An efficient checklist to prevent fraudulent transactions

If you run an online business, you have probably run into the underside of e-commerce: online fraud. This article lists the best ways to avoid fraudulent transactions.

You have a great product, you advertised it well, and you revamped part of your website just to accommodate it. Transactions start to come in and you are very excited. A few weeks later, you suddenly find yourself dealing with a huge waste of time and money: chargebacks and/or bounced checks. You discover that the reason for the chargebacks/bounced checks is that the credit card/bank account was compromised. The only option left is to return the money and forget about the product that you probably sent (if it was a physical product). You ignored online fraud and learned your lesson, but now what?

Worry no more: here is a short checklist you can implement to prevent fraudulent transactions:

1. Never allow direct debit transactions on your site: Direct debit, a simple technique that lets you debit any account (mostly in the US and Canada) just by knowing its account number and routing number, is more prone to fraud than any other type of online transaction. Think about it: you only need to know someone’s account number and routing number to debit their account. You don’t need to know their name, their address or anything else. Payment gateways verify only these two values and ignore all other information they receive about the account (including name and address).

2. Don’t use AVS, use CVV: AVS (address verification) is extremely unreliable, and in many cases nothing is verified against it. CVV (the card’s verification code), on the other hand, is very reliable, since the buyer generally must have the credit card at hand to make the purchase. Even so, always ask for the person’s full address; you may need it in case of suspected fraud.

3. Monitor the IP of your transactions: If a transaction’s IP address originates abroad but the billing or shipping address is local, it is very likely a fraudulent transaction. Have a small script raise an alarm and stop the transaction when the country the transaction originates from differs from the country the customer claims to be in. The script should also blacklist that IP so that your system no longer processes transactions originating from it. Note, however, that it is always possible to spoof an IP.

4. Check the shipping and billing address: As mentioned above, spoofing an IP is not very complicated and there are tools to do it, so in some cases the above method will not work. However, if someone’s shipping address is overseas but their billing address is local, that is another sign of fraud. A further sign of fraud (although it can sometimes be a legitimate transaction) is a name on the card that differs from the name of the person the product is being sent to. Have another script check both cases. In these cases, do not stop the transaction; instead, allow manual processing after contacting the card owner.

5. Do not reveal your security measures: Revealing your security measures does not benefit your customers at all; on the contrary, it is very intimidating. The person committing the fraud, on the other hand, might very much appreciate your kind gesture in disclosing such information, as he will be able to figure out how to bypass your security measures.
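
The two scripts described in items 3 and 4 can be combined into one screening step. The following Python is an added example, not code from the original article; the `Order` fields, the `Screener` class, the `lookup_country` callable (a stand-in for whatever IP geolocation source you use) and the choice to compare the IP country against the billing country are assumptions, and the sample IPs are constructed.

```python
from dataclasses import dataclass

# Constructed sample data: documentation-range IPs mapped to ISO country codes.
# Stands in for a real IP geolocation source (assumption).
SAMPLE_GEO = {"203.0.113.7": "RO", "198.51.100.20": "US"}

@dataclass
class Order:  # hypothetical order record
    ip: str
    card_name: str
    recipient_name: str
    billing_country: str
    shipping_country: str

def same_name(a, b):
    # Compare names ignoring case and extra whitespace.
    return " ".join(a.lower().split()) == " ".join(b.lower().split())

class Screener:
    def __init__(self, lookup_country):
        self.lookup_country = lookup_country  # callable: ip -> country code or None
        self.blocked_ips = set()              # the IP blacklist from item 3

    def screen(self, order):
        """Return (decision, reasons); decision is 'block', 'review' or 'accept'."""
        if order.ip in self.blocked_ips:
            return "block", ["IP is blacklisted"]
        ip_country = self.lookup_country(order.ip)
        # Item 3: origin country differs from the claimed (billing) country:
        # stop the transaction and blacklist the IP.
        if ip_country is not None and ip_country != order.billing_country:
            self.blocked_ips.add(order.ip)
            return "block", [f"IP country {ip_country} != billing {order.billing_country}"]
        # Item 4: IPs can be spoofed, so address and name mismatches are not
        # blocked but held for manual processing.
        reasons = []
        if ip_country is None:  # assumption: an unlocatable IP also goes to review
            reasons.append("IP country unknown")
        if order.shipping_country != order.billing_country:
            reasons.append("shipping country differs from billing country")
        if not same_name(order.card_name, order.recipient_name):
            reasons.append("name on card differs from recipient name")
        return ("review" if reasons else "accept"), reasons

if __name__ == "__main__":
    s = Screener(SAMPLE_GEO.get)
    print(s.screen(Order("203.0.113.7", "A Buyer", "A Buyer", "US", "US")))
    print(s.screen(Order("198.51.100.20", "A Buyer", "B Other", "US", "GB")))
```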

Although there is no guarantee that you will completely stop fraud once you implement this list, it will certainly reduce it considerably. Implementing the above in our company reduced fraud to almost 0 transactions/month (the last fraudulent transaction we had was approximately 4 months ago). Note that we had around 30 per month before we implemented this list (approximately 0.25%).
