Fraudulent credit card purchases caused US and Canadian e-commerce sites to lose over $3.4 billion in 2012*. That is a big number and difficult to grasp so let’s put it this way: If every man, woman and child in the US and Canada kicked in $10 we still couldn’t cover the loss.
Sadly, any enterprise that accepts payment for goods or services over the internet – or over the phone – is a likely target for fraud. Every e-commerce business from Amazon.com to a local crafts seller can be hit with fraudulent payments. If fraud is inescapable with online sales then we need to minimize our exposure to loss.
But I Got an Authorization Number
Nothing is as jarring as finding out that an authorization code on a purchase doesn’t guarantee payment. When a card is used to make a purchase the credit card processor verifies that the card number is properly formatted and authentic, that the account isn’t closed or overdrawn, and that there hasn’t been a ‘Hold’ placed on the account. Most processors will do an address verification (AVS) check too. Next the amount of the purchase is deducted from the card holder’s credit limit and an authorization number is given to the merchant.
The purchase authorization number does not mean that the person using the card information is authorized to do so. Nor does the authorization number guarantee payment to the merchant. In fact, a card holder can challenge a purchase for up to six months after the purchase date (a challenge creates a chargeback from the bank to the merchant.)
I don’t know for sure, but based on my experience it seems reasonable to assume that the vast majority of the $3.4 billion in fraudulent sales likely had an authorization number given by the card processor.
The process of getting an authorization number is only the first step in fraud prevention. For more protection we have to setup our own systems and fraud detection methods.
Pain Tolerance
There is a fine line to walk as an e-commerce merchant. We want secure transactions but we must make the purchase process easy to navigate. If we make it too difficult or complex to purchase from our sites our prospects will shop elsewhere.
The first step in creating a fraud prevention system is to decide a tolerable level of pain. We must answer the question “At what dollar level do we kick in our full fraud prevention measures?” That question isn't an easy one to answer, but there are a few points to consider that can help steer the decision.
For most e-commerce sites there is a dollar value below which fraud almost never happens. For example, from sales records it might be discovered that over 95% of fraud happens on sales over $175.00. Given the low incidence of fraud on sales below this amount we now have a starting point for our decision process.
The reason we want to find this break point is that we must draw a line across our sales graph below which we let the automated authorization system take care of itself. We need to define the lower limit of our suspect sales range because any transaction we choose to put through our fraud program will require an investment of time. The cost of every minute used to vet a sale comes off the profit margin of the transaction.
Here is something that I have noticed over time; it’s the 80/20 rule at work. Very often the dollar value arrived at by the method described above will find 80% of online sales at or below the threshold and 20% of sales above it. I've always attributed this to the belief that fraudsters seem to prefer making a few big purchases quickly - before the bogus or stolen card information they are using gets flagged.
Establish Responsibility
Transaction placed online that are over the dollar value established need to be manually put through the fraud prevention system. For the process to be managed with the least amount of system failure somebody has to be in charge and somebody else has to be designated as backup. Fraud prevention is a ‘without fail’ directive; it can’t be left undone because somebody is on vacation or out ill.
I have found it helpful to have two different individuals involved with the process. The first is the person responsible for flagging sales and putting them through the fraud prevention process. The second person has the ultimate go / no-go call based on the information provided by the first person. Dividing up the responsibilities gives the company a better chance of catching errors.
Next, the Metrics
After establishing the transaction value tipping point and assigning responsibilities for fraud prevention, it’s time to create the scorecard used to evaluate targeted transactions. In the next chapter we will discuss fraud warning signs leading up to several tools and steps for a manual fraud prevention process.
FACT: Nationwide, over 25% of all online transactions are put through a manual fraud review process.
