How Online Retailers Can Combat Fraud
The online market in the UK is expected to treble in size within the next five years, reaching a staggering £19.2 billion (source: Verdict). Following the introduction of Chip and PIN cards, many retailers are concerned that this market increase will lead to a growth in cardholder not present (CNP) fraud. While Chip and PIN cards have improved the fraud rate on the high street, the technology to prevent CNP fraud online is still some time away.
With some high street banks still months away from the introduction of a card-reader which will generate a one-time PIN number allowing the customer to shop online, what can retailers do to improve their chances of combating Internet fraud? Here are some tips to help retailers defeat Internet fraudsters:
Eyeball every transaction. One of the most effective methods of combating Internet fraud is to 'eyeball' every transaction for obvious abnormalities, such as unusually high order volumes within one transaction. Although this is not always a cost-effective or practical solution for every retailer, depending on volumes, it acts as the first check-point for any obvious fraudulent transactions.
Examine each transaction against a predetermined set of business rules. Treat every transaction as a potentially fraudulent order, and do not process any order until it has passed basic tests. Implement a scoring or risk assessment system to evaluate each order, basing it on the size and value of the transaction and on the personal details submitted by the consumer.
Implement your own hot-lists recording previously detected fraud. This will enable you to check that the customer has not previously ordered with a different address, that the delivery address matches the cardholder address, and whether the address has been the source of previously detected fraud. Ensure that your terms and conditions clearly state why you collect personal information and what will be done with it, so as not to attract the wrath of the Data Protection Registrar.
Check the customer name matches or links with the e-mail address. If the forename and/or surname does not appear in the e-mail address, this may indicate a suspicious transaction.
Check address and post-code of the cardholder originate within the UK. Unless you're expecting international orders, pay close attention to orders that originate outside the UK. Your ability to obtain legal or financial redress may be hindered by cross-border transactions.
Check customer phone number is in the correct format. You may decide a mobile contact number is too risky for a high value transaction.
Check that all card numbers pass a basic 'Luhn/Modulus 10' check. All credit card companies use card numbers that comply with a specific formula. Modulus 10 cannot validate the transaction itself but will ensure the card number supplied is at least in a valid format. MOD10 costs nothing, can be obtained easily and can be implemented with a few lines of code. Most e-commerce solutions will typically use some or all of these checks, and all can be implemented at a relatively low cost.
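The in-house checks described above can be combined into one rule-based score per order. The following Python sketch is an added example, not code from the original article; the field names, weights, thresholds, hot-list entry and sample orders are all constructed assumptions, and the postcode pattern is a simplified shape check.

```python
import re

# All weights, limits and the hot-list entry are constructed for illustration.
HOT_POSTCODES = {"ZZ99 9ZZ"}      # delivery postcodes tied to earlier fraud
MAX_QTY, HIGH_VALUE, HOLD_AT = 10, 500.0, 50
# Simplified UK postcode shape, not a full validation of every valid postcode.
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$")

def luhn_ok(card_number):
    """Luhn / Modulus 10: checks the number's format only, not the account."""
    pan = card_number.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def score_order(order):
    """Return (score, reasons, hold) for one order dict."""
    hits = []
    if not luhn_ok(order["card_number"]):
        hits.append((100, "card number fails Modulus 10"))
    local = order["email"].split("@")[0].lower()
    if not any(n.lower() in local for n in (order["forename"], order["surname"]) if n):
        hits.append((15, "name does not appear in e-mail address"))
    billing = order["billing_postcode"].strip().upper()
    delivery = order["delivery_postcode"].strip().upper()
    if not UK_POSTCODE.match(billing):
        hits.append((25, "cardholder postcode is not in UK format"))
    if delivery != billing:
        hits.append((20, "delivery address differs from cardholder address"))
    if delivery in HOT_POSTCODES:
        hits.append((60, "delivery address is on the hot-list"))
    if order["quantity"] > MAX_QTY:
        hits.append((20, "unusually high order volume"))
    if order["phone"].replace(" ", "").startswith("07") and order["value"] > HIGH_VALUE:
        hits.append((10, "mobile contact number on high-value order"))
    score = sum(w for w, _ in hits)
    return score, [r for _, r in hits], score >= HOLD_AT

# Constructed sample orders (the card number is a widely used test value).
GOOD = {"card_number": "4111 1111 1111 1111", "forename": "Jane", "surname": "Smith",
        "email": "jane.smith@example.com", "billing_postcode": "AB1 2CD",
        "delivery_postcode": "ab1 2cd", "quantity": 1, "value": 40.0, "phone": "020 7946 0000"}
BAD = dict(GOOD, card_number="4111111111111112", email="xk99@example.com",
           delivery_postcode="ZZ99 9ZZ", quantity=40, value=2500.0, phone="07700 900123")
```

An order that reaches the hold threshold is not rejected outright; it is held for the manual review and phone verification the article recommends.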
Third-party verification systems should be used to authenticate information that cannot be checked internally. This information includes address verification, credit verification and payment service provider (PSP) verification.
Ensure your systems are flexible. If your in-house checks indicate potential fraud, contact the consumer by phone to verify the order details. Genuine consumers will answer the phone and will normally appreciate your call, which can only reflect positively on their perception of your customer service.
Online fraud is often cited as a barrier by retailers considering trading online, with CNP fraud costing UK businesses £150.8 million in 2004 (source: APACS). The fact is that there are currently no 'one-stop' solutions to prevent Internet fraud, but retailers can protect themselves from the vast majority of fraud attempts with easily implementable anti-fraud tools. Fraudsters will always try to stay one step ahead, so the better understanding you have of fraud, the better chance you stand of detecting it and reducing the risk to your business.
BIOS, Nov 11, 05 | Posted In Security