  1. #1
    SitePoint Evangelist hessodreamy's Avatar

    How to protect your company against fraudulent transactions online - any tips?

    My company processes 100-250 online transactions per day. Our payment processor gives us a certain element of address validation - it simply checks if the cardholder address provided in the transaction is correct for the account.

    However, given the nature of our customer base (a lot of businesses and tradesmen), it's very common that even if the 'cardholder' address checks out, it won't be where the goods are being delivered, or even where the invoice is going. As such the cardholder address verification doesn't protect us against fraud.

    I've looked into other address/person checking services, and all any of them will do is tell you whether a person lives at a certain address. But consider the following situations:

    - Customer wants the goods delivered to their work address, or a friend or relative
    - Customer is a tradesman getting the goods delivered to the job address
    - Customer works in a large company, uses a corporate card and is getting the goods and invoice sent to addresses that aren't the same office as the card is registered

    How are you supposed to deal with these situations in any kind of automated or formalised way? Right now it's a person looking at it, using their judgement, researching the customer, maybe contacting them. It's a time-consuming process and we definitely flag up many legitimate orders as possibly fraudulent.

    Ruling out 3d secure for the moment, I was wondering what processes or services other people are using because I'm sure it shouldn't be as hard as this?

  2. #2
    TechnoBear's Avatar
    This probably doesn't help at all, but I've encountered more than one company which stipulate that first orders can only be delivered to the card-holder's address. For subsequent orders, you can choose an alternative delivery address.

  3. #3
    SitePoint Evangelist hessodreamy's Avatar
    Quote, originally posted by TechnoBear:
        This probably doesn't help at all, but I've encountered more than one company which stipulate that first orders can only be delivered to the card-holder's address. For subsequent orders, you can choose an alternative delivery address.

    I've seen that before, too. But to be honest I think that would put a lot of our customers off.

  4. #4
    SitePoint Member
    Use maxmind.com. It really, really helped us in preventing fraud orders. There is an extension that allowed us to use it directly with our backend (Magento).

  5. #5
    SitePoint Evangelist hessodreamy's Avatar
    Quote, originally posted by hertzberg:
        Use maxmind.com. It really, really helped us in preventing fraud orders. There is an extension that allowed us to use it directly with our backend (Magento).

    Cheers. However, I'm in the UK so I don't think they'll work for us.

  6. #6
    SitePoint Evangelist hessodreamy's Avatar
    Yes, our payment service will check if the card has been reported stolen. But fraud still occurs in the space between the card being stolen and theft being discovered/reported (otherwise the crooks wouldn't do it!), which led us to other methods.

    Yes, our payment service will check the address for us, but how about the scenarios above where goods/invoices are going to addresses other than the card address? Address checking only gets us so far and I wondered what other online sellers did to protect themselves against fraud while still allowing honest people to get their goods delivered to their work address? Let's assume that if an order is being shipped to an address that the bank confirms as the card address, that we accept the order. Now how about the others?

    Are other companies making sure first orders are shipped to the card address? Are you allowing the order if the buyer at least knows what the card address is? Are you setting a value limit and allowing all orders below a certain value? Are you using services like MaxMind that monitor lots of card payments and IP addresses to identify fraud?

  7. #7
    SitePoint Wizard silver trophy
    What sort of fraud rates are you currently seeing? In what category [electronics, household, apparel, etc]?
    - Ted S

  8. #8
    SitePoint Evangelist hessodreamy's Avatar
    Well, fraud rates are pretty low at the moment. But we're turning away a lot of orders because of suspected fraud, as well as spending way too much time vetting the orders. So I don't know what the fraud rate would be if we accepted everything.

  9. #9
    ♪♪ ♪ ♪ ♪ ♪♪ ♪ ♪♪ Markdidj's Avatar
    How about sending the cardholder an automated text to just let them know a transaction has been made, or a PIN to authorise the transaction? You can get them quite cheap. www.cbfsms.com does it (fish2text or something).

  10. #10
    SitePoint Enthusiast ubservers's Avatar
    Or maybe you can use automated phone verification systems?

    We also use Maxmind. One thing that significantly lowers the fraud rate is by not having a payment gateway on your own website. That way, you are not the one who is in charge of the transactions. You are still responsible for the transaction itself if you use a third party payment option, but they do the fraud monitoring for you and block more fraud than any payment gateway that I had on a website, even when I used 3-D secured.

    But 3-D secure remains extremely useful, why would you not want to use it?

  11. #11
    SitePoint Member
    Agree on Maxmind - they check the IP address as well as checking for proxies, high risk IPs etc. We partner with Maxmind to help our merchants... and I believe their database is international - we've blocked IPs from non-US locations before. I am not sure what data sources are available in the UK, maybe your best bet is to try to automate the processes as much as possible, instead of doing everything manually?

    As for 3D secure - I've heard that it's a big hurdle that many customers just don't want to jump through. At least here in the US, the adoption rates have been pretty low.

  12. #12
    SitePoint Enthusiast ubservers's Avatar
    Quote, originally posted by boonodoh:
        As for 3D secure - I've heard that it's a big hurdle that many customers just don't want to jump through. At least here in the US, the adoption rates have been pretty low.

    I think any merchant who has his own payment gateway on his website must have 3-D Secure to avoid fraud, or else you can get targeted by fraudsters quite quickly once they find out your website is vulnerable. And I'm not really sure if there really is any problem with adoption rates, as it's written in the "3-D Secure Payer Authentication" thread.

  13. #13
    SitePoint Wizard silver trophy
    Quote, originally posted by ubservers:
        I think any merchant who has his own payment gateway on his website must have 3-D Secure to avoid fraud, or else you can get targeted by fraudsters quite quickly once they find out your website is vulnerable. And I'm not really sure if there really is any problem with adoption rates, as it's written in the "3-D Secure Payer Authentication" thread.

    Any step added to your shopping process is going to increase abandonment. Validation can be a minimal impact or a significant one just depending on the type of audience you have shopping and their response to the extra information request and very different style site.

    All businesses experience fraud, that's just reality. You can reduce the rates many ways but the further you go the higher the impact will be to your sales thus the great question: how much business are you willing to lose vs how much you can save.
    - Ted S

  14. #14
    SitePoint Enthusiast ubservers's Avatar
    That's true, however online fraud is on the rise, as it could be expected.

    That is, if merchants who have their own payment gateway have just a bit too many disputes/chargebacks, they are going to face fees and risk having their account closed. For all online merchants who have an abnormally high number of fraudulent transactions, the best decision might end up being to minimize the risk.

  15. #15
    SitePoint Wizard silver trophy
    beley's Avatar
    We use a software fraud detection service (MaxMind) but we review all orders for fraud manually as well, and we have not lost a chargeback in over 5 years. (We've had a few, but they were customers who didn't feel like following our policies; we disputed and won.)

    Here are some of the criteria we look for in our store, if you see any of these you should look for more information to further validate the order because there's a high probability of fraud:

    • Small order with extremely high shipping cost
    • Order with different sized items (i.e. size Small shirt and size Large shirt in the same order)
    • Different billing / shipping address
    • Different billing / shipping country
    • IP address does not match billing or shipping city (you can use GeoBytes to locate IP addresses)
    • Extremely large order
    • Phone number that does not match billing or shipping city (reverse phone to look up)

    If you notice any of these things, look at some of the others like IP address and phone number to try to verify further. When we have an order that has a high fraud score through MaxMind and also fails a few of the criteria above, we send the customer an email asking for them to call us. When they call we ask them for clarification.

    If, for instance, their IP address doesn't match the billing or shipping city we'll simply say something like "our fraud detection software marked this order - is there any reason it might have done that?" or "is there any reason our fraud detection would say you're not where you live?" something like that.

    After 13 years I've found that most "scammers" won't call you and explain - they're just looking for a quick and easy transaction. But if we're still uneasy we simply ask them to fax or email us a copy of their photo ID and credit card showing the same name - the one used on the order. They can snap it from their camera phone and blur or hide most of the number, as long as we can make out the last 3 or 4 digits and the name that's all we need.

    It's a hassle but most customers understand... and it happens very rarely. And again, in all these years we've never had one slip through the process so it works! Hope that helps a bit...
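
Added example, not part of the post above and not any poster's own code: one way to formalise that checklist so that a lone mismatch (the tradesman's job-site delivery from the first post) passes, while several flags together with a high external score trigger the "ask the customer to call" step. All thresholds, field names, the 0-100 score scale and the three outcome labels are assumptions.

```python
from dataclasses import dataclass

# All thresholds are assumptions for illustration; tune them on your own order history.
SHIPPING_RATIO_MAX = 1.0    # shipping costs more than the goods themselves
LARGE_ORDER_TOTAL = 2000.0  # "extremely large" for this hypothetical store
HIGH_SERVICE_SCORE = 70     # hypothetical 0-100 score from an external fraud service
MIN_FLAGS = 2               # "fails a few of the criteria"

@dataclass
class Order:
    items: list         # (product, size, price) tuples
    shipping_cost: float
    billing: dict       # {"street": ..., "city": ..., "country": ...}
    shipping: dict
    ip_city: str        # result of an IP geolocation lookup done elsewhere
    phone_city: str     # result of a reverse phone lookup done elsewhere
    service_score: int

def flags(o: Order) -> list:
    """Return the names of the checklist criteria this order trips."""
    goods = sum(price for _, _, price in o.items)
    cities = {o.billing["city"].lower(), o.shipping["city"].lower()}
    sizes = {}
    for product, size, _ in o.items:
        sizes.setdefault(product, set()).add(size)
    checks = {
        "high_shipping_small_order": goods > 0 and o.shipping_cost / goods > SHIPPING_RATIO_MAX,
        "mixed_sizes": any(len(s) > 1 for s in sizes.values()),
        "address_mismatch": o.billing != o.shipping,
        "country_mismatch": o.billing["country"] != o.shipping["country"],
        "ip_city_mismatch": o.ip_city.lower() not in cities,
        "large_order": goods > LARGE_ORDER_TOTAL,
        "phone_city_mismatch": o.phone_city.lower() not in cities,
    }
    return [name for name, hit in checks.items() if hit]

def triage(o: Order) -> str:
    """One flag alone (e.g. delivery to a job site) never holds an order."""
    hits = flags(o)
    if len(hits) < MIN_FLAGS:
        return "accept"
    return "contact_customer" if o.service_score >= HIGH_SERVICE_SCORE else "manual_review"

# Constructed sample orders (not real data).
HOME = {"street": "1 High St", "city": "Leeds", "country": "GB"}
TRADESMAN = Order([("drill", None, 120.0)], 8.0, HOME,
                  {"street": "9 Mill Lane", "city": "Leeds", "country": "GB"}, "Leeds", "Leeds", 20)
SUSPICIOUS = Order([("shirt", "S", 15.0), ("shirt", "L", 15.0)], 60.0, HOME,
                   {"street": "5 Example Rd", "city": "Othertown", "country": "ZZ"}, "Thirdtown", "Leeds", 85)
```

Logging the list returned by `flags()` alongside each decision gives whoever phones the customer the specific mismatch to ask about.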

  16. #16
    SitePoint Member
    Here in the US, I know at least one company that will insure physical goods shipped out (you send them all the info, then they'll tell you whether you'll insure or not). We have merchants who use them to insure international shipping (especially high ticket transactions). I am not sure if they are available for transactions originating outside of US, but maybe you can find a similar service in the UK.

  17. #17
    SitePoint Member
    Have you considered getting a phone verification service? It’s an extremely powerful tool to protect e-merchants against online fraud.
    Last edited by Ted S; Dec 7, 2012 at 14:06. Reason: promotion removed

  18. #18
    Non-Member
    I agree with Micheal. Phone verification will definitely protect you against fraud.

  19. #19
    SitePoint Wizard silver trophy
    Quote, originally posted by robert.duhamel:
        I agree with Micheal. Phone verification will definitely protect you against fraud.

    So will only taking orders by phone... or in person. You have to weigh the cost vs the return.
    - Ted S

