Globally, there is a multi-billion dollar online payment fraud industry that is growing at an alarming 11% per year. Roughly 27 of every 1,000 online purchases are fraudulent, with digital and luxury goods under the most intense attack. On the other side of that battle there is a multi-billion dollar e-Commerce fraud prevention industry, which does an increasingly excellent job of identifying and mitigating this fraud. Unfortunately, these companies offer packages that typically start at a few thousand dollars per month, far out of reach for small and mid-sized e-Commerce companies. Thankfully, there are some pretty basic steps that small businesses can take that dramatically mitigate credit card fraud. And the best part is that because these tweaks are made within your own payment gateway, they are free (or nearly free) to implement.
4 Steps to Fight Fraudulent Transactions
In this article we’ll walk through the basic payment gateway security changes that can significantly reduce your company’s exposure to online payment fraud. We’ll be using the built-in iSpyFraud tool in the NMI Payment Gateway for all screenshots; however, most other mainstream payment gateways offer similar features.
1. Require the card’s security code
If you’ve made a purchase over the phone with any large retailer, you’ve probably been asked for the 3-digit code on the back of your card (or the 4-digit code on the front of an American Express card). That code is called the CVV, and it’s a surprisingly effective e-Commerce fraud prevention measure. That’s because stolen card data frequently does not include the CVV, so by requiring the customer to enter that number and enabling CVV Match to verify that the number entered is correct, you can immediately reduce a large amount of credit card processing fraud.
Enabling this protection is relatively simple. When configuring your payment gateway, block any transactions in which there is a CVV error (aka mismatch) or where the CVV information is not provided.
The Pros and Cons:
The downsides of requiring CVV are pretty minimal. But because each additional field required in the customer’s checkout process will, at least to some degree, lower the shopping cart’s conversion rate, and because the CVV is technically an optional field, one can expect a small dip in the overall funnel’s conversion rate when requiring it.
2. Require a Zip Code Match
When purchasing gas throughout the U.S., it is now standard for the customer to enter their zip code when swiping their credit card. The reason is that the gas station is conducting an AVS (zip code) match: it checks whether the zip code you entered matches the billing zip code on file for the card. Much like CVV codes, most individuals attempting to use stolen credit cards do not have the owner’s zip code. Moreover, the zip code is not printed anywhere on the card, so even a fraudster who stole the cardholder’s physical card likely wouldn’t have it.
Another benefit of zip code matches is that they take very little work by the cardholder and thus have a minimal negative impact on conversion rates. And unlike requiring a full address match, which generates many false positives from customer typos, requiring only a zip code match accomplishes much of the same e-Commerce fraud protection while generating far fewer false positives, since the customer only has to enter 5 digits.
The Pros and Cons:
Implementing zip code matches is easy: simply require a 5-digit zip code match for transactions to process in your payment gateway’s setup. Alternatively, you can require a full address match (house number, street name, city name, etc.); however, the added security of a full address match is generally outweighed by the significantly higher rate of declined transactions caused by legitimate customers making typos.
3. Flag Suspicious Transaction Amounts
If your company’s typical ticket size is under $50 with very few purchases over $100, then consider flagging in your payment gateway any transaction over, say, $150. Similarly, if your average transaction size is $100 and you have very few sales under $50, flag transactions under $10. Why? Because unusual transaction sizes are often an early indicator of fraudulent activity.
You don’t necessarily want to block these transactions because, of course, they may be legitimate. But by setting them to be flagged by your payment gateway you can manually review them each day before the transactions actually post and stop any that seem fraudulent. Reviewing a transaction might mean calling the customer to confirm the purchase, or could be as simple as doing a quick Google Maps search of the delivery address to see if it matches what you were expecting.
To accomplish this online fraud prevention measure you need to do two things. The first is to make sure that your credit card processor sets your batch time to give whoever will be reviewing flagged transactions the maximum amount of time to do so. Thus, if your business sells the majority of its products between 9 a.m. and 1 p.m., then set your batch time to 5 p.m. That way you’ll have a few hours to check that day’s flagged credit card sales and do any verification necessary before the transactions actually post. By contrast, a midnight posting time (which is often the default) means that you’re exposed to savvy fraudsters who attempt to make purchases at 11 p.m., and you’ll have no one to review the flagged transaction before it posts at midnight.
Once you’ve set the batch time, you simply need to configure your payment gateway’s fraud filter to flag transactions whose dollar amount, or whose count from a single IP address, exceeds the thresholds that make sense for your business.
The Pros and Cons:
The downsides to flagging transactions are minimal. From the customer’s perspective, the transaction will still process as before, so it won’t impact conversion rates negatively. It does, however, add a labor requirement that someone in your company has to be assigned to review flagged transactions on a daily basis. But given the cost of payment fraud, this is typically worthwhile.
4. Block or Flag Based on Geography
Look through your recent customer list. Is everyone from the US? Or alternatively, the US and Canada? For all but the most international of companies, typically your entire customer list can be reduced to being from 3-4 countries. And if that’s the case, you should consider using geographically based filters to reduce fraud.
That’s because the majority of large scale fraud operations originate from third world countries against first world merchants. Thus a major category of payment fraud can be mitigated by configuring your payment gateway to flag, if not block entirely, transactions in which the originating IP or the billing address indicates that the customer is outside of your expected geographic region.
This is simple to accomplish via a payment gateway’s configuration panel. Most offer the ability to simply block or flag all non-US transactions, or for slightly more international companies to specify individually which countries to permit transactions from.
The Pros and Cons:
The downsides of these geographic filters are pretty obvious. If you block transactions from customers outside your country you will largely miss out on international customers. You can mitigate this effect somewhat by showing international customers an error message that instructs them to call your offices to have the transaction manually approved. For most companies, whose customer base is almost exclusively from their home country, however, the loss of these very few international customers is typically outweighed by the significant reduction in overall credit card fraud suffered by the company.
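As an added illustration of the four filters above (example code written for this article, not code from the article or from NMI’s iSpyFraud), here is a small Python rule set that applies them to a constructed batch: CVV and zip mismatches hard-decline, while amount, per-IP volume and geography hits only flag the transaction for the daily review described in step 3. All thresholds, country lists and sample transactions are assumed values.

```python
from collections import Counter
from dataclasses import dataclass
# Hypothetical thresholds mirroring the article's four filters; not NMI/iSpyFraud settings.
ALLOWED_COUNTRIES = {"US", "CA"}                      # step 4: expected geography
HIGH_AMOUNT, LOW_AMOUNT, MAX_PER_IP = 150.00, 10.00, 3  # step 3: ticket range / orders per IP

@dataclass
class Txn:
    txn_id: str
    amount: float
    cvv: str          # "M" match, "N" mismatch, "" not supplied (step 1)
    zip_match: bool   # AVS 5-digit zip result (step 2)
    ip_country: str
    bill_country: str
    ip: str

def evaluate(t: Txn, ip_counts: Counter) -> tuple[str, list[str]]:
    # Hard declines (CVV/zip) first; everything else only flags for manual review.
    reasons = []
    if t.cvv != "M":
        reasons.append("cvv missing" if t.cvv == "" else "cvv mismatch")
    if not t.zip_match:
        reasons.append("zip mismatch")
    if reasons:
        return "decline", reasons
    if {t.ip_country, t.bill_country} - ALLOWED_COUNTRIES:
        reasons.append("outside allowed countries")
    if not LOW_AMOUNT <= t.amount <= HIGH_AMOUNT:
        reasons.append(f"unusual amount {t.amount:.2f}")
    if ip_counts[t.ip] > MAX_PER_IP:
        reasons.append(f"{ip_counts[t.ip]} orders from {t.ip}")
    return ("flag" if reasons else "approve"), reasons

def review_queue(batch: list[Txn]) -> dict[str, list[str]]:
    # Bucket the day's batch so a reviewer sees the flagged IDs before the batch posts.
    ip_counts = Counter(t.ip for t in batch)
    out: dict[str, list[str]] = {"approve": [], "flag": [], "decline": []}
    for t in batch:
        out[evaluate(t, ip_counts)[0]].append(t.txn_id)
    return out

SAMPLE_BATCH = [  # constructed sample batch, not real data
    Txn("t1", 42.00, "M", True, "US", "US", "198.51.100.7"),
    Txn("t2", 42.00, "N", True, "US", "US", "198.51.100.8"),
    Txn("t4", 420.00, "M", True, "US", "US", "198.51.100.10"),
    Txn("t5", 42.00, "M", True, "BR", "US", "203.0.113.5"),
    Txn("t6", 42.00, "M", False, "US", "US", "198.51.100.11"),
] + [Txn(f"v{i}", 42.00, "M", True, "US", "US", "203.0.113.77") for i in range(4)]

if __name__ == "__main__":
    print(review_queue(SAMPLE_BATCH))
```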
e-Commerce fraud is a booming multi-billion dollar industry. And as large multinational eCommerce platforms spend millions in order to beef up their security, fraudsters are increasingly targeting smaller e-Commerce companies who do not employ sophisticated risk monitoring tools. By using the very basic (and largely free) payment gateway configuration techniques described above, however, even a small business can eliminate the vast majority of payments fraud.
About the Author
Brad Martin is the Chief Marketing Officer at Soar Payments, a high risk merchant account provider. Learn more about the company, and read their latest blog articles on their Facebook page.