How to Reduce Credit Card Fraud

Credit card fraud can be curtailed through a variety of measures

The big daddy of 2005s many credit card heists was probably the CardSystems breach, which put as many as 40 million credit card numbers at risk. Thats one compromised credit card number for every 18 adults in the United States. So what exactly are merchants doing to prevent credit card fraud? Heres a snapshot from Sharper Image, the San Franciscobased retailer of high-end doodads, which earned revenue last year of $760 million.

1. The Chargeback

When a customer hands a credit card to a cashier, the credit card company usually assumes liability if the card turns out to be stolen. But with online and telephone transactionsdubbed "card-not-present" transactionsmerchants assume this liability. If a cardholder disputes a charge, it comes back to bite the merchant in whats known as a chargeback. According to the Merchant Risk Council, a trade group, retailers that dont manage credit card fraud can have chargeback percentages in the double-digits.

2. The Fraud File

As a longtime catalog retailer, Sharper Image has been compiling for the past 25 years a list of names, addresses and ZIP codes that have been associated with chargebacks. "It doesnt mean that every address in that file is a fraud or a bad person," CSO Joe Williams says. "It means that there has been some fraud activity reported, one way or another, at that address. Someone at that address may have been a victim." This so-called fraud file, or negative list, is used to verify all card-not-present orders, both online and on the telephone.

3. The Attempt

After fraudsters obtain stolen credit card numberswhich are now being sold online complete with the security codestheyll try to use them to purchase products for resale. At Sharper Image, crooks might place multiple orders for camcorders and other expensive products online, often opting for overnight delivery. Sometimes they try to evade fraud detection by calling not the toll-free number but a local store, where the person who answers the phone works on commission. They may even try to go through TDD operators who assist the hearing-impaired, thinking that those orders will escape notice. But every card-not-present order gets the same scrutiny because Sharper Images goal is to limit all chargebacks.

4. The Match

Each night, all card-not-present orders are matched against the fraud file, which has hundreds of thousands of addresses. The system also looks for irregularities in the credit card information or mailing addresses that differ from billing addresses. "You have to do this cheaply, or you cut into your profits, and you have to do it quickly because customers do not want their orders delayed," Williams says.

5. The Screening

The next day, fraud screeners in the processing department review all the transactions that have been flagged. Most of the orders get released for shipping within secondsfor instance, when a customer has previously had an order shipped to an alternate address, with no resulting chargeback.

6. The Screeching Stop

When an order is truly suspect, fraud screeners may call the bank to verify some information about the cardholder. If theyre still unsure of the order, they call the cardholder. "Well just verify whether theyve placed the order," Williams says. "In many cases they say, No, I havent ordered anything from you. Then we know its a fraud, so we just drop the order." On average, he says, it costs less than a dollar to do the highest level of screening for a suspect order. Potentially significant trendssuch as a large number of purchase attempts with the same delivery addressare reported to law enforcement.

7. The Payoff

In 2004, Sharper Image stopped $13 million in merchandise from going out its doorscompared with $2 million three years earlier. Williams attributes this dramatic jump mostly to the escalation of Internet fraud over the past years. Chargebacks for Internet and telephone orders were an impressively low 0.33 percent. (Anything less than 1 percent is a good number, according to the Merchant Risk Council.) "Probably the trickiest thing about the whole process is that the profile of a fraud person is exactly the profile of a top customer," Williams says. "They buy a lot, and they want it now."

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful cybersecurity companies