for this.
    • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.
    • Limitations
    • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.
    • Recommendation
    • CVV is a recommended service to utilize for ALL initial transactions processed.
    • PORTFOLIO METRIC: based on our internal chargeback analysis, merchants can reduce their fraud rates by as much as 70% by simply requiring a matching CVV result.
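The AVS and CVV rules from the two slides above, written out as gateway-style settlement logic. This is an added example, not code from the presentation or from CDGcommerce; the issuer-side AVS record is simulated, and the result letters (Y/A/Z/N for AVS, M/N/P for CVV) follow common gateway conventions rather than any particular gateway's API.

```python
import re
from dataclasses import dataclass

# Card countries for which an AVS result is meaningful (slide 5: U.S., Canada, U.K.).
AVS_COUNTRIES = {"US", "CA", "GB"}


def avs_components(street: str, zip_code: str) -> tuple[str, str]:
    """Reduce a billing address to what AVS actually compares: the leading
    street number and the zip digits. '1234 Test Street' and '1234 Wrong Way'
    both collapse to '1234', which is why a full AVS match proves little."""
    m = re.match(r"\s*(\d+)", street)
    number = m.group(1) if m else ""
    zip_digits = re.sub(r"\D", "", zip_code)[:5]
    return number, zip_digits


def avs_result(street: str, zip_code: str, issuer_number: str, issuer_zip: str) -> str:
    """Simulated issuer-side comparison (the issuer record is constructed).
    Y = street number and zip match, A = street number only, Z = zip only,
    N = neither."""
    number, zip_digits = avs_components(street, zip_code)
    street_ok = number != "" and number == issuer_number
    zip_ok = zip_digits != "" and zip_digits == issuer_zip
    if street_ok and zip_ok:
        return "Y"
    if street_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"


@dataclass
class Transaction:
    card_country: str        # issuing country derived from the BIN
    avs: str                 # AVS result letter returned by the gateway
    cvv: str                 # "M" match, "N" no match, "P" not processed / not entered
    recurring: bool = False  # subsequent charge on a card on file


def settle_decision(tx: Transaction) -> tuple[bool, list[str]]:
    """Apply the 'decline (do not settle) on non-match' configuration the
    slides describe. Returns (settle?, reasons for holding the authorization)."""
    reasons: list[str] = []
    # CVV: every initial transaction must return a match. Recurring charges
    # are exempt because CVV may not be stored and so cannot be re-sent.
    if not tx.recurring and tx.cvv != "M":
        reasons.append("CVV non-match or not entered")
    # AVS: only scrub cards from AVS-capable countries; for anyone else a
    # non-match is the expected outcome and would only create false declines.
    if tx.card_country in AVS_COUNTRIES and tx.avs == "N":
        reasons.append("AVS non-match")
    return (not reasons, reasons)
```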
  • 7. IP/GEO/BIN Scrubbing
    • How It Works
    • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
    • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer is using a US-issued credit card but they are from Europe?)
    • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction
    • Implementation
    • Custom direct integration into a service such as MaxMind.com
    • Use an existing integration that is part of a Shopping Cart such as X-Cart , LiteCommerce , osCommerce , ZenCart , ASPDotNetStorefront .
    • Use an existing integration that is part of a Billing System such as WHMCompleteSolution , ClientExec or Ubersmith .
    • Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway .
    • Benefits
    • Fast, Cost Effective and Non-Intrusive
    • Provides merchants with an excellent “do the pieces fit consistently?” analysis
    • Can block up to 89% of all fraud if properly implemented
    • Limitations
    • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
    • Proxy database is always in a real-time process of being updated as new proxies open up
    • Recommendation
    • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” for more intensive scrubbing vs. being an outright decline.
  • 8. IP/GEO/BIN Scrubbing
    • INSIDER INSIGHT:
    Since 2002, MaxMind.com has provided geo-location and online fraud detection tools. Over 6,000 e-commerce businesses currently benefit from MaxMind and clients include About.com, AT&T, Dupont, Earthlink, eBay, IBM, Lexis Nexis, Lycos, Match.com, Morgan Stanley, Orbitz, Red Hat, Reed Elsevier, Sony, Walgreens, Wal-Mart, Warner Brothers, WebEx and Yahoo!. MaxMind’s minFraud service – which has screened over 100,000,000 transactions – combines IP Address Reputation with a Collaboration Network of more than 10,000 merchants to piece together the most relevant risk indicators that are the consistent earmarks of a fraudulent transaction.
  • 9. IP/GEO/BIN Scrubbing
    • Examples of what IP Geo-Location can tell you:
    • YELLOW ALERTS:
    • Free E-mail Address: is the user ordering from a free e-mail address?
    • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
    • BIN Country Match: does the BIN # from the card match the country the user states they are in?
    • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
    • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?
    • RED ALERTS:
    • Country Match: does the country that the user is ordering from match where they state they are ordering from?
    • High Risk Country: is the user ordering from one of the designated high risk countries?
    • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
    • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
    • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
    • Ship Forwarding Address: is the user specifying a known drop shipping address?
    • Now let’s take a look at some interesting stats on the above…
  • 10. IP/GEO/BIN Scrubbing
    • Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an ongoing battle as new ones pop up and may remain undetected for some time.
    • 26% of orders placed from open proxies on the MaxMind minFraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from an open/anonymous proxy.
  • 11. IP/GEO/BIN Scrubbing
    • High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specifically Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam.
    • 32% of orders placed through the MaxMind minFraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.
  • 12. IP/GEO/BIN Scrubbing
    • Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country.
    • 21% of orders placed with a country mismatch on the MaxMind minFraud service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.
  • 13. IP/GEO/BIN Scrubbing
    • Results that speak for themselves:
    • ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.
    • MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting at least 60 chargebacks and $6,000 in unnecessary costs.
    • Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for small and medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.
    • 365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced by over 96% from more than $10,000 per month to less than $500 per month. At this point, most chargebacks are general order disputes as opposed to fraud.
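The yellow/red alert checklist from slide 9 and the proxy, high-risk-country and country-mismatch signals from slides 10-12, combined into one scrubbing step that outputs "approve" or "review" and never an outright decline, as slide 7 recommends. This is an added example and not MaxMind's or CDGcommerce's code: the IP geolocation, BIN, carder-e-mail and drop-address tables are small constructed stand-ins for a real service, and the proxy-score threshold and the "any red, or two yellows" policy are assumptions.

```python
from dataclasses import dataclass

# Constructed lookup tables standing in for an IP geolocation / BIN database.
IP_GEO = {                       # ip -> (country, proxy score)
    "203.0.113.5": ("US", 0.2),
    "198.51.100.7": ("RO", 0.4),
    "192.0.2.9": ("US", 3.8),    # looks like an open/anonymous proxy
}
BIN_COUNTRY = {"411111": "US", "510510": "DE"}
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}
CARDER_EMAILS = {"seen-before@example.net"}       # e-mails tied to past fraudulent orders
DROP_SHIP_ADDRESSES = {"1 forwarding depot rd"}   # known ship-forwarding addresses
# Countries listed on slide 11 as having a disproportionate share of fraud.
HIGH_RISK_COUNTRIES = {"EG", "GH", "ID", "LB", "MK", "MA", "NG", "PK", "RO", "RS", "ME", "UA", "VN"}
PROXY_ALERT_SCORE = 3.0   # assumed threshold, not taken from the slides


@dataclass
class Order:
    ip: str
    email: str
    card_bin: str
    billing_country: str
    ship_address: str


def evaluate(order: Order) -> tuple[str, list[str], list[str]]:
    """Return (decision, yellow_alerts, red_alerts). The worst outcome is
    'review' (flag for more intensive scrubbing), never an automatic decline."""
    yellow: list[str] = []
    red: list[str] = []

    ip_country, proxy_score = IP_GEO.get(order.ip, ("??", 0.0))
    bin_country = BIN_COUNTRY.get(order.card_bin[:6], "??")
    domain = order.email.rsplit("@", 1)[-1].lower()

    # Yellow alerts: weak on their own, meaningful in combination.
    if domain in FREE_MAIL_DOMAINS:
        yellow.append("free e-mail address")
    if bin_country != order.billing_country:
        yellow.append(f"BIN country {bin_country} != billing country {order.billing_country}")

    # Red alerts: the pieces do not fit, or the signal itself is a fraud marker.
    if ip_country != order.billing_country:
        red.append(f"IP country {ip_country} != billing country {order.billing_country}")
    if ip_country in HIGH_RISK_COUNTRIES:
        red.append(f"high risk country {ip_country}")
    if proxy_score >= PROXY_ALERT_SCORE:
        red.append(f"anonymous proxy score {proxy_score}")
    if order.email.lower() in CARDER_EMAILS:
        red.append("carder e-mail")
    if order.ship_address.strip().lower() in DROP_SHIP_ADDRESSES:
        red.append("ship forwarding address")

    # Assumed policy: any red alert, or two or more yellow alerts, routes the
    # order to manual review / extra verification instead of a decline.
    decision = "review" if red or len(yellow) >= 2 else "approve"
    return decision, yellow, red
```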
  • 14. Cardholder Authentication
    • How It Works
    • Verified by Visa (VbV) / MasterCard SecureCode (MSC) is a unique fraud protection tool provided by Visa and MasterCard whereby cardholders can specify a secret password that only their bank knows to use as an added authentication factor.
    • VbV & MSC protects both cardholders & merchants against unauthorized use of the card. Liability protection shifts from the acquiring bank (and merchant) to the issuing bank on an authenticated transaction.
    • Think of VbV/MSC as an “insurance policy against fraudulent transactions” – it helps out a lot but there are always certain limitations
    • Implementation
    • Utilize a Shopping Cart/Billing System that has a VbV/MSC module already integrated such as X-Cart, LiteCommerce, Cart32, ASPDotNetStorefront, Lagarde, PinnacleCart, Miva Merchant or a solution with available modules such as osCommerce or ZenCart.
    • Utilize a Payment Gateway that has built-in support for VbV/MSC such as the Quantum Payment Gateway, Authorize.Net and others
    • Custom direct integration into CardinalCommerce.com
    • Additional fees apply with most gateways & merchant processors – ranging from FREE to several hundred dollars setup fees, $10-50 per month, $0.15-0.25 per transaction, depending on who the service is acquired through.
    • Benefits
    • Actually blocks chargebacks (and chargeback fees!) for covered Reason Codes from reaching the merchant
    • Provides liability protection for both enrolled & non-enrolled cardholders
    • Virtually impossible to get a false decline
    • Provides substantially enhanced chargeback representment case even when Chargeback Block coverage does not exist
    • Limitations
    • Certain limitations to coverage exist – please see the Coverage Matrix on the next page
    • Chargeback blocking is only available on an initial transaction – not a subsequent Recurring Trans
    • Recommendation
    • VbV/MSC should be used for ALL initial transactions for merchants with Large Tickets or a High Risk Profile.
    • VbV/MSC should be strongly considered for use with all other merchant types as well due to its substantial benefits.
  • 15. Cardholder Authentication
    • INSIDER INSIGHT:
    Cardinal Commerce is the leading provider of cardholder authentication (Verified by Visa / MasterCard SecureCode) and provides authentication services to more than 30,000 merchants worldwide with more than $100 billion worth of authenticated transactions processed since its inception. In 2007, VbV/MSC was the most sought after fraud tool by major merchants. VbV/MSC is the only technology sponsored by the Card Associations which truly helps to level the playing field between the Issuing & Acquiring side with E-Commerce transactions.
  • 16. Cardholder Authentication
    • When you use VbV/MSC, you are in very good company…
  • 17. Cardholder Authentication
    • Results that speak for themselves:
    • Geeks.com:
    • Chris Beatty, Customer Service and Order Processing Manager of Geeks.com comments, "We have been able to approve more orders, faster. We spend less time reviewing orders protected by Verified by Visa, but still maintain our confidence in the validity of the order.” “Overall, we consider using Verified by Visa and MasterCard SecureCode an eCommerce industry best practice that can decrease chargebacks and increase consumer confidence," comments Chris Herzog, Geeks.com, VP of eCommerce Development.
    • TigerDirect:
    • “We now have the ability to reduce our processing rates, make fraud significantly easier to identify and ultimately reduce fraud by utilizing Verified by Visa and MasterCard SecureCode,” said Joe Dunne, Executive Vice President for TigerDirect. “On top of it all, we were able to re-deploy staff and turn eCommerce order reviewers into eCommerce order takers, how much better can it get?”
    • Crucial Technology:
    • “Since our implementation of Verified by Visa and MasterCard SecureCode, we have seen significant reduction in chargebacks,” said Shane Baker, Global Credit Manager for Crucial Technology. “We also feel our participation in leading-edge fraud prevention programs acts as a deterrent to potential fraudsters.”
      • PORTFOLIO METRIC: nearly 60% of the Chargeback Reason Codes from our Internet merchant portfolio are covered by VbV/MSC.
  • 18. Cardholder Authentication
    • Why these clients have all used VbV/MSC:
    • Transaction liability
      • Card-not-present, no guarantees
    • Chargebacks
      • Acquirer fines
      • Lost merchandise
    • Extensive Fraud Screening
      • Manual Review and 3rd party services
        • False negatives - turning away good customers
        • False positives - accepting fraud
    • Low Conversion Rates
      • Insulted customers can’t pay the way they want
      • Insulted customers turned away as too risky
      • Lost ‘repeat business’ compounds impact
    • International Orders - added risk but also added market opportunity
      • Bill To/Ship To does not match
      • No AVS available (as mentioned earlier)
  • 19. Cardholder Authentication
    Verified by Visa Benefits Coverage Specifics:
    • Fraudulent Chargeback Blocking on all U.S. consumer Visa transactions regardless of cardholder enrollment
    • There is NO automatic Chargeback Blocking with international, corporate or prepaid gift cards
    • Fraud Liability Shifted to Card Issuer
    • Accept International Orders with Protection
      • Programs extend Worldwide
    • Dramatically Lower Manual Review
    • Current Enrollment – over 380,000,000 cards enrolled in VbV to date
    • Increase Conversion
      • Consumers feel safer shopping on your site and in turn, spend more
  • 20. Cardholder Authentication
    MasterCard SecureCode Coverage Specifics:
    • Chargeback Blocking on interregional and intraregional transactions (non-U.S.) regardless of cardholder enrollment
    • There is NO automatic Chargeback Blocking for U.S. transactions
    • MasterCard offers chargeback representment rights for US to US authenticated transactions
      • If a chargeback is issued for reason codes 37, 63 or 49, the merchant may represent the transaction to have it reversed
      • When a consumer enters a PIN at checkout, ECI and CAVV data will be attached to that transaction thus ‘securing’ that order
    • Fraud Liability Shifted to Card Issuer
    • Accept International Orders with Protection (see next slide)
    • Dramatically Lower Manual Review
    • Enrollment - MSC is currently enabled on 250,000 web sites and run on 20% of all e-commerce transactions globally
    • Increase Conversion
      • Consumers feel safer shopping on your site and in turn, spend more
  • 21. Cardholder Authentication
    Covered Chargeback Reason Codes:
    • Verified by Visa
      • 23: Invalid T&E
      • 83: Fraudulent MOTO/Ecommerce
      • 75: Cardholder does not recognize
    • MasterCard SecureCode
      • 37: Non Cardholder Authorization
      • 63: Cardholder Does Not Recognize
      • 49: Questionable Merchant Activity
    • Here’s an easy way to know if VbV/MSC would help you – look at the CB Reason Code on the CB’s that you have already received!
  • 22. Cardholder Authentication
    • Non-Enrolled Authentication Experience: there is no change in the user checkout process
  • 23. Cardholder Authentication
    • Pre-Enrolled Authentication Experience: presented to cardholders after suggested enrollment advertising from the issuer. Enrollment is optional.
  • 24. Cardholder Authentication
    • Enrolled Authentication Experience: secure inline frame prompt from the issuer – for cardholders who already voluntarily enrolled
  • 25. Phone Verification Calls
    • How It Works
    • Phone verification calls can be done manually by employees OR done through an automated system that provides the online purchaser with a special PIN # or keyword and then calls them up on the phone and asks them to enter the information. The latter can be done 24 x 7 x 365 without any actual employees present.
    • By calling up the customer at their specified phone #, it is possible to verify that the number itself is valid and that the customer actually is present. With a stolen card or fraudulent purchase, it is very unlikely that you will ever reach a live human being.
    • Implementation
    • Use an existing 3rd party service such as TeleSign.com, Varilogix.com, DialVerify
    • Build your own VOIP system to make automated phone calls to customers
    • Benefits
    • Reliable method for validating “proof of life” on the part of a remote purchaser.
    • Automated implementations can save employee time & cost.
    • You can use the phone call as a dual “verification plus welcome” call for the customer.
    • Limitations
    • Additional fees apply when using an automated solution – the costs can be a per-minute fee based on destination phone # or a flat monthly fee which includes a specific amount of calls with overage costs for calls above and beyond that.
    • For international sales, there can be a language barrier issue and/or telecom connection problems under certain circumstances.
    • By using VOIP lines or prepaid wireless, a savvy fraudster can still get past this method of fraud scrubbing although this is still the exception to the rule – most still do not want any phone # that can directly reach them if they can avoid it. (In addition, some systems can determine whether the # being called is a VOIP or pre-paid phone, etc.)
    • Recommendation
    • Phone Verification calls should be implemented on a case by case basis depending on the merchant’s risk profile. For high ticket or higher risk transactions, phone verification calls should be used. The decision to use Manual Calls vs. Automated Calls depends on the frequency of calls, order fulfillment speed needed to be competitive and staff availability.
  • 26. Phone Verification Calls
    • INSIDER INSIGHT:
    Ace-Host is a leading Web hosting company that currently serves the needs of more than 40,000 webmasters worldwide. Jerald Darow, one of the founders, was kind enough to share his company’s internal order verification process. Many aspects of this process were developed on a trial & error basis as a result of various fraud losses early on and Jerald’s hope is that other Web hosting companies can benefit from what his organization has learned along the way.
  • 27. Phone Verification Calls
    • AceHost Order Review Process:
    • STEP ONE: INITIAL ORDER SCREENING PROCESS
    • Use Varilogix + ModernBill for the initial automated phone verification process
    • Use VbV/MSC for Dedicated Server Orders (which are higher tickets by nature)
    • STEP TWO: COMPLETE ORDER REVIEW & DECISION
    • Use custom order review system – which ties into ModernBill – to review the results of the IP/BIN/GEO results as per the screenshot and review to get an overall assessment of how risky the transaction appears
    • Pay close attention to the Phone Area Code Checking against User-entered State Address (U.S. only)
    • Pay close attention to the Bank BIN-to-IP comparison to ensure that Credit Card is from the same Country.
  • 28. Manual Order Review
    • How It Works
    • Using the “Mark 1 Eyeball” method, you review the information on an order to make sure that it makes sense and is consistent with previous order patterns. In addition, you can cross-check WHOIS, review a customer’s Web site and take other subjective steps. A manual review also helps to flag situations such as:
      • Nonsensical e-mail, phone or address information (“1234 Test Street”, “123-456-7890”, “1 Gonna Git You Drive”)
      • A large ticket purchase without prior discussion that normally would entail extensive prior negotiation
      • A large ticket transaction that the customer wants rushed to them regardless of the shipping cost
      • Too many risk factors together (high fraud score, AVS non-match, CVV non-match, unable to reach customer, mis-matching IP/GEO/BIN scoring)
    • Implementation
    • This process requires employee time. Employees must be tasked to review every order manually before capture/settlement OR only to review flagged orders that are considered higher risk.
    • For additional verification, employees could request supporting documents such as: Copy of Credit Card, Copy of Credit Card Statement, Copy of Government-issued Photo ID, Copy of Utility Bill or Bank Statement. (Keep in mind that some of the above will be objectionable to legitimate purchasers and so there could be a trade-off in the form of lost sales.)
    • Benefits
    • Subjective analysis - the human brain is the best single tool for fighting fraud… as long as the benefits provided by the other tools in the toolkit are used in conjunction with it.
    • Limitations
    • Employee time & cost are the biggest limitation for manual order reviews.
    • Recommendation
    • Manual order review is always recommended for high ticket or high risk transactions. For other scenarios, it is a case by case analysis which is largely dependent on the merchant’s risk profile.
  • 29. Manual Order Review
    • INSIDER INSIGHT:
    Hostgator is the world’s leading provider of reseller accounts with over 20,000 resellers and 1,000,000 websites on its shared and reseller plans. Hostgator has done an excellent job managing its online order risk throughout its incredible growth as a business and Brent Oxley, the founder & owner was kind enough to share his company’s internal method for manual order review & phone verifications.
  • 30. Manual Order Review
    • Hostgator Order Review Process:
    • STEP ONE: INITIAL ORDER SCREENING PROCESS
    • Check IP/GEO fraud score and distance to billing
    • Do a WHOIS search (dnsstuff.com, iptools.com)
    • If PayPal, verify to make sure the name and e-mail matches info in ModernBill
    • Require additional verification on any account with the following words in their domain:
    • proxy bank warez forex torrent paypal lolita hyip
    • All accounts with Proxy Score of over 3.00 must verify by sending in supporting docs.
    • IRAN: no accounts can be accepted from Iran due to legal/trade restrictions.
    • CHINA: payment must be made via Western Union or bank wire transfer.
    • NIGERIA/SOUTH AFRICA (ZA): verification via Photo ID + Copy of Credit Card required. If paying by PayPal, the government ID must match with what we have on file
    • GREAT BRITAIN: has larger distance scores so try to do a WHOIS and verify details carefully
    • ROMANIA: usually has a high fraud score so check WHOIS and verify details carefully
    • If in doubt, make a Phone Verification Call – verify the domain, last 4 of CC and address (see STEP TWO)
    • STEP TWO: CALL EVERY ACCOUNT YOU ARE ABOUT TO MARK AS “FRAUD” BEFORE DECLINING IT:
    • If they answer and verify the info - activate the account!
    • If they do not answer but name on voicemail matches, leave message and activate
    • If they do not answer and voicemail is non-specific, leave a message and pend
    • If the number is invalid, mark the account as fraud and cancel the order
    • If they do not speak English, mention you will send an e-mail and notate the ticket
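The two-step Hostgator review process above, expressed as code so that the step-one rules produce an explicit list of required verifications and the step-two call outcome maps to a single action. This is an added example, not Hostgator's or CDGcommerce's own system: the order fields, country codes and the "China card order becomes a verify step" interpretation are assumptions, and the fraud-score/distance checks are reduced to the proxy-score rule the slide states numerically.

```python
from dataclasses import dataclass
from typing import Optional

# Words that trigger additional verification when they appear in the domain (slide 30).
SUSPICIOUS_DOMAIN_WORDS = ("proxy", "bank", "warez", "forex", "torrent", "paypal", "lolita", "hyip")
PROXY_SCORE_LIMIT = 3.00   # "Proxy Score of over 3.00 must verify by sending in supporting docs"


@dataclass
class HostingOrder:
    domain: str
    country: str                        # ISO code of the country assessed in step one (assumed field)
    proxy_score: float
    payment: str                        # "card", "paypal", "wire" or "western_union"
    paypal_name_matches: bool = True    # PayPal name/e-mail agrees with the billing-system record


def step_one(order: HostingOrder) -> tuple[str, list[str]]:
    """Initial order screening. Returns (status, required verification steps),
    with status one of 'reject', 'verify' or 'ok'."""
    steps: list[str] = []
    if order.country == "IR":
        return "reject", ["no accounts from Iran (legal/trade restrictions)"]
    if order.country == "CN" and order.payment not in ("wire", "western_union"):
        steps.append("payment must be made via Western Union or bank wire")
    if order.country in ("NG", "ZA"):
        steps.append("photo ID + copy of credit card")
        if order.payment == "paypal":
            steps.append("government ID must match the record on file")
    if order.country in ("GB", "RO"):
        steps.append("WHOIS lookup and careful verification of details")
    if order.payment == "paypal" and not order.paypal_name_matches:
        steps.append("PayPal name/e-mail does not match billing record")
    hits = [w for w in SUSPICIOUS_DOMAIN_WORDS if w in order.domain.lower()]
    if hits:
        steps.append("additional verification: domain contains " + ", ".join(hits))
    if order.proxy_score > PROXY_SCORE_LIMIT:
        steps.append(f"supporting documents (proxy score {order.proxy_score:.2f} > {PROXY_SCORE_LIMIT:.2f})")
    return ("verify" if steps else "ok"), steps


def step_two(call_result: str) -> str:
    """Phone-verification outcome -> action, taken before any order is marked fraud."""
    actions = {
        "answered_and_verified": "activate",
        "voicemail_name_matches": "leave message and activate",
        "voicemail_generic": "leave message and pend",
        "number_invalid": "mark as fraud and cancel",
        "language_barrier": "send e-mail and notate ticket",
    }
    return actions[call_result]


def review(order: HostingOrder, call_result: Optional[str] = None) -> str:
    """Full flow: step one decides whether verification is needed; an order
    that is not clean is never declined without the step-two call."""
    status, steps = step_one(order)
    if status == "reject":
        return "reject"
    if status == "ok":
        return "activate"
    if call_result is None:
        return "pend: " + "; ".join(steps)
    return step_two(call_result)
```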
  • 31. Other Fraud Prevention Tools
    • IP Velocity Scrubbing – recommended for all merchants to avoid card testing attacks.
    • Split Charge with Customer Verification – a great idea but not widely implemented yet.
    • Stolen Card Alert Services – an interesting idea; success depends on scale.
    • Credit Bureau Identity Verification – an interesting idea but one that has realized mixed success.
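IP velocity scrubbing, the first item above, as a sliding-window detector that replays a constructed gateway authorization log and flags the burst pattern typical of card testing (many different cards from one IP in a short window). This is an added example, not CDGcommerce's tool; the log format, the window length and the attempt/distinct-card thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from typing import Optional

# Constructed gateway authorization log. One IP cycles through six different
# cards at $1.00 within half a minute; the other is an ordinary retry.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=198.51.100.7 card=****1111 amount=1.00 result=declined
2024-03-01T10:00:04 ip=198.51.100.7 card=****2222 amount=1.00 result=declined
2024-03-01T10:00:09 ip=198.51.100.7 card=****3333 amount=1.00 result=approved
2024-03-01T10:00:15 ip=198.51.100.7 card=****4444 amount=1.00 result=declined
2024-03-01T10:00:20 ip=198.51.100.7 card=****5555 amount=1.00 result=declined
2024-03-01T10:00:27 ip=198.51.100.7 card=****6666 amount=1.00 result=declined
2024-03-01T10:02:00 ip=203.0.113.5 card=****7777 amount=49.95 result=approved
2024-03-01T10:05:00 ip=203.0.113.5 card=****7777 amount=49.95 result=declined
2024-03-01T10:06:00 ip=203.0.113.5 card=****7777 amount=49.95 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) card=(?P<card>\S+) amount=\S+ result=(?P<result>\S+)$"
)


def parse_ts(ts: str) -> int:
    """Seconds since midnight for the constructed ISO-style timestamps."""
    h, m, s = ts.split("T")[1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


class IpVelocity:
    """Sliding-window count of authorization attempts and of distinct cards
    per source IP. Thresholds are assumed, not taken from the slides."""

    def __init__(self, window_s: int = 600, max_attempts: int = 5, max_cards: int = 3):
        self.window_s = window_s
        self.max_attempts = max_attempts
        self.max_cards = max_cards
        self.events: dict[str, deque] = defaultdict(deque)   # ip -> deque of (ts, card)

    def observe(self, ip: str, ts: int, card: str) -> bool:
        """Record one attempt; return True if this IP should now be blocked,
        i.e. too many attempts or too many different cards inside the window."""
        q = self.events[ip]
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                      # drop attempts older than the window
        q.append((ts, card))
        distinct_cards = {c for _, c in q}
        return len(q) > self.max_attempts or len(distinct_cards) > self.max_cards


def scan_log(log: str, detector: Optional[IpVelocity] = None) -> dict[str, int]:
    """Replay a log through the detector; return ip -> number of attempts that
    would have been blocked had the rule been enforced live."""
    detector = detector or IpVelocity()
    blocked: dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if detector.observe(m["ip"], parse_ts(m["ts"]), m["card"]):
            blocked[m["ip"]] += 1
    return dict(blocked)
```

With the default thresholds the card-testing IP is blocked from its fourth card onward while the retrying customer is untouched; tightening `max_attempts` shows how quickly a low threshold starts catching legitimate retries.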
  • 32. Chargebacks & Representments
    • The Mechanics of a Visa/MasterCard Chargeback
    • A chargeback takes place when a cardholder disputes a transaction with a merchant. The cardholder must specify a reason which is then translated into one of a large list of possible “Reason Codes.” The Issuing Bank sends through the chargeback and reverses the original transaction with the Acquiring Bank. The Acquiring Bank debits the merchant for the sale amount plus a chargeback fee and notifies the merchant. It is then up to the merchant to submit a “re-presentment” of the original sale along with a rebuttal as to why the chargeback was invalid. If successful, the sales funds are once again debited from the Issuing Bank (and cardholder), transmitted to the Acquirer and deposited back to the Merchant.
    • First Chargebacks
    • The first chargeback initiated between a Cardholder and a Merchant is considered the “First” chargeback. This does not mean that it is the only chargeback that can take place; however, in most cases if a merchant wins the representment/rebuttal, the case is closed. The rules that govern chargeback disputes are very extensive – they literally take up a book that is over 1.5 inches thick just for the Visa rules.
    • Second Chargebacks & the Arbitration Process
    • Under certain circumstances, a 2nd chargeback between the same Cardholder and Merchant can be initiated by the Issuing Bank pertaining to the same transaction. Normally this is submitted under a different Reason Code. If the merchant wishes to dispute this, the process then will go to Arbitration whereby each party will state their case before a panel from Visa or MasterCard. The problem here is that there are filing fees and other costs that will be borne by the merchant if the merchant loses the case. Since these fees are often in excess of $400, the only time the risk of arbitration makes sense is when there is a very large ticket involved AND the merchant’s case is extremely solid. Most of the time, one of these two situations is not the case and so the better course of action is to pursue collection of the payment through the civil/legal side.
  • 33. Chargebacks & Representments
    • Keys to Avoiding Non-Fraud Chargebacks
      • Make sure that the Domain and DBA/Merchant Descriptor match closely
      • Make sure that your Merchant Phone # is always kept up to date with your merchant processor
      • Make sure that any customer inquiries about a transaction are responded to in a very timely manner
      • Make sure that instructions for cancellation of service are clearly understood and that it is not difficult to do so
      • Make sure to clearly and promptly communicate if there is ever a billing error to avoid a chargeback
      • “If in doubt, refund it out” – it just isn’t worth the headache on a small ticket to argue over a TOS or AUP only to get a CB
    • Keys for Successful Chargeback Representments
      • Respond in a timely manner to any chargeback advisories that you receive
      • Clearly notate if there was a positive CVV, AVS or CAVV match on the transaction
      • Clearly notate if you have a faxed signature from the cardholder
      • If you have correspondence from the customer or proof of delivery, include all of this information
      • Remember: you will lose 100% of the chargebacks that you do not even ATTEMPT to combat!
      • PORTFOLIO METRIC: nearly 42% of the representments attempted by our merchants have been successful
  • 34. Chargebacks & Representments
    • Chargeback Ratios & High Risk Merchant Monitoring Programs
    • It is up to each individual merchant processor how they want to set their acceptable chargeback thresholds for their merchants. Most merchant processors set a guideline of 1% chargeback volume-to-sales volume. The actual Visa and MasterCard internal thresholds vary from 1-2.5% based on volume-to-volume or # of CB to # of sales measurements. Under certain circumstances, a larger volume merchant can be placed on the Visa or MasterCard high risk merchant monitoring programs. This is NOT a happy place to be and penalty fees can quickly start to ramp up into the tens of thousands of dollars. This also brings additional and unwanted scrutiny upon the merchant processor with the Associations and in many cases, a merchant processor will politely (or not so politely!) request that a merchant move their processing elsewhere if this begins to happen. The best way to address this is to avoid this situation in the first place using the methods outlined in this presentation.
      • PORTFOLIO METRIC: the average CB ratio for our Internet merchant portfolio is only 0.003%.
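An added Python example (not from the presentation) that computes a merchant's monthly chargeback ratio both ways the slide mentions, by count (# of CB to # of sales) and by dollar volume, and grades it against the 1% processor guideline and the 1-2.5% association band; the transaction data and the grade labels are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Txn:
    month: str     # "YYYY-MM" in which the sale or chargeback posted
    amount: float  # USD

# Constructed sample: 100 small sales, one $500 sale, and one chargeback on the big ticket.
SALES = [Txn("2024-01", 10.0) for _ in range(100)] + [Txn("2024-01", 500.0)]
CHARGEBACKS = [Txn("2024-01", 500.0)]

PROCESSOR_GUIDELINE = 0.01        # 1% chargeback-to-sales guideline most processors use
ASSOCIATION_BAND = (0.01, 0.025)  # Visa/MasterCard internal thresholds vary from 1% to 2.5%

def chargeback_ratios(sales, chargebacks):
    """Return {month: (count_ratio, volume_ratio)}: # of CB / # of sales and $CB / $sales."""
    totals = defaultdict(lambda: [0, 0.0, 0, 0.0])  # n_sales, $sales, n_cb, $cb
    for s in sales:
        totals[s.month][0] += 1
        totals[s.month][1] += s.amount
    for c in chargebacks:
        totals[c.month][2] += 1
        totals[c.month][3] += c.amount
    return {m: (nc / ns if ns else 0.0, vc / vs if vs else 0.0)
            for m, (ns, vs, nc, vc) in totals.items()}

def classify(count_ratio, volume_ratio):
    """Grade the worse of the two measures: 'ok' under the guideline,
    'warning' inside the association band, 'monitoring_risk' above it."""
    worst = max(count_ratio, volume_ratio)
    if worst < PROCESSOR_GUIDELINE:
        return "ok"
    if worst <= ASSOCIATION_BAND[1]:
        return "warning"
    return "monitoring_risk"

if __name__ == "__main__":
    for month, (cr, vr) in chargeback_ratios(SALES, CHARGEBACKS).items():
        print(f"{month}: by count {cr:.2%}, by volume {vr:.2%} -> {classify(cr, vr)}")
```

In the constructed month the count-based ratio stays just under 1% while the volume-based ratio is far above the band, which is why it matters which measure your acquirer applies.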
    • Disputes with Other Non-Visa/MasterCard Card Brands
    • Other card brands (Amex, Discover, JCB) and payment methods like PayPal have their own specific dispute policies.
  • 35. PCI DSS Compliance & Data Security
    • What is PCI DSS and why it is important
    • PCI DSS is the Payment Card Industry’s Data Security Standards. It exists to provide a common set of security standards that all market participants can agree to adhere to… instead of having to comply with varying guidelines from every different card brand and processor. Due to the amount of reputational risk and financial exposure that exists whenever there is a well publicized security breach and cardholder data is compromised, Visa and MasterCard have embarked on an extensive campaign to ensure that all participants in their networks adhere to these guidelines to minimize the likelihood of future compromises. In turn, this has put pressure on Acquiring Banks to ensure that their Merchants are also PCI compliant. A good reference site to look at for the full PCI standards is at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
    • The Recent Myth of “PCI Compliance Fees”
    • A lot of merchant processors have been using the recent buzz about PCI to leverage additional fees onto their merchant bases under the auspices of it being “required” by Visa and MasterCard. This is simply NOT the case. Most Internet merchants are Level 4 merchants and it is completely up to the Acquiring Bank what they want to require. Under almost all circumstances, a detailed internal review and a Self-Assessment form by itself should be the only necessary action step needed by most merchants. External scanning is certainly encouraged as well and some acquiring banks may mandate this in the future for their Level 4 merchants.
    • The Road Towards PCI Compliance
    • There is no easy or quick way to ensure PCI compliance. The 12-Step process can indeed be an arduous undertaking. There are a few quick pointers that are worth sharing on this, however: (THIS IS BY NO MEANS AN EXHAUSTIVE LIST!)
      • Avoid direct storage (even if encrypted) of cardholder data if possible and outsource this to a PCI-certified gateway.
      • If you must store data, make sure never to store CVV data under any circumstances. This is a major Visa/MC violation.
      • If you do store data, ensure that it is encrypted and that the decryption key is not stored on the same server(s) as your data.
      • If you do store data, ensure that you have a separate firewall dedicated to that database server which only allows authenticated connections from your Web server or other non-public IPs.
      • Make sure to segregate applications – one application per server. Do not have a Web server that also runs a database or a database server that also handles your e-mail.
      • Make sure that your server/network requires 2-factor authentication in order to gain physical access to any equipment.
      • Make sure to develop and maintain a compliant security policy manual, use strong passwords and log all activity carefully.
  • 36. Let’s Fight Fraud Together!
    • Thank you for reading…
    • We hope you enjoyed the presentation!
    • Questions? Feedback? Ideas? Tips?
    • E-mail: social @ cdgcommerce.com
    • Chris West
    • CDGcommerce
    • www.cdgcommerce.com