Credit Card Security
Card payments, either directly or via eWallet services like PayPal, make up the vast majority of payments for goods online. Consumers are well protected against fraud, however, merchants do not enjoy the same blanket level of protection and need to be careful when accepting online payments.
Online payments funded by a card can be subject to charge backs, where the card holder disputes the transaction up to 6 months after the sale. Charge backs can either be because the card holder disputes that they made the transaction (i.e. it was a fraudulent transaction), or because they believe that the item they received was not as described.
Who Carries the Risk?
It is easy to assume that funds arriving in an account are cleared and legitimate payments. However, for any online payments where the 3D secure test is not passed (see below), the merchant carries the ultimate risk of a fraud as the transaction is ‘card holder not present’. To understand the risks associated with any transaction, merchants should understand the available security checks and other factors which can be used to filter out the good from the bad.
Card Security Checks
Most payment gateways make little effort to educate their customers as to the best security settings for their business and leave the merchant to create their own security rules. However, it pays to spend some time working out the best settings for your business. For example, if your products are all low value, you may wish to have a low security threshold as fraud is unlikely or a risk you are willing to take. Conversely, if your products are desirable, high ticket items, then fraud settings should be high.
3D secure, also know as Verified by Visa or Mastercard SecureCode creates a virtual “card present” environment during internet transactions by asking the buyer to enter a password. 3D secure is only available for Visa and Mastercard transactions and as yet there are no similar initiatives for American Express, JCB or Diner’s Club.
The major benefit of this system is that a transaction that has been fully 3D Secure validated, cannot be charged-back to the merchant if subsequently found to be fraudulent. The merchant is protected by the card issuer against such charge backs because the bank themselves assume the liability. However, charge backs are still possible as a 3D secure validated transaction will not protect in the event of the customer denying receipt of goods.
3D secure is not universally popular with some merchants complaining of reduced conversions. Some consumers also find the extra step in the checkout process annoying.
AVS (Address Verification Service)
AVS checks the numeric values in a card holder’s address (i.e. flat or house number and numbers in the post code) given at checkout against the billing address on file for the card. Checking that the buyer knows the right billing address is an important extra check, but by no means foolproof. For example, a card owner can enter their address incorrectly, or a fraudster can have access to the card holder’s address. The AVS result can be either match, partial match or mismatch.
CV2 (a.k.a CVV and CVVC)
These are the three numbers which are on the back of the card for Visa and Mastercard, or four on the front (American Express). Their purpose is to provide some confidence that the buyer has the card in their possession as the numbers are not stored on the magnetic strip. The system is by no means infallible as the there are scripts available on the internet for generating the codes.
With experience humans can get a feeling for whether or not a transaction poses a risk. However, as transaction volumes grow, it is not possible to check each purchase individually. Fraud screening services such as Third Man automate the analysis of each transaction by looking at various elements including name, card numbers, frequency of use, delivery address, value and IP address to produce a risk score for the transaction. Fraud services are integrated into many payment gateways such as SagePay.
As well as using automated services, be aware of the following warning factors:
• Use of free email addresses with names unrelated to the name given
• Incomplete contact details
• Orders which are unusually large or have a strange combination of items
• Billing and delivery addresses different. Be especially wary if the delivery address is a hotel or guest house
• Be wary of customers who ask insist on obtaining tracking number for deliveries, they could be trying to intercept the delivery.
A good list of fraud signs can be found on the 3rdman website
Security of Common Payment Gateways
PayPal’s website payments standard product only provides seller protection for purchases which go to verified addresses. All purchases which are made using the Website Payments Pro service are ineligible for seller protection. AVS and CV2 checking are available through PayPal but 3D secure is not supported and no additional fraud screening information is available to merchants.
Google provides merchants with details of whether a transaction has passed CV2 and AVS tests. It does not support 3D secure, but does provide its own chargeback protection for eligible transactions.
SagePay allows merchants to set their own security rules for AVS, CV2 and 3D secure. It also provides a risk score for each transaction in conjunction with Third Man.