Payment security and what you need to know

Trevor Ginn is a veteran of online selling, having worked at and owned several companies. As well as blogging at and running an ecommerce consultancy at Vendlab, he also finds time for his own online ecommerce operation at Hello Baby.

After getting hammered by credit card fraud earlier this year, Trevor had plenty of self-interest in ways to avoid fraud. Today he shares his research with TameBay:

Credit Card Security

Card payments, either directly or via eWallet services like PayPal, make up the vast majority of payments for goods online. Consumers are well protected against fraud; merchants, however, do not enjoy the same blanket level of protection and need to be careful when accepting online payments.

Online payments funded by a card can be subject to charge backs, where the card holder disputes the transaction up to 6 months after the sale. Charge backs can either be because the card holder disputes that they made the transaction (i.e. it was a fraudulent transaction), or because they believe that the item they received was not as described.

Who Carries the Risk?

It is easy to assume that funds arriving in an account are cleared and legitimate payments. However, for any online payments where the 3D secure test is not passed (see below), the merchant carries the ultimate risk of a fraud as the transaction is ‘card holder not present’. To understand the risks associated with any transaction, merchants should understand the available security checks and other factors which can be used to filter out the good from the bad.

Card Security Checks

Most payment gateways make little effort to educate their customers as to the best security settings for their business and leave the merchant to create their own security rules. However, it pays to spend some time working out the best settings for your business. For example, if your products are all low value, you may wish to have a low security threshold as fraud is unlikely or a risk you are willing to take. Conversely, if your products are desirable, high ticket items, then fraud settings should be high.

3D Secure

3D secure, also known as Verified by Visa or Mastercard SecureCode, creates a virtual “card present” environment during internet transactions by asking the buyer to enter a password. 3D secure is only available for Visa and Mastercard transactions, and as yet there are no similar initiatives for American Express, JCB or Diner’s Club.

The major benefit of this system is that a transaction that has been fully 3D Secure validated cannot be charged back to the merchant if subsequently found to be fraudulent. The merchant is protected by the card issuer against such charge backs because the bank itself assumes the liability. However, charge backs are still possible, as a 3D secure validated transaction will not protect the merchant in the event of the customer denying receipt of goods.

3D secure is not universally popular, with some merchants complaining of reduced conversions. Some consumers also find the extra step in the checkout process annoying.

AVS (Address Verification Service)

AVS checks the numeric values in a card holder’s address (i.e. flat or house number and numbers in the post code) given at checkout against the billing address on file for the card. Checking that the buyer knows the right billing address is an important extra check, but by no means foolproof. For example, a card owner can enter their address incorrectly, or a fraudster can have access to the card holder’s address. The AVS result can be either match, partial match or mismatch.

CV2 (a.k.a CVV and CVVC)

These are the three numbers which are on the back of the card for Visa and Mastercard, or four on the front (American Express). Their purpose is to provide some confidence that the buyer has the card in their possession, as the numbers are not stored on the magnetic strip. The system is by no means infallible as there are scripts available on the internet for generating the codes.
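As an added illustration (not code from the article or from any gateway), the sketch below implements the numeric-only AVS comparison described above and feeds its result, together with the CV2 and 3D secure outcomes, into a merchant rule set that tightens as order value rises. The function names, the `high_value` threshold, the reading of "partial match" as exactly one field agreeing, and the sample addresses are all assumptions.

```python
import re

def numerics(text):
    """Digits of an address field, in order: the only part AVS compares."""
    return "".join(re.findall(r"\d", text))

def avs_result(addr, postcode, file_addr, file_postcode):
    """'partial' is taken to mean exactly one field agrees (assumption)."""
    hits = (numerics(addr) == numerics(file_addr)) + \
           (numerics(postcode) == numerics(file_postcode))
    return ("mismatch", "partial", "match")[hits]

def decide(order_value, avs, cv2_ok, three_ds_ok, high_value=100.0):
    """Hypothetical merchant rules: looser for low value, stricter for high."""
    if not cv2_ok or avs == "mismatch":
        return "reject"
    if order_value < high_value:
        return "accept"              # low-ticket: tolerate a partial AVS match
    if three_ds_ok and avs == "match":
        return "accept"              # high-ticket: require every check to pass
    return "manual_review"

# Constructed billing address on file for the card.
ON_FILE = ("Flat 2, 14 High Street", "EH1 2AB")

if __name__ == "__main__":
    attempts = [
        ("2/14 High St", "eh12ab"),      # different formatting, same numerics
        ("14 High Street", "EH1 2AB"),   # genuine owner omits the flat number
        ("7 Low Road", "G4 9XY"),        # unrelated address
    ]
    for addr, pc in attempts:
        avs = avs_result(addr, pc, *ON_FILE)
        print(addr, "->", avs, "| 600 GBP order:", decide(600.0, avs, True, True))
```

The second attempt shows why a partial match on a high-value order is routed to manual review rather than rejected: a genuine card holder who mistypes their own address produces the same result.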

Fraud Screening

With experience humans can get a feeling for whether or not a transaction poses a risk. However, as transaction volumes grow, it is not possible to check each purchase individually. Fraud screening services such as Third Man automate the analysis of each transaction by looking at various elements including name, card numbers, frequency of use, delivery address, value and IP address to produce a risk score for the transaction. Fraud services are integrated into many payment gateways such as SagePay.

As well as using automated services, be aware of the following warning factors:

• Use of free email addresses with names unrelated to the name given
• Incomplete contact details
• Orders which are unusually large or have a strange combination of items
• Billing and delivery addresses different. Be especially wary if the delivery address is a hotel or guest house
• Be wary of customers who insist on obtaining tracking numbers for deliveries; they could be trying to intercept the delivery.

A good list of fraud signs can be found on the 3rdman website.
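The warning factors listed above can be turned into a simple pre-screen that flags orders for a human to look at. This is an added example, not the article's or Third Man's logic; the free-mail domain list, the "five times typical order value" threshold, the field names and the sample orders are assumptions. Strange item combinations and tracking-number requests are left to manual judgement.

```python
import re

FREE_MAIL = {"gmail.com", "hotmail.com", "yahoo.co.uk"}   # assumed sample list
LODGING = re.compile(r"\b(hotel|motel|guest\s*house)\b", re.I)

def _norm(addr):
    """Ignore case and punctuation when comparing two addresses."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def warning_factors(order, typical_value, large_multiple=5):
    """Return which of the article's warning factors an order triggers."""
    flags = []
    local, _, domain = order.get("email", "").lower().partition("@")
    name_parts = [p for p in re.split(r"\W+", order.get("name", "").lower())
                  if len(p) > 2]
    if domain in FREE_MAIL and not any(p in local for p in name_parts):
        flags.append("free email unrelated to name")
    if not all(order.get(k) for k in ("name", "email", "phone", "billing", "delivery")):
        flags.append("incomplete contact details")
    if order.get("value", 0) > large_multiple * typical_value:
        flags.append("unusually large order")
    billing, delivery = order.get("billing", ""), order.get("delivery", "")
    if _norm(billing) != _norm(delivery):
        flags.append("billing and delivery differ")
        if LODGING.search(delivery):
            flags.append("delivery to hotel or guest house")
    return flags

# Constructed sample orders (not real customers).
ORDERS = [
    {"name": "Jane Smith", "email": "jane.smith@gmail.com",
     "phone": "01632 960001", "value": 35.0,
     "billing": "14 High Street, Edinburgh",
     "delivery": "14 high street edinburgh"},
    {"name": "John Brown", "email": "xk99deals@hotmail.com",
     "phone": "", "value": 600.0,
     "billing": "3 Mill Lane, Leeds",
     "delivery": "Room 12, Station Hotel, Dover"},
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o["name"], warning_factors(o, typical_value=40.0))
```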

Security of Common Payment Gateways


PayPal

PayPal’s website payments standard product only provides seller protection for purchases which go to verified addresses. All purchases which are made using the Website Payments Pro service are ineligible for seller protection. AVS and CV2 checking are available through PayPal but 3D secure is not supported and no additional fraud screening information is available to merchants.

Google Checkout

Google provides merchants with details of whether a transaction has passed CV2 and AVS tests. It does not support 3D secure, but does provide its own chargeback protection for eligible transactions.


SagePay

SagePay allows merchants to set their own security rules for AVS, CV2 and 3D secure. It also provides a risk score for each transaction in conjunction with Third Man.

15 Responses

  1. Be especially wary if the delivery address is a hotel or guest house

    Very true. The one time I shipped to a motel room the $600 item was mysteriously missing from the package.

  2. I think it’s also worth pointing out that there are many ways of losing money as a business.

    For example, I have heard many sellers say they only ship recorded to reduce INR claims. However, those 72p’s (or whatever it is now) quickly add up. It would be cheaper to just accept the occasional lost item, however frustrating it may feel.

    Also, time is something that doesn’t come cheap. Especially if you run your own company and find yourself doing everything. Make sure you focus on revenue generating actions and don’t spend too much time manually checking each order/payment, as again this can end up costing you more than the odd dodgy payment.

  3. Bigpoppa makes a fair point. My reasons for writing this article were really to enable merchants to understand the risk they are running and then make their own decisions. They may decide that the increase in conversion is worth the risk, but at least the decision is an informed one.

  4. I have to agree with Bigpoppa, Retrowarez found it cheaper to accept some inevitable losses than send every single item trackable. Like he says those 72p’s add up quickly.

    I know it sounds prejudiced but the only items we sent trackable were ones where the buyer lived in a known “high crime” or “rundown” area and the item was expensive. In the last year more Prince Naseem Hamed DVDs went “missing” than any other title …. Work that one out.


  5. # Trevor how did you get hammered? Was this on your “Hello Baby” site & which payment gateway was the target for the fraud?

  6. One of the major problems (as I see it) is that for an eBay/Paypal transaction, it’s too easy for the buyer to make a claim and win!

    I am sure many of you out there, that run websites as well as sell on eBay find the number of ‘claims’ generated from website sales is way less (if any at all) than for eBay sales – yet you are the same seller, selling the exact same items and processing the sale in almost the same way ?

  7. #7 100% I think we have had 2 claims for INR via our websites ever, but eBay…well I think you can guess.

  8. Only one claim in a year on our website, Amazon has become worse than eBay now for INR and at least 75% of these had Chinese sounding surnames, so ‘high risk’ surnames, certain cities and halls of residences go recorded now.

  9. #8 eBay has become a paradise for scamming buyers. No negatives, little fear of getting caught, and they know eBay/Paypal ALWAYS take their side. It’s no wonder eBay sales attract so many INR’s. What amazes me is the fact sellers don’t get even more INR’s. Guess most people are still honest.


  10. “eBay has became a paradise for scamming buyers” LOL Guess most people are still honest. LOL LOL LOL

  11. Really Jason ? Everything we’ve done is within the law, and an awful lot of buyers have actually been refunded already, over 70% in fact, so don’t make assumptions.


  12. Wow Steve, just had a look at your ebay shop, what the hell happened there?
    Jason’s right you have some nerve to complain about scamming buyers. If something went wrong, you should at least respond to your customers and not be rude when you do!

  13. @ 10 Totally agree Steve. More and more eBay buyers are getting wise to the fact that they can claim their money back through Paypal time and time again and they will always win. We’ve even forwarded Paypal emails from customers who have admitted receiving the goods, and Paypal still finds in their favour. If it’s not trackable, Paypal aren’t interested. As a business, we just can’t afford to send everything trackable, especially when eBay want us to charge nothing for shipping.

