Understanding Transaction Verification process
Over the years, I've come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I'll detail several companies verification procedures below.
While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit
• AVS
• CVV
• IP/GEO/BIN
• Cardholder Authentication (VbV/MSC)
• Phone Verifications
• Manual Order Reviews
• Chargebacks & Representments
• PCI Compliance & Data Security
AVS - Address Verification Service
How It Works
•Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).
Implementation
•Available on any Internet merchant account and virtually any Payment Gateway.
•Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.
Benefits
•Easy to implement Limitations
•Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
•A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.
Recommendation
•If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.
CVV – Card Verification Value
How It Works
•A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
•Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.
Implementation
•Available on any Internet merchant account and virtually any Payment Gateway.
•Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.
Benefits
•Works for virtually ALL cardholder accounts – both U.S. and international.
•There is no valid reason why a legitimate cardholder, in pos******* of the card, would not be able to enter a 100% matching numberfor this.
•Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.
Limitations
•CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.
Recommendation
•CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.
IP/GEO/BIN Scrubbing
How It Works
•Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
•Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
•Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.
Implementation
•Custom direct integration into a service such as MaxMind.com
•Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
•Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.
•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.
Benefits
•Fast, Cost Effective and Non-Intrusive
•Provides merchants with an excellent “do the pieces fit consistently?” analysis.
•Can block up to 89% of all fraud if properly implemented
Limitations
•Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
•Proxy database is always in a real-time process of being updated as new proxies open up.
Recommendation
•IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.
Examples of what IP Geo-Location can tell you:
YELLOW ALERTS
•Free E-mail Address: is the user ordering from a free e-mail address?
•Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
•BIN Country Match: does the BIN # from the card match the country the user states they are in?
•BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
•BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?
RED ALERTS
•Country Match: does the country that the user is ordering from match where they state they are ordering from?
•High Risk Country: is the user ordering from one of the designated high risk countries?
•Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
•Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
•High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
•Ship Forwarding Address: is the user specifying a known drop shipping address
IP/GEO/BIN Scrubbing (Continued)
Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.
26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.
High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.
Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.
Results that speak for themselves:
ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.
MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.
Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.
365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.
Over the years, I've come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I'll detail several companies verification procedures below.
While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit
• AVS
• CVV
• IP/GEO/BIN
• Cardholder Authentication (VbV/MSC)
• Phone Verifications
• Manual Order Reviews
• Chargebacks & Representments
• PCI Compliance & Data Security
AVS - Address Verification Service
How It Works
•Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).
Implementation
•Available on any Internet merchant account and virtually any Payment Gateway.
•Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.
Benefits
•Easy to implement Limitations
•Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
•A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.
Recommendation
•If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.
CVV – Card Verification Value
How It Works
•A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
•Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.
Implementation
•Available on any Internet merchant account and virtually any Payment Gateway.
•Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.
Benefits
•Works for virtually ALL cardholder accounts – both U.S. and international.
•There is no valid reason why a legitimate cardholder, in pos******* of the card, would not be able to enter a 100% matching numberfor this.
•Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.
Limitations
•CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.
Recommendation
•CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.
IP/GEO/BIN Scrubbing
How It Works
•Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
•Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
•Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.
Implementation
•Custom direct integration into a service such as MaxMind.com
•Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
•Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.
•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.
Benefits
•Fast, Cost Effective and Non-Intrusive
•Provides merchants with an excellent “do the pieces fit consistently?” analysis.
•Can block up to 89% of all fraud if properly implemented
Limitations
•Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
•Proxy database is always in a real-time process of being updated as new proxies open up.
Recommendation
•IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.
Examples of what IP Geo-Location can tell you:
YELLOW ALERTS
•Free E-mail Address: is the user ordering from a free e-mail address?
•Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
•BIN Country Match: does the BIN # from the card match the country the user states they are in?
•BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
•BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?
RED ALERTS
•Country Match: does the country that the user is ordering from match where they state they are ordering from?
•High Risk Country: is the user ordering from one of the designated high risk countries?
•Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
•Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
•High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
•Ship Forwarding Address: is the user specifying a known drop shipping address
IP/GEO/BIN Scrubbing (Continued)
Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.
26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.
High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.
Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.
Results that speak for themselves:
ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.
MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.
Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.
365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.