信用卡反欺诈步骤总结
This chapter describes procedures you can adopt to help reduce your risk of fraud. We strongly suggest that you consider the procedures described in this chapter, and implement those with specific relevance for your type of business.
Your managing fraud procedures should incorporate some of the checks described in
Checks to Make.
Note that trading rules can affect the level of risk you are exposed to.
For example, you cannot refuse to sell on the basis of the cardholder country alone - in such a case you will need to review the other details before you can say "No".
Define Your Risks
You should define the fraud risks specific to your business and use them when developing your managing fraud procedures. The risks will depend upon various factors, such as, the type of business or industry you are in, the type of goods or services you supply, their price level, the countries you deliver to, etc.
You are at greater risk from fraud if you supply high value, branded or otherwise easily traded consumer products that are easy to transport and store.
New enterprises that are not well known retailers also tend to attract fraudsters, who speculate that the merchants will be inexperienced. Similarly, in the service industries, those services that seem easy to deny having been booked or received also rank highly for fraud risk.
There are many other areas for you to consider, a few are listed below:
your order acceptance risks - for example, so that you review all orders above a certain amount
your delivery risks - for example, so that you only provide immediate shipping to shoppers you feel very sure about, such as those who have traded with you before and have a good record, or you may decide to immediately ship all orders below a certain value if the automated tools do not provide alerts
your chargeback history - if you are experiencing too many chargebacks you may need to reassess your some or all of your existing procedures - perhaps you should adopt a procedure so that your chargeback history is reviewed at regular intervals.
You should be aware that high chargeback/fraud levels could affect our ability to provide you with a payment service because of card programs rules relating to excessive chargebacks/frauds.
Order Acceptance
Adopt an order acceptance procedure, which includes an accept, review, reject process.
There should be no doubt about which orders can be filled immediately and which should be reviewed. You could include some or all of the following:
establish the criteria for which orders you will accept - for example, orders below £15 where both Address Verification and Card Security Code match
establish the criteria for which orders should be reviewed – for example, all orders over £75, and all orders with either Address Verification or Card Security Code mismatch
establish the criteria for which orders should be rejected – for example, all orders over £75 where both Address Verification and Card Security Code mismatch and the delivery address differs from the billing address.
Capture delay can be used to provide additional time for you to check orders before capturing the payment.
Respond to Alerts
Adopt a procedure, tailored to your business, that specifies how you will respond to alerts.
For example, you may want orders with Caution alerts to be filled if the order value is below a certain limit, but want a review of all orders with Warning alerts, regardless of the order value.
An alerts procedure can be quite simple, such as the one shown below.
Screening
Adopt a screening procedure that clearly identifies and blocks risky names, email addresses and IP addresses, etc.
As part of that procedure you should specify the conditions under which you carry out updates to the referral lists in the Risk Management Module. For example, every week or as soon as you have information about a suspicious name or IP address.
Consider including the following checks in your screening procedure:
Name and Contact Checks
Email and IP Address Checks
Country Checks
Contact us if you want to restrict high-risk countries.
Payment Methods
Adopt a procedure that specifies the acceptance level for each payment method you select.
Select your payment methods in accordance with your risk; consider their specifications and acceptance level in your target audience. Make sure you understand the specifics of each method. For instance, some card schemes do not support Authentication and, hence, do not support Chargeback Liability Shift, which means that you are always liable for chargebacks rather than the card issuer.
Note that future changes to legislation may affect payment methods for certain kinds of online business. For example, recent legislation in the USA has banned credit card payments for online gambling.
Customer Registration
If you have specific risks and your target customer group will tolerate it, then you might consider an enforced registration procedure for new customers that will exclude some of the potentially riskier shoppers. For example, allowing a probation period during which customers build up a payment history.
Predefine and publish the conditions for registration and for upgrade to full membership.
For example, include: the minimum number of orders; the minimum time frame as a customer; and similar.
If incidents do occur, move the customer in question from your client list to a suspense file, against which new orders can be checked.
Consider including the following items for registration:
require full name and address details - do not accept free ISP-addresses (@hotmail and such), since no registration with these providers is required and consumers therefore remain untraceable
require registration in current telephone directory (for ex-directory applicants ask for phone bill details)
do not accept only mobile phone numbers
offer limited choice of payment methods initially
limit the acceptance level per payment method
set maximum amount/value per order for the first (few)orders
deliver goods to the customer's registered home address only
insist on receipt by this registered shopper, proper identification, and physical presentation of the card.
Delivery Procedure
Adopt a delivery procedure, including, for example, some of the following - depending on your risk:
limitations to the countries where you deliver
deliver to the registered shopper only
ask for faxed identification (driving license, utility bill) beforehand if the person receiving the goods will be a person other than the registered shopper
retain proof of delivery for at least 12 months
instruct carriers to never leave a delivery at the door, especially if instructed to do so by the shopper and/or if it is a high value order - this may be an indication that a criminal is using some unwitting person's house as a drop-off point
when delivering a private purchase to the shopper's office address, only deliver to the shopper personally - use a signed for method of delivery and clearly mark the packaging with instructions that only the shopper should sign for it
never deliver to generic addresses such as office buildings, post offices, airports, railway stations, industrial areas, without specific information on the recipient’s exact location and identity - if you do decide to deliver, insist on full identification and if possible only accept irrevocable payments for these orders
only provide immediate shipping to shoppers you feel very sure about, such as those who have traded with you before and have a good record.
Website Warning
State clearly on your website that, in case of fraud, the proper authorities will be informed and legal action will be taken.
Communications
Ensure that all personnel involved, including external suppliers, such as delivery and parcel services, as well as your own staff, are fully aware of your procedures and their importance.
For example, ensure that your delivery service knows that they should not leave goods on the doorstep, if this is a part of your delivery procedure.
Your managing fraud procedures should incorporate some of the checks described in
Checks to Make.
Note that trading rules can affect the level of risk you are exposed to.
For example, you cannot refuse to sell on the basis of the cardholder country alone - in such a case you will need to review the other details before you can say "No".
Define Your Risks
You should define the fraud risks specific to your business and use them when developing your managing fraud procedures. The risks will depend upon various factors, such as, the type of business or industry you are in, the type of goods or services you supply, their price level, the countries you deliver to, etc.
You are at greater risk from fraud if you supply high value, branded or otherwise easily traded consumer products that are easy to transport and store.
New enterprises that are not well known retailers also tend to attract fraudsters, who speculate that the merchants will be inexperienced. Similarly, in the service industries, those services that seem easy to deny having been booked or received also rank highly for fraud risk.
There are many other areas for you to consider, a few are listed below:
your order acceptance risks - for example, so that you review all orders above a certain amount
your delivery risks - for example, so that you only provide immediate shipping to shoppers you feel very sure about, such as those who have traded with you before and have a good record, or you may decide to immediately ship all orders below a certain value if the automated tools do not provide alerts
your chargeback history - if you are experiencing too many chargebacks you may need to reassess your some or all of your existing procedures - perhaps you should adopt a procedure so that your chargeback history is reviewed at regular intervals.
You should be aware that high chargeback/fraud levels could affect our ability to provide you with a payment service because of card programs rules relating to excessive chargebacks/frauds.
Order Acceptance
Adopt an order acceptance procedure, which includes an accept, review, reject process.
There should be no doubt about which orders can be filled immediately and which should be reviewed. You could include some or all of the following:
establish the criteria for which orders you will accept - for example, orders below £15 where both Address Verification and Card Security Code match
establish the criteria for which orders should be reviewed – for example, all orders over £75, and all orders with either Address Verification or Card Security Code mismatch
establish the criteria for which orders should be rejected – for example, all orders over £75 where both Address Verification and Card Security Code mismatch and the delivery address differs from the billing address.
Capture delay can be used to provide additional time for you to check orders before capturing the payment.
Respond to Alerts
Adopt a procedure, tailored to your business, that specifies how you will respond to alerts.
For example, you may want orders with Caution alerts to be filled if the order value is below a certain limit, but want a review of all orders with Warning alerts, regardless of the order value.
An alerts procedure can be quite simple, such as the one shown below.
Screening
Adopt a screening procedure that clearly identifies and blocks risky names, email addresses and IP addresses, etc.
As part of that procedure you should specify the conditions under which you carry out updates to the referral lists in the Risk Management Module. For example, every week or as soon as you have information about a suspicious name or IP address.
Consider including the following checks in your screening procedure:
Name and Contact Checks
Email and IP Address Checks
Country Checks
Contact us if you want to restrict high-risk countries.
Payment Methods
Adopt a procedure that specifies the acceptance level for each payment method you select.
Select your payment methods in accordance with your risk; consider their specifications and acceptance level in your target audience. Make sure you understand the specifics of each method. For instance, some card schemes do not support Authentication and, hence, do not support Chargeback Liability Shift, which means that you are always liable for chargebacks rather than the card issuer.
Note that future changes to legislation may affect payment methods for certain kinds of online business. For example, recent legislation in the USA has banned credit card payments for online gambling.
Customer Registration
If you have specific risks and your target customer group will tolerate it, then you might consider an enforced registration procedure for new customers that will exclude some of the potentially riskier shoppers. For example, allowing a probation period during which customers build up a payment history.
Predefine and publish the conditions for registration and for upgrade to full membership.
For example, include: the minimum number of orders; the minimum time frame as a customer; and similar.
If incidents do occur, move the customer in question from your client list to a suspense file, against which new orders can be checked.
Consider including the following items for registration:
require full name and address details - do not accept free ISP-addresses (@hotmail and such), since no registration with these providers is required and consumers therefore remain untraceable
require registration in current telephone directory (for ex-directory applicants ask for phone bill details)
do not accept only mobile phone numbers
offer limited choice of payment methods initially
limit the acceptance level per payment method
set maximum amount/value per order for the first (few)orders
deliver goods to the customer's registered home address only
insist on receipt by this registered shopper, proper identification, and physical presentation of the card.
Delivery Procedure
Adopt a delivery procedure, including, for example, some of the following - depending on your risk:
limitations to the countries where you deliver
deliver to the registered shopper only
ask for faxed identification (driving license, utility bill) beforehand if the person receiving the goods will be a person other than the registered shopper
retain proof of delivery for at least 12 months
instruct carriers to never leave a delivery at the door, especially if instructed to do so by the shopper and/or if it is a high value order - this may be an indication that a criminal is using some unwitting person's house as a drop-off point
when delivering a private purchase to the shopper's office address, only deliver to the shopper personally - use a signed for method of delivery and clearly mark the packaging with instructions that only the shopper should sign for it
never deliver to generic addresses such as office buildings, post offices, airports, railway stations, industrial areas, without specific information on the recipient’s exact location and identity - if you do decide to deliver, insist on full identification and if possible only accept irrevocable payments for these orders
only provide immediate shipping to shoppers you feel very sure about, such as those who have traded with you before and have a good record.
Website Warning
State clearly on your website that, in case of fraud, the proper authorities will be informed and legal action will be taken.
Communications
Ensure that all personnel involved, including external suppliers, such as delivery and parcel services, as well as your own staff, are fully aware of your procedures and their importance.
For example, ensure that your delivery service knows that they should not leave goods on the doorstep, if this is a part of your delivery procedure.