6

We operate an e-commerce website, and we're facing some big problems with payments. Very often, some customers get credit card data and use those in our store. So when the real credit card owner gets their bill, they cancel this transaction, and we lose the money and the products.

We don't have access to the customer's card number, this is fully controlled by Cielo.

Any thoughts on how we can prevent this situation?

cmedeiros

3 Answers

8

Any thoughts on how we can prevent this situation?

1) Fraud is higher with CNP (Card Not Present) transactions, not least because it's easiest to get away with. If the purchaser says they never received it and files with the card company, the card company takes their side unless you have a signed slip - which CNP transactions never have. So for that particular type of fraud, there's little you can do, except evaluate what it costs your business and adjust your prices to compensate.

2) Your processor (Cielo in this case, apparently) should be performing various anti-fraud steps to determine if the transaction is likely to go through or not. Some processors work harder at this than others, so you may want to look into your alternatives for payment processing. A processor that puts more effort in at that layer might cost more, but it might also be worth it. (Disclaimer: I work for a processor, but know nothing at all about Cielo, and don't know if they're likely to be doing a good job for you or not - go forth and research). These are steps that the processor can take but you really can't, because you don't have access to the same amount of information they build in the aggregate and the level of information they get back from the credit card acquirers. So it's not a build-it-yourself type of thing.

gowenfawr
  • Good answer - I'd recommend considering using more than one payment processor - while this allows you to evaluate different services it also presents the customer with more choice - and may in itself improve sales. Big question is how effectively you can monitor/manage fraud yourself - but without knowing a lot more about the levels of fraud / returning business / business model, it's hard to suggest specific directions. – symcbean Oct 11 '11 at 11:21
  • Thank you both for your answers and considerations. Yes, we're using Cielo, I will try your suggestions. @symcbean we sell prepaid charges of mobile phones, clothes and electronics. In each of these I had a kind of fraud problem. Starting from stolen cards, delivering to wrong address or to stolen mobile, etc. – cmedeiros Oct 11 '11 at 12:03
0

Typically the payment processors are not tasked to detect fraud. They get a single API call with a CC number and details and a billing address and they just check with the info the bank has on file. Most businesses do not decline the order even if the billing address is not a match; you have an option to ask your payment processor to decline the order based on AVS code (Address Verification).

To detect if an order is a fraud, more information must be fed into the analysis, and credit card details may not be needed at all. Usually, big rushed orders where the billing and shipping addresses are different and the order is put from an international IP may indicate a fraud. Also, if an order is put after a number of different credit cards were tried, possibly, it is a fraud. You can manually check these details for each order, if you get a handful of orders every day. You can look at the Google map for the shipping address and check the IP that the request came from. See how far they are from each other. Social engineering data is also a key; you can check people on LinkedIn to see if they exist and look legit.

But this can go out of hand, if you have a large number of orders. There are many fraud detection service providers that you can call their API, provide the transaction details, and they will give you a score indicating how risky the order is. Examples of them are SignifyD, MaxMind, SiftScience, Riskified, Kount.

Goli E
0

Sounds like you are using a hosted Payment Service Provider (PSP). Suggest having a discussion with them about how you can reduce your chargebacks and fraud levels. If they don't have someone you can have that discussion with, consider changing providers. Also talk to your acquiring bank, as they may also have technology or processes they can enable.

Some things they should be able to enable which will reduce your fraud levels:

  • Risk scoring - this will use a combination of data gathered on the customer browser to perform device identification, IP address and device blacklisting, velocity (e.g. same credit card used in different countries in a short time), reported stolen cards, high fraud risk items e.g. iPads etc to provide a risk score for the transaction and customer. Good software taps into things like an e-Fraud network (RSA service) to pool fraud knowledge from around the world. You can set actions based on the risk score e.g. a score from 1-1000, below 500 accept transaction, 500-800 require additional steps, above 800 reject or require different payment method.

  • Merchant specific rules - you can require basic checks such as AVS (Address validation i.e. the billing address entered matches the card address), CVS (validation of the card security code). Other simple rules can be based on the item type or item or basket value. Again you can take additional action or reject based on the responses to these.

  • 3D Secure (3DS) - this means that the user needs to enter their Verified by Visa (VbV), Mastercard Secure Code or Amex password, which is validated by the card issuer, to process the transaction. 3DS should also provide you liability transfer, so if the 3DS is approved and there is a chargeback, the card issuer will take liability rather than you as the merchant.

  • Adaptive authentication - based on the risk score you may want to require additional authentication e.g. a secret question they entered on registration, or an SMS with a one time password sent to their registered mobile to process the transaction.

  • Alternative payment options - you can transfer some of your risk and potentially get additional customers by offering options such as Google Checkout or PayPal for example. These providers have fraud detection and prevention systems and again liability shift can be negotiated in certain cases.

Some of these steps may be an additional cost, they may also result in an increased drop out rate of your customers. So you will have to measure these costs relative to your fraud levels and tune to get to an optimal balance for your business. Hope that helps and good luck!

Rakkhi
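Added example (not code from any of the answers above): a merchant-side pre-screen that combines the order signals Goli E lists (billing/shipping mismatch, foreign IP, distance between IP and shipping address, several cards tried) with the 1-1000 score bands from Rakkhi's answer. The field names, weights, `high_value` and `far_km` thresholds are assumptions for illustration; GeoIP lookup and address geocoding are assumed to happen elsewhere.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Order:
    amount: float
    addresses_differ: bool   # billing address != shipping address
    avs_match: bool          # AVS result returned by the processor
    cards_tried: int         # distinct cards attempted for this order
    ip_country: str          # from a GeoIP lookup done elsewhere
    ship_country: str
    ip_latlon: tuple
    ship_latlon: tuple       # geocoded shipping address

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(o, high_value=500.0, far_km=1000.0):
    """Return (score 1..1000, reasons). Weights are illustrative assumptions."""
    hits = []
    if o.addresses_differ:
        hits.append((150, "billing_shipping_differ"))
    if not o.avs_match:
        hits.append((200, "avs_mismatch"))
    if o.ip_country != o.ship_country:
        hits.append((200, "ip_country_differs"))
    if km_between(o.ip_latlon, o.ship_latlon) > far_km:
        hits.append((150, "ip_far_from_shipping"))
    if o.cards_tried > 1:  # each extra card adds weight, capped at 300
        hits.append((min(300, 100 * (o.cards_tried - 1)), "multiple_cards_tried"))
    if o.amount >= high_value:
        hits.append((100, "high_value"))
    score = max(1, min(1000, sum(p for p, _ in hits)))
    return score, [why for _, why in hits]

def decide(score):
    """Bands from the answer: below 500 accept, 500-800 extra steps, above 800 reject."""
    if score < 500:
        return "accept"
    return "step_up" if score <= 800 else "reject"

# Constructed sample orders (coordinates: Sao Paulo, Rio de Janeiro, Berlin).
SAO, RIO, BER = (-23.55, -46.63), (-22.91, -43.17), (52.52, 13.40)
LOCAL = Order(80.0, False, True, 1, "BR", "BR", SAO, SAO)
MISMATCH = Order(900.0, True, False, 2, "BR", "BR", SAO, RIO)
RUSHED = Order(2500.0, True, False, 4, "DE", "BR", BER, RIO)
```

Returning the reasons alongside the score lets a manual reviewer see why an order landed in the "step_up" band, which is where the extra checks from the answers (3DS, SMS one-time password) would be triggered.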