Results 1 to 18 of 18
  1. #1
    Join Date
    Sep 2005
    Posts
    79

    About AVS and order screening in general

    Two questions:

    1) Is the address verification system only applicable to US credit card holders? If the transaction response for customers outside the U.S. is returning Address and Zip Code Do Not Match when one would expect it to be Unknown AVS Response, where would the problem lie? (If it returns the former one time and the latter the next, why would that happen?) Would that be an issue with the payment gateway?

    2) How to verify or screen orders (for digital goods), especially from customers outside the U.S. when no AVS information is available? Also, how do you handle it if it seems that a U.S. customer has given you an outdated address? (e.g., if they made attempts that were declined using another address.)

    I recently graduated from paypal to a real merchant account and sometimes unsure of how far to go in screening orders.

    Some things I do:

    - Compare billing address to IP location
    - Look for contact information on web site
    - Look at domain registration contact information
    - Look at nature of business
    - Sometimes make phone call to verify order

    What sorts of things make you suspicious of fraud or risk?

    Wanting to make money, but wanting to minimize the risk of chargebacks. How do you strike a balance?

    Any suggestions welcome

  2. #2
    Actually, I have been wondering WHO has the best screening database on the market.

    Well-hated IBILL processed MILLIONS of dollars (and didn't pay a bunch of us!) -- but they were known for their tight control on fraud. You can now use them as a gateway with your own merchant account (so you control the money). I would be interested to know how well it is working.

    From what I see, they charge from $.25 to $1.00 based on the services they provide. May not be a bad way to go ... if their full database is available to you. Although come-to-think-about-it, I remember getting loads of complaints from people (users) who hated ibill because they could never get approved. I wonder ....


    CCBILL has to be the daddy of them all and must have an incredible fraud screening system by now (one would hope) as they have survived the storm time-in and time-out. But they don't process on customer's merchant accounts from what I can tell.

    Most of the other gateways and services offer avs and such - but rarely do you see much in the line of fraud screening and risk management other than the very basics.

    I also remember that one processor placed a call to every person who attempted a charge; the person had to validate the charge by phone before they were granted access. But I can't remember who this was or if I had read that it worked.

    Anyone else with comments?

  3. #3
    PS:

    How to verify or screen orders (for digital goods), especially from customers outside the U.S. when no AVS information is available?
    1. AVS only works in the US.

    Compare billing address to IP location
    I can fake my IP to your site. Just tell me which country (on in the case of the US), which state do you want me to appear "from" and I'll hit your site with a proxy from that area.

    Sometimes make phone call to verify order
    I think this helps. You can also use some of the search engines online to determine if you are calling an IP, Cell or regular phone line -- although with number portability, this is getting more and more difficult.



    On one service, we used to call the bank on every charge to verify the name on the card and full address data. Some banks wouldn't cooperate.


    What sorts of things make you suspicious of fraud or risk?
    Sorry, I had to laugh at this one. Because the only answer I could muster was "Are they paying you with a credit card over the internet?" -- then you should be suspicious.

  4. #4
    In general, AVS only works for the US. In the US, sometimes you can get a Does Not match response instead of Unknown when the customer is entering a 9 digit zip and issuer has a 5 digit zip on file, or vice versa. I don't know why you would get differing responses on international orders.

    In terms of fighting fraud, it sounds like you are doing the right things. Generally, if its practical, the best defense is giving each transaction the "hairy eyeball" before you settle it. If it looks weird, there is usually a problem. Collecting a phone number and calling to verifiy if you are suspicious is always a good idea.

    Other ways to combat fraud:

    You can also collect the CVV2 number (number on the back of the card).

    Use Verified by Visa and MasterCard Sercure Code.

    For digital goods or monthly services, one technique is to do a blind authorization for a small amount ($0.10 - $1.00) and require your customer to get the exact amount from their issuer and submit it back to you before you activate their service, complete delivery, etc.
    Dave
    PH: 800-761-7475
    PH: 802-876-5087
    www.RiskPayments.com

  5. #5
    Join Date
    Sep 2005
    Posts
    79
    Thanks for your responses. I get the feeling my suspicion and scrutiny are not "over the top".

    Quote Originally Posted by custsrvcrep

    I can fake my IP to your site...
    Would the following be a dependable way of detecting that?

    $forwarded_ip = getenv('HTTP_X_FORWARDED_FOR');

    I always check CVV2. I haven't accepted a single order where there wasn't a match. That seems to be broadly available, but Verified by Visa and MasterCard Sercure Code is less so, correct?

  6. #6
    It is definitely best to err on the side of caution. A lot of it is common sense. The more you review your orders, the better you will get at sniffing out the problems.

    Another thing to keep in mind with international orders is that certain countries (Nigeria, Vietnam, for example) are hotbeds for fraud, so you might consider blocking sales from those countries altogether. You can get a list from your provider.

    Contact your merchant account provider and ask them if they support VbyV and SecureCode. If they do, it's not hard to implement. Its not as widely used as AVS and CVV2, but more and more providers are getting on board with it.
    Dave
    PH: 800-761-7475
    PH: 802-876-5087
    www.RiskPayments.com

  7. #7
    Join Date
    Aug 2003
    Location
    Chesapeake, VA
    Posts
    3,379
    Cardholder Authentication (i.e. "Verified by Visa and MasterCard SecureCode") are available with virtually all payment gateways on the marketplace now so it is usually quite simple to set this up.

    Just keep in mind that the protection is not unlimited. You ARE, however, protected against approximately 60% of the chargeback reason codes - particularly those pertaining to the "I didn't do it", "I didn't authorize it"-types).

    In addition, VBV/MSC will not protect you against a recurring transaction as in order to provide you with the protection, it must be done at the point of sale with the cardholder "present" (albeit via the Internet).

    I definitely recommend considering Cardholder Authentication if you will be doing high ticket sales of any kind but particularly those which are prone to fraud and resale.

    The other option is to setup an automated phone verification system using a service like FraudGate, Varilogix or some of the other comparable solutions on the market today. By using these systems, you can provide the online customer with a PIN # or Invoice #, then have an automated system dial them at their stated number and verbally ask them to enter it in - thus authenticating that they are actually present there.

    Some of these systems will also do an automatic GEO/BIN/IP-reverse lookup to provide extra security and some can even determine if the # being called is a cell/mobile phone or not.

    If you do not have a vast order volume, then manual phone calls placed by your or your staff would do an equally good job. All of these methods along with AVS & CVV (properly configured) can help you a great deal towards reducing your risk of fraudulent sales.
    CDGcommerce.com - Trusted Merchant Account Solutions since 1998
    Many thousands of successful, growing businesses benefit from our expertise every day. You can, too!
    We help merchants to eliminate gateway costs, reduce & mitigate fraud and achieve streamlined PCI compliance.
    Learn more today at http://www.cdgcommerce.com - we look forward to helping your business grow!

  8. #8
    Join Date
    Apr 2005
    Location
    San Francisco, CA
    Posts
    1,029
    I have 3 VISA cards (credit/debit) - all from 3 different banks - when I'm trying to pay using them by Verifed By VISA - ALL of them return with error "This service is NOT available for your card" and this is well known banks such as CapitalOne, Wells Fargo and US Bank - I think is TOO early to speak about VBV - it's still in testing stage and don't supported by many banks.

  9. #9
    Join Date
    May 2003
    Posts
    267
    1. AVS works not only in US but also in about 50% of UK and Canada.

    2. For GeoIP screening as well as other IP based fraud monitoring I highly recommend MaxMind services. Just be carefull with settings. It tends to flag some OK transactions.

    3. Yes. VbV/SCMC is great but not ideal solution and if you won't accept cards of non-enrolled banks you loose about 50% of sales. (CapitalOne and Wells sucks really big time with enrollment to 3D secure to my surprise. Do they think they would loose money?).

    4. Forget IBill and their fraud monitoring system. It worked well 6 years ago, but now IMHO it's ancient.

    5. Fraudgate (phone verification) would be great for transaction that did not pass 3D secure authentication.

    I think combination of all the above tools including CVV check together in some sort of consolidated fraud monitoring system would eliminate all your possible chargebacks regardless of how "high-risky" is your business.


    Businessamerica, you said
    one technique is to do a blind authorization for a small amount ($0.10 - $1.00) and require your customer to get the exact amount from their issuer and submit it back to you before you activate their service, complete delivery, etc.'
    hOW DO YOU ACTUALY DO THAT (IN PROCESSING TERMS)? THX
    Amirocms.com

  10. #10
    Join Date
    Sep 2005
    Posts
    79
    Quote Originally Posted by Leksus
    1. AVS works not only in US but also in about 50% of UK and Canada.
    An example from yesterday morning of why I asked question 1 above:

    Customer from Spain makes 6 attempts to make a payment, each time getting the response: Address and Zip Code Do Not Match

    ( 4 of these attempts were within a span of 5 minutes in spite of the fact that my processing control settings are supposed to limit repeats from same ip to 2 within 15 minutes, but that's another subject)

    Finally on the seventh attempt, customer enters same address and postal code as an earlier entry but this time gets the response: Unknown AVS Response (all the transactions Visa)

    Weird?

  11. #11
    Join Date
    May 2003
    Posts
    267
    Hmm... that's strange. For non-AVS supported countries we are getting smth like " Service not supported by issuer " response from Authorize. I never saw a case like you described with this Spanish customer. After all, AVS worked, right?

    Nevertheless, we have bunch of transactions that passed VbV/MCSC but were declined by Authorize with responses like "The cardholder authentication value is invalid" or "Transaction is declined" and that pisses me off, because cardholders funds remaining still authorized for a couple of days and VbV/MCSC is OK. Does anybody here know what are those responses before I ask Authorize.net directly?
    Amirocms.com

  12. #12
    Join Date
    Sep 2005
    Posts
    79
    Quote Originally Posted by Leksus
    Hmm... that's strange. For non-AVS supported countries we are getting smth like " Service not supported by issuer " response from Authorize. I never saw a case like you described with this Spanish customer. After all, AVS worked, right?
    It didn't work the way I would like, no. I want to allow non U.S. customers transactions to be approved, then I can assess whether there is sufficient information to actually process the order without undue risk.

    According to my settings in processing controls non U.S. customers' transactions should be approved with responses like Unknown AVS Response, or Non-Domestic AVS Info Not Available, or AVS Service Not Supported, or Non AVS participant outside of US. That has generally worked fine but I recently started to get a few Address and Zip Code Do Not Match responses for customers from countries like Spain, Netherlands etc. They might complain that they have entered the correct information. But how do I know?

    But then the one I described, where the person enters the same address and postal code and gets two different responses within just a minute or two That's what leaves me scratching my head!

    To me, Address and Zip Code Do Not Match seems an inappropriate response for a card holder from Spain, Netherlands, etc.
    Last edited by Shawna888; 11-23-2005 at 01:56 PM.

  13. #13
    Quote Originally Posted by steven-v
    I have 3 VISA cards (credit/debit) - all from 3 different banks - when I'm trying to pay using them by Verifed By VISA - ALL of them return with error "This service is NOT available for your card" and this is well known banks such as CapitalOne, Wells Fargo and US Bank - I think is TOO early to speak about VBV - it's still in testing stage and don't supported by many banks.
    Your cards must be activated for vbv to use it.
    If you get this message when trying to buy smth, - it is not the way it should be. Non-vbv cards shouldnt be declined, they only should be checked for vbv presence and if it is there, - to prompt for vbv password.
    In case there's no vbv activation, transaction should go on silently as usual Visa transaction.

    Even in this case u'll be protected from 60% of chargebacks if correct vbv authentification was done.

    Hope it helps

  14. #14
    Quote Originally Posted by steven-v
    I have 3 VISA cards (credit/debit) - all from 3 different banks - when I'm trying to pay using them by Verifed By VISA - ALL of them return with error "This service is NOT available for your card" and this is well known banks such as CapitalOne, Wells Fargo and US Bank - I think is TOO early to speak about VBV - it's still in testing stage and don't supported by many banks.
    You are correct. Not all issuers support these programs but it really doesn't matter from a Verified by Visa Merchant's standpoint:

    Verified by Visa Site
    http://usa.visa.com/business/accepti...ement/vbv.html

    "Merchants who use Verified by Visa are protected from fraud-related chargebacks on all personal Visa cards—credit or debit, domestic, or international—whether or not the issuer or cardholder is participating in Verified by Visa"

  15. #15
    Join Date
    May 2003
    Posts
    267
    Quote Originally Posted by CardinalCommerce
    You are correct. Not all issuers support these programs but it really doesn't matter from a Verified by Visa Merchant's standpoint:

    Verified by Visa Site
    http://usa.visa.com/business/accepti...ement/vbv.html
    Although it might be correct from Visa standpoint it takes some guts to fight those rules with the issuer bank. Here's our recent example: customer from France, French bank issued Visa card, bank is not enrolled in VbV. Made a chargeback on code 83 (no holder authorization). Because we have recorded VbV authorization attempt, all necessary info was submitted to the acquirer to reverse this chargeback. Seems to be no problem? Hah, wild guess Here's what we got from our bank:

    "Unfortunately, the information provided was not sufficient to represent the transaction back to the issuing bank for payment. NO PROOF established cardholder participated in transaction and WAS NO PROOF this transaction utilized VbV."

    From merchant standpoint such respond is unacceptable because we should be protected! Since this is not a first time where our bank seems to be totaly impotent to stand up for its merchants I wonder if Cardinal Commerce can step in and help to represent such type reversals directly to Visa. Are there any solutions? Thank you.
    Amirocms.com

  16. #16
    Leksus,

    Please report this information through the support site. Once we analyze the data on the transcation we will help represent the data to your Acquirer.

  17. #17
    To the rest of the WHT Community,

    When you have to represent the data elements on international chargebacks there is a procedure required to present the VbV information.

  18. Quote Originally Posted by Leksus
    From merchant standpoint such respond is unacceptable because we should be protected! Since this is not a first time where our bank seems to be totaly impotent to stand up for its merchants I wonder if Cardinal Commerce can step in and help to represent such type reversals directly to Visa. Are there any solutions? Thank you.
    It stinks to be the merchant in a dispute, but here is what to keep in mind when you are looking at your protection, or lack there of, in a dispute:

    What is the intended purpose of credit? Is it to make like easier for merchants? No. The reason credit cards exist is to encourage consumer spending. As such, most, if not all, protection goes to the consumer.
    The downside of this, is if you are a merchant who gets a chargeback, you will likely lose out on your money and lost product. However, it benefits you, because the consumer will continue to use credit to buy things, even when thye have no money (merchants must just hope the chargeback was an isolated incident and not a pattern, in which case, the spending does you no good).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •