
Introduction to Fraud

Version 4.2 – March 2013


Business Gateway
Table Of Contents

About this Guide
    Update History
    Copyright
Introduction
    What is Introduction to Fraud?
    Common Types of Fraud
    What We Provide
    What You Can Do
    Keep Informed
    Chargeback Losses
Tools We Provide
    Capture Delay
    Cardholder Authentication
    Avoiding Chargebacks Due to Fraud
    AVS / CVV2 / CVC - Address/Security Code Verification Services
    Risk Management Service
    What the Risk Management Results Mean and What Action is Needed
Checks to Make
    Name and Contact Checks
    Email and IP Address Checks
    Address Checks
    Order Checks
    Delivery Checks
    Country Checks
    High-Risk Countries
    Pattern Checks
Procedures to Adopt
    Define Your Risks
    Order Acceptance
    Respond to Alerts
    Screening
    Payment Methods
    Customer Registration
    Delivery Procedure
    Website Warning
    Communications
When You Suspect Fraud
    Taking Action
    Communicating with Your Shopper
Chargebacks - Avoiding Losses
    Avoiding Chargebacks Due to Fraud

About this Guide


This guide describes how to manage fraud and provides information about:

- The fraud prevention measures that WorldPay and our banking partners use.
- The checks you can make and the procedures you can adopt when making decisions
  about shipping orders.

Use this guide in conjunction with the Cardholder Authentication Guide and the Payment
Notifications Guide, which provide detailed information about specific tools and measures.

Update History

Version | Change description | Date | Affected Pages
--- | --- | --- | ---
4.2 | Minor updates. | March 2013 | Page 10
4.1 | Fixed errors. Added information about American Express SafeKey. | September 2012 | All pages
4.0 | Gateway and guide name added to navigation path. | December 2011 | All pages
3.0 | WorldPay rebrand. | July 2011 | All pages

Copyright
© WorldPay (UK) Limited

While every effort has been made to ensure the accuracy of the information contained in this
publication, the information is supplied without representation or warranty of any kind, is
subject to change without notice and does not represent a commitment on the part of
WorldPay (UK) Limited. WorldPay (UK) Limited, therefore, assumes no responsibility and
shall have no liability, consequential or otherwise, of any kind arising from this material or any
part thereof, or any supplementary materials subsequently issued by WorldPay (UK) Limited.
WorldPay (UK) Limited has made every effort to ensure the accuracy of this material.


Introduction
What is Introduction to Fraud?
Put simply, this introduction to fraud is about how you can maximise profit and reduce your
losses due to fraud when you are trading online.

Online trading has massive potential; unfortunately, its very success attracts fraudsters of
many kinds: some use stolen cards or stolen card details and passwords, others deny
receiving goods and demand refunds - and, as you will see in this guide, there are many
other ways fraudsters will attempt fraud.

To counter fraud, and to help protect you from losses, we provide a range of automated
anti-fraud measures that operate within our payment service and across our connections to
bank systems; we carry out fraud checks on every card-based transaction we process.

Although these measures offer a high degree of protection - you can think of them as your
first line of defence - you can add additional measures to further improve your defences
against fraud.

For example, if your business handles a small number of high value transactions per day, an
effective measure could be to manually review each transaction. This might not be realistic if
you handle a large number of transactions, but there are other options open to you. This
guide describes a range of procedures and checks that you should consider adopting within
your overall anti-fraud strategy.

Managing fraud with a sensible combination of manual checks and business-specific
procedures, along with our automated measures, could save you from direct losses due to
fraud and may also save you from indirect losses due to fraud-related chargebacks.

Example Alerts Procedure

Procedures do not need to be complex to be effective; the example below illustrates a
straightforward business-specific alerts procedure.

To the Staff of One Stop Shop

Alerts Procedure

- Manually review any transaction that has generated a Warning alert from the Risk
  Management service.
- Manually review any transaction over £30 that has generated a Caution alert from the
  Risk Management service.


Common Types of Fraud


If fraud does occur, it will most likely be in one of these ways:

Third Party Fraud

Where the fraudster uses card details of another person.

- Fraudulent purchase – In this case the fraudster’s aim is to use the anonymity
  provided by the Internet to obtain goods for delivery often to a foreign, temporary or
  unoccupied address using fraudulently-obtained cards or card details.
- Card verification testing - In this case the fraudster’s main aim is to use your
  website as an entry point into the card authorisation system.

  The fraudster may have a batch of card numbers and will place a dummy order on
  your site with each card number in turn to discover if the card is authorised or not. An
  authorised card will probably be used later in a fraudulent purchase, very often with
  another website rather than just yours. Generally, the billing/delivery detail is
  incorrect and often completely meaningless, as this kind of fraudster typically doesn’t
  expect or want delivery.

  Sadly, charity sites are often targeted by this kind of fraudster. Note that you may still
  be liable for chargebacks with this type of fraud.

First Party Fraud

Where the real cardholder is involved.

- Refund or chargeback fraud - In this case the genuine cardholder falsely denies
  having ordered and/or received goods, and then claims either a refund or a
  chargeback.
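
Card verification testing, as described above, shows up in your own order records as one source trying many different cards in a short time. The following is an added example, not part of the original guide or of any WorldPay tool, that flags that pattern; the log layout, the 10-minute window and the threshold of three cards are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window per source IP
MAX_DISTINCT_CARDS = 3          # assumed: more distinct cards than this is suspicious

# Constructed sample order log (not real data). Columns: time, source IP,
# card token (never store or log the raw card number), authorisation outcome.
SAMPLE_ORDERS = """\
2013-03-01T10:00:05 203.0.113.7 tok_a1 REFUSED
2013-03-01T10:00:41 203.0.113.7 tok_b2 REFUSED
2013-03-01T10:01:10 198.51.100.20 tok_z9 AUTHORISED
2013-03-01T10:01:32 203.0.113.7 tok_c3 AUTHORISED
2013-03-01T10:02:02 203.0.113.7 tok_d4 REFUSED
2013-03-01T10:02:30 203.0.113.7 tok_d4 REFUSED
2013-03-01T10:40:00 198.51.100.20 tok_z9 AUTHORISED
2013-03-01T11:30:00 203.0.113.7 tok_e5 REFUSED
"""


def parse_orders(text):
    """Parse the whitespace-separated log into dicts sorted by time."""
    orders = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, outcome = line.split()
        orders.append({"time": datetime.fromisoformat(ts), "ip": ip,
                       "card": card, "outcome": outcome})
    return sorted(orders, key=lambda o: o["time"])


def find_card_testing(orders, window=WINDOW, max_cards=MAX_DISTINCT_CARDS):
    """Return {ip: alert} for sources that tried too many cards within `window`.

    Each alert lists the cards seen in the burst and which of them were
    authorised, since those are the cards likely to be reused for fraud.
    """
    recent = defaultdict(deque)  # ip -> orders still inside the window
    alerts = {}
    for order in orders:
        queue = recent[order["ip"]]
        queue.append(order)
        # Drop orders from this IP that have aged out of the window.
        while order["time"] - queue[0]["time"] > window:
            queue.popleft()
        cards = {o["card"] for o in queue}
        if len(cards) > max_cards:
            alert = alerts.setdefault(
                order["ip"],
                {"first_seen": queue[0]["time"], "cards": set(), "authorised": set()},
            )
            alert["cards"] |= cards
            alert["authorised"] |= {
                o["card"] for o in queue if o["outcome"] == "AUTHORISED"
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in find_card_testing(parse_orders(SAMPLE_ORDERS)).items():
        print(ip, sorted(alert["cards"]), "authorised:", sorted(alert["authorised"]))
```

Authorised orders inside a flagged burst are the ones to look at before capture, and the source address is a candidate for a block in the Risk Management service.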

What We Provide
We provide a number of automated tools and measures to help combat fraud. These are
described in Tools We Provide. The tools make standard checks, in real-time, on every
transaction we process by communicating with the card issuer, to ensure that:

- The card number is valid.
- The card has not expired.
- The card is not recorded as lost or stolen.
- There are available funds in the account.

We also enable real-time checks on the card details entered by shoppers, by using whichever
anti-fraud measures your account employs. As part of our standard service we communicate
with card issuers, who operate any of the following checks, to verify details entered by
shoppers:

- Address Verification Service (AVS): The card issuer makes checks on the address
  details entered by shoppers.
- Card Verification Code (CVV2, CVC, CSC): Banks and card issuers check the
  security codes that are printed, but not embossed, onto cards.
- Cardholder Authentication including Verified by Visa, MasterCard SecureCode for
  MasterCard and Maestro, and American Express SafeKey: The shopper enters a
  password to confirm their identity directly with their card issuer.

Our Risk Management service also monitors transactions and provides automated alerts
indicating possible/probable fraudulent transactions. You can make the Risk Management
service more effective by tailoring its fraud checking to suit your business needs and
experience.

AVS, CVV2 and cardholder authentication are free as part of our standard payment
processing services. However, you will need to register for the cardholder authentication
schemes by contacting us. We then contact the card issuer on your behalf. Note that the
registration process can take a few days.

What You Can Do


You should develop a strategy of your own to manage fraud. This strategy will consist of a
process to identify and assess the risk of a transaction, criteria for accepting, reviewing or
rejecting the transaction and steps to take as part of a review process.

You should use our automated tools as part of your overall strategy. Some of these tools will
help you identify and highlight risk, while others will provide additional information and some
protection from chargebacks.

For more information on the checks and procedures we suggest incorporating within your
strategy, please refer to Checks to Make and Procedures to Adopt.

Fraudsters usually use 'phishing' techniques to obtain passwords as well
as card details from cardholders. This means, for example, that the only
clue you may get about an attempted fraud is suspicious
delivery instructions, such as 'Leave it on the step'.

Keep Informed
You should always keep abreast of the scams and rackets operated by online fraudsters.
There are a number of useful web sites dedicated to fighting fraud which can be used to find
up-to-date information including http://www.cardwatch.org.uk/.

Fraud often targets the weakest link, and as the payment environment changes fraud will
adapt. The successful roll-out of Chip and PIN has provided significant protection for
merchants trading in the cardholder-present environment, but it has increased fraud pressure
on the cardholder-not-present environments of mail order, telephone order and ecommerce.

As the various authentication technologies become more widespread, identity theft is
becoming ever more common and it is very likely that you will encounter fraudsters
attempting to use stolen identities, account details and even passwords on your website.

Some fraudsters are very tech-savvy and produce highly convincing scams to obtain financial
details, for example, email phishing.

- Phishing - emails and telephone calls supposedly from a bank or supplier requesting
  account, PIN and password information. These scams vary widely in their
  sophistication, from elementary to very complex and convincing, but most are
  successful because of their scale.

  Large numbers of people (sometimes hundreds of thousands) are targeted and even
  a small success rate means that substantial numbers of people do hand over PINs
  and passwords along with account details. The risk to you is the fraudulent use of
  these details on your website, which can be difficult to detect.

- Pharming - where website traffic is redirected to a bogus website. The bogus site
  can then gather account and card details from shoppers. Pharming can be done in a
  number of ways, by placing advertising to direct shoppers to the bogus site or by
  viruses changing files on a victim's computer or DNS server for example.

Chargeback Losses
Although you might not be able to avoid chargebacks due to fraud completely, you can
reduce your losses by adopting appropriate procedures, as described in this guide.

If you are enabled for Verified by Visa, MasterCard SecureCode for MasterCard and Maestro,
and American Express SafeKey, you can benefit from Liability Shift, where you can be
protected from certain fraud-related chargebacks on card transactions.

Please refer to the chapter Chargebacks - Avoiding Losses for more information.


Tools We Provide
You can use the following features and automated tools to prevent fraud:

- Capture Delay: Enables you to specify a delay between the authorisation of a
  payment and its capture (its actual payment). This provides you with additional time
  to assess whether a transaction may be fraudulent and to avoid the need to refund
  the cardholder if you decide not to fulfil the order.
- Cardholder Authentication: Verified by Visa, MasterCard SecureCode for
  MasterCard and Maestro, and American Express SafeKey are cardholder
  authentication schemes that enable cardholders to identify themselves by supplying
  a password when shopping online. By enrolling in authentication schemes, you can
  protect your business from certain fraud-related chargebacks.
- Liability Shift: Where you are protected from fraud-related chargebacks on Visa,
  MasterCard, Maestro and American Express transactions in scenarios where the
  cardholder did not make the purchase.
- AVS / CVV2: Address Verification Service (AVS) and Security Code Verification (or
  Card Verification Value - CVV2) are checks offered by card issuers. These checks
  help to confirm the identity of the shopper by comparing information entered by the
  shopper during the payment process with details held by the card issuer.
- Risk Management service: Provides additional information on the potential fraud
  risk of a transaction. The service monitors each transaction and provides automated
  alerts indicating possible/probable fraudulent transactions. You can use your
  business experience to tailor the Risk Management service settings to make it a
  more effective fraud checking tool. Additionally, the Risk Management service:
  - Blocks transactions in which specific risk criteria are identified. For more
    information, see Blocked Transactions.
  - Issues warning and caution alerts if inconsistencies or discrepancies are
    identified in a transaction. For more information, see What the Risk
    Management service Results Mean.

For more information about these tools and features, see the appropriate guide.

If you suspect that a purchase might be fraudulent, ensure that you
perform further manual procedures to check that the transaction is valid.

Capture Delay
For more information about Capture Delay, see the Payments & Orders Guide.

Capture Delay enables you to specify a delay between the authorisation of a payment and its
capture. This can be helpful when determining whether you should fulfil an order since it
allows you time to assess a transaction.


When a payment has been delayed in this way, it means that the funds have been reserved
by the card issuer, but they will only be transferred either:

- At the end of the delay period when an automatic delay expires, if you are using
  automatic capture.
- When you manually capture the payment using the Merchant Interface.

Automatic Capture

You can use the Merchant Interface to activate the automatic capture delay for credit card
payments and certain ELV payments (used in some European countries), and to set the
number of days delay for the automatic capture. To avoid the risk of authorisations expiring,
check that you use an appropriate length of the delay period.

This feature depends on the ELV acquirer, and has to be activated for you
by WorldPay.

We recommend no more than 5 days. However, some card issuers/types
can time-out in a shorter period of time.

Manual Capture

Once again, you should take care with the length of the delay to avoid the risk of
authorisations expiring.

After an authorisation has expired, capture is no longer possible and the
order has to be re-authorised, which means that it will have to be
re-submitted to our payment service and authorised once again by the card
issuer.

Cardholder Authentication
This topic is fully described in the Cardholder Authentication Guide; please refer to it for
further details.

Verified by Visa, MasterCard SecureCode for MasterCard and Maestro, and American
Express SafeKey are cardholder identity authentication solutions, which allow cardholders to
confirm their identity by supplying a password when shopping online. Cardholder
authentication therefore reduces instances of online fraud.

Fraudsters use 'phishing' techniques to obtain card details and passwords
from cardholders. Ensure that you remain alert even with authentication in
place.


The results of these checks are also fed into the Risk Management service, which monitors
transactions and warns you of possible fraudulent transactions. Please refer to Risk
Management service for details.

Additionally, you are protected from certain fraud-related chargebacks on card transactions,
where the cardholder did not make the purchase. For more information, please refer to
Chargebacks - Avoiding Losses.

Verified by Visa, MasterCard SecureCode and American Express SafeKey

For more information about the various authentication schemes, see the following websites:

- Verified by Visa (Europe)
  (http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx)
- Verified by Visa (USA)
  (http://www.usa.visa.com/business/accepting_visa/ops_risk_management/vbv.html)
- Visa Asia Pacific (http://www.visa-asia.com/ap/index.shtml) - Select your country
  from the list box, navigate to Merchants > Products and Technology, and then
  select Verified by Visa.
- MasterCard SecureCode
  (http://www.mastercard.com/securecode/securecode_main.html)
- Maestro SecureCode
  (http://www.mastercard.com/securecode/securecode_main.html)
- American Express SafeKey (http://www.amexsafekey.com/skmfaq)

Avoiding Chargebacks Due to Fraud


When a shopper uses a card in person, checks can be carried out at the point of sale (for
example, with a signature check), and the card scheme rules ordinarily require the issuer
to bear losses.

With online transactions, there is usually no written evidence that the cardholder used the
card or that they received the goods or services. The liability for losses related to online
transactions therefore lies with you. Although you might not be able to avoid fraud-related
chargebacks completely, you can reduce your losses by adopting appropriate procedures, as
described in this guide.

You can also benefit from Liability Shift by enrolling with the cardholder authentication
schemes such as Verified by Visa, MasterCard SecureCode for MasterCard and Maestro,
and American Express SafeKey. Please contact us to enroll.

Chargeback Liability Shift

If you are enabled for cardholder authentication schemes you can protect your business from
certain fraud-related chargebacks on card transactions.

According to Visa, over 80% of all chargebacks fall into the fraud-related category. Liability for
this type of chargeback passes from the merchant to the card issuer, even if the card issuer
is not a participating member of the scheme or if the cardholder is not enrolled.


These authentication schemes are designed to increase confidence in online shopping and to
reduce your exposure to fraud. For more information about authentication schemes, please
refer to the Cardholder Authentication Guide and Cardholder Authentication.

Note that some card schemes do not support authentication or Chargeback
Liability Shift, which means that you are liable for chargebacks rather than
the card issuer.

AVS / CVV2 / CVC - Address/Security Code Verification Services
The Address Verification Service (AVS) and Card Verification Value or Card Verification
Code (CVV2, CVC) were launched by the Card Schemes, such as Visa, MasterCard, and
AMEX, to provide a mechanism for checking the authenticity of a transaction by comparing
information entered by the shopper during the payment process, with details held by the card
issuer.

Both services are available to all of our merchants as standard at no extra cost. Please note
that although most card issuers support these checks, some do not.

We support these services in conjunction with banks and card issuers. We pass the
information entered by the shopper to our banking partners who pass it to the card issuer for
comparison with their records. The results of the comparison are then passed back to you.
The card issuer must support AVS (and/or CVC/CVV2) in order that the comparison can take
place.

You can examine the results of these checks (as shown in the table below) in the Merchant
Interface and the confirmation email. The results are also fed into the Risk Management
service, which may generate an alert if one or more of the checks fail. Please refer to What
the Risk Management service Results Mean for details.

Where the card issuer does not provide AVS (and/or CVC/CVV2) support, a 'not checked'
response is returned.

Address Verification Service

AVS enables elements of the billing address and postcode, entered by the shopper, to be
compared against the card issuer's records during the payment process. The billing address
must be the address to which the card statement is currently sent, and must match the
address held by the Card Issuer. Results for the address and postcode are returned
separately. Note that AVS is not widely used outside the UK and USA.

Security Code Verification

The Security Code Verification service enables the card security code entered by the shopper
to be compared against the card issuer's records during the payment process.

The card security code is a number printed on the card. The number is not embossed on the
card, nor is it encoded in the magnetic stripe; it is not printed on receipts etc, making it harder
for anyone other than the person reading from the card to know what the code is. This helps
prevent 'cardholder not present' fraud. Security codes are now printed on the vast majority of
credit/debit cards.


The format and position of the security code vary across card schemes. Some cards have a
three-digit number printed at the end of the card's signature strip. Some cards (AMEX, for
example) have a four-digit number on the front of the card.

Some card issuers refer to this number as the 'Security Code', others as the 'personal
security code' and others as 'Card Verification Value'. In addition, it may also go by the name
of 'CVV2' for Visa Cards, 'Card Verification Code' (CVC) for Mastercard/Eurocard and
'Security Code' for AMEX cards. Our payment page offers guidance to the shopper as to
which number is the Security Code.

AVS and Security Code Results

Value | Result | Description
--- | --- | ---
1 | Not Checked | The request to verify the data has not been completed. This response is usually generated for one of the following reasons: the service is not supported by the issuer; the service may be temporarily unavailable.
2 | Matched | The data supplied matched when compared to the data held on the Card Issuer’s System.
4 | Not Matched | The data did NOT match when compared to the data held on the Card Issuer’s System. This response does not necessarily mean the transaction is fraudulent, but further enquiries with the shopper before progressing the transaction are recommended.

Risk Management Service


This topic is fully described in the Fraud Screening Guide; please refer to it for further details.

The Risk Management service monitors each transaction and provides automated alerts
indicating transactions with elevated risk. This helps you to make a more informed decision
on whether or not to ship goods.

The automated alerts are sent to you via the methods listed below:

- The transaction confirmation email.
- A risk result, shown in the financial statements in the Merchant Administration
  Interface. For more information, please refer to What the Risk Management Service
  Results Mean.
- Our Payment Notifications (Callbacks) service, which sends information about each
  transaction back to your server when the transaction is complete.

Note that the results of the other automated tools, such as AVS/CVV and
authentication, are also fed into the Risk Management service.


You can make the Risk Management service more effective by tailoring its fraud checking.
You may create extra blocking filters (or 'blocks'), to detect and block various shopper details,
based on your previous experience. For example, your added filters could detect - and block -
orders from known fraudulent shopper names, or various ranges of email and IP addresses.

Please refer to Screening in Procedures to Adopt for further details, and contact us if you
want to apply country blocks.

No Risk Result

If no risk result is shown on a transaction, this indicates that no alert was issued from the Risk
Management service for that transaction.

However, this does not necessarily guarantee that it is a good transaction; standard
cautionary measures should also be taken before shipping. For more information, please
refer to Checks to Make and Procedures to Adopt.

Blocked Transactions - What You and the Shopper will See

Generally we pass on indications of risk to you so that you may make further investigations.
However, we may very occasionally block transactions where specific risk criteria have been
identified.

What You Will See


Blocked transactions will be reported as 'Refused' in the Merchant Interface, as shown in the
following table.

Refused (Merchant) | This transaction has not been processed, as it matches the criteria that you have specified to decline. The shopper is advised to contact you for further information.
Refused (WorldPay) | This transaction has not been processed, as it matches target criteria specified in WorldPay anti-fraud systems. The shopper is advised to contact you for further information.

What the Shopper will See


If a transaction is declined, the shopper will be presented with the following message.

Return to Pay Page

We are unable to process the transaction at this time. Check you have
entered the correct details or retry with another card. Alternatively,
contact the merchant to arrange an alternative means of payment.

The option to retry with another card allows legitimate shoppers to consider their options.


Note that all refused transactions will continue to be reported in the
Merchant Interface and the shopper will be advised, whilst trying to pay,
that the transaction was ‘not authorised’.

Scope of Blocked Transactions for Multiple Merchant Ids

This section is relevant only if you have a number of Merchant Ids within an Administration Id.

Generally, when you set a block with the Risk Management service, the scope of the block
will be at the Administration Id level, that is, it will apply to all of your Merchant Ids within your
Administration Id.

Please contact us if you want to be able to specify blocks that are specific to particular
Merchant Ids.

What the Risk Management Results Mean and What Action is Needed
The following table provides explanations of the Warning and Caution alerts issued by the Risk
Management service, and recommends how you should respond.

Such warnings are purely for your information - the shopper is NOT alerted. If the transaction
has been authorised by the bank, the shopper will assume that the transaction is being
processed. Shoppers are alerted only if a transaction is actually blocked - please refer to
Blocked Transactions - What You See for details.

Risk result | What does it mean? | What do I do about it?
--- | --- | ---
CAUTION | A Caution indicates inconsistencies in the transaction characteristics that warrant further checks. These inconsistencies may be based on discrepancies in the billing or email address details. For example the email address is incorrectly formatted or the email domain does not exist. | You may wish to carry out further checks before fulfilling the order. For example, send an email to the shopper's email address to confirm that it exists.
WARNING | Whilst not generated by absolute evidence of fraud, a Warning indicates a greater level of doubt concerning the transaction than does a Caution. For example, the card issue country does not match the billing address country. | We strongly recommend that you carry out further checks before fulfilling the order.

Note that where an Address Verification and country code comparison
produces a 'match' result but a Warning or Caution alert is still generated
we recommend that you carry out further checks, as described in Checks
to Make.

Please also refer to When You Suspect Fraud if you wish to take further action.

Additional Information About the Reason for an Alert

Unfortunately, we cannot provide you with additional information regarding the exact reason
for an alert. The parameters used by the Risk Management service to provide you with alerts
may change over time, and it is important that we protect the details of its operation to make it as
difficult as possible for fraudsters to circumvent the system.

We are also prevented by Data Protection legislation from divulging details of specific
shoppers' purchasing activities with other merchants other than to the proper authorities.


Checks to Make
This chapter describes the checks you can make as part of your strategy for managing fraud.
We strongly suggest that you consider the checks described in this chapter, and implement
those with specific relevance for your type of business.

The checks can be incorporated into your managing fraud procedures. Please refer to
Procedures to Adopt for more details.

Note that when you identify high-risk names, email addresses and IP
addresses by using the checks, you can update the referral lists in the Risk
Management service to provide blocks against them.

Name and Contact Checks


The following checks can help to identify a fraudster. You should consider implementing them
as risk indicators in your managing fraud procedures:

- A shopper whose name is not correctly formatted and/or shows nonsense details.
- A mobile phone as the contact number.
- Check that the area code of the phone number matches with the address by using
  one of the free web-based look-up programs such as (UK only)
  http://www.ukphoneinfo.com/section/tci/locator.shtml.
- Check the shopper name with Directory Enquiries
  http://www.bt.com/directory-enquiries/dq_home.jsp (UK) and http://www.infobel.com
  (outside the UK) to verify the address and telephone number.

Small discrepancies in shopper name and contact information carry a lesser overall risk, as
shoppers sometimes make minor errors when entering their details.

The Risk Management service enables you to automatically block transactions from specified
cardholder names.

Email and IP Address Checks


The following checks can help to identify a fraudster. Consider implementing them as risk
indicators in your managing fraud procedures:

- Email - free-site email addresses (for example, noname@mail.com) carry a higher
  risk than those provided by an ISP that requires the user to register properly (for
  example, noname@aol.com). Free email also offers a route to create a
  convincing-looking address such as drwatson@consultant.com.
- Check email addresses - try opening the domain of the email in a browser (such as
  www.consultant.com in the above example). You may find the domain isn't registered
  or is registered in another country.

  If the domain looks ok, send an email to the email address supplied to confirm that it
  exists; if it doesn't, the email may be returned by your email server as undeliverable.
  Note that the delay before the response is received depends on your email server and
  may be several hours. To determine the typical delay, you should send some test mails
  to non-existent email addresses.

  Shoppers often make mistakes when entering their email addresses and some of
  these are easy to pick up, such as another character where the '@' symbol should
  be, misspelling of .co.uk, .com, etc. You may also be able to detect obvious
  misspelling by comparing the name with the email address.
- If you aren't able to identify an obvious problem and if email to the address cannot be
  delivered, you should try to contact the shopper on the telephone number provided.
- IP address - the IP address is a unique identifying number given to a PC, usually by
  an Internet Service Provider (ISP), when it connects to the internet. An ISP will reuse
  IP addresses as users connect and disconnect but the addresses will always be from
  a specific range allocated to the ISP.

  Check the IP address supplied on the order confirmation with Free IP Address
  Lookup at http://www.ip-to-location.com/free.asp and verify that the IP country
  matches the billing country.

The Risk Management service enables you to automatically block transactions from IP
addresses that you know from experience have been associated with fraud in the past. As IP
addresses are re-used, blocking a single address is usually a short-term remedy as the
shopper can reconnect to the ISP and get a new IP address. Screening a range of addresses
is much more powerful.

However, blocking any address should be approached with caution. You could easily block a
very wide range of addresses and accidentally include a significant portion of another ISP’s
users such as AOL.
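
The trade-off described above (a single blocked address is soon replaced, but a range that is too wide catches genuine shoppers) can be made explicit before a block is submitted. The sketch below is an added example, not part of the Risk Management service or this guide: the ReferralList class, the covering_range helper and the /20 width limit are assumptions, and the addresses are constructed documentation values.

```python
import ipaddress

# Assumption (not from the guide): one referral-list entry may cover at most
# a /20, i.e. 4,096 IPv4 addresses. Tune this to your own shopper base.
MIN_PREFIX = 20


def covering_range(addresses, min_prefix=MIN_PREFIX):
    """Return the smallest IPv4 network containing every address given."""
    addrs = [ipaddress.IPv4Address(a) for a in addresses]
    if not addrs:
        raise ValueError("no addresses supplied")
    net = ipaddress.IPv4Network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit until everything fits
    if net.prefixlen < min_prefix:
        raise ValueError(f"{net} is too broad to block; review the addresses individually")
    return net


class ReferralList:
    """Hypothetical local record of the IP blocks you ask the service to apply."""

    def __init__(self, min_prefix=MIN_PREFIX):
        self.min_prefix = min_prefix
        self.entries = {}  # IPv4Network -> reason for the block

    def add(self, cidr, reason):
        net = ipaddress.IPv4Network(cidr, strict=False)
        if net.prefixlen < self.min_prefix:
            raise ValueError(f"refusing {net}: wider than /{self.min_prefix}")
        if any(net.subnet_of(existing) for existing in self.entries):
            return False  # already covered by an equal or wider entry
        for narrower in [e for e in self.entries if e.subnet_of(net)]:
            del self.entries[narrower]  # the new range supersedes these
        self.entries[net] = reason
        return True

    def check(self, ip):
        """Return (network, reason) for a blocked address, or None."""
        addr = ipaddress.IPv4Address(ip)
        for net, reason in self.entries.items():
            if addr in net:
                return str(net), reason
        return None


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation addresses).
    blocks = ReferralList()
    blocks.add("198.51.100.17", "chargeback on a constructed order")
    print(blocks.check("198.51.100.93"))  # new address from the same pool
    pool = covering_range(["198.51.100.17", "198.51.100.93"])
    blocks.add(str(pool), "repeat fraud from one address pool")
    print(blocks.check("198.51.100.93"))
```
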


Address Checks
The following checks can help to identify a fraudster. Consider implementing them as risk
indicators in your managing fraud procedures.

Address checking is a very useful measure. A fraudster who has obtained card data by
copying elements from a card will not usually have the genuine user's billing address so must
invent one.

The following are indicators of elevated fraud risk:

- a shopper who provides an incomplete billing address
- a shopper who refuses to confirm their credit/debit card and billing address details to
  you
- delivery address not the same as the billing address
- an export delivery address, particularly to certain countries (please refer to the table
  in Country Checks for a list of high risk countries)
- temporary address such as a hotel or boarding house
- check the shopper name with Directory Enquiries
  http://www.bt.com/directory-enquiries/dq_home.jsp (UK) and http://www.infobel.com
  (outside the UK) to verify the address and telephone number.

None of these indicators are absolute evidence of fraud. For example, a shopper could be on
holiday, in which case the delivery address may not match the billing address.

Small discrepancies in shopper address/location information carry a lesser overall risk, as
shoppers often make minor errors when entering their details.

Order Checks
The following checks can help to identify a fraudster. Consider implementing them as risk
indicators in your managing fraud procedures:

- a shopper ordering unusually large amounts of an item without any preference for the
  size, colour, make or model
- an existing shopper who suddenly orders an unusually large volume of goods
- a small order or, conversely, a big order
- top-of-the-range item or multiples ordered
- a repeat order shortly after the first, which is in itself unusual
- call the phone number to confirm the order details and check that the number and
  shopper exist.

If it is normal for your shoppers to buy from you repeatedly in a short period
of time, and you correspondingly receive false alerts from our Risk
Management service, please contact us and we will review your alert
parameters.


Delivery Checks
The following checks can help to identify a fraudster. Consider implementing them as risk
indicators in your managing fraud procedures:

- a request for fast delivery has been made
- where the delivery cost is immaterial - genuine shoppers are often reluctant to pay for
  expensive delivery options
- delivery address not the same as the billing address
- an export delivery address, particularly to certain countries (please refer to the table
  in Country Checks for a list of high risk countries)
- temporary address such as a hotel or boarding house
- instruction to leave goods on doorstep (or similar).

Country Checks
Carrying out checks on shoppers whose billing country does not match the country in which
the card was issued can help identify fraudsters. This particular result is shown on your email
confirmation and in the Merchant Interface, and we advise implementing this as a risk indicator
in your managing fraud procedures.

High-Risk Countries
The countries identified in the table below are considered high-risk as purchases originating
from them have much higher incidences of fraud. To help you identify fraudsters, payments
made by shoppers with IP (Internet Protocol) addresses in these countries are likely to be
declined by our fraud screening tool (Risk Management service).

If a shopper purchases their goods/services from, or requests delivery to one of the countries
shown in the table below, we advise you carry out further manual checks before deciding to
accept the transaction.

If you are having specific issues with fraud from one or more countries you can request to
add more country restrictions to your Risk Management service. A country restriction can
stop all future orders where at least one of the following shopper details matches your
country criteria.

Billing country
Card issue country
IP country

Note that this may only be requested as an anti-fraud measure; it must not
be used as part of a business process, that is, to limit your orders to
regions where you have shipping options available.


Pattern Checks
The following checks can help to identify a fraudster. Consider implementing them as risk
indicators in your managing fraud procedures:

- Unusual buying patterns by the shopper, for example, unusually frequent purchasing.
- Fraudsters often make repeat purchases and some part of the order detail is usually
  common, for example, the same email address.
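
One way to surface the repeat-purchase pattern described above from your own order records, shown as an added example rather than anything supplied with the Risk Management service. The order fields, the 24-hour window and the linked_orders function are assumptions, the sample orders are constructed, and the example goes slightly beyond the text by also linking on IP address and counting distinct shopper names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders; every value here is made up for the example.
ORDERS = [
    {"id": "A1", "name": "J Smith", "email": "a.buyer@example.com",
     "ip": "198.51.100.7", "time": datetime(2013, 3, 1, 10, 0)},
    {"id": "A2", "name": "J Smith", "email": "a.buyer@example.com",
     "ip": "198.51.100.7", "time": datetime(2013, 3, 1, 10, 20)},
    {"id": "A3", "name": "K Jones", "email": "A.Buyer@Example.com",
     "ip": "203.0.113.9", "time": datetime(2013, 3, 1, 11, 5)},
    {"id": "A4", "name": "M Patel", "email": "m.patel@example.org",
     "ip": "192.0.2.44", "time": datetime(2013, 3, 1, 12, 0)},
    {"id": "A5", "name": "J Smith", "email": "a.buyer@example.com",
     "ip": "198.51.100.7", "time": datetime(2013, 3, 9, 9, 0)},
]


def linked_orders(orders, fields=("email", "ip"),
                  window=timedelta(hours=24), min_orders=2):
    """Find runs of orders that share one detail and fall inside `window`."""
    by_value = defaultdict(list)
    for order in orders:
        for field in fields:
            # Normalise so that case or stray spaces do not hide a match.
            value = (order.get(field) or "").strip().lower()
            if value:
                by_value[(field, value)].append(order)

    findings = []
    for field, value in sorted(by_value):
        group = sorted(by_value[(field, value)], key=lambda o: o["time"])
        best, start = [], 0
        for end in range(len(group)):
            # Slide the window start forward until the run fits in `window`.
            while group[end]["time"] - group[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = group[start:end + 1]
        if len(best) >= min_orders:
            findings.append({
                "field": field,
                "value": value,
                "orders": [o["id"] for o in best],
                # Several names behind one email or IP deserves a closer look.
                "distinct_names": len({o["name"].strip().lower() for o in best}),
            })
    return findings


if __name__ == "__main__":
    for finding in linked_orders(ORDERS):
        print(finding)
```

A genuine shopper who buys from you often will appear in the results too, so treat each finding as a prompt for manual review rather than as a block.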


Procedures to Adopt
This chapter describes procedures you can adopt to help reduce your risk of fraud. We
strongly suggest that you consider the procedures described in this chapter, and implement
those with specific relevance for your type of business.

Your managing fraud procedures should incorporate some of the checks described in Checks
to Make.

Note that trading rules can affect the level of risk you are exposed to. For
example, you cannot refuse to sell on the basis of the cardholder country
alone - in such a case you will need to review the other details before you
can say "No".

Define Your Risks


You should define the fraud risks specific to your business and use them when developing
your managing fraud procedures. The risks will depend upon various factors, such as the
type of business or industry you are in, the type of goods or services you supply, their price
level, the countries you deliver to, etc.

You are at greater risk from fraud if you supply high value, branded or otherwise easily traded
consumer products that are easy to transport and store.

New enterprises that are not well known retailers also tend to attract fraudsters, who
speculate that the merchants will be inexperienced. Similarly, in the service industries, those
services that seem easy to deny having been booked or received also rank highly for fraud
risk.

You can consider many areas, a few of which are as follows:

- Your order acceptance risks. For example, you can review all orders above a certain
  amount.
- Your delivery risks. For example, you can only provide immediate shipping to trusted
  shoppers such as those who have traded with you and have a good record, or you
  can decide to immediately ship all orders below a certain value if the automated tools
  do not provide alerts.
- Your chargeback history. If you are experiencing too many chargebacks we
  recommend that you reassess your existing procedures and adopt procedures to
  review your chargeback history at regular intervals.

High chargeback/fraud levels could affect our ability to provide you with a
payment service because of card program rules relating to excessive
chargebacks/frauds.


Order Acceptance
Adopt an order acceptance procedure, which includes an accept, review, reject process.
There should be no doubt about which orders can be filled immediately and which should be
reviewed. You could include some or all of the following:

- establish the criteria for which orders you will accept - for example, orders below £15
  where both Address Verification and Card Security Code match
- establish the criteria for which orders should be reviewed - for example, all orders
  over £75, and all orders with either Address Verification or Card Security Code
  mismatch
- establish the criteria for which orders should be rejected - for example, all orders
  over £75 where both Address Verification and Card Security Code mismatch and the
  delivery address differs from the billing address.

Capture delay can be used to provide additional time for you to check orders before capturing
the payment.

Respond to Alerts
Adopt a procedure, tailored to your business, that specifies how you will respond to alerts.

For example, you may want orders with Caution alerts to be filled if the order value is below
a certain limit, but want a review of all orders with Warning alerts, regardless of the order
value.

An alerts procedure can be quite simple, such as the one shown below.

To the Staff of One Stop Shop

Alerts Procedure

- Manually review any transaction that has generated a Warning alert from the Risk
  Management service.
- Manually review any transaction over £30 that has generated a Caution alert from the
  Risk Management service.
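
The example criteria under Order Acceptance and the One Stop Shop alerts procedure above can be combined into a single accept, review, reject decision. The code below is an added illustration and not part of the Risk Management service or the Merchant Interface: the Order fields and the triage function are assumptions, and because the example criteria do not cover every order (for instance, a £50 order with both checks matching), anything unmatched is assumed to go to review.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Thresholds taken from the guide's own examples; replace with your own.
ACCEPT_BELOW = Decimal("15")          # accept below £15 if AVS and CSC match
REVIEW_ABOVE = Decimal("75")          # review every order over £75
CAUTION_REVIEW_ABOVE = Decimal("30")  # One Stop Shop: review Cautions over £30


@dataclass
class Order:
    """Hypothetical order record; field names are assumptions."""
    amount: Decimal
    avs_match: bool            # Address Verification result
    csc_match: bool            # Card Security Code result
    delivery_is_billing: bool  # delivery address equals billing address
    alert: Optional[str] = None  # None, "CAUTION" or "WARNING"


def triage(order):
    """Return (decision, reasons) where decision is accept, review or reject."""
    both_mismatch = not order.avs_match and not order.csc_match
    if (order.amount > REVIEW_ABOVE and both_mismatch
            and not order.delivery_is_billing):
        return "reject", ["over £75, AVS and CSC mismatch, delivery differs from billing"]

    reasons = []
    if order.alert == "WARNING":
        reasons.append("Warning alert")
    elif order.alert == "CAUTION":
        if order.amount > CAUTION_REVIEW_ABOVE:
            reasons.append("Caution alert on order over £30")
    elif order.alert is not None:
        reasons.append(f"unrecognised alert value {order.alert!r}")
    if order.amount > REVIEW_ABOVE:
        reasons.append("order over £75")
    if not order.avs_match or not order.csc_match:
        reasons.append("AVS or CSC mismatch")
    if reasons:
        return "review", reasons

    if order.amount < ACCEPT_BELOW:
        return "accept", ["below £15 with AVS and CSC match"]
    # Assumption: the example criteria leave this case open, so fail safe.
    return "review", ["no acceptance rule matched"]


if __name__ == "__main__":
    # Constructed sample orders.
    print(triage(Order(Decimal("9.99"), True, True, True)))
    print(triage(Order(Decimal("40.00"), True, True, True, "CAUTION")))
    print(triage(Order(Decimal("120.00"), False, False, False)))
```
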


Screening
Adopt a screening procedure that clearly identifies and blocks risky names, email addresses
and IP addresses, etc.

As part of that procedure you should specify the conditions under which you carry out
updates to the referral lists in the Risk Management service. For example, every week or as
soon as you have information about a suspicious name or IP address.

We recommend that you include the following checks in your screening procedure:

- Name and Contact Checks
- Email and IP Address Checks
- Country Checks
  Contact us if you want to restrict high-risk countries.

Payment Methods
Adopt a procedure that specifies the acceptance level for each payment method you select.

Select your payment methods in accordance with your risk; consider their specifications and
acceptance level in your target audience. Make sure you understand the specifics of each
method. For instance, some card schemes do not support Authentication and, hence, do not
support Chargeback Liability Shift, which means that you are always liable for chargebacks
rather than the card issuer.

Note that future changes to legislation may affect payment methods for
certain kinds of online business. For example, recent legislation in the USA
has banned credit card payments for online gambling.

Customer Registration
If you have specific risks and your target customer group will tolerate it, then you might
consider an enforced registration procedure for new customers that will exclude some of the
potentially riskier shoppers. For example, allowing a probation period during which customers
build up a payment history.

Predefine and publish the conditions for registration and for upgrade to full membership. For
example, include: the minimum number of orders; the minimum time frame as a customer;
and similar.

If incidents do occur, move the customer in question from your client list to a suspense file,
against which new orders can be checked.

Consider including the following items for registration:

- require full name and address details - do not accept free ISP-addresses (@hotmail
  and such), since no registration with these providers is required and consumers
  therefore remain untraceable
- require registration in current telephone directory (for ex-directory applicants ask for
  phone bill details)
- do not accept only mobile phone numbers
- offer limited choice of payment methods initially
- limit the acceptance level per payment method
- set maximum amount/value per order for the first (few) orders
- deliver goods to the customer's registered home address only
- insist on receipt by this registered shopper, proper identification, and physical
  presentation of the card.

Delivery Procedure
Adopt a delivery procedure, including, for example, some of the following - depending on your
risk:

- limitations to the countries where you deliver
- deliver to the registered shopper only
- ask for faxed identification (driving license, utility bill) beforehand if the person
  receiving the goods will be a person other than the registered shopper
- retain proof of delivery for at least 12 months
- instruct carriers to never leave a delivery at the door, especially if instructed to do so
  by the shopper and/or if it is a high value order - this may be an indication that a
  criminal is using some unwitting person's house as a drop-off point
- when delivering a private purchase to the shopper's office address, only deliver to the
  shopper personally - use a signed-for method of delivery and clearly mark the
  packaging with instructions that only the shopper should sign for it
- never deliver to generic addresses such as office buildings, post offices, airports,
  railway stations, industrial areas, without specific information on the recipient's exact
  location and identity - if you do decide to deliver, insist on full identification and if
  possible only accept irrevocable payments for these orders
- only provide immediate shipping to shoppers you feel very sure about, such as those
  who have traded with you before and have a good record.

Website Warning
State clearly on your website that, in case of fraud, the proper authorities will be informed and
legal action will be taken.

Communications
Ensure that all personnel involved, including external suppliers, such as delivery and parcel
services, as well as your own staff, are fully aware of your procedures and their importance.

For example, ensure that your delivery service knows that they should not leave goods on the
doorstep, if this is a part of your delivery procedure.


When You Suspect Fraud


This chapter advises you about our recommended practices when you suspect fraud. The
sections listed below describe what you should do if you decide not to fulfil a transaction.

If you are in doubt about a transaction, we cannot stress enough the importance of
completing further, manual checks, as the final decision lies with you.

Note that when you identify high-risk names, email addresses and IP
addresses, you can update the referral lists in the Risk Management
service to provide blocks against them.

Taking Action
If your decision is NOT to proceed with a transaction you must advise the shopper you are
not going to fulfil the order and either promptly perform a full refund using the Merchant
Interface, or, if you are using automated capture with capture delay, you must cancel the
payment manually with the Merchant Interface.

Reporting Suspected Fraud

If you believe that you have fraudulent transactions on your account, or have discovered an
attempted deception against you, you can contact your local police station to report the
suspected crime directly to them (regardless of where the suspected crime/point of delivery is).

The most effective way to report the suspected crime is to submit your complaint in writing to
the police using the form produced by APACS, which can be found at
http://www.cardwatch.org.uk.

Note that in the United Kingdom, all crime is reported territorially to the
local police stations and not directly to the National Hi-Tech Crime Unit
(NHTCU). Please visit the NHTCU website www.NHTCU.org for further
information regarding the role of this organization.

Communicating with Your Shopper


If you decide not to proceed with an order you should be careful about how you inform the
shopper. In particular, you should avoid relaying information about the integrity of the
shopper, as some of those you reject will almost certainly be genuine (just as some of the
acceptances may be fraudsters).

You need to ensure that your terms and conditions are clearly visible to shoppers before they
place orders and ideally the checkout process should include explicit acceptance of the terms
by the shopper before an order can be placed. You should include your right to reject orders
and specify the point in the order/delivery process where the order is accepted. You should
take specific legal advice in relation to your business and applicable law. However, a possible
clause to cover this would be as follows:


"Order acceptance and the completion of the contract between you and us will take
place on the dispatch to you of the Products ordered, unless we have notified you that
we do not accept your order, or you have cancelled it in accordance with the
instructions in How to Cancel an Order.

Non-acceptance of an order may be a result of one of the following:

- The product you ordered being unavailable from stock.
- Our inability to obtain authorisation for your payment.
- The identification of a pricing or product description error.
- Your failure to meet the eligibility to order criteria set out in the main Terms
  and Conditions."


Chargebacks - Avoiding Losses


This chapter describes how to help avoid chargeback losses due to fraud.

We strongly recommend that you consider the checks and procedures described in this
guide, and implement those with specific relevance for your business requirements. We also
recommend that you enroll with cardholder authentication schemes such as Verified by Visa,
MasterCard SecureCode for MasterCard and Maestro, and American Express SafeKey.
Please contact us if you want to enroll.

Avoiding Chargebacks Due to Fraud


When a shopper uses a card in person, checks can be carried out at the point of sale (for
example, with a signature check), and the card scheme rules ordinarily require that the issuer
is to bear losses.

With online transactions, there is usually no written evidence that the cardholder used the
card or that they received the goods or services. The liability for losses related to online
transactions therefore lies with you. Although you might not be able to avoid fraud-related
chargebacks completely, you can reduce your losses by adopting appropriate procedures, as
described in this guide.

You can also benefit from Liability Shift by enrolling with the cardholder authentication
schemes such as Verified by Visa, MasterCard SecureCode for MasterCard and Maestro,
and American Express SafeKey. Please contact us to enroll.

Chargeback Liability Shift

If you are enabled for cardholder authentication schemes you can protect your business from
certain fraud-related chargebacks on card transactions.

According to Visa, over 80% of all chargebacks fall into the fraud-related category. Liability for
this type of chargeback passes from the merchant to the card issuer, even if the card issuer
is not a participating member of the scheme or if the cardholder is not enrolled.

These authentication schemes are designed to increase confidence in online shopping and to
reduce your exposure to fraud. For more information about authentication schemes, please
refer to the Cardholder Authentication Guide and Cardholder Authentication.

Note that some card schemes do not support authentication or Chargeback
Liability Shift, which means that you are liable for chargebacks rather than
the card issuer.
