

Subject: RE: [uk-netmarketing] Re: Offline Verification of Credit Cards
From: Ken Cowley
Date: Mon, 12 Feb 2001 14:25:08 -0000

Cybersource and similar services will check patterns of attempted card usage
versus predicted 'normal' patterns. These can be very accurate, and
essentially the 'dial' can be turned to give whatever threshold required.
The result of requiring less than 1% chargebacks will be higher 'false
positives', with the false positives (legit customers turned down) dropping
the more extensive the data.

Also you don't have to manually check against the electoral roll - there are
on-line services around charging 'per check' and you can buy CD and server
licences from the likes of Capscan if you are reasonably competent (you can
do ASP programming) and want to set up an automatic check yourself.

Some checks like these are already offered by the card processing
companies - ask your payment service provider.

In the US AVS (address verification) is available on the card network -
matching first address line and zipcode against what is held by the issuer.
Similar for Europe has been on the cards (sorry!) for ages. To utilise this
you must feed transactions into a US acquirer as a UK acquirer will simply
pass what is accepted by the UK network over to the US.

A comprehensive 'same day' online service would:

1) Check each card against your own bad card/bad address list (it is in
order under the data protection act to retain customer and card details for
your own customers if users are warned that this may happen 'for security
purposes' and provided that they are not passed willy-nilly to other
organisations)
2) Pass each surviving transaction through the card network for an
authorisation (but not completion)
3) Ensure a US banking relationship for the US cards to utilise AVS in that
country
4) Pass surviving transactions that went through authorisation through a
'neural network' card usage pattern detector such as CyberSource's, or
Retail Decision's eBitGuard service - these will usually give a score for
how closely the transaction matched experienced 'bad' transactions and will
provide more accuracy the more detail you provide (client IP address, time
of day, cookies enabled/not...)
5) If possible apply these pattern-matching checks on a batch of the day's
transactions, not immediately. Scams have particular patterns (try a little
one first, if it passes then 'up the order') which are picked up better, the
longer the batch run you feed in (obviously this implies batching the card
auth requests also)
6) Address check where available (not all electoral rolls are available
electronically)
7) For passes, NOW confirm the transaction on the card network. For fails,
cancel.
8) As well as pass/fail score thresholds, have a 'refer' setting where you
fax the issuing bank (who in this country will usually give a 24 hr
confirmation of name and address details)
9) If in doubt, decline all cross-border transactions as your gut-feel will
usually only work on your own patch

As an aside, the card networks and issuers have their own pattern matching
at the account level which is why you may occasionally have your own card
declined or be rung from a call centre enquiring whether a particular
transaction was legit. Eg if you usually spend £500 a month with a maximum
transaction of £150 and you suddenly blitz the card.

You can pre-book an amount out of a credit card, which is what hire car
firms and hotels do. This amounts to authorising an amount 'forward' for
more than is likely to be the charge - to see if the customer is 'good for
it'. The user will not be able to spend this money. This indicates a tactic
for risk reduction on the web - authorising way more than the amount
required, before actually completing only on what is wanted. Sounds weird,
but fewer scamsters will stand a big hit, so authorising £200 for a CD
before completing only on £12.99 will reduce the fraud rate.

The fraud situation is very much a 'low probability of a big problem'
scenario like being hit by an asteroid - if bad people with ripped-off cards
decide YOU are a soft touch you can be put out of business. On the other
hand you can cruise along in ignorance quite happily. Bad product categories
are anything easily 'fenceable' - mobile phones, brown goods; and anything
downloaded. Attempted fraud rates in high risk categories (mobiles, 'adult')
that I have been informed of are up to 25%. I haven't seen a summary
anywhere of attempted fraud by category - I guess that retailers will view
this as sensitive info.

High volume retailers will by definition have a bigger database against
which to check potential bad transactions. Cybersource (who Amazon use) pool
not only Amazon's but also hundreds of other retailers' transactions and
hence have a good idea what constitutes a bad-looking attempted purchase.
Moreover Amazon are generally in easily manageable territory - someone
trying to scam them is not going to order single books or CDs so they can
easily apply a rule checking orders only above a certain value, and build
that threshold as they have more experience shipping to a particular
card/address combination.

Electronic transaction verification is a dynamic field and there are
developments all the time. With GUS/Experian now gearing up for e-commerce I
hope that Experian (who know not only your address but also what mortgage
you have) will have an economical on-line offering sooner rather than later.
Anyone on the list from them?

A radical alternative to all the above is one of the services where the
customer registers with a service who do all the checking IN ADVANCE and you
only accept cards from that source. I seem to remember that Protx was one
such and I think that there's one operating in France. The idea here is that
they've checked the address by phone with the issuer if necessary and in
general checked things out for you.

Ken Cowley
New Product Development
Global Internet Billing
598-608 Chiswick High Road
London
W4 5RT

http://www.glintbill.com

+44 (0)20 8612 8612
DDI: +44(0)20 8612 6142
Mob: +44 (0)7909 526822

kcowleyatglintbill [dot] com



-----Original Message-----
From: Robin Edwards [robinatclockworx [dot] co [dot] uk (mailto:robinatclockworx [dot] co [dot] uk)]
Sent: 12 February 2001 09:58
To: uk-netmarketing from chinwag
Subject: [uk-netmarketing] Re: Offline Verification of Credit Cards


Definitely great stuff if you can make it apply to you.

Obviously this is a big problem for merchants trying to ship goods for next
day delivery. I wonder if they are hit by a higher percentage of fraudulent
transactions as a result? Also, the high volume guys, such as Amazon, would
find it very difficult to manually check every name, address and phone
number against the electoral register. I know they use fraud screening
services, such as Cybersource, but can that validate name against address
and telephone number automatically?

Anyone got any figures on how big a problem CC fraud is in the UK for
various sectors?


--
Robin Edwards
Clockworx
T: +44 1543 252370 F: +44 1543 420761
E: robinatclockworx [dot] co [dot] uk W: http://www.clockworx.com/ W2:
http://www.shopworx.net/

[Sam says: msg chopped]
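
Added example, not part of the original e-mail or of any vendor's service: a batch screen in the shape of steps 1, 5, 7 and 8 of the list above, showing why scoring the whole day together catches the small 'tester' order that a per-transaction check would let through. The field names, the 5x escalation factor, the score weights and the thresholds are all hypothetical, and the hand-written score merely stands in for a commercial pattern detector.

```python
from collections import defaultdict

# Constructed sample: one day's authorised-but-not-completed orders.
BAD_CARDS = {"card-9"}  # merchant's own bad-card list (step 1)
BATCH = [
    {"id": 1, "card": "card-1", "time": 900,  "amount": 12.99,  "cross_border": False},
    {"id": 2, "card": "card-2", "time": 1000, "amount": 5.00,   "cross_border": False},
    {"id": 3, "card": "card-2", "time": 1100, "amount": 450.00, "cross_border": False},
    {"id": 4, "card": "card-3", "time": 1200, "amount": 3.00,   "cross_border": True},
    {"id": 5, "card": "card-3", "time": 1300, "amount": 600.00, "cross_border": True},
    {"id": 6, "card": "card-9", "time": 1400, "amount": 20.00,  "cross_border": False},
    {"id": 7, "card": "card-4", "time": 1500, "amount": 30.00,  "cross_border": True},
]

def escalates(amounts, factor=5):
    """True if a later order is at least `factor` times an earlier, smaller one."""
    lowest = amounts[0]
    for amount in amounts[1:]:
        if amount >= factor * lowest:
            return True
        lowest = min(lowest, amount)
    return False

def screen_batch(batch, bad_cards, refer_at=40, fail_at=70):
    """Map each order id to 'pass' (complete), 'refer' or 'fail' (cancel the auth)."""
    by_card = defaultdict(list)
    for tx in sorted(batch, key=lambda t: t["time"]):
        by_card[tx["card"]].append(tx)
    decisions = {}
    for card, txs in by_card.items():
        # Card-level signal: visible only because the whole day is scored together.
        tester = escalates([t["amount"] for t in txs])
        for tx in txs:
            if card in bad_cards:
                decisions[tx["id"]] = "fail"
                continue
            # Hypothetical weights standing in for a vendor's pattern score.
            score = (50 if tester else 0) + (40 if tx["cross_border"] else 0)
            if score >= fail_at:
                decisions[tx["id"]] = "fail"
            elif score >= refer_at:
                decisions[tx["id"]] = "refer"
            else:
                decisions[tx["id"]] = "pass"
    return decisions

if __name__ == "__main__":
    for order_id, outcome in sorted(screen_batch(BATCH, BAD_CARDS).items()):
        print(order_id, outcome)
```

Order 2, the 5.00 tester, is referred along with the 450.00 order that followed it; scored on its own at the time it was placed, it would have passed.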

