measures to try and keep safe accepting credit cards

[Steven1976a]

Hi, Im very new to accepting credit cards online.
Is there a way of checking if a card is not stolen before sending products?
The reason I ask is we received an order for about 1200US$ in the UK of which the card address is one address and the delivery address is another.
Are there any measures or precautions that can be taken to check to ensure the card has been used by the owner before sending?
Steve

[brian.mark]

Yes.

For orders like that, we call the issuing bank and have them contact the customer for validation. Most banks will do that for an order of that size without question, but some (Citi has been really bad in the past) don't want to do it at all. If you tell them you'll call the customer and say that their card issuer won't cooperate and they'll need to use a different card, most of them help you out. They want to keep that charge on their card.

That's not the only thing to do, though. Check the IP address (is the ip address in the same country as the customer is supposed to be from, etc.), look for free email accounts (potential flag), use Google Earth to take a look at the delivery location (if it's supposed to be a home address but it's really a warehouse or the other way around, that's a flag), and document everything you can.

In the end, if it doesn't feel right, it's better to reject it or ask for some additional information from the customer than to allow a fraudulent order through.

Brian.

[StevenAllen]

We request the following from the customer and feel free to use our canned response:

"Hello!

Thank you for your order. We are very concerned about credit card security, as I am sure you are. Because of this certain orders we receive in which the shipping address differs from the billing address we request the following to protect you "our customer" and ourselves:

1) Please contact the card issuer at their customer service dept.
2) Inform the credit card issuer that you would like to have the shipping address you have requested to be an authorized alternative shipping address noted on your account. For any future orders to this ship to address, this will not be necessary.
3) E-mail us when you have completed the above so we may be diligent and again verify with your credit card issuer.
4) If we do not hear from you within 48 hours, this order will automatically cancel.

Alternatively, if you prefer we can ship to your bill to address and none of the above will be required.

We know you can appreciate our motivations, concerns, and we thank you for your efforts in assisting us in protecting you. Upon completion of your order, we will include FREE some nice samples for your extra effort."

You can also help yourself if your processor offers verification via telex. If you have questions on this feel free to drop me a line.

[ADAM Web Design]

A client of mine used to try a similar trick to StevenAllen's, and it can either be implemented via telephone call, email, or even explained at the point of purchase. I'm not sure of the exact wording, but this is the general idea:

"Dear sir/madam,

"It appears that your billing address does not match your shipping address.

"In order to protect against fraudulent transactions and to continue to offer our low, low prices, we do require a signed authorization form. You may download and print this form at (URL Here.)

"When you have completed the form, please contact us at 1-800-NO-FRAUD and we will arrange for a (courier ocmpany) agent to pick up the letter from the billing address at your convenience. However, to ensure that this transaction is legitimate, our courier has been instructed only to pick up documents from people that are physically inside of the house at the time of pickup.

Why is this measure in place? (explanation of why it's a lot harder to card someone and break into their house vs. just carding them).

"We thank you very much for your assistance in ensuring a smooth transaction.

"Sincerely, yadda yadda yadda."

One other thing: make sure your shipping company/companies require signatures at the other end. UPS is one that does not do so (even when it's specifically requested), so avoid them at all costs. A signature goes a long way toward establishing that someone picked it up.

Alternatively, you could arrange depot-only delivery with your shipping provider and ensure that the recipient provides a valid photo ID before receiving the goods. If I remember correctly, Purolator does this at their depots but I haven't had to pick anything up there in over a year.

[usedphones1959]

Most fraudulent orders have several red flags.

Among these are

A 'Virtual' email address (e.g., soandso@hotmail.com)

A larger than normal order.

New Equipment (as opposed to refurbished, if your site offers both).

Address and zip don't match credit card billing info.

A phone number that is not real.

A name that sounds fictitious.

An order for a product that is expensive, but is complicated enough that a real buyer would first discuss it with you bfore the purchase.

If you store manager gives details on the search info they used to arrive at your site, it may seem to have nothing to do with the item purchased.


You can usually sniff out a suspicious order with these red flags. If you aren't sure of its validity, contact the customer (if you can). following the guidelines posted by others in this post is recommended.

[StevenAllen]

We are starting to post a how to avoid being busted as a fraudster in a public forum. I suggest leaving this right here.

[mortymouse]

Hi,
i used to run an internet payment gateway in the UK.

did the card match csc(card security code) /avs (address verifcation service) checks?

have you contacted you payment provider? they should give you the full card number and expiry if you can give them certain security information about the user such as name and last 4 card numbers, there are other parameters depnding on the provider.

if you are really uncertain of the recipient's status phone them (where possible) if they have not given a phone number ask of a copy of a utility bill.
more often than not you will find the product is a present or want it delivered to a work address.

at the end of the day there is no guarantee against fraud and caution is the only way to be.

at the end of the day if you contact a customer asking for more information they would norammly be most appreciative you bothered to check as a retailer you are liable.

good luck ;)

MM

[ppayne]

Yes, we've had this problem on my site, http://www.jlist.com .

There are organized bands of Nigerian criminals and you HAVE to be careful. Things I've noticed...

a) many are supposedly based in the UK, be warey
b) often they will email you ahead of time, asking if you can rush a big wholesale order to their store EMS
c) they often have terrible Engilsh
d) they often choose fake names like Rolly McDolly, which are absolutely stupid to the point of being bad comedy
e) when you find one, they will leave, but will come back in a few weeks/months

Some items are more in demand than others. We have to take special precautions with the region free DVD players we sell, as they attracted dishonest people like flies. Also T-shirts, which apparently can be easily resold. Remember, if they're in a hurry to receive the order, ask yourself why? We often ask for scans of credit cards when we've got suspicions, although not everyone will give us that (sometimes for valid reasons, which we respect).

[smakyyy]

I just avoid orders from outside the US with a different shipping address then the billing address-it is just not worth the risk.
Even if it was the same address as the billing address - I usually add insurance to the package just in case something goes wrong.

[TrafficProducer]

I believe their is insurance may be purchased to help recover from this. BUT I guess these would expect you to take ALL normal safeguards anyway.

Check the Charge Back fees for any shopping cart technology. Check for the following safeguards
SSL, Secure Socket Layers.

Address Verification System (AVS): this verifies that the billing address matches the address on file for that card. Although AVS provides some level of protection, our experience tells us that you will see a number of "false-positive" readings. You need to employ other fraud tools.

Card Verification Codes (CVV2): you'll find the CVV2 number on the back of the credit card (the last three digits, after the account number). CVV2 is not on the magnetic stripe and is not to be stored online. By requiring customers to provide the CVV2 number, you have fairly high assurance that the buyer is holding the physical card.
Insurance against fraud.

View (United Kingdom)Crime issues, UK Government Crime reduction sites at:-

http://www.direct.gov.uk/CrimeJusticeAndTheLaw/fs/en and http://www.crimereduction.gov.uk/

[mortymouse]

the problem with avs it only works with numbers so this is great for the US with the numerical zip codes however in th uk negatiting things like spaces and alpha characters along with the fact the uk database is 7 years out of date(!!) does not help.

the other issue is that it only "works" in the US and UK

NB: the cvv2 (csc) code on an amez card is the 4 numbers on the card front

MM

[SnerdeyWebs]

We use a buildt in anti-fraud merchant account. Try our merchant partners at 2CheckOut they have helped us for over a year and we accept payments world wide.

Refunds are easy, credits are no problem. 2CO is easy to use and you can even request payment manually via emails.

[kgun]

Excellent.

Kjell Gunnar Bleivik
http://multifinanceit.com/
http://www.blognorway.com/
http://www.multifinansit.no/