A guest post by: K. Volker, Certified eCommerce Fraud Professional
It is often not feasible for small merchants just opening an online presence and taking direct credit card payments to invest a great deal of money into fraud management. For merchants that have low, sustainable volume, there are several inexpensive, manual fraud reviews that can be completed. It is important to remember that these tools may not be the best option once a company begins to grow, as they can be quite time-consuming.
One very simple tool that can easily be reviewed is the CVV response code (also sometimes called the CVD, CSC, CV2, CVC, or CVVC code). The CVV code, or Card Verification Value, is the 3-digit code located on the back of a credit card (4-digit code on the front for American Express). While this code should not be used alone to detect fraud, it can be very helpful in eliminating fraudulent transactions. The customer’s issuing bank will provide a response on this code indicating if it was correctly entered or not. If the code does not return a response that indicates it is a match, then this is likely a high-risk transaction. The most common responses to this code are Y (match) and N (no match). The idea of this code is to determine if the card user actually has physical possession of the card. However, the code can be purchased by a fraudster along with a stolen credit card number and therefore is not usually the best indicator of true fraud.
Another simple tool that can be used is the AVS response code that is returned by the customer’s issuing bank. As a merchant, it is important to be familiar with these codes and to know what they mean. The AVS response is the Address Verification System response. It allows a merchant to see if the billing address provided by the customer is the billing address on file with their credit card company.
Address Verification Service is currently supported only in the United States, the United Kingdom, and Canada. Some common response codes for these locations are Y (full address match), Z (zip code only match), A (street address only match) and N (no match). Responses often received for cards located outside of these countries are G (global unavailable), S (service unavailable), and U (unavailable). While these are common codes, there are many others that may be communicated depending on the issuing bank of the card. If a code is received that is not familiar, it can most likely be found on a search engine.
Depending on a merchant’s risk appetite, levels of acceptance on these responses should and can vary. One merchant may only allow cards to be used with full address responses while other merchants may allow an address or zip match to complete. Like the CVV code, a full billing address can also be purchased with a credit card number and therefore is not always the best indicator of fraud when used alone.
For merchants that take international payments online where AVS is not available, the BIN, or Bank Identification Number, can often be a useful tool in fraud prevention. Because AVS is not supported in many locations across the world, the BIN can be utilized to determine the country in which the credit card was issued. The BIN is the first 6 digits of a credit card. There are several free and low-cost sites that offer BIN checks to merchants. These sites also often retain lists of “bad” or “black-listed” BINs. Cross-checking the BIN of the card with the billing address provided by your customer can help to prevent fraud. For example, a customer coming to your site and suggesting that the billing address is in Frankfurt, Germany should not have a credit card where the BIN shows Israel as the issuing country.
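As an added illustration (not part of the original post), the CVV, AVS and BIN checks described above can be combined into one rule that lists why an order should be held for manual review. The BIN table, the field names and the function name are constructed for this example; a real BIN-to-country mapping would come from a BIN lookup service.

```python
from dataclasses import dataclass

# AVS codes named in the article; issuers may return others.
AVS_MEANING = {
    "Y": "full address match", "Z": "zip code only match",
    "A": "street address only match", "N": "no match",
    "G": "global unavailable", "S": "service unavailable", "U": "unavailable",
}
AVS_UNAVAILABLE = {"G", "S", "U"}

# Constructed BIN-to-issuing-country table (hypothetical values).
SAMPLE_BIN_COUNTRY = {"400000": "DE", "510000": "IL"}

@dataclass
class Order:
    bin6: str             # first 6 digits of the card number
    cvv_code: str         # issuer's CVV response
    avs_code: str         # issuer's AVS response
    billing_country: str  # ISO country code from the billing address

def review_reasons(order, accepted_avs=frozenset({"Y"}),
                   bin_table=SAMPLE_BIN_COUNTRY):
    """Return reasons to hold an order for manual review (empty list = none)."""
    reasons = []
    if order.cvv_code != "Y":
        reasons.append(f"CVV response {order.cvv_code} is not a match")
    avs = order.avs_code
    if avs in AVS_UNAVAILABLE:
        pass  # AVS not offered for this card; the BIN check below applies
    elif avs not in accepted_avs:
        meaning = AVS_MEANING.get(avs, "unfamiliar code, look it up")
        reasons.append(f"AVS response {avs} ({meaning}) is not accepted")
    issuer = bin_table.get(order.bin6)
    if issuer is None:
        reasons.append(f"BIN {order.bin6} not found in lookup table")
    elif issuer != order.billing_country:
        reasons.append(f"BIN country {issuer} differs from billing country "
                       f"{order.billing_country}")
    return reasons

# Constructed orders: the article's Frankfurt example and a zip-only match.
frankfurt = Order("510000", "Y", "G", "DE")
zip_only = Order("400000", "Y", "Z", "DE")
lenient = frozenset({"Y", "Z", "A"})  # merchant with a higher risk appetite
if __name__ == "__main__":
    print(review_reasons(frankfurt))
    print(review_reasons(zip_only), review_reasons(zip_only, lenient))
```

The `accepted_avs` argument is where a merchant's risk appetite is expressed: the strict default holds the zip-only order, while the lenient set lets it through.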
Another useful tool that merchants can use is the customer’s issuing bank. Often, there are services provided by credit card companies that allow a merchant to verify a customer’s credit card by calling a toll-free number. While not every credit card company offers this service, it can definitely be helpful in determining fraudulent activity.
Black lists, or bad buyer lists, can also be maintained. These lists indicate that a customer has had previous negative history with the merchant and is not someone the merchant wishes to do business with in the future. These lists can be keyed on shipping addresses, customer names, phone numbers, credit card numbers, or IP addresses (discussed below).
When a customer visits a merchant’s website, the IP (Internet Protocol) address that the customer is coming from can be tracked. A customer’s IP address shows the location of the ISP (Internet Service Provider) they are using. An IP address can be a useful tool both in cross-checking against the customer’s provided billing information and in maintaining bad buyer or black lists. For example, normal behavior for a customer stating their billing and shipping address is in Paris, France would be for the IP to show close proximity to this address, not to a location in Sydney, Australia.
One thing to watch for with IP addresses is whether or not it is a proxy. A proxy can be used to mask the customer’s actual IP address and make it appear to be something else. There are several free or low-cost sites that can be utilized to check IP addresses. Many of these will check proxies as well.
The data provided by a customer can also be very useful in detecting fraudulent activity. If a transaction is flagged, for example, based on a mismatch of billing and shipping information, the details provided by the customer can be used to do further fraud checks. Information such as the email address, phone number, customer name, and shipping address can all be utilized in fraud checks. There are several free and low-cost online companies that can be used to check the validity of an email address or phone number. Many of these sites will also indicate the time of creation and if a phone number is pre-paid or limited-use. There is also, of course, the option of reaching out to the customer to see if a response is received via either of these information sources.
The name and address provided by the customer can also be used to do additional fraud checks. There are many free and low-cost sites that offer “people-finding.” Google Maps, along with other free services, can also be utilized to validate the authenticity of an address. These can also help to determine if the address provided is a home, a company, a paid mailbox, or a re-shipment company.