Preventing card fraud when accepting Card Not Present (CNP) transactions

If your business accepts Card Not Present card payments (e.g. an eCommerce website) you are probably aware of the built in checks provider by your merchant services provider:  *AVS, CVV, MasterCard SecureCode / Verified by Visa and Fraud Screening.

*Brief description of built in checks

  • Address Verification Checks   – checks the numerical characters of the transactions billing address and postcode against the details held by the card issuer. (This is not widely used by non-UK cards)
  • Card Verification Value (CVV) – Checks the transactions inputted CVV against the value held by the card issuer.
  • MasterCard SecureCode / Verified by Visa  – services created by the Card Schemes to protect you and your customers.
  • Fraud Screening – your merchant provider provides a score indicating the likelihood a transaction is fraudulent, they also highlight anomalies with the transaction (e.g. transaction billing address country does not match value held by the card issuer).

There is however additional checks you can make to help avoid a fraudulent transaction.

  1. Check the customer emails address – proceed with caution with free email address like Yahoo, Hotmail or Gmail as these are more likely to result in fraud. Subscription email addresses like ‘BTConnect’ or ‘Virginmedia’ are usually safer. Or if the email address is the domain of a company website go to that domain and see if it is an established website, if it’s just a parking page the transaction is less safe. You should also check the name in the email address. Does it make sense when comparing it to the card holder name?  Checking the email address should be a part of your overall checking as many of your honest customers may use free email addresses.
  2. Is the order too good to be true? Be aware if you have an order that is a higher value than your normal orders. Also be aware if you get several orders from the same customer in a short space of time. Have a look at your statistics, how frequently do you get orders from the same customer, if you best honest customer is buying from your website once a month and someone purchases from you 3 days in a row, something might be fishy.
  3. Is it unusual in another way? Is there anything else you can think of that doesn’t match your normal customers.
  4. Check the IP address of the transaction and see where it originates from. Compare this with the billing address.  Be aware that fraudsters can use proxy IP addresses.
  5. Where possible ask customers for a land line telephone number which can be checked using Directory Enquiries (unless they are ex-directory). You can also check the supplied name and address details against the details on the Edited Electoral Roll. This is not a guarantee as it is possible to opt out of having your details published. Try ukphonebook.com people search OR the T2A API search for a person and find a residential telephone number methods.
  6.  Have a look at all the transactions occurring on your website not just the successful ones. Was the customer declined several times before they were successful? You shouldn’t immediately think its fraud as sometimes people mistype things, but you should investigate further.
  7. When you do get a fraudulent transaction or charge-back – investigate the details of the transaction and see if there are any clues to help further improve your fraud screening.

These checks can help you when you are reviewing your transactions but you may want to consider building your own solution that uses a combination of these checks against each transaction before they are submitted to protect yourself further.

Leave a Reply