How To Reduce Credit Card Fraud for Ecommerce Merchants
Credit card fraud is the number 1 type of identity theft fraud, and we are facing some alarming statistics. In 2018 alone, $24.26 billion was lost due to this type of cybercrime, indicating an 18.4% increase from the previous year. And where do these fraudulent transactions take place? Mostly online. Some 81% of credit card fraud happens during “card not present” sales, so e-commerce and online shopping seem to be creating more opportunities for cybercriminals to perform evil acts. Fraudsters need only obtain a victim’s credit card number, thus evading detection.
Now, let’s talk about the billions of dollars lost due to credit card fraud. Who pays for this? In most cases, not the credit card holder. The federal laws of a majority of countries protect consumers from unauthorized credit card transactions. As a consequence, the terms of service of credit card companies conform to these laws. According to a study, credit card issuers incurred around $19 billion losses, while merchants incurred $8.64 billion, both due to credit card fraud.
Therefore, if you are a cybersecurity manager for an e-commerce company, your job is crucial. There is a need to beef up your company’s security to avoid losing a massive amount of money, and IP geolocation data could be beneficial. Here are five tactics that could help e-commerce merchants reduce credit card fraud.
5 Ways to Reduce Credit Card Fraud
An IP address can tell you several things about a user. The geolocation data gleaned from IP Geolocation API, for instance, shows you from what city, region, state, province, and country a website visitor originates. You would also know the person’s time zone and postal code. Compare and analyze all these details with other data, and you can check for inconsistencies and indications of malicious activities in the following manner:
1. Require Additional Measures for Users from High-Risk Countries
Catering to international customers is one way for e-commerce merchants to increase sales. While this is a legitimate goal, there is also a need to be wary of orders placed in countries with a high rate of credit card fraud occurrences. IP Geolocation API automatically detects a user’s location, so you can add more security measures when the user is from a high-risk country.
To illustrate, we ran the IP address 83[.]166[.]244[.]189 on the demo version of the API. The IP address is considered an indicator of compromise (IoC) associated with a credit card skimmer.
IP Geolocation API detected that the IP address is from Moscow, Russia. While there are of course tons of legitimate consumers in the country, merchants should also note that it is home to fraudsters that have already stolen approximately $20 million. As such, retailers need to take additional precautions, such as requesting more proof of identification or having the credit card company enforce multi-factor authentication.
2. Scrutinize Proxy Users
There are several legitimate uses of virtual private networks (VPNs) and proxy servers. VPNs, for one, were initially designed to allow remote connections so that people can work away from their offices. Recently, almost 30% of users use proxy servers to access the Internet. However, a good portion of these proxy users comprises bad actors trying to hide their tracks when committing online fraud.
As such, e-commerce merchants could better protect themselves and their customers by adding security measures when an order goes through a proxy server. There are even businesses that block proxy users altogether, such as Nordstrom. We were unable to access the Nordstrom online shop once we connected via a VPN.
3. Compare the User’s Billing Address with Their IP Address
Besides the use of proxy servers, there are two possible reasons why the billing address of a credit card holder differs from his/her IP address. First, the card user might be currently traveling and is just aiming to make a transaction online while away.
The second reason is credit card fraud. More specifically, the real credit card owner could be residing in the U.S., for example, hence the U.S. billing address. The fraudster, on the other hand, could be located in the opposite part of the world and so the IP address that IP Geolocation API would detect doesn’t coincide with his/her billing address on record.
In both cases, you can contact the issuing bank to request multi-factor authentication or ask the user for additional information directly so he/she can prove their identity.
4. Check the Validity of the User’s Email Address
Business-to-business (B2B) e-commerce companies can compare the email address’s domain with those returned by IP Geolocation API as a way to verify a user’s identity. For instance, the API returned three domains that resolve to the IP address (83[.]166[.]244[.]189) in our example above. Hypothetically, the email address that an enterprise is likely to use when ordering from a B2B merchant should contain any of these domains:
- autocapital[.]pw
- http[.]ps
- y5[.]ms
Any inconsistency should raise a red flag and prompt an investigation. Besides, threat actors tend to use disposable email addresses, which are obtainable for free. Merchants should, therefore, verify the validity and existence of the email addresses that customers use. By doing so, they reduce the risk of credit card fraud.
5. Check If the User’s Phone Number Matches His/Her Zip Code
Among the data that IP Geolocation API returns is the user’s zip code. To verify the customer’s identity, merchants can demand a phone number that matches the IP address’s zip code. By doing so, they create a safety net in case the credit card payment does not go through. The process could further help lessen credit card fraud, especially when fraudsters don’t have such details from the real owner.
Final Words
There are many ways for fraudsters to get hold of a victim’s credit card details. Phishing and injecting malware are just a couple of them. While credit cardholders have the responsibility to take care of their credentials, e-commerce merchants have more to lose and have to share the burden of a breach too. Remember that when a transaction is reported as fraud, merchants might end up not getting paid for items they have already shipped.
Security measures beyond the standard protocols should thus be adopted. Merchants should consider employing tools such as IP Geolocation API since geolocation data can help them reduce credit card fraud, as we explained in this post. Ultimately, the API can help merchants beef up their cybersecurity posture, protecting them not only from credit card fraud but also from other forms of cybercrime. Other than that, the API would also enable e-commerce merchants to implement geo-targeting, social media advertising, geo-based redirection, and geolocation marketing, among others.