The following is a combination of tips and tricks to reduce credit card fraud, gleaned from various sources (listed at the end of this document). This advice is primarily aimed at the e-commerce sector, but may be equally valid for certain situations in mail order and/or telephone orders where the cardholder is not present (CNP).
GENERAL ADVICE
Banks 'chargeback' fraudulent transactions to the retailer even after initial authorisation has been given. So, make sure you understand the details of your contract with your merchant acquirer and follow their guidelines at all times.
Educate your staff to be vigilant at all times and check out the web sites below for the latest information.
Add a message to your web site stating that you check all transactions for possible fraud (even if you don't it may put off some thieves from trying).
Set an upper limit for transactions (£100 sounds reasonable, but preferably base it on your own experience). Telephone all UK buyers over the limit and run extensive checks on all international orders over the limit.
Keep a log of all fraudulent transactions and analyse them for patterns, e.g. value, geographical location, type of card, multiple cards at the same address etc.
You will find that certain UK Post Codes and countries are far worse for fraud than others. It is hard to predict, but many countries in Africa (Egypt, Ghana, Nigeria, Sierra Leone etc.), Asia (Indonesia, Malaysia, Pakistan, Philippines, Singapore, Thailand etc.), Eastern Europe (Belarus, Estonia, Hungary, Latvia, Lithuania, Macedonia, Romania, Russia, Serbia, Slovakia, Ukraine, Yugoslavia etc.) and (by implication) even Austria, are notorious for fraud on the Internet. It may be wise to wait until you are sure funds have been cleared or simply reject all orders emanating from these countries.
STEPS TO MINIMISE CREDIT CARD FRAUD
The first port of call should be your merchant acquirer, who will hold details of stolen cards and may also have Address Verification Service (AVS) or Card Security Code (CSC) or other knowledge-based systems based on the sending patterns of their customer.
Don't accept an order unless complete information is provided. The British Retail Consortium's Code of Best Working Practice for CNP transactions recommends that retailers should capture the following information:
Customer/Cardholder name & statement billing address (including Postcode which can be checked online or via a database available from Royal Mail)
Length of time at address & previous address (if moved within last year)
Delivery address (if different) & name of intended recipient
Card number & expiry date
Card issuer (for comparison with BIN ranges supplied by acquirer)
Customer email address & land line telephone number (Telephone numbers can be checked online or via a database available from BT and possibly include a fax number if it's a company).
Be extra careful where the delivery address is different from the billing address, especially if it is a non-permanent address (eg a hotel). Ask for a fax confirmation with a signature and a copy of the bank billing address. If you have time, send a paper 'receipt/thank you' card to the billing address including instructions to call you if there is a problem.
Never release goods to a third party allegedly sent by the customer (e.g. a taxi driver).
Obviously, do not accept orders where the return email address is undeliverable. Also be wary of orders from free e-mail services (you can check if it is a free service by typing www in front of the domain name of the email address) and mobile phones.
Check the origination of the email using the IP number to see if it is from the country claimed in the email - go to www.arin.net/whois/ .
Be especially careful of very large orders (value and/or quantity) and where the customer appears unconcerned about shipping costs.
Contact the customer and ask them to confirm details of the order and ask for additional information or repetition of part of their details. For instance there is a Card Security Code, which is the last three or four digit number on the security strip. Or, ask for a check on the bank issuing the card or the expiry date.
You don't want to lose the order, but in suspicious circumstances, if at all possible delay delivery until you are certain the funds will be paid.
Make sure you have some form of proof of delivery and understand if you can claim insurance for lost parcels, especially for overseas orders. Banks will also chargeback if the customer claims not to have received the order ('denial of service').
Consider using the Verified by Visa or MasterCard SecureCode services for online payment security, which can protect retailers from chargebacks for certain fraudulent transactions.
Consider using a specialist software service that checks for fraudulent orders - no system is perfect, but they can screen out suspect orders automatically for checking.
SOURCES OF INFORMATION
The primary source for information on tackling UK credit card fraud is:
Card Watch - www.cardwatch.org.uk
Other information and security products can be obtained from:
Americart - www.cartserver.com/americart
British Telecom - www.bt.com
CyberSource - www.cybersource.com
ClearCommerce - www.clearcommerce.com
Experian - www.experian.com
Internet ScamBusters - www.scambusters.org
Metropolitan Police Fraud Alert – www.met.police.uk/fraudalert/
NetBanx - www.netinvest.com
Retail Industry - www.retailindustry.about.com
Royal Mail Postcode Finder – www.royalmail.com
WorldPay - www.worldpay.com
Worldwide E-Commerce Fraud Prevention Network - www.merchantfraudsquad.com
The attention of members is also drawn to the advice on the following sites: