How do you fight credit card fraud?

I believe almost every merchant who accepts credit card payments on her website has faced credit card fraud at least once - the kind of fraud where merchants are tricked by carders (criminals who use stolen credit card numbers to make purchases over the Internet).

The kind of business we do is highly attractive to carders – we sell software products, which are shipped over the Internet in a matter of seconds (there is no hard media shipping). Carders are likely to purchase stuff which they will receive instantly, before a transaction had been recognized as a fraud. That is why the whole industry of online sales related to online products delivery (e.g. software, music, electronic books, website templates and many more) is influenced by credit card fraud. 

However, no matter what kind of online business you are in, if you accept credit card payments on your website, it means that sooner or later you will have to face credit card fraud. This kind of activity has really high volumes nowadays.

Here is an example - I have just looked at Shop-Script order list and noticed that for the past 2 days there were 12 attempts of fraud credit card payments! Fortunately, our support team is highly trained on identifying carders - we identify nearly 99% of fraudulent orders and void all such transactions.

However, fighting fraud is not that hard!
Here I only refer to manual card payments verification, in which merchant verifies card payment and settles it manually in his payment gateway account if approved; automated fraud fighting systems is a whole other story and is not a subject of this post.

Backed by our experience, I will present a brief list of issues that should considered when verifying a credit card transaction:

• Email address:
  This is the first thing to check! Take a look at your customer’s email address. If it is something like superhack2007@yahoo.com, I guarantee you this is a pure fraud. And if it is sales@mysmallfamilybusiness.com, most likely you have a genuine order.
  What you should pay attention to is whether email address is registered on a free email service (e.g. @yahoo.com, @gmail.com) or a commercial domain name (@somecompany.com). Emails on commercial domain names are of much less suspicion on fraud.
  If email address is free, that does not mean that you have a carder (unless it becomes obvious from the name before @ symbol) - it only means that you should perform more thorough investigation on the transaction.
• IP address:
  If your customer passed email test, check his IP address (in Shop-Script you can find IP address on the order details screen of backend). There are various web services which allow getting physical address information on IP address. I suggest you to use SmartWhois from All Net Tools free tool. Copy customer IP address (e.g. 127.0.0.1) to clipboard and paste it on SmartWhois website - you will be shown on whose name this IP address is registered.
  The only thing you should pay attention to in this information is the country. Make sure it matches the country where the customer would like the order to be shipped.
• Telephone call:
  Give your customer a telephone call. Though carder can indicate his own phone number in order details, this is where you can easily identify fraud - just listen to the way he talks on the phone. You may even ask something like “Oh, I have a friend living just near you! How is the weather over there today?” - it is unlikely that a carder will answer this question
• Overnight orders:
  Consider what time it is at the address where an order came from.
• Order amount:
  Be aware that a carder is likely to exploit the fact that he is not using his own money to pay for the purchase. He might think something like “Since this is not my money, I might as well order this, and this, and that …”. Investigate more thoroughly if order amount is bigger than average.
• Online search:
  Try searching for the customer white pages over the Internet, e.g. www.anywho.com (US), www.infospace.com/home/white-pages/world (links to international directories).
  Searching for the customer’s email in major search engines might also be useful if it is a highly suspicious case.

Credit card verification is not a straight forward process, and described issues are only basics. There is no 100% guideline on identifying credit card fraud - this is like playing ‘hide and seek’. It could seem to be fraudulent, though turn genuine after you contact customer.

With time you will see that carder identification is an easy procedure - I’m sure that with some practice you will be able to identify carder from the first sight!