As a Volusion merchant, you have many tools available for reviewing orders and spotting potentially fraudulent transactions. There are also things you can do with your store settings to further protect yourself from chargebacks!
The following tools and features can be used to increase your business security and verify the validity of your orders.
Credit Card Authorization / Capture Mode 💳
As you may notice, the Authorize at Sale, Capture at Shipping option for receiving credit card payments is marked as the recommended option. This is the standard policy for many ecommerce businesses, and is the default setting for your store. Essentially, this lets you review the details of each transaction before you collect payment or ship the order!
IP Lookup Tool 👀
In the Order Total section of each Order details page, you'll see This Order was Placed ONLINE Via IP Address 188.8.131.52. The IP Address is a clickable link which will take you to an IP lookup site and show you the geographical origin of the IP Address!
Once you find out the location of the IP address, you can compare it to the order's billing and shipping addresses to see if they match. If they don't match, you can contact the customer to verify their order and payment information before proceeding.
Address Match 🏘️
Most payment processing gateways verify a customer's credit card number against the billing address they provide at checkout to make sure it's the same address on file with the card-issuing bank. Often, there is a minimum amount of information that must match in order for the transaction to be approved. If you're a Verified Volusion Merchant, your payment gateway is most likely Authorize.net, whose AVS (Address Verification System) can return responses for ZIP code matches, street address matches and the combinations of these. You can look up the AVS responses in your gateway's documentation to find out how closely the information matches, and how comfortable you feel processing the order.
Security Code Match 🔢
The CVV2 is Visa’s name for the 3-digit security code printed on the back of the card. MasterCard calls it the CVC2, and Discover and American Express call it the CID. Since this data is not embossed on the card or stored in its magnetic stripe, it cannot be stolen through many methods used to steal other crucial card details. Having a security code match significantly reduces the risk of a fraudulent transaction!
Depending on your gateway*, you may not be able to completely decline a transaction based on a mismatched security code alone. Instead, you'll want to make sure that you have the Require_CVV2_Security_Number Config Variable enabled to collect the security code on the checkout page.
To learn how to turn it on, see "Why doesn't my checkout process require the CVV2 number?". Additionally, you'll want to make sure that you have the security code check turned on in your gateway so the gateway can send back a CVV2 response to your store's order details page. You can find the CVV2 gateway response in the Payment Log section of the order details page, under the AVS match. Check with your gateway to find out what response indicates a match, a no-match, and a not-available (meaning the customer did not fill in the CVV2 field).
*Authorize.net does allow you to reject transactions based on a CVV2 mismatch. Log in to your Authorize.net gateway account and go to Account > Settings > Card Code Verification to set up a new order decline filter!
SSL Certificate 🔒
An SSL certificate is a tool that ensures the safe communication of sensitive data (e.g. personally identifying information and credit card numbers) between websites. The SSL certificate encrypts this information as it's transferred between internet sites.
For most payment gateways, an SSL Certificate is required to accept credit cards directly through your store. The industry standard for payment data encryption is 128-bit, so it is advised that you stay above this recommended minimum when choosing an SSL Certificate. Check out the high-security, low-cost SSL Certificates Volusion has to offer!
Fraud Score 🕵️
Fraud Score is a feature that you can add to your monthly hosting which checks incoming data for orders against a full database of fraud information to assign each order a score. Based on the score, you can see where orders fall on a scale of risk: Minimal, Moderate, and High.
In addition to these tools, there are a few things you should keep in mind as you review your orders. Some of these things may seem obvious, but double checking can protect you from a lot of hassle later if you were to process an order that turns out to be fraudulent!
Check the Basic Information 🤔
Be wary of orders that have drastically different shipping and billing addresses, particularly if the shipping address is in a different country. You'll probably see different shipping and billing addresses for legitimate orders from time to time, as gift orders are very popular, but watch for address information that simply looks wrong. If your gut tells you that there may be something wrong with the order, check it with the order page tools to see if any other information looks suspicious.
Also check that the name registered on the credit card and the name provided as contact information are similar. You can find the contact information that the customer provided under Billing below the Order Total section, and the name on the credit card in the Payments & Credits section.
Watch for Unusually Large Orders 🐘
In particular, you should be wary of orders that have a large quantity of a single item, especially if you sell higher-priced items. For example, it isn't likely that a single customer would need 15 digital cameras or 20 smartphones! Essentially, if an order is so large that it looks too good to be true, it probably is.
Look for Previous Declines 🙅
When you go to Orders > Process Orders, you'll see a list of all New and Processing orders. Any orders that have been Declined are logged immediately as Cancelled orders, so they will not appear in the main orders grid. If you see a large gap in the incremented order ID numbers on the main orders grid, it may be because there are a number of Declined orders that are not showing.
Use the Filter menu to view All Orders, including Cancelled orders. You may notice that a customer tried to process an order 5 or even 20 times before they were able to successfully place an order.
In this situation, you may want to contact the customer and ask if they had trouble placing their order. If the customer does not respond to emails or calls about their order, then the contact information they provided may not be valid, and the 20 declined orders may have been 20 attempts to push through a fraudulent transaction.
If the customer does respond to your questions about the order process, then you can double check and troubleshoot the functionality of your storefront and make improvements as needed.
Beware of High-Risk Geographies 🌐
Be aware of countries that tend to harbor internet fraud. High problem areas tend to be China, Southeast Asia, India, the former Soviet Union, the Eastern bloc of Europe and East Africa. If you see an IP address from one of these countries, shipping the order might not be worth it unless you can contact the customer and verify the card.
Additionally, many merchants have begun using Volusion's IP Firewall tool to block all IPs in these high-risk geographies. Particularly since many merchants only offer shipping within their own country or continent, blocking these risky ranges of IP addresses doesn't adversely affect site traffic.
Ease Your Fears by Reaching Out 🤝
If you have any doubts about the legitimacy of an order, it's up to you to decide if you want to reach out to your customers and verify order and payment information. Most customers will not be offended if you reach out to verify their identity; in fact, most of them will appreciate your diligence!
By reaching out to the customer, you may also find fake contact information. For example, if a customer enters firstname.lastname@example.org as their email, or 123-456-7890 as their phone number, then the credit card they used may not even belong to them.
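The manual review checks described above (address and IP location mismatch, name mismatch, large single-item quantities, previous declines, placeholder contact details) can be run over a list of orders before payment is captured. This is an added example, not Volusion code: the order records, field names and thresholds are constructed assumptions, not a Volusion export format.

```python
import re

# Review thresholds are assumptions for this example; tune them to your own catalog.
QTY_LIMIT = 10       # units of a single item
DECLINE_LIMIT = 5    # cancelled (declined) attempts before the order went through

def make_order(oid, email, status="New", **fields):  # constructed record, hypothetical fields
    base = {"id": oid, "email": email, "status": status, "phone": "512-555-0142",
            "bill_country": "US", "ship_country": "US", "ip_country": "US",
            "bill_name": "Pat Lee", "card_name": "Pat Lee", "max_item_qty": 1}
    return {**base, **fields}

# Constructed sample data: one ordinary order, then five declines followed by a success.
ORDERS = [make_order(1001, "pat@shop.example")]
ORDERS += [make_order(1002 + i, "buyer@mail.example", "Cancelled") for i in range(5)]
ORDERS.append(make_order(1007, "buyer@mail.example", phone="123-456-7890",
                         ship_country="GB", ip_country="BR", card_name="Sam Roe",
                         max_item_qty=15))

def norm(name):
    return " ".join(name.lower().split())

def prior_declines(order, orders):
    """Count earlier cancelled orders placed with the same email address."""
    return sum(1 for o in orders if o["status"] == "Cancelled"
               and o["email"].lower() == order["email"].lower() and o["id"] < order["id"])

def review_flags(order, orders):
    """Return the reasons this order deserves a manual look before capture."""
    flags = []
    if order["ship_country"] != order["bill_country"]:
        flags.append("ships to a different country than billing")
    if order["ip_country"] not in (order["bill_country"], order["ship_country"]):
        flags.append("IP location matches neither address")
    if norm(order["card_name"]) != norm(order["bill_name"]):
        flags.append("card name differs from billing contact")
    if order["max_item_qty"] >= QTY_LIMIT:
        flags.append("large quantity of a single item")
    if prior_declines(order, orders) >= DECLINE_LIMIT:
        flags.append("many declined attempts before success")
    if re.sub(r"\D", "", order["phone"]) == "1234567890":
        flags.append("placeholder phone number")
    return flags

def triage(orders):  # map each open (non-cancelled) order id to its review flags
    return {o["id"]: review_flags(o, orders) for o in orders if o["status"] != "Cancelled"}

if __name__ == "__main__":
    print(triage(ORDERS))
```

A flag is a prompt to contact the customer, not a verdict: gift orders legitimately ship to a different address than billing.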
Avoiding Chargebacks 💸
In addition to requiring the security code, checking the IP, matching the addresses and other actions you're taking to protect yourself, you can also protect yourself from people who take advantage of online retailers in another way: chargebacks.
There are a few reasons why customers can legally ask for a chargeback. Among these reasons, customers are able to claim that they were misled on your site, or that they never received the merchandise you shipped. Some simple additions to your checkout and order process can protect you from the most blatant abuses of the chargeback system.
Require Signature on Delivery 🖋️
Particularly for large transactions, this may be worth the extra expense. By requiring a signature, your customer cannot make the claim that they never received the merchandise, since they would be liable for the package after it is signed for.
Add "Terms and Conditions" to Your Checkout 🛒
Adding a custom field to your checkout page that asks customers to agree to your Terms and Conditions can also protect you from claims about customers not knowing your store policies.
Whether or not the customer reads the terms and conditions, you will still have a record that they agreed to the information and it becomes their responsibility to know the agreement. A terms and conditions custom field, along with accurate product descriptions, will help you defend yourself from claims that your site is misleading.
To learn how to modify your store's Terms and Conditions, see "Make it Personal: Updating Your Store's Informational Pages".
As ecommerce continues to grow as an industry, online security is an increasingly important issue that you must address to keep yourself and your customers safe from fraudsters and scammers. Using the tools and resources at your disposal can save you time and money, no matter how big your business is!