For years, I’ve been a supporter of the Address Verification Service (AVS), especially when it comes to e-commerce. I’ve seen it protect merchants from thousands of dollars in loses. As a former e-commerce business owner myself (co-owner of 2BigFeet.com), I used it to identify and prevent countless fraudulent orders that would have otherwise resulted in chargebacks. But too often, I hear stories from business owners about a time when AVS flagged an order from a “good customer.” As a result, some merchants have lost faith in the system and have abandoned it altogether. Just because of one or two bad experiences, these merchants willingly risk accepting bogus orders (and certain chargebacks) rather than risk angering good customers with false positives.

Most e-commerce businesses use AVS to reject fraudulent orders before they ever reach your fulfillment department, so you typically won’t know how many were blocked. And, since criminals don’t usually call and complain about their rejected orders, the false positives receive a disproportionate amount of attention. That being said, I’ll agree that AVS is not perfect. But many of the problems that legitimate customers experience are the fault of card issuing banks, not the AVS system itself. If you’ll follow the steps outlined in this post, you can reduce your false positives to a manageable number and benefit from the added security AVS offers.

1. If your customer’s order is rejected, she’s already going to be disappointed. First, and foremost, don’t allow your shopping cart to make the situation worse! The goal here is to have the affected customer call your customer service number immediately. Some carts use default messages that were obviously written by cold-hearted programmers, not warm-hearted customer service professionals. If you don’t know what message your rejected customers are seeing, put yourself in their shoes. Place a test order using a bad address. If the resulting message could make customers feel at fault or ignorant, change it. Avoid words like “mistake.” (Men, if you’re not the warm, fuzzy type, get a woman to help you.) Make sure your customers believe you really want to help fix this minor issue, or they’ll leave without giving you the chance.
2. Often, the customer will have already called the card issuing bank prior to calling you. If the bank told the customer the charge was approved (indirectly placing the blame on you), the customer may already be irritated when you answer the phone. You should understand, and be prepared to explain, that all orders must be approved by both the card issuing bank and the payment gateway. Since the bank only verifies the customer’s available credit, it will approve most orders. But your gateway checks addresses using the AVS system. And if the gateway is not satisfied with the AVS results, it will deny the order (even if the bank has already approved it.)
3. When the customer calls, apologize for the inconvenience. Explain that the problem could be the result of a bank error. Assure her that you’ll do everything possible to get the order approved. Finally, ask the customer if she has changed addresses within the past five years. Although this may sound like a strange question, it is very important. If the customer ever received her credit card statements at another address, regardless of how long it’s been, ask for that address. Beg for it, if necessary, even if she assures you that she’s shopped elsewhere using her new billing address. (Due to different merchants, different payment gateways, and different AVS thresholds, your business could refuse an order that another business might have approved.)
4. Try the order again, using the old billing address in place of the newer address. For reasons I don’t completely understand, inserting the old address corrects the problem about 75% of the time. It’s my theory that some banks’ computers use one set of address fields for mailing monthly statements and another set of fields for AVS. I suppose that when customers move and notify their card issuing banks, the banks may update the fields used for statements and forget to update the AVS fields. I haven’t been able to confirm this, but it makes sense. Using this approach, I’ve seen orders approved using addresses that were 5 years out-of-date!
5. If this doesn’t work, you should apologize and ask the customer to try another credit card. If the customer doesn’t have another card, you’ll have to choose to either a) disable AVS long enough to force the order through, or b) turn the customer away. In my seven years of e-commerce management, during which we approved tens of thousands of orders, I could count on one hand the number of times I had to make this choice.

Hopefully, this procedure will help you get more out of the Address Verification System. Keep in mind, though, that AVS does have other limitations. AVS usually will not verify customers with billing addresses outside the U.S. And if your customer is using a card issuing bank located outside the U.S., AVS may experience problems there, as well. Otherwise, you should be able to count on the AVS system to work nearly 100% of the time.

I’m happy to provide this information free of charge. If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts. You can also follow me on Twitter, where I regularly post short tips. I promise to never spam you or pressure you. Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

If you use a credit card terminal, and you’ve had it reprogrammed in the past year or two, you may have noticed some new steps were added to the checkout process. In these steps, the terminal may prompt you to enter additional information about the card or transaction. Unless you understand the purpose of these steps, you may see them as a waste of time and even be tempted to skip over them altogether. But doing so would be a mistake! In this post, I’ll explain the four most commonly used security features found on credit card terminals.  I’ll tell you what information your terminal is requesting and how it benefits you to supply that information.

1. Zip Code and/or Street Number – This information is usually requested when you hand-key a transaction received by phone, mail, or online. When you enter the card number and submit the authorization request, the address information, along with the dollar amount, is sent to your customer’s card issuing bank for approval. Banks that participate in the Address Verification Service (AVS) will compare this information to their customer files to ensure you have spoken with the actual cardholder. (The theory is that bad guys shopping with stolen credit card numbers won’t have access to the address and zip code.) Skipping this step adds unnecessary risk, and will probably result in the transaction being downgraded. In other words, the acquiring bank (represented by your credit card processor) will charge you a higher rate because you made the transaction riskier than it would have been otherwise.
2. Enter the Last 4 Digits of Card Number – You may have seen this security feature and thought it was a waste of time if no one explained the importance of it. Stolen credit card numbers cause problems for banks and merchants alike, but the problem used to be limited to stores that accepted orders by phone, mail, or online. But now, bad guys can buy equipment allowing them to erase and re-record magnetic strips. This means they can steal authentic credit cards, erase them, and reload the cards with data stolen from other people. These respectable looking cards can then be sold on the streets and used in any retail store. To defend against these cards, merchants are prompted to enter the last 4 digits embossed on the card. If the card has been reloaded, those numbers won’t match the numbers on the magnetic strip. The charge will be denied, saving you from a costly chargeback.
3. Order Number or Market Data – Depending on how your account was set up, your terminal may request an order number when you enter hand-keyed transactions. If you’re prompted for this information, don’t skip it. Doing so may result in the transaction being downgraded. If you prefer, you may be able to speed up this process by entering a single digit (i.e., 1) for every order. Check with your credit card processor to be sure.
4. CVV or Security Code – The security code or Card Verification Value (CVV) is the most recent addition to terminal security. E-commerce merchants started requesting this information within the past 5 years, and more recently, it has spread to retail terminals. It is only requested in cases where the card is not present, such as mail orders, phone orders, or Internet orders. The CVV is a 3-digit number printed on the right end of signature strips on Visa, MasterCard, and Discover cards. American Express uses a four digit number printed on the front. The theory is that a bad guy shopping with a stolen card number will not have access to the CVV, since these numbers can’t be printed on receipts, monthly statements, etc. Requiring your customer to have the physical credit card in-hand to place an order with your store reduces your risk of fraud and helps protect you against costly chargebacks.

As time passes, credit card processors and card issuing banks will continue to introduce new features to combat fraud. Their goal is to protect everyone involved in processing credit cards, including you, the business owner. Using these features protects your business and lowers your overall costs. If your current processor isn’t doing enough to protect your business, please give me a call. I’d be happy to talk to you.

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

With the abundance of stolen credit card data, it had to happen sooner or later… The thugs who purchase these numbers grew tired of only being able to use them online. They perfected a trick that allows them to use stolen CC numbers in respectable brick-and-mortar retail businesses. They only needed a source for stolen plastic credit cards and a magnetic strip writer. Now, they “reprogram” stolen cards by loading stolen CC data onto the magnetic strips on back, and Voila!, authentic-looking credit cards with no monthly payments required!

Now, many credit card processors program terminals to identify these cards before the bad guys can leave with your stuff. It’s simply a matter of comparing the account numbers on the front of the card to the information read from the magnetic strip on back. For every transaction, your terminal should prompt you to enter the last 4 digits from the face of the credit card. The terminal then compares that to the numbers it scanned from the back. If there’s no match, there’s trouble!

Like most security features, this requires merchants to spend a few seconds keying in information. When this feature first appeared, some of my merchants resisted because they “knew most of their customers” or because their businesses “don’t attract that kind of customer.” Several times, at the merchant’s request, I even disabled that feature. But since then, I’ve suggested that all merchants leave the extra layer of protection in place. In short, you don’t have to own a pool hall or a tattoo parlor to be subject to stolen cards. And if you can protect yourself by entering four numbers, I say “Just do it!”

If your CC processor uses this feature to help protect your business, you can breathe a little easier. Make sure your employees understand why it’s important. But if your processor doesn’t think this protection is necessary for your business, or if your terminal doesn’t offer this feature, please call me. I’ll be happy to examine your current practices and make suggestions how you can better safeguard your business.

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

A few years ago, my business partner and I learned a hard lesson about how crooks operate and what they’ll do to validate stolen credit card numbers. I was a co-owner of www.2BigFeet.com, an e-commerce business specializing in extreme size men’s shoes. Like most e-commerce businesses, we used a payment gateway to gather authorizations. And like most, we notified our customers within a few seconds whether or not their order was approved. At the time, we were using AVS to validate addresses, and we were careful to never ship suspicious orders without contacting the customer first. In short, we were doing everything right.

The problem occurred during our busiest time of the year. Our website, shopping cart, and gateway were set to automatically pre-authorize credit cards before we ever saw the orders. That kept us from having to deal with declined credit cards. One morning, we received a handful of orders for inexpensive items like socks. The orders came from Nigeria and were identical for the most part. AVS had flagged the orders, so when the “customer” didn’t reply to my emails, I suspected the orders were bogus and set them aside. We made a change in our gateway settings to automatically reject all future orders from Nigeria, and we continued going about our business. Over the next few days, hundreds more of these bogus orders were attempted. All were rejected, and all were ignored.

A couple of weeks later, our banker called to see what was wrong. Our checking account was in the negative! After asking the banker some questions, we realized none of our deposits (from our legitimate busy-season sales) had reached the bank since the first orders from Nigeria had arrived. After doing some research, we learned that credit card thieves will select websites that pre-authorize cards, and then use those websites as a tool to validate their stolen card numbers before selling them. (They didn’t want our socks, just our “service.”) To make a long and painful story short, our processor, Total Merchant Services, had noticed the flood of attempts being made against our website and had put a hold on all our deposits. Those deposits were from legitimate orders received during our busiest season of the year. TMS had 2 weeks’ worth of our sales, and they wouldn’t release it for six months!

In hindsight, we couldn’t have prevented the credit card thieves from placing orders on our website. But we could have (and should have) removed their incentive by turning off the pre-authorization feature when we first noticed the pattern. That would have inconvenienced us for a day or two, but it might have prevented our processor from taking action.

Here’s one more thing you should do if you ever experience this situation, or anything similar.Call your credit card processor and tell them about it. Processors have forgotten more about credit card fraud than you will ever know. You pay for their services, so don’t hesitate to call on them. And lastly, if your processor doesn’t bend over backwards to help you, find another processor.  I’d be happy to help you locate one!

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

One of my larger e-commerce clients called the other day. This merchant has been with me for about a year. The owner originally signed with me not because of the savings (and yes, there were savings), but because of the experience I had as a prior Internet business owner. Because this merchant sells high-value items, she enlisted my help with fraud prevention, and over the past year, we implemented a series of safeguards to cut down on fraudulent orders and the resulting chargebacks.

When I answered the call, it wasn’t the business owner on the phone. It was one of her newer employees. The young man (a CSR) had spent the better part of the day trying to complete a $4,000 order for a customer. Authorize.net had rejected the customer’s card numerous times, despite the card issuing bank’s insistence that it had authorized every transaction. The CSR was confused and wanted to know if I would help him “force the order through.”

After a few minutes of Q&A, the rest of the story unfolded. This customer had first contacted my client via phone, but he delayed placing his order for several days. Now that his card was being rejected, the customer insisted that the CSR keep trying, using a different variation of the address each time. The customer was also insistent that his order be delivered faster than the website’s estimated normal delivery time. So… the customer was casual at first, but now he was in a rush? My “uh-oh alarm” began to beep.

I answered the CSR’s question about “forcing the transaction” by asking a question of my own: Would the CSR accept responsibility if the transaction turned out to be fraudulent? Of course, he answered “no.” I explained how the website’s security measures worked, and why his boss wanted them in place. I told him that although it was possible to turn the features off long enough for the card to be approved, I couldn’t recommend it. I also pointed out that it can be a sign of trouble when customers are impatient or make unreasonable shipping demands.

Drawing from my own past experiences, I named several things that can cause similar problems. For instance, if the AVS match requirements are set too high, the gateway can mistake good orders for bad. Also, some card issuing banks will update a cardholder’s change of address just enough to get their statements delivered, but then leave the old address visible in other fields used by AVS. I explained to him how he could rule out those possibilities. Other than that, I reminded him that the security features were there for a reason, and I suggested that he allow them to do their job.

In the end, the customer turned out to be legitimate. When the CSR explained the situation, the customer wired the funds to the merchant. We never found out exactly why Authorize.net had blocked the authorization. Regardless, the security features continue to work 99% of the time. And the merchant remains confident in her safeguards, even it they do complicate an order from time to time. At least problems like this don’t result in chargebacks.

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

If you own or manage an e-commerce business, and you’re not using the Address Verification Service (AVS) to help validate orders, you’re increasing your exposure to chargebacks. Like most security measures, AVS is not perfect. For instance, it only works with participating banks, which limits its effectiveness overseas. But, at the very least, it can be used to separate your customers into two broad groups: those who are almost certain to be legitimate and those you should give a second look.

Take a few minutes to read this article I posted at the Bank of America forum for small business owners. The article describes the risks you take if you either fail to use AVS on your commercial website or you choose to ignore the warnings received from AVS. This is the true story of how my own Internet business, 2BigFeet.com, ignored the signs and lost a lot of money. If you’ve never heard of AVS, or you’re just not using it now, take a look. Hopefully, it’ll help you avoid the hard lesson we learned.

And one last thing… there is no cost to credit card processors for AVS. In fact, your credit card processor should offer it for free and encourage you to use it. After all, reducing chargebacks benefits both processors and merchants. If your processor is padding their profits by charging an AVS fee, whose interests are they protecting?

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

Are you old enough to remember knucklebusters? If not, let me explain. Before credit card terminals made instant authorizations possible, merchants used imprinters to make physical imprints of credit cards showing the amount and date of the sale, along with the store’s name and address. The customer would sign the copy, thereby proving the card had been physically present in the store.

The term “knucklebuster” referred to what could happen if a store employee wasn’t careful. Sliding the mechanism from side to side not only imprinted the raised card numbers onto the carbon paper receipt, it was loud and potentially dangerous. But the result was worth the risk, and may still be today. With the raised numbers of the credit card physically imprinted onto the receipt, the cardholder couldn’t dispute that the card had been physically present in that particular store.

Today, imprinters have gone the way of the dinosaur. Modern credit card terminals read the magnetic strip on the back of cards, and that serves as undisputable proof (in the eyes of Visa/MasterCard/Discover) that a card was used at a particular location. But we all know that magnetic strips can lose their magnetism over time. When that happens, you (the merchant) simply hand-key the credit card information into the terminal. But what if the customer denies having ever been in your store? What then? Without proof, you will lose the chargeback every single time! Yes, you read that right. You will lose every chargeback, unless you have a knucklebuster to use as backup. And in case you’re wondering, no, a photocopy of a credit card is not just as good as a physical impression.

It may seem like overkill, but a physical imprint of a credit card can mean the different between losing a chargeback and winning it. And if the charge was a large dollar amount (let’s say you sold a set of dining room furniture or a new riding lawnmower), the knucklebuster will be worth its weight in cash!

Whenever I sign up new retail merchants, I always remind them to use their imprinter as backup for all hand-keyed transactions. Orion Payment Systems, the processor I represent, sends every new merchant a customized imprinter name plate. And if a merchant doesn’t have an imprinter, I can provide one for just a few dollars. Did your current processor take the time to warn you about this topic? If not, why?

If you’re happy with the service you’re currently getting from your credit card processor, that’s great! But if your processor isn’t living up to your expectations, I’d appreciate the opportunity to show you what you’ve been missing. Feel free to give me a call.

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!