For the eCommerce business, online card fraud (also called remote purchase fraud) is, and probably always will be, a serious concern.
The worry weighs heavy that any transaction could be instantaneously reversed if it’s shown to be fraudulent, draining your bank account and your stockroom.
Unfortunately, the anonymity granted by the internet has resulted in a steady increase in online card fraud.
Take a look at the following statistics.
£398.2 million: Remote purchase losses on UK-issued cards [Source]
20%: Year-on-year remote purchase fraud increase [Source]
70%: Of all card fraud is remote purchase [Source]
It gets worse for merchants too as, when it comes to online card fraud, liability falls on the merchant. If you process a fraudulent transaction, it’s up to you to shoulder the losses if it’s discovered.
The way liability falls means it’s in your best interest to prevent as many fraudulent transactions as possible. I’m going to show you how to do it.
3 Strategies for Reducing Online Card Fraud
Your fraud prevention plan doesn’t have to be some huge, leather-bound tome that runs to several hundred pages.
Simple strategies executed well can provide robust protection against fraudulent transactions and save your business time, money and stock.
#1: Block brute force attacks
Think of a combination lock. Big metal hoop connected to a chunky metal body with three dials on the side. Each dial can be rotated to show any digit between zero and nine, which gives, in total, 1,000 different combinations of digits and dials.
Now, imagine you don’t know the correct combination. How do you get it open?
The most basic strategy is to start at combination 0-0-0 and try every single unique arrangement of digits and dials all the way up to 9-9-9.
Does 0-0-0 work? Nope. Does 0-0-1 work? Nope. Does 0-0-2 work? Nope. Does 0-0-3 work? Nope. Okay, you get the picture.
It’s incredibly inefficient, but using this strategy means you will eventually find the correct combination.
This nefarious strategy is called a brute force attack and, unfortunately, it works for eCommerce systems, too.
However, instead of combinations, hackers are trying to guess passwords, and instead of a person laboriously trying every password, fraudsters use malicious software.
This software works much quicker than a human and can try hundreds or thousands of passwords every single minute.
Once fraudsters guess a customer’s password, they’ll place as many orders as they can until the account is frozen.
The good news is that there’s a super easy way to block brute force attacks.
You see, real users might make one or two mistakes when entering their details, but they will almost certainly never enter the wrong password 50 times in a row.
Simply block users after they enter the wrong details five or ten times in a row and you’ll stop the vast majority of brute force attacks!
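The lockout rule described above, as an added example that is not part of the original post: a small Python guard that counts consecutive wrong passwords per account, locks the account once the threshold is reached, and resets the count on a correct login so a customer's occasional typo never trips it. The threshold, the lockout length, the `LoginGuard` class, the `demo_verify` check and the sample credentials are all constructed for this example.

```python
import time
from collections import defaultdict

# Hypothetical policy values (the post suggests "five or ten"; these are ours):
MAX_CONSECUTIVE_FAILURES = 5   # lock after this many wrong passwords in a row
LOCKOUT_SECONDS = 15 * 60      # lock is temporary, so a real customer can retry later


class LoginGuard:
    """Track consecutive failed logins per account and lock the account
    temporarily once the threshold is hit. A correct password resets the
    streak, so only an unbroken run of failures (the brute force pattern)
    triggers the lock."""

    def __init__(self, max_failures=MAX_CONSECUTIVE_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so tests can move time
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.locked_until = {}                # account -> unix time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear it and the failure streak.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, supplied_password, verify):
        """Handle one login attempt. Returns:
        'locked' - refused before the password is even checked
        'ok'     - correct password, streak reset
        'fail'   - wrong password, streak incremented (may lock the account)"""
        if self.is_locked(account):
            return "locked"
        if verify(account, supplied_password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "fail"


# Constructed sample credential check. A real store compares password hashes;
# plain text is used here only to keep the example self-contained.
_DEMO_PASSWORDS = {"alice@example.com": "correct horse"}


def demo_verify(account, supplied_password):
    return _DEMO_PASSWORDS.get(account) == supplied_password


def replay_attempts(guard, account, guesses):
    """Feed a list of password guesses through the guard and return each outcome."""
    return [guard.attempt(account, guess, demo_verify) for guess in guesses]


if __name__ == "__main__":
    guard = LoginGuard()
    # Five wrong guesses lock the account; the sixth attempt is refused
    # even though it carries the right password.
    print(replay_attempts(guard, "alice@example.com",
                          ["a", "b", "c", "d", "e", "correct horse"]))
```

The lock is deliberately temporary: a permanent lock would let anyone deny a customer access to their own account simply by entering wrong passwords against it, so a lock that expires after a few minutes stops the automated guessing without handing attackers that lever. Keep a separate counter per source address as well, since a guessing run spread thinly across many accounts never reaches the per-account threshold.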
#2: Use Verified by Visa, SecureCode or American Express
Way back in 2001, Visa launched an additional security protocol for online card payments called Verified by Visa.
This protocol sits on top of existing card payment systems and is designed to deliver an extra security check to the purchaser to make sure they are actually the registered cardholder.
Verified by Visa usually asks the customer to enter an extra password separate from their password for your website. If the password doesn’t match the records held by the network, the transaction is rejected.
And it’s not just Visa that runs this sort of system. Most other networks have developed a similar protocol: for example, Mastercard has SecureCode and American Express has SafeKey.
Collectively, these security protocols are known as 3-D Secure.
Now, I know what you’re thinking. 3-D Secure checks will wreck conversion rates, right?
Well, no. Or, at least, not any more.
When 3-D Secure first launched, it earned an awful reputation and it was actually pretty justified. The security protocols would deliver checks to every single customer regardless of whether the transaction looked legitimate or not.
And the customer, who had almost certainly forgotten their special password, was blocked from completing their transaction.
Thankfully, things are better now. The networks have refined their systems so that additional checks are only delivered for transactions with high risk profiles.
This improved targeting means 3-D Secure checks still protect you from fraudulent transactions without alienating legitimate customers.
#3: Geolocation, geolocation, geolocation
Geolocation services usually work alongside address comparison tools. However, unlike the address comparison tools, geolocation services use the user’s IP address to actually identify their exact physical location in the world.
Once you know where someone actually is, you can compare that to the cardholder’s address or delivery address and decide whether the transaction looks legitimate.
If the customer is in Belize and the card is registered in Birmingham, the system will flag or block the transaction.
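The geolocation comparison described above, combined with the risk-based step-up that 3-D Secure now relies on (strategy #2), as an added example that is not part of the original post. It resolves the customer's IP address to a country, compares that with the billing and delivery countries, scores the mismatches, and returns one of three decisions: let the order through, hand it to the 3-D Secure challenge, or block it. The IP-to-country table, the point weights, the `HIGH_VALUE_THRESHOLD` and the thresholds between decisions are all constructed for this example; a real deployment would take the country from a geolocation database and tune the weights against its own fraud data.

```python
import ipaddress

# Hypothetical: orders at or above this value add a risk point.
HIGH_VALUE_THRESHOLD = 500.0

# Constructed stand-in for a geolocation database. The prefixes are the
# RFC 5737 documentation ranges and the country labels are invented, so this
# table must never be used for real lookups.
_GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),   # labelled United Kingdom
    (ipaddress.ip_network("198.51.100.0/24"), "BZ"),  # labelled Belize
    (ipaddress.ip_network("192.0.2.0/24"), "US"),     # labelled United States
]


def country_for_ip(ip_text):
    """Return the ISO country code for an address, or None if it is unknown."""
    ip = ipaddress.ip_address(ip_text)
    for network, country in _GEO_TABLE:
        if ip in network:
            return country
    return None


def assess_transaction(ip_text, billing_country, delivery_country, amount):
    """Score the order and decide what to do with it.

    Returns (decision, score, findings) where decision is:
      'allow'     - nothing suspicious, no extra friction for the customer
      'challenge' - pass the order through 3-D Secure before capturing payment
      'block'     - refuse the order outright
    """
    findings = []            # (name, points) for each signal that fired
    ip_country = country_for_ip(ip_text)

    if ip_country is None:
        # Unknown location is mildly suspicious but not proof of anything.
        findings.append(("ip_unknown", 1))
    else:
        if ip_country != billing_country:
            findings.append(("ip_vs_billing", 2))    # the post's Belize/Birmingham case
        if ip_country != delivery_country:
            findings.append(("ip_vs_delivery", 1))
    if billing_country != delivery_country:
        findings.append(("billing_vs_delivery", 1))
    if amount >= HIGH_VALUE_THRESHOLD:
        findings.append(("high_value", 1))

    score = sum(points for _, points in findings)
    if score == 0:
        decision = "allow"
    elif score < 4:
        decision = "challenge"   # let 3-D Secure confirm the cardholder
    else:
        decision = "block"
    return decision, score, [name for name, _ in findings]


if __name__ == "__main__":
    # Customer appears to be in Belize, card and delivery address in the UK.
    print(assess_transaction("198.51.100.7", "GB", "GB", 40.0))
    # Same mismatch on a high-value order tips it from challenge to block.
    print(assess_transaction("198.51.100.7", "GB", "GB", 900.0))
```

A country mismatch on its own lands on "challenge" rather than "block" because IP geolocation is approximate: travellers, VPN users and some mobile carriers will show up in the wrong country, and a 3-D Secure challenge lets a genuine cardholder prove themselves where an outright refusal would lose the sale. Blocking is reserved for orders where several independent signals line up.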
About the Author
Stephen Hart is the former CFO of Worldpay and current CEO of Cardswitcher, the UK’s leading price comparison website for merchant services.