Low Cost Fraud Protection Methods
Web Commerce Today, Issue 11, June 15, 1998
As we noted in the previous article, "Fraud and Chargebacks Challenge Online Merchants," credit card fraudsters are out there to steal from merchants. If your business specializes in instant online access to your product, you'll want to seriously consider subscribing to an online fraud screening service such as those described in a companion article. But if you're trying to get started on a shoestring, here are some steps you can take to cut down your susceptibility to fraud.
We're particularly indebted in this article to "T.J. Walker's Online Fraud Prevention Tips" at AntiFraud.com.
Here are some low-cost steps nearly any merchant can use to reduce online fraud.
1. Get a full address and phone number
Insist on a full address and phone number from those who order. That way, if the order looks suspicious or is for a lot of money, you can phone the cardholder to verify the purchase. Though you can require a field to be filled in, you can't easily check to see that it is filled in with meaningful information. But this is the place to start.
2. Reject free e-mail addresses
Do not accept any online order from a free, Web-based e-mail address, since these are very difficult to track in case of a fraudulent order. AntiFraud.com's T.J. Walker says, "We have never had a fraudulent order placed through a standard, ISP-based e-mail address." The challenge is to see whether or not a specific e-mail address is a free account. You can spot yahoo.com and hotmail.com with ease. AntiFraud.com has posted a list of more than 700 free e-mail addresses. You can manually check this list, pay an annual fee to AntiFraud.com to check the list real-time, or have your programmer write a simple program to check your own list of free e-mail addresses before authorizing the order. Note: many off-the-shelf shopping cart programs may not let you get into their proprietary code to do this, but may offer some points at which authorization programs can be called. Check with the software developer and your programmer.
If you suspect something amiss with an e-mail address, you can always put a www in front of the e-mail domain and try it on your browser. If it takes you to a "get your free e-mail address" domain you'll know not to accept the charge. You'll also probably know if it belongs to an ISP or a legitimate company.
Asking for your shopper's actual e-mail address can be compared to a clerk requesting a picture ID to go along with a credit card at a store counter, or installing Caller ID on your phone so you know to whom you are talking. For those whose orders are rejected by your e-mail address check, gently explain the reason for this precaution, and ask them to use their main ISP-based e-mail address. Also offer an alternate way to order, such as by mail or phone.
3. Capture your customer's IP number
Capture your customer's IP number by asking your programmer to record the REMOTE_ADDR and HTTP_USER_AGENT environment variables in the CGI program that runs your ordering system. When you log onto the Internet using a dial-up modem, your ISP usually assigns you a temporary IP number (such as 123.78.123.92) which identifies your unique Internet connection, so the server for the Web page you are requesting knows where to send the packets of information that make up that Web page. When you log off the Internet, that temporary IP number goes back into a pool of your ISP's available IP numbers, and will soon be assigned to another of that ISP's customers who logs on. Even though the IP number isn't assigned to any one person, the ISP's log files will show who was using it at any given time. Such a log could enable you to prosecute the person for fraud. At the very least it allows you to contact the ISP and report fraud by one of its subscribers.
This method isn't foolproof, however. There are some sites that keep no IP number log files for logons. The real value, however, may be in your ability to state on your order form some of the methods you use to identify those who try to commit fraud. It's like placing a sticker on your front window stating, "This home protected by Acme Alarm Associates." It may not discourage professional burglars, but it will make amateurs think twice if they fear detection.
4. Use the AVS
Use your credit card processor's AVS (Address Verification System). This system typically captures the numeric portion of the ZIP code, and sometimes the address line of the billing address on your order form. Then it compares these with the address and ZIP code listed on the customer's credit card account. If they don't match, the charge is not authorized. Of course, this works only in the US so it doesn't stop foreign crooks. Nor will it help if the credit card owner's ID has been stolen or is being used without authorization, for example, by a family member. But used in conjunction with other methods, it will cut down your rate of fraudulent orders.
While we don't for a moment want to suggest closing your doors to the global marketplace, be extra careful of foreign credit card orders, especially those from Eastern Europe. It's hard enough to get authorities to investigate fraud in the US; it's almost impossible in a country not your own. Make sure you have a legitimate order before you ship, and then consider shipping in such a way that receipt is verified.
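The four checks above can be combined into one pre-shipment screen. The following is an added example, not code from AntiFraud.com or from this article; the form field names, the two-entry free-mail list, the 10-digit phone minimum and the `avs_match` flag (the processor's AVS answer) are assumptions. It records a UTC timestamp alongside the IP number, because an ISP can only map a temporary IP number to a subscriber for a given time.

```python
import re
from datetime import datetime, timezone

# Constructed sample list; a real shop would load its own, much longer list.
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}
REQUIRED_FIELDS = ("name", "street", "city", "zip", "phone", "email")
EMAIL_RE = re.compile(r"[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\.?")


def email_domain(address):
    """Lower-cased domain of an address, or None if it is malformed."""
    match = EMAIL_RE.fullmatch(address.strip())
    return match.group(1).lower() if match else None


def is_free_mail(domain):
    """True if the domain or any parent domain is on the free-mail list."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in FREE_MAIL_DOMAINS
               for i in range(len(labels) - 1))


def clean(value):
    """Strip control characters so a forged header cannot split a log line."""
    return re.sub(r"[\x00-\x1f\x7f]", " ", value)[:200]


def screen_order(form, environ, avs_match, now=None):
    """Return (reasons to hold the order for a phone call, audit record)."""
    reasons = ["missing " + f for f in REQUIRED_FIELDS
               if not form.get(f, "").strip()]
    phone = form.get("phone", "").strip()
    if phone and len(re.sub(r"\D", "", phone)) < 10:  # assumed US-style minimum
        reasons.append("phone number too short to call back")
    if form.get("email", "").strip():
        domain = email_domain(form["email"])
        if domain is None:
            reasons.append("malformed e-mail address")
        elif is_free_mail(domain):
            reasons.append("free e-mail domain " + domain)
    if not avs_match:  # result reported by the card processor (step 4)
        reasons.append("AVS mismatch")
    when = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    audit = {"utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
             "ip": clean(environ.get("REMOTE_ADDR", "")),
             "agent": clean(environ.get("HTTP_USER_AGENT", ""))}
    return reasons, audit
```

In a CGI program, `environ` would be `os.environ`; store the audit record with the order so it is available if a chargeback arrives later.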
If you have a low incidence of credit card fraud in your online business, consider yourself fortunate. But if you've been getting burned, using some or all of these methods will dramatically cut your fraudulent order rate.
You'll find more Anti Fraud Resources in our Electronic Commerce Research Room.