Fraud Prevention
Fraud Prevention
Credit card fraud is fast growing problem for online merchants. As a merchant, you are liable for every processed credit card transaction even if fraudulent. Fraud can hurt your business in the following ways: lost revenue, wasted productivity, and penalties such as charge backs and higher interchange rates.
The UltraCart fraud prevention system is a set of industry leading rules that will help protect your UltraCart store from potential customer fraud. The fraud prevention system configuration is located at:
How it Works
The fraud prevention system utilizes a set of rules that are run against the order before credit card processing takes place. The rules compare the details of the current order and previous transactions to determine if a fraudulent action is taking place. If a rule is broken then the merchant can decide to reject the transaction or send the order to Accounts Receivable for further review.
Rules fall into five different types:
Rule Type | Description |
---|---|
Exemption | These rules are the first ones checked by the system. If an order matches these rules then the order is exempted from all other rules. These rules are typically added to exempt your office or call center from the fraud prevention system during the order taking process. |
Credit Card | These rules focus around checking the credit card for fraud. This includes checks like number of attempts, changing the card, blocking prepaid/gift, etc. |
Credit Card (Premium) | This rule checks and confirms if Card Type = Prepaid or Gift Card. This is a premium feature ($0.05 per card validated). |
IP/Subnet | These rules focus on the origination of the order traffic and velocity of the orders originating from a portion of the internet. |
Address | These rules focus on the addresses on the order and allow merchants to block known fraudsters (establish fraud filter on a fraudulent order) or hold orders for review that have different billing/shipping addresses. |
Address (Premium) | These rules are a premium feature ($0.01/card validated) |
Affiliate | These rules attempt to block affiliates from submitting fraudulent orders in an attempt to earn commissions. |
Configuring Rules
The top section of the page displays all the rules that can be configured on an UltraCart account like the screen shot below.
Notice below that each rule reads like a simple sentence. So if I want to decline transactions over $500 then I would enter the amount, select the desire action from the drop down list and click apply.
After clicking the apply button a popup dialog will appear allowing the configuration of additional options/filters for the rule as shown below.
In this example we have configured a custom decline message to display to the customer and then clicked apply. Other filters include:
- Items - the rule will only execute if the order contains one of these items. For example if you are blocking prepaid/gift cards you would want to filter it down to only the item(s) that represent the free trial.
- Gateway - the rule will only apply if one of the checked rotating transaction gateways is being used.
- Screen Branding - the rule will only apply to the selected screen branding theme.
When an optional filter is left empty/unchecked then the rule will apply to all of the items, gateways, or screen branding themes accordingly.
After we click the Apply button the page will automatically scroll down to the Established Rules and highlight the new rule. Below is an example of how the rule we just configured appears.
Note Regarding Exemption Rules
Adding IP Exemption Rules
When adding an IP Exemption, the dialog window that appears is the same one as is used with adding decline rules. Just go ahead and save that dialog window and the exemption rule will be created.
Establishing Fraud Filters based on the details of a placed order
When you encounter an order that you deem fraudulent, you can create fraud filters based  upon the following order details:
- IP Address RangeÂ
- Credit Card XXXX-XXXX-XXXX-0664 (Full credit card will be used for filter)
- Address (Numeric portion of street & Zip Code / Postal Code)
- Email Address
"If prepaid or gift card"
Note: This Fraud filter rule is provided via a 3rd party service that can determine if the CC number provided by the customer is either a prepaid or gift card. This could be useful in auto filtering customers from auto order "Trial" purchases that are configured with a very small initial purchase price ("pay only shipping today" type offers) as these types of recurring billing can be targets for 'scammers' using cards that have just enough money on the card to pass the initial validation of the trial purchase but not enough to cover the subsequent purchase(s).
PLEASE NOTE THAT THIS SERVICE WILL ACCRUE A $0.01 SERVICE FEE FOR EACH CARD VALIDATED.
 The charge applies to every single CC validated, but there is order caching. So, don't get dinged for multiple authorization attempts on the checkout. For example, if the customer initially entered the wrong billing address causing a decline due to AVS mismatch then, corrected the details and resubmitted the order, the $0.01 fee would be applied only once, not for each authorization attempt.
Order Handling for flagged orders
The fraud rules have a setting for how to handle the fraudulent checkout/order.
There are four possible choices for fraudulent order handling:
- "Flag for review" → Sends the order to the Accounts Receivable and places a note in merchant comments.
- "Process payment and modify" → Processes the payment and then modifies the order (i.e. - tagging a value into the custom field)
- "Process payment and review" → Processes the payment and then places the order into the Fraud Review order management page.
- "Decline transaction" → Gives the customer a decline message at the point of finalizing the order.
Flag for Review
If you select the flagged for review option then the orders will be sent to:
Home → Order Management → Accounts Receivable
When you bring up the order within Accounts Receivable the merchant notes will contain an automatic note generated by the fraud rule. In the example below the order tripped the rule "If transaction exceeds 25.00, then flag for review". You can see the merchant comments has a note informing the user why the order was sent to the Accounts Receivable department.
User Notifications
Make sure that you have configured one or more users to receive the "Process Credit Card Payment" & "Fraud Review" notification located:
Home  →  Configuration  →  Users
Receipt Email
By default the customer will receive a receipt email even if their order is sent to Accounts Receivable for review.Â
If you want to change this behavior, navigate:
Home  →  Configuration  →  Email Notifications → Email Templates
For the receipt template choose the option "Hold Receipt Until Payment Processes". This will cause the receipt email to be held until you successfully process the payment within the Accounts Receivable section.
Visit Email Notifications page at: Email Templates - Email Notifications
Best Practices
Wow, there sure is a lot of functionality in the fraud prevention system, but I'm new to fraud prevention so what are the best practices for an initial setup?
Category | Rule | Recommend Value | Comments |
---|---|---|---|
Exemption | If IP address matches | Enter the IP address for your office and/or call center | If you don't know what you IP address is then go to http://www.ipchicken.com and it will tell you your IP address. |
Exemption | If Customer logged into profile with pricing tier | You typically don't want to block your B2B customers with profiles for any reason. | |
Credit Card | If single transaction exceeds | 2X average sale = flag for review, 4X average sale = decline | Make sure fraudsters aren't using your store to test the maximum card limits. |
Credit Card | If user changes credit card number this many times for attempted transactions | 4 | Make sure fraudsters aren't testing a bunch of cards on your account to find valid ones. |
Credit Card | If prepaid or gift card (Note: This is a 3rd party service and will cost you $0.05/card validated) | Use this rule on your free trial items. See this blog post for the importance of this rule. | |
IP/Subnet | If weekly attempted transaction count for IP Subnet Exceeds | 10 | Prevent fishing attempts from the same IP addresses. |
Address | If fraud score exceeds | 5 = Flag For Review | This is our legacy fraud prevention system which uses a 3rd party and provides a good holistic check of the order. |
Address | If billing address does not match shipping | Flag for Review | Use this if you have high value products and strict AVS checking configured on your credit card rules. |
Affiliate | If affiliate generates multiple sales with the same IP address within one week  | The same IP rarely should be generating multiple sales. You must be using the UltraCart affiliate system for this rule to work. |
Reporting
UltraCart collects statistics of how each rule performs on a daily basis. To access the report go to:
Home → Reporting → Fraud Rule Statistics Report
The report is easy to run. Just pick a date range as shown below. There are quick selectors on the right to make things easy.
The report that opens is an Excel spreadsheet as shown below.
For each rule there is a column by date of the number of times the rule was checked, # of declines (or exemptions), # of passes, and percentages. The far right column of the spreadsheet will summarize the information for the date range. In this example spreadsheet we can see that the rule to block prepaid/gift cards on our free trial blocked 3.85% of the transactions for the time period.
Frequently Asked Questions
Q: What message does the customer receive when they trip a fraud filter?
A: If the fraud rule is set to decline and you did not enter an optional customer message than the message "Your payment has been declined. Â Make sure the billing address matches the location that the credit card statement is mailed. Â Please verify the information and try again." is returned to the customer. Â
Q: Will the customer receive a receipt if the order is held for review?
A: See the Flag For Review section above which covers this. Â There are options on the email notification configuration that you can adjust.
Q: I have linked multiple UltraCart Accounts together, if I link a new account, will the existing fraud rules apply?
A: Yes, the existing fraud rules be auto populated to newly linked accounts.
Q: Can I block an email domain, so that orders are not placed from a free email provider?
A: Yes, simply add an email rule where the email is *@thedomain.com. This would then allow you to decline, or send any order into A/R with said email address.