Since the introduction of the second Payment Services Directive (PSD2), Multi-Factor Authentication (MFA) has become ‘the norm’ for all of us. MFA might be completed through your bank’s app, a one-time passcode, or via facial recognition on your smartphone.

Whatever the route, processing transactions on cards issued in the European Economic Area (EEA) and the UK has become a whole lot safer for businesses.  

Unfortunately, not all online sales fall under the PSD2 regulation. We therefore recommend that you review your security settings with your gateway provider and use the following recommendations to maximize your ability to stop fraudsters.

 

3D Secure – Though this is not mandated on cards issued outside of the EEA or the UK, you can still request that any transaction that is attempted at your website is processed as fully secured. Each card brand has its own version of 3D Secure and asking your gateway provider to activate this will provide full security against fraudulent sales. If you choose to make 3D Secure optional, ensure you speak to your provider so you understand which transactions have been processed as 3D Secure and which have not.

Fraud Prevention Triggers – Each gateway provider will offer its own suite of fraud prevention triggers that can be used to reduce fraud. These may include velocity checks, IP checks, excessive decline monitoring etc. Speak to your provider and make sure you have optimised your anti-fraud measures.

Captcha – Implementing a Captcha will help deter card testing attacks on your website. Captchas establish whether a user is a human or a robot.

Sense check – We always recommend you complete a sense check of orders received, especially with a new customer or for larger amounts than normal. Think:

  • Are you seeing a sudden spike in sales volume? This might be a sign you are being targeted. Check back over your recent orders to see if there are patterns that suggest fraud.
  • Are orders coming in at unusual times? Multiple orders late at night might be a sign this is a fraudster rather than a genuine customer. 
  • Are customers buying unusual items (e.g. smart phones, tablets etc.) in bulk? If the buying pattern is unusual compared to your normal sales, this might be a sign of fraud. 
  • Are there multiple declines on different cards before the sale goes through? This might be a sign that a fraudster is testing different cards before finding one with sufficient funds available. 
  • Does the delivery address match the billing address? If there is a significant difference between the billing and delivery addresses, it might be a sign that the card does not belong to the customer.
  • Are you seeing multiple orders for the same delivery address but using multiple different cards? Over the course of days, if you are seeing a customer using multiple cards this again might be a sign of a concerted fraud attack. 
  • If it’s an international sale, could the customer make this purchase closer to home for less? While ecommerce does open up a world of possibilities, the cost of shipping means that unless your product is unique, the customer is likely to be able to find it cheaper and quicker close to home.
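Several of the checks above can be run automatically over an export of order attempts. The following is an added example, not code from this article or from any gateway provider: the field names, the sample orders and the thresholds (night hours, two declined cards, two cards per address) are all assumptions to adapt to your own data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample attempts (not real data): id, time, customer, card token,
# status, delivery address, billing address. All field names are assumptions.
FIELDS = ("id", "ts", "customer", "card", "status", "ship", "bill")
ROWS = [
    ("O1", "2024-03-01T14:05", "a@example.test", "c1", "approved", "1 High St", "1 High St"),
    ("O2", "2024-03-01T02:10", "b@example.test", "c2", "declined", "9 Dock Rd", "4 Elm Ave"),
    ("O3", "2024-03-01T02:11", "b@example.test", "c3", "declined", "9 Dock Rd", "7 Oak Ln"),
    ("O4", "2024-03-01T02:13", "b@example.test", "c4", "approved", "9 Dock Rd", "2 Mill Way"),
    ("O5", "2024-03-02T11:00", "c@example.test", "c5", "approved", "9 Dock Rd", "9 Dock Rd"),
    ("O6", "2024-03-03T12:30", "d@example.test", "c6", "approved", "9 dock rd ", "9 Dock Rd"),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]

def norm(address):
    """Crude address normalisation so trivial case/spacing changes still match."""
    return " ".join(address.lower().split())

def sense_check(orders, night=(0, 5), max_declined_cards=2, max_cards_per_address=2):
    """Return {order_id: [reasons]} for approved orders that match a checklist pattern."""
    declined = defaultdict(set)       # customer -> distinct cards declined so far
    cards_at = defaultdict(set)       # delivery address -> distinct cards approved
    flags = defaultdict(list)
    for o in sorted(orders, key=lambda o: o["ts"]):
        if o["status"] == "declined":
            declined[o["customer"]].add(o["card"])
            continue
        ship = norm(o["ship"])
        cards_at[ship].add(o["card"])
        if night[0] <= datetime.fromisoformat(o["ts"]).hour < night[1]:
            flags[o["id"]].append("unusual_hour")
        if ship != norm(o["bill"]):
            flags[o["id"]].append("address_mismatch")
        if len(declined[o["customer"]] - {o["card"]}) >= max_declined_cards:
            flags[o["id"]].append("declines_on_other_cards")
        if len(cards_at[ship]) > max_cards_per_address:
            flags[o["id"]].append("many_cards_one_address")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in sense_check(ORDERS).items():
        print(order_id, ", ".join(reasons))
```

Flagged orders are candidates for manual review rather than automatic rejection, since each pattern also occurs in genuine sales.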

By implementing strong anti-fraud controls on your gateway and using common sense when reviewing orders, you stand a strong chance of being able to prevent your business being hit by fraud.
