For those of you who have an online business that sells products, I put this together for you.

My clients have been having more and more issues just within the last three to four months. Issues almost seemed to spike. Maybe they find a site and start targeting. It sucks.

Here are some general guidelines on what to look for, but you can read the full post I wrote on my site.

https://spidercreations.net/cu...it-card-fraud-scams/

The general scam we see almost always involves different billing and shipping addresses. First, you must ensure the AVS system is configured correctly.

When configuring your credit card address verification system (AVS), you have a few options. At a minimum, you must ensure ZIP code matching is on. It is strongly suggested you also turn on address verification, even though AVS is known to have issues verifying PO Boxes.

Along with setting up the AVS system to help, you can also monitor orders for these red flags.

• The email address for the order is not what you expect.
  
• The email address uses an unfamiliar top-level domain, such as .win, .xyz, .top, .tk, .sbs or something else suspicious.
  
• Calling the phone number provided in the order immediately rolls to a generic voicemail. Criminals use free services like Google Voice.
  
• The shipping address and billing address are far apart.
  
• The shipping and billing addresses are different, and the shipping method selected is an expedited service like FedEx Overnight.
  Multiple order attempts are made (the first transaction is declined), but the criminal tries again with a different stolen card using a different billing address and the same shipping address.
  Billing and shipping addresses that are the same address, city and state but have different ZIP codes. (Your eye will frequently miss the different ZIP codes.)
  
• If your AVS system can flag or put orders on hold if the ZIP code matches but the address does not match, we suggest you implement that feature to give you some time to review the order manually.
  
• You should never manually change a shipping address after an order is placed unless you have verified the order and done your due diligence to ensure its legitimacy.
  

Specific to the first item above, you may find “Ben Franklin” placed the order, but the email address is kathyRCfoose@gmail.com. The above should be considered red flags, and you should manually review the order before shipping it out. Watch for strange combinations of capital letters in email addresses.

If you are not checking at least ZIP codes, you will be the victim of fraud. In many recent cases, checking ZIP codes was not enough.

Criminals have contacted the online stores via chat or email support, politely requesting that a retailer change the shipping address. Again, do not change a shipping address until you have done your due diligence.

Great information and a nice reminder. Thanks

I just wrote a credit card processing system for the company I work for. You have given some excellent advice.

Very good advice on taking the zip code associated with the billing address. The entire address verification can be a bit tricky and cause false declines. An example would be Salt Lake City street addresses. 1st South and 1st East is equivalent to 100 South and 100 East. I did implement using an address normalization service that would turn the example address into 100 South and 100 East. That helped but the "normalization" got pricey pretty fast. We finally went to just checking the zip. A little nerve wracking at first but we have yet to be burned by that. YMMV.

We did hit a few problems with billing and shipping addresses being far apart. The problem would be shipping a gift to a grand child. Another example would be what my wife did shipping to our house in Kansas City when our billing address is in Salt Lake City. Management decided they wanted me to cancel the billing and shipping address being far apart checks.

We've never changed a shipping address but my app does allow it. I'm going to bring that up with management. I don't see any downside to implementing the no shipping address changes. Thanks for the tip!

One thing not mentioned that you might want to consider if you do a lot of business online. Our credit card processor is JP Morgan. They offer a service where your web page takes the CC info, uses a proprietary encryption algorithm (Java script provided by JPM), and then sends the encrypted CC number, expiration date, and CVV code to us. The only unencrypted info we have is the last 4 of the number. When we send the encrypted info in for processing JPM knows how to process it. We NEVER see the entire number, expiration date, and CVV code. If we get hacked either internally or externally we have no liability for the info being leaked. As with address verification it will cost more but the peace of mind may be worth it. FYI, JP Morgan is not the only processor that offers that service.

quote:

Originally posted by Bytes:
...

One thing not mentioned that you might want to consider if you do a lot of business online. Our credit card processor is JP Morgan. They offer a service where your web page takes the CC info, uses a proprietary encryption algorithm (Java script provided by JPM), and then sends the encrypted CC number, expiration date, and CVV code to us. The only unencrypted info we have is the last 4 of the number. When we send the encrypted info in for processing JPM knows how to process it. We NEVER see the entire number, expiration date, and CVV code. If we get hacked either internally or externally we have no liability for the info being leaked. As with address verification it will cost more but the peace of mind may be worth it. FYI, JP Morgan is not the only processor that offers that service.

Yup. My clients are all on WordPress/WooCommerce and use various processors—mostly Authorize.net or NMI for the gateways. The plugins tie into the gateway via account credentials or APIs. Almost nothing is stored in the WordPress app, and even when we log in directly to the gateways, we can only see the last four numbers, type of card (MC/V/AMEX) and the expiration date.

The data transfer is encrypted, but we can still do voids and returns as needed through the WooCommerce application.

This all is good since it makes PCI compliance a lot easier. "We know nothing..." So, we are protected regarding CC details if there is a hack.

quote:

We finally went to just checking the zip. A little nerve wracking at first but we have yet to be burned by that. YMMV.

On this issue, we did get burned a couple of times. It was all tied into the eBay Triangulation Scam I detailed in that article.

For those of you who buy on eBay - especially stuff like optics - please read the article linked above.

In short, if you order on eBay and get a product - that may or may not be the correct item - from some other online store, you may unknowingly be involved in a scam to steal from the online store you received the package from.

Interestingly, banks and credit card companies could stop 99 percent of this if they wanted to.

They just do not want to because it hurts their bottom line.