[Previous] [Next] - [Index] [Thread Index] - [Previous in Thread] [Next in Thread]

Subject: RE: [uk-netmarketing] Re: Offline Verification of Credit Cards
From: Ken Cowley
Date: Mon, 12 Feb 2001 14:25:08 -0000

Cybersource and similar services will check patterns of attempted card usage
versus predicted 'normal' patterns. These can be very accurate, and
essentially the 'dial' can be turned to give whatever threshold required.
The result of requiring less than 1% chargebacks will be higher 'false
positives', with the false positives (legit customers turned down) dropping
the more extensive the data.

Also you don't have to manually check against the electoral roll - there are
on-line services around charging 'per check' and you can buy CD and server
licences from the likes of Capscan if you are reasonably competent (you can
do ASP programming) and want to set up an automatic check yourself.

Some checks like these are already offered by the card processing
companies - ask your payment service provider.

In the US AVS (address verification) is available on the card network -
matching first address line and zipcode against what is held by the issuer.
Similar for Europe has been on the cards (sorry!) for ages. To utilise this
you must feed transactions into a US acquirer as a Uk acquirer will simply
pass what is accepted by the UK network over to the US.

A comprehensive 'same day' online service would:

1) Check each card against your own bad card/bad address list (it is in
order under the data protection act to retain customer and card details for
your own customers if users are warned that this may happen 'for security
purposes' and provided that are not passed willy-nilly to other
2) Pass each surviving transaction through the card network for an
authorisation (but not completion)
3) Ensure a US banking relationship for the US cards to utilise AVS in that
4) Pass surviving transactions that went through authorisation through a
'neural network' card usage pattern detector such as CyberSource's, or
Retail Decision's eBitGuard service - these will usually give a score for
how closely the transaction matched experienced 'bad' transactions and will
provide more accuracy the more detail you provide (client IP address, time
of day, cookies enabled/not...)
5) If possible apply these pattern-matching checks on a batch of the day's
transactions, not immediately. Scams have particular patterns (try a little
one first, if it passes then 'up the order') which are picked up better, the
longer the batch run you feed in (obviously this implies batching the card
auth requests also)
6) Address check where available (not all electoral rolls are available
7) For passes, NOW confirm the transaction on the card network. For fails,
8) As well as pass/fail score thresholds, have a 'refer' setting where you
fax the issuing bank (who in this country will usually give a 24 hr
confirmation of name and address details)
9) If in doubt, decline all cross-border transactions as your gut-feel will
usually only work on your own patch

As an aside, the card networks and issuers have their own pattern matching
at the account level which is why you may occasionally have your own card
declined or be rung from a call centre enquiring whether a particular
transaction was legit. Eg if you usually spend �500 a month with a maximum
transaction of �150 and you suddenly blitz the card.

You can pre-book an amount out of a credit card, which is what hire car
firms and hotels do. This amounts to authorising an amount 'forward' for
more than is likely to be the charge - to see if the customer is 'good for
it'. The user will not be able to spend this money. This indicates a tactic
for risk reduction on the web - authorising way more than the amount
required, before actually completing only on what is wanted. Sounds weird,
but fewer scamsters will stand a big hit, so authorising �200 for a CD
before completing only on �12.99 will reduce the fraud rate.

The fraud situation is very much a 'low probability of a big problem'
scenario like being hit by an asteroid - if bad people with ripped-off cards
decide YOU are a soft touch you can be put out of business. On the other
hand you can cruise along in ignorance quite happily. Bad product categories
are anything easily 'fenceable' - mobile phones, brown goods; and anything
downloaded. Attempted fraud rates in high risk categories (mobiles, 'adult')
that I have been informed of are up to 25%. I haven't seen a summary
anywhere of attempted fraud by category - I guess that retailers will view
this as sensitive info.

High volume retailers will by definition have a bigger database against
which to check potential bad transactions. Cybersource (who Amazon use) pool
not only Amazon's but also hundreds of other retailers' transactions and
hence have a good idea what constitutes a bad-looking attempted purchase.
Moreover Amazon are generally in easily manageable territory - someone
trying to scam them is not going to order single books or CDs so they can
easily apply a rule checking orders only above a certain value, and build
that threshold as they have more experience shipping to a particular
card/address combination.

Electronic transaction verification is a dynamic field and there are
developments all the time. With GUS/experian now gearing up for e-commerce I
hope that experian (who know not only your address but also what mortgage
you have) will have an economical on-line offering sooner rather than later.
Anyone on the list from them?

A radical alternative to all the above is one of the services where the
customer registers with a service who do all the checking IN ADVANCE and you
only accept cards from that source. I seem to remember that protx was one
such and I think that there's one operating in France. The idea here is that
they've checked the address by phone with the issuer if necessary and in
general checked things out for you.

Ken Cowley
New Product Development
Global Internet Billing
598-608 Chiswick High Road
W4 5RT


+44 (0)20 8612 8612
DDI: +44(0)20 8612 6142
Mob: +44 (0)7909 526822

kcowleyatglintbill [dot] com

-----Original Message-----
From: Robin Edwards [robinatclockworx [dot] co [dot] uk (mailto:robinatclockworx [dot] co [dot] uk)]
Sent: 12 February 2001 09:58
To: uk-netmarketing from chinwag
Subject: [uk-netmarketing] Re: Offline Verification of Credit Cards

Definitely great stuff if you can make it apply to you.

Obviously this is a big problem for merchants trying to ship goods for next
day delivery. I wonder if they are hit by a higher percentage of fraudulent
transactions as a result? Also, the high volume guys, such as Amazon, would
find it very difficult to manually check every name, address and phone
number against the electoral register. I know they use fraud screening
services, such as Cybersource, but can that validate name against address
and telephone number automatically?

Anyone got any figures on how big a problem CC fraud is in the UK for
various sectors?

Robin Edwards
T: +44 1543 252370 F: +44 1543 420761
E: robinatclockworx [dot] co [dot] uk W: http://www.clockworx.com/ W2:

[Sam says: msg chopped]

  Re: [uk-netmarketing] Re: Offline Verifi, Ben Thompson

  RE: [uk-netmarketing] Re: Offline Verifi, Robin Edwards

[Previous] [Next] - [Index] [Thread Index] - [Next in Thread] [Previous in Thread]