Reducing Online Credit Card Fraud

Credit card company figures show that 90 per cent of consumers are reimbursed when their cards are used fraudulently, while 75 per cent of online retailers have to eat the cost when they're the victims of credit card fraud. There is currently no way to avoid this ludicrously high risk, though it can be reduced.
April 4, 2000

Unfortunately, online payment remains a major area of Internet immaturity. Payment and data transfer security are allied problems. When buyer and seller meet physically to exchange money for goods, trust is less of an issue than when two entities deal blind online.

Though buyers - rightly - distrust online credit card payments, merchants suffer more from credit fraud. This is because most online payment is by credit or debit cards, and the payment protocols for these were originally intended for face to face sales where the cardholder and card are both physically present.

Physical presence offers security based on a customer signature and card imprint. But the merchant is almost always responsible for losses when sales are made on a 'Cardholder Not Present' basis even when the vendor has obtained authorisation from the card issuer.
Security And Privacy

There are two areas of concern: ensuring the privacy of data involved in the transaction to re-assure the buyer, and ensuring the buyer is engaged in a valid transaction - for the benefit of the seller.

The first is most easily solved using SSL (Secure Socket Layer) an encryption protocol built into current browsers and supported by most Web servers. Base Apache doesn't support it for patent reasons (RSA owns certain algorithms in the US) but Apache SSL does.

Using SSL once it's enabled is straightforward - simply change Web page references to https:// instead of http://, like so:

This posts the contents of a form back to you using SSL.
Digital Certificates

SSL is only half of the solution, though. Customers want to feel confidence in your company. This is achieved using a 'trusted third party' which begs its own questions.

TTP's are simple in principle. The TTP is a public company which provides a vendor with a digital certificate. This confirms to the customer that the company they think they're dealing with is who it claims to be. Digital certificates can be bought from many companies including Verisign and Thawte. They require a fair amount of company documentation.
Public Key Encryption

Both SSL and the digital certificates require encryption. This is provided using asymmetrical - aka public key - encryption. This requires two keys: public and private. The public key is published and can be used by anyone to encrypt anything but only the private key can decrypt it.

An SSL exchange is carried out using a public key given to your browser by the server. The digital certificate provider confirms that the key belongs to a valid certificate used by the company at the domain where the transaction is taking place. In effect, it's a three way transaction, but each party can only access the information it needs to do its job.
Trusting Customers

To accept online credit card payments with a minimum level of confidence you need two services: a merchant account - either your own or access to one via a third party - and real time authorisation.

Taking credit card payments online for overnight processing is commercial insanity. Anyone can create credit card details which will pass validation checks - including expiry dates - using one of dozens of freely available programs on the Net.

In practice, realtime credit card transactions are pre-authorised to a set value provided the vendor checks card numbers against a supplied hot list. Transactions over the limit must be authorised. This doesn't guarantee you'll be paid but it eliminates the more incompetent criminals.

Authorisation is a two part process. First the customer sends in the order by secure form (using SSL). The details on the card and the amount are then sent from your server to the authorising company (only larger concerns deal directly with banks). The authorising company runs the check with the card issuing bank then authorises or denies it immediately.
Merchant Services

Small or new companies and those with a small turnover may have to turn to a third party such as Earthport to handle credit and debit card sales, though banks are beginning to target ecommerce more aggressively.

For example, in the UK NatWest Bank has bought 13 per cent of WorldPay and now offers - through WorldPay - online payment services in most currencies. This enables its business customers to integrate online payments with their existing banking services. In fact, NatWest offers customers WorldPay software. This model is likely to be followed by other banks - though don't expect them to assume any of the risk.

Third party online payment facilitators are as reluctant as banks to expose themselves to risk. You may find it difficult to get accepted, the service may be stopped for no apparent reason, payment can be slow and you may have to work in a different currency. It also tends to be expensive. Retail swipe commission rates vary between under 1.5 per cent and four per cent while online rates tend to start at 4.5 per cent and just keep going up. Eight per cent and higher is common.
MOTO Matters

Online credit payments are classed as Mail Order and Telephone Order sales by credit card companies, yet suffer far higher chargeback rates. While the Visa and MasterCard quote overall card fraud at around 0.08 per cent of all transactions, online fraud (for which no separate figures are released) is estimated by online traders at somewhere between three and five percent. The figures are higher than for mail order or telephone sales. The fact that neither Visa nor MasterCard will provide such figures should give all online retailers pause for thought.

Mail order companies are safer because they can get signatures - an actual piece of paper changes hands. Telephone sales have CLI (Caller Line Identification) information to add to address verification (in the US at least) - though pay as you go cellphones have dramatically increased telephone fraud. Online retailers, though, often have no more than an email order containing a card number via a free email account.
Game, SET and Match

There is a technique to enforce non-repudiation of online credit card orders. Secure Electronic Transaction is an encrypted online payment method which keeps all information on a need to know basis, automatically confirms the card and its holder are valid, guarantees payments and is network protocol independent. It's also too complex to describe here.

So far it has made no impact on consumers because it requires them to hold and manage digital certificates, while many have trouble just hanging on to their Net access password. It will continue to make no impact until it can be used from any location in the form of a smartcard. This places it several years down the line.
Protection Service

As an online vendor, your exposure to credit card fraud depends to a large extent on what you're selling. Intangibles are the easiest target. Top of the list by far are adult sex sites. Although there are no published figures, anecdotal evidence suggests companies handling sex site signups often set swipe commission rates as high as 50 per cent, using the income generated to hide chargebacks.

Software sales, pay per view sites, gambling sites, informational sites and so on are equally at risk. Indeed, many will no longer take orders from free email account holders or overseas customers. Microsoft's Expedia set aside $6 million for credit card fraud in 1999 but most online retailers refuse to divulge fraud figures for fear of losing customer confidence.

Large ticket item sales are just as risky. For example, many online retailers now refuse to accept orders with different billing and delivery addresses. Even this doesn't help if someone is prepared to set up fake credit card accounts using empty house addresses - and there are criminal organisations exploiting the weaknesses of the credit card system in this and other ways.

It's a problem which can only get worse without a change to a more secure online payment system which both proves the identity of both parties and cannot be repudiated. Both sellers and buyers must have confidence in online sales. If online sales don't become more secure vendors will either insist on payment up front or become uneconomic as their increased sales costs penalise their customers for buying online.
Ten Anti-Fraud Tips For Online Vendors

1. Even though it might be a hassle, insist on a mailing address, zip or postal code and phone number of the buyer and then check them out to ensure they aren't fake.

2. Insist on a faxed customer signature and a faxed photocopy of the credit card (from a photocopy is fine).

3. If you can't contact the buyer by phone or the phone number is unreachable, then don't process the order

4. Use Address Verification services where they're available

5. Be extremely wary of shipping overseas - it can be hard to pursue claims abroad. Eastern Europe is seen by many as a high risk area.

6. Check the email address against the name on the credit card. If the real name doesn't match the email name then you definitely want more reassurance before processing the order.

7. Refuse to process orders from free email domains unless you have incontrovertible proof of the buyer's identity.

8. Never ship products to postal box numbers. Always insist on a physical shipping address.

9. Check the DNS table of the remote IP of the customer. Find out the remote server's geographic area and check it against the address of the customer. Few people connect to the Net using a long distance call. You also need to check the mailing address, phone number and email address of the server, though thieves can also set up servers too.

10. Be especially careful of those wanting higher priced fast delivery or otherwise being price insensitive. Thieves don't care how much it costs as they don't plan to pay.