2 minute read

Reducing the risk of card not present fraud

Tuesday, January 31, 2023

2 minute read

Many businesses accept Card Not Present (CNP) transactions on a daily basis, either over the phone or via a website. In the majority of cases, there are no problems with these orders, but there’s an increased risk when accepting CNP transactions as there isn’t a 100% guarantee that the person placing the order is the genuine cardholder. You also have less protection than you’d have if you were processing transactions via Chip and PIN, as your business will be financially liable if a transaction is later reported as fraudulent. To help reduce the chances of your business being targeted by fraudsters, there are a number of checks that should always be made:

Address Verification Service (AVS) check

This checks the property number and the numeric part of the postal code against the card issuer’s records. If this check isn’t verified, this may be a sign that the card being used isn’t from Canada and the order may be fraudulent.

CVV2 check

The CVV2 number (sometimes called the CVV number or security code) is the three-digit number printed on the back of a credit or debit card. If the CVV2 check fails, this is a clear sign that the customer may be using compromised card details. However, if the check does pass, this is still not a guarantee that you’re dealing with the genuine cardholder.
The results of these two checks will be printed on the terminal receipt when you carry out a CNP transaction, so check the terminal’s user guide for information on how this information should be displayed. If you don’t have a user guide, they can often be found online by searching for the model of the terminal.

Use of multiple cards and declined attempts

Fraudsters often buy batches of compromised card details and will try each set of card details until they can get one to work. If you’re seeing multiple declines when trying to process a transaction, you should be careful about proceeding with the order.

Pick-up fraud scam

This is one of the most common fraud scams we see. A new customer places an order for goods over the phone and says that they, or a courier/taxi, will pick the goods up. The fraudster may have the correct name and address details of the genuine cardholder, so things like the AVS check may pass. Sometimes, we see cases where a fraudster is prepared to travel a considerable distance to purchase goods that they could easily get closer to home, so be careful with orders like these. As the goods are being picked up there’s also no way to confirm where they’re actually going, so if you’re in doubt, ask the customer to bring their card with them and do the transaction as Chip and PIN. If an order’s being picked up by a courier, ask them to only deliver to the specified address.

Ordering and delivery

  • Take care when you’re given an alternative delivery address, particularly if it’s in a totally different location to the billing address. Some merchants have successfully prevented fraud by contacting the person at the billing address before sending out orders, so this may be worth considering

  • Be careful if a customer wants you to send out the goods very urgently and is prepared to pay delivery costs that are very high compared to the value of the goods, or if they repeatedly contact you to chase up their order. They may well be trying to have the goods delivered before the card is canceled and you’re alerted to the fraud.

  • Use websites such as 192.com, yell.com, Google, and Streetview to verify customers and delivery addresses. For example, if you’re being asked to deliver goods to a business, then be careful if the address they give you is for a residential property. Businesses can also be checked to make sure they actually exist. If possible, you should also ask for a landline number instead of a mobile number, especially for business customers.

  • Some merchants, who deal mainly with other businesses, have avoided being targeted by fraudsters by asking new customers to pay for orders by bank transfer or cheque and only offering to accept card payments from them once a business relationship has been established over time.

  • If you’re taking orders via a website, we strongly recommend that you have 3D Secure 2 (Verified by Visa and Mastercard Securecode) in place. In the majority of cases, the liability for any fraudulent transactions will then be switched from your business to the card issuer.