This quarter I will be continuing the synopsis of Visa's study and findings last year on the recommended practices for conducting sales over the Internet. In any non-face-to-face sales environment there is a certain amount of fraud risk involved, but e-commerce presents its own set of inherent dangers that MO/TO (mail order/telephone order) merchants do not normally encounter.
Before accepting credit card payments over the Internet, a merchant should ensure that its authorization request process is secure and efficient. This protects the merchant from accepting payment for merchandise and finding out later that the card was used fraudulently or that the cardholder did not have sufficient funds available for the transaction.
Some cost-effective authorization practices suggested are: internal screening techniques (for example, flagging sales from high-risk locations, or checking orders against an internal fraud avoidance file); using both the AVS (Address Verification Service) and CVV2 (Card Verification Value 2) responses returned in the Issuer's authorization; and using a third-party scoring service. Authorizations should be performed in real time through a secure Internet gateway (such as the PayStream gateway, www.paystream.net), which reduces both the risk of fraud and the lost sales that result when a problem with the transaction is only discovered later. The gateway should also set the ECI (Electronic Commerce Indicator), which is required for all e-commerce transactions and helps to eliminate referral responses.
Once the processor approves the transaction, the gateway should send an e-mail confirmation of the sale to the cardholder. This gives the buyer the details of the transaction and also lets the merchant test the validity of the cardholder's e-mail address. Order decline rates should also be tracked daily, separating orders declined by the card issuer from orders declined internally because of suspected fraud. This helps to raise approval rates and to uncover problems in the authorization process.
If the merchandise is backordered and must ship more than 7 days after the initial authorization was obtained, a new authorization should be sought; Visa regulations require this practice to reduce chargeback risk. If only part of an order can be shipped, the original authorization should be reversed and a new authorization obtained for the amount actually shipped.
As an Internet merchant becomes more successful, its fraud risk increases, and certain risk management practices should be adopted to reduce it. A formal fraud control group or division can be formed to detect and prevent fraud. This group should work closely with the chargeback group, coordinating efforts to improve fraud prevention techniques and to track fraud control performance. Another good practice is to maintain an internal fraud avoidance file, which protects against repeat fraud by the same individual. This file should hold all of the key information from each fraudulent transaction, including the name, address, phone numbers and card account number, and incoming transactions should be screened against it so that further attempts to defraud by the same individual are declined.
The AVS (Address Verification Service) protocol used by both Visa and MasterCard is another highly useful fraud avoidance tool. The basic assumption behind AVS is that, most of the time, a person attempting fraud with compromised card information will not also have the legitimate cardholder's billing address (normally the home address). The AVS check is performed when the gateway includes an AVS request in the authorization request; the issuer compares the numeric part of the street address and the ZIP code supplied with the billing address it has on file and returns one of the response codes listed below.
There are three types of response: a full match, a partial match, or a total mismatch. Once AVS is part of the authorization process, a pop-up screen should inform the merchant of failures. Because a real-time gateway is used, a failure can also prompt further questions to the customer (such as "Did you move recently?" or "Is this your billing address?"), and the customer should be allowed to re-enter the address up to two more times after an initial failure. If failures continue after those two retries, the customer should be locked out and the transaction reviewed, and perhaps added to the fraud avoidance file. Even partial matches should be reviewed for possible fraud. In the case of a mismatch or partial match, the merchant can take several further steps to establish the legitimacy of the sale: call or e-mail the prospective customer, contact the card-issuing bank for verification, or use directory assistance to check the prospective customer's billing address. Third-party fraud screening services, such as Cybersource, can also be used.
Source: Visa Electronic Commerce Risk Management
Possible AVS Responses
Y - Yes, or exact match on street address and ZIP code
A - Street address matches but ZIP code does not
Z - ZIP code matches but street address does not
U - Address unavailable, or Issuer does not support AVS
R - System unavailable, retry later
N - No, or total mismatch
Hints to avoid Fraud
Treat the following as high risk and submit them to closer fraud examination:
1. High-risk shipping addresses, such as P.O. Boxes, prisons, hospitals, motels, and areas of the country known for fraud risk.
2. Anonymous e-mail accounts: e-mail from unknown ISPs as opposed to the larger, well-known ISPs.
3. Non-U.S. transactions: these cannot be screened by AVS.
4. High dollar purchases.
5. New or unregistered customers.
6. Any AVS or CVV2 partial or total mismatch.
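The following Python is an added example of how the AVS response handling described above (retry up to two more times, then lock out and record in the fraud avoidance file), the fraud avoidance file screening, the high-risk indicators in the hints list, and the 7-day reauthorization rule fit together in one order-screening routine. It is not Visa's, PayStream's or the newsletter's code. The dollar threshold, the list of "well-known" ISP domains, the fields used to match the fraud avoidance file, and the decision labels (approve, retry_address, review, decline) are all assumptions made for the example; the sample order in the demo is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# AVS response classes, using the codes from the table above.
AVS_FULL = {"Y"}
AVS_PARTIAL = {"A", "Z"}        # street address or ZIP matched, not both
AVS_UNAVAILABLE = {"U", "R"}    # issuer does not support AVS, or system down
AVS_MISMATCH = {"N"}

MAX_AVS_ATTEMPTS = 3            # initial entry plus two re-entries
REAUTH_AFTER_DAYS = 7           # re-authorize if shipping later than this
HIGH_DOLLAR_THRESHOLD = 500.00  # assumption: the text gives no figure
HIGH_RISK_SHIP_TERMS = ("p.o. box", "po box", "prison", "hospital", "motel")
WELL_KNOWN_ISPS = {"aol.com", "earthlink.net", "msn.com"}  # constructed sample list


@dataclass
class Order:
    card_number: str
    name: str
    phone: str
    email: str
    ship_address: str
    country: str
    amount: float
    new_customer: bool
    avs_response: str   # code returned by the issuer, e.g. "Y", "A", "N"
    cvv2_match: bool    # True if the issuer reported a CVV2 match


@dataclass
class FraudAvoidanceFile:
    """Key details of past fraudulent orders, screened against every new order."""
    entries: list = field(default_factory=list)

    def add(self, order: Order) -> None:
        self.entries.append(order)

    def matches(self, order: Order) -> bool:
        # Assumed matching rule: same card, same phone, or same name at same address.
        for e in self.entries:
            if (e.card_number == order.card_number
                    or e.phone == order.phone
                    or (e.name.lower() == order.name.lower()
                        and e.ship_address.lower() == order.ship_address.lower())):
                return True
        return False


def risk_flags(order: Order) -> list:
    """Apply the high-risk indicators from the hints list; returns the reasons hit."""
    flags = []
    address = order.ship_address.lower()
    if any(term in address for term in HIGH_RISK_SHIP_TERMS):
        flags.append("high-risk shipping address")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain not in WELL_KNOWN_ISPS:
        flags.append("anonymous e-mail account")
    if order.country.upper() != "US":
        flags.append("non-U.S. transaction, not screened by AVS")
    if order.amount >= HIGH_DOLLAR_THRESHOLD:
        flags.append("high dollar purchase")
    if order.new_customer:
        flags.append("new or unregistered customer")
    if order.avs_response in AVS_PARTIAL:
        flags.append("AVS partial match (%s)" % order.avs_response)
    if order.avs_response in AVS_UNAVAILABLE:
        flags.append("AVS unavailable (%s)" % order.avs_response)
    if not order.cvv2_match:
        flags.append("CVV2 mismatch")
    return flags


def screen_order(order: Order, faf: FraudAvoidanceFile, avs_attempt: int = 1):
    """Return (decision, reasons); decision is approve, retry_address, review or decline."""
    if faf.matches(order):
        return "decline", ["matches fraud avoidance file"]
    if order.avs_response in AVS_MISMATCH:
        if avs_attempt < MAX_AVS_ATTEMPTS:
            # Real-time gateway: ask "Is this your billing address?" and let the
            # customer re-enter it, up to two more times after the first failure.
            return "retry_address", ["AVS total mismatch on attempt %d" % avs_attempt]
        faf.add(order)          # lock out and record for future screening
        return "decline", ["AVS total mismatch after %d attempts" % avs_attempt]
    flags = risk_flags(order)
    if flags:
        return "review", flags  # manual check: call/e-mail customer, contact issuer
    return "approve", []


def needs_reauthorization(authorized_at: datetime, ship_at: datetime) -> bool:
    """Backorders shipping more than 7 days after the original authorization."""
    return ship_at - authorized_at > timedelta(days=REAUTH_AFTER_DAYS)


if __name__ == "__main__":
    faf = FraudAvoidanceFile()
    order = Order("4111111111111111", "Jane Doe", "555-0100", "jane@aol.com",
                  "12 Elm St, Springfield", "US", 120.00, False, "N", True)
    for attempt in (1, 2, 3):
        print(attempt, screen_order(order, faf, avs_attempt=attempt))
```

The attempt counter is kept by the caller because the gateway session, not the screening rule, knows how many times the customer has re-entered the address; once the third attempt fails, the order's details are written to the fraud avoidance file, so a later order on the same card is declined before any authorization is attempted.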
What is CVV2?
CVV2 (Card Verification Value 2) is a 3-digit code printed on the back of all newer Visa cards. It is not embossed and not encoded on the magnetic stripe, so by supplying it in a MO/TO or Internet transaction the cardholder demonstrates that they have the physical card in hand; note that a CVV2 match shows only that the buyer knows a value visible on the card, not that the buyer is the cardholder.
Merchants that submit CVV2 with their authorization requests gain protection from fraud-related chargebacks.
VPAS- The NEW Internet Security Tool
VPAS (Visa Payer Authentication Service) is the latest online security mechanism released by Visa International to combat online credit card fraud. In the physical retail world, merchants are practically guaranteed the funds from their card transactions, primarily because the customer is authenticated during the approval process. When the merchant physically swipes the card through the terminal's magstripe reader, the sale qualifies as "Visa CPS Retail", and because the merchant is assumed to compare both the signatures and the embossed account numbers, the cardholder is considered "authenticated".
Until now, no such authentication method existed for the Internet merchant. VPAS allows a merchant to verify the cardholder's identity through passwords and encryption, and in doing so gives it payment guarantees similar to the retail merchant's. Both the merchant and the customer have to be enrolled in the program. The cardholder registers the card account number and expiration date at an Issuer (i.e. card-issuing bank) VPAS enrollment site, where the Issuer encrypts the data and issues a password. An online merchant who wishes to participate registers the computer platforms and server software it uses with its acquiring bank, and then receives software modules that allow it to participate.
When a registered cardholder makes a purchase from a VPAS-enabled merchant, VPAS contacts the card-issuing bank, which identifies the account number and authenticates the cardholder against the password issued at enrollment.
Source: Visa Directions