Wednesday, December 31, 2008

Collecting Unpaid Balances

Customers are often responsible for charged-back transactions. In order to recover such losses, eCommerce merchants should apply the following best practices:
  • Use email collection messages and letters as a first step toward collecting low-dollar amounts. Merchants can often recover unwarranted chargeback losses by contacting customers directly using an internal collection department or an external collection agency. For example, if a customer claims that a transaction was fraudulent, but the merchant has determined that the customer has actually received the products or services, the merchant should contact the customer directly to recover the chargeback amount. If a letter was received from the cardholder as part of the chargeback documentation, the merchant should attempt to address the customer's concerns and arrive at a mutually acceptable solution.
  • Follow up with phone calls to customers who do not respond to the initial correspondence.
  • Outsource the remaining customers with unpaid balances to a collection agency on a contingent fee basis.

Tuesday, December 30, 2008

ECommerce Representment Rights

ECommerce merchants must understand their representment rights and work with their acquiring bank to apply the necessary actions in a timely manner.
  • AVS and Card Security Code representment rights*. For chargebacks on transactions where the Address Verification Service (AVS) or the Card Security Code was used, the acquiring bank can represent the charged-back transaction if the merchant:
    • Received a positive AVS match in the authorization response and the billing and shipping addresses are the same. Proof of the shipping address and of delivery must be submitted.
    • Submitted an AVS query during authorization and received a "U" response from a US card issuer. This response means that the card issuer was unavailable or does not support AVS.
    • Submitted a Card Security Code verification request during authorization and received a "U" response from a US card issuer. This response means that the card issuer does not support the respective code.

    If the merchant believes that it has AVS or Card Security Code representment rights on a charged back transaction, all available supporting evidence should be provided to the acquiring bank to be submitted with the representment.

    Even though an acquiring bank has the right to represent a transaction on its merchant's behalf under the above circumstances, there is no guarantee that the disputed items will be accepted.

  • Verified by Visa and MasterCard SecureCode representment rights. Merchants that participate in Verified by Visa or MasterCard SecureCode are in most cases protected from "unauthorized use" chargebacks. If a participating merchant receives a fully authenticated or attempted-authentication response from the card issuer and includes the authentication data in the authorization request, the merchant retains representment rights for such chargebacks. Because the right depends on the authentication data actually reaching the authorization message, a processing error that drops it forfeits the protection.

Monday, December 29, 2008

Unnecessary Chargebacks and Processing Costs

In order to minimize losses, eCommerce merchants need an adequate chargeback tracking system, procedures in place to avoid unnecessary chargebacks, and a thorough understanding of their representment rights. The following best practices should be applied:
  • Do not complete transactions where authorization has been declined. Do not repeat an authorization request after the first one has been declined; request an alternative form of payment instead.
  • Credits should be promptly issued, where applicable. In particular:
    • When cardholders contact merchants to directly resolve a dispute, the credit should be issued in a timely manner to avoid unnecessary disputes and the associated chargeback processing costs.
    • Email messages should be sent to cardholders informing them immediately of the impending credit.
  • Provide sufficient information to transaction copy requests.*
    • The response to a copy request should include full information about the transaction, including the following details:
      • Account number.
      • Card expiration date.
      • Cardholder name.
      • Transaction date.
      • Transaction amount.
      • Authorization code.
      • Merchant name.
      • Merchant online address.
      • General description of product and services.
      • The shipping address, if applicable.
      • Address Verification Service (AVS) response code, if applicable.
    • Provide the following optional additional data to help resolve inquiries and reduce chargebacks:
      • Transaction time.
      • Customer email address.
      • Customer telephone number.
      • Customer billing address.
      • Detailed description of products and services.
      • Whether a receipt signature was obtained upon delivery of goods or services.
  • Respond to transaction copy receipts in a timely manner.
    • Design and implement a timely, efficient process for fulfilling transaction copy requests.
    • Investigate fax fulfillment by the acquiring bank, if this is appropriate for the provided products or services.
*Card issuers may charge a transaction back if a sales receipt copy is not received within 30 days of a request to the acquiring bank. A prompt fulfillment of the request will help avoid such chargebacks and their associated costs.


Saturday, December 27, 2008

Card Data Security Breach Actions

In case of a suspected or confirmed security breach, eCommerce merchants should act immediately to contain the exposure and prevent further loss of information, and should conduct a thorough investigation of the suspected or confirmed compromise. The following concrete steps should be applied:
  • Do not access or alter compromised systems (e.g. do not log on to compromised machines or change passwords on them); every log-on overwrites timestamps and log entries that the investigation will need.
  • Do not power off compromised machines, since that destroys volatile evidence held in memory. Instead, isolate them from the network (e.g. unplug the network cable).
  • Preserve all logs and electronic evidence.
  • Log all actions that are taken.
  • If using a wireless network, change the SSID on the access point and on the other machines that use that network (with the exception of the compromised machines). Changing the SSID by itself does not lock an intruder out, so the wireless pre-shared key should be changed at the same time.
  • Closely monitor all systems containing cardholder data.
ECommerce merchants should provide all compromised card account information to their acquiring banks within ten business days. The compromised card account information is then provided to the Credit Card Companies and Associations and then distributed to the affected card issuers.

ECommerce merchants are also required to provide to their acquiring banks, within three business days of the reported compromise, an Incident Response Report detailing the loss of information that had occurred.


Friday, December 26, 2008

Complying with PCI Data Security Standard Requirements

To protect the interests of their customers, eCommerce merchants must apply the following best practices:
  • ECommerce merchants should work with their acquiring banks and merchant services providers to understand their information security role and what is required of them and their service providers in regard to compliance with PCI Data Security Standard.
  • Train employees on PCI Data Security Standard compliance. In particular:
    • Use materials that the Credit Card Associations of Visa and MasterCard make available to train staff on PCI Data Security Standard compliance.
    • Make certain that all service providers are fully compliant and that the service contracts specify PCI Data Security Standard compliance as a condition of doing business.
  • Do not store Card Security Codes. For information security purposes the Credit Card Associations and Companies prohibit merchants from storing Card Security Codes.
  • Use vendors who offer PCI-compliant payment application software. To help merchants in the process the Credit Card Associations have developed best practices manuals that are derived from the PCI Data Security Standard.
  • When asking a cardholder for their card's security code, merchants must not document this information on any kind of paper order form or store it in any database.
ECommerce merchants must know their liability for data security problems. Many acquiring banks provide contracts that explicitly hold merchants liable for losses resulting from compromised card data if the merchant (or their service provider) lacked adequate data security. Liabilities to consumers may also arise.


Wednesday, December 24, 2008

Payment Card Industry Data Security Standard

Consumers want to be sure that their account information is safe before placing an order for products or services on an eCommerce website. The Payment Card Industry (PCI) Data Security Standard was the result of a joint effort of all major credit card companies and associations to establish security procedures that protect cardholder information across all payment channels. The PCI Data Security Standard applies to all entities, i.e. all merchants and merchant services providers (including third party agents*), that store, process, or transmit cardholder account information.

The PCI Data Security Standard consists of 12 basic requirements:
  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
*A third party agent is an entity that is not a payment processor but instead provides payment related services (directly or indirectly) to an acquiring bank, and/or stores, processes or transmits cardholder data. Third party agents must be registered by all acquiring banks that utilize their services.


Tuesday, December 23, 2008

Transaction Post-Authorizations Best Practices

Upon approval by the card issuer of an online transaction, eCommerce merchants should consider sending a confirmation to the customer before completing the order. If the transaction is declined, however, there should be procedures in place specifying how such situations are to be handled with customers and that help determine whether this type of decline can be avoided in the future. The following best practices should be applied by merchants in their post-authorization actions:
  • Implement a fraud-focused authorization routing sequence when a transaction is initiated.
  • Issue an email order confirmation for approved transactions. Confirmation emails let eCommerce merchants verify that the cardholder's email address is valid. If the email bounces, the order should be reviewed further to determine whether it is legitimate. The email should include details about the order.
  • Review declined authorizations and take appropriate actions. Customer service representatives should review authorization declines and obtain corrected information or an alternate payment that may allow the merchant to proceed with the sale. The following actions should be applied:
    • Authorization declines should be reviewed and customers contacted to correct problems with their cards (e.g. incorrect expiration date) or arrange other means of payment.
    • If the card information is corrected, a new authorization approval should be obtained before the sale is completed.
    • The success rate of the merchant's decline review strategy should be reviewed and modified, as needed.
  • Track order decline rates. Tracking order decline rates can help merchants increase their approval rates and sales volume, and uncover potential problems related to changes in the authorization process. In particular:
    • Track order declines by reason on a daily basis.
    • Separate declines by the card issuer from declines for suspected fraud or other reasons.

Monday, December 22, 2008

ECommerce Routing Authorization Requirements

The following authorization requirements should be followed by eCommerce merchants:
  • Use the correct Electronic Commerce Indicator (ECI) for all online transactions. The ECI should be entered into the appropriate field of the authorization and settlement messages to identify the transaction as an eCommerce one. ECommerce merchants should work with their acquiring banks and merchant services providers to implement the ECI, which is required by the Credit Card Associations of Visa and MasterCard for all eCommerce transactions.
  • Obtain a new authorization when the original one expires. If merchants sell products through their websites and the products are shipped to the customers more than seven days after the original authorization (e.g. a back order), the merchants should obtain a new authorization before proceeding with the shipment. This practice is required by the Associations and helps protect eCommerce merchants from chargebacks for "no authorization".

Saturday, December 20, 2008

ECommerce Authorization Routing Sequence

ECommerce merchants should implement a fraud-focused authorization routing sequence when a customer initiates a transaction.
  • If the merchant is participating in the Verified by Visa or MasterCard SecureCode programs, the authentication process should be completed and the authentication data should be included in the authorization request.
  • Internal fraud screening should be performed (e.g. matching the transaction against velocity parameters, high risk locations, and internal negative files), and unacceptable transactions should be further reviewed.
  • If the transaction has passed the internal check, authorization should be obtained from the card issuer that includes Address Verification Service (AVS) and Card Security Code (CVV2, CVC2 or CID) to determine if the card issuer or the merchant will decline the transaction.
  • If the merchant is using a third party screening service, a fraud score should be obtained for transactions that have not yet been declined by the merchant or the card issuer.
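As an added illustration (not code from the original post), here is the routing sequence above as a small Python pipeline. The issuer, the 3-D Secure server and the third-party scoring service are all simulated in-process, and every field name, response code, list entry and threshold is an assumption chosen for the example; the ECI values 05 and 06 are the Visa codes for fully authenticated and attempted authentication, and the AVS/CSC representment check assumes a US issuer.

```python
"""Fraud-focused authorization routing for one card-not-present order.
Added illustration, not code from the original post; everything below
(fields, codes, lists, thresholds, the issuer and the scorer) is assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ECI_FOR_3DS = {"Y": "05", "A": "06"}          # Visa: 05 authenticated, 06 attempted
NEGATIVE_FILE = {"fraudster@example.invalid"}  # constructed internal negative file
HIGH_RISK_COUNTRIES = {"ZZ"}                   # constructed high-risk ship-to list
VELOCITY_LIMIT = 3                             # orders per card per run (assumption)
SCORE_REVIEW_THRESHOLD = 70                    # third-party score that triggers review


@dataclass
class Order:
    order_id: str
    pan_last4: str
    amount: float
    email: str
    ship_country: str
    ship_equals_bill: bool
    three_ds_result: str   # simulated: "Y" authenticated, "A" attempted, "N" failed
    issuer_approves: bool  # simulated issuer decision
    avs: str               # simulated AVS response: "Y" match, "N" no match, "U" unavailable
    csc: str               # simulated CVV2/CVC2 response: "M" match, "N" no match, "U" unsupported


@dataclass
class Decision:
    order_id: str
    outcome: str           # "accept", "review" or "decline"
    reason: str
    eci: Optional[str] = None
    representment_rights: bool = False


def internal_screen(order: Order, counts: Dict[str, int]) -> Optional[str]:
    """Velocity, high-risk location and negative-file checks; a reason string or None."""
    counts[order.pan_last4] = counts.get(order.pan_last4, 0) + 1
    if order.email.lower() in NEGATIVE_FILE:
        return "internal negative file match"
    if order.ship_country in HIGH_RISK_COUNTRIES:
        return "ship-to country on high-risk list"
    if counts[order.pan_last4] > VELOCITY_LIMIT:
        return "card velocity limit exceeded"
    return None


def avs_csc_representment(order: Order) -> bool:
    """Representment conditions from the post: positive AVS match with ship-to equal
    to bill-to, or a "U" response to AVS or CSC (US issuer assumed here)."""
    if order.avs == "Y" and order.ship_equals_bill:
        return True
    return order.avs == "U" or order.csc == "U"


def route(order: Order, counts: Dict[str, int],
          score_fn: Callable[[Order], int]) -> Decision:
    # Step 1: 3-D Secure runs first; a failed authentication is never authorized.
    if order.three_ds_result == "N":
        return Decision(order.order_id, "decline",
                        "authentication failed; request alternate payment")
    eci = ECI_FOR_3DS[order.three_ds_result]
    # Step 2: internal screening before an authorization is spent on the order.
    reason = internal_screen(order, counts)
    if reason:
        return Decision(order.order_id, "review", reason, eci)
    # Step 3: issuer authorization carrying ECI, authentication data, AVS and CSC.
    # A decline is not retried; the customer is asked for another payment method.
    if not order.issuer_approves:
        return Decision(order.order_id, "decline",
                        "issuer declined; request alternate payment", eci)
    if order.avs == "N" or order.csc == "N":
        return Decision(order.order_id, "review",
                        f"merchant hold: AVS={order.avs} CSC={order.csc}", eci)
    rights = avs_csc_representment(order)
    # Step 4: third-party score only for orders nobody has declined yet.
    score = score_fn(order)
    outcome = "review" if score >= SCORE_REVIEW_THRESHOLD else "accept"
    return Decision(order.order_id, outcome, f"third-party score {score}", eci, rights)


def demo_score(order: Order) -> int:
    """Constructed stand-in for an external scoring service."""
    return 10 + (30 if not order.ship_equals_bill else 0) + (40 if order.amount > 500 else 0)


# Constructed orders, one per exit of the sequence.
SAMPLE_ORDERS = [
    Order("A1", "1111", 80.00, "pat@example.com", "US", True, "Y", True, "Y", "M"),
    Order("A2", "2222", 120.00, "lee@example.com", "US", True, "N", True, "Y", "M"),
    Order("A3", "3333", 60.00, "fraudster@example.invalid", "US", True, "A", True, "Y", "M"),
    Order("A4", "4444", 45.00, "kim@example.com", "US", True, "Y", False, "Y", "M"),
    Order("A5", "5555", 900.00, "sam@example.com", "CA", False, "Y", True, "U", "M"),
]


def run_demo() -> Dict[str, Decision]:
    counts: Dict[str, int] = {}
    return {o.order_id: route(o, counts, demo_score) for o in SAMPLE_ORDERS}
```

The order of the steps is the point: a failed authentication never reaches the issuer, internal screening runs before an authorization is consumed, a decline is never retried, and the paid third-party score is requested only for orders that have survived everything else.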

Friday, December 19, 2008

Protecting eCommerce Merchant Accounts from Intrusion

Criminals and other unauthorized persons gain access to eCommerce merchant accounts through the shopping cart or the payment gateway, typically by guessing weak or default passwords. Once in, intruders process debits and credits without the merchant's knowledge. The fraudulent sales usually total about the same as the credits the intruder deposits, so the two offset each other; this is done to evade deposit-volume monitoring. To keep eCommerce merchant accounts safe, merchants should apply the following best practices:
  • Conduct daily monitoring of authorizations and transactions. In particular, merchants should check daily for:
    • Authorization-only transactions. An unusually high number could indicate card testing, i.e. an intruder checking which stolen or generated numbers are still live.
    • An unusually high quantity, average size, or volume of credits. This could be an indication of a fraud.
    • Identical transaction amounts.
    • Transactions without associated customer identification information.
    • Multiple transactions from a single Internet Protocol (IP) address.
    • Transactions on similar account numbers. This could indicate the use of account number generating software (e.g. CreditMaster).
    • Multiple transactions made on a single card over a very short period of time.
  • Monitor your daily batches. In particular:
  • Change the password on your payment gateway regularly.
    • Use a combination of letters and numbers with a minimum of six characters; treat six as a floor rather than a target, since longer passwords resist guessing far better.
    • Make sure that the log-in ID and the password are different.
  • Make sure that the requirements in the Payment Card Industry (PCI) Data Security Standards (DSS) are in place.

Thursday, December 18, 2008

Verified by Visa Merchant Authentication Actions

ECommerce merchants participating in Verified by Visa need to perform the following authentication actions:
  • Complete the authentication process. The authentication data should be provided in the authorization request.
  • If authentication fails, request payment by alternate means. Consider the following concrete steps:
    • Quickly display a message or open up another web page to communicate to the cardholder that the purchase will not be completed with the card that failed the authentication process.
    • Offer an immediate opportunity for the cardholder to enter a new payment card number and try again, or
    • Display a button that, when clicked, opens up a new page that allows the cardholder to re-initiate the purchase.
  • Do not submit an authorization request for Verified by Visa transactions that fail authentication.

Wednesday, December 17, 2008

Alerts of High Fraud Rates

The Credit Card Associations of Visa and MasterCard warn acquiring banks about eCommerce merchants that exceed fraud thresholds for Electronic Commerce Indicator (ECI) 5 (fully authenticated transactions), ECI 6 (attempted authentication), and overall transactions. (These are the Visa ECI values; MasterCard SecureCode uses ECI 2 for fully authenticated and ECI 1 for attempted authentication.) A merchant that is identified repeatedly under these ECI thresholds or other thresholds may be designated a high-risk merchant, which carries chargeback liability for fraudulent transactions.

ECommerce merchants should work with their acquiring banks and merchant services providers to respond on a timely basis to alerts of high fraud rates. Merchants should immediately identify the source of the problem and take adequate measures to address it through more robust transaction fraud screening, investigation and verification.


Tuesday, December 16, 2008

Fraud Screening Benefits

Both Verified by Visa and MasterCard SecureCode provide robust fraud protection. However, they cannot completely eliminate online fraud, particularly for Attempted Authentication (Electronic Commerce Indicator [ECI] = 6), where no cardholder authentication actually takes place. Additionally, fraud may occur on fully authenticated transactions (ECI = 5) in account takeover situations or through fraudulent cardholder claims. Despite the protection from chargeback liability, merchants should continue to perform fraud screening to prevent these types of fraudulent activity. There are important reasons for this best practice:
  • Keep fraud out of the payment system. Only criminals benefit from fraud. Both customers and merchants are victims or, at the very least, significantly inconvenienced.
  • Provide protection from processing errors. Transactions may be believed to qualify for chargeback liability protection when they actually do not, due to processing errors. These errors are typically discovered after the fact and may result in a merchant loss.
  • Staying under fraud rate thresholds. The Credit Card Associations of Visa and MasterCard monitor fraud levels separately for ECI 5 and ECI 6 transactions. Merchants with unusually high levels may lose their chargeback protection until corrective measures are put in place.
  • Reducing chargeback processing expense. Under some scenarios, chargebacks for Verified by Visa and MasterCard SecureCode transactions may not be rejected, resulting in the acquiring bank and merchant having to process chargebacks and representments.

Monday, December 15, 2008

Ensuring ECommerce Transaction Qualification

In order to obtain chargeback protection, eCommerce merchants need to ensure that their acquiring bank or a card payment processor is providing the authentication results and Electronic Commerce Indicator (ECI) in the authorization message.
  • This can be an issue when a second authorization is obtained, such as a split shipment.
  • Depending on the merchandise sold and the merchant's customer base, transactions carrying a fully authenticated or attempted-authentication ECI should represent 80 percent to 95 percent of all transactions. A lower percentage could indicate a processing issue and a lack of fraud chargeback protection.
  • ECommerce merchants should monitor on a daily basis their ECI codes to identify any problems early on.
ECommerce merchants should always remember that in order to receive chargeback protection and the best interchange rate, the ECI and results of the authentication or attempted authentication must be provided in the authorization message.
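An added example (not from the original post) of the daily ECI check described above: a Python report over a constructed authorization log that computes the share of transactions carrying ECI 05 or 06 with the matching authentication data, flags records where an authentication result was obtained but the ECI was dropped, and flags a second authorization (the split-shipment case) whose ECI no longer matches the first. The record layout, field names and the 80 percent floor are assumptions; the ECI values are the Visa codes.

```python
"""Daily check that authorizations carry the ECI and authentication data needed
for chargeback protection. Added example, not from the original post; records,
field names and the 80 percent floor are constructed assumptions."""
from collections import defaultdict
from typing import Dict, Optional

# (date, order_id, auth_seq, 3ds_result, eci, cavv_present)
# 3ds_result: "Y" authenticated, "A" attempted, None = no 3-D Secure run.
# Visa ECI: 05 fully authenticated, 06 attempted, 07 non-authenticated.
SAMPLE_AUTHS = [
    ("2008-12-15", "O1", 1, "Y", "05", True),
    ("2008-12-15", "O2", 1, "A", "06", False),
    ("2008-12-15", "O3", 1, "Y", None, True),    # result obtained, ECI dropped in processing
    ("2008-12-15", "O4", 1, "Y", "05", False),   # ECI 05 sent without the authentication value
    ("2008-12-15", "O5", 1, None, "07", False),  # never authenticated; not protected
    ("2008-12-16", "O1", 2, "Y", "07", True),    # split-shipment re-authorization lost the ECI
    ("2008-12-16", "O6", 1, "A", "06", False),
    ("2008-12-16", "O7", 1, "Y", "05", True),
    ("2008-12-16", "O8", 1, "Y", "05", True),
    ("2008-12-16", "O9", 1, "Y", "05", True),
]
MIN_SHARE = 0.80   # bottom of the 80 to 95 percent range given in the post


def qualifies(eci: Optional[str], cavv_present: bool) -> bool:
    """Protected only if ECI 06, or ECI 05 together with the authentication value."""
    return eci == "06" or (eci == "05" and cavv_present)


def daily_eci_report(records) -> Dict[str, dict]:
    first_eci: Dict[str, Optional[str]] = {}
    per_day = defaultdict(lambda: {"total": 0, "qualified": 0, "problems": []})
    # Process in date and sequence order so a first authorization is seen before its re-auth.
    for date, order_id, seq, result, eci, cavv in sorted(records, key=lambda r: (r[0], r[2])):
        day = per_day[date]
        day["total"] += 1
        if qualifies(eci, cavv):
            day["qualified"] += 1
        if result in ("Y", "A") and eci not in ("05", "06"):
            day["problems"].append(f"{order_id}: authentication result {result} but ECI {eci}")
        elif eci == "05" and not cavv:
            day["problems"].append(f"{order_id}: ECI 05 without authentication data")
        if seq == 1:
            first_eci[order_id] = eci
        elif eci != first_eci.get(order_id):
            day["problems"].append(
                f"{order_id}: authorization {seq} has ECI {eci}, first had {first_eci.get(order_id)}")
    report = {}
    for date, day in per_day.items():
        share = round(day["qualified"] / day["total"], 2)
        report[date] = {"share": share, "alert": share < MIN_SHARE, "problems": day["problems"]}
    return report
```

The share alone would hide the split-shipment case (a re-authorization that silently drops to ECI 07), which is why the per-order comparison against the first authorization is there.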


Saturday, December 13, 2008

Verified by Visa At a Glance

Verified by Visa enables card issuers to verify the identity of participating cardholders during online payment transactions. The verification process goes through the following steps:
  1. At a participating merchant website, the cardholder clicks "Buy," "Submit," or a similar button to complete the transaction at the checkout. Software installed on the merchant's server (the Merchant Plug-In) automatically recognizes enrolled Verified by Visa cards and initiates the verification procedure.
  2. A Verified by Visa page appears, within a frame on the merchant's page, showing the Verified by Visa logo. If the cardholder has previously activated the card, he or she is prompted to enter the password created earlier. There is also a "forgot password" option for establishing a new password when the original one has been forgotten. If the card has not been previously activated, the card issuer may prompt the cardholder to activate it. If the card issuer does not participate in Verified by Visa, no cardholder interaction occurs; the transaction still qualifies for certain fraud liability protection, and the merchant receives an Attempted Authentication response with authentication data to be submitted in the authorization as proof of qualification for chargeback protection.
  3. The card issuer validates the cardholder's identity for activated cards and sends a response to the merchant on the result of the authentication. If authentication fails, the merchant should request payment by alternate means.
  4. Once the cardholder authentication process is completed and the cardholder identity is verified, the merchant includes the authentication data received from the card issuer in the authorization request. The transaction is now complete.

Friday, December 12, 2008

Setting up Verified by Visa

The following actions are recommended for merchants participating in Verified by Visa:
  • Add the Verified by Visa logo to your home page, security information page, and checkout pages to promote reliable and secure online shopping. One of the following approaches should be used:
    • Activate Now. This is the preferred approach that guides customers directly to an activation page where they can activate their Visa cards without leaving the merchant's website.
    • Learn More. This approach directs customers to a service description page (hosted on the merchant's website) where they can read more about Verified by Visa and activate their cards. Merchants need to make sure that they provide clear instructions on how Verified by Visa works. Every participating merchant receives a toolkit that includes a "Learn More" page with details on the Verified by Visa program.
  • Add a pre-authentication message to the checkout page to inform customers that they may be asked to activate their Visa cards for Verified by Visa.

Thursday, December 11, 2008

Implementing Verified by Visa and MasterCard SecureCode

Verified by Visa and MasterCard SecureCode provide a significant reduction in merchant risk exposure by increasing transaction security through cardholder authentication and providing chargeback protection from fraud. The following best practices should be implemented:
  • Work with your acquiring bank and merchant services provider to implement Verified by Visa and MasterCard SecureCode.
  • Evaluate the benefits of Verified by Visa and MasterCard SecureCode. These include:
    • Increased security and revenue growth. Improved online security will allow cardholders to become more confident purchasers, possibly increasing sales volume for participating merchants.
    • Reduced fraud and chargeback processing expense. Merchants who use Verified by Visa and MasterCard SecureCode are protected from fraud-related chargebacks on all personal Visa and MasterCard cards - credit or debit, domestic or international - whether or not the card issuer or cardholder is participating in Verified by Visa or MasterCard SecureCode, with limited exceptions. Attempted issuer chargebacks for fraud on Verified by Visa and MasterCard SecureCode transactions will be rejected in most cases, resulting in reduced fraud and chargeback expenses.
    • Interchange benefits. Verified by Visa and MasterCard SecureCode transactions that meet processing requirements settle at an interchange rate that is lower than a standard eCommerce transaction.

Wednesday, December 10, 2008

Cardholder Verification

ECommerce merchants should establish cost-effective procedures for verifying the authenticity of the cardholder. Call verification procedures should address two needs: identifying fraudulent transactions, and leaving a positive impression with legitimate customers, who should be assured that the company is doing everything possible to prevent fraud and to protect sensitive account information. The following procedures should be utilized:
  • Use directory assistance and online search tools to verify the cardholder name, address and telephone number.
  • Contact card issuing banks directly and:
    • Confirm name, address and telephone number associated with the card number.
    • Confirm whether the cardholder has made a recent address change or added an alternative address.
  • Call the cardholder to confirm the transaction and resolve any discrepancies. Inform the cardholder that this confirmation is performed as a protection against fraud.

Tuesday, December 9, 2008

Reviewing Suspect Transactions

ECommerce merchants should establish cost-effective thresholds for determining which suspect transactions to review. The manual review of transactions is both time-consuming and costly, and is generally warranted only for high-risk transactions. The following best practices should be considered when reviewing suspect transactions:
  • Using fraud-screening criteria that let merchants avoid the manual handling of lower-risk transactions, such as those involving:
    • Low purchase amount.
    • Repeat customers who have had a good record for at least the past 90 days and to whom merchandise has been sent at the same address before.
    • An Address Verification Service (AVS) match and a shipping address that is the same as the billing address, as well as a purchase amount that is below the designated threshold amount.
  • Ensuring that all transactions with higher-risk characteristics are declined or sent for fraud review, such as:
    • Negative file matches.
    • International Internet Protocol (IP) addresses, i.e. addresses outside the merchant's home country.
    • International billing or shipping addresses.
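The triage rules above as an added Python example (not code from the original post). Higher-risk characteristics are checked first and always send the order to fraud review; only then do the lower-risk rules let an order skip manual handling, and whatever matches neither lands in the manual queue. The threshold amounts, the home country, the negative file, the customer history and the sample orders are all constructed assumptions.

```python
"""Cost-based triage of suspect orders. Added example, not code from the original post;
thresholds, home country, negative file, history and orders are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

LOW_AMOUNT = 25.00              # below this, a review costs more than the exposure (assumption)
AVS_AMOUNT_THRESHOLD = 150.00   # ceiling for the AVS-match bypass (assumption)
GOOD_HISTORY_DAYS = 90
HOME_COUNTRY = "US"
NEGATIVE_FILE = {"mule@example.invalid"}   # constructed


@dataclass
class History:
    first_order: date
    chargebacks: int
    shipped_to: Set[str]


@dataclass
class Order:
    order_id: str
    customer_id: Optional[str]
    email: str
    amount: float
    avs_match: bool
    bill_address: str
    ship_address: str
    bill_country: str
    ship_country: str
    ip_country: str


def triage(order: Order, history: Dict[str, History], today: date) -> Tuple[str, str]:
    """Return (queue, reason) where queue is "accept", "fraud_review" or "manual_review"."""
    # Higher-risk characteristics win regardless of amount or history.
    if order.email.lower() in NEGATIVE_FILE:
        return "fraud_review", "negative file match"
    if order.ip_country != HOME_COUNTRY:
        return "fraud_review", "international IP address"
    if order.bill_country != HOME_COUNTRY or order.ship_country != HOME_COUNTRY:
        return "fraud_review", "international billing or shipping address"
    # Lower-risk characteristics let the order bypass manual handling.
    if order.amount < LOW_AMOUNT:
        return "accept", "low purchase amount"
    if (order.avs_match and order.bill_address == order.ship_address
            and order.amount < AVS_AMOUNT_THRESHOLD):
        return "accept", "AVS match, ship-to equals bill-to, amount under threshold"
    h = history.get(order.customer_id) if order.customer_id else None
    if (h and h.chargebacks == 0
            and today - h.first_order >= timedelta(days=GOOD_HISTORY_DAYS)
            and order.ship_address in h.shipped_to):
        return "accept", "repeat customer with clean history and known ship-to address"
    return "manual_review", "no low-risk rule matched"


TODAY = date(2008, 12, 9)
HISTORY = {"C-7": History(TODAY - timedelta(days=200), 0, {"1 Main St, Springfield"})}
SAMPLE = [   # constructed orders, one per rule
    Order("T1", None, "a@example.com", 19.99, False, "1 A St", "2 B St", "US", "US", "US"),
    Order("T2", None, "b@example.com", 120.00, True, "3 C St", "3 C St", "US", "US", "US"),
    Order("T3", "C-7", "c@example.com", 400.00, True, "4 D St", "1 Main St, Springfield", "US", "US", "US"),
    Order("T4", None, "mule@example.invalid", 15.00, True, "5 E St", "5 E St", "US", "US", "US"),
    Order("T5", None, "d@example.com", 60.00, True, "6 F St", "6 F St", "US", "US", "ZZ"),
    Order("T6", None, "e@example.com", 400.00, False, "7 G St", "8 H St", "US", "US", "US"),
]


def run_demo() -> Dict[str, str]:
    return {o.order_id: triage(o, HISTORY, TODAY)[0] for o in SAMPLE}
```

Note that T4 is a low-amount order and would be auto-accepted if the rules ran in the other order; putting the high-risk checks first is what keeps a negative-file hit from sneaking through under the amount threshold.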

Monday, December 8, 2008

CyberSource

CyberSource is a real-time risk management service that evaluates the risk associated with individual transactions. The results are presented with risk scores and provided to participating merchants. ECommerce merchants use the scores as additional means to identify potentially fraudulent orders.

Every time a cardholder clicks the "Buy" button on the website of a merchant using the CyberSource fraud screening service, the transaction is evaluated against over 150 data points. The service runs 24 hours a day, seven days a week, and draws on a large, regularly updated database of worldwide fraud and payment card usage patterns covering both card-present and card-not-present transactions. Risk scores are calculated using a combination of neural networks, rules-based modeling, and hybrid fraud technologies.


Sunday, December 7, 2008

Third-Party Fraud Screening

ECommerce merchants can use internal or third-party fraud scoring procedures to better target the highest risk transactions that require additional verification. The following best practices should be implemented:
  • Perform internal fraud scoring before submitting transactions for third-party scoring. In particular:
    • Submit only those transactions that have passed internal screening.
    • Do not obtain fraud scores for transactions that were declined by the card issuer or are already suspected of fraud.
  • Evaluate the costs and benefits of third-party scores for low-risk transactions. It may not always be cost effective to obtain third-party fraud scores for each online transaction. Merchants may be able to keep costs down by eliminating low-risk transactions from third-party scoring. Consider the following guidelines:
    • Analyze your agreements with third-party scoring services and determine the costs of submitting transactions to them.
    • Identify transactions whose potential fraud loss is lower than the cost of obtaining a third-party fraud score. The following factors should be taken into consideration:

Saturday, December 6, 2008

Verification Calls for Suspicious Transactions

By contacting customers directly merchants not only reduce fraud risk but also build customer confidence and loyalty. The verification procedures should not only address the need to identify fraud but they should also aim to leave legitimate customers with a positive impression of the merchant. The following procedures have proved very useful:
  • Use directory assistance or online search tools. Merchants should not use the number provided by the customer in a suspect transaction. They should, instead, attempt to locate the customer's number using directory assistance or Internet search tools.
  • Confirm the transaction and resolve any discrepancies. It is very important that the merchant lets the customer know that the confirmation process serves the purpose of protecting legitimate customers against fraud. Once the transaction is confirmed and any discrepancies resolved, merchants can confidently move on and submit it for clearing.

Friday, December 5, 2008

Tracking ECommerce Buying Patterns

ECommerce merchants should develop and maintain a customer database or account history files to track buying patterns. Such databases should be used to compare and evaluate individual sales for the following signs of fraud:
  • Orders received from Internet addresses at free email services. For these services there is no billing relationship and often no way to verify that a legitimate cardholder opened the account.
  • Orders shipped to a single address but paid for using multiple cards. These could be generated account numbers or a batch of stolen cards.
  • Multiple transactions on one card over a very short period of time. Because stolen cards have a limited life span, criminals will often attempt to run a card until the card issuer closes the account.
  • Multiple transactions on one card or similar cards with a single billing address, but multiple shipping addresses. Such transactions could represent organized criminal activity.
  • Multiple cards used from the same Internet Protocol (IP) address. This could be an indication of a fraud scheme.
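As an added example (not code from the original post), the cross-order signals above checked against an account-history file in Python: a free-mail sender, several cards paying for shipments to one address, one billing address fanning out to several shipping addresses, and several cards used from one IP address. The history rows, the free-mail domain list and the thresholds are constructed assumptions, and cards appear only as tokens, never as account numbers.

```python
"""Buying-pattern checks against an account-history file. Added example, not code
from the original post; history, domain list and thresholds are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FREE_MAIL_DOMAINS = {"freemail.example", "webmail.example"}   # constructed list
MAX_CARDS_PER_SHIP_ADDRESS = 2
MAX_SHIP_ADDRESSES_PER_BILL = 2
MAX_CARDS_PER_IP = 2

# (order_id, card_token, email, bill_address, ship_address, ip); constructed history
OrderRow = Tuple[str, str, str, str, str, str]
HISTORY: List[OrderRow] = [
    ("H1", "tok_a", "ann@example.com", "1 Elm St", "1 Elm St", "198.51.100.1"),
    ("H2", "tok_b", "ann@example.com", "1 Elm St", "1 Elm St", "198.51.100.1"),
    ("H3", "tok_c", "bob@freemail.example", "9 Oak Ave", "9 Oak Ave", "203.0.113.9"),
    ("H4", "tok_c", "bob@freemail.example", "9 Oak Ave", "77 Pine Rd", "203.0.113.9"),
    ("H5", "tok_d", "cat@webmail.example", "9 Oak Ave", "5 Birch Ln", "203.0.113.9"),
    ("H6", "tok_e", "dan@example.com", "2 Fir Ct", "2 Fir Ct", "203.0.113.9"),
]


class PatternIndex:
    """Indexes past orders so a new order can be compared against what came before."""

    def __init__(self, rows: List[OrderRow]) -> None:
        self.cards_by_ship: Dict[str, Set[str]] = defaultdict(set)
        self.ships_by_bill: Dict[str, Set[str]] = defaultdict(set)
        self.cards_by_ip: Dict[str, Set[str]] = defaultdict(set)
        for row in rows:
            self.add(row)

    def add(self, row: OrderRow) -> None:
        _, token, _, bill, ship, ip = row
        self.cards_by_ship[ship].add(token)
        self.ships_by_bill[bill].add(ship)
        self.cards_by_ip[ip].add(token)

    def evaluate(self, order: OrderRow) -> List[str]:
        """Return the fraud signs the new order would show once counted with the history."""
        _, token, email, bill, ship, ip = order
        flags: List[str] = []
        if email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
            flags.append("free email service")
        if len(self.cards_by_ship.get(ship, set()) | {token}) > MAX_CARDS_PER_SHIP_ADDRESS:
            flags.append("multiple cards paying for shipments to one address")
        if len(self.ships_by_bill.get(bill, set()) | {ship}) > MAX_SHIP_ADDRESSES_PER_BILL:
            flags.append("one billing address with multiple shipping addresses")
        if len(self.cards_by_ip.get(ip, set()) | {token}) > MAX_CARDS_PER_IP:
            flags.append("multiple cards used from one IP address")
        return flags
```

Evaluate before calling add, so that an order flagged for review does not pollute the history it was compared against; add it only once it has cleared review.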

Thursday, December 4, 2008

Fraudulent ECommerce Transaction Characteristics

When analyzing questionable eCommerce transactions, merchants should be on the lookout for the following characteristics:
  • Larger than normal orders. Stolen cards have a limited life span and criminals need to maximize the size of their purchase.
  • Orders consisting of several of the same item. Multiples of the same product increase the criminals' profits.
  • Orders for big-ticket items. Big-ticket items offer maximum resale value allowing criminals to maximize their profits.
  • Orders shipped using expedited delivery services. Criminals do not pay attention to shipping costs and want their fraudulently obtained merchandise as soon as possible.
  • Orders from Internet addresses at free email services. With these services there is no billing relationship and often no way to verify that a legitimate cardholder opened the account.
  • Orders shipped to an international address. Be advised that the Address Verification Service (AVS) can only validate U.S., Canadian and U.K. addresses. Many fraudulent transactions involve international shipments.
  • Multiple orders placed using different names, addresses, and card numbers, but coming from the same Internet Protocol (IP) address.

Wednesday, December 3, 2008

ECommerce Fraud Screening Part 2

  • Treat non-U.S. transactions as high risk. Transactions that involve cards issued by non-U.S. financial institutions present higher levels of risk. The following procedures are recommended to help reduce these risks:
    • Apply greater scrutiny and verification for international transactions. In particular:
      • Tighten transaction controls and velocity thresholds for international transactions to increase screening frequency.
      • Be especially careful when billing addresses do not match shipping addresses.
      • Look out for customers who use anonymous email addresses.
      • Use a third-party fraud screening for non-U.S. transactions.
    • Evaluate risk based on factors such as type of goods purchased, transaction amount, and the country where the card was issued.
    • Contact the card issuer to confirm cardholder information prior to shipping merchandise for a high-risk transaction.
  • Thoroughly scrutinize or restrict shipping merchandise to foreign addresses. In particular:
    • Consider reducing shipments to higher-risk countries.
    • Thoroughly scrutinize any requests to ship merchandise to foreign countries.
    • U.S. military addresses located overseas are typically treated as domestic addresses.
  • Prior cardholder purchases should be treated as a favorable factor to apply less restrictive screening and review when cardholder information has not changed.
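A per-order scoring function covering both the fraudulent-transaction characteristics (Dec 4 post) and the international screening rules above, as an added example that is not part of the original posts. The weights, the free-email domain list, the higher-risk country placeholder and the sample order are assumptions; the AVS country coverage and the APO/FPO/DPO military-address treatment follow the posts.

```python
# Constructed reference data (hypothetical placeholders, not from the original posts).
FREE_EMAIL_DOMAINS = {"freemail.example", "webmail.example"}
AVS_COUNTRIES = {"US", "CA", "GB"}        # AVS validates only U.S., Canadian and U.K. addresses
HIGHER_RISK_SHIP_COUNTRIES = {"XX"}       # placeholder; fill from your own loss experience

def is_military_overseas(addr):
    """APO/FPO/DPO addresses are overseas U.S. military mail, treated as domestic."""
    return addr["city"].upper() in {"APO", "FPO", "DPO"}

def order_risk(order, history, big_ticket=500.0):
    """Return (score, reasons) for one order. Weights are illustrative assumptions."""
    score, reasons = 0, []
    amount = sum(i["qty"] * i["unit_price"] for i in order["items"])
    if history["avg_amount"] and amount > 2 * history["avg_amount"]:
        score += 2; reasons.append("larger than normal order")
    if any(i["qty"] >= 3 for i in order["items"]):
        score += 1; reasons.append("several of the same item")
    if any(i["unit_price"] >= big_ticket for i in order["items"]):
        score += 1; reasons.append("big-ticket item")
    if order["shipping"] == "expedited":
        score += 1; reasons.append("expedited delivery")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        score += 1; reasons.append("free email service")
    ship = order["ship"]
    if ship["country"] != "US" and not is_military_overseas(ship):
        score += 2; reasons.append("international shipping address")
        if ship["country"] not in AVS_COUNTRIES:
            reasons.append("AVS cannot validate this address")
        if ship["country"] in HIGHER_RISK_SHIP_COUNTRIES:
            score += 2; reasons.append("higher-risk destination country")
    if order["bill"] != ship:
        score += 1; reasons.append("billing and shipping addresses differ")
    if order["card_country"] != "US":
        score += 1; reasons.append("card issued outside the U.S.")
    if history["prior_orders"] > 0 and history["same_details"]:
        score -= 2; reasons.append("returning customer with unchanged details (favorable)")
    return score, reasons

# Constructed sample order and customer history (not real data).
SAMPLE_ORDER = {
    "email": "buyer@freemail.example", "shipping": "expedited", "card_country": "US",
    "items": [{"sku": "LAPTOP", "qty": 3, "unit_price": 900.0}],
    "bill": {"line1": "1 Main St", "city": "Springfield", "country": "US"},
    "ship": {"line1": "5 Rue Exemple", "city": "Paris", "country": "FR"},
}
NEW_CUSTOMER = {"avg_amount": 0.0, "prior_orders": 0, "same_details": False}
```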

Tuesday, December 2, 2008

ECommerce Fraud Screening Part 1

There are a variety of fraud-screening products available to eCommerce merchants today to help them assess the risk associated with online transactions and assist them in their efforts to verify the validity of both the cardholders and the cards. Fraud-screening tools can be developed internally or acquired from third parties. Best fraud-screening practices include:
  • Implement fraud-screening tools to identify high-risk transactions. The following best practices should be considered:
    • Suspend processing for transactions with high-risk attributes. Such characteristics can include the following:
      • Transaction data that match information stored in the internal negative files.
      • Exceeded velocity limits and controls.
      • Generated Address Verification Service (AVS) mismatch.
      • Matched high-risk profiles.
    • Develop effective and timely manual review procedures for investigating high-risk transactions. The goal should be to reduce fraud as a percentage of overall sales and to minimize the impact of this effort on legitimate sales.
  • Treat international IP addresses as higher risk. Statistics show that international IP addresses have a substantially higher fraud rate than domestic addresses, particularly when a U.S. billing address is required. Classifying international IP addresses as higher risk requires these transactions to meet higher standards, e.g. to match on Card Security Code and AVS.
  • Require the shipping address to match the billing address for higher risk transactions. Such transactions can include:
    • Larger transaction size.
    • Type of merchandise.
  • Screen for high-risk shipping addresses. Fraud can be reduced by comparing the shipping address provided by the customer to high-risk shipping addresses in third-party databases and in internal negative files. Special attention should be paid to high-risk locations, such as mail drops, prisons, hospitals, and addresses with known fraudulent activity.
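The screening steps above as a gating pipeline (suspend on a negative-file, velocity, AVS-mismatch or profile hit; otherwise review for high-risk shipping locations and for higher-risk orders that do not ship to the billing address), as an added example that is not part of the original post. The negative file, the high-risk location list, the card tokens and the sample orders are constructed placeholders; velocity and profile matching are assumed to be computed upstream and passed in as booleans.

```python
import re

# Constructed internal negative file and high-risk location list (hypothetical placeholders).
NEGATIVE_FILE = {
    "card": {"card-token-0002"},                   # card tokens, never raw card numbers
    "email": {"chargeback@freemail.example"},
    "ship": {"po box 99 anytown us"},              # stored in normalized form (see norm_addr)
}
HIGH_RISK_SHIP = {"55 drop st anytown us": "mail drop", "1 cell blk anytown us": "prison"}

def norm_addr(addr):
    """Normalize an address so spacing, case and punctuation differences still match."""
    text = " ".join([addr["line1"], addr["city"], addr["country"]]).lower()
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", text)).strip()

def in_negative_file(order):
    return (order["card"] in NEGATIVE_FILE["card"]
            or order["email"].lower() in NEGATIVE_FILE["email"]
            or norm_addr(order["ship"]) in NEGATIVE_FILE["ship"])

def screen(order, velocity_exceeded=False, high_risk_profile=False,
           large_amount=1000.0, restricted_types=("electronics", "gift card")):
    """Return ('suspend'|'review'|'accept', reasons). Amount and merchandise-type
    thresholds are illustrative assumptions."""
    reasons = []
    if in_negative_file(order):
        reasons.append("matches internal negative file")
    if velocity_exceeded:
        reasons.append("velocity limit exceeded")
    if order["avs"] == "N":    # standard AVS code N: neither street nor ZIP matched
        reasons.append("AVS mismatch")
    if high_risk_profile:
        reasons.append("matches high-risk profile")
    if reasons:
        return "suspend", reasons              # hold the transaction for investigation
    ship_key = norm_addr(order["ship"])
    if ship_key in HIGH_RISK_SHIP:
        reasons.append("high-risk shipping location: " + HIGH_RISK_SHIP[ship_key])
    higher_risk = order["amount"] >= large_amount or order["type"] in restricted_types
    if higher_risk and ship_key != norm_addr(order["bill"]):
        reasons.append("higher-risk order must ship to the billing address")
    return ("review", reasons) if reasons else ("accept", reasons)

# Constructed sample orders (not real data).
OK_ORDER = {"card": "card-token-0001", "email": "a@corp.example", "avs": "Y", "amount": 80.0, "type": "books",
            "bill": {"line1": "12 Oak Ave", "city": "Anytown", "country": "US"},
            "ship": {"line1": "12 Oak Ave", "city": "Anytown", "country": "US"}}
DROP_ORDER = {**OK_ORDER, "amount": 1500.0, "ship": {"line1": "55 Drop St.", "city": "Anytown", "country": "US"}}
NEG_ORDER = {**OK_ORDER, "ship": {"line1": "P.O. Box 99", "city": "Anytown", "country": "US"}}
```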

Monday, December 1, 2008

Using the Address Verification Service

The following procedures are recommended when evaluating an AVS response:
  • Research all AVS "partial matches." The following actions are recommended when a partial match AVS response is received:
    • Evaluate all AVS partial matches to date and assess historical risk.
    • Contact the card issuer for high risk transactions to determine whether the name, address, and telephone number provided by the cardholder match the data in the card issuer's file.
  • Evaluate all AVS "no matches." Although a no match AVS response is a strong fraud indicator, it can also be legitimate if the customer has recently moved and not updated his or her address with the card issuer. The following actions are recommended when evaluating a no match response:
    • Call the customer to verify that the provided telephone number does belong to the person who placed the order and that the address is the correct billing address. Confirm whether the customer has recently moved.
    • Contact the card issuer to determine whether the name, address, and telephone number provided by the customer match the data in the card issuer's file.
    • Use directory assistance or online search tools to locate and contact the person at the billing address and confirm that he or she initiated the transaction.
  • Ensure that the AVS response is incorporated into the fraud scores you use. The AVS result code is a crucial component of the scoring system for many third-party fraud screening services.
  • Evaluate fraud rates by AVS result and product type.
    • Review your actual fraud experience segmented by the AVS result code so you can adjust your AVS review procedures to prevent future losses.
    • Develop transaction review criteria based on the results of your fraud analysis.
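The last two recommendations (segment fraud experience by AVS result code and product type, then derive review criteria and a scoring component from it), as an added example that is not part of the original post. The transaction sample, the 25% review threshold and the scoring weight are constructed assumptions; the AVS codes used (Y, A, Z, N, U) are the standard full-match, address-only, ZIP-only, no-match and unavailable responses.

```python
from collections import defaultdict

# Constructed transaction sample (not real data): (avs_code, product_type, was_fraud).
# AVS codes: Y = full match, A = address only, Z = ZIP only, N = no match, U = unavailable.
TXNS = [
    ("Y", "books", False), ("Y", "books", False), ("Y", "electronics", False),
    ("A", "electronics", True), ("A", "electronics", False), ("A", "books", False),
    ("Z", "electronics", True), ("Z", "electronics", True), ("Z", "books", False),
    ("N", "electronics", True), ("N", "electronics", True), ("N", "books", True), ("N", "books", False),
    ("U", "books", False), ("U", "electronics", False),
]

PARTIAL = {"A", "Z"}   # partial-match responses: only one of street address / ZIP matched

def fraud_rates(txns):
    """Return (avs_code, product_type) -> (fraud rate, transaction count)."""
    counts = defaultdict(lambda: [0, 0])
    for avs, ptype, fraud in txns:
        counts[(avs, ptype)][0] += 1
        counts[(avs, ptype)][1] += fraud
    return {seg: (f / n, n) for seg, (n, f) in counts.items()}

def review_rules(txns, review_threshold=0.25):
    """Derive review criteria per segment from observed fraud experience.
    No-match responses are always evaluated; partial matches are researched
    when their segment exceeds the threshold; otherwise accept."""
    rules = {}
    for (avs, ptype), (rate, n) in fraud_rates(txns).items():
        if avs == "N":
            rules[(avs, ptype)] = "evaluate"
        elif avs in PARTIAL and rate >= review_threshold:
            rules[(avs, ptype)] = "research"
        elif rate >= review_threshold:
            rules[(avs, ptype)] = "review"
        else:
            rules[(avs, ptype)] = "accept"
    return rules

def avs_score_component(avs, ptype, txns, weight=10):
    """Contribution of the AVS result to an overall fraud score: the segment's
    observed fraud rate scaled by an illustrative weight."""
    rate, _ = fraud_rates(txns).get((avs, ptype), (0.0, 0))
    return round(rate * weight, 2)
```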