Small E-Stores Avoid Credit Card Fraud

By Adam Stone | Posted December 23, 2003

Credit card fraud literally killed Raymond Attipa's online business.

As the proprietor of topautoparts.com he saw fraudulent charges run as high as $35,000 in a single year, about 25 percent of the site's total income. "I found fixes, but there definitely was not one solution to fix it," said Attipa, who shut down the site about half a year ago.

Experts say it does not have to be that way. While the use of fraudulent credit cards is rampant online, it still is possible for the small e-business owner to put in place meaningful safeguards. To do so requires a careful mix of human and mechanical safeguards.

Mix and Match Mechanisms
At GiftCertificates.com, for instance, Michael Ness takes the threat of fraud seriously. As director for corporate security and risk management he has in place a policy whereby staff members review all transactions looking for suspicious behavior. "If you have someone making a $25 purchase, and they want to spend the extra $10 or $15 to have that shipped overnight, that to me is suspicious," he said.

At the same time, the site's order-processing mechanism is set to detect possible fraud automatically. If for example an order is placed from an IP address whose physical location does not match the billing address, that order will be flagged as suspicious.

Many security pros say this mix of hands-on detection and automatic oversight gives a merchant the best odds against credit card abuse. Nor does such an approach need to be especially complicated or labor-intensive. In fact, it can something as simple as an e-mail receipt.

Subtle Verification Systems
The Merchant Risk Council, a not-for-profit association of online retailers, suggests that every online purchase be concluded with an e-mail receipt, which can be generated automatically. If the e-mail bounces back, a live representative can follow up to make sure the order is legitimate. If the e-mail goes through and the client says he or she never placed the order, it is possible to cancel the order and flag the credit card information as suspect.

Then there are the standard procedures. Before giving up his site, for example, Attipa implemented a policy of only shipping items to the credit card's billing zip code. But that was not enough. "They would find a credit card that matched their zip code, so the only difference would be their street address. So we would ship it out and we would get bit in the end," he lamented.

In fact, few merchants have been able to claim total success in the fight against fraud. It might help if the credit card companies themselves would step up with a solution — and in fact they are.

Thwarting Risky Transactions
A Visa-authenticated payment program called 3D Secure is presently in development. The program verifies that the consumer and the merchant are both authorized to use and accept credit cards. Customers have to enroll in the program and establish a password, which they then use to authenticate themselves online. Pilot efforts using the protocol are running throughout North America and Europe.

It's not a perfect system. After all, it requires both merchant and consumer to enroll, thus adding an extra step to the purchase process for first-time users. On the plus hand, participation in the program also takes all the risk off of the merchant's shoulders, explained John C. Gould, director of consumer lending and bankcards for the financial-industry consulting firm TowerGroup.

Right now a merchant who accepts a fraudulent credit card will have to eat the cost of the transaction if the legitimate cardholder demands a refund. For those who take part in 3D Secure, however, the credit card companies will let it slide. "The merchants should all be doing this. They are crazy not to do it," said Gould.

For those not already involved in 3D Secure, there are other ways to avoid the wrath of Visa. Stay in touch with Visa and the other credit card associations that track fraudulent numbers, advises Doug Barbin, West Coast managing director of consulting services for security firm Guardent. Show that you are taking all possible precautions, and that you are staying up to date on security news.

"The more interaction you have with them, the better off you are going to be," he said. "If you have relationships already established [with the credit card companies], and those relationships show that you have been taking steps to protect yourself, they are going to be much more lenient on you" in cases of fraud.

A Few Final Tips
How to avoid credit card fraud? The Merchant Risk Council suggests the following:

  • Know what looks suspicious, such as lots of small things. Someone bought $1000 worth of DVDs? They may soon be sold from the back of a van.

  • Have a plan for suspicious orders. Know how to flag and review them.

  • Create a negative file, tracking key information from fraudulent orders. Don't let it happen twice.

  • Ask for the CVVC, CID, CVV2. This is a new 3 or 4 digit code printed on the credit card.

  • Have your company name and a toll free number printed on the credit card statement. Make sure this name reflects your URL. Have a toll free number printed on the credit card statement as well. If a consumer has a question about an order, they likely will call a toll free number before they contest the charge.

Following these tips may not stop credit card fraud, but it will certainly reduce the odds that your small e-business will be taken to the cleaners by charge-backs.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date