If you want to rip off a small online business, look no further than the credit card companies themselves. They may be the most significant force aiding and abetting criminals in history.
Here’s what I mean.
There is a new hacking tool on the scene that has the ability to rip multiple products off the virtual shelves of your online store and then proceed to the checkout with a fake card number, cardholder name, and address. It does it all in one convenient step.
What tipped us off was an order that was larger than usual. When we called the fraud unit at Visa and gave the Visa representative the “customer’s” card number, name, address, and ZIP code, nothing matched. In fact, the representative was really surprised such a transaction could go through approved.
When I called our merchant account provider, CardService International (a company we’ve had nothing but problems with, by the way), I found out it was just “sort of” approved.
It turns out all that is necessary for a charge to be approved is that there is enough money available in the account. If things like address or name or ZIP code don’t match, the charge is still approved but these discrepancies are noted in the transaction confirmation email sent out by CardService. Then it is up to the merchant to decide if it wants to take the chance and process the transaction.
Well, I looked at the confirmation email pertaining to the transaction in question and found it contained alphabet soup – a hodgepodge of codes and numbers, none of which gave any indication something was suspicious.
I pointed out to the customer service rep I was talking to that if I have to check every transaction confirmation email that comes through my system, then I’ve lost the advantage of real-time authorization. I still have to manually confirm each transaction. Furthermore, by approving the charge and just “warning” me (if you can call it that), the credit card companies have now unfairly thrown the responsibility back on my shoulders.
“It’s your own fault,” the argument goes. “We warned you.”
My guess is many small-business owners like myself have no idea that “approved” doesn’t mean everything checks out A-OK and that we’re totally responsible for the fraud committed in our stores even though we had no hand in creating the fraud-ridden system developed by the credit card companies, and they give us no tools to protect ourselves against it.
Want to know another way to beat the system? Use a card number drawn on an international bank. We know for certain Visa doesn’t care if it’s fraudulent. Here’s what happened to us.
An order came though in which the email address was a Hotmail account, the physical address was in Texas, the IP came out of Iceland, and the card was drawn on a bank in Tokyo. Obviously something was wrong here. So we called Visa. A Visa representative told us WE needed to call the bank in Tokyo and cancel the card. “But isn’t Visa worldwide?” we asked. “Yes,” the representative said, “but we don’t call international banks. You need to call.”
Yeah, right. I’m going to take the time to place an international call at my expense to a bank in a country whose language I don’t even speak to discuss a bad card number it issued. It is easier to refuse the order and ban the card number from our system. That, of course, helps us but doesn’t prevent the person from trying to use the card again somewhere else. And, in reality, it is a temporary fix for us since it is so easy to create new numbers on the fly.
So what can we as small-business owners do? In the short term, we are on our own. The best thing we can do is flag orders that:
- Are international
- Contain an email address from a free email account provider
- Are larger than an average order
- Have an IP address that is different than the physical address given in the order
In the long term, I’d like to see:
- Credit card companies get their heads out of their glutei maximi, plug the holes in their system, and start supporting merchants with real tools and support to combat fraud
- Shopping-cart developers build stronger checks into their software and allow the online store owner to customize the type of suspicious activity the cart looks for (We basically had to build this ourselves at Booklocker.com.)
I’m telling you people, rampant credit card fraud has the potential to kill e-commerce faster than anything else.
Where is Janet Reno when you need her?