May 7, 2008
I’ve been accepting credit cards online for quite a while, since 1991 in fact (17 years). Over the years, I have learned how to reduce credit card fraud chargebacks on the various stores I own or manage for clients. It took quite a while to learn the best possible methods for ensuring that the customer is legitimate at the time of purchase. At most, I have gotten three chargebacks in a 12-month period out of thousands of online orders in the same period.
It is not hard. However, it does require diligence on every order you accept. Even if you are a seasoned online merchant, the guideline below may give you ideas or remind you that due diligence is the key to protecting yourself from credit card chargebacks.
Note that there are hyperlinks in this guideline. I use these trusted sources every day. Rest assured these sites and services (all free) will help you.
Reducing Online Credit Card Fraud Guidelines
This guide covers both US and overseas order acceptance and shipping. If you only accept and ship orders in the United States, reducing fraud is a bit easier. Remember though, just because your customer resides in the United States does not mean the order is 100% legitimate.
Backgrounder
Many new online merchants may be a bit confused about (numeric) IP addresses. Trust me, they are your friend. Each computer that connects to the Internet is assigned an “Internet Protocol” numeric address, which is much like a street address for your home. Occasionally these IP addresses are spoofed (faked). However, I have found this to be a rare occurrence. It is very hard to completely fake an IP address, very hard.
Each country on the planet earth is assigned IP address blocks, or groups of numeric addresses. You can look these IP addresses up and match the IP address to a country, state and sometimes a particular city. The important thing is to make sure that the IP address matches the general geographic location in relation to the customer’s billing or shipping address. As I go through the guideline, I will provide links so that you can look up the IP addresses of your customers.
As an online merchant that sells and ships goods all over the planet, I have requirements that I place on each store that accepts credit cards:
1. I have certain countries that I do not accept credit card (or PayPal) payments from due to the high percentage of credit card and online fraud. I have listed below the only countries I accept payments from or ship products to. Of course, you should decide for yourself if you are going to take orders from outside of the US or not. My list of acceptable countries is for your reference only, and should not be considered a perfect solution.
Countries that I accept credit cards from: Argentina, Australia, Austria, Belize, Belgium, Bolivia, Brazil, Canada, Chile, Caribbean, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Jamaica, Japan, Jordan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Paraguay, Philippines, Poland, Portugal, Puerto Rico, Saudi Arabia, Singapore, South Africa (only), Spain, Sweden, Switzerland, Taiwan, U.A.E. (United Arab Emirates – Saudi Arabia), United Kingdom, United States and Uruguay.
If the country is not on my list, I do not accept orders from it and will void the order. I’ve been bitten once or twice by shipping products to countries not on my list. I no longer make exceptions. It isn’t worth the possibility of a chargeback. Chargebacks are expensive and too many of them can cause you to lose your merchant account.
2. I check ALL order IP addresses against the billing address of the credit card (I only ship to the card billing address). To place an order on my stores you must enter the credit card billing address and it must match. I used a credit card gateway called Authorize.net (www.authorize.net) to tie my online credit cards to my local bank account. Authorize.net has certain fraud detection features (Card Code Verification and Address Verification Service) that you can set up to check that the billing address and zip code match what the customer inputs when ordering. If it does not match your requirements, the credit card will be declined. It works and prevents fraud 99.95% of the time. I will go into detail about checking IP addresses further on in this guideline.
However, online fraudsters have used legitimate information to get past the Authorize.net checks. That is why I check IP addresses, especially for digital downloads such as eBooks, graphics content, music, images, software, etc. The IP address check will stop 99.99% of the digital download fraud. I will cover the IP lookup further on in this guideline. If your online store software does not record the customer’s IP address, find store software that does.
3. I require customers to use the three-digit security code from the back of the credit card or the four-digit code from the front of American Express cards. It’s called a CVV code. Most fraudsters don’t have access to this number unless they actually have the card in hand or somehow tricked someone into divulging the number. It is rare that this happens but has happened to me on occasion. Again, the IP address lookup helps limit fraudulent orders from getting through. If your online store software doesn’t have the option to require the CVV security code, then find software that does have the option to require it.
4. I state on my stores (at time of checkout) that customers are not to use free email accounts to place orders (hotmail, yahoo, etc.). I state that if a free email account is used that further scrutiny will be placed on the order such as a phone call, more internet investigation (reverse phone number lookup, Google map lookup, deeper IP address lookup, etc.) and could delay the order substantially. Most customers will use their ISP email address, as they want their product to be shipped as quickly as possible. If you handle overseas orders you may want to familiarize yourself with overseas free email providers (if you aren’t sure then check it).
5. I personally do not automate digital downloads. I don’t care how convenient it is for me or the customer (eBooks, digital photos, music, software, etc). I manually check the customer’s information and manually activate the download.
Fraudsters prey on stores that have unattended/automated processing and approval systems. If you feel comfortable with automated delivery without human intervention, then by all means do so, just be prepared for many credit card chargebacks. Mark my words on that.
I put a statement in the order emails and online receipts that digital delivery purchases are manually activated and I state a general time for processing. Something to the effect that activation can take 15 minutes to one hour during normal business hours and that orders placed after hours will be processed the following morning. Most customers will accept it. Be sure to state clearly the business hours and processing times so that the customer will be patient and not drive you mad with harsh emails. I rarely have a customer email me, as I am very clear about processing times in the order email receipt and online receipt. This not only protects you, but also protects all credit card users that purchase from you. It reduces your fraud liability as well.
Be prompt in processing orders as well. Being timely and attentive to your customers will net you more sales as they *will* tell others about the great customer service experience they had. I receive many sales because happy customers told others about how I take care of them. I live by this rule.
As an aside, your store software should store credit card numbers in encrypted format. If your store application does not do this, then find software that will. It protects you from fraud and your potential customers from identity theft.
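The five acceptance rules above, sketched as one screening function. This is an added example, not the author's store software; the order fields, the two-letter country codes, the sample IP blocks and the decision labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation-range blocks stand in for the
# SenderBase / registry lookups the page performs by hand.
SAMPLE_IP_BLOCKS = {
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "CA",
    "203.0.113.0/24": "ZZ",  # placeholder code for a country not on the list
}
ACCEPTED_COUNTRIES = {"US", "CA", "GB", "AU"}      # assumed subset of rule 1's list
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}  # the two providers the page names


def ip_country(ip):
    """Return the country code of the block containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in SAMPLE_IP_BLOCKS.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def screen_order(order):
    """Apply rules 1-5 to one order dict; return (decision, reasons)."""
    # Rule 1: orders from countries off the list are voided, no exceptions.
    if order["billing_country"] not in ACCEPTED_COUNTRIES:
        return "void", ["billing country not on accepted list"]
    # Rule 2: ship only to the card billing address.
    if order["shipping_address"] != order["billing_address"]:
        return "void", ["ship-to differs from card billing address"]
    # Rules 2-3: the gateway's AVS and card-code results must both match.
    if not (order["avs_match"] and order["cvv_match"]):
        return "decline", ["AVS or card code mismatch"]
    reasons = []
    # Rule 2: compare at country level only; large ISPs often map to another city.
    seen = ip_country(order["ip"])
    if seen is None:
        reasons.append("IP not in lookup data; check registry Whois")
    elif seen != order["billing_country"]:
        reasons.append(f"IP country {seen} differs from billing country")
    # Rule 4: free email accounts get extra scrutiny, not automatic rejection.
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        reasons.append("free email account")
    # Rule 5: digital goods are never released automatically.
    if order["digital"]:
        reasons.append("digital download: activate manually")
    return ("review" if reasons else "accept"), reasons
```

Anything returned as "review" goes to a person, which is where the phone call, reverse phone lookup and map check described later in the guide come in.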
The above is a guide to what you should do when accepting online orders. The next portion of this guideline goes into detail on how to easily check IP addresses, perform reverse phone number lookups, etc.
Verify Your Customer’s Information
One of the most important things you should do when processing online orders is to check the actual location of the customer. As I mentioned earlier each computer is assigned a unique numeric address called an IP Address and they are assigned by country. IP addresses are your friends. IP address lookups will reduce your fraud rates by an order of magnitude.
There are several online (free) sources to check IP address and geographic location. My favorite is IronPort’s SenderBase, which covers nearly every IP address on the planet, and you can look up the details (country, state, city, etc) for each IP address. SenderBase is also a good source for mail server administrators to locate sources of spam. Below is a quick walk-through on using SenderBase.
Note that large ISPs may be in another city than the address of your customer’s credit card billing information (such as EarthLink, AOL, most cable companies), so don’t live and die by the IP address matching the exact city or state. If I am skeptical of the order/customer I look at several factors: I check the physical address in Google Maps, use reverse phone number lookups (see further down) and, many times, I will call the customer to verify.
Many sophisticated fraud artists have access to much of this information, however it is easy to check and verify that the person holding the card placed the order. I find that the IP address lookups prevent more than 90 to 95 percent of the fraud attempts I see each month.
[Screenshot: enter the IP address]
[Screenshot: results from IP address search]
SenderBase (www.senderbase.org) is a great anti-fraud resource and will cover about 98% of the IP addresses you look up. Occasionally it will not be able to look up an address for an unknown reason. However, there are several Internet registries for assigned (IP) numbers. The list below covers the assigned number registries.
SenderBase will give you the proper Whois lookup for that IP address even when it cannot give you more details on it.
SenderBase is the quickest and easiest way to look up IP addresses; however, the above number registries cover the entire globe.
US Customer Additional Verification
It is harder to look up overseas address and phone number information. However, for US orders you have a plethora of ways to verify your customer, often without having to contact them directly. Most often fraudsters use free (throwaway) email addresses, and legitimate customers will not mind giving you their (paid for) ISP email address. Fraudsters are unlikely to use their real email address when attempting to defraud you. I am not saying not to be diligent in checking every order. However, I personally place more scrutiny on orders that are associated with a free email account. I have only had four fraudulent orders that actually used a non-free email account in nearly 17 years of accepting credit cards online.
Reverse Phone Number Lookups
I use several free reverse phone number lookup services to make sure the phone number matches the same general geographic area as the customer’s billing address. A reverse phone number lookup will provide the address (or general city/state) by simply entering the phone number. Oftentimes a customer will use a cell phone number. While the reverse phone lookup will not provide a specific address for a cell phone number, it will provide the city and state of the phone provider (which will generally match the customer’s billing city or area). Even in the cases of cell phone numbers, reverse phone lookups will give you an added layer of comfort that the customer is in the same general area as their address and phone number.
The below services are all free. Never pay for reverse phone number lookup information. If you cannot find what you need with the services below, chances are a paid-for service will not be any more helpful other than taking your money for nothing.
PhoneNumber.com – Lookup addresses and areas by phone number. Enter the phone number in xxx-xxx-xxxx format.
While reverse phone number lookups are not 100% effective, they will help you to decide whether to accept or ship an order.
Use Google Maps; it is a good address lookup if you feel the need. It does not hurt, especially when shipping expensive products.
A Final Word
While the above methods will not prevent 100% of fraudulent orders and credit card misuse, they will prevent nearly all of it. I have used these methods for more than seventeen years and rarely do I ever have a chargeback. The most I ever had due to fraud was three in a one-year period and that was because I was not diligent in checking out the customer’s location. Most brick and mortar establishments cannot claim such a low chargeback / fraud rate as I maintain. Using the methods outlined above, you can protect yourself from most credit card chargebacks, and your potential customers from fraud.
Disclaimer: This guide is not to be construed as a 100 percent foolproof method of preventing fraud or credit card chargebacks. This guide merely offers suggestions on how to combat fraud and chargebacks. This guideline is not legal advice, nor should you rely on the information contained 100%.
Copyright © 2008, Allen Harkleroad, All Rights Reserved. This article may not be reproduced in any manner without express written consent of the author.