Tips For Preventing eCommerce Fraud

by Larry Kilroy Jan 15, 2019

As sales growth in the eCommerce sector of the wine and spirits industry continues, so does the number of online stores that have been touched in some way by fraud. In most cases, the experience is limited to fraudulent orders and chargebacks. However, even minor fraud is reminder enough for any merchant to audit their eCommerce presence. Adhering to best practices minimizes the chance of losses at the hands of some of the shadier actors out on the internet.

Luckily, there are proven methods to mitigate the risk to your store. Here are tips to help your eCommerce site avoid being targeted with fraudulent activity.

Choose an eCommerce platform that prioritizes security and fraud prevention

Very rarely does it make sense for a merchant to build their own eCommerce solution from scratch. There are many platforms, often tailored to your industry, that bake in many of the best practices for preventing fraud. Choosing a reputable platform reduces worry for you and your staff, because the platform is expected to follow standard practices. Storing sensitive customer data such as credit card numbers in the clear has given way to encrypting it. Requiring strong passwords for customer accounts and using 24/7/365 monitoring services tuned to watch for suspicious internet traffic are other must-haves.

Let the experts worry about combatting fraud while you focus on growing your business.

Bottlenose never stores sensitive customer information. And while we know it can be annoying that we require customers to reset their passwords instead of sending them their existing one, that is an example of us continually reviewing and changing our practices to adhere to security best practices.

Additionally, we use multiple third-party monitoring systems that alert us to suspicious activity.

Meet and maintain PCI Compliance

PCI Compliance is a set of requirements designed to maintain a secure environment for companies and platforms that process, store or transmit credit card information. PCI compliance is a proactive customer protection strategy. Merchants who seek PCI compliance must go through a review process that includes self-assessments and ongoing third-party scans and audits. For more information about PCI Compliance, visit the PCI Compliance Guide.

While PCI Compliance is the responsibility of the merchant (the requirements cover parts of your business beyond our service), Bottlenose will work with you and do everything on our end to make sure your eCommerce platform meets the requirements for your business to be PCI Compliant.

Use secure certificates (SSL) for all checkout and login web pages

The technology that drives Secure Sockets Layer (SSL) certificates is always advancing. SSL ensures encryption between the customer's browser and your website, often represented by the little lock icon in your browser's address bar. While SSL has always been considered a requirement for pages that exchange sensitive user data, modern web browsers like Google's Chrome have recently adopted a policy of not displaying ANY pages not protected by a secure certificate. Because of the ongoing improvements to SSL needed to combat increasingly sophisticated fraud schemes, it is always recommended that you let your platform provider handle your eCommerce SSL requirements.

The Bottlenose platform is a cloud-based Software as a Service (SaaS) product. That means that not only do you receive the newest features as they are released, we also handle all of the server security work, including SSL certificates. All of this is included in your monthly fee.

Use address verification (AVS) and credit card security codes (CVV2, CVC2, CID)

The three or four digits that make up the CVV2, CVC2 or CID are probably already familiar to you from your brick-and-mortar store. These numbers, printed on the physical card but never on receipts, are designed to ensure the credit card is in the possession of the person making the payment. Once a transaction is processed, the credit card issuer responds to the processing platform with a reply confirming or rejecting the validity of the code. These code checks are just as important on an eCommerce transaction as they are on a store terminal.

Card account address verification (AVS), however, is a best practice online that you likely do not use in your physical store. There are multiple levels of AVS, the most basic simply confirming the ZIP code of the card's account holder. Most eCommerce platforms will also offer street-address-level checks. Often only a failed ZIP code check will decline the transaction. A mismatch on the other fields will still allow pre-authorization and return a code warning the merchant that there was not an exact match. This behavior reflects the reality that people will often write "Street" vs. "ST", or "APT #" instead of "#", differently on the credit card account on file and on the "Billing Information" form of an eCommerce site. These checks leave it to the merchant to determine whether to "capture" the payment and fulfill the order or to void and cancel it.
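As an added example (not Bottlenose code), here is the decision logic the two paragraphs above describe, applied to a gateway's authorization result. The single-letter AVS result codes are the common Visa-style codes and are an assumption to confirm against your own gateway's documentation.

```python
from __future__ import annotations

# Added example, not Bottlenose code: apply the article's AVS/CVV policy to a
# gateway's authorization response. The single-letter AVS codes below are the
# common Visa-style codes (assumption: confirm them against your own gateway).
AVS_CODES = {
    "Y": (True, True),    # street and ZIP both match
    "A": (True, False),   # street matches, ZIP does not
    "Z": (False, True),   # ZIP matches, street does not
    "N": (False, False),  # neither matches
    "U": (None, None),    # issuer could not check the address
}

DECLINE = "decline"   # void the pre-authorization and cancel the order
REVIEW = "review"     # pre-authorized; the merchant decides to capture or void
CAPTURE = "capture"   # every check passed; capture and fulfill


def decide(avs_code: str, cvv_match: bool) -> tuple[str, list[str]]:
    """Return (decision, reasons) for a pre-authorized transaction.

    A rejected security code or a ZIP mismatch is a hard decline. A street
    mismatch alone only flags the order, since "Street" vs "ST" or "APT #4"
    vs "#4" on the card account produces a mismatch on legitimate orders.
    """
    street_ok, zip_ok = AVS_CODES.get(avs_code.upper(), (None, None))
    reasons: list[str] = []
    if not cvv_match:
        reasons.append("issuer rejected the CVV2/CVC2/CID")
    if zip_ok is False:
        reasons.append("AVS: ZIP code does not match the card account")
    if reasons:
        return DECLINE, reasons
    if street_ok is None:  # unknown code, or the address check was unavailable
        return REVIEW, [f"AVS: no address result (code {avs_code!r})"]
    if not street_ok:
        return REVIEW, ["AVS: street address is not an exact match"]
    return CAPTURE, []
```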

Regardless of the payment gateway you use to process transactions with your Bottlenose eCommerce store (all of them have most AVS and CVV best practices built in), we offer tools in your administrative area to help the merchant make good decisions about suspect transactions. For example, on all orders the shipping and billing addresses can be opened and viewed in Google Maps right from the order page with a single click. For many merchants, this is a first step when investigating whether an AVS street-level match failure is legitimate. We will continue to build additional fraud detection tools and put them into our customers' hands as we identify and develop them.

Keep a log of past fraudulent transactions

Often, fraudulent activity is done at scale, meaning many perpetrators are involved and many attempts are made, often on the same eCommerce sites. Data such as billing and shipping addresses, as well as "client information" (most often an IP address), are frequently reused by rings attempting to place fraudulent orders on eCommerce sites. Therefore, it can be useful to keep a file of past fraudulent orders for use in preventing future attempts. Having this file, along with paying attention to a street-level AVS failure code, can often be the difference between shipping to a legitimate customer and declining a fraudulent transaction.

Beyond the Shipping and Billing addresses, Bottlenose also surfaces the "Client Info" to the merchant on every order placed. This allows you to quickly view the IP address of the user placing the order and compare it to known bad actors if you have kept a record.

Additionally, Bottlenose performs this at the server level for larger-scale fraud attempts, blocking the IP addresses of known hackers and fraudsters and keeping them from ever reaching your site in the first place.
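The log-and-compare step this section describes, as an added example that is not Bottlenose code. The order and log record shapes, the abbreviation table and the sample log entries are assumptions constructed for the example; the street-level AVS result is passed in from the gateway.

```python
from __future__ import annotations
import ipaddress
import re

# Added example, not Bottlenose code: screen a new order against a kept log of
# past fraudulent orders by IP address and by normalized billing and shipping
# address. Order/log dict shapes are assumed; the log entries are constructed.
ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "APARTMENT": "APT"}

def normalize_address(addr: str) -> str:
    """Uppercase, strip punctuation, shorten common words and drop the "APT"
    marker, so "88 Cellar Street, Apt #2" and "88 CELLAR ST #2" compare equal."""
    words = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    words = [ABBREV.get(w, w) for w in words]
    return " ".join(w for w in words if w != "APT")

FRAUD_LOG = [  # constructed sample entries recorded after chargebacks
    {"order": "A-1001", "ip": "203.0.113.7", "billing": "500 Vine Avenue, Napa",
     "shipping": "88 Cellar Street, Apt #2, Sonoma"},
    {"order": "A-1042", "ip": "198.51.100.23", "billing": "12 Oak St, Healdsburg",
     "shipping": "12 Oak St, Healdsburg"},
]

def fraud_matches(order: dict, log: list[dict] = FRAUD_LOG) -> list[str]:
    """Return one reason per field of the new order that matches a logged fraud."""
    hits: list[str] = []
    ip = ipaddress.ip_address(order["ip"].strip())
    new_addrs = {normalize_address(order["billing"]), normalize_address(order["shipping"])}
    for past in log:
        if ip == ipaddress.ip_address(past["ip"]):
            hits.append(f"IP {ip} seen on fraudulent order {past['order']}")
        for field in ("billing", "shipping"):
            if normalize_address(past[field]) in new_addrs:
                hits.append(f"{field} address matches fraudulent order {past['order']}")
    return hits

def risk(order: dict, avs_street_match: bool, log: list[dict] = FRAUD_LOG) -> str:
    """Combine the log with the street-level AVS result, as the article suggests:
    a log hit together with a street mismatch is the strongest signal to decline."""
    hits = fraud_matches(order, log)
    if hits and not avs_street_match:
        return "decline"
    if hits or not avs_street_match:
        return "review"
    return "ok"
```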
