Information on Merchant Accounts,
Ecommerce and Credit Card Processing

March 9th, 2006 by Jamie Estep

Enter your name exactly as it appears on your credit card… Why?

Filed in: Ecommerce, Merchant Accounts, My Favorite Posts |

Being in the credit card processing business for several years, there is one thing that has always bothered me. The lack of the ability to verify the name of a person placing an order over a website or over the phone.

Lets just make a scenario to show exactly what I am referring to. Lets take John, a married middle age business man with 2 teenage boys. One day John’s oldest boy James, decides to ‘borrow’ John’s credit card to place an order online without asking.

James goes online to an ecommerce website, finds the product he was looking for. James is shopping at a large internet retailer that uses the latest fraud detection and prevention technologies. When he goes to fill out the customer information, he puts his name and address in both the shipping and billing address fields, as he doesn’t want anyone to know that he ordered with his dad’s credit card. After everything is filled out, he presses the place order button. 3 days later he receives the package he ordered.

What exactly is the problem here?
James just placed a credit card order with someone else’s credit card in his own name. To make matters worse, he probably could have entered any address within the same zip code as the card holder’s billing address.

To test this system myself
I placed an order through several websites using my address but using my father’s card. In the billing field there is small text that states “Enter card holder’s name exactly as it appears on the card”. Needless to say, I entered my own name instead. We live in the same zip code, and just as I thought, every transaction processed perfectly, and the items were delivered to me at my home address. The card might as well have been mine, because the business obviously cant tell the difference. To further add to the problem, I added one of his cards to my paypal account. Paypal is a little better and I did have to enter his street address, as paypal uses the street address and the zip code to validate a credit card’s owner, but again, no name verification. On paypal, since my own credit card is attached to my billing address, I can still ship confirmed to my address using his card.

I made sure to shop only at websites that had the words, enter name exactly as it appears on your credit card.

Liability:
If John sees his statement and doesn’t recognize that $400 charge, he can request a chargeback from his bank. When the company that shipped the product shows his bank that the order was not placed by John, they lose the chargeback. It doesn’t even matter if the product was shipped to John’s house.

In a nutshell:

What is the point of having a field asking, ‘please enter your name exactly as it appears on your card’?

The complete lack of an electronic name verification is a gaping hole in credit card security. If there were name verification, I can see potential problems that could arise if someone enters their own name incorrectly. But, if every form I fill out asks me to enter the name exactly as it appears on the card, there shouldn’t be a problem. If I have the card in my hand, I can copy the name right off the card.

Additional programs like Verified by Visa and MasterCard secure code are great concepts which greatly reduce any chance of fraud, but are expensive and difficult to implement. Small to medium sized ecommerce websites are years away for having easy access to these tools.

AVS (Address Verification):
Address verification should be used on every transaction that is processed through a website or over the phone. Address verification can either check the zip code of the card holder, or can check the zip code and the street address of the card holder. While checking both the street address and zip code better ensures that actual street address of the card holder is being used. But, in using street and zip address verification, I have received a huge number of declines due to the street address field being very temperamental.

As long as the address verification data passes when a transaction is processed, it doesn’t matter who’s name appears on the card. The business could be shipping to Mickey Mouse, but as long as that address matches, everything is fine. Until banks come up with a universally electronic system to verify names, like AVS, the risk of this type of fraud will not go away. While it is not considered a major source of fraud, it is not something that should be overlooked, especially since the liability always falls in the hands of the businesses accepting credit cards.

Comments are closed.