When it comes to e-commerce fraud prevention it is often easy to overlook some very basic controls that are already available to us. Credit card processors will frequently offer many user selectable settings that can help deter fraud.
Limit Attempts
This is perhaps one of the best controls that help limit fraud. By setting how many attempts a purchaser has to get an authorization we can weed out a large percentage of fraudsters. For example, you might set a limit of three attempts per hour. If that number is exceeded, any further attempts – even if correct – will be declined.
I have seen instances where a purchase was submitted 20 to 30 times as the thief tried different combinations of card numbers and personal information. By setting a reasonable number of attempts we can throw a roadblock up to fraud purchases without significantly inconveniencing our customers.
Limiting Geography
This control can be tricky, but it’s worth the effort. While we might be flattered to think that our goods or services are in demand worldwide, a significant percentage of fraud originates outside of the US. On most card authorization API’s it is possible to permit or decline transactions based on the country of origin.
Choose these settings with care; we don’t want to cut off opportunity. Is Canada OK but the Caribbean on the do not ship list? Make your decisions with your shipping or delivery options in mind. Realize that once the shipped goods leave the US you likely will have no further control to stop shipment and little enforcement on collections.
Exact or Near Match
A few credit authorization controls offer settings that increase or decrease sensitivity to the accuracy of the information supplied. For example, you may be able to choose settings that allow an authorization if the name, zip code, and card number are correct but the address isn’t an exact match.
By making changes to the exact match settings we are trying to make it easier for our clients to be successful in completing a transaction. But if we do this we are making it easier for a fraudulent sale to get through too. While this group of match settings can be powerful tools in our overall sales process, please think through each change and be prepared to measure outcomes over time to make sure the new settings are effective.
Note: match control settings may be problematic for corporate or government purchasers. An authorized purchaser may have permission to place orders but be unclear what the billing address is for the card.
Many Options
These are the top three controls available on most credit processing API’s. It’s likely that yours has many more settings available covering a range of variables and conditions. Our advice is to make changes slowly and deliberately. While some of the settings such as geographic limits may be easy to judge, others may behave in a more subtle way. Keep a log of changes made and measure both successful and rejected sales over time.
Change only a limited number of variables at one time and be prepared to undo them if the outcome has an immediate negative impact. Keeping an eye on transaction counts as well as declined percentages can quickly identify settings changes that might be too drastic.
It helps to keep in mind that a valid customer whose card is rejected is more likely to shop elsewhere than to give your website a second chance. Even more reason to make settings changes slowly over time and to monitor outcomes closely.
