Information on Merchant Accounts,
Ecommerce and Credit Card Processing

March 28th, 2006 by Jamie Estep

Gone Phishing – Protecting yourself and identifying phishing attempts.

Filed in: Fraud | 5 comments

PayPal and other financial institution phishing is a major concern for many individuals and businesses. I personally get several hundred phishing emails per day and a huge percentage of them are eBay and PayPal phishing attempts.

Phishing is a type of fraud where an email is sent to a person and the sender of the email poses as a major institution, trying to get the user to log into their website. What the person getting the email sees when they click on the link is a duplicate of the real website, made by the person sending the email. The duplicate website will have a form that the user inputs information into, normally a login box. Once the user enters their information and presses submit, the information is sent to the person who sent the email. The phisher has just obtained the login information from the person who was phished. They also now have full access to whatever website the user name and password are used at. They can empty your bank account, make fake eBay purchases, or anything else that the website allows them to do, and they are doing it as you…

Phishing is normally easy to spot, but recently I have been receiving better planned and implemented websites and phishing emails.

The sure proof guide to not getting phished.
First off, you need to know two things. First, reporting phishing attempts does absolutely nothing, so don’t waste your time. Phishing attempts and the websites that go with them are almost always hijacked, so reporting them will not lead authorities or anyone else to the responsible party. Second, there is nothing you can do to stop getting phishing emails, so don’t concern yourself with that one either.

1. Don’t Click
The most important thing to do, to not get phished, is to never click on a link in an email that asks, requests, begs, prays, or anything else in an attempt to get you to log in or even access a website. If you need to access the website, open a new browser window, type the website address in the new window, and log in to the website from there. Whether you think the email is a phishing attempt or not, this is just plain common sense to protect yourself. If you never click on a link to a phishing website, you will never be a victim of phishing fraud.

2. Delete any identified phishing emails
Identifying phishing emails can be difficult, but a few simple flags will tell a phishing email from a real email almost every time. One thing you should have is a computer-based email program. Online email services like Yahoo or Hotmail are terrible at helping a user to identify a phishing email. If you need an online email, I recommend using Gmail, which also allows POP3 access from your home computer. Use Microsoft Outlook or Outlook Express to view your Gmail emails. Using Outlook or Outlook Express will allow you to view extra information that is sent with each email. Whether you use an online program or Outlook, there are several flags that will make phishing emails stand out.

  1. Email sender is not who the message is from.
    • The email sender in the header or the from box is different from who the message appears to be from. This would be like getting an email from Chase Bank, but in the FROM: field, Reply-To: field or in the header itself the message is from someone9876@earthlink.com.
  2. The link that the page wants you to click on is a large, fake, or obscure address.
    • A phishing email will always try to get you to visit the fake website to enter your information. When you place your mouse over the link, look at the URL that appears. Another way to view the link in a web based email is to right click on the link and select ‘copy target’ or ‘copy link location’. Then paste the link in your web browser address bar and look at the link. If the email is real, the link will be directly to the website organization. If the email is fake, it will normally have a large obscure website address.
    • Good Link: http://www.paypal.com/us/
    • Bad Link: http://mabarrackfurniture.com.au/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run
  3. The email ends up in your spam box.
    • As simple as it seems, emails that end up getting hit by spam filters are filtered for a reason. While recently I have been seeing phishing emails routinely make it through the most strict spam filters, the majority of phishing emails will get caught in web-based and Outlook spam filters. If it goes in your spam folder, it did so for a reason, so be extra careful with that email.

3. Use a different email address if you run websites
This is targeted at webmasters and others who manage websites. If you have websites and you have customer service email addresses on them, never use those email addresses for PayPal, eBay, your bank, or any other personal, financial, or access-related purposes. Keep the email addresses on your websites completely independent of the ones you use for PayPal, eBay, etc. The reason is that spammers get huge lists of email addresses by scrubbing websites for email addresses. They send phishing emails to the email addresses that they collect. If the phishing emails you get are sent to the email addresses that your websites use, then you instantly know that they are fake.

4. If you click on a link, make sure you are where you should be
If you do click on a link in your email, make sure that the link sends you to the actual organization’s website and not a fake. Look at the address bar. Does it look right?
[Image: Phishing]
Notice how the link in the address bar is not PayPal, but the page looks just like the login page. This is a phishing page. Never enter your information if the address in the bar is different from the organization that you are trying to visit.

A good phishing example:
This example is one of the best phishing emails I have ever seen. It instantly made me want to click on the link. It passed every spam filter I have and if I did not know exactly what to look for in a phishing email, I could have been a victim of it.



March 24th, 2006 by Jamie Estep

MSN Money – 22 ways to foil credit card thieves…

Filed in: Industry News |

You probably won’t end up paying the bill, but a stolen credit card can still cost you big in time and aggravation. Here’s how to protect yourself online and off.

In some ways, credit card fraud isn’t the problem it’s often made out to be.

Visa says fraud accounts for about 7 cents of every $100 spent on its credit cards, an all-time low and about half the rate of 10 years ago. Add to that the fact that the major credit card companies have “zero liability” policies, which means the vast majority of consumers who are victims don’t wind up paying a dime out of their own pockets.

This is a great article targeted at consumers about how to protect themselves from credit card fraud, and how credit card fraud affects them.

http://moneycentral.msn.com/content/Banking/creditcardsmarts/P87328.asp


March 21st, 2006 by Jamie Estep

AbyV.org – Conversion Rate, Usability, and Marketing Blog

Filed in: Industry News |

I just started a new blog today, after making yesterday’s post. The blog is going to be geared toward web usability, increasing customer conversion on and offline and anything else related to making a business sell better.

Hopefully it can become a great resource for business owners.

AbyV.org – Conversion Marketing Blog


March 20th, 2006 by Jamie Estep

Online Stores – Shopping Cart Abandonment – Don’t do this…

Filed in: Ecommerce, Guides |

I was online today purchasing some network hardware for the company, and after visiting about 20 different sites, all with similar prices, it was only one site that ended up getting my business.

It made me wonder why, of all the websites that I visited, and all the shopping carts I added products to, did I choose the one that I did. I then remembered reading a shopping cart abandonment article a few weeks ago, and I put my experience and the article together. I normally don’t write about this specific topic even though it is one of my strongest areas, but so many sites are making the same simple mistakes.

Why I abandoned so many shopping carts:

  1. Required Customer Registration.
  2. Not listing accepted payment methods.
  3. Not listing shipping prices early enough.

You can read articles all you want about shopping cart abandonment and user conversion, and while there are probably hundreds of reasons why a customer might abandon a shopping cart, there are three above all others that will kill your customer base. These three are coincidentally the same three that caused me to leave so many websites.

1. Required Registration: The number one shopping cart killer in my research and personal opinion is requiring customers to register before they can place an order. Customer registration can be a very useful tool, and can greatly improve future experience with customer support and tracking, but don’t require it. Not everyone wants to register with your website. If every website I place an order with required me to register, I would have several hundred memberships each year across the internet. If you require registration, you just lose me, as well as a huge amount of other potential customers from ever ordering from your site.

Offer registration as an option, and give users the specific benefits of registering, but also allow an easy way to place an order without doing it.

2. Not showing what methods of payment you accept: While not quite as annoying, this one comes in at a close second to required registration. When I get to an ecommerce site, especially one that has lots of products that can be found at several thousand similar websites across the internet, I need to know how I can pay. I should know long before I think about checking out, how I am able to pay for the merchandise that I want. What if I want to use the company Amex card, or I need to use PayPal today? Let me know how I can pay. If I can’t find it at the very latest by the shopping cart page, you can probably consider my business lost. I shouldn’t have to search for this; it should be in a very conspicuous place on every single page of the website. The footer and sidebar make excellent places to put a website’s accepted payment methods.

To compound problems, if you only show your accepted payment methods after a visitor is forced to register, you can probably assume that you are losing 50% or more of the people who otherwise would have made a purchase from you.

3. Not showing shipping prices early on: Shipping prices allow a bit more leniency because you can’t normally give a shipping price until a visitor’s order is summed up, but show the shipping prices as soon as they can possibly be generated. Don’t wait until the payment form. Show them on the shopping cart page if possible. Or, if you have fixed shipping prices, give customers an idea of how much their order will cost to ship.

It doesn’t get any more frustrating than going through a checkout process, to later find that my bicycle handlebar grips which cost $10 are going to cost $35 to ship FedEx ground.

You are not amazon.com:
Unless you sell something that is absolutely unique that everyone wants, or your prices are so low that your visitors are willing to jump through hoops to buy from you, don’t do any of these on your website. Make it as convenient and easy as possible for your visitors to make a purchase from you, and your visitors will reward you for it. Use common sense when designing a website and shopping cart. If something doesn’t have a useful purpose or is confusing, get rid of it. There are hundreds if not thousands of things that can help or hurt a website’s customer conversion rate, but these three will make a marked difference in almost every website’s efficiency.


March 17th, 2006 by Jamie Estep

Visa Warns of Cash-Register Flaw – Consumer Data Privacy Concerns

Filed in: Industry News |

Visa has put out a warning to consumers and businesses about POS system flaws that can jeopardize credit and debit card holders’ security. These POS systems are used by many of America’s largest retail chains.

Visa USA Inc. is warning that two versions of popular software installed at cash registers could be used to steal information from credit and debit cards.

The software, which is used by retailers to help ring up transactions, can be used — sometimes inadvertently — in a way that allows the cash register to store customer data, such as personal-identification numbers used in debit-card transactions. Under card-industry guidelines, retailers aren’t supposed to store that information because it can fall into criminal hands if a computer system is hacked or an unauthorized person gains access to it…

The software company ‘Fujitsu Transaction Solutions Inc.’ denies that its software is being used to steal customer data. Visa has not specified whether the data is being recorded as result of a glitch or from malicious intent.

These reports come several weeks after reports that large amounts of debit card fraud have been traced to OfficeMax stores around the US.

This story can be found at the Wall Street Journal Online: http://online.wsj.com/ but is available by subscription only.


March 15th, 2006 by Jamie Estep

TMF’d – What to do if you are placed on the terminated merchant ‘match’ file…

Filed in: Ecommerce, Guides, Merchant Accounts, My Favorite Posts | 19 comments

I wish I could say that every business that is placed on a terminated merchants file deserves it. Unfortunately I would be absolutely lying to say so.

The Terminated Merchants File (TMF) or match file is basically a list of merchants that have had their merchant accounts closed down by their processing bank on negative terms. This list, which resembles McCarthy’s black list during the cold war, is a stop-all flag that credit card processing companies in America abide by. If you are placed on the match file, you, any partner of your business, your business itself, and possibly anyone at your address can not sign up for a merchant account with a US based processing bank. Processing companies take the match file very seriously.

How to get on the list:
When a merchant ends their contract with a merchant provider in a negative way, their name can be placed on this list. Unfortunately, not all businesses placed on the list even know they are on it until they try to get set up processing credit cards with another company. The rules to place a merchant on the list are fairly limited, but seem often abused.

The easiest way to get on the list is to close your contract with a merchant provider and not pay your final bill. Failing to fulfill your contract is almost a guarantee that you will get put on the match file. Your final bill includes any processing costs that you owe, but also includes any monthly, yearly, or termination fees that were specified on your merchant contract. You are also liable for 6 months past the settlement date of the final transaction that was processed on your merchant account. The settlement date is defined as the date that the service or merchandise was fully delivered to and accepted by the customer. Basically, if you sold someone a 1 year magazine subscription, you are liable 6 months after they get their last issue.

Merchants are normally placed on the TMF file for failing to pay their final bill, but can also be placed on it for reasons that can be out of their control. High chargeback ratios, processing fraudulent transactions and breaking a merchant account contract are other common reasons for being placed on the TMF. Running your own credit card through your own merchant account can also get your account closed and TMF’d.

What to do to get off the file:
The only company in the world that can get you off the TMF is the company that put you on it. It does not matter who you talk to, what they promise, who they are, or anything else; it always comes down to the company that put you on it. Businesses normally learn that they are on the TMF when they try to open a merchant account with another company.

The company that puts a merchant on the TMF is the processor that is taking on the risk of allowing the business to process with them. These are often the back end companies that you may have never had any personal contact with. FDMS, Nova, Global, and others are back-end processors. Merchant Service Providers and resellers are not normally the companies that can put a merchant on the TMF, unless they are taking on the risk of your credit card processing, so calling them may have no effect, but regardless, the company you signed up your merchant account with is who you should contact first.

After you find that you are placed on the TMF, assuming that you don’t know why you’re on the list, you should first call your former merchant account provider. You are going to be inevitably led on a wild goose chase of phone tag with different departments in the company. Hopefully you can reach someone who can give you answers within a person or two. You may finally be referred to the processing bank itself, but in either case, after some diligent calling you should be able to track down someone who can inform you of your situation. The most important thing to remember right now is to remain calm and courteous to every person you talk to, no matter how upset or angry you may be. Yelling and acting aggressively toward people at this stage is only going to create problems. It is understandable that you are frustrated with the situation, but most of the people you talk to do not have the ability to directly change things. Once you reach someone that can explain your situation to you, possibly in the risk department, they should be able to tell you why you are on the match file and what you need to do to get off the file. At this point make sure you get a more direct phone number for someone that you can correspond with about the situation.

Depending on why you are on the TMF, it can be easy to impossible to get off the TMF. If you are on it for committing fraud yourself through your own merchant account, don’t count on ever getting off. Processors do not like fraud in any way, and if you as a business owner were the cause of it, they will not ever want to provide services to you again.

If a business was placed on the match file for a high chargeback ratio, time is normally the only thing that will get the business off. The processor needs to know that they aren’t going to get stuck with any unanswered bills from the merchant’s former customers’ chargebacks.

If you didn’t pay your final bill, it may just be a matter of making good on your debt with your former processor. I have seen this as low as a few dollars, and the merchant was removed about a week after they made payment.

Unfortunately the majority of the time it is not that simple to get off the match file. It normally takes several weeks to get off the match file. Sometimes it takes negotiations to get charges cleared up, or fees removed. At this point every case is unique. If after a few weeks you are not making any headway, you may need to consult a lawyer. Processors normally use a system called arbitration to avoid taking individual cases to court. It is cheaper than going to a court, and the results are often better for both parties.

It is a good idea to have a clear understanding of the rules of Visa and MasterCard. Knowing about the match file, and the general regulations of Visa and MasterCard, can help a lot when trying to get off of it.

If you need legal assistance in getting off the match file, you will unquestionably need a lawyer that has experience in bankcard law. Here are a few resources to help you if you find yourself in that situation. I do not personally have experience with these companies but several have been recommended to me and these seem reputable. Use your own judgement before choosing an attorney.
http://www.merchantcreditcardlaw.com/
http://www.riandalaw.com/
http://www.adamatlas.com/

How to stay off the match file:
Signing up with the wrong processor greatly increases a business’s chance of being put on a match file, especially for incidental reasons. I personally recommend signing up for a merchant account with FDMS or Nova as the back end processor, as businesses with these companies are much less likely to experience problems with the match file. In any case, make sure the provisions of the merchant account application, particularly the contract period and any associated termination fees, are well understood before signing.



March 14th, 2006 by Jamie Estep

Online Credit Card Fraud Detection Systems

Filed in: Ecommerce, Merchant Accounts, My Favorite Posts | 3 comments

Credit card fraud is a menacing problem for everyone. It helps to drive businesses’ prices up and drives up the price to process credit cards.

Companies have responded to businesses’ needs and have created fraud detection and prevention systems. These systems, used in conjunction with a payment gateway, help businesses recognize and prevent fraud on their websites. Visa and MasterCard have also created their own prevention systems that enable card holders to create a secret password, similar to a PIN number. The Visa and MasterCard systems, called Verified by Visa and MasterCard SecureCode, are integrated into a website to provide a secondary checkout option for cardholders who are signed up for these systems.

How fraud detection works:
There are two types of fraud detection systems. The first is tied into a merchant’s payment gateway and works in real time to prevent and detect fraud. The second is a 3rd party application where card numbers can be entered and the system generates a score based on a number of fraud qualifying factors.

Real-Time Fraud Prevention:
Fraud detection systems monitor credit card transactions that are processed through a business’s payment gateway, and look for certain signs that would indicate fraud. These systems check for anything from numerous transactions being entered from a single IP address, to advanced card number algorithm abnormalities. Real-time systems can be set up to either flag a transaction for later review or automatically decline a transaction.

3rd Party Systems:
3rd party systems are normally not tied directly into a merchant’s payment gateway, but can still be very effective in detecting fraud. 3rd party systems normally check for IP address and domain occurrences, bank information, area code and zip code occurrences, shipping and billing address occurrences, proxy web browsing, and many others. The system will generate a fraud score based on all of the information provided with each transaction. The higher the fraud score, the more likely the transaction is to be fraudulent. Merchants can batch process all of their transactions before they are shipped, and then determine whether to ship certain items based on the fraud score.
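
To make the scoring idea concrete, here is an added example (not code from any of the products named in this post) that scores a batch of orders on the signals described above and maps each score to approve, review or decline. The weights, thresholds, field names and sample orders are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative weights and cut-offs (assumptions, not any vendor's values).
WEIGHTS = {
    "ip_velocity": 40,         # numerous transactions from a single IP address
    "avs_mismatch": 30,        # billing address did not verify
    "proxy": 20,               # order placed through a proxy
    "ship_bill_mismatch": 15,  # shipping ZIP differs from billing ZIP
    "no_cvv": 15,              # card security code not supplied
    "high_amount": 10,         # high dollar item
}
REVIEW_AT, DECLINE_AT = 30, 70
HIGH_AMOUNT = 500.00


@dataclass
class Order:
    order_id: str
    when: datetime
    ip: str
    amount: float
    billing_zip: str
    shipping_zip: str
    avs_match: bool
    cvv_present: bool
    via_proxy: bool


def score_batch(orders, window=timedelta(minutes=10), ip_limit=3):
    """Return {order_id: (score, reasons, action)} for a batch of orders."""
    recent = defaultdict(deque)  # ip -> timestamps inside the sliding window
    results = {}
    for o in sorted(orders, key=lambda o: o.when):
        seen = recent[o.ip]
        seen.append(o.when)
        while seen[0] < o.when - window:  # forget attempts older than the window
            seen.popleft()

        reasons = []
        if len(seen) > ip_limit:
            reasons.append("ip_velocity")
        if not o.avs_match:
            reasons.append("avs_mismatch")
        if o.via_proxy:
            reasons.append("proxy")
        if o.billing_zip != o.shipping_zip:
            reasons.append("ship_bill_mismatch")
        if not o.cvv_present:
            reasons.append("no_cvv")
        if o.amount >= HIGH_AMOUNT:
            reasons.append("high_amount")

        score = sum(WEIGHTS[r] for r in reasons)
        if score >= DECLINE_AT:
            action = "decline"
        elif score >= REVIEW_AT:
            action = "review"   # flag for a human to look at before shipping
        else:
            action = "approve"
        results[o.order_id] = (score, reasons, action)
    return results


def _t(minute):
    return datetime(2006, 3, 14, 12, 0) + timedelta(minutes=minute)


# Constructed sample batch; the IP addresses are from documentation ranges.
SAMPLE_ORDERS = [
    Order("A1", _t(0), "203.0.113.7", 20.0, "30301", "30301", True, True, False),
    Order("A2", _t(1), "203.0.113.7", 25.0, "30301", "30301", True, True, False),
    Order("A3", _t(2), "203.0.113.7", 30.0, "30301", "30301", True, True, False),
    Order("A4", _t(3), "203.0.113.7", 35.0, "30301", "30301", True, True, False),
    Order("B1", _t(5), "198.51.100.9", 900.0, "30301", "98101", False, False, True),
    Order("C1", _t(30), "203.0.113.7", 20.0, "30301", "30301", True, True, False),
]

if __name__ == "__main__":
    for order_id, (score, reasons, action) in score_batch(SAMPLE_ORDERS).items():
        print(order_id, score, action, ",".join(reasons) or "-")
```

The fourth order from one IP address within ten minutes is held for review, while the same IP address ordering again half an hour later is approved because the earlier attempts have aged out of the window.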

Who needs a fraud prevention system?
Fraud prevention is not needed for every business. For many, it would be simply a waste of money. Businesses that have a history of being targeted with credit card fraud should look into a fraud prevention system. Businesses that sell high dollar items online should also look into fraud prevention, as the loss of a single item can be very significant. All businesses should review their current practices to ensure that they are doing everything they can, including requiring AVS and CVV for the transactions, before they look into a fraud prevention system.

What does fraud prevention cost?
Fraud prevention systems vary in cost. Some charge on a per transaction basis, some charge per month, and some charge a flat rate for a certain number of transactions. Rates vary anywhere from about $.005 per transaction to several hundred or thousand dollars per month. The cost is determined by the volume of transactions checked each month, the type of prevention system (3rd party or real-time), and the complexity of the system.

Where can I get a fraud prevention system?
Most payment gateways now offer real time fraud prevention systems. If you are using authorize.net, Verisign, or Network Merchants, you have the option of using their integrated real-time prevention and detection systems.

Authorize.net – Fraud Detection Suite
Verisign – Fraud Protection Services
Network Merchants – iSpyFraud Protection

For businesses looking for 3rd party fraud prevention and detection systems, there are a variety of 3rd party systems for this purpose. Search on the internet for fraud prevention or fraud detection systems. Here is a list of a few of the services that are available.

Fractals – http://www.alaric-systems.co.uk/fractals.htm
MaxMind – http://www.maxmind.com/
ClearCommerce – http://www.clearcommerce.com/

Overview:
Fraud detection or prevention systems are by no means a perfect solution for preventing fraud, but they can help to reduce the amount of fraud that is processed through a website. With human review and fraud detection, it is still not possible to completely eliminate fraud for many businesses.



March 10th, 2006 by Jamie Estep

The costs of not using AVS (Address Verification System)!

Filed in: Ecommerce, Merchant Accounts | 5 comments

AVS, short for ‘Address Verification System’ is a simple verification tool businesses use, that verifies the billing address of the credit card. AVS can verify the billing ZIP code and / or the street address of the card. AVS currently is only available for cardholders in the US.

When a business keys a credit card into their terminal vs. swiping it, their terminal prompts them for an address or zip code, and this is the AVS system. When a merchant uses an online payment gateway to key in transactions, the gateway processes with the AVS system as long as an address and ZIP code are entered along with the transaction information.

AVS costs a little extra:
Normally AVS has an additional fee with it when a transaction is processed using the AVS system. This fee is normally $.05 – $.07 per each AVS transaction, and is charged in addition to the standard transaction fee for processing the credit card.

Many business owners see this additional fee, and not knowing the effects of not using it, decide to not use it so that they can save this additional 5 cents. What they don’t know and may never realize is that if AVS is not used on a keyed transaction, that transaction will downgrade to non-qualified. A non-qualified transaction is the lowest qualification level for a transaction, and has a much higher processing rate than with a qualified or mid-qualified transaction. Retail businesses will automatically downgrade to mid-qualified when keying in transactions, but will also downgrade to non-qualified when AVS is not used.

How much does it cost?
Depending on your merchant contract, a non-qualified transaction can cost as much as 2% and $.50 or more extra per transaction. What this can mean is that if you have a keyed merchant account setup at 2.3% with a transaction fee of $.25 per transaction, the downgrade to non-qualified can increase this to 4.3% and a $.75 transaction fee. Your costs to process the transaction nearly doubled, because of the desire to save a nickel. Not all merchant account downgrade fees are this bad, but they all are significantly more than the $.05 for keying in a transaction.

Use AVS!
For keyed merchants, AVS is required and should be used on every transaction. In addition to your transactions being more expensive by not using AVS, AVS is a very good fraud prevention system. For retail merchants, enter your customer’s billing ZIP code when you have to key in that occasional transaction.

The $.05 is much cheaper than the additional processing fee you will pay for downgrading to non-qualified.


March 9th, 2006 by Jamie Estep

Enter your name exactly as it appears on your credit card… Why?

Filed in: Ecommerce, Merchant Accounts, My Favorite Posts |

Being in the credit card processing business for several years, there is one thing that has always bothered me: the lack of the ability to verify the name of a person placing an order over a website or over the phone.

Let’s just make a scenario to show exactly what I am referring to. Let’s take John, a married middle-aged business man with 2 teenage boys. One day John’s oldest boy James decides to ‘borrow’ John’s credit card to place an order online without asking.

James goes online to an ecommerce website, finds the product he was looking for. James is shopping at a large internet retailer that uses the latest fraud detection and prevention technologies. When he goes to fill out the customer information, he puts his name and address in both the shipping and billing address fields, as he doesn’t want anyone to know that he ordered with his dad’s credit card. After everything is filled out, he presses the place order button. 3 days later he receives the package he ordered.

What exactly is the problem here?
James just placed a credit card order with someone else’s credit card in his own name. To make matters worse, he probably could have entered any address within the same zip code as the card holder’s billing address.

To test this system myself
I placed an order through several websites using my address but using my father’s card. In the billing field there is small text that states “Enter card holder’s name exactly as it appears on the card”. Needless to say, I entered my own name instead. We live in the same zip code, and just as I thought, every transaction processed perfectly, and the items were delivered to me at my home address. The card might as well have been mine, because the business obviously can’t tell the difference. To further add to the problem, I added one of his cards to my PayPal account. PayPal is a little better and I did have to enter his street address, as PayPal uses the street address and the zip code to validate a credit card’s owner, but again, no name verification. On PayPal, since my own credit card is attached to my billing address, I can still ship confirmed to my address using his card.

I made sure to shop only at websites that had the words, enter name exactly as it appears on your credit card.

Liability:
If John sees his statement and doesn’t recognize that $400 charge, he can request a chargeback from his bank. When the company that shipped the product shows his bank that the order was not placed by John, they lose the chargeback. It doesn’t even matter if the product was shipped to John’s house.

In a nutshell:

What is the point of having a field asking, ‘please enter your name exactly as it appears on your card’?

The complete lack of an electronic name verification is a gaping hole in credit card security. If there were name verification, I can see potential problems that could arise if someone enters their own name incorrectly. But, if every form I fill out asks me to enter the name exactly as it appears on the card, there shouldn’t be a problem. If I have the card in my hand, I can copy the name right off the card.

Additional programs like Verified by Visa and MasterCard SecureCode are great concepts which greatly reduce any chance of fraud, but are expensive and difficult to implement. Small to medium sized ecommerce websites are years away from having easy access to these tools.

AVS (Address Verification):
Address verification should be used on every transaction that is processed through a website or over the phone. Address verification can either check the zip code of the card holder, or can check the zip code and the street address of the card holder. Checking both the street address and zip code better ensures that the actual street address of the card holder is being used. But, in using street and zip address verification, I have received a huge number of declines due to the street address field being very temperamental.

As long as the address verification data passes when a transaction is processed, it doesn’t matter whose name appears on the card. The business could be shipping to Mickey Mouse, but as long as that address matches, everything is fine. Until banks come up with a universal electronic system to verify names, like AVS, the risk of this type of fraud will not go away. While it is not considered a major source of fraud, it is not something that should be overlooked, especially since the liability always falls in the hands of the businesses accepting credit cards.


March 8th, 2006 by Jamie Estep

Debit card thieves get around PIN obstacle…

Filed in: Industry News |

With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.

http://www.msnbc.msn.com/id/11731365/