EMV credit cards help make retail shopping more secure. Each card comes with an embedded chip that assigns a unique transaction ID to every purchase. Customers must also either sign their name or enter a personal identification number (PIN) to authorize each transaction. However, these extra security features aren't really applicable when shopping online.
With most e-purchases, anonymous customers simply provide the following information:
- 16-digit credit card number
- 4-digit expiration date
- 3-digit CVV2 or CVC2 code

This makes it easy for fraudsters to place fraudulent transactions.
What Can These Merchants Do?
To protect themselves, merchants can choose to enhance their verification process by requiring the cardholder to enter additional information, such as their billing address (AVS), zip code and phone number. Additionally, they can come up with a plan for how to identify post-EMV online fraud. Here is an example of points merchants could put in their plan:
1. Manually review suspect orders with:
   - Mismatched billing and shipping addresses. Use free tools like Google Earth to verify the customer’s shipping address.
   - Order amounts greater than your customer’s average order amount (e.g. $100).
   - Shipping addresses beyond your normal geographic reach. If you normally ship orders within 25 miles of your primary location, you may want to review orders being shipped beyond 25 miles.
   - Small ticket amounts (e.g. $25) with expedited shipping requests.
2. When a possibly fraudulent transaction is detected, report the order to the store owner.
In addition, your merchant's plan should include security basics to help limit the risk of a breach, such as:
- Don’t surf the web on the same machine used to access your administration and payment processor.
- Always use complex passwords and update them on a regular basis.
- Ensure that every machine on the network is properly equipped with up-to-date antivirus software.
Encourage your merchant to create a plan that fits their business and go over it with their employees a couple of times a year. This plan should be a living document: as you find new fraud attempts, add new instructions to the document. Use this time to also ensure that your customer-facing policies (shipping and terms of service) match your internal policies and are kept up to date.
While Address Verification on its own might not be the best method to detect fraud, it can still help as part of a layered fraud strategy. To get the best card-not-present interchange rates, merchants should at least be sending the "bill to" zip code. The issuing bank will send back the appropriate AVS and CVV response, but it is ultimately up to the merchant to decide when to fail a transaction. Keep in mind that a CVV mismatch response means the cardholder did not have possession of the card at the time of the purchase. These orders should always be viewed as suspect and manually reviewed.
There is a trade-off when it comes to address verification settings and fraud: strict settings might reduce overall fraud, but could also reduce legitimate orders. Relaxed settings might not reduce fraud but will allow for legitimate orders to succeed.
It is recommended that merchants fail mismatched billing zip and mismatched CVV orders every time.
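The manual-review points and the fail rule above can be combined into one order-screening function. This is an added example, not code from the original article; the `Order` fields, the `screen` function, the single-letter AVS/CVV response codes and the use of coordinates for distance are assumptions, the thresholds reuse the article's "e.g." values, and the sample orders are constructed.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
# Assumed gateway response codes; processors differ, so check your own documentation.
AVS_ZIP_MISMATCH = {"A", "N"}  # A: street matches but ZIP does not, N: neither matches
CVV_MISMATCH = {"N"}

@dataclass
class Order:
    amount: float
    billing_addr: str
    shipping_addr: str
    ship_latlon: tuple   # (latitude, longitude) of the shipping address
    expedited: bool
    avs_code: str
    cvv_code: str

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(h))

def screen(order, store_latlon, avg_amount=100.0, small_ticket=25.0, max_miles=25.0):
    """Return (decision, reasons); decision is "fail", "review" or "accept"."""
    hard = []
    if order.avs_code in AVS_ZIP_MISMATCH:
        hard.append("billing ZIP mismatch")
    if order.cvv_code in CVV_MISMATCH:
        hard.append("CVV mismatch")
    if hard:  # failed every time, before any manual-review rule is considered
        return "fail", hard
    soft = []
    if order.billing_addr.casefold() != order.shipping_addr.casefold():
        soft.append("billing and shipping addresses differ")
    if order.amount > avg_amount:
        soft.append("amount above customer average")
    if miles_between(store_latlon, order.ship_latlon) > max_miles:
        soft.append("ships beyond normal reach")
    if order.amount <= small_ticket and order.expedited:
        soft.append("small ticket with expedited shipping")
    return ("review" if soft else "accept"), soft

# Constructed sample data (not real orders): a store location and three orders.
STORE = (40.0, -75.0)
ROUTINE = Order(60.0, "1 Main St", "1 main st", (40.1, -75.0), False, "Y", "M")
RUSHED = Order(20.0, "9 Oak Ave", "9 Oak Ave", (41.0, -75.0), True, "Y", "M")
BAD_CVV = Order(60.0, "1 Main St", "1 Main St", (40.1, -75.0), False, "Y", "N")

if __name__ == "__main__":
    print(*(screen(o, STORE) for o in (ROUTINE, RUSHED, BAD_CVV)), sep="\n")
```

The returned reasons can be attached to the report sent to the store owner in step 2 of the plan.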