In my last article, I covered a 4-step strategy development process that gives merchants a high-level overview of what an effective strategy entails. The four steps (identify, monitor, automate, and repeat) can assist companies of all shapes and sizes, and if executed correctly, this process will ultimately mitigate and prevent countless losses incurred through fraud.
This article will cover the first aspect of a merchant’s operation that is most heavily affected by a shift to e-commerce, and drill down on some actionable suggestions that you can employ immediately after reading.
It’s the forms, stupid.
Does your website accept cash? Does your website swipe cards with a Point of Sale terminal? The answer is no. When handling physical forms of payment, it is relatively easy to identify counterfeits and refuse the transaction. When accepting payments online, the checkout system consists of a series of forms, and anyone can fill them out with any information: authentic, stolen, accurate, inaccurate, and so on. In pursuit of fraud prevention, it is vital that merchants first understand the data being submitted at the various touch-points, and second, understand and employ verification processes.
We will dive into verification processes further in the article. For now, let’s focus on credit card payment information, how a system is exploited by fraudsters and what you can do about it.
Credit Card Payment Information:
We are familiar with online checkout forms, but do we know what is going on behind the scenes? Fraudsters do. They know because they experiment with sets of information of varying degrees of accuracy during the checkout process. Payment information is obtained through various tactics and includes things like billing name, account number, CVV, billing zip, expiration date, and billing address.
When attempting a transaction on a website, some of the questions they seek to answer are: Does this form require CVV? Does this form require a billing address or billing zip? Does this form allow me to designate a secondary shipping address? Does it offer in-store or curbside pickup? Telephone orders? And so on. The information required on checkout forms is thoroughly analyzed by fraudsters seeking to author new methods. Next, we can cover how this contributes to a fraudster’s operation.
How a System is Exploited by Fraudsters:
When I was operating as a fraudster, I called this method of discovery “Checklist Building”, and those were the types of questions I sought answers to. The process was simple enough, as there was a mountain of information to experiment with. The results of my “research” painted a picture that holds true to this day: everyone is vulnerable at some level. By filling in the required fields on a checkout and monitoring the fulfillment, it became clear what information was being verified on the back end and what level of payment information was required for a successful transaction.
What You Can Do About It
When conducting in-house manual transaction analysis, it is crucial to understand what these data points indicate, how they are determined, and how your system handles different events.
When using a bare-bones e-commerce platform (such as Shopify) and a payment gateway (like Authorize.net), you should be able to identify about 7 data points on which to base accurate determinations. Below I have outlined what the data points are and how they are verified.
1. Card Number – Verified
On its own, a card number is deemed ‘verified’ if the number passes the MOD10 / Modulus 10 / Luhn algorithm check.
2. Expiration Date – Verified
Checked only for whether the date lies in the past (expired) or in the future.
3. CVV – Verified
The code indicates whether or not the entered CVV matches what is on file with the issuer.
4. Cardholder Account Name – Not verified
When dealing with an out-of-the-box platform, the billing name can be anything, and the order will move forward.
5. Billing Address – Verified
Using the Address Verification Service (AVS), the three numerical values (street number, ZIP code, and ZIP+4) are verified with the issuing bank. The response code indicates how accurately the submitted information matches what is on file with the issuer. The AVS response code can also indicate whether the registered billing address is foreign, unregistered, and more.
6. Shipping Address – Not Verified
There is no mechanism that verifies shipping addresses with the issuing bank.
7. Historical data – Not Verified
Although not verified by an issuer, historical data is very useful for making accurate determinations on accounts whose transactions appear suspicious at first glance. By escalating suspicious orders to a secondary verification process, you can begin to whitelist a number of customers.
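The MOD10 / Luhn check from item 1, as an added example (not code from the article or from any gateway): it shows what “verified” means for a card number on its own, and why a passing check is only a format check, not confirmation from the issuer. The length bounds are this example’s own assumption.

```python
# Added example: the MOD10 / Luhn check a gateway applies to a card number
# on its own, before any contact with the issuer. Passing means only that
# the digits are self-consistent; it says nothing about whether the account
# exists, is open, or belongs to the person at the checkout.

def luhn_is_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (MOD10) check."""
    digits = [int(c) for c in pan if c.isdigit()]
    # Practical PAN length bounds (assumption, not part of Luhn itself).
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit from the right,
    # subtracting 9 from any doubled value above 9 (same as summing its digits).
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def verification_level(pan: str) -> str:
    """Label what the Luhn check alone can tell a merchant about a number."""
    if not luhn_is_valid(pan):
        return "rejected: fails MOD10"
    return "format-valid only: the issuer has not verified this number"


if __name__ == "__main__":
    # Constructed sample inputs: the well-known Visa test PAN, the same
    # number with its last digit changed, and a string that is too short.
    for sample in ("4111 1111 1111 1111", "4111111111111112", "12345"):
        print(sample, "->", verification_level(sample))
```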
After reading this list, you should have a decent idea of your current checkout form and the verification process behind it. It is important to note that, among these 7 data points, there are actionable relationships that can assist your transaction analysis.
For example, although the shipping address is not verified by the issuer, the billing address is. If the billing address is verified with a code X (meaning that all three numerical values are a 100% match) and the shipping address matches the billing address, you can say that the package is being sent to the verified billing address. Success! Conversely, if the billing address is verified but the shipping address doesn’t match, you should understand that the package is being sent to an unverified address.
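The billing-versus-shipping relationship above, worked through as an added example (not code from the article or from Shopify or Authorize.net): it combines the issuer-verified data (AVS code, CVV match) with the unverified shipping address to decide whether the package is going to a verified address. The AVS codes are the common Authorize.net-style set; the action labels, the groupings, and the way addresses are normalized are this example’s own assumptions.

```python
# Added example: combining issuer-verified billing data with the unverified
# shipping address. AVS codes follow the common Authorize.net-style set;
# the action labels and groupings below are assumptions for illustration.

AVS_FULL_MATCH = {"X", "Y"}       # X: street + 9-digit zip; Y: street + 5-digit zip
AVS_PARTIAL = {"A", "Z", "W"}     # only street, only 5-digit zip, only 9-digit zip
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "G", "S", "R", "E"}  # unavailable / non-US / unsupported / retry / error


def normalize(addr: dict) -> tuple:
    """Reduce an address to the numeric parts AVS actually compares (assumption)."""
    street_number = addr["street"].strip().split(" ")[0]
    zip5 = addr["zip"].replace("-", "")[:5]
    return street_number, zip5


def classify_order(avs_code: str, cvv_match: bool, billing: dict, shipping: dict) -> str:
    """Decide what the verified and unverified fields together tell us."""
    ship_matches_bill = normalize(billing) == normalize(shipping)
    if not cvv_match:
        return "decline: CVV mismatch"
    if avs_code in AVS_FULL_MATCH and ship_matches_bill:
        return "approve: shipping to issuer-verified billing address"
    if avs_code in AVS_FULL_MATCH:
        return "review: billing verified but package goes to an unverified address"
    if avs_code in AVS_PARTIAL or avs_code in AVS_UNAVAILABLE:
        return "review: billing address only partially verified or unavailable"
    return "decline: billing address does not match issuer records"


# Constructed sample addresses (not real customers).
BILLING = {"street": "123 Main St", "zip": "89101-1234"}
SHIP_SAME = {"street": "123 Main Street", "zip": "89101"}
SHIP_OTHER = {"street": "456 Other Ave", "zip": "90210"}

if __name__ == "__main__":
    for code, cvv, ship in (("X", True, SHIP_SAME), ("X", True, SHIP_OTHER),
                            ("N", True, SHIP_SAME), ("U", True, SHIP_SAME),
                            ("Y", False, SHIP_SAME)):
        print(code, cvv, "->", classify_order(code, cvv, BILLING, ship))
```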
This article has been contributed by Alex Hall, a former fraudster who spent ten years successfully operating in the Las Vegas fraud scene. Today, he is the Principal at Dispute Defense Consulting, a full-spectrum fraud mitigation consulting agency that aims to help merchants build a comprehensive defense against fraud across many aspects of their systems.