Best Practices for E-Commerce Merchants to Mitigate Fraudulent Transactions
1. SCREEN HIGHER RISK BOOKINGS
This practice can help you detect and prevent fraud before it happens. Be sure to screen bookings with such characteristics as:
- Email address from a free mail service, such as Hotmail, Yahoo, etc.
- Customers who refuse to provide proof of identification, such as the credit card and ID/driver's licence/passport requested by the merchant for verification
- Customers not registered on the merchant's registration page. If you have a proper registration page and a customer chooses not to register with you, this may be an indication that the customer does not want you to have any other contact with them after the sale has been fulfilled.
- Poor spelling & bad grammar
- FULL CAPITALS
- Shipping address is different to billing address. If the shipping address is different to the billing address, be wary, although it is not uncommon for people sending gifts to others to request a different shipping address, or for the billing address to be a post office box. You'll rarely find a fraudster sending goods to the legitimate cardholder's address. At the point of ordering, request a telephone contact number for your customer. State that you need this number in order to contact them if there are any problems. Many cardholders of compromised accounts have been alerted in this way. The fraudster definitely won't give you his/her own phone number, as he/she can then be traced! If you are unsure, email the customer or call them to confirm the authenticity of the transaction. Fraudsters hate merchant contact of any kind.
- Buyer’s name is different to the name on the credit card. Especially for large overseas orders and first-time customers, be wary if the customer’s name is different from the name on the credit card. In the event of a chargeback dispute, most merchants would find it hard to represent the case, as the bank will treat this as a confirmed chargeback under ‘unauthorised transactions’. Hence, you need to exercise extra caution when dealing with this type of customer.
- The nature of the goods ordered can be a giveaway, e.g. items that are easily converted to cash on the black market, such as electronics, jewellery, etc.
- Items that are ordered in unusual quantities and/or combinations. Unusually large web site orders requesting express delivery definitely warrant further investigation, especially if the customer has not purchased from you before, or if a customer places a very large order without any preference for size, colour, make or model. Customers are pretty cautious and will tend to place small orders in the first instance to test the efficiency and integrity of your online business, or they'll make some sort of contact with you prior to ordering.
- Orders greatly exceeding the average order value. For example, a $600 order is suspicious when the average order is only $60.
- Items easily available in the country the order is from. For example, why would someone order the latest Madonna CD from someone overseas when they could get it for less from a local supplier?
- A customer who provides more than one card to cover an order or a set of orders. Genuine wholesale buyers with an established business will most likely have a proper corporate credit card with sufficient credit balance. Even a sole proprietor would not give you a list of credit card numbers and ask you to try them all until one is charged successfully [with a few of the cards failing for various reasons, e.g. stolen card, card expired, do not honor, etc.]. This is a clear indication that the buyer may have obtained a list of credit card numbers and is simply trying his luck to get the orders delivered.
- An existing customer who suddenly - and unusually - orders a substantial volume of goods.
- BEWARE of people requesting 'Fastest Possible Shipping'. People experienced in online sales laugh at this one because it almost guarantees it's a fraudulent order. Sometimes the freight costs more than the item; the fraudster doesn't care because he/she is not the one who has to pay for it.
- BEWARE of orders from ‘HIGH RISK’ countries. Overseas orders are very risky, but an integral part of your online business. It is very difficult to retrieve goods or apprehend fraudsters once the goods have left the country. Make further enquiries with the credit card company if an order seems suspect. It might not be diplomatic to say DON'T SEND ORDERS TO THESE COUNTRIES, but many people experienced in online sales will tell you that is their policy. Listed in order of notoriety:
- Indonesia
- Nigeria
- Ghana
- Romania
- Ukraine
- Yugoslavia
- Lithuania
- Egypt
- Bulgaria
- Turkey
- Russia
- Pakistan
2. TRACK FRAUD BY TICKET SOURCE
This practice can help you identify your greatest areas of risk exposure, especially if you are in the airline and travel segment. When tracking fraud, compare it to the volume of tickets sold by source, such as the Internet, central reservations, ticket counters, and travel agencies.
3. QUEUE LARGE-VALUE BOOKINGS FOR FRAUD REVIEW
High-dollar transactions may increase your exposure to fraud and customer disputes. In the travel, seminar and airline industries, you can mitigate risk and its associated costs by reviewing this type of booking carefully before settling with your airline/business partner. For best results, queue large transactions for review and call the cardholders involved to verify booking data.
4. CAPPING TRANSACTION LIMIT & VELOCITY
For merchants, especially those in instant Internet downloadable services, such as VOIP, e-wallet and online gaming, and in mobile telecommunication services, such as ringtones and logos, which require customers to buy and top up credits, the following procedures MUST be considered to prevent unauthorized transactions:
- For first-time users, implement a capping system on the user account, either on the amount or on the velocity.
For example: for first-time user accounts, only allow a credit top-up to the account once every week, with a maximum of 2 transactions on that day, or twice per week, with a maximum of 1 transaction on each day. Other caps may be on the credit balance, for example: only allow $50 in every user account. You may set your own combination of caps depending on your business model, as long as the caps are low enough to mitigate the fraud risk. This practice helps deter fraudsters from taking advantage of your business, as they will find it harder to transact often on your site. For an account that has incurred a chargeback, you'll be more assured that the loss is minimal, and you can terminate the account.
- Request credit card and ID details from first-time users who request more frequent top-ups.
For users who insist that they want to top up more often, you may do further checks on your end by asking them to fax or email you a copy of their credit card (front and back) and ID details (IC/passport/driver's licence). Even though it is cumbersome, genuine customers would not be reluctant to give you this information, especially as this is done to protect their account. You can then proceed to adjust the capping for this account. On the other hand, a fraudster might refuse to give the details, simply because they do not have all the details. Even though credit card and ID details can sometimes be forged, a fraudster would find it a hassle to keep coming back to your site because of this process.
- Adjust the capping once you've hit a comfortable zone with the user account.
From a profitability angle, if there's no problem with the user account, you can set the system so that the capping is loosened to, say, top up 3 times a week, maximum 2 transactions per week, credit balance of maximum $100. Again, this is up to your judgment based on your business model. The advisable time to adjust the capping is 4-6 months after the original transaction. This is because accounts that are problematic due to chargebacks will already have surfaced 3 months after the initial transaction.
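The capping procedure above, sketched as an added example (not code from ENETS or from this page). The NEW_USER values are the page's first-time-user example; the TRUSTED tier, the 120-day probation and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Cap:
    days_per_week: int      # distinct top-up days allowed in any rolling 7 days
    tx_per_day: int         # top-ups allowed on one such day
    max_balance: Decimal    # ceiling on stored credit

NEW_USER = Cap(1, 2, Decimal("50"))    # once a week, 2 transactions that day, $50
TRUSTED = Cap(3, 2, Decimal("100"))    # assumed reading of the loosened example
PROBATION = timedelta(days=120)        # assumed: low end of "4-6 months"

@dataclass
class Account:
    first_topup: Optional[date] = None
    balance: Decimal = Decimal("0")
    topups: list = field(default_factory=list)   # dates of accepted top-ups
    terminated: bool = False

    def cap(self, today):
        aged = self.first_topup and today - self.first_topup >= PROBATION
        return TRUSTED if aged else NEW_USER

def record_chargeback(acct):
    """A chargeback terminates the account; the cap has bounded the loss."""
    acct.terminated = True

def try_topup(acct, amount, today):
    """Return (accepted, reason). The account changes only when accepted."""
    if acct.terminated:
        return False, "account terminated"
    if amount <= 0:
        return False, "invalid amount"
    cap = acct.cap(today)
    if acct.balance + amount > cap.max_balance:
        return False, "balance cap"
    week = timedelta(days=7)
    window = [d for d in acct.topups if timedelta(0) <= today - d < week]
    if window.count(today) >= cap.tx_per_day:
        return False, "daily transaction cap"
    if today not in window and len(set(window)) >= cap.days_per_week:
        return False, "weekly velocity cap"
    acct.topups.append(today)
    acct.balance += amount
    acct.first_topup = acct.first_topup or today
    return True, "ok"
```

Every refusal carries a reason, so support staff can tell a customer which cap was hit before starting the ID check described above.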
5. REQUEST IDENTITY INFORMATION
While consumers value their privacy and require quick web site ordering facilities, it is of the utmost importance that you gather sufficient customer identity details during the ordering process. The customer's name, credit card number and expiry date are not enough. Tell your customers why you need the information and what you will do with it - after all, it's in their best interests too. The fewer chargeback fees you have to pay, the cheaper you can offer goods and services. If you are unsure of an order, try asking for a faxed or scanned copy of both sides of the credit card, driver's licence, or Identification Card (IC). You can say that your bank requests you to verify identity to avoid embarrassment.
6. CONFIRM BANK DETAILS
If you are unsure of an order, call the credit card issuer and ask that they call their customer to confirm that it is an authorized use of the credit card. Even if the order has been processed through automated systems, it's not too late to follow up before shipping the goods or providing the services. The idea is to deal with the situation before the cardholder is issued a statement, notices something on it that they didn't purchase and then contacts their bank. If the customer is the one who gave you the issuing bank's number, double-check that number against a trusted source: a fraudster can forge the number and answer the call himself/herself to authorize the transaction.
7. ADDRESS VERIFICATION SYSTEMS
These systems check whether the address on the order is the same as that of the authorised user. For most fraudulent orders they are different. Whilst the fraudster may have stolen a credit card number or used software to generate a fake one, they are less likely to know the address of the owner of the card, so they make something up. Address Verification Systems are quite expensive and out of reach of most small businesses. They also don't work in Singapore due to privacy policy. However, you can still consider saying on your website that you are using such a system as a deterrent.
8. POST A WARNING MESSAGE (ANTI FRAUD POLICY)
Visual deterrents are still one of the most effective ways of minimizing crime. In a bricks and mortar store, signs and cameras do prevent shoplifting to some degree. Why not use the strategy on your site? Add bold notices to the checkout pages stating your stance on fraud and that systems are in place to monitor all transactions. Not only will this decrease attempts at fraud, but it will also demonstrate to your clients that you take transaction security very seriously.
"Company ABC and all its principal and affiliate companies will actively investigate and aggressively prosecute chargebacks or fraudulent use of credit cards on our site!"
As with anything else related to online business security, nothing is guaranteed 100% effective, but the above strategies will definitely assist in decreasing the amount of credit card fraud you experience, or help you track down credit card fraudsters.
On your order page you may want to consider warning people of the following security measures.
- You are logging I.P. addresses. (Even if you aren't, it’s a deterrent)
- You are using an address verification system. (Even if you aren't, it’s a deterrent)
- You don't accept orders from Indonesia or Nigeria. (You can be diplomatic and say it's due to difficulties with shipping)
9. VERIFY CHARGING INFORMATION
If you are unsure of an order, advise the customer that you require them to contact their credit card provider and request the exact time that the order was processed. Again, you can say your bank requires you to do this to avoid embarrassment. Credit card companies require callers to identify themselves before releasing that information. Therefore, to get it, the customer would have had to get through the credit card company's security checks. If you don't hear back from the customer, it's likely it was a fraudulent order. If they do get back to you with a time, you can cross-check that with the time you put the order through.
10. REQUEST SIGNATURE ON DELIVERY & ONLY DELIVER TO LEGITIMATE ADDRESS
Be firm with the shipping company (DHL, TNT, etc.) and request that only the actual buyer/cardholder sign for the delivery. In the event of a chargeback dispute, the correct signature on the delivery order will give the merchant a strong chance to contest the case. Do not deliver to addresses other than an office or residence, such as Post Office (P.O.) boxes, car parks, vacant premises or Care Of (c/o) addresses.
11. RECORD FRAUDULENT ORDERS
Fraudsters are notoriously persistent in trying to place orders at the same sites; just because they didn't get through the first time certainly won't stop them trying their luck again and again. Ideally, your website will store the details of orders you have previously identified as fraudulent, so that if someone tries to place another order with the same IP address, credit card number, name or delivery address, your website will automatically identify them.
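One way to keep such a record, as an added example (not part of the original page): the four identifiers named above are normalised and stored as keyed fingerprints, so the fraud list never holds a raw card number. The class, function names, HMAC key handling and sample orders are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

FIELDS = ("ip", "card_number", "name", "delivery_address")

def normalize(field, value):
    """Canonicalise so edits to case, spacing or punctuation still match."""
    v = value.strip().casefold()
    if field == "card_number":
        return re.sub(r"\D", "", v)              # keep digits only
    if field == "ip":
        return v
    return re.sub(r"[\W_]+", " ", v).strip()     # name / delivery address

class FraudRegistry:
    def __init__(self, key: bytes):
        self._key = key        # secret held outside the order database (assumed)
        self._seen = set()     # {(field, fingerprint)} from confirmed-fraud orders

    def _fingerprint(self, field, value):
        msg = f"{field}:{normalize(field, value)}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record_fraud(self, order):
        """Call once an order has been identified as fraudulent."""
        for f in FIELDS:
            if order.get(f):
                self._seen.add((f, self._fingerprint(f, order[f])))

    def matches(self, order):
        """Fields of a new order that also appeared on a recorded fraud order."""
        return [f for f in FIELDS
                if order.get(f) and (f, self._fingerprint(f, order[f])) in self._seen]

# Constructed sample orders (test card number, documentation IP ranges).
FRAUD_ORDER = {"ip": "203.0.113.7", "card_number": "4111 1111 1111 1111",
               "name": "John Q. Sample", "delivery_address": "12 Example Road, #04-01"}
RETRY_ORDER = {"ip": "198.51.100.20", "card_number": "4111-1111-1111-1111",
               "name": "Jane Sample", "delivery_address": "12 EXAMPLE ROAD  #04-01"}

if __name__ == "__main__":
    registry = FraudRegistry(key=b"constructed-demo-key")
    registry.record_fraud(FRAUD_ORDER)
    print(registry.matches(RETRY_ORDER))
```

A non-empty result is a reason to queue the order for manual review; shared IP addresses and common names will produce some matches on legitimate orders.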
12. TRAIN YOUR STAFF
Whatever procedures you put in place to prevent fraud, make sure that the appropriate staff are trained in them. It's advisable to have them written down as a manual and easily accessible.
13. IF YOU ARE NOT SURE, DON'T DO IT
If after doing all your checks you are still unsure, then it's better to politely decline the order and lose the sale rather than run the risk of losing your stock to thieves.
14. REQUIRE WEBSITE MEMBERSHIP
By requiring customers to become members of your Web site service, you can collect additional customer data that can help you assess risk. When establishing member profiles:
- Verify the customer data that you collect before you store it
- Ensure that strong security measures, such as secure data storage and limited employee access, are in place to protect sensitive customer data
15. REQUIRE PASSWORD TO BOOK AWARD TRAVEL
If you are in the travel industry and offer award travel programs, you need to protect your customers and your airline from unauthorized use of award miles. By requiring customers to use a password or Personal Identification Number (PIN) to access and select award travel, you can tighten control of benefits distribution.
16. LOCK OUT ACCOUNT ACCESS
Lock out account access after multiple failures to enter the correct password. A website visitor with several incorrect password entries may be an indicator of risk. For example, a criminal could be trying to guess a legitimate customer's password and gain unauthorized access to the customer's account. You can control this risk by locking out account access after a certain number of incorrect password attempts.
- Determine the number of incorrect password attempts - for example, five unsuccessful attempts will automatically lock out access to personal account information
- Establish a method for legitimate customers to verify their personal security information and regain access to their accounts after they have been locked out
- Use an automated e-mail message to inform the legitimate customer of the lock out and the method for regaining account access
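The three lockout steps above in one place, as an added example (not part of the original page). The five-attempt threshold is the page's example; the class name, the one-time unlock code as the verification method, and the `check_password` and `send_email` callables are assumptions standing in for your own systems.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5   # the page's example threshold

class LoginGuard:
    def __init__(self, check_password, send_email):
        self._check = check_password   # callable(user, password) -> bool (assumed)
        self._send = send_email        # callable(user, message) (assumed)
        self._failures = {}            # user -> consecutive failed attempts
        self._unlock = {}              # locked user -> SHA-256 of the unlock code

    def is_locked(self, user):
        return user in self._unlock

    def login(self, user, password):
        if self.is_locked(user):
            return "locked"            # even the correct password is refused
        if self._check(user, password):
            self._failures.pop(user, None)   # success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count < MAX_FAILURES:
            return "denied"
        # Lock the account and tell the legitimate customer how to regain access.
        code = secrets.token_urlsafe(32)
        self._unlock[user] = hashlib.sha256(code.encode()).digest()
        self._send(user, f"Your account was locked after {count} failed "
                         f"sign-ins. Unlock code: {code}")
        return "locked"

    def unlock(self, user, code):
        """Verify the emailed one-time code and restore access."""
        expected = self._unlock.get(user)
        given = hashlib.sha256(code.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        del self._unlock[user]
        self._failures.pop(user, None)
        return True
```

Only a hash of the unlock code is kept and the comparison is constant-time, so a leaked lockout table does not hand out working unlock codes.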
17. ALLOWANCE ON 3RD-PARTY SALES
Especially if you are in the airline or ticketing industry, determine whether or not to allow third-party sales and establish appropriate policies. Allowing third parties to purchase travel for passengers increases sales, but also increases risk. For example, a criminal could use the information from a legitimate card to obtain a ticket in his or her own name.
- If you decide to allow third-party sales through the Internet, establish policies to protect your business from risk - for example, you might require third-party purchasers to have the same surname as the passenger or to accompany the passenger during the travel.
- If you decide not to allow the third-party sales through the Internet, establish procedures to direct third-party purchasers to your physical sales offices.
18. CAPTURE AND RETAIN IP ADDRESSES
It is important to know the IP addresses of the Internet Service Providers (ISPs) from which your customers make purchases. With a database of these addresses, you can develop fraud-screening tools based on transaction characteristics. An I.P. address is what identifies users on the Internet. It doesn't tell you their name or address, but it certainly tells you what country they are from, and that's enough to assist with fraud prevention. Websites log the I.P. address of visitors, and ideally your website should check that the country of the person placing the order corresponds with the address that they say they have. This would detect an order which says it is being placed by someone in the US but is actually entered by someone in Nigeria with a stolen credit card.
19. DISPLAY YOUR CHANGE FEE POLICY AND PRICING
You can reduce customer inquiries and disputes by informing your customers in advance of the terms and conditions of your change fee policy and the amounts of fees that will be assessed if bookings are changed. This information should be prominently displayed on your Web site so that customers can review it before purchase.
20. DISPLAY REFUND RULES ON ORDER AND CONFIRMATION PAGES
This practice can help you preserve customer relations in cases where customers cancel their booking. By showing refund rules on your confirmation page, you can educate your customers about the refund policy prior to purchase and then reinforce this policy after the booking has been made.
21. ISSUE CANCELLATION CODE TO THE CARD HOLDER
In accordance with the Visa reservation service requirements, you must provide a cancellation number when a reservation is properly cancelled. Always advise the cardholder to retain the cancellation code.
22. ISSUE E-TICKETS AND ENSURE RISK CONTROL
In the airline industry, e-tickets enable you to lower processing costs while meeting the needs of Internet users seeking greater convenience. It is a good business practice to use e-tickets in all eligible markets unless there is a ticket on another carrier that does not offer this option. However, since e-tickets are not mailed to the billing address, they create a higher level of risk exposure than traditional paper tickets. You can control this risk by requiring the customer at the time of travel to present the Visa card that was used to purchase the e-tickets.
23. PRESENTATION OF CREDIT CARD AT THE TIME OF EVENT/TRAVEL
Whether you are in the airline or the seminar business, determine whether or not to require a credit card to be presented at the time of the event. You can effectively manage risk by asking customers at the time of travel to present the credit card that was used to purchase tickets through the Internet. However, this practice can lead to extreme dissatisfaction among customers who do not carry the card or are not aware of the policy.
- If you decide to require credit card presentment, be sure that this policy is clearly communicated to customers at the time of ticket reservation and purchase
- If you decide not to require credit card presentment, use other fraud-screening procedures instead - for example, you might want the customers at the time of the event to present identification with an address that matches the billing address.
24. BE ACCESSIBLE ABOUT YOUR BUSINESS LOCATION
To mitigate chargeback disputes, DISCLOSE your business address, contact number, fax number and email address. If customers can reach you to have their questions answered about products, they are less likely to be dissatisfied when the order arrives.
Contents provided by ENETS Singapore. To sign up for ENETS payment modules, please contact www.efusiontech.com