Shopping remotely is now a regular part of people’s everyday lives with consumers finding the internet to be a particularly convenient and easy way to shop.
Unfortunately shopping on the internet, via telephone or mail order is also one of the ways that criminals can commit card fraud.
A key challenge for retailers in countering the risks of fraud in remote purchase (internet, mobile, telephone) transactions lies in the fact that neither the card nor the cardholder is present with the retailer when the transaction takes place. This means retailers cannot easily check:
- The physical card, to determine whether it is valid
- That the customer is the genuine cardholder (a PIN cannot be used as verification)
There are a number of tools and techniques which can be utilised by retailers when selling remotely to build up a profile of their customer, authenticate the cardholder and ensure they receive payment securely. Without these measures, retailers are at increased risk of becoming victims of remote purchase fraud.
A remote purchase fraud means a business loses both the goods and the purchase income.
Initial set up to accept card-not-present transactions
Be aware of all the risks relating to CNP transactions especially when offering online shopping services and the associated acceptance rules. Familiarise yourself with the rules relating to chargebacks and cardholder disputes. Always follow the detailed procedures provided by your acquirer and Head Office.
As part of a retailer’s risk assessment, they should consider the threats to each part of the sales process, from transaction to delivery, and fulfilment of any goods and services.
High-value and overseas orders
High-value items and overseas transactions should be treated with caution.
Consider secure delivery through a courier company. Confirming the genuine details of customers outside the UK is very difficult, however a number of third-party services are available to allow retailers to check the address details provided by the customer.
Do not allow repeat orders to be processed or goods to be shipped without undertaking a further authorisation. Extra care should be taken if dealing with an unknown or new customer.
As internet, mail and telephone order retailers are typically liable for fraud associated with card transactions, it is vitally important to undertake checks to authenticate the details provided by the customer before a payment method is chosen.
Personal customer address details can be checked in the Electoral Register or with third-party suppliers. Other checks to help reduce the risk of fraud and incurring a chargeback include:
- checking details of new business customers in a local business directory or register
- obtaining a phone number for the customer’s address through directory enquiries and contacting the customer to confirm the order
- using the 1471 call-back facility – be wary if the phone number has been withheld
- being wary if the contact phone number(s) is only a mobile number – a landline number should be obtained where possible
- checking order records to see if there are a large number of transactions over a short period of time from a company or person with whom previous business has not been conducted
- checking to see if the delivery address has been used previously with different card details.
Orders for goods made over the internet, by mail order or phone are usually delivered to an address. If the cardholder collects the goods in person, they should be asked to produce the card used in the transaction.
It is recommended that goods are not released to taxi drivers, chauffeurs, messengers or any third party as this is high-risk.
Be particularly wary of customers who:
- Demand next day delivery and show no regard for any additional costs involved
- Alter the delivery address at short notice
- Make a telephone call on the day of delivery asking what time the goods are due to be delivered, as it may be a fraudster trying to intercept the goods
You can help to reduce fraud if you:
- Insist that goods are only delivered to the customer’s permanent address; if goods are to be sent to a different address, you should be cautious and obtain detailed proof of delivery
- Avoid sending goods to hotels or guest houses; the incidence of fraud involving delivery to such places is extremely high
- Only send goods by registered or recorded post or by a reputable security carrier, and insist on a signed and dated delivery note
Couriers should be instructed to:
- Return with the goods if they are unable to deliver to the agreed address
- Always deliver the goods to the specified addressee and be wary of people lingering suspiciously outside the property
- Not deliver goods to a vacant property
- Get signed proof of delivery
Transaction receipt requirements
All internet retailers must provide the customer with a transaction receipt in accordance with card scheme requirements. The on-screen receipt should suggest that the customer prints or saves the receipt for their records. An e-mail message should also be sent to the customer with the required receipt. For telephone or mail order transactions, the receipt should be posted to the cardholder.
Internet technology enables additional information to be recorded which can be analysed at a later date. Most computers reveal an Internet Protocol (IP) address, which provides information on where the transaction was made. Although this information cannot be relied upon to determine the individual’s exact location, it can assist in the post-transaction analysis. If a single IP address shows differing cardholder details it could possibly show a risk of fraudulent activity. Be aware that some Internet Service Providers (ISPs) allocate dynamic IP addresses, so the information is not necessarily accurate.
If transaction data is available in an electronic form, it can be analysed in an application such as MS Access or MS Excel to help identify fraudulent patterns. This allows retailers to understand the potential risks. This may include identifying addresses where fraud is continually being perpetrated, or perhaps the type of goods that are being obtained.
Maintaining records of any fraudulent activity can be an effective way of identifying patterns and exposing areas of potential risk. Many retailers use this type of data to develop in-house fraud-screening tools, to predict which transactions present a higher risk. Maintaining records relating to chargebacks is important. It is useful to capture as much information as possible and to provide this to your acquirer.
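The pattern checks described above (a delivery address reused with different card details, a single IP address showing differing cardholder details, a burst of orders on one card in a short period, and a delivery address that differs from the billing address) can be run over the retailer's own transaction records as a first-pass screen. The following is an added example written for this page, not code from the original guidance or from any acquirer's product; the order records, the 24-hour velocity window and the threshold of three orders are constructed assumptions, and the IP addresses are taken from documentation ranges. Only the last four digits of the card number are retained in the records, in keeping with the principle of holding no more card data than is needed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Flag texts are constants so that reporting code can match them reliably.
FLAG_SHARED_DELIVERY = "delivery address used with different card details"
FLAG_SHARED_IP = "IP address shared by differing cardholder details"
FLAG_BILLING_MISMATCH = "delivery address differs from billing address"
FLAG_VELOCITY = "multiple orders on this card within the velocity window"


@dataclass(frozen=True)
class Order:
    order_id: str
    timestamp: datetime
    cardholder: str
    card_last4: str          # masked fragment only; the full card number is not retained
    billing_address: str
    delivery_address: str
    ip_address: str


def normalise_address(address: str) -> str:
    """Lower-case and collapse whitespace so trivially different spellings compare equal."""
    return " ".join(address.lower().split())


def screen_orders(orders, window=timedelta(hours=24), velocity_threshold=3):
    """Return {order_id: [flag, ...]}; an empty list means nothing was flagged.

    The screen is a post-transaction analysis aid, not a decision on its own:
    flagged orders are meant to be reviewed alongside the retailer's other checks.
    """
    cards_by_delivery = defaultdict(set)   # delivery address -> card details seen with it
    holders_by_ip = defaultdict(set)       # IP address -> cardholder names seen from it
    times_by_card = defaultdict(list)      # card details -> timestamps of its orders
    for o in orders:
        card = (o.cardholder, o.card_last4)
        cards_by_delivery[normalise_address(o.delivery_address)].add(card)
        holders_by_ip[o.ip_address].add(o.cardholder)
        times_by_card[card].append(o.timestamp)

    flags = {o.order_id: [] for o in orders}
    for o in orders:
        card = (o.cardholder, o.card_last4)
        delivery = normalise_address(o.delivery_address)
        if len(cards_by_delivery[delivery]) > 1:
            flags[o.order_id].append(FLAG_SHARED_DELIVERY)
        if len(holders_by_ip[o.ip_address]) > 1:
            flags[o.order_id].append(FLAG_SHARED_IP)
        if delivery != normalise_address(o.billing_address):
            flags[o.order_id].append(FLAG_BILLING_MISMATCH)
        # Velocity: orders on the same card in the window ending at this order.
        recent = [t for t in times_by_card[card] if o.timestamp - window <= t <= o.timestamp]
        if len(recent) >= velocity_threshold:
            flags[o.order_id].append(FLAG_VELOCITY)
    return flags


# Constructed sample records (names, addresses and timestamps are invented).
SAMPLE_ORDERS = [
    Order("A-1001", datetime(2024, 3, 1, 9, 0), "Jane Smith", "1234",
          "12 High St, Leeds", "12 High St, Leeds", "203.0.113.10"),
    Order("A-1002", datetime(2024, 3, 1, 9, 30), "Jane Smith", "1234",
          "12 High St, Leeds", "Flat 4, 7 Mill Lane, Bristol", "203.0.113.10"),
    Order("A-1003", datetime(2024, 3, 1, 10, 0), "Tom Brown", "9876",
          "5 Oak Rd, York", "Flat 4,  7 Mill Lane, Bristol", "198.51.100.7"),
    Order("A-1004", datetime(2024, 3, 1, 10, 5), "Ann Lee", "5555",
          "8 Park Ave, Hull", "8 Park Ave, Hull", "198.51.100.7"),
    Order("A-1005", datetime(2024, 3, 1, 10, 10), "Ann Lee", "5555",
          "8 Park Ave, Hull", "8 Park Ave, Hull", "192.0.2.44"),
    Order("A-1006", datetime(2024, 3, 1, 10, 20), "Ann Lee", "5555",
          "8 Park Ave, Hull", "8 Park Ave, Hull", "192.0.2.44"),
]


def screen_sample():
    """Run the screen over the constructed records."""
    return screen_orders(SAMPLE_ORDERS)


if __name__ == "__main__":
    for order_id, found in screen_sample().items():
        print(order_id, "OK" if not found else "; ".join(found))
```

The delivery-address check is deliberately tolerant of spacing and case, since fraudulent reuse of an address rarely reproduces it character for character; a production screen would normalise further (postcode extraction, abbreviation expansion) and would keep the flagged orders for the chargeback records the page recommends maintaining.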
If your business accepts card payments over the internet, you should be aware that you may be liable for any losses should these transactions turn out to be fraudulent.
You should also be aware of the risks to your business from criminal attacks across the internet, where criminals look to obtain value from gaining access to your website or payment records and those of your customers, and the potential damage this may cause to the reputation of your business.
There are a number of fraud prevention and security best practices and tools that you can adopt to reduce these risks.
- Making sure your payment application and shopping cart/checkout is secure and meets Payment Card Industry Data Security Standards (PCI DSS) requirements
- Ensuring you or your payment software vendor have up-to-date anti-virus and anti-phishing software installed on your computer systems
- Ensuring that your business maintains an information security policy and culture thereby protecting you and your customers’ data from attack
- Ensuring you know what card payment data your business is storing and why – you should only be holding that which you need to process a transaction
- Adoption of fraud prevention tools such as Verified by Visa and MasterCard SecureCode, which can help to minimise your online fraud losses
For further details on security best practice and Payment Card Industry Data Security Standards (PCI DSS) contact your Acquiring bank or Processor. If your card payment process is provided by a third party (e.g. a payment service provider) you should also engage with them.
Fraud Prevention Tools
It is strongly recommended that the following tools are used in association with your own internal fraud detection systems and never in isolation or instead of these checks and balances.
There are a number of suppliers and vendors in the market, offering solutions or fraud detection systems designed to assist in combating fraud. As well as offering their own solutions, your acquirer will be able to provide more details of additional suppliers and their products.
Address Verification Service (AVS)
The UK banking industry introduced AVS in 2001 to help retailers prevent card-not-present (CNP) fraud. AVS compares the delivery address provided for the order with the billing address details for the payment card held by the card issuer. The AVS responses tell CNP retailers whether or not the order's delivery address matches the cardholder's billing address.
Card Security Code (CSC/CVV2)
The UK banking industry introduced CSC (also known as CVV2) in 2001 to help retailers manage the threat of card-not-present (CNP) fraud. The CSC/CVV2 is a three-digit code on the back of Visa and MasterCard cards and a four-digit code on the front of American Express cards. The CSC/CVV2 check gives retailers a degree of assurance that the card number provided is a genuine one. The use of CSC/CVV2 is mandatory for most Visa and MasterCard mail order and telephone order transactions.
American Express SafeKey, MasterCard SecureCode and Verified by Visa
American Express SafeKey, MasterCard SecureCode and Verified by Visa are global solutions offered by the card schemes to both retailers and cardholders to make internet transactions significantly safer from the threat of fraud. These solutions are international services, with cardholders and retailers from all over the world already enrolled. Participating retailers are, in most cases, provided with a liability shift, that is, chargeback protection against non-participation disputes.
As all card scheme services are based on the 3D Secure protocol, the installation of the service, together with a single retailer plug-in, can support all card schemes.
More details regarding American Express SafeKey, MasterCard SecureCode and Verified by Visa can be obtained by contacting your acquirer.