e-Commerce Safety

What are the real risks of e-commerce, both for the customer and the merchant? Let's start with the customer because that's actually an easier problem.

Customer's Risk

If you believe the stories, the customer's biggest risk is having his or her credit card number stolen as it travels from the customer's computer to the merchant's web site. Don't believe the stories. Almost all e-commerce credit-card transactions are now done via a secure connection, and very few card numbers are stolen during this phase of the transaction. You are much more likely to have your card number stolen when you hand over your card to a waiter in a restaurant to pay for a meal.

The bigger risk to the customer is the dishonest merchant who accepts credit-cards for payment for legitimate sales and then sells the numbers. This risk exists in over-the-counter sales also, of course, but it's a little harder to size up your merchant over the web.

Even then, most states limit a customer's liability for fraudulent use of a credit card, so the risks are generally quite manageable.

Merchant's Risk

The merchant's risk should be manageable too, shouldn't it? Once you get an authorization code, aren't you protected? Unfortunately, probably not.

E-commerce credit-card transactions are classified as Card Not Present transactions by the credit-card industry. Card Not Present transactions carry a higher risk of fraud, a problem that the credit-card industry solves by dumping the risk onto the merchant.

Here's how this works: If you have the credit card in hand (that is, the customer is standing in front of you and hands you the card) and you swipe it through your card reader, you are protected – the card processing organization takes the risk and eats the loss if the card is fraudulent.

If, however, the customer enters the card number via the web or reads it to you over the phone, you are not protected – should the card turn out to be fraudulent after you have shipped the order, you're stuck with the loss.

But what about the authorization code? Doesn't that mean the card is good? Nope. The authorization code just tells you that the credit card account is not overdrawn and the card is not on the current list of stolen cards. It does not ensure that you will get paid.

Protection

There is no absolute protection against credit-card fraud. But there is a lot you can do to minimize it. Here are some tactics that some find work well. You don't have to use all of these, but if you find you are having fraud problems, it's worth escalating your defenses.

• Use Address Verification service (AVS). This is a service that checks that the address the customer gave you is the same as the billing address on the credit card.
• Refuse to accept orders from free web-based email accounts (hotmail, msn, juno, etc.)
• Refuse to accept orders from IP addresses in eastern Europe (some vendors have reported a fraud rate from such IP addresses as high as 90%)
• Check the CVV2 code. This goes by several names depending on the type of credit card, but it is the 3- or 4-number code printed (not embossed) on the back of the card. Usually a customer won't have this unless he has the card in his hand. Note that some merchants report a large number of unwarranted declines using this code.
• Be very suspicious of orders where the billing address and the shipping address are different.
• Also be suspicious of large orders placed late at night.
• Consider subscribing to a fraud-detection service such as antifraud.com (http://www.antifraud.com). For $10/month, they provide a variety of services that can help detect fraud before you get burned.

If you are selling a shippable product, you have one more protection – holding off on shipment for 24 hours. That gives you a while to check out any orders that seem suspicious. Call customers whose orders have potential problems (your order form does requires a phone number, doesn't it?)..

Charge Backs

There's one additional hazard in the credit-card business – charge backs. This can occur any time a customer complains to his credit-card company that a charge is not legitimate. "Not legitimate" can mean the customer is not happy with the product, claims he didn't receive the product, or claims he never placed the order.

The credit-card company usually investigates each claim, and if it finds the claim valid it forces a refund for the credit-card holder. The merchant has some say in the process, however. If, for example, the customer claims the order was not delivered and you can show proof of delivery (a signature on a shipper's form), the charge back will be denied.

If it's a simple matter of an unhappy but honest customer you may be able to negotiate some resolution such as a return. But it's clear that merchants can protect themselves by keeping good records and having the shipper get a signature for high-value deliveries.