One of the continual struggles for online store owners and operators is fraudulent orders. Unfortunately there are too many people out there that insist on pouring their energies into stealing from others instead of making an honest living for themselves.
Yet, with as big of a problem as online store order fraud is, there is not much written about how to prevent it. Chalk some of that up to not sharing the secrets with the enemy, but store owners need a place to turn to that will give them some of the tricks of the trade.
Check the Credit Card AVS Response Code
If you are fulfilling an order for which the payment is made with a credit card, you should have access to two response codes. The first one is called Address Verification System (AVS). This system simply checks the billing address that your customer provides against the billing address on file with the issuing bank. See this wikipedia for a full list of the possible responses.
Note that your processor may not use the standardized list of codes in that wikipedia. For example, Yahoo! Store’s merchant gateway instead returns responses like “YYY” or “NNN”. Here is a complete list of the possible responses:
|YYY||Addr OK Zip5 OK|
|YYX||Addr OK Zip9 OK|
|YNA||Addr OK Zip bad|
|XXU||No address information (domestic card)|
|XXS||AVS not supported for this card|
|XXG||No address information (international card)|
|NYZ||Addr bad Zip5 OK|
|NYW||Addr bad Zip9 OK|
|NNN||Addr bad Zip bad|
Note that a less than perfect AVS does not necessarily mean the card has been stolen. There are several reasons that the AVS result may not come back with a match. For example, international cards often do not have AVS information stored to compare it against. Also a card issued domestically, but the owners living overseas may have address information that does not line up with the expected format. Lastly, the card owner may have moved without updating their address information or the information may be entered incorrectly. AVS is a good indicator, but not the end all of verification.
Check the Credit Card CVV2 Response Code
More recently, credit card issuers added another verification on top of the AVS. There are three or four numbers on the back of a card that are unique to each card that is issued called the Card Verification Value (CVV). When a customer places an order, most merchant gateways require, or at least recommend, that the customer enter these digits. These digits are, of course, compared to digits on file with the issuing bank to make sure they match.
When an authorization is made with the CVV one of the following responses is given:
|N||CVV2 No Match|
|S||Issuer indicates that CVV2 data should be present on the card, but the merchant has indicated data is not present on the card|
|U||Issuer has not certified for CVV2 or Issuer has not provided Visa with the CVV2 encryption keys|
Again, the CVV not matching is a thing to watch out for, but does not necessarily indicate fraud.
When payment is made through PayPal instead of a credit card, the verification means change a little bit. PayPal does give a two-letter fraud screening code. The first letter indicates whether the account is verified (“V”) or unverified (“U”). PayPal has a process for verifying accounts, wherein the owner has to link a bank account to the PayPal account.
The second letter indicates whether the address on the account is confirmed (“C”) or unconfirmed (“U”). PayPal account owners can verify the address on the account by linking a credit card to it, which has the same billing address or by other means.
These two indicators give pretty good credibility when an account is both verified and confirmed. However, many accounts are not. PayPal does do their own internal screening before releasing funds from a credit card or account. Generally this screening is reliable, however, you might want to play it safe when you see other indicators in an order.
Another thing to watch out for is when an order comes through with an email address they give you for sending updates about the order that is different from the address associated with their PayPal account. It’s probably a good idea to send an email to the PayPal address to make sure the transaction was approved.
Billing and Shipping Addresses Do Not Match
Many online orders are purchased as gifts or are, for convenience shipped to work, a friend or family member. It should be expected to get some orders that have billing and shipping addresses that don’t match. You should be aware if they don’t match, however, that if there are other indicators that don’t seem right in the order that you might want to give the customer a quick verification call or email.
You should especially watch out when the billing address is in one country and the shipping address is in another.
Most shopping carts track the IP address of the computer on which the order was made. IP addresses can generally be traced to a geographical area and then you can compare that area against the billing and/or shipping address of the order. This task is fairly tedious to do manually, however, it is possible. You can go to http://whois.arin.net and look for their IP lookup tool and enter the IP address. This will at least give you the address of the issuing service provider.
There are subscription services available to assist you in fraud prevention. Subuno and MaxMind to name two. Additionally, The SuperManager eCommerce order manager has the ability to tie to these services and/or enter your own rules for screening orders for fraud. SuperManager calculates a risk score based on the indicators above and more. Each rule potentially adds to that score. Then if the score is higher than a threshold that you set, it highlights the order for you on the order list to alert you that you might need to do some additional verification.