This post is applicable only if your product has no contact whatsoever with card data (you’re completing SAQ-A) and is processing card-not-present (CNP) transactions exclusively. These are just recommendations for how to keep your product from being among the low-hanging fruit where fraud is concerned.
Credit Card Fraud Overview
Contrary to what you might assume, the majority of successful CNP credit card fraud isn’t perpetrated by someone who targeted you. Credit card data has often passed through many pairs of hands before it’s used for any serious level of fraud – once obtained, the data is more than likely to be on-sold in bulk for cash by whoever was responsible for the initial theft.
At some stage in this process, the card will need to be verified, which is where the first serious fraud risk presents itself. Verification is typically conducted by making a small, fairly innocuous charge to the card. You may have had your card suspended by the issuer in the past for a charge that seemed so small it surely didn’t warrant the attention, but chances are they were more concerned about what may follow. The small charge, however, is not the real risk to the merchant either – the real risk is the chargeback.
The consumer credit industry has things set up so that the merchant is ultimately responsible for fraud occurring on their account. In addition to losing the value of the transaction so that it can be returned to the defrauded cardholder, the merchant will be assessed a “fee” of typically around $15–20 per fraudulent transaction. You can imagine this adds up to some pretty expensive fees over time, especially if the goods supplied were not infinitely available. While larger merchants may be able to eat those kinds of costs, or find additional ways to prevent fraud, this typically hurts the little guy much more.
Below are some suggestions on ways a merchant can attempt to avoid occurrences of fraud on their site along with some basic best-practices when accepting credit card payments.
- Ensure you have a barrier to entry that can’t be bypassed in an automated fashion. A (decent) CAPTCHA would do the job (can’t really go past reCAPTCHA 2.0 these days).
- Always have a way of getting in touch with the person claiming to be the cardholder. If you suspect fraud, you’ll want to be able to make contact.
- The smaller the amount, the higher the potential risk of fraud (see fraud overview). If it fits your model, allow customers to run larger transactions and spend the balance in smaller increments.
- Enable any fraud protection or prevention mechanisms offered by your card processor.
- Enable any alerts offered by your processor. These should also include alerts not directly related to fraud, such as settlement summaries, payment notifications or chargeback alerts. Just like monitoring your infrastructure!
- Be very responsive to disputes or chargebacks. You’ll want to be in good standing if it comes to a contest. If you do contest one, provide as much information as humanly possible; the decision is often final and can be very expensive for a repeat customer.
- Enable MFA with your processor, and depending on the nature of and amounts involved in your transactions, enable it on your site as well.
- Ensure duplicate transaction checking is always functional. Some people find it easier to request a chargeback from their institution than to take the matter up with the merchant.
- Try to have some sane limits on what can be done on your site (limit the number of CCs per account, upper and lower limits on transaction amounts, etc.).
- Allow users to store CCs (a “wallet” or “vault”). It will help you keep track of card usage since you don’t have direct access to the card details, and also adds to customer satisfaction and trust.
- When a charge is declined, display the actual error to the user so they can fix it, instead of letting them run an invalid card multiple times, which could be interpreted negatively by your processor.
- Reauthenticate the user (e.g. prompt for password), or preferably the card (e.g. prompt for CVV), when buying patterns change (new shipping address, browsing from a different geographic location, etc.).
- Collect full name and billing information. Not only will this stymie a fraudster without billing information, but it could be very helpful in a chargeback dispute.
- Support 3-D Secure (Verified by Visa, Mastercard SecureCode) where possible. Hopefully it will be more broadly supported in the future.
- Use a modern payment processor that allows iframes or hosted fields; it looks much more professional.
- Use an EV SSL certificate for the domain on which you’re accepting the payments. They’re quite cheap now, and can really help with consumer trust.
- You may have heard of EMV or chip-and-pin, and how it will save the world from credit card fraud once and for all. Don’t get too excited, it doesn’t protect CNP transactions whatsoever.
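As an added example (not code from the original post), the merchant-side screening function below implements several of the controls listed above in one place: upper and lower transaction limits, a cap on cards per account, duplicate-transaction detection, and flagging a charge for re-authentication when the shipping address or country changes. The thresholds, token names and sample transactions are all assumptions; cards are referenced only by processor vault tokens, since under SAQ-A the merchant never sees card data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds; tune them to your own transaction profile.
MIN_AMOUNT, MAX_AMOUNT = 5.00, 2000.00
MAX_CARDS_PER_ACCOUNT = 3
DUP_WINDOW = timedelta(minutes=10)

@dataclass
class Account:
    cards: set = field(default_factory=set)      # processor vault tokens, never PANs
    ship_addr: Optional[str] = None              # last approved shipping address
    country: Optional[str] = None                # last approved geographic location
    history: list = field(default_factory=list)  # (token, amount, timestamp)

def screen(acct, token, amount, ship_addr, country, now):
    """Return ('accept' | 'reauth' | 'reject', reasons) for a pending charge."""
    reasons = []
    if not MIN_AMOUNT <= amount <= MAX_AMOUNT:
        reasons.append("amount_out_of_bounds")
    if token not in acct.cards and len(acct.cards) >= MAX_CARDS_PER_ACCOUNT:
        reasons.append("too_many_cards")
    if any(t == token and a == amount and now - ts < DUP_WINDOW
           for t, a, ts in acct.history):
        reasons.append("duplicate_transaction")
    if reasons:
        return "reject", reasons
    # Buying pattern changed: prompt for password or CVV before charging.
    if acct.ship_addr is not None and ship_addr != acct.ship_addr:
        reasons.append("new_shipping_address")
    if acct.country is not None and country != acct.country:
        reasons.append("new_country")
    return ("reauth" if reasons else "accept"), reasons

def record(acct, token, amount, ship_addr, country, now):
    """Update the account once the processor has approved the charge."""
    acct.cards.add(token)
    acct.ship_addr, acct.country = ship_addr, country
    acct.history.append((token, amount, now))

def demo():
    """Constructed sample: first charge, immediate duplicate, pattern change, full wallet."""
    t0, acct = datetime(2024, 1, 1, 12, 0), Account()
    out = [screen(acct, "tok_1", 40.0, "1 Main St", "AU", t0)]
    record(acct, "tok_1", 40.0, "1 Main St", "AU", t0)
    out.append(screen(acct, "tok_1", 40.0, "1 Main St", "AU", t0 + timedelta(minutes=2)))
    out.append(screen(acct, "tok_1", 40.0, "9 Other Rd", "US", t0 + timedelta(days=1)))
    full = Account(cards={"tok_a", "tok_b", "tok_c"})
    out.append(screen(full, "tok_d", 40.0, "1 Main St", "AU", t0))
    return out
```

A "reject" here means the charge is never sent to the processor, so the invalid attempt does not count against you; a "reauth" holds the charge until the user re-enters their password or CVV.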