How a business can fight fraudulent online orders
Ask a question.
Dear Your Business Credit,
My company was victimized by online credit card fraud. A stolen credit card was used, and we shipped our product to an address different than the billing address of the credit card. We reported this to our local police. Our credit card processor says that we are responsible, but I don’t trust that answer. – Shai
I’m sorry to hear that your business was victimized by fraudsters. Sadly, there are so many online crooks out there that every business owner needs to be very vigilant about fraud.
You’re wise to get a second opinion on what the merchant processor told you. To find out what your responsibilities are, I checked with Jen Lee, an attorney with offices in San Ramon and Tracy, California, who frequently advises clients on debt-related matters and is a co-author of “Preventing Credit Card Fraud: A Complete Guide for Everyone from Merchants to Consumers,” a book that will be published in March 2017.
She recommended that you review your merchant services agreement with an attorney to see what it says about liability for fraudulent transactions. If the agreement shows you are not liable, you and your attorney should have grounds to dispute the processor’s contention that you are responsible for the fraud.
However, it does seem likely in this case that the merchant processor is correct.
“Generally speaking, for online transactions where the merchant does not see the actual card, the merchant ends up assuming the liability for fraudulent transactions and ends up losing out twice – once for the shipped merchandise that is likely forever lost and then having to pay back the bank for the fraudulent charges,” Lee said in an email.
As you already know, fraud can be costly. So what can you do to prevent it in the future? First, I’d take a look at the fraud-prevention guidelines for merchants issued by Visa, Mastercard and any other cards you accept. Visa, for instance, suggests that merchants processing “card-not-present” transactions confirm orders sent somewhere other than a customer’s billing address by reaching out to the customers through a point of contact associated with the billing address, not the ship-to address.
Visa points to several red flags that may suggest fraud: a first-time shopper, a larger than normal order, an order that includes several of the same item, an order with many big-ticket items, rush or overnight shipping requested and shipping to an international address.
Other possible warning signs of fraud, Visa notes, are transactions with similar account numbers, transactions placed on multiple cards that all ship to the same address, multiple transactions on one card over a short period, multiple transactions on a single card with one billing address that are being sent to multiple shipping addresses, multiple cards used from a single IP address and orders from internet addresses that make use of free email services.
Of course, there’s an element of judgment here. If you sell holiday gift baskets and a regular customer is sending three baskets to different addresses, they could well be legitimate transactions. Nonetheless, it wouldn’t hurt to confirm the transactions with such a customer at the phone number or email address normally associated with the billing address. Many consumers have been victimized by identity thieves and will appreciate the efforts you take to protect them from unauthorized use of their card.
If you want to add an extra layer of scrutiny of credit card transactions, technology can give you an assist. Online merchants can join Verified by Visa and Mastercard SecureCode, services that verify the identity of consumers who have opted in for the programs.
“These are both products that assist in helping merchants detect non-authenticated customers using a card that has been compromised,” said Seth Ruden, senior fraud consultant at ACI Worldwide, which provides electronic banking and payment solutions for financial institutions, merchants, billers and processors. American Express offers a similar product called SafeKey.
It should get easier for online merchants to verify ecommerce solutions in the near future, thanks to advances in areas such as biometrics. I’d recommend paying close attention to news of new fraud-prevention technologies. They could end up saving you a bundle.
Meet CreditCards.com's reader Q&A experts
Does a personal finance problem have you worried? Monday through Saturday, CreditCards.com's Q&A experts answer questions from readers. Ask a question, or click on any expert to see their previous answers.
- How to handle an employee misusing a business credit card – If you're a business and issuing employees cards, make sure you have the right system in place to avoid inappropriate charges ...
- I used the company credit card for a personal purchase – What to do if you use your corporate credit card for a personal expense ...
- How long can a payment processor hold funds from my business? – If payment processors are holding on to funds to investigate transactions, there are some best practices to make the system smoother ...