One Way to Fight Credit Card Fraud

Last week I wrote about our troubles as a small business with credit card fraud. Thanks to everyone who wrote in and responded with comments. In particular, thanks to John Small who elaborated on the ClickZ Forum about how most merchant account providers (including our lame one, Card Service International) don’t do things that they should, especially with credit cards drawn on international banks.

At the Economic Crime Summit last May in Austin, Texas, it was announced that Visa would penalize businesses $100 for each instance if their chargebacks on international orders exceed 5 percent in a month.

For those who don’t know, a chargeback is a charge that is reversed because a customer contests it – usually because someone stole the card number. Chargebacks are calculated as a percentage of transaction volume in a month. So, for example, if $20,000 goes through your merchant account in one month, and $200 gets charged back against your account, you’ve got a 1 percent chargeback rate.

So Visa is fining us $100 on top of whatever the chargeback amount was. If you are selling a $10 item, you could be in serious trouble.

You gotta love the huevos on Visa. The company enables the fraud to occur by building such a lax system, and we merchants pay for it.

Most of our chargebacks come from international orders. Every order we’ve ever gotten from Malaysia has been a chargeback. So it got me thinking that it might make sense not to do business with anyone coming (or appearing to come) from Malaysia anymore.

(I know that sounds harsh, telling a whole country, in effect, “Sorry, we don’t want your business.” In the real world, if you were to put a sign in your window saying, “No Malaysians,” you’d get into all sorts of trouble – and understandably so.)

So the way I decided to block orders coming from a Malaysian IP was to add a “deny from” command to our .htaccess file.

I talked about the .htaccess file a while back when I wrote about creating redirects on your site. Here is a quick recap of that.

Your .htaccess file (note the period in front of the “h”) is a text file in your root directory (the directory where your index.html file is). If it isn’t there, you can easily make one. Your .htaccess file basically tells the server: “Hey, server. If a page request comes in that looks like this, do this instead.”

OK, this next part is very important, so read it twice: Do not edit your .htaccess file with anything other than a text editor. Let me write that again: DO NOT edit your .htaccess file with anything other than a text editor.

The reason is that the “do this if the page request looks like this” command needs to be on a single line. The downside of word processors is they like to put line breaks in lines of text that they think are too long. Text editors, on the contrary, don’t. If you upload a .htaccess file that has line breaks within a command line, you’ll totally screw your web server to the point where it will crash.

So now that we have that out of the way, here’s how to add a command to your .htaccess file to deny access to specific IP addresses.

Put this at the top of your .htaccess file:

order allow,deny
allow from all

And you can add as many “deny from” statements as you want. Just be sure you start each one with “deny from” and have only one IP address (or domain name) per line.

You can also do it with partial IP addresses and partial domains. This is how you block whole countries. For example, our friends in Malaysia have IP addresses that start with “161.142”, so I just put that in and any IP address starting with that number is blocked.
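Here are the directives described above put together as a complete block. This is an added example, not part of the original column. It goes one step beyond the text by also showing the equivalent for Apache 2.4, where the Order/Allow/Deny directives were replaced by Require. The `<IfModule>` wrappers, which pick the right form for the server version, are an assumption of this example.

```apache
# Constructed example: block the article's 161.142 prefix from .htaccess.

# Apache 2.4 and later (mod_authz_core is present): use Require.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        # A partial address is matched on whole octets, so this covers
        # 161.142.0.0 through 161.142.255.255 (161.142.0.0/16).
        Require not ip 161.142
    </RequireAll>
</IfModule>

# Apache 2.2 and earlier: the Order/Allow/Deny form used in the article.
<IfModule !mod_authz_core.c>
    # "allow,deny": Allow rules are evaluated first, then Deny rules.
    # A request that matches both is denied, so the Deny line below
    # overrides "Allow from all" for the listed prefix.
    Order allow,deny
    Allow from all
    # One address, partial address or domain name per Deny line.
    Deny from 161.142
</IfModule>
```

A visitor whose address matches gets a 403 Forbidden response. The host must permit these directives in .htaccess through AllowOverride (Limit for the 2.2 form, AuthConfig for Require).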

There are two caveats to this method.

Caveat one is that a smart hacker can fake an IP address (called IP address spoofing). But it is my opinion that most of this type of fraud is committed by not-so-smart hackers whose skills are not up to IP address spoofing.

Caveat two is that IP addresses aren’t issued in any pattern. And they are recycled. So I can’t say for certain I’ve shut out the whole country of Malaysia from my site. But I have made it a little more difficult for someone coming from an IP address starting with 161.142 to steal from me.

Oh, there is a third caveat: By blocking out some bad guys, I’ve also blocked out some good. But the ratio of fraudulent purchases to legitimate purchases has been such that it made business sense for us to do it. Maybe it doesn’t in your case. Each business needs to decide for itself.
