Merchant Credit Card Liability and Credit Card Fraud Risk
When a brick and mortar merchant accepts a credit card, and the charge is authorized, and assuming the merchant conforms to regulation, the merchant will get paid, even if a stolen card is used. Liability for fraud shifts from the card issuer to the merchant for ‘Card Not Present’ sales (mail order, telephone/fax order, and internet sales). The merchant is generally liable for credit card charge backs, even when the bank has authorized the transaction. After a merchant is stung by a fraud, the credit card processors often hike their rates, citing increased risk. The merchant also risks losing their accounts with the card companies if their fraud rate gets too high.
Visa uses sophisticated behavioral profile models to continuously monitor our network for disruptions in typical spending patterns so we can identify and respond to fraudulent activity immediately.
When a credit card is lost or stolen, it remains usable until the holder notifies the issuer that the card is lost. Most issuers have free 24-hour telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on a card until it is canceled. Without other security measures, a thief could potentially purchase thousands of dollars in merchandise or services before the cardholder or the card issuer realizes that the card is in the wrong hands.
The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Some merchants will demand to see a picture ID, such as a driver’s license, to verify the identity of the purchaser, and some credit cards include the holder’s picture on the card itself. However, the card holder has a right to refuse to show additional verification, and asking for such verification is usually a violation of the merchant’s agreement with the credit card companies. Self-serve payment systems (gas stations, kiosks, etc.) are common targets for stolen cards, as there is no way to verify the card holder’s identity.
A common countermeasure is to require the user to key in some identifying information, such as the user’s ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder’s wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a U.S. driver license commonly has the holder’s home address and ZIP code printed on it. Visa Inc. offers merchants lower rates on transactions if the customer provides a zip code.
In Europe, most cards are equipped with an EMV chip which requires a 4 digit PIN to be entered into the merchant’s terminal before payment will be authorised. However, a PIN isn’t required for online transactions.
Card issuers have several countermeasures, including sophisticated software that can, prior to an authorized transaction, estimate the probability of fraud. For example, a large transaction occurring a great distance from the cardholder’s home might seem suspicious. The merchant may be instructed to call the card issuer for verification, or to decline the transaction, or even to hold the card and refuse to return it to the customer. The customer must contact the issuer and prove who they are to get their card back (if it is not fraud and they are actually buying a product).
Forbes claims most credit card numbers are still stolen the old-fashioned way. Unethical retail store clerks and restaurant employees steal card numbers, often using hand-held skimmer devices. A scam artist can go through the trash of any merchant (brick and mortar or e-commerce) or customer garbage, get valid credit card numbers, and use them on the Internet. Industry analysts and e-merchants claim the credit-card companies have yet to come to grips with the full scope of the problem. None of the credit-card associations disclose exact loss-rate figures for fraud – Visa, MasterCard and American Express claim to have a handle on the problem overall. Credit card fraud is something that can never be completely eliminated, but rather something that must be managed. Merchants must develop a delicate balance between using safeguards to prevent fraud and not creating too many hoops for customers to jump through.
This article concentrates on preventative methods and procedures that merchants can perform to limit credit card fraud. After a credit card processor or registration service approves an order, the merchant needs to perform additional checks, as fraudulent orders sometimes are approved. The merchant should not depend on the credit card company, or the registration service, to stop all fraudulent orders. Using a combination of the following methods and techniques can be the best defense against credit card fraud. Do not rely too much on any one technique or tool to prevent and detect credit card fraud.
FOLLOW THE MERCHANT RULES:
Follow the procedures recommended by your payment processor and the credit card companies. You can lose your merchant account for failing to follow their rules. If a merchant suspects a fraudulent order, contact the registration service, so they can reduce the total number of charge backs. Registration services with a large number of charge backs will likely be charged higher service fees, which will be passed on to merchants. Everyone wins when the registration service, the card issuing bank, and the card holder are notified of a fraudulent or suspected fraudulent order.
Authorization approval does not mean that the merchant is guaranteed payment. Approval only indicates that at the time the approval was issued, the card hasn’t been reported stolen or lost, and that the card credit limit has not been exceeded. If someone else is using the credit card number illegally, the card holder has a right to dispute the ‘approved’ charges.
ADDRESS VERIFICATION SYSTEM (AVS):
AVS is only available for the U.S. and partially available in four European countries. In the US, AVS checks if the cardholder’s address and zip code match the information at the card-issuing bank. AVS only uses the zip code and numeric portion of the billing street address. There are many reasons why AVS may fail (recent address change, AVS computers down, etc.). If the address verification fails on any level, the merchant may decline the transaction. If the AVS fails for any reason, the merchant should contact the customer for additional information (for example, the name of the issuing bank, the bank’s toll-free telephone number, etc.). If your current merchant account system of authorization approval cannot provide AVS, then you can get address verification from the card holder’s issuing bank for MasterCard and VISA. Discover and American Express purchases can be verified by calling them directly. Only American Express can verify all international credit cards. When you call, have your merchant number, your phone number, the customer’s full name, address, and phone number ready. If you call MasterCard/Visa directly regarding a purchase, they can provide you with the issuing bank’s phone number (foreign and domestic). It is up to the merchant to make the phone call to the issuing bank. With today’s cheap phone rates from calling cards, and using the Internet to place phone calls, there is no excuse for not checking for possible fraud.
- American Express 1-800-528-5200
- Discover Card 1-800-347-2000
- Visa/MasterCard 1-800-228-1122
Once a fraudster has a legitimate customer name and the stolen credit card number, they can use the Internet to look up their victim’s telephone number, address, and zip code. This allows a software purchase to pass AVS, and the fraudster can download the software before the fraud is reported. With orders that are shipped, the thief can provide the correct billing address for AVS approval, but request a different ship to address.
CARD VERIFICATION METHODS (CVM):
Card Verification Methods (VISA = CVV2, MasterCard = CVC2, and American Express = CID) use a security code of 3 or 4 extra digits imprinted on the card, but not embedded or encrypted in the magnetic stripe. This verification code does not appear on credit card receipts. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer that supplies this number is much more likely to be in possession of the credit card. VISA claims that the use of AVS with CVV2 validation for card-not-present transactions can reduce chargebacks by as much as 26%. Merchants that accept Internet, mail-order, and telephone orders must be prepared to request the verification code when the cardholder is not present to help validate a transaction. Even if a merchant cannot confirm the CVV2 number, they can still ask for it, or provide a space for the number on their web order form. If the crook does not have the number, they could look somewhere else to commit their fraud. The merchant is not allowed to store the CVM numbers. The merchant should never keep the customer’s credit card “on file”. Each transaction should be treated as a new order. We’ve all seen too many reports of computer files being compromised by hackers.
PAYER AUTHENTICATION PROGRAMS:
Authentication programs (Verified by Visa and MasterCard’s SecureCode) use personal passwords to ensure the identity of the online card user. If merchants use this program, card issuers may incur some of the losses for online fraud that were previously entirely borne by the merchants. If merchants do not participate, they remain liable for the losses. The pop up windows for authentication can be blocked if card holders have installed software to disable pop-ups. This also adds an extra step in the ordering process. There is also an additional processing fee incurred by the merchant. Another loophole is if the customer claims they never received the merchandise. I have seen information indicating Visa always trusts their card holders, so the customer gets their money back and the merchant gets stuck with a chargeback. Even if Visa rules against the merchant, the merchant can still take the customer to small claims court. If the merchant can prove the customer did receive the product, the merchant is entitled to recover the value of the product plus all their costs when they win. Most licenses included with software include a clause concerning court actions. This is one more reason to keep accurate records, document customer phone calls, keep copies of emails, delivery signatures, and web logs.
Credit card information is sent to the processor for immediate approval (usually 5 seconds or less). This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected. There is an additional cost for real-time authorization. Authorization does not tell you if the person using the card is authorized to use the card.
The first 6 digits of the credit card are called the Bank Identification Number (BIN). You can determine if the credit card holder and the issuing bank for the credit card are located in the same country. Legitimate users sometimes use a credit card from another country. You can enter the BIN of a credit card number at http://all-nettools.com/toolbox,financial . The site provides the bank name, card type, and a 3 character code for the country.
CALLING THE CARD-ISSUING BANK:
When you call the card-issuing bank, have your merchant number, your phone number, the customer’s full name, address, and phone number ready. You can ask the card-issuing bank to make a courtesy call to your customer to verify the charge.
DIFFERENT BILL AND SHIP TO ADDRESSES:
Use Google to search for the numeric street address, street name, and zip code. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. Check for bogus billing addresses like 123 Main Street. Use resources like http://maps.yahoo.com to see if the address can be verified. If the billing and shipping addresses are different, request telephone numbers for both addresses. You can also establish a company policy and charge an extra fee to recover your costs to require a delivery signature (UPS, Federal Express, post office) if the billing and shipping addresses are different. You could require advance payment with a cashier’s check or money order when different ship to and bill to addresses are used. Be careful of remailing services, such as Mailboxes, etc. Remailing services can remail your packages to overseas destinations.
NEGATIVE HISTORICAL FILE:
Keep a database of prior fraud attempts, problem customers, charge back records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, credit card numbers, IP addresses, and email addresses, and merchant comments. Incoming orders can be searched for matches in this database. This method reduces the incidence of repeat offenders, has a relatively low cost, but does not stop new fraudsters.
SHARED NEGATIVE HISTORICAL FILE:
Several merchants combine their negative historical database. Since this database has fraud data from several merchants, using this file should reduce fraudulent hits. Pattern-specific fraud should be reduced. One drawback is that a bad customer for one merchant may not be a bad customer for other merchants.
POSITIVE DATABASE FILE:
This file contains a list of good customers, for example, customers eligible for upgrade purchases. Customers who purchased successfully in the past will more than likely not commit fraud. This file can contain the same types of information as the negative file. You must have some limits to people accessing the information in this file. This file should also be encrypted.
CREDIT SERVICE DATABASE:
Credit database services, such as Equifax ( www.equfax.com ), Experian ( www.experian.com ), and Trans Union (www.tuc.com), are most appropriate for high-dollar value items. The customer would be asked to verify some very specific information such as the mother’s maiden name or their social security number. This can be expensive and time consuming.
CUSTOMIZABLE MERCHANT RULES:
Some E-commerce merchants feel this is the best method to catch fraud. The merchant sets up rules to stop or flag specific orders for review. For example, the merchant could set up rules to review all orders from a specific IP address, specific country or if a certain dollar amount is exceeded, or shipping to a specific address. This method may flag valid customers for review, but it will reduce repeat or pattern-specific types of fraud. If the IP address is dynamically assigned by an ISP, a legitimate order could be delayed or rejected.
FRAUD SCORING SYSTEMS:
The merchant assigns points for different elements of a transaction (IP Address, free-email account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, certain zip codes, etc) to generate a fraud score to indicate the likelihood of fraud. Points could also be added back for other factors such as previous orders, length of time as a customer, etc. The merchant decides what point levels should be used to approve, reject, or review the order. The merchant can adjust these values based on trends and time of the year. Large merchants have built their own scoring model based on their historical data of fraud and charge backs. This very targeted model should catch more fraud, but requires additional time and/or money to implement the new software.
Check if multiple orders are placed shipping to the same address, but different credit cards were used. Check orders for an unusually high quantity of a single item. Thieves may have access to several stolen card numbers. Check if multiple orders are being sent from the same IP address. If the credit card numbers vary by only a few digits, it is very likely these numbers were generated by software. Identify users who repeatedly submit the same credit card number with different expiration dates. Often the crooks have the credit card number, but not the expiration date, so they will just keep submitting that number with a different expiration date until they hit the right combination. Most fraudulent orders in the US are made between midnight and 2 a.m.
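The point-based scoring and the order-pattern checks described above can be combined in one routine. The following is an added example, not code from any payment processor or from this article's sources; the point values, thresholds, field names and sample orders are all constructed assumptions, and `card_token` stands for a processor-issued token rather than the card number itself.

```python
from datetime import datetime

# Illustrative point values and thresholds (assumptions); a merchant tunes these.
POINTS = {
    "free_email": 10, "late_night": 10,
    "avs_mismatch": 25, "bill_ship_differ": 15,
    "large_amount": 15, "same_ship_to_different_card": 30,
    "same_card_different_expiry": 40, "many_orders_same_ip": 20,
}
REPEAT_CUSTOMER_CREDIT = 20          # points given back for prior good orders
LARGE_AMOUNT = 500.00
REVIEW_AT, REJECT_AT = 30, 60
FREE_EMAIL_DOMAINS = {"freemail.example"}   # constructed list

def velocity_flags(order, history):
    """Compare one order with earlier orders and return the patterns it matches."""
    flags = []
    same_addr = [o for o in history if o["ship_to"] == order["ship_to"]]
    if any(o["card_token"] != order["card_token"] for o in same_addr):
        flags.append("same_ship_to_different_card")
    same_card = [o for o in history if o["card_token"] == order["card_token"]]
    if any(o["expiry"] != order["expiry"] for o in same_card):
        flags.append("same_card_different_expiry")   # expiration-date guessing
    if sum(o["ip"] == order["ip"] for o in history) >= 2:
        flags.append("many_orders_same_ip")
    return flags

def score_order(order, history):
    """Return (score, decision, reasons) for one order."""
    reasons = velocity_flags(order, history)
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        reasons.append("free_email")
    if order["placed_at"].hour < 2:                  # midnight to 2 a.m.
        reasons.append("late_night")
    if not order["avs_match"]:
        reasons.append("avs_mismatch")
    if order["bill_to"] != order["ship_to"]:
        reasons.append("bill_ship_differ")
    if order["amount"] > LARGE_AMOUNT:
        reasons.append("large_amount")
    score = sum(POINTS[r] for r in reasons)
    if order.get("prior_good_orders", 0) > 0:        # points added back
        score = max(0, score - REPEAT_CUSTOMER_CREDIT)
    decision = "reject" if score >= REJECT_AT else "review" if score >= REVIEW_AT else "approve"
    return score, decision, reasons

def sample_order(**overrides):
    """Build a constructed sample order; every value here is made up."""
    base = dict(card_token="tok_A", expiry="12/30", ip="192.0.2.10",
                email="pat@shop.example", bill_to="1 Elm St 12345",
                ship_to="1 Elm St 12345", amount=40.0, avs_match=True,
                placed_at=datetime(2024, 5, 1, 14, 0), prior_good_orders=0)
    return {**base, **overrides}

HISTORY = [sample_order(expiry="01/29"), sample_order(expiry="02/29")]
RETURNING = sample_order(prior_good_orders=3, bill_to="9 Oak Ave 54321", amount=600.0)
GUESSING = sample_order(expiry="03/29", email="x@freemail.example",
                        placed_at=datetime(2024, 5, 2, 1, 15))

if __name__ == "__main__":
    print("returning customer:", score_order(RETURNING, []))
    print("expiry guessing:   ", score_order(GUESSING, HISTORY))
```

The returning customer trips two rules but is approved once points are added back for prior orders, while the third expiration date tried on the same token from the same IP address is rejected.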
There is a high correlation between IP addresses labeled as spam sources and credit card fraud. The web site http://www.all-nettools.com/ can be used to check IP addresses. SmartWhois finds information about an IP address or hostname, including country, state or province, city, name of the network provider, administrator, etc. Traceroute determines the path between your website and the person placing the order. It matches each machine along the path to a destination host and displays the corresponding name and IP address for that hop.
ANONYMOUS AND OPEN PROXY IP ADDRESSES:
Unfortunately, IP addresses can also be forged. These forged IP addresses hide the true location of the fraudster. Organized credit card fraud rings often use anonymous proxies. When a computer is infected by a virus, it can be used by spammers and credit card thieves to place fraudulent orders. A legitimate order could come from an infected computer. The IP address sent by the infected computer can be an open proxy IP address instead of their real IP address. The customer can visit the web site http://www.all-nettools.com or www.openrbl.org to check if the IP address their computer is sending to the Internet is an open proxy IP address.
CHECKING TELEPHONE NUMBERS:
The web sites at http://www.freeality.com/finde.htm and http://www.theultimates.com/ provide plenty of tools to match the telephone area code to a postal zip code, reverse telephone directories, search for email addresses, maps, directions, etc. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. The web site http://nt.jcsm.com/ziproundacx.asp also provides zip code and telephone area code matching. Any telephone book is out of date as soon as it is sent to the printer. The Baby Bells update as many as 500,000 records every day.
The Fast Charge Payment Gateway and Fraud Prevention:
Fraud and Risk Management (FRISK)
The proprietary FRISK risk management system from Fast Charge provides a sophisticated suite of fraud detection and prevention options. Each transaction submitted can be filtered through a comprehensive series of fraud detection rules to determine potential risk. Configuration of these rules is under your complete control using our user-friendly Online Merchant Center administration web site.
- Negative Account Blocking – Reject transactions from known fraudulent account numbers from over 65,000 merchants already using the FRISK system.
- Cramming Protection – Prevent the use of credit card or ACH number generating schemes by limiting the number of transactions allowed from a given IP address.
- Domain Blocking – Filter transactions by the Internet domain associated with the customer’s email address.
- Country Blocking – Filter transactions by the Internet domain associated with the customer’s country code.
- Prevent Duplicate Transactions – Track recent transactions to ensure the same transaction is not authorized more than once. This eliminates problems due to “double clicking” the transaction submit button as well as duplicate submittal of batch transactions.
- IP Activity Limit – Limit the number of accepted transactions from a given IP address.
- Large Transaction Notification – This feature examines the transaction amount after the transaction has been accepted. When the amount exceeds an amount specified by the merchant an e-mail is sent notifying the merchant that the amount has exceeded the threshold. The merchant can then review the transaction, refuse the sale before any products are shipped, and credit back the consumer at a later time.
- Address Verification (AVS) – AVS matches the known address information associated with the given credit card number against the billing address information provided by the user. If the information does not match, the transaction is declined. The merchant has the option of choosing the level of match required for an approved transaction.
- CVV2 – CVV2, or Card Verification Value 2, is a number that is printed, not imprinted, on Visa and Mastercard. This number is never transferred during card swipes and should only be known by the cardholder, the person holding the card in their hand.
- Reject Free Email Address – checks the e-mail address of the consumer against a database of free e-mail providers. Transactions in which the email domain of the consumer is in this database are declined.
If you would like more information on Fast Charge and preventing fraud you can call (800) 757-5453.