If you accept credit cards as a form of payment on your website, you know that the risk of fraud is always present. But there are a few things you can do to protect yourself and your business from would-be scammers.
Use the Recommended Gateway Capture Setting
Unless otherwise required by your gateway provider, we always recommend that you use the default capture setting: Authorize at Sale, Capture at Shipping. With this setting enabled, credit cards are authorized for the purchase amount as soon as an order is placed, but you still have time to review the order before you capture the payment and ship the items. In most cases of online credit card fraud, the store owner (you!) is liable for chargebacks and fees incurred by capturing funds on a fraudulent order, so it’s important that you review each order before you capture the payment.
To make sure you’re using the most secure payment setting, go to Settings > Payment and click Alternative Settings at the bottom of the page.
You can learn more about transaction settings in the "Payment Gateway Transaction Settings" section of our payment settings article.
Examine AVS and CVV2 Responses
The Address Verification System (AVS) compares the numeric portion of the billing address (ZIP code and/or street address) that the customer enters during checkout to the information in the card issuer’s database. If there are any discrepancies, it’s probably a good idea to take a closer look. While an AVS mismatch doesn’t always signify fraud, it should serve as an indication to inspect the order more closely.
On your Order Details page, the AVS response field is located in the Payment Log section. You’ll see a single letter that represents a specific classification designated by your gateway provider. For example, the Authorize.net AVS response code “Y” means the street address and the first five digits of the ZIP code match perfectly.
Card Verification Codes (CVCs) have different names depending on the credit card company (Visa, for example, calls it the CVV2 code), but no matter what they’re called, they all serve the same purpose: to provide an added layer of security against card-not-present fraud. Because the card verification code is printed on the card and is not stored on the magnetic stripe, it is much more difficult for someone to use the card fraudulently without having the physical card in their possession.
The CVV2 response code is also located in the Payment Log section of the Order Details page. Like the AVS response code, the CVV2 code corresponds to a classification specified by your payment gateway provider.
By default, your Volusion store requires CVV2 codes at checkout. You can change this setting by going to Settings > Config Variables and selecting Checkout Variables from the Filter menu.
Keep in mind that if you use Authorize and Capture at Shipping as your payment capture method, your checkout screen will not ask customers for a CVV2 number. Payment Card Industry (PCI) guidelines mandate that a CVC only be requested if it’s being checked in real time by the card issuer.
Use Good Judgment and Be Proactive
There are plenty of sophisticated tools and safeguards to help you stay a step ahead of the criminals, but oftentimes your best resource is intuition. You may have an order that looks completely benign and ordinary on paper, but something about it just doesn’t seem right. You’re well within your rights as a store owner to reach out to a customer if you have any questions or concerns. Give them a call, ask them a few questions, and trust your instincts. Most honest customers will appreciate your diligence. Even when you do business in the digital world, there’s no substitute for human interaction.
Here are a few more tips in addition to the points we’ve already covered:
- Always examine the billing address prior to shipment, even when the AVS response indicates no sign of fraud.
- Use extra caution on all orders requesting shipment to a different location than the billing address.
- Perform a reverse lookup on the phone number or the billing address.
- Be certain the customer’s IP (Internet Protocol) address and ISP (Internet Service Provider) are in reasonable proximity to the billing address.
- Be wary of international orders from high-risk regions like Southeast Asia, the Middle East, Africa, Eastern Europe, and Central America.
- Watch for multiple failed order attempts from the same purchaser.
- Use your IP Firewall to block fraudsters from repeat attempts.
- Be wary of email addresses that contain random-looking character sequences, especially addresses provided through free services like Yahoo, Gmail, or Hotmail.
- Look closely at any order placed with an email address that includes a different name than the cardholder’s.
- Be cautious with orders that have unusually high transaction totals.
- Take advantage of Volusion’s Fraud Score service.
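The sketch below turns several of the checks above into a pre-capture review step for orders that have been authorized but not yet captured. It is an added example, not Volusion code: the field names, both thresholds, the CVV2 match code "M" and the sample orders are assumptions, and only the AVS code "Y" comes from this article.

```python
from dataclasses import dataclass
from typing import Optional

# Assumptions, not from the article: field names, both thresholds and the CVV2
# match code. Only AVS "Y" (street + 5-digit ZIP match) is quoted on the page.
AVS_FULL_MATCH = {"Y"}
CVV_MATCH = {"M"}        # assumed gateway code for "CVV2 matched"
HIGH_TOTAL = 500.00      # hypothetical store-specific limit
MULTIPLE_FAILURES = 2    # hypothetical count of failed attempts worth a look

@dataclass
class Order:
    cardholder: str
    email: str
    billing: str
    shipping: str
    avs: str
    cvv: Optional[str]   # None when checkout did not collect a CVV2
    total: float
    failed_attempts: int = 0

def _norm(addr: str) -> str:
    return " ".join(addr.lower().replace(",", " ").split())

def review_flags(o: Order) -> list:
    """Reasons to look at an authorized order before capturing payment."""
    flags = []
    if o.avs.upper() not in AVS_FULL_MATCH:
        flags.append(f"AVS response {o.avs!r} is not a full match")
    if o.cvv is not None and o.cvv.upper() not in CVV_MATCH:
        flags.append(f"CVV2 response {o.cvv!r} is not a match")
    if _norm(o.billing) != _norm(o.shipping):
        flags.append("ships to a different address than billing")
    if o.failed_attempts >= MULTIPLE_FAILURES:
        flags.append(f"{o.failed_attempts} failed attempts by this purchaser")
    local = o.email.split("@", 1)[0].lower()
    names = [p for p in o.cardholder.lower().split() if len(p) > 2]
    if names and not any(p in local for p in names):
        flags.append("email address does not contain the cardholder's name")
    if o.total >= HIGH_TOTAL:
        flags.append(f"high order total: {o.total:.2f}")
    return flags

# Constructed sample orders (not real data).
CLEAN = Order("Jane Doe", "jane.doe@example.com", "12 Main St, Austin TX 78701",
              "12 main st austin tx 78701", "Y", "M", 80.00)
RISKY = Order("Jane Doe", "xk29qvz7@example.com", "12 Main St, Austin TX 78701",
              "900 Dock Rd, Miami FL 33101", "N", None, 1250.00, failed_attempts=3)
for order in (CLEAN, RISKY):
    print(order.email, review_flags(order) or "no flags: capture at shipping")
```

An empty list means nothing on the checklist stood out; any flag is a reason to review the order by hand before capturing, not proof of fraud.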
Use Fraud Score
A subscription to Volusion’s Fraud Score service can take a lot of the legwork out of the order review process. With Fraud Score, many of the points discussed above are automated and factored into a formula that evaluates the risk factors associated with an order. You can learn more about Fraud Score by reading the FAQs on our website.
Remain Optimistically Guarded
Ultimately, the majority of online shoppers are honest people making legitimate purchases, so there’s no need to be paranoid. Good judgment, common sense, and due diligence are usually enough to keep the scammers at bay.