
10-20-2005, 08:05 PM
|
|
WebProWorld Pro
|
|
Join Date: May 2005
Location: USA
Posts: 125
|
|
Card Verification Value
I recently sold a few things on my website www.splaytech.com and when the order was sent to me it said the CVV and the AVS were wrong.
In case you don't know what CVV is, it's the 3-digit code on the back of every CC.
Those of you who have an ecommerce site, do you guys accept orders where the CVV doesn't match? And what are the bad outcomes of accepting this?
|

10-21-2005, 01:00 AM
|
 |
WebProWorld 1,000+ Club
|
|
Join Date: Dec 2003
Location: Toronto, Ontario, Canada
Posts: 2,217
|
|
I've seen payment processors that take CVV numbers and ones that don't, and the chargeback/fraud rates are just about the same on each (usually less than 0.25%).
AVS isn't available in Canada (at least if it is, I don't know who's using it), so it doesn't really apply.
Personally, I've always felt the CVV idea was a tad overrated. Once it's captured via a form post, it can be stored in an unsecured database, intercepted in transfer, or retransmitted just as easily as any other credit card info.
This is NOT a statement of fear or of paranoia, but one of awareness. The possibility, albeit a minute one, exists.
The only advantage to a CVV number is that it can't be obtained by someone who might have received a printed receipt containing a CC number.
What I'd like to see happen is some sort of a passcode or login value that has to get changed every X number of days. That way, even if something does get intercepted, it's only good for a certain amount of time and if used after that, the potential to catch a fraudster is greater.
|

10-21-2005, 01:12 AM
|
|
WebProWorld Pro
|
|
Join Date: May 2005
Location: USA
Posts: 125
|
|
Well, I got about 6 orders in the past couple of days where the cc had the wrong avs and cvs, that didn't match, and I cancelled all those orders. The reason for doing this is because when all of these people purchased something they had to put in a phone #, and when I called these #'s it says this # doesn't exist or it has been disconnected. Also when I email them saying please email me back with the correct cvs # I hear no response. So wouldn't you think this is a fraud? These guys, or maybe it's one guy, stole someone's cc # and is using it.
You said the outcome of this would be a minute one but I doubt it would be minute because all the orders I got today I would have made a gross profit of over 1k and if that was all fraud I'd lose that much money and that's too much to just lose.
What would you have done in my situation since you say there's only about .25% fraud?
BTW I'm guessing these guys tried a fraud on me since my website is fairly new, thinking they might get away with it easier.
|

10-24-2005, 09:31 AM
|
|
WebProWorld 1,000+ Club
|
|
Join Date: May 2004
Location: Austin, TX
Posts: 1,331
|
|
I would say that you absolutely did the right thing. Especially if the AVS didn't match.
IMO, I would decline any order that has an AVS mismatch, and flag anything with a CVV mismatch. Sometimes CVV numbers get scratched off or are unreadable, which is acceptable, but you should be able to get a hold of the customer to verify the order with them. If not, don't process the order until you can verify.
Also if you can, check the IP addresses of the orders in question. From my experience, about 99% of fraudulent orders come from APNIC, or RIPE IP addresses.
|

10-24-2005, 12:36 PM
|
 |
WebProWorld 1,000+ Club
|
|
Join Date: Dec 2003
Location: Toronto, Ontario, Canada
Posts: 2,217
|
|
It's certainly well within the realm of possibility.
Where were the orders to be shipped? If they were to be shipped to a fraudster's hotspot (Nigeria, Romania, Russia, even the UK and Canada on occasion), then quite often they're fraudulent orders.
You may want to check for some other subtle signs of fraudulent behaviour:
- FRAUDULENT ORDERS ARE OFTEN IN ALL CAPS FOR NO APPARENT REASON.
- Fake orders often come with a weird set of shipping/other instructions ("please send me letter indicating that I am legit shipping to person for the package of receive").
One registration on a conference site I worked on asked the client for a letter indicating that the fraudster could legally enter the country.
- The order is to go to one country, but the TLD of the email address indicates another (e.g. a .uk email address when the order is to be shipped to China.)
- Often times, repeat names are used: Mrs. Miriam Abacha, Martins Cole, John (no last name, just John), etc.
|

10-24-2005, 08:24 PM
|
|
WebProWorld Pro
|
|
Join Date: May 2005
Location: USA
Posts: 125
|
|
What are your experiences with this on your e-commerce site? Do most orders have the correct avs and cvv? Because so far all except one order had incorrect avs and cvv. Today I got 2 orders. Both wanting 3 of the same product and both from the same person but different credit cards.
I believe it's better to sign up for Verified by Visa and MasterCard SecureCode so that they have to put a password. Does anyone know exactly how to go about signing up for those to put on my website?
|

10-24-2005, 08:44 PM
|
 |
WebProWorld 1,000+ Club
|
|
Join Date: Dec 2003
Location: Toronto, Ontario, Canada
Posts: 2,217
|
|
I usually find that fraudulent attempts are very slight, and usually pretty obvious (like the duplicate order thing you found.)
But this leads to another question: how exactly are you processing these orders? If you go with most payment processors, they should be able to detect fake/stolen credit cards/bad numbers/etc.
|

10-24-2005, 09:37 PM
|
|
WebProWorld Pro
|
|
Join Date: May 2005
Location: USA
Posts: 125
|
|
I have the yahoo shopping cart and that flags wrong CVV's and AVS's. But it doesn't show if it is stolen or anything.
|

10-25-2005, 10:12 AM
|
|
WebProWorld 1,000+ Club
|
|
Join Date: May 2004
Location: Austin, TX
Posts: 1,331
|
|
Quote:
|
Originally Posted by mystic
What are your experiences with this on your e-commerce site? Do most orders have the correct avs and cvv? Because so far all except one order had incorrect avs and cvv. Today I got 2 orders. Both wanting 3 of the same product and both from the same person but different credit cards.
I believe it's better to sign up for Verified by Visa and MasterCard SecureCode so that they have to put a password. Does anyone know exactly how to go about signing up for those to put on my website?
|
I think that VBV or Secure Code are good, but use them only as an extra option. There are very few people that use these systems, so you are taking the chance of losing a lot of customers if you restrict orders to these. You can sign up for these at:
Visa:
MC:
I would say that there are very few problems with AVS, and CVV usually is about 50 / 50. That's why I say restrict to correct AVS and flag CVV. Most of the time you can spot a fraudulent order because things don't look like a normal order. I'm not sure about your customers, but since we sell a lot of B2B, our customers often use business or corporate cards. Because of this, it's fairly common for us to see several attempts because people sometimes confuse which billing address the card uses.
I would also say it is common that if a customer's card declines they switch to a different card. I would be vigilant of any order where more than 2 cards were used, and still check the order out if they tried with 2 cards.
|
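The screening signals suggested in the replies above (decline on an AVS mismatch, flag a CVV mismatch, flag more than 2 cards, all-caps orders, and an email country TLD that differs from the ship-to country) can be combined into one rule check. This is an added example, not code from any poster or from a shopping cart product; the `Order` fields, the `screen` function and the sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# ccTLDs that differ from the ISO 3166 country code they belong to.
CCTLD_ALIASES = {"uk": "gb"}

@dataclass
class Order:  # constructed record; field names are assumptions
    avs_match: bool      # processor says billing address matched
    cvv_match: bool      # processor says card code matched
    cards_tried: int     # distinct cards attempted for this order
    name: str
    ship_address: str
    email: str
    ship_country: str    # ISO 3166 alpha-2, e.g. "US"

def screen(order):
    """Return (decision, reasons): 'decline', 'review' or 'accept'."""
    reasons = []
    if not order.avs_match:
        reasons.append("AVS mismatch")
    if not order.cvv_match:
        reasons.append("CVV mismatch")
    if order.cards_tried > 2:
        reasons.append("more than 2 cards tried")
    letters = [c for c in order.name + order.ship_address if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        reasons.append("order typed in all caps")
    # Only two-letter TLDs are country codes; .com/.net say nothing.
    tld = order.email.rsplit(".", 1)[-1].lower()
    if len(tld) == 2 and tld.isalpha():
        country = CCTLD_ALIASES.get(tld, tld)
        if country != order.ship_country.lower():
            reasons.append("email ccTLD differs from ship-to country")
    # AVS mismatch is the only hard decline; everything else goes to a human.
    if not order.avs_match:
        return "decline", reasons
    return ("review" if reasons else "accept"), reasons

# Constructed sample orders.
SAMPLES = [
    Order(True, True, 1, "Ann Lee", "12 Oak St", "ann@example.com", "US"),
    Order(True, False, 1, "Ann Lee", "12 Oak St", "ann@example.com", "US"),
    Order(True, True, 1, "JOHN", "4 HIGH RD", "john@example.co.uk", "CN"),
    Order(False, False, 3, "Ann Lee", "12 Oak St", "ann@example.com", "US"),
]

if __name__ == "__main__":
    for o in SAMPLES:
        print(screen(o))
```

Everything short of an AVS mismatch lands in `review` rather than `decline`, so a person still makes the call on orders that only trip the softer signals.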

10-28-2005, 03:11 PM
|
|
WebProWorld New Member
|
|
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 13
|
|
Just to clarify:
Running VbV and MCSC will not limit your orders to participating cardholders.
http://usa.visa.com/business/accepti...ement/vbv.html
"Merchants who use Verified by Visa are protected from fraud-related chargebacks on all personal Visa cards—credit or debit, domestic, or international—whether or not the issuer or cardholder is participating in Verified by Visa"
MCSC only protects on enrolled cardholders but they give an interchange break on all cards. Your rates will be reduced by 22 and 59 basis points
__________________
CardinalCommerce
|

10-28-2005, 05:00 PM
|
|
WebProWorld 1,000+ Club
|
|
Join Date: May 2004
Location: Austin, TX
Posts: 1,331
|
|
Quote:
|
Originally Posted by CardinalCommerce
Just to clarify:
Running VbV and MCSC will not limit your orders to participating cardholders.
http://usa.visa.com/business/accepti...ement/vbv.html
"Merchants who use Verified by Visa are protected from fraud-related chargebacks on all personal Visa cards—credit or debit, domestic, or international—whether or not the issuer or cardholder is participating in Verified by Visa"
|
"the merchant is not liable for certain fraud-related chargebacks."
Just Curious, Who is reliable for the chargebacks if the merchant and the consumer are not reliable?
|

10-31-2005, 08:49 AM
|
|
WebProWorld New Member
|
|
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 13
|
|
The cardholder's bank is liable.
And the merchant isn't liable for all the reason codes related to credit card fraud.
23
61/83
75
__________________
CardinalCommerce
|

10-31-2005, 12:01 PM
|
|
WebProWorld Pro
|
|
Join Date: May 2005
Location: USA
Posts: 125
|
|
Just wondering: if the avs and cvv are correct and marked as ok and I process the order, but the order comes out to be fraudulent, who's liable for it, me or the cc company?
|

10-31-2005, 12:13 PM
|
|
WebProWorld New Member
|
|
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 13
|
|
you are
__________________
CardinalCommerce
|

10-31-2005, 04:45 PM
|
 |
WebProWorld 1,000+ Club
|
|
Join Date: Dec 2003
Location: Toronto, Ontario, Canada
Posts: 2,217
|
|
Burden of proof falls on the merchant in that case (i.e. you).
|

11-21-2005, 10:38 PM
|
|
WebProWorld Member
|
|
Join Date: Jul 2003
Location: Colorado, USA
Posts: 59
|
|
AVS and CVV
My experience has shown that both are essential. I have a site that runs in what would definitely be considered a high fraud category.
We do not ship to addresses other than the billing address. That is about the most common way for a thief to use a stolen card. I am willing to forego the additional, incremental business that would come from legitimate customers that want to ship to another address. If you think this is important, do it on a trusted customer basis (sold to prior).
Shipping to the matched AVS address also helps in defending a chargeback.
We automatically decline all transactions that don't have a matching CVV. Doing anything else is just asking for it; if the customer doesn't have the CVV they are not an authorized user of the credit account, end of story.
Obviously, these are not going to stop the more sophisticated fraudster, but when used with a good credit policy they can and do cut down on your losses significantly.
Also, in every instance of fraud it has been my company that is held liable, not the issuing bank, not the cardholder and certainly not the person committing the fraud. I end up giving the money back along with all of the fees that go with the chargebacks.
My recommendation would be that you don't ship any B2C order that does not pass both tests unless you know and trust the customer.
|