Credit Card Fraud Detection: Tools & Resources

Credit card fraud is an umbrella term used to describe theft that involves the use of a credit, debit, or other payment card. People who engage in credit card fraud either want to steal money from the card or collect goods without legitimate payment.

It’s an unfortunate reality online business owners have to battle every single day. As long as you’re collecting payments through a debit or credit card, you’re at risk and credit card fraud detection should be a priority.

Even though most payment processors have tools in place to reduce and prevent credit card fraud, the ultimate responsibility lies with you.

This article looks at the types of credit card fraud, the implications, and credit card fraud detection strategies to keep you safe.

Types of credit card fraud

It’s important to understand the forms fraud can take before you implement a credit card fraud detection program. That way, you’ll be more likely to catch most instances because you know what you’re looking for.

There are countless variations on a few core fraud types, with more coming to light as hackers and identity thieves become more sophisticated. The FBI maintains a list of common online fraud schemes.

Application fraud

This type of fraud happens as a result of identity theft. Someone has enough information to apply for a credit card in another person’s name. It’s possible because they steal (or copy) supporting documents only you should have and use them to substantiate their claim. The main responsibility for prevention lies with the banks but no system is 100% secure.

Manual & electronic credit card imprints

This occurs when a person skims the information available on the magnetic strip of a credit card. With that information, they create a fake card which is used to perform transactions not authorized by the true owner. Fortunately, this method of credit card fraud isn’t applicable to online businesses because they don’t scan cards.

Card not present (CNP) fraud

This simply means the person using card details isn’t in physical possession of the card. For example, the account number and expiry date of the card are in possession of a third party which then uses it to perform transactions.

The card number and expiry date may also be in possession of a third party which allows them to use it online, over the phone, or via mail. They usually lack the CVV (card verification value) but since there are a limited number of combinations, they’ll guess until they find it. This fraud accounts for billions of dollars in losses every year.

[Figure: Cost of card not present fraud in billions of dollars]

Counterfeit card

This is similar to manual & electronic card imprints. There are two variations.

  1. The magnetic card details are copied and used to create a working replica.
  2. The fraudster has the card details which they use to create a fake plastic card. When they swipe the card, it won’t work but they’re able to convince the vendor it’s an error. The merchant ends up keying in the card details.

Lost & stolen cards

This is the original form of credit card fraud and the one most people are familiar with. A card is either lost or stolen and falls into the hands of criminals. They then use it to make purchases until the card holder realizes the card is missing and cancels it. 

Implications of credit card fraud

It can be tempting to say you’ll just refund fraudulent transactions. Unfortunately, credit card fraud detection is much more difficult after an order goes through. What incentive do you have to block orders that appear legitimate and actively reduce your conversion rate?

Here’s the thing. The median loss a small merchant experiences as a result of fraud is the same as the median loss a large merchant experiences. It may hurt much more for a smaller merchant. In this case, prevention is better than a cure.

There are two major implications of credit card fraud for your business.

Being dropped by your payment processor

Payment processors require merchants to stay below a certain threshold of chargebacks which is usually 1-2%. This is a requirement of their upstream partners and if they allow accounts in poor standing to continue operations, they face the risk of losing the ability to process payments.

If a merchant isn’t in line with those chargeback limits, the processor will ask the merchant to get chargebacks under control, set a time limit, and then bar the merchant from its service if the merchant is unable to comply.

It’s already hard enough to find a suitable payment processor. Losing your account because of the actions of others is never fun.

Added expense

Before you’re dropped by a payment processor, multiple chargebacks would’ve been filed. A chargeback is a demand by a credit card issuer to make good the loss on a fraudulent or unauthorized transaction.

Disputes are usually decided in favor of the customer (sometimes this is done even if you have supporting evidence). Almost all payment processors charge a fee for chargebacks against your account.

These fees add up when you’re the victim of consistent credit card fraud so it’s in your best interest to prevent them from ever happening.

Credit card fraud detection and prevention

At this point, you’re well aware of the types of credit card fraud and how they can impact your business. Let’s switch gears and focus on credit card fraud detection methods and tools which will help keep you safe.

In addition to what I’ll share here, you can find more information in the PayPal security center.

Credit card fraud detection methods and tools

There are tons of methods and tools at your disposal but we’ll focus on the most effective ones to get you started.

Postal address checks

The address verification service (AVS) can play an important role in detecting credit card fraud right at the source. It’s an automated system that compares the billing address used in a credit card transaction against the address on file at the bank.

If these addresses don’t match at all (the address on file is Chicago but they entered a New York address) then the transaction will be denied. If the addresses are similar then the bank will often approve the transaction and send a response code that tells you how close the addresses are.

In the second case, it’s up to you as a merchant to approve or deny the transaction. AVS isn’t a comprehensive fraud detection mechanism alone. It’s one part of many moving pieces.

Customer order history

This is especially relevant if you allow customers to create accounts on your website. By and large, people make similar purchases when it comes to dollar amount and where the purchases go. If someone who spends around a hundred dollars spends $500 or more, it could be cause for concern.

Conversely, if someone ships all of their orders to an address in Chicago but suddenly receives goods in Texas or Atlanta, it could be worth looking into.

Of course, they could’ve moved or decided to spend more so it’s important to reach out to them and understand what’s happening before taking decisive action. 

Require the CVV (CVV2, CVC2, CID)

This is the three (sometimes four) digit number at the back of credit and debit cards. PCI rules prevent merchants from storing the CVV, credit card number, and name together.

The only way for the fraudster to get this is to have stolen the physical card or copied the number. Most payment processors either require you to collect this information at the point of payment or allow you to collect it as an extra security measure.

Velocity checks

Many fraud attempts involve quickly trying multiple card combinations at the point of checkout to find working details. This is similar to what’s known as a brute force login attack.

You can cut down on this type of fraud by setting limits on how many times a customer can enter credit card information. If anyone exceeds the stipulated number of attempts you can throttle their access.
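A velocity check along these lines, as an added example that is not from the original article: a sliding-window limiter that throttles a client after too many card submissions, or too many distinct card numbers, within the window. The class name, limits, and key are assumptions chosen for illustration, and the card numbers used with it should be constructed test values.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed policy values (assumptions); tune against your own checkout data.
WINDOW_SECONDS = 600       # look-back window
MAX_ATTEMPTS = 5           # card submissions allowed per client per window
MAX_DISTINCT_CARDS = 3     # distinct card numbers allowed per client per window
_KEY = b"example-only-key"  # placeholder; load a real secret from configuration


def card_fingerprint(pan: str) -> str:
    """Keyed hash, so the limiter never keeps raw card numbers in memory."""
    return hmac.new(_KEY, pan.encode(), hashlib.sha256).hexdigest()


class VelocityLimiter:
    """Hypothetical helper: tracks checkout attempts per client key."""

    def __init__(self) -> None:
        # client key (IP, session, account) -> deque of (timestamp, fingerprint)
        self._attempts = defaultdict(deque)

    def check(self, client: str, pan: str, now: Optional[float] = None) -> str:
        """Record one attempt and return 'allow' or 'throttle'."""
        now = time.time() if now is None else now
        window = self._attempts[client]
        # Drop attempts that have aged out of the window.
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()
        window.append((now, card_fingerprint(pan)))
        distinct_cards = {fp for _, fp in window}
        # Many different cards from one client is the card-testing pattern;
        # many retries of one card is caught by the attempt cap.
        if len(window) > MAX_ATTEMPTS or len(distinct_cards) > MAX_DISTINCT_CARDS:
            return "throttle"
        return "allow"
```

Keying the limiter on more than one attribute (IP address and session, for example) makes it harder to sidestep by changing just one of them.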

Risk assessment

Credit card fraud detection doesn’t exist in a bubble. One factor alone may not make the transaction risky but many factors taken together may prove worrisome.

For example, someone had a partial address match using AVS, got the CVV correct, was shipping to a far-flung place, and had an IP address from a different country. Individually, these factors may not raise a red flag but taken together it seems suspicious.

You can set up custom risk-scoring rules that look at multiple inputs to calculate a score. If the score is beyond the threshold you set then the transaction is flagged for further review by you or someone on your team.
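The scoring approach described above, as an added example that is not from the original article or any payment processor: each signal carries a weight, and only the combined score sends an order to manual review. The field names, weights, and threshold are assumptions made for illustration, and the order values used with it are constructed.

```python
from dataclasses import dataclass

# Constructed weights and threshold (assumptions); tune them on your own data.
WEIGHTS = {
    "avs_partial": 25,
    "avs_unavailable": 15,
    "cvv_mismatch": 40,
    "ip_country_mismatch": 25,
    "new_shipping_region": 20,
    "amount_spike": 20,
}
REVIEW_THRESHOLD = 60


@dataclass
class Order:
    avs: str                  # "full", "partial" or "unavailable"
    cvv_ok: bool
    billing_country: str
    ip_country: str
    ship_region: str
    past_ship_regions: tuple  # regions this customer has shipped to before
    amount: float
    typical_amount: float     # e.g. median of the customer's past orders


def triggered_rules(o: Order) -> list:
    """Return the names of every rule this order trips."""
    rules = []
    if o.avs == "partial":
        rules.append("avs_partial")
    elif o.avs == "unavailable":
        rules.append("avs_unavailable")
    if not o.cvv_ok:
        rules.append("cvv_mismatch")
    if o.ip_country != o.billing_country:
        rules.append("ip_country_mismatch")
    if o.past_ship_regions and o.ship_region not in o.past_ship_regions:
        rules.append("new_shipping_region")
    # Mirrors the order-history example: a ~$100 customer spending $500 or more.
    if o.typical_amount and o.amount >= 5 * o.typical_amount:
        rules.append("amount_spike")
    return rules


def assess(o: Order) -> tuple:
    """Return (score, decision, rules); decision is 'review' or 'accept'."""
    rules = triggered_rules(o)
    score = sum(WEIGHTS[r] for r in rules)
    return score, ("review" if score >= REVIEW_THRESHOLD else "accept"), rules
```

Returning the list of triggered rules alongside the score lets the reviewer see why an order was flagged, which also helps when tuning weights that flag too many legitimate customers.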

Familiarize yourself with tools from your payment processor

Any payment processor worth your business has built-in tools for fraud detection. For example, Stripe has Radar and Authorize.net has customizable filters.

Fraud detection works a bit differently with each one but all of them are effective at what they do.

It’s up to you to familiarize yourself with them and implement them in your business. If you do, they can have a marked impact on fraud reduction in your business.

If they’re left alone then the larger your business grows the more fraud will be committed. That’s not why you built your company.

Conclusion

Credit card fraud detection isn’t something any of us can afford to play with. The costs and implications are too real.

The best option is to choose solutions with built-in security features which allow you to customize what constitutes a red flag.

There’s a fine line to walk here.

If your rules are too strict then many legitimate transactions will be flagged and customers will leave as a result. If your rules are too lax then fraudsters will be able to pierce your firewalls.

With that in mind, continually review your data and stay up on best practices to protect you and your business. In this instance, the best defense is a good offence.

Let me know how you go about credit card fraud detection in the comments and don’t forget to share.