Keeping The Fraudsters Away From Your eBusiness


A while ago a government minister was reported as saying that as the economy worsened they expected crime to increase. And not having to deal with shoplifters and thieves face-to-face adds an attraction to selling online. But does growth in white collar redundancies herald a rise in online fraud too?

The challenge with online fraud prevention is not simply to identify suspicious activity; it's to find the balance between preventing fraud and alienating customers.

There's a danger that you upset genuine customers by stopping their orders, and they will tell all their friends about your terrible company.

Not all online merchants suffer from fraud, as the incidence varies greatly between different sectors. Instinctively we might guess that fraud would be a big problem selling iPods, for example. However, I have known merchants selling bibles and model trains to experience it too. E-tailers I know with fewer problems include one selling trailer parts and another offering fleeces for dogs and horses.

Technical weapons

The big change recently has been the banks taking online fraud seriously. There is now a range of services, such as address verification (AVS), which checks the billing address; CV2 (the code on the back of the card), which endeavours to determine that the buyer has access to the physical card; and 3D Secure (also known as Verified by Visa and Mastercard SecureCode), which requires a password.

When 3D Secure is used, the banks are prepared to guarantee the payment even if the buyer claims they didn't carry out the transaction.

Banks have also introduced the Payment Card Industry Data Security Standard (PCI DSS), with which any business taking card payments must comply.

Alongside this we have seen the rise of independent anti-fraud services like The 3rd Man, which now checks more than 20 million online payments a month, claiming to detect around 97% of all fraud. I must declare an interest here as my company has recently integrated The 3rd Man into its payments service.

Anti-fraud services look at a huge variety of factors including IP address, electoral roll and spending patterns across cards, buyers and addresses. They also collect information on chargebacks, and can flag up buyers that consistently tell lies to get free goods. The result is advice to the merchant on which orders to accept and which to investigate further.

The approach adopted by a merchant really needs to combine the technological weapons with some sensible internal policies for combating fraud. With a policy-based approach, companies define what to do when fraud is suspected, which in turn may be flagged by technical indicators, or orders over a certain value.

Validation

Contacting the buyer can be very effective, as fraudsters don't want to engage in dialogue - it's high risk for them. Try asking for details of "the order", or maybe saying "Hello Jim, and your surname is?" If the fraudster has placed multiple orders, they won't recall the details. Your suspicions should increase if questions take too long to answer.

Requesting a fax of the credit card, bank statement, bill, driving licence or passport will most likely discourage a fraudster, although it may also irritate genuine customers. However, most will be happy to help once you explain the reasons for your suspicion.

Ensure that your policies are clear to all staff and they are well trained to explain things to the customer in the most friendly way possible.

A second line of defence the merchant can adopt if still uncertain of the genuineness of the order is to simply ask for payment by an alternative means, such as cheque or even a different card, which would need to have the same billing address.

It may pay to use a shipping method that requires a signature, as this can help when the buyer denies that they have received the goods. However, people can obscure their signatures and it isn't a guaranteed way to prove safe delivery. On the other hand, without a signature, it's impossible to prove.

Balancing act

It should be remembered that there is no single method that ensures that the right balance is struck between over-zealous rejection of good business and painful losses from lax standards in processing fraudulent orders. For instance, AVS will give up to 40% false positives, due to the variety of address formats people use, and AVS cannot be used on overseas orders.

So it must only be used as one of several fraud indicators. Remember, your business will build its own fraud profile, and using your experience to develop policies can't be beaten.
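The policy-based approach described under "Technical weapons", combined with the point above that AVS can only be one of several indicators, might look like this as an added example (not code from the article or from any payment provider). The `Order` fields, weights, thresholds and action names are hypothetical assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Weights and thresholds are illustrative assumptions, not values from the article.
HIGH_VALUE = 250.00     # "orders over a certain value"
CONTACT_AT = 3          # score at which staff contact the buyer
ALT_PAYMENT_AT = 6      # score at which another payment method is requested


@dataclass
class Order:
    value: float
    overseas: bool
    avs_match: Optional[bool]   # None when AVS was not run
    cv2_match: bool
    three_ds_ok: bool           # buyer passed 3D Secure
    service_flag: bool          # independent anti-fraud service says "investigate"


def triage(order: Order):
    """Return (action, reasons) for one order."""
    checks = [
        # AVS cannot be used overseas and gives false positives, so it is
        # weighted below the review threshold and never decides alone.
        (not order.overseas and order.avs_match is False, 2, "AVS mismatch"),
        (not order.cv2_match, 3, "CV2 mismatch"),
        (order.service_flag, 3, "anti-fraud service flag"),
        (order.value >= HIGH_VALUE, 1, "high order value"),
        (not order.three_ds_ok, 1, "no 3D Secure"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [label for hit, _, label in checks if hit]
    if score >= ALT_PAYMENT_AT:
        return "alternative_payment", reasons
    if score >= CONTACT_AT:
        return "contact_buyer", reasons
    return "accept", reasons


# Constructed sample orders (not real transactions).
SAMPLES = {
    "avs_only": Order(40.0, False, False, True, True, False),
    "avs_high_value": Order(300.0, False, False, True, True, False),
    "overseas_flagged": Order(400.0, True, None, False, False, True),
}

if __name__ == "__main__":
    for name, order in SAMPLES.items():
        print(name, *triage(order))
```

Returning the reasons alongside the action gives staff something concrete to explain when they contact the buyer.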

In order to implement all of these checks, you need a payment service provider that supports them. So make sure that your payment provider supports 3D Secure, AVS, CV2, preferably one of the independent fraud checking services, and of course is PCI DSS compliant. When you have these services up and running, mention them on your website as they boost trust.

The last few years have seen a big increase in ways to combat online fraud. Sadly criminals will always be finding new tricks, but that's no reason to let them steal your lunch today.

Chris Barling, CEO of ecommerce supplier, Actinic. Originally published on Ecommerce Eye.