The following sections provide guidance to merchants on some of the ways they can help to prevent their business becoming a victim of fraud and having a card payment they have accepted charged back.
This guidance covers the following topics:
- Top Tips To Combat Card Present Fraud
- Top Ten Tips To Combat Card-Not-Present Fraud
- Fraud Prevention Tools
- AVS / CSC
- MasterCard SecureCode and Verified by Visa
- MasterCard / Visa Internet Transaction Liability Shift
- Third Party Solution Providers
Top Tips To Combat Card Present Fraud
- Check the customer - Watch out for random purchases (bulk buying, different sizes in clothing, no time taken in choosing). Does a customer seem edgy or are they trying to distract or rush their purchase? Watch for customers making low-value purchases but asking for high-value cashback. On some cards, the cardholder’s title or name makes it clear whether they should be male or female – so make sure the cardholder matches the name.
- Check the card under a UV lamp - If you have an ultraviolet (UV) light, use it to check that the card shows a special mark when held under the light. An acquiring bank can provide details of the features that should appear on a genuine card.
- Check the first four digits appear above or below the embossed account number - On MasterCard and Visa cards, the printed digits above or below the first four embossed numbers should be the same.
- Look for the unique ‘MC’ on MasterCard cards and the ‘flying V’ on Visa cards - The special printing is difficult to copy. Note that Visa Electron cards do not carry the ‘flying V’ security feature. A merchant’s acquiring bank can provide full details on what to look for.
- Compare the number on the card with the till print-out - Check that the last four embossed numbers on the card match the last four numbers on the till print-out.
Top Ten Tips To Combat Card-Not-Present Fraud
The following are ten tips to help merchants spot and stop card-not-present (CNP) fraudsters and reduce potential chargebacks.
If a merchant’s sales staff can answer “yes” to one or more of the questions below, it does not mean that the transaction is fraudulent, but it does mean they should consider further checks before proceeding with the transaction.
- Is the sale too easy? Is the customer uninterested in the price of the goods? Are they a new customer?
- Are the goods high-value or easily resalable?
- Is the sale excessively high in comparison with a merchant’s usual orders – for example, a merchant’s average transaction is for £50 but this transaction is for £250? Is the customer ordering many different items? Do they seem unlike their usual customer?
- Is the customer providing details of someone else’s card e.g. that of a client or family member?
- Is the customer reluctant to give a landline contact phone number – are they only prepared to give a mobile number?
- Does the address provided seem suspicious? Has the delivery address been used before with different customer details?
- Is the customer being prompted by a third party whilst on the phone?
- Is the customer attempting to use more than one card in order to split the value of the sale?
- Does the customer seem to lack knowledge of their account?
- Does the customer seem to have a problem remembering their home address or phone number? Does the customer sound as if they are referring to notes?
These tips and further information to help merchants combat fraud can be found in APACS’ ‘Spot & Stop : Card Not Present Fraud’ guide, which is available from the retailers publications section of the Card Watch web site. The guide also has specific help aimed at certain types of business e.g. best practice for electrical retailers.
For further information to help prevent CNP fraud visit www.cardwatch.org.uk.
Fraud Prevention Tools
There is a range of tools that the card industry has developed to help merchants prevent fraud for both card present and card-not-present (CNP) transactions, and these can be explained by a merchant’s acquiring bank. In addition, there are a number of sophisticated tools to help prevent fraud designed by third party solution providers – these mostly target CNP fraud.
AVS / CSC
AVS (address verification service) can be used for both card present and card not present transactions, and allows a merchant to check that the address given by the cardholder is the one that their card issuer has on file and is where they send the card statement. The card issuer will provide a response to confirm that the address matches their records – full match, partial match or mismatch. AVS is particularly useful in checking that the delivery address is the same as the cardholder’s statement address.
CSC (card security code) is the three or four digit number that is printed on the reverse of the card in the signature strip after the cardholder’s short account number. It provides better evidence that the person making the transaction is in possession of the genuine card rather than stolen card details. The card issuer will confirm if the CSC provided is the correct one or not. In the case of an American Express card, the CSC is on the front of the card.
Unlike a transaction that has been authenticated by a cardholder using their PIN, neither AVS nor CSC can provide a full confirmation, even if there is a complete match on the details provided, that it is the genuine cardholder who is agreeing the transaction. In many cases of card-not-present fraud, the cardholder may only become aware of the fraudulent transaction when they see it on their card statement and charge it back – the transaction will be classified as “cardholder has not authorised or does not recognise the transaction”. Please note that a positive AVS or CSC response does not guarantee payment.
An acquiring bank may provide this service to help a merchant minimise card fraud and they will be able to explain what the responses mean, which card types can be used and how the responses may influence their decision to accept or decline a particular card transaction.
APACS has provided help and guidance on how AVS / CSC can help a merchant’s business. See section seven of Spot & Stop Card-Not-Present Fraud available on the Card Watch web site.
3D Secure (MasterCard SecureCode and Verified by Visa)
3D Secure stands for the three-domain protocol that has been developed by MasterCard and Visa to authenticate a cardholder’s transactions made over the internet. The three domains are the acquiring bank, issuer and the card schemes.
MasterCard SecureCode and Verified by Visa allow a cardholder to confirm that they are the genuine cardholder by giving their pre-selected password when taking part in a transaction. If a merchant implements MasterCard SecureCode and Verified by Visa, they can better protect their business from liability for fraud losses as they will receive a liability shift, assuming the correct procedures have been followed, if the transaction is subsequently raised as a chargeback by the cardholder claiming that they did not authorise the original transaction. This liability shift will be in place even if the cardholder has not registered a password with their card scheme.
In some circumstances, card scheme rules say that MasterCard SecureCode or Verified by Visa has to be used to accept certain types of internet card transaction.
To understand the customer experience of using MasterCard SecureCode or Verified by Visa, view the online shopping demo on Shop Safe Online.
MasterCard / Visa Internet Transaction Liability Shift
Where a merchant has enabled Visa’s Verified by Visa and MasterCard’s SecureCode they may benefit from a shift in liability, from the merchant to the card issuer, in the event of a chargeback. This applies, for example, where the merchant and acquiring bank have installed either of the services but the cardholder is not enrolled, or where the merchant and cardholder have both enrolled for the service(s).
A merchant's acquiring bank can provide further details on how a merchant could benefit from a chargeback liability shift.
Third Party Solution Providers
Although the card industry has developed a range of best practices to help merchants, together with recommended solutions such as AVS, CSC, MasterCard SecureCode and Verified by Visa, there are a number of suppliers offering bespoke solutions such as name and address checking and rule-based and neural networks that can help to combat fraud.
As a guide, the following is a list of third party solution suppliers of which APACS is currently aware. It is not a definitive list and should not be read or understood as being, in any way, an endorsement or recommendation by APACS of the suppliers and their products.
Identity Checking Systems
Card-not-present merchants should check details supplied by their customer, wherever possible.
The following suppliers provide products to check names, addresses and other aspects of identity such as date of birth.
192.com Business Services
The 192.com offering works on the premise that a determined fraudster will have the payment card details and the customer’s name and address, but that the fraudster can be identified and stopped when they give the incorrect date of birth, home phone number or some other personal characteristic.
192 eShopper-ID checks characteristics such as name, home address, date of birth, phone number and other personal details against voter databases and credit reference files during the transaction process. Potential fraud flags are sent back to the merchant in less than a second enabling the merchant to make an informed decision on the customer transaction. Based on the level of risk or potential for fraud, merchants can also verify further transaction characteristics such as IP address, driving licence and passport data and mortality files.
ai Corporation Ltd
SmartAuth is a fraud screening service for all CNP merchants. It operates in real time and uses fraud detection and prevention techniques taking billions of transactions and authorisations at more than one million merchants. SmartAuth can be accessed on the Internet through a simple real-time interface or using a set of secure, easy-to-use screens. It also provides a clear PASS or FAIL response accompanied by a score that enables a subscriber to decide whether to accept or decline a CNP transaction.
SmartAuth 3DS Cardholder Verification Service. SmartAuth 3DS is an effective pay-as-you-go solution for merchants that require a rapid and inexpensive implementation of Verified by Visa and MasterCard SecureCode.
Aristotle – Integrity
http://integrity.aristotle.com
Integrity is an international fraud prevention, age and identity verification service that integrates a government-issued ID database check, algorithms and web-based signature capture. The service enables merchants to comply with age verification laws and guidelines.
CitizenCard – iAC (Interactive Age Check)
iAC is a software product developed jointly by CitizenCard and information solutions company Experian. It combines reliable sources of information to ensure that everyone in the UK population is capable of being authenticated by iAC, if not immediately then within one working day.
Experian - e-identitycheck
Experian offers two products to validate the identity of customers for CNP transactions: Identity Check and Card-Not-Present Check.
These products can be used in any business and non-business situation where there is a risk of identity fraud or a risk from CNP fraud. They determine whether the customer exists by using independent data sources to confirm the information provided. These checks can provide greater assurance that the customer is who they say they are.
These systems involve a pay-per-search method with registration and no licence fee. The system is based upon Experian’s 440 million-record database of consumer information.
Experian also offers a specific service for ABTA members to assist with the authentication of customers purchasing travel services.
GB Group
GB Group provides a range of data services designed to improve customer interactions at every stage of the customer life cycle. In particular, with its ID3™ technology, it has pioneered the use of electronic ID verification solutions that can actually drive down fraud without negatively impacting the customer experience.
URU
URU is a web-based solution that is powered by ID3™ technology and was developed with the express purpose of helping businesses meet their compliance requirements and drive down fraud in an increasingly virtual business world.
Jointly developed using GB’s data matching capabilities in ID3 and BT’s robust web services, URU removes the need for manual identity checks by using the Internet to match information against a comprehensive list of primary data sources. It removes the need to verify paper documents as part of the customer sign up process and can authenticate passports and other proofs of identity electronically.
URU is in use in many large organisations to combat identity fraud and money laundering and to prevent access by minors to age restricted goods and services.
QAS – QuickAddress Software
Any company that sells goods or services via a CNP channel can use QuickAddress software to validate delivery addresses and help to minimise incidents of items going astray or being returned as undeliverable.
Call centre operators are able to enter complete and accurate addresses with a minimum number of keystrokes.
QuickAddress allows a merchant to capture accurate name and address details from a postcode or partial address. Using the 27 million UK addresses and 1.7 million postcodes in the Royal Mail’s Postcode Address File, QuickAddress Pro requires only minimal data entry to capture a full address, and paste it into a merchant’s underlying application.
Quova – Geolocation
Geolocation is a web geography technology that determines an online customer’s geographic location – from country level down to city precision – providing the same data that merchants and financial institutions use to flag potential fraud in the real world.
Geolocation technology identifies the Internet protocol (IP) domain of origin, effectively adding an accurate “return address” to every online transaction and enabling the merchant to identify and reject a suspicious transaction before it is completed. Quova, as a geolocation provider, is able to determine an online customer’s country of origin with 99.9% accuracy.
The inadvertent blocking of a legitimate customer by a merchant’s fraud rule can do more damage to revenue flow than a fraudulent transaction, because the customer’s future business is lost as well – a rejected customer probably won’t return.
With an accurate geolocation solution incorporated into a fraud scoring system, the risk of blocking legitimate traffic is reduced. In flagging orders from certain fraud-prone IP origination points for closer examination, the enterprise is adding another level of authentication that can also be used to admit a proven customer with more efficiency, enhancing the customer experience while minimizing the risk of rejecting legitimate business.
Rule-based and neural networks
Solutions are available which can build rules into a merchant’s payment processing system in order to identify potentially fraudulent transactions. There are also neural systems that rely on mathematical calculations to rate the likelihood of a transaction being a risk.
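As an illustration of the rule-based approach, the following added example (not part of the original guidance and not any supplier's product) turns three of the card-not-present questions above into automated rules: an order far above the merchant's usual value, a delivery address already used with different customer details, and one sale split across several cards. The 5x ratio is taken from the £50 versus £250 example above; the ten-minute window, the field names and the sample orders are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

HIGH_VALUE_RATIO = 5.0        # assumption: the guide's example is 250 / 50 = 5x
SPLIT_WINDOW_SECONDS = 600    # assumption: two payments this close count as one sale


@dataclass(frozen=True)
class Order:
    order_id: str
    customer: str      # customer name as given on the order
    card_last4: str    # only the last four digits are kept
    amount: float      # order value in GBP
    address: str       # delivery address as typed
    ts: int            # seconds since the start of the trading day


def normalise(address: str) -> str:
    """Fold case, punctuation and spacing so trivial spelling changes still match."""
    cleaned = "".join(c if c.isalnum() else " " for c in address.lower())
    return " ".join(cleaned.split())


def screen(orders, average_order_value):
    """Return {order_id: [flags]} after applying the three rules in time order."""
    customers_at_address = defaultdict(set)   # address -> customer names seen there
    recent_payments = defaultdict(list)       # (customer, address) -> [(ts, card)]
    result = {}
    for o in sorted(orders, key=lambda order: order.ts):
        flags = []
        addr = normalise(o.address)
        cust = " ".join(o.customer.lower().split())

        # Rule 1: sale excessively high compared with the merchant's usual orders.
        if o.amount >= HIGH_VALUE_RATIO * average_order_value:
            flags.append("high_value")

        # Rule 2: delivery address used before with different customer details.
        if customers_at_address[addr] - {cust}:
            flags.append("address_reused")
        customers_at_address[addr].add(cust)

        # Rule 3: same customer and address paying with another card shortly after.
        if any(o.ts - ts <= SPLIT_WINDOW_SECONDS and card != o.card_last4
               for ts, card in recent_payments[(cust, addr)]):
            flags.append("split_across_cards")
        recent_payments[(cust, addr)].append((o.ts, o.card_last4))

        result[o.order_id] = flags
    return result


def decision(flags):
    """A 'yes' to any question means further checks, not automatic rejection."""
    return "review" if flags else "accept"


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A1", "Ann Lee", "1111", 48.0, "12 High St, Leeds LS1 1AA", 100),
    Order("A2", "Bob Ray", "2222", 250.0, "7 Mill Lane, York", 200),
    Order("A3", "Cara Fox", "3333", 120.0, "9 Elm Rd, Hull", 300),
    Order("A4", "Cara Fox", "4444", 130.0, "9 Elm Rd., HULL", 500),
    Order("A5", "Dan Moss", "5555", 40.0, "12 high st, leeds ls1 1aa", 900),
]

if __name__ == "__main__":
    for order_id, flags in screen(SAMPLE_ORDERS, average_order_value=50.0).items():
        print(order_id, decision(flags), flags)
```
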
Alaric – Fractals
Alaric’s fraud detection solution, Fractals, uses a combination of user-defined rules and system-derived strategies to detect higher levels of fraudulent transactions in real time (preventing fraudulent transactions) or near real time (detecting fraudulent transactions) with lower false positive ratios than the traditional rules-only or neural network solutions.
Fractals is used by organisations that are experiencing card fraud due to skimming, cash machine fraud or card-not-present (CNP) fraud. Fractals integrates with existing payment authorisation and card management systems used by card issuers, card acquiring banks and payment processing organisations in the banking, retail and telecommunications sectors.
ClearCommerce Europe
ClearCommerce provides fraud prevention and payment processing solutions to merchants and service providers in the UK and Europe.
ClearCommerce Risk Management is an open, extensible platform that combines online fraud detection technologies with total business user control of the screening process. This solution combines payer authentication mechanisms, rule-based detection, neural network risk scoring, negative and positive databases and IP-based systems which provide transaction screening and case management for e-commerce merchants.
ClearCommerce Payment is a scalable, cost-effective, and efficient solution that automates processing of all major online payment methods and currencies.
ClearCommerce Suite integrates both into a safe and efficient e-business engine.
ClearCommerce Payer Authentication easily plugs into a merchant’s check-out process and manages cardholder authentication with the Verified by Visa and MasterCard SecureCode programs.
Commidea Ltd
Commidea’s Fraud Prevention Services combine all of the tools required to implement an effective fraud prevention solution.
It enables merchants to implement sophisticated business logic strategies which make use of the entire portfolio of fraud prevention tools including positive and negative list checking, velocity checks, predictive scoring (using neural network technology), AVS/CSC analysis, tailored business rules and payer authentication. The service can be run in conjunction with (or independently from) Commidea’s online card authorisation and funds transfer services providing merchants with a one-stop shop for all aspects of card payment processing.
CyberSource
CyberSource has developed a range of solutions to help merchants manage their risk management processes more effectively.
CyberSource Decision Manager allows merchants to make decisions based on the responses from all their fraud tools as well as their own business logic and rules. The system automatically evaluates transactions in real time and determines whether they should be accepted, reviewed or rejected.
The solution combines support for industry authentication tools (including AVS, CSC and payer authentication), built in fraud scoring, positive and negative list management, velocity pattern analysis and an extensive rules library, with built in case management to speed order review.
CyberSource Payer Authentication gives merchants the online payment guarantees offered by the Verified by Visa and MasterCard SecureCode programmes. The systems verify the cardholder’s identity directly with the card issuer in real time to increase payment security and reduce the risk of fraud.
Fair Isaac – Falcon Fraud Manager for Merchants
Falcon Fraud Manager for Merchants uses neural network models, tailored to the merchant’s industry, to detect minute differences between genuine and fraudulent orders. This precision exceeds the capabilities of rule-based systems, allowing merchants to implement more flexible policies and safely accept more business.
Compared to systems based solely on rules and negative files, Falcon Fraud Manager delivers far fewer false positives (legitimate transactions incorrectly identified as potentially fraudulent). This decreases the number of orders requiring manual review, enabling the reduction of fraud while preventing the loss of legitimate CNP sales.
Neural Technologies – Minotaur™ Transcure
Minotaur™ Transcure combats and manages sophisticated and evolving types of fraud by using a range of advanced features, tackling and eradicating frauds such as CNP, lost or stolen, skimming, application, counterfeiting, etc., within fractions of a second.
The newly developed module of Minotaur also profiles merchants (retailers, auto loan dealers and other third party agents) to detect merchant fraud.
Minotaur™ Transcure employs a hybrid of advanced rules, case-based reasoning and neural techniques. In particular, the solution’s flexible architecture enables it to interface with many systems, combining multi-stream analysis capability from both customer information and transactional data to detect fraud in real time.
Features include dynamic rule creation, workflow management, user configurability and scorecard creation and implementation.
Retail Decisions
Retail Decisions (ReD) provides products and services for:
- Card Fraud Prevention (CNP and card present)
- Neural Fraud Prevention Software
- Online Payment Processing
- Payment Gateway Services
ReD’s products can be used in retail, banking, telecommunications, petroleum, travel and the broader CNP market sectors.
The core fully managed fraud prevention service, ebitGuard, includes:
- A multi-dimensional approach to protecting online retailers against card fraud.
- Neural networks card checking and tracking to detect unusual patterns.
- Pre-status risk management technology to identify fraudulent use of payment cards, before the owner or issuer has registered the card lost or stolen.
- An international database containing over 70 million records of suspicious cards.
- Authentication methods i.e. MasterCard SecureCode and Verified by Visa, AVS, CSC.
- Fraud detection rules specific to a client’s business processes and industry.
- A firm recommendation with every transaction.
ReD’s range of products and services has a wide range of potential applications that can be customised to meet particular requirements.
The 3rd Man
The 3rd Man provides a service enabling retailers to monitor all transactional activity so they may be alerted to any increasing level of risk or exposure. The 3rd Man analysts will import any format of data and then tailor a set of business rules for each individual retailer. The only requirement is that the data feed must be secure. This service is based on using the time between accepting an order and shipping the goods as an opportunity to manage risk.
The service enables each retailer to decide whether or not to accept the risk based upon many variable factors. These factors take all bank authorisation responses into account and also make use of authentication services such as AVS / CSC and 3D Secure. This process ensures that no genuine customer is ever automatically disadvantaged.
An online analysis service is also available which empowers retailers to analyse transactions themselves in as much detail as is necessary, before making a decision on any suspect transaction. A customer’s behaviour, history and transactional considerations may be combined using this tool.
RiskGuardian™ Solution
This is a fully automated, real-time or batch, risk-assessment solution. It is designed to profile a cardholder’s transaction in real time or batch, using a set of knowledge-based rules and complex business logic algorithms. The profile and transaction pattern is matched with existing data within RiskGuardian’s historical database to produce a score of risk that is associated to the transaction.
It allows clients to control the potential risk individuals offer, up to the point of digitally banning them from the site or call centre. Individual companies or persons are awarded individual risk profiles on a case-by-case, transaction-by-transaction basis. RiskGuardian also uses historical data to learn from the past to increase the protection provided to the merchant.
Data sharing
The following solutions allow merchants to share information with other merchants who have been targeted by card-not-present fraud. APACS does not endorse any of these initiatives, but acknowledges their role in fighting card-not-present fraud.
The Early Warning Scheme
A low-priced data-sharing service that allows registered merchants to post information on fraudulent attacks and receive information on attacks against other merchants.
IMRG
IMRG is a member-driven organisation set up in the interests of the e-retailing community. A warm-file data-sharing service is now available that allows merchants to share information on fraudulent activity.
TriRidium – TransTrack
TransTrack is a browser-based application that automates the process flow between merchants and acquiring banks for the resolution of payment card disputes, retrieval requests and chargebacks.
Using XML, SOAP and web messaging, TransTrack reduces clerical intervention, head office staff processing time and ultimately chargebacks.
Security Alert is a “neighbourhood watch” service for merchants to enhance their in-house vetting services with regard to fraud and risk