Credit-Card Fraud
By: Mike • Case Study • 742 Words • May 19, 2010 • 1,300 Views
Credit-Card Fraud
FRAUD
MANY OF MY FRIENDS and acquaintances are still reluctant to use their credit-card numbers on the Internet, even to buy from well-known merchants over secure connections, and even when their credit-card issuers offer full protection against fraudulent charges. This side of the Internet fraud problem has received much more attention than the other side: that Internet merchants have no really effective way to protect themselves against credit-card fraud.
Standard credit-card processing software will give the merchant an approval if the card account is valid, and has enough open credit to cover the sale. For cards issued by U.S. banks, there is an additional security feature called Address Verification System, or AVS. This compares the billing address associated with the card with the one entered by the merchant. The system works fairly well for goods shipped to billing addresses in the U.S.
But there are two major gaps in protection. First, and most seriously, there is no AVS for cards issued by foreign banks. In other words, there is no way for a merchant to use the standard credit-card processing system to guarantee that a foreign credit-card transaction is valid. This forces them to use heuristic, and sometimes arbitrary, measures for fraud screening. My company, for example, won't fulfill orders from Romania, having been burned a few times too many. Customers with hotmail or other free, Web-based e-mail accounts have a point or two against them. Express shipping, ordering many items, and ordering the latest games (instead of reference or educational software) all reduce the likelihood that we'll accept the order. The case is similar for U.S. cards when the goods are shipped to an address other than the card's billing address.
If we guess wrong and ship an order that turns out to be fraudulent - we usually find out months later - we get a "chargeback," meaning that the amount we received for the order is taken back from us. If we guess wrong the other way, refusing to ship a legitimate order, we risk alienating potential customers. My company manages to keep its chargbacks very low, but it's frustrating to be in this situation where there is no way to avoid doing the wrong thing from time to time. There are commercial fraud-screening services that filter credit-card transactions automatically, applying these and other checks, but they are not perfect. We have had limited success referring fraudulent transactions to collection agencies.
How can Internet credit-card thieves work with such impunity? After all, they must give their addresses in order to receive their ill-gotten