Preventing fraudulent payments from being made on your e-commerce site is to some extent a game of compromise.
On the one hand, you need robust fraud checking to make it extremely difficult for a fraudulent transaction to take place. On the other hand, you also need the payment process in the checkout to be as frictionless as possible so that genuine customers are not deterred, and legitimate orders are not declined.
Striking a balance between the two is an ongoing challenge for retailers. Fraudsters are always on the lookout for vulnerabilities to exploit and are increasingly sophisticated in their activities, so it pays to be alert and understand what steps you can take to reduce the risk of fraud taking place on your e-commerce site.
If you are using the CitrusPay Payment Gateway to accept card payments on your site, there are a number of fraud checks in place that have been set up to try and achieve the best possible combination of security and usability, in accordance with industry guidelines. In this article, we detail what is in place and why it's there.
The Address and CV2 Verification Service (AVS/CV2) is a service provided by credit card processors and issuing banks to help you detect suspicious credit card transactions and prevent credit card fraud.
The service checks the billing address and CV2 security code ('three digits on the back') submitted by the Cardholder with the details on record at the card-issuing bank. This is done as part of the authorisation of the transaction. Your Acquirer returns a response code indicating the degree of matching, and you can decide whether the transaction should be accepted or rejected. Rejected transactions will have their authorisations reversed.
AVS is one of the most common tools used to prevent credit card fraud. However, it is only available in a limited number of countries, mainly the UK, USA and Canada. It is also not a foolproof system: only the numeric characters in the address are matched, so flat numbers or house names can cause false negatives.
By default, your CitrusPay Payment Gateway is set up with the following AVS/CV2 check values:
The provided value partially matches the details on record. This is currently not supported for CV2 security code values (so the customer must always provide the exact CV2 value) but is useful for address and postcode values which may differ slightly in format.
The provided value completely fails to match the details on record.
The checks were not performed by the card issuer. As mentioned above, not all card issuers support checking, so accepting this value means that you can still accept payments from customers with cards issued in countries where AVS/CV2 checks are not available.
The results of the checks are not known. This could be due to the Issuer not supporting the checks or having problems performing the checking. Again, accepting a Not Known value is useful for customers with overseas-issued cards.
With these values in place, the aim is twofold:
1) Allow the broadest range of customers to be able to make a successful payment, on the basis that the billing details they provide meet the necessary criteria supported by their card issuer.
2) Prevent payments from being accepted purely from the information visible on a payment card. By rejecting transactions where the billing address and postcode do not match those on record with the card issuer, we are aiming to reduce the possibility of a lost or stolen card being used to make a payment, as the person attempting to make the payment is less likely to know the address to which the card is registered.
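As an added illustration (not CitrusPay's own code), the following encodes the default AVS/CV2 policy described above as a decision function: partial matches are tolerated for address and postcode but not for CV2, "not checked" and "not known" results are accepted so overseas-issued cards can still pay, a rejected transaction has its authorisation reversed, and liability shift is recorded only for a successfully 3D Secure-authenticated payment. The enum values, the `AuthResponse` fields and the function names are assumptions; the real acquirer response codes are not shown on this page.

```python
from dataclasses import dataclass, field
from enum import Enum


class CheckResult(Enum):
    """Degree of match an acquirer can report for one AVS/CV2 field (assumed names)."""
    MATCH = "match"
    PARTIAL_MATCH = "partial_match"
    NO_MATCH = "no_match"
    NOT_CHECKED = "not_checked"   # issuer did not perform the check
    NOT_KNOWN = "not_known"       # issuer could not report a result


# Accept sets mirroring the default policy described in the article (assumed encoding):
# partial matches are tolerated for address/postcode, whose formats vary, but never
# for CV2; NOT_CHECKED / NOT_KNOWN are accepted so cards issued where AVS/CV2 is
# unavailable can still be used.
ADDRESS_ACCEPT = {CheckResult.MATCH, CheckResult.PARTIAL_MATCH,
                  CheckResult.NOT_CHECKED, CheckResult.NOT_KNOWN}
CV2_ACCEPT = {CheckResult.MATCH, CheckResult.NOT_CHECKED, CheckResult.NOT_KNOWN}


@dataclass
class AuthResponse:
    """Constructed view of an authorisation response (hypothetical field names)."""
    address: CheckResult
    postcode: CheckResult
    cv2: CheckResult
    three_ds_authenticated: bool = False


@dataclass
class Decision:
    accept: bool
    reverse_authorisation: bool   # a rejected transaction has its authorisation reversed
    liability_shift: bool         # only for successfully 3D Secure-authenticated payments
    reasons: list = field(default_factory=list)


def evaluate(resp: AuthResponse) -> Decision:
    """Apply the per-field accept sets, then derive the follow-up actions."""
    reasons = []
    if resp.address not in ADDRESS_ACCEPT:
        reasons.append(f"address {resp.address.value}")
    if resp.postcode not in ADDRESS_ACCEPT:
        reasons.append(f"postcode {resp.postcode.value}")
    if resp.cv2 not in CV2_ACCEPT:
        reasons.append(f"cv2 {resp.cv2.value}")
    accept = not reasons
    return Decision(accept=accept, reverse_authorisation=not accept,
                    liability_shift=accept and resp.three_ds_authenticated,
                    reasons=reasons)
```

The 3D Secure acceptance rules themselves are not encoded here; the `three_ds_authenticated` flag only determines whether liability shift applies to an otherwise accepted payment.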
Online transactions made using Visa, Mastercard or American Express payment cards can use the 3D Secure authentication system also known as Verified by Visa, Mastercard SecureCode and American Express SafeKey.
This system provides a means for card issuers to verify the identity of the Cardholder, typically by asking them to enter a password or secret code that only they should know. This provides extra security to an online transaction since even if the Cardholder's card details are fraudulently obtained, it is less likely that the secret is also obtained. For a successfully authenticated Cardholder, the risks of fraud are therefore significantly reduced.
Participating card issuers offer you a guarantee of payment for successful online transactions that have been authenticated using 3D Secure. This means that if there is a dispute or chargeback for a transaction for fraud reasons (e.g. the Cardholder disputes that they made or authorised the transaction) then you will typically not be liable for the dispute/chargeback costs. This is referred to as 'liability shift'. There are some differences in the treatment of liability shift by the different card brands so you should check on the exact details with your Acquirer.
By default, your CitrusPay Payment Gateway is set up with the following 3D Secure check values in order to ensure that Strong Customer Authentication (SCA) is enforced:
Cardholder or the issuer is not enrolled in the system.
The Cardholder failed to provide the correct authentication details.
3D Secure authentication was not attempted due to the card issuer or the payment card not supporting the system. The majority of card issuers support the 3D Secure system.
3D Secure authentication could not be performed, possibly due to a system or communications problem.
What if I want to make changes to the default settings?
We believe that the default settings strike a balance between robust security for the retailer and ease of use for the consumer. Amending the settings without understanding the possible consequences has the potential to leave the retailer exposed to greater risk of fraud and resulting chargebacks.
As such, access to the fraud settings is not available directly through the Cloud MT user interface, and if you do wish to make any changes, you will need to contact the Citrus-Lime Helpdesk Team to discuss this. No changes will be made to 3D Secure settings.