Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud & Risk

Produced by Chris West, CDGcommerce

Proven Methods for Reducing Online Fraud & Risk – Increase your sales without increasing your risk!

Uploaded by cdgcommerce on 14-May-2015


DESCRIPTION

Presentation by Chris West, CDGcommerce owner. In this presentation Chris explains how to better protect your business against fraudulent transactions using AVS scrubbing, VbV/MSC and several other tools provided by CDGcommerce. www.cdgcommerce.com

TRANSCRIPT

Page 1: Merchant Account Tips: Proven Methods for Reducing Online Credit Card Fraud & Risk

Produced by Chris West, CDGcommerce

Proven Methods for Reducing Online Fraud & Risk

Increase your sales without increasing your risk!

Page 2: The Goal of this Presentation

We all want more sales. We all want less fraud.

The question quickly becomes – how do we reach that “optimal” point of maximizing our sales while minimizing the amount of fraud losses that we encounter?

The goal of this presentation is to help you answer exactly that question for your business using an analysis of the tools that can help you and real life examples from our industry.

There are no “perfect solutions” or “silver bullets” – but by intelligently combining a variety of techniques, you can truly get the best of both worlds.

Page 3: Fraud: How & Why They Do It

Common Methods of Compromise
• Physical Card Skimming – as much as 40% by some estimates
• “Phishing” E-mails & Attacks – we have all seen many of these
• Security Breaches
– External Attacks (Packet Sniffing, Direct Hacking, etc.)
– Internal Attacks (“Inside Jobs” from Disgruntled Employees, etc.)
• The “Secondary Market” of Card Sharing Forums/Chats
• Card Testing Attacks – to determine which cards are still valid

Common Motivations Behind Fraud
• Selling the card data to other Fraudsters for Profit (now a $1B industry)
• Steal Easy-to-Resell Products
• “Steal & Spam” (host hopping for bulk e-mail campaigns)
• “Because I can” (ego motivated)

Page 4: The Risk Management Toolkit

• AVS

• CVV

• IP/GEO/BIN

• Cardholder Authentication (VbV/MSC)

• Phone Verifications

• Manual Order Reviews

• Chargebacks & Representments

• PCI Compliance & Data Security

Page 5: AVS - Address Verification Service

How It Works
• Provides a Match or Non-Match result for only the Billing Street # and Billing Zip Code, not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be.) The issuer reports the street-number and zip-code results separately, so an authorization can come back as a full match, a partial match (one of the two), a non-match, or an “unavailable/not supported” result.

Implementation
• Available on any Internet merchant account and virtually any Payment Gateway
• Most gateways provide an AVS configuration area where you can specify whether you want to automatically “decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match

Benefits
• Easy to implement

Limitations
• Works only for U.S., Canadian and U.K. cardholders, so this does not help you scrub most international transactions.
• A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases – will also contain the necessary information to produce a valid AVS match result.

Recommendation
• If you handle a mix of int’l and U.S. sales, you will want to consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions: the issuer returns an “unavailable” result rather than a match, so an auto-decline rule keyed on anything other than a full match will reject every one of them. AVS should not be considered a primary means of verifying the validity of a transaction.

PORTFOLIO METRIC: nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS results. However, 50% of our portfolio CB’s still have FULL AVS match results.

Page 6: CVV – Card Verification Value

How It Works
• A service with many names – CVV2, CVC2, CID – but the premise is the same for all
• Provides a Match or Non-Match result for the 3-digit code (4-digit for American Express) printed – not embossed – on the card: on the signature panel on the back, or on the front for American Express. This code is NOT encoded on the magnetic stripe (the stripe carries a different value, CVV1/CVC1) and therefore is less likely to be captured as part of a card skimming tactic.

Implementation
• Available on any Internet merchant account and virtually any Payment Gateway
• Most gateways provide a CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do not settle) an authorization that has a CVV non-match or non-entry

Benefits
• Works for virtually ALL cardholder accounts – both U.S. and international
• There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching number for this.
• Merchants are not allowed to store the CVV after authorization (PCI DSS), and as such the CVV # is less vulnerable than the data used for AVS.

Limitations
• CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation
• CVV is a recommended service to utilize for ALL initial transactions processed.

PORTFOLIO METRIC: based on our internal chargeback analysis, merchants can reduce their fraud rates by as much as 70% by simply requiring a matching CVV result.
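To make the AVS rules on page 5 and the CVV rules on page 6 concrete, here is an added example (not CDGcommerce or any gateway’s code) of the decision a gateway’s AVS/CVV configuration screen encodes. The one-letter AVS and CVV result codes are the ones most U.S. gateways return, but treat that table as an assumption and check your own gateway’s documentation; the `scrub`, `avs_fields`, `AuthResult` and `Action` names are mine. It also shows why the page 5 warning matters: applying a strict AVS rule to issuers outside the U.S./Canada/U.K. turns every one of their “unavailable” results into a decline.

```python
"""AVS + CVV scrubbing policy of the kind a gateway's configuration screen lets
you set.  Added example, not CDGcommerce or any gateway's code.  The one-letter
AVS/CVV result codes follow the convention most U.S. gateways use, but the exact
table is an assumption: check your own gateway's documentation."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple

# AVS result codes (assumed common gateway table).
AVS_FULL_MATCH = {"Y", "X", "D", "M"}             # street number AND ZIP match
AVS_PARTIAL = {"A", "W", "Z", "P"}                # only one of the two matches
AVS_NO_MATCH = {"N"}                              # neither matches
AVS_UNAVAILABLE = {"U", "R", "S", "E", "G", "I"}  # not checked / unsupported issuer

# Issuer countries for which AVS returns a real result (page 5: U.S., Canada, U.K.).
AVS_COUNTRIES: Set[str] = {"US", "CA", "GB"}

# CVV2/CVC2/CID result codes (assumed common gateway table).
CVV_MATCH = {"M"}
CVV_NO_MATCH = {"N"}
CVV_NOT_PROCESSED = {"P", "S", "U", "X"}          # not checked, not indicated, issuer not certified


class Action(Enum):
    SETTLE = "settle"   # capture the authorization
    VOID = "void"       # "decline": do not settle, release the hold
    REVIEW = "review"   # hold for manual review or extra verification


@dataclass(frozen=True)
class AuthResult:
    card_country: str               # issuing-bank country (from the BIN)
    avs_code: Optional[str]         # None when AVS was not requested
    cvv_code: Optional[str]         # None when no CVV was submitted
    recurring: bool = False         # later billing of a stored card: no CVV is possible


def avs_fields(street: str, postal: str) -> Tuple[str, str]:
    """The only two things AVS compares: the leading digits of the street line
    and the digits of the postal code.  '1234 Test Street' and '1234 Wrong Way'
    both reduce to ('1234', ...)."""
    number = ""
    for ch in street.strip():
        if not ch.isdigit():
            break
        number += ch
    return number, "".join(c for c in postal if c.isdigit())


def scrub(auth: AuthResult, *, avs_scope: Optional[Set[str]] = AVS_COUNTRIES,
          strict_avs: bool = False) -> Action:
    """Decide what to do with an authorization.

    avs_scope  - issuer countries whose AVS result is acted on; None means all
                 (the mistake page 5 warns about: every foreign order then fails).
    strict_avs - void anything short of a full AVS match instead of reviewing it.
    """
    # CVV: required on every initial transaction (page 6).  Recurring charges
    # carry none because PCI DSS forbids storing it after authorization.
    if not auth.recurring:
        if auth.cvv_code in CVV_NO_MATCH:
            return Action.VOID
        if auth.cvv_code is None or auth.cvv_code in CVV_NOT_PROCESSED:
            return Action.REVIEW

    # AVS: only meaningful inside avs_scope; elsewhere the issuer returns an
    # "unavailable" code, which a strict rule would turn into a decline.
    if auth.avs_code is not None and (avs_scope is None or auth.card_country in avs_scope):
        if auth.avs_code in AVS_FULL_MATCH:
            return Action.SETTLE
        if strict_avs or auth.avs_code in AVS_NO_MATCH:
            return Action.VOID
        return Action.REVIEW        # partial match or unavailable

    return Action.SETTLE
```

Note that a German-issued card with CVV match and AVS code “G” settles under the default scope but is voided the moment the same strict rule is applied to all countries, which is exactly the “they will always fail” case from the recommendation above.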

Page 7: IP/GEO/BIN Scrubbing

How It Works
• Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
• Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer is using a U.S.-issued credit card but they are in Europe?)
• Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction

Implementation
• Custom direct integration into a service such as MaxMind.com
• Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart, ASPDotNetStorefront.
• Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.
• Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits
• Fast, Cost Effective and Non-Intrusive
• Provides merchants with an excellent “do the pieces fit consistently?” analysis
• Can block up to 89% of all fraud if properly implemented

Limitations
• Generally not reliable for AOL users due to the way that AOL routes its traffic through its own proxies, so the IP seen by the merchant says little about where the user actually is (AOL users require a merchant-specific approach)
• Proxy databases are always in a real-time process of being updated as new proxies open up, so a clean proxy score is never proof that no proxy is in use

Recommendation
• IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” for more intensive scrubbing vs. being an outright decline.

Page 8: IP/GEO/BIN Scrubbing

INSIDER INSIGHT:

Since 2002, MaxMind.com has provided geo-location and online fraud detection tools. Over 6,000 e-commerce businesses currently benefit from MaxMind and clients include About.com, AT&T, Dupont, Earthlink, eBay, IBM, Lexis Nexis, Lycos, Match.com, Morgan Stanley, Orbitz, Red Hat, Reed Elsevier, Sony, Walgreens, Wal-Mart, Warner Brothers, WebEx and Yahoo!.

MaxMind’s minFraud service – which has screened over 100,000,000 transactions - combines IP Address Reputation with a Collaboration Network of more than 10,000 merchants to piece together the most relevant risk indicators that are the consistent earmarks of a fraudulent transaction.

Page 9: IP/GEO/BIN Scrubbing

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS:
Free E-mail Address: is the user ordering from a free e-mail address?
Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
BIN Country Match: does the BIN # from the card match the country the user states they are in?
BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS:
Country Match: does the country that the user is ordering from match where they state they are ordering from?
High Risk Country: is the user ordering from one of the designated high risk countries?
Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
Ship Forwarding Address: is the user specifying a known drop-shipping / freight-forwarding address?

Now let’s take a look at some interesting stats on the above…

Page 10: IP/GEO/BIN Scrubbing

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an ongoing battle as new ones pop up and may remain undetected for some time.

26% of orders placed from open proxies on the MaxMind minFraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from an open/anonymous proxy.

Page 11: IP/GEO/BIN Scrubbing

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specifically Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam.

32% of orders placed through the MaxMind minFraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Page 12: IP/GEO/BIN Scrubbing

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country.

21% of orders placed with a country mismatch on the MaxMind minFraud service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.
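The checks on pages 9 through 12 can be wired into one “do the pieces fit?” test. What follows is an added example, not MaxMind’s minFraud or CDGcommerce code: the `Order` fields, the `evaluate` function, the free-mail domain list, the sample carder e-mail, the forwarding address and the four-entry area-code table are constructed stand-ins for a real reputation database, and the proxy threshold of 3.00 is borrowed from the Hostgator process later in this deck. Only the high-risk country list comes from page 11. Following page 7, a red alert routes the order to extra verification rather than to an outright decline.

```python
"""IP/GEO/BIN consistency checks that turn an order into yellow/red alerts and
a disposition.  Added example, not minFraud or CDGcommerce code.  Reputation
data (free-mail domains, carder e-mails, forwarding addresses, area-code table)
are constructed stand-ins for a real service; the high-risk country list is
the one on page 11."""
from dataclasses import dataclass
from typing import List, Tuple

HIGH_RISK_COUNTRIES = {"EG", "GH", "ID", "LB", "MK", "MA", "NG",
                       "PK", "RO", "RS", "ME", "UA", "VN"}

# Constructed stand-ins for a shared reputation network.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
KNOWN_CARDER_EMAILS = {"carder123@example.net"}
KNOWN_FORWARDING_ADDRESSES = {("1 FREIGHT FORWARDER WAY", "33166")}
AREA_CODE_STATE = {"415": "CA", "212": "NY", "305": "FL", "713": "TX"}  # tiny sample of a NANPA table


@dataclass(frozen=True)
class Order:
    ip_country: str          # from IP geolocation
    billing_country: str     # what the customer stated
    bin_country: str         # issuer country from the first six digits of the card
    email: str
    proxy_score: float       # 0.0 (clean) .. 10.0 (near-certain anonymous proxy)
    ship_address: str = ""
    ship_postal: str = ""
    phone_area_code: str = ""   # U.S. only
    billing_state: str = ""     # U.S. only


def evaluate(order: Order, proxy_threshold: float = 3.0) -> Tuple[str, List[str], List[str]]:
    """Return (disposition, yellow_alerts, red_alerts)."""
    yellow: List[str] = []
    red: List[str] = []

    # Yellow alerts: inconsistencies worth a second look.
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        yellow.append("free e-mail address")
    if (order.billing_country == "US" and order.phone_area_code in AREA_CODE_STATE
            and AREA_CODE_STATE[order.phone_area_code] != order.billing_state):
        yellow.append("phone area code does not match billing state")
    if order.bin_country != order.billing_country:
        yellow.append(f"card issued in {order.bin_country}, customer says {order.billing_country}")

    # Red alerts: the pieces do not fit.
    if order.ip_country != order.billing_country:
        red.append(f"ordering from {order.ip_country}, billing country {order.billing_country}")
    if order.ip_country in HIGH_RISK_COUNTRIES:
        red.append(f"high-risk country {order.ip_country}")
    if order.proxy_score >= proxy_threshold:
        red.append(f"anonymous proxy (score {order.proxy_score:.2f})")
    if order.email.lower() in KNOWN_CARDER_EMAILS:
        red.append("e-mail address previously used for fraud")
    if (order.ship_address.upper(), order.ship_postal) in KNOWN_FORWARDING_ADDRESSES:
        red.append("known ship-forwarding address")

    # Page 7's recommendation: a red score routes to extra verification
    # (phone call, documents), not to an outright decline; yellow alone goes
    # to ordinary review.
    if red:
        disposition = "verify"
    elif yellow:
        disposition = "review"
    else:
        disposition = "accept"
    return disposition, yellow, red
```

The alert strings are returned rather than logged so that the manual reviewer (page 28) sees the same reasons the rule engine saw; an order from Romania with a U.S. billing address, a Gmail account, a 4.5 proxy score and a known forwarding address collects four red alerts and two yellow ones.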

Page 13: IP/GEO/BIN Scrubbing

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, MeccaHosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting at least 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for small and medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced by over 96% from more than $10,000 per month to less than $500 per month. At this point, most chargebacks are general order disputes as opposed to fraud.

Page 14: Cardholder Authentication

How It Works
• Verified by Visa (VbV) / MasterCard SecureCode (MSC) is a fraud protection tool provided by Visa and MasterCard (both built on the 3-D Secure protocol) whereby cardholders can specify a secret password, known only to them and their issuing bank, to use as an added authentication factor.
• VbV & MSC protect both cardholders & merchants against unauthorized use of the card. Liability shifts from the acquiring bank (and merchant) to the issuing bank on an authenticated transaction.
• Think of VbV/MSC as an “insurance policy against fraudulent transactions” – it helps out a lot but there are always certain limitations

Implementation
• Utilize a Shopping Cart/Billing System that has a VbV/MSC module already integrated such as X-Cart, LiteCommerce, Cart32, ASPDotNetStorefront, Lagarde, PinnacleCart, Miva Merchant or a solution with available modules such as osCommerce or ZenCart.
• Utilize a Payment Gateway that has built-in support for VbV/MSC such as the Quantum Payment Gateway, Authorize.Net and others
• Custom direct integration into CardinalCommerce.com
• Additional fees apply with most gateways & merchant processors – ranging from FREE to several hundred dollars in setup fees, $10-50 per month, $0.15-0.25 per transaction, depending on who the service is acquired through.

Benefits
• Actually blocks chargebacks (and chargeback fees!) for covered Reason Codes from reaching the merchant
• Provides liability protection for both enrolled & non-enrolled cardholders
• Virtually impossible to get a false decline
• Provides a substantially enhanced chargeback representment case even when Chargeback Block coverage does not exist

Limitations
• Certain limitations to coverage exist – please see the Coverage Matrix on the next page
• Chargeback blocking is only available on an initial transaction – not a subsequent Recurring Transaction

Recommendation
• VbV/MSC should be used for ALL initial transactions for merchants with Large Tickets or a High Risk Profile.
• VbV/MSC should be strongly considered for use with all other merchant types as well due to its substantial benefits.

Page 15: Cardholder Authentication

INSIDER INSIGHT:

Cardinal Commerce is the leading provider of cardholder authentication (Verified by Visa / MasterCard SecureCode) and provides authentication services to more than 30,000 merchants worldwide with more than $100 billion worth of authenticated transactions processed since its inception.

In 2007, VbV/MSC was the most sought after fraud tool by major merchants. VbV/MSC is the only technology sponsored by the Card Associations which truly helps to level the playing field between the Issuing & Acquiring side with E-Commerce transactions.

Page 16: Cardholder Authentication

When you use VbV/MSC, you are in very good company…

Page 17: Cardholder Authentication

Results that speak for themselves:

Geeks.com:

Chris Beatty, Customer Service and Order Processing Manager of Geeks.com comments, “We have been able to approve more orders, faster. We spend less time reviewing orders protected by Verified by Visa, but still maintain our confidence in the validity of the order.” “Overall, we consider using Verified by Visa and MasterCard SecureCode an eCommerce industry best practice that can decrease chargebacks and increase consumer confidence,” comments Chris Herzog, Geeks.com, VP of eCommerce Development.

TigerDirect:

“We now have the ability to reduce our processing rates, make fraud significantly easier to identify and ultimately reduce fraud by utilizing Verified by Visa and MasterCard SecureCode,” said Joe Dunne, Executive Vice President for TigerDirect. “On top of it all, we were able to re-deploy staff and turn eCommerce order reviewers into eCommerce order takers, how much better can it get?”

Crucial Technology:

“Since our implementation of Verified by Visa and MasterCard SecureCode, we have seen significant reduction in chargebacks,” said Shane Baker, Global Credit Manager for Crucial Technology. “We also feel our participation in leading-edge fraud prevention programs acts as a deterrent to potential fraudsters.”

PORTFOLIO METRIC: nearly 60% of the Chargeback Reason Codes from our Internet merchant portfolio are covered by VbV/MSC.

Page 18: Cardholder Authentication

Why these clients have all used VbV/MSC:

Transaction liability
• Card-not-present, no guarantees

Chargebacks
• Acquirer fines
• Lost merchandise

Extensive Fraud Screening
• Manual Review and 3rd party services
• False positives – turning away good customers
• False negatives – accepting fraud

Low Conversion Rates
• Insulted customers can’t pay the way they want
• Insulted customers turned away as too risky
• Lost ‘repeat business’ compounds impact

International Orders – added risk but also added market opportunity
• Bill To/Ship To does not match
• No AVS available (as mentioned earlier)

Page 19: Cardholder Authentication

Verified by Visa Benefits / Coverage Specifics:
• Fraudulent Chargeback Blocking on all U.S. consumer Visa transactions regardless of cardholder enrollment
• There is NO automatic Chargeback Blocking with international, corporate or prepaid gift cards
• Fraud Liability Shifted to Card Issuer
• Accept International Orders with Protection – programs extend Worldwide
• Dramatically Lower Manual Review
• Current Enrollment – over 380,000,000 cards enrolled in VbV to date
• Increase Conversion – consumers feel safer shopping on your site and in turn, spend more

Page 20: Cardholder Authentication

MasterCard SecureCode Coverage Specifics:
• Chargeback Blocking on interregional and intraregional transactions (non-U.S.) regardless of cardholder enrollment
• There is NO automatic Chargeback Blocking for U.S. transactions
• MasterCard offers chargeback representment rights for US to US authenticated transactions
– If a chargeback is issued for reason codes 37, 63 or 49, the merchant may represent the transaction to have it reversed
– When a consumer enters a PIN at checkout, ECI (Electronic Commerce Indicator) and CAVV (Cardholder Authentication Verification Value) data will be attached to that transaction, thus ‘securing’ that order
• Fraud Liability Shifted to Card Issuer
• Accept International Orders with Protection (see next slide)
• Dramatically Lower Manual Review
• Enrollment – MSC is currently enabled on 250,000 web sites and runs on 20% of all e-commerce transactions globally
• Increase Conversion – consumers feel safer shopping on your site and in turn, spend more

Page 21: Cardholder Authentication

Covered Chargeback Reason Codes:

Verified by Visa
23: Invalid T&E
83: Fraudulent MOTO/Ecommerce
75: Cardholder does not recognize

MasterCard SecureCode
37: Non Cardholder Authorization
63: Cardholder Does Not Recognize
49: Questionable Merchant Activity

Here’s an easy way to know if VbV/MSC would help you – look at the CB Reason Code on the CB’s that you have already received!

Page 22: Cardholder Authentication

Non-Enrolled Authentication Experience

There is no change in the user checkout process

Page 23: Cardholder Authentication

Pre-Enrolled Authentication Experience

Presented to cardholders after suggested enrollment advertising from issuer

Enrollment Is Optional

Page 24: Cardholder Authentication

Enrolled Authentication Experience

Secure inline frame prompt from issuer – for cardholders who already voluntarily enrolled

Page 25: Phone Verification Calls

How It Works
• Phone verification calls can be done manually by employees OR through an automated system that provides the online purchaser with a special PIN # or keyword and then calls them on the phone and asks them to enter the information. The latter can be done 24 x 7 x 365 without any actual employees present.
• By calling the customer at their specified phone #, it is possible to verify that the number itself is valid and that the customer actually is present. With a stolen card or fraudulent purchase, it is very unlikely that you will ever reach a live human being.

Implementation
• Use an existing 3rd party service such as TeleSign.com, Varilogix.com, DialVerify
• Build your own VOIP system to make automated phone calls to customers

Benefits
• Reliable method for validating “proof of life” on the part of a remote purchaser.
• Automated implementations can save employee time & cost.
• You can use the phone call as a dual “verification plus welcome” call for the customer.

Limitations
• Additional fees apply when using an automated solution – the cost can be a per-minute fee based on the destination phone # or a flat monthly fee which includes a specific number of calls with overage costs for calls above and beyond that.
• For international sales, there can be a language barrier issue and/or telecom connection problems under certain circumstances.
• By using VOIP lines or prepaid wireless, a savvy fraudster can still get past this method of fraud scrubbing, although this is still the exception to the rule – most still do not want any phone # that can directly reach them if they can avoid it. (In addition, some systems can determine whether the # being called is a VOIP or pre-paid phone, etc.)

Recommendation
• Phone Verification calls should be implemented on a case by case basis depending on the merchant’s risk profile. For high ticket or higher risk transactions, phone verification calls should be used. The decision to use Manual Calls vs. Automated Calls depends on the frequency of calls, the order fulfillment speed needed to be competitive and staff availability.
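An added example (not TeleSign, Varilogix or DialVerify code) of the automated PIN flow described above: the purchaser is shown a one-time PIN on the order page, the system dials the billing number, and the order clears only if whoever answers keys that PIN back in. The telephony step is abstracted as a `dial` callable you supply; the PIN issuing, expiry, attempt limit, constant-time comparison and a pre-check that refuses obviously fake numbers such as “123-456-7890” are shown in full. `PhoneVerifier`, the 15-minute PIN lifetime and the 3-attempt limit are my assumptions.

```python
"""Automated phone-verification PIN flow (page 25).  Added example, not
TeleSign, Varilogix or DialVerify code.  The call itself is delegated to a
`dial` callable that returns the digits keyed by whoever answered, or None."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PIN_TTL_SECONDS = 15 * 60   # assumption: PIN valid for 15 minutes
MAX_ATTEMPTS = 3            # assumption: lock the challenge after 3 wrong entries


def normalize_phone(raw: str) -> Optional[str]:
    """Digits only; reject obviously nonsensical numbers ('123-456-7890',
    '000-000-0000') before spending money on a call."""
    digits = "".join(c for c in raw if c.isdigit())
    if len(digits) < 10 or len(set(digits)) == 1 or digits.endswith("1234567890"):
        return None
    return digits


@dataclass
class Challenge:
    phone: str
    pin: str
    issued_at: float
    attempts: int = 0


class PhoneVerifier:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._open: Dict[str, Challenge] = {}   # order_id -> challenge

    def issue(self, order_id: str, phone: str) -> Optional[str]:
        """Create the PIN to display on the order page; None if the number is unusable."""
        digits = normalize_phone(phone)
        if digits is None:
            return None
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self._open[order_id] = Challenge(digits, pin, self._clock())
        return pin

    def check(self, order_id: str, entered: Optional[str]) -> str:
        """Apply what the call collected.  entered=None means nobody answered or
        no digits were keyed.  Returns one of: verified, no-answer, wrong-pin,
        locked, expired, unknown."""
        ch = self._open.get(order_id)
        if ch is None:
            return "unknown"
        if self._clock() - ch.issued_at > PIN_TTL_SECONDS:
            del self._open[order_id]
            return "expired"
        if entered is None:
            return "no-answer"          # pend the order and retry later
        ch.attempts += 1
        if hmac.compare_digest(entered.strip(), ch.pin):
            del self._open[order_id]    # one-time use
            return "verified"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._open[order_id]
            return "locked"             # route to manual review, not a new PIN
        return "wrong-pin"

    def run_call(self, order_id: str, dial: Callable[[str], Optional[str]]) -> str:
        """Place the automated call: `dial(phone)` is the telephony hook you supply."""
        ch = self._open.get(order_id)
        if ch is None:
            return "unknown"
        return self.check(order_id, dial(ch.phone))
```

The outcomes map onto the decision table Hostgator uses later in this deck: “verified” activates the order, “no-answer” pends it, and “locked” or an unusable number sends it to manual review.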

Page 26: Phone Verification Calls

INSIDER INSIGHT:

Ace-Host is a leading Web hosting company that currently serves the needs of more than 40,000 webmasters worldwide. Jerald Darow, one of the founders, was kind enough to share his company’s internal order verification process. Many aspects of this process were developed on a trial & error basis as a result of various fraud losses early on and Jerald’s hope is that other Web hosting companies can benefit from what his organization has learned along the way.

Page 27: Phone Verification Calls

AceHost Order Review Process:

STEP ONE: INITIAL ORDER SCREENING PROCESS
• Use Varilogix + ModernBill for the initial automated phone verification process
• Use VbV/MSC for Dedicated Server Orders (which are higher tickets by nature)

STEP TWO: COMPLETE ORDER REVIEW & DECISION
• Use custom order review system – which ties into ModernBill – to review the IP/BIN/GEO results as per the screenshot and get an overall assessment of how risky the transaction appears
• Pay close attention to the Phone Area Code check against the User-entered State Address (U.S. only)
• Pay close attention to the Bank BIN-to-IP comparison to ensure that the Credit Card is from the same Country.

Page 28: Manual Order Review

How It Works
• Using the “Mark 1 Eyeball” method, you review the information on an order to make sure that it makes sense and is consistent with previous order patterns. In addition, you can cross-check WHOIS, review a customer’s Web site and take other subjective steps. A manual review also helps to flag situations such as:
• Nonsensical e-mail, phone or address information (“1234 Test Street”, “123-456-7890”, “1 Gonna Git You Drive”)
• A large ticket purchase without prior discussion that normally would entail extensive prior negotiation
• A large ticket transaction that the customer wants rushed to them regardless of the shipping cost
• Too many risk factors together (high fraud score, AVS non-match, CVV non-match, unable to reach customer, mis-matching IP/GEO/BIN scoring)

Implementation
• This process requires employee time. Employees must be tasked to review every order manually before capture/settlement OR only to review flagged orders that are considered higher risk.
• For additional verification, employees could request supporting documents such as: Copy of Credit Card, Copy of Credit Card Statement, Copy of Government-issued Photo ID, Copy of Utility Bill or Bank Statement. (Keep in mind that some of the above will be objectionable to legitimate purchasers, so there could be a trade-off in the form of lost sales. A copy of the card also brings cardholder data into your own environment, with the PCI DSS handling and retention obligations that go with it.)

Benefits
• Subjective analysis – the human brain is the best single tool for fighting fraud… as long as the benefits provided by the other tools in the toolkit are used in conjunction with it.

Limitations
• Employee time & cost are the biggest limitation for manual order reviews.

Recommendation
• Manual order review is always recommended for high ticket or high risk transactions. For other scenarios, it is a case by case analysis which is largely dependent on the merchant’s risk profile.

Page 29: Manual Order Review

INSIDER INSIGHT:

Hostgator is the world’s leading provider of reseller accounts with over 20,000 resellers and 1,000,000 websites on its shared and reseller plans. Hostgator has done an excellent job managing its online order risk throughout its incredible growth as a business and Brent Oxley, the founder & owner was kind enough to share his company’s internal method for manual order review & phone verifications.

Page 30: Manual Order Review

Hostgator Order Review Process:

STEP ONE: INITIAL ORDER SCREENING PROCESS
• Check IP/GEO fraud score and distance to billing
• Do a WHOIS search (dnsstuff.com, iptools.com)
• If PayPal, verify to make sure the name and e-mail match the info in ModernBill
• Require additional verification on any account with the following words in their domain: proxy, bank, warez, forex, torrent, paypal, lolita, hyip
• All accounts with a Proxy Score of over 3.00 must verify by sending in supporting docs.
• IRAN: no accounts can be accepted from Iran due to legal/trade restrictions.
• CHINA: payment must be made via Western Union or bank wire transfer.
• NIGERIA/SOUTH AFRICA (ZA): verification via Photo ID + Copy of Credit Card required. If paying by PayPal, the government ID must match with what we have on file
• GREAT BRITAIN: has larger distance scores so try to do a WHOIS and verify details carefully
• ROMANIA: usually has a high fraud score so check WHOIS and verify details carefully
• If in doubt, make a Phone Verification Call – verify the domain, last 4 of CC and address (see STEP TWO)

STEP TWO: CALL EVERY ACCOUNT YOU ARE ABOUT TO MARK AS “FRAUD” BEFORE DECLINING IT:
- If they answer and verify the info – activate the account!
- If they do not answer but the name on the voicemail matches, leave a message and activate
- If they do not answer and the voicemail is non-specific, leave a message and pend
- If the number is invalid, mark the account as fraud and cancel the order
- If they do not speak English, mention you will send an e-mail and notate the ticket

Page 31: Other Fraud Prevention Tools

• IP Velocity Scrubbing – recommended for all merchants to avoid card testing attacks.

• Split Charge with Customer Verification (charge one or two small random amounts and have the customer confirm them from their statement) – a great idea but not widely implemented yet.

• Stolen Card Alert Services – an interesting idea; success depends on scale.

• Credit Bureau Identity Verification – an interesting idea but one that has realized mixed success.
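An added example (not CDGcommerce or gateway code) of the IP velocity scrub recommended above, aimed at the card-testing attacks from page 3: a fraudster with a batch of stolen numbers fires small authorizations from one IP to learn which cards are still live, and the tell is many distinct cards and many declines from one address in a short window. `VelocityScrubber` and its thresholds are assumptions to tune against your own traffic; the PANs in the test are constructed, not real cards, and only a keyed hash of each number is retained.

```python
"""IP velocity scrubbing against card-testing runs (page 31).  Added example,
not CDGcommerce or gateway code; thresholds are assumptions to tune."""
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Assumption: a per-deployment secret so card tokens cannot be reversed by
# brute-forcing the (small) PAN space.  Never keep the PAN itself here.
TOKEN_KEY = b"replace-with-a-real-secret"


def card_token(pan: str) -> str:
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


class VelocityScrubber:
    """Sliding-window counters per source IP.  Call should_allow() BEFORE
    sending the authorization (every test auth costs a fee and feeds your
    decline ratio), then record() with the issuer's answer."""

    def __init__(self, window_seconds: int = 600, max_attempts: int = 6,
                 max_distinct_cards: int = 3, max_declines: int = 3):
        self.window = window_seconds
        self.max_attempts = max_attempts
        self.max_distinct_cards = max_distinct_cards
        self.max_declines = max_declines
        # ip -> (timestamp, card token, approved)
        self._events: Dict[str, Deque[Tuple[float, str, bool]]] = defaultdict(deque)

    def _window(self, ip: str, now: float) -> Deque[Tuple[float, str, bool]]:
        q = self._events[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()                 # drop events older than the window
        return q

    def should_allow(self, ip: str, pan: str, now: float) -> str:
        """'allow', 'challenge' (route to CVV/3-D Secure/manual review) or 'block'."""
        q = self._window(ip, now)
        cards = {tok for _, tok, _ in q} | {card_token(pan)}
        declines = sum(1 for _, _, ok in q if not ok)
        # Card-testing signature: the same IP cycling through cards, or
        # collecting declines, inside one window.
        if len(cards) > self.max_distinct_cards or declines > self.max_declines:
            return "block"
        # Plain hammering of one card is more often a confused customer:
        # step up verification rather than refuse outright.
        if len(q) >= self.max_attempts:
            return "challenge"
        return "allow"

    def record(self, ip: str, pan: str, now: float, approved: bool) -> None:
        """Store the authorization outcome for this IP."""
        self._window(ip, now).append((now, card_token(pan), approved))
```

Run `should_allow` in the checkout handler before the gateway call; a blocked attempt is not recorded, so the attacker’s further tries stay blocked until the window rolls over, while a customer who mistypes one card and retries it is never touched.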

Page 32: Chargebacks & Representments

• The Mechanics of a Visa/MasterCard Chargeback
A chargeback takes place when a cardholder disputes a transaction with a merchant. The cardholder must specify a reason which is then translated into one of a large list of possible “Reason Codes.” The Issuing Bank sends through the chargeback and reverses the original transaction with the Acquiring Bank. The Acquiring Bank debits the merchant for the sale amount plus a chargeback fee and notifies the merchant. It is then up to the merchant to submit a “re-presentment” of the original sale along with a rebuttal as to why the chargeback was invalid. If successful, the sales funds are once again debited from the Issuing Bank (and cardholder), transmitted to the Acquirer and deposited back to the Merchant.

• First Chargebacks
The first Chargeback initiated between a Cardholder and a Merchant is considered the “First” chargeback. This does not mean that it is the only Chargeback that can take place; however, in most cases if a merchant wins the representment/rebuttal, the case is closed. The rules that govern chargeback disputes are very extensive – they literally take up a book that is over 1.5 inches thick just for the Visa rules.

• Second Chargebacks & the Arbitration Process
Under certain circumstances, a 2nd chargeback between the same Cardholder and Merchant can be initiated by the Issuing Bank pertaining to the same transaction. Normally this is submitted under a different Reason Code. If the merchant wishes to dispute this, the process then goes to Arbitration, whereby each party states their case before a panel from Visa or MasterCard. The problem here is that there are filing fees and other costs that will be borne by the merchant if the merchant loses the case. Since these fees are often in excess of $400, the only time the risk of arbitration makes sense is when there is a very large ticket involved AND the merchant’s case is extremely solid. Most of the time, one of these two situations is not the case and so the better course of action is to pursue collection of the payment through the civil/legal side.

Page 33

Chargebacks & Representments

• Keys to Avoiding Non-Fraud Chargebacks
– Make sure that the Domain and DBA/Merchant Descriptor match closely
– Make sure that your Merchant Phone # is always kept up to date with your merchant processor
– Make sure that any customer inquiries about a transaction are responded to in a very timely manner
– Make sure that instructions for cancellation of service are clearly understood and that it is not difficult to do so
– Make sure to clearly and promptly communicate if there is ever a billing error to avoid a chargeback
– “If in doubt, refund it out” – it just isn’t worth the headache on a small ticket to argue over a TOS or AUP only to get a chargeback (CB)

• Keys for Successful Chargeback Representments
– Respond in a timely manner to any chargeback advisories that you receive
– Clearly notate if there was a positive CVV, AVS or CAVV match on the transaction
– Clearly notate if you have a faxed signature from the cardholder
– If you have correspondence from the customer or proof of delivery, include all of this information
– Remember: you will lose 100% of the chargebacks that you do not even ATTEMPT to combat!

PORTFOLIO METRIC: nearly 42% of the representments attempted by our merchants have been successful

Page 34

Chargebacks & Representments

• Chargeback Ratios & High Risk Merchant Monitoring Programs

It is up to each individual merchant processor how they want to set their acceptable chargeback thresholds for their merchants. Most merchant processors set a guideline of 1% (chargeback volume to sales volume). The actual Visa and MasterCard internal thresholds vary from 1% to 2.5%, measured either as chargeback dollar volume to sales dollar volume or as number of chargebacks to number of sales. Note that these two measurements can disagree: a single large-ticket chargeback can push the volume ratio over the line while the count ratio stays low, and a handful of small-ticket chargebacks can do the reverse. Under certain circumstances, a larger volume merchant can be placed on the Visa or MasterCard high risk merchant monitoring programs. This is NOT a happy place to be and penalty fees can quickly ramp up into the tens of thousands of dollars. This also brings additional and unwanted scrutiny upon the merchant processor with the Associations and in many cases, a merchant processor will politely (or not so politely!) request that a merchant move their processing elsewhere if this begins to happen. The best way to address this is to avoid this situation in the first place using the methods outlined in this presentation.

PORTFOLIO METRIC: the average CB ratio for our Internet merchant portfolio is only 0.003%.
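An added example, not from the CDGcommerce deck: a small monitor that computes a merchant’s chargeback ratio per calendar month both ways the slide mentions (number of chargebacks to number of sales, and chargeback dollar volume to sales dollar volume) and flags any month where either measurement exceeds a processor guideline. The ledger is constructed sample data chosen so that the two measurements disagree; the 1% threshold is the figure the slide gives for most processors, and attributing a chargeback to the month it was received is an assumption (networks and processors each define the measurement window their own way).

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger, not real merchant data: (posting date, amount in
# cents, "sale" or "chargeback"). March carries one large-ticket chargeback,
# April two small ones, to show how the two ways of measuring the ratio diverge.
def build_sample_ledger():
    ledger = []
    for i in range(200):                                      # March: 200 x $50 in sales
        ledger.append((date(2009, 3, 1 + i % 28), 5000, "sale"))
    ledger.append((date(2009, 3, 20), 90000, "chargeback"))   # one $900 chargeback
    for i in range(100):                                      # April: 100 x $50 in sales
        ledger.append((date(2009, 4, 1 + i % 28), 5000, "sale"))
    ledger.append((date(2009, 4, 5), 1000, "chargeback"))     # two $10 chargebacks
    ledger.append((date(2009, 4, 9), 1000, "chargeback"))
    return ledger

def monthly_ratios(ledger):
    """Chargeback ratio per (year, month), both as count-to-count and as
    dollar-volume-to-dollar-volume. Assumption: a chargeback is counted against
    the sales of the month in which it was received."""
    buckets = defaultdict(lambda: {"sales_n": 0, "sales_amt": 0, "cb_n": 0, "cb_amt": 0})
    for posted, amount, kind in ledger:
        b = buckets[(posted.year, posted.month)]
        if kind == "sale":
            b["sales_n"] += 1
            b["sales_amt"] += amount
        elif kind == "chargeback":
            b["cb_n"] += 1
            b["cb_amt"] += amount
        else:
            raise ValueError(f"unknown ledger entry kind: {kind}")
    ratios = {}
    for month, b in sorted(buckets.items()):
        ratios[month] = {
            "by_count": b["cb_n"] / b["sales_n"] if b["sales_n"] else 0.0,
            "by_volume": b["cb_amt"] / b["sales_amt"] if b["sales_amt"] else 0.0,
        }
    return ratios

def flag_months(ratios, threshold=0.01):
    """Months where either measurement exceeds the processor's guideline
    (1% is the figure the slide gives for most processors)."""
    flagged = {}
    for month, r in ratios.items():
        over = [name for name, value in r.items() if value > threshold]
        if over:
            flagged[month] = over
    return flagged

if __name__ == "__main__":
    ratios = monthly_ratios(build_sample_ledger())
    for month, r in ratios.items():
        print(month, {k: f"{v:.2%}" for k, v in r.items()})
    print("over threshold:", flag_months(ratios))
```

Run against the sample ledger, March is flagged on volume only (one $900 chargeback against $10,000 in sales is 9% by volume but 0.5% by count) and April on count only (two $10 chargebacks against 100 sales is 2% by count but 0.4% by volume), which is why a merchant should track both figures rather than whichever one happens to look better.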

• Disputes with Other Non-Visa/MasterCard Card Brands

Other card brands (Amex, Discover, JCB) and payment methods like PayPal have their own specific dispute policies.

Page 35

PCI DSS Compliance & Data Security

• What PCI DSS is and why it is important

PCI DSS is the Payment Card Industry Data Security Standard. It exists to provide a common set of security requirements that all market participants can agree to adhere to… instead of having to comply with varying guidelines from every different card brand and processor. Due to the amount of reputational risk and financial exposure that exists whenever there is a well publicized security breach and cardholder data is compromised, Visa and MasterCard have embarked on an extensive campaign to ensure that all participants in their networks adhere to these requirements to minimize the likelihood of future compromises. In turn, this has put pressure on Acquiring Banks to ensure that their Merchants are also PCI compliant. A good reference site to look at for the full PCI standards is at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

• The Recent Myth of “PCI Compliance Fees”

A lot of merchant processors have been using the recent buzz about PCI to leverage additional fees onto their merchant bases under the auspices of it being “required” by Visa and MasterCard. This is simply NOT the case. Most Internet merchants are Level 4 merchants and it is completely up to the Acquiring Bank what they want to require. Under almost all circumstances, a detailed internal review and a Self-Assessment Questionnaire by itself should be the only necessary action step needed by most merchants. External scanning is certainly encouraged as well and some acquiring banks may mandate this in the future for their Level 4 merchants.

• The Road Towards PCI Compliance

There is no easy or quick way to ensure PCI compliance. Working through the 12 requirements can indeed be an arduous undertaking. There are a few quick pointers that are worth sharing on this, however: (THIS IS BY NO MEANS AN EXHAUSTIVE LIST!)
– Avoid direct storage (even if encrypted) of cardholder data if possible and outsource this to a PCI-certified gateway.
– If you must store data, never store the CVV2/CVC2 (or any other sensitive authentication data, such as full magnetic-stripe track data or PINs) after authorization, under any circumstances and even encrypted. This is a major Visa/MC violation.
– If you do store data, ensure that it is encrypted and that the decryption key is not stored on the same server(s) as your data.
– If you do store data, ensure that you have a separate firewall dedicated to that database server which only allows authenticated connections from your Web server or other non-public IP’s.
– Make sure to segregate applications – one application per server. Do not have a Web server that also runs a database or a database server that also handles your e-mail.
– Make sure that 2-factor authentication is required for remote administrative access to your servers and network, and that physical access to the equipment itself is restricted and logged.
– Make sure to develop and maintain a compliant security policy manual, use strong passwords and log all activity carefully.
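The first three pointers above (don’t keep cardholder data you don’t need, never keep the CVV2, keep the key away from the data) come down to what your application writes to disk and to its logs. The following is an added example, not code from the deck or from CDGcommerce: it sanitizes a checkout record before it is stored or logged, dropping sensitive authentication data outright, replacing the full PAN with its last four digits plus a keyed token, and masking any Luhn-valid card number that slips into free text such as a log line. The field names, the HMAC-SHA256 token scheme and the way the key is supplied are assumptions for the example; the point is that the key is a parameter that must be fetched from somewhere other than the database host.

```python
import hashlib
import hmac
import re

# Fields the slide says must never be persisted after authorization:
# CVV2/CVC2 and the rest of the "sensitive authentication data" (assumed field names).
SENSITIVE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
PAN_FIELDS = {"pan", "card_number", "cc_number"}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def normalize_pan(value: str) -> str:
    """Strip the spaces and dashes people type between digit groups."""
    return re.sub(r"[ -]", "", value)

def looks_like_pan(value: str) -> bool:
    digits = normalize_pan(value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

def tokenize_pan(digits: str, token_key: bytes) -> str:
    """Keyed hash of the PAN. Without token_key the token cannot be reversed or
    even recomputed, so the key must live somewhere other than the database host
    (an HSM, a secrets service, or at minimum a separate server). This mirrors
    the slide's rule about keeping decryption keys off the data server."""
    return hmac.new(token_key, digits.encode("ascii"), hashlib.sha256).hexdigest()

def sanitize_record(record: dict, token_key: bytes) -> dict:
    """Return a copy of a checkout record that is safe to store or log."""
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_FIELDS:
            continue                                   # dropped, never written anywhere
        if name in PAN_FIELDS:
            digits = normalize_pan(str(value))
            if not looks_like_pan(digits):
                raise ValueError(f"{key}: not a valid card number")
            clean["card_last4"] = digits[-4:]          # enough for a representment
            clean["card_token"] = tokenize_pan(digits, token_key)
            continue
        clean[key] = value
    return clean

# 13-19 digits, optionally separated by spaces or dashes, starting and ending on a digit.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def scrub_text(text: str) -> str:
    """Mask Luhn-valid card numbers embedded in free text (log lines, support notes).
    Digit runs that fail Luhn, or are too short (phone numbers, order ids), are left alone."""
    def mask(match):
        digits = normalize_pan(match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(mask, text)

if __name__ == "__main__":
    # Constructed demo input. The key is hard-coded only for the demo; in
    # production it is loaded from a separate host or secrets service.
    KEY = b"example-key-loaded-from-outside-the-db"
    order = {"order_id": "A-1001", "pan": "4111 1111 1111 1111", "cvv2": "123", "exp": "12/30"}
    print(sanitize_record(order, KEY))
    print(scrub_text("auth ok for 4111-1111-1111-1111, callback 555-123-4567"))
```

Two design points worth noting. The token is an HMAC rather than a plain hash because a PAN has so little entropy (roughly 16 digits, the first six of which identify the issuer) that an unkeyed SHA-256 of it can be brute-forced from a leaked database in minutes; with the key held elsewhere, a leaked table of tokens and last-four values is useless to an attacker. And the log scrubber keys on the Luhn check rather than on “16 digits” so that it masks the card number but leaves order numbers and phone numbers readable for support staff.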

Page 36

Let’s Fight Fraud Together!

Thank you for reading…

We hope you enjoyed the presentation!

Questions? Feedback? Ideas? Tips?

E-mail: social @ cdgcommerce.com

Chris West

CDGcommerce

www.cdgcommerce.com