E-commerce and online fraud

Date: September-2007 (Revised)

You have created a website and you have managed to increase traffic, offer competitive prices, and receive considerable sales from your shopping cart every month. Still, you are ready to give up on your online store and forget about Internet selling for good. Why is that? No doubt, you are overwhelmed by cases of fraud.

When you sell on the Internet, the credit card payments you take are only provisional. That is, there is a window during which the credit card charge may be cancelled.

But delivering goods that go unpaid is not the only problem. A potential consequence of suffering too many chargebacks is having your Internet merchant account revoked.

What can be done to minimize fraud, or even wipe it out completely?

A lot can be done, provided you have the right tools. Comersus shopping cart includes its own fraud prevention features and also supports the use of third-party services for order and payment validation and related tools offered by payment gatways.

Shopping cart fraud prevention features

Comersus includes a fraud prevention subsystem that is enabled and configured from the Backoffice. Two modes are available: caution and paranoid. At caution mode, your store will save suspicious orders as usual but send a warning email to the administrator. If your store is set to paranoid mode, the order will be blocked and prevented from checking out.

Comersus also allows you to create a "bait product" at a ridiculous price that will lure possible frauders. Fraud buyers don't intend to pay for what they purchase, so they won't mind the high price.

You can also create a database of suspicious text strings that are typical of fraudulent orders. Especially in digital good stores, frauders tend to post orders at unusual hours when monitoring is scarce, with dummy names such as Test or John Doe, that will be blocked automatically by Comersus if you have configured these keywords. Other advanced features include blocking orders due to invalid IP address and modifying this default functionality for specific cases.

Third-party validation services

Internal shopping cart features are useful in helping reduce levels of fraud, but Comersus includes integration with third-party service providers that can combine to wipe out the problem completely.

One of these service providers is Precharge.

Comersus stores taking offline credit card payments may want to configure Precharge to avoid fraudulent payments, since in this type of order the payment itself is not authorized: the card number entered is only checked against valid numbers for that type of credit card. To enable the service, simply load your Precharge merchant number and keys at Comersus/BackOffice/Settings.

Comersus sends a request to the Precharge server in real time with the customer's personal information and credit card. Precharge will return an accept or decline response based on their scoring system for transaction risk levels. Declined orders will be blocked from offline payment.

The Precharge service can be combined with most online payment systems as well. We have not included this integration by default since there are over 70 gateways available and this combination would be a specific requirement.

Another recently-added service is MaxMind. Configuration is similar: the MaxMind license key is loaded at Comersus/BackOffice/Settings, and then offline transactions can be filtered with the MaxMind fraud prevention service.

Comersus sends MaxMind the customer's personal information, IP address, email address domain, and other useful information to assess the transaction. The MaxMind servers send a response for accept or decline in real time, after checking the information with a GeoIP geolocation metrics system, and detectors for free emails, frauder emails, anonymous proxies, and IPs from high-risk countries.

MaxMind even offers a free service to test their solution and use some filters without any monthly fees.

Gateway fraud prevention tools

Payment gateways are interested in reducing fraud rates as well, so several of them support advanced fraud prevention systems. Most systems include configuring the merchant account from a proprietary control panel to decline payments that don't meet certain criteria:

- AVS: this system checks the address entered by the customer against the address where the statement is delivered for the credit card number provided. The downside is that it is only available in certain countries and it's not always valid for foreign cards.
- IP: gateways keep databases of IP addresses used for past frauds. Payments from countries with high fraud rates are usually blocked.
- CVV2: this is a code present on the back of credit cards, or sometimes on the front (for example in American Express cards). If the CVV2 is not entered or does not coincide with records for the card, the payment may be declined. This code should not be stored by merchants, so it means an additional method of fraud prevention.

Payment gateways that don't require a merchant account, such as 2Checkout, also perform manual checks by specialized staff who may even call the potential buyer if they suspect fraud.

Comersus sends payment gateways all optional information to enable full enjoyment of fraud prevention tools.

Conclusion

Fraud should not deter you from running your online store. Choosing the right shopping cart and third-party tools will no doubt minimize occurrences of fraud to the extent that they become no more than a minor and rare concern.