FRAUD PREVENTION GUIDE

Author: Doris Heath
The aim of this guide is to help merchants mitigate the risk of accepting fraudulent cardholder transactions; UPG has a range of security checks that can be deployed to help protect your business. We also work with a range of industry partners who provide more complex and comprehensive identity management and fraud screening tools, particularly for merchants operating in high risk markets. We would be happy to make formal introductions to discuss more bespoke requirements.

Our goal in this document is to describe the Fraud Management Tools available for UPG customers. The tools are designed to let merchants block transactions from being processed based on various rules. The tools include:
• Address Verification Service (AVS) and Cardholder Verification Code (CVC) settings
• Bank Identification Number (BIN)
• Geographic Tracking via IP location
• 3D Secure (MasterCard Secure Code and Verified by Visa)

Support
If you require any further help or advice regarding this document, or you have ideas about how it can be improved, please get in touch with a member of our Customer Service Centre team on 0845 269 6645 (for international callers +44 1827 68882) or [email protected]

Commercial In Confidence Version 1.2


TABLE OF CONTENTS
Overview
AVS and CVC checks (Address and 3 digit codes)
BIN Dependent Processing
    Setting up BIN Dependent Processing
    Enabling BIN dependent processing in your Account
Geographic Tracking via IP location
3DSecure Code
    How does 3DSecure work?
    How to setup 3DSecure Code on your website


OVERVIEW
Managing fraud is all about looking at the risks to your business and deciding what levels of risk you are comfortable with. A large business with small value packets and high margins will have a different view to a small merchant with high value goods and lower margins.

It is important to understand that fraud management settings are fixed in our service to give a really good baseline of protection. If you feel that you have a particular risk, you should give us a call and we can advise which specialist risk management companies can “top-up” our services.

The services are based around factual data, from which we make decisions. Sometimes good customers get refused by fraud screens, which is known as a “false positive”. An example may be that a person moves and doesn’t tell their bank, and they therefore fail an Address Verification Check. So whilst the systems aren’t foolproof, they are recommended for use by all the banks.

Fraud mitigation systems are also employed by the banks to protect the cardholders, merchants and the banks against fraud. For example, a velocity check (the time gap between purchases) might show that a card has been on a bit of a spending spree; the bank may initially decline the transaction and ask to speak to the cardholder to determine if it is a stolen card or a ‘committed shopper’.

The card processing system in the UK is extremely fast, largely because it is fairly rudimentary in its message format, the clearest example being that it largely ignores alpha characters and only uses numeric values. For this reason the systems do not check the names on cards and ignore the alpha characters in a postcode.

Finally, it is worth bearing in mind that some merchant banks may charge you a non-secure fee (as much as 1% of transactions) if you do not submit AVS, CVC or 3DS details with specific transactions. In particular, the use of 3DSecure can mean that the bank will stand any fraud charges on protected transactions for qualifying merchants; this can really make a difference and should be used wherever possible.


AVS AND CVC CHECKS (ADDRESS AND 3 DIGIT CODES)
Provided that you capture good address details and the CVC code (located on the back of the card) in your payment form, they are checked in real time by your acquiring bank. It is advisable to use a postcode lookup tool to collect the address data correctly and not to allow cardholders to “free type” the data, as this facility is used to limit the fraud of address manipulation. We would recommend either www.gbgroup.co.uk or www.postcodeanywhere.co.uk as providers of this useful functionality.

The results of CVC and AVS checks are passed back to us by the bank and we display them in your transaction viewing area as follows:
• ALL MATCH
• SECURITY CODE MATCH ONLY
• ADDRESS MATCH ONLY
• NO DATA MATCHES
• DATA NOT CHECKED

Like the banks, we will advise you of the status of these checks so that you can decide how you want to proceed; we will not block a transaction that returned an invalid AVS or CVC check. The “false positive” rate for these systems is at a level that can exceed the average fraud levels in the UK, so the cost of interpreting and managing the data is a cost to your business that needs considering.

Please note: CVC verification is stated as mandatory by Visa and recommended by MasterCard. We strongly recommend that you always capture and send the CVC number for processing.

POSSIBLE REASONS FOR A GENUINE TRANSACTION TO FAIL A CVC CHECK:
• The CVC number was input incorrectly
• The card issuing bank doesn’t support the check

POSSIBLE REASONS FOR A GENUINE TRANSACTION TO FAIL AN AVS CHECK:
• The address details are input incorrectly
• The card issuing bank doesn’t support the check (in some countries outside of the UK)
• The cardholder hasn’t registered the card under the right address details
• The format of the address is unusual, i.e. a house name instead of a house number, flat 24b etc.

You can decide not to fulfil an order if you are at all suspicious based on the AVS/CVC response. To benefit from AVS and CVC checks you will need to ensure you are submitting these values in your payment form as mapped fields. All mapped field names are listed within the Settings > Form Field Settings page in your User Control Panel.

If you would still like us to fail all transactions that do not pass either the AVS, CVC or both checks by default, please submit a request to our Customer Service Centre via [email protected]. Below are screenshots of the default setting; please specify how you would like us to change the options in your request:


Please note: whilst we can fail these transactions, as far as the banks are concerned the transactions are authorised and the funds reserved on the card. We cannot reverse the authorisation or affect how long the card issuing bank keeps a hold on the funds in this scenario, although it is usually only about 5-7 working days.
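An added example (not UPG's code or any bank's algorithm): a simplified Python model of the numeric-only comparison described in the Overview, showing how an unusual address format produces a false positive, followed by a hypothetical merchant triage of the five displayed results. The comparison logic, the `triage` threshold and the sample records are assumptions made for illustration.

```python
import re

# Result labels exactly as the guide lists them for the transaction view.
ALL_MATCH = "ALL MATCH"
CVC_ONLY = "SECURITY CODE MATCH ONLY"
AVS_ONLY = "ADDRESS MATCH ONLY"
NO_MATCH = "NO DATA MATCHES"
NOT_CHECKED = "DATA NOT CHECKED"


def numerics(text):
    """Drop everything except digits, as the numeric-only message format does."""
    return re.sub(r"\D", "", text or "")


def avs_cvc_result(entered, on_file, issuer_supports_check=True):
    """Simplified model of the issuer comparison (assumed, not a bank's algorithm)."""
    if not issuer_supports_check:
        return NOT_CHECKED
    address_ok = all(
        numerics(entered[k]) == numerics(on_file[k]) for k in ("address", "postcode")
    )
    cvc_ok = entered["cvc"] == on_file["cvc"]
    if address_ok and cvc_ok:
        return ALL_MATCH
    if cvc_ok:
        return CVC_ONLY
    if address_ok:
        return AVS_ONLY
    return NO_MATCH


def triage(result, order_value_gbp, review_threshold_gbp=100):
    """Hypothetical merchant policy: the gateway reports, the merchant decides."""
    if result == ALL_MATCH:
        return "fulfil"
    if result == NO_MATCH:
        return "hold"  # funds are already reserved on the card; do not ship
    if result == CVC_ONLY and order_value_gbp < review_threshold_gbp:
        return "fulfil"  # likely an address false positive on a low-value order
    return "manual review"


# Constructed sample records (not real cardholder data).
ON_FILE = {"address": "Flat 24b, 7 High Street", "postcode": "B1 1AA", "cvc": "123"}
TYPED = {"address": "7 High St, Flat 24B", "postcode": "b11aa", "cvc": "123"}
```

The free-typed address reduces to `724` while the bank's record reduces to `247`, so a genuine cardholder gets SECURITY CODE MATCH ONLY; collecting the address through a postcode lookup avoids that reordering.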

BIN DEPENDENT PROCESSING
BIN describes the first few digits of a card; imagine that card numbers are a little like telephone numbers and the first part of the card number gives us the routing information on where we should request the authorisation of funds. By way of comparison:

For phones, 0121 relates to a Birmingham phone number, 0207 certain parts of London.

For cards, 5 is a MasterCard and a card starting with 4 is a Visa; the next digits tell us the bank, the card type, who processes the payments for the bank and even who printed the cards. So a card starting with 5435 56 is a NatWest Gold Charge card in GBP and was printed by GyD Iberica.


BIN Dependent Processing simply uses processing rules based upon the country in which the card was issued to determine whether to proceed with the transaction. It is primarily used where merchants wish to restrict the acceptance of payments to UK issued cards.

When BIN Dependent Processing is deployed, transactions are referred to our fraud management tools before they are sent to the acquiring bank for authorisation. Based on the account’s settings and the results of the BIN check, we will either continue to process the transaction or block it at this point. Where a transaction has been blocked because of the settings, the customer will be given a standard response with the reason “Card Declined by Merchant”; in the interest of fraud prevention the customer will not be given a more descriptive response. If the BIN Dependent Processing check passes and has determined that the transaction is to be continued, the remaining transaction processing will continue.

For example, you may decide to block credit cards that originate in a country you don’t supply, or where you have identified a particular trading risk.

Please note: When a transaction passes the BIN Dependent Processing check it is not a guarantee of a subsequent authorisation, and these management tools do not affect or influence any questions about liability for fraudulent transactions.

SETTING UP BIN DEPENDENT PROCESSING
This service can be set up on a Premium Account only. Customers with a Basic or Standard Account will have to upgrade their account to use the service. To enable BIN Dependent Processing, you will need to contact UPG to have the facility set up on your account (a setup fee normally applies). Once the facility has been set up, the configuration settings will be available from within your User Control Panel in Settings > Advanced Settings.

ENABLING BIN DEPENDENT PROCESSING IN YOUR ACCOUNT
Card Look Up
When the Fraud Management tools are activated we will look up to see if the card has a UK issued PAN (long card number); this check is performed based on the BIN number of the card. The configurable options for this check are:
• Accept a transaction if the PAN is a UK issued PAN or non-UK issued PAN
• Accept a transaction only if the PAN is a UK issued PAN
• Accept a transaction only if the PAN is a non-UK issued PAN

Default Handling
When the BIN Dependent Processing check cannot be carried out for an unexpected reason, a default setting can be selected to determine whether to continue with the transaction or not.


GEOGRAPHIC TRACKING VIA IP LOCATION
Available in our Standard and Premium packages. We log the IP location of the customer and display it to you within the transaction detail. Comparing it to the country the card was issued in might help you when determining if a transaction is fraudulent.
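An added example (not UPG's implementation) covering both the Card Look Up / Default Handling settings and the IP-versus-issuing-country comparison described above. The six-digit BIN length, the BIN table, the setting names and the sample card numbers are assumptions constructed for illustration.

```python
import re

# Constructed BIN table (first six digits -> issuing country); not real issuer data.
BIN_COUNTRY = {"400000": "GB", "510000": "FR", "455500": "US"}

# The three Card Look Up options from the guide (setting names are hypothetical).
ACCEPT_ANY, UK_ONLY, NON_UK_ONLY = "any", "uk_only", "non_uk_only"
DECLINE_REASON = "Card Declined by Merchant"  # the only reason shown to the customer


def issuing_country(pan):
    """Return the issuing country for a PAN, or None if the check cannot be done."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 6:
        return None
    return BIN_COUNTRY.get(digits[:6])


def bin_dependent_check(pan, card_lookup, continue_on_failure, ip_country=None):
    """Run before authorisation; returns a decision dict for the transaction."""
    if card_lookup not in (ACCEPT_ANY, UK_ONLY, NON_UK_ONLY):
        raise ValueError("unknown Card Look Up setting")
    country = issuing_country(pan)
    if country is None:
        # Default Handling: the BIN check could not be carried out.
        proceed = continue_on_failure
    elif card_lookup == UK_ONLY:
        proceed = country == "GB"
    elif card_lookup == NON_UK_ONLY:
        proceed = country != "GB"
    else:
        proceed = True
    return {
        "proceed": proceed,
        "customer_message": None if proceed else DECLINE_REASON,
        "issuing_country": country,
        # Geographic tracking: a review signal for the merchant, not a block.
        "geo_mismatch": bool(country and ip_country and country != ip_country),
    }
```

A result with `proceed` set only means the transaction continues to authorisation; as the guide notes, it does not guarantee that the bank will authorise it.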


3DSECURE CODE
Also known as Verified by Visa/MasterCard SecureCode

3DSecure is a simple, password-protected identity-checking service that helps to decrease the risk of online shopping for you and your customers. It adds another authentication step for online payments. Please note that you will not be able to accept Maestro cards without 3DSecure Verification. 3DSecure is not designed to be used with manual MOTO transactions.

HOW DOES 3DSECURE WORK?
1. The cardholder completes your normal payment form.
2. UPG connects to Visa/Mastercard to ascertain whether the card range is registered for 3DS and to receive directions to where the bank’s 3DS page is located.
3. If the card range is not registered for 3DS, UPG will handle the transaction based on your default settings.
4. If the card range is registered for 3DS, UPG will re-direct the customer to the 3DS page hosted by their card issuing bank. Here they will be asked to either enrol for 3DS (if they have not used 3DS on this card before) or to input their secure password (if they are enrolled).
5. Following successful enrolment/authentication, the cardholder is then redirected back to our server and the transaction proceeds for authorisation. (If the enrolment or authentication fails, it could result in the transaction being aborted at that point and lost.)
6. If the transaction is authorised, the cardholder sees your usual confirmation page. If it is not authorised, the cardholder sees your usual decline page.
7. There are several possible outcomes to the verification and you are asked to select default handling rules for these when you turn 3DS on in your account. These are explained to you in detail when your 3DS is ready to use.


HOW TO SETUP 3DSECURE CODE ON YOUR WEBSITE
Please submit a request to add 3DS to your account via [email protected]. Please quote your account reference when you do so. Upon receipt of your request, we will contact your merchant acquiring bank and ask them to register your merchant number with Visa/MasterCard. The registration process and subsequent testing at our end takes on average 2-3 working days for a Barclays merchant and 5-7 working days for all other acquirers. We will notify you via email when the process is complete and you can activate 3DS on your account.
