Beyond Address Verification for International Merchants
The Address Verification System, or AVS, verifies the numeric portions of a cardholder’s billing address. The numbers in the street address and the zip code provided are compared to the street address and zip code on file with the cardholders issuing bank. AVS is an important tool for detecting the use of stolen credit cards and account numbers and card not present fraud prevention. If either the street address or zip code do not match the information on file with the cardholder’s bank, it is an indicator to the merchant that the card or account number may be stolen or fraudulent, or that the transaction may be unauthorized by the cardholder. Unfortunately, AVS is not widely supported outside of North America, and Visa and MasterCard AVS systems currently only work in the US, Canada, and the United Kingdom. (American Express AVS is more widely supported internationally and works in more countries).
International merchants or US merchants who sell to international markets should consider supplementing AVS with additional fraud detection measures to compensate for the lack of Address Verification results in countries outside of the US, Canada, and the United Kingdom.
BIN Verification
The first six digits of a credit card account number are called the Bank Identification Number (BIN) or Issuer ID. The BIN identifies the issuing bank of the credit card. BIN verification tools allow the merchant to identify the issuing bank of the credit card, the country where the bank is located, and the bank’s telephone number. If the cardholder billing address or shipping address are in a different country than the bank, it could indicate card not present fraud using a stolen card or account number. The BIN can also identify the account number as a prepaid debit card. Prepaid debit cards are harder to track and identify the cardholder, and could indicate fraud. Prepaid debit cards are also often used in affiliate fraud and they will hold enough funds to pay for the smaller initial set up fee or trial offer of a product, but not enough to pay for the membership or subscription, resulting in a decline on the first recurring billing charge.
IP Address Verification
Geo-IP Address matching allows the merchant to determine whether the Internet Protocol Address (IP) of the computer from which the order was placed matches the billing and shipping address of the credit card or account number. IP addresses that do not match the billing and shipping addresses or that are located in different countries than the billing and shipping addresses could indicate fraudulent card not present activity.
Open Proxy and Anonymous IP Addresses
Anonymous open proxy IP addresses allow a buyer to conceal their identity or use another computer for an online transaction and hide their identity and location. The use of an Open Proxy could indicate organized fraudulent activity or the use of a zombie computer to commit fraud. Open Proxy IP addresses are widely used in affiliate fraud and allow buyers to place orders anonymously.
Avoid Free Email Addresses
Free web-based email services like Hotmail, Yahoo, and Gmail are untraceable and ideally suited for committing card not present fraud. Consider requiring buyers to provide a valid Internet Service Provider (ISP) email address that can be traced to the end user in the event of fraud.
Avoid Pre-Paid or Mobile Phones
Pre-paid and mobile phones, like free web-based email, are difficult to trace. Prepaid plans require no user registration to activate the service. The use of a prepaid or mobile phone could indicate card not present fraud. Consider requiring the customer to provide a landline phone number for verification of the order.
CVV2 / CSC
Failure to enter the correct Card Verification Value (CVV2) or Card Verification Code (CVC) should trigger an automatic decline of the sale. The CVV2 / CSC are the 3 or 4 digit number appearing on the back of the card or on the front of the card after the card number. It is used in card not present transactions to validate that the actual credit card is present and not just the credit card number. Incorrect CVV2 / CSC information is a leading indicator of card not present fraud. Lack of the correct CVV2 / CSC indicates that the card is not in the possession of the buyer and therefore it’s possible the sale is unauthorized.
3-D Secure Payer Authentication
If a merchant has implemented Verified by Visa and Mastercard Securecode 3-D Secure payer authentication, and a transaction by a cardholder enrolled in the program fails authentication, then the sale should be declined. When an enrolled card fails authentication, it means that the buyer has failed to provide the correct password for the card. This indicates that the card is not in the possession of the cardholder and therefore it’s possible the sale is unauthorized. Failure of 3-D Secure payer authentication is an indicator of card not present fraud.