When setting up an online store, it can be an exciting time. You are building your website, uploading images of your items for sale and building out a loyal customer base that will help you increase sales as you lift your brand from nothing to a recognized symbol. Like many customers who have reached out to Signifyd, chargebacks and fraud was never even on their radar, until they got one.
Signifyd often receives phone calls that follow a format similar to this, “Hi, this is Joe from ABC company and I need help right away. I just got an email from my bank telling me that they are reversing the funds on this really expensive order and I don’t know what to do. The guy sounded legit, I looked him up but now he is saying he didn’t place that order but I already shipped the product. I need to prove that he placed the order!!”
Such frantic phone calls are often heartbreaking because more often than not the merchant who called in is ultimately going to lose out on both their cash and their product. Banks frequently side with the cardholders, and re-reversing funds is very difficult. Many merchants don’t take into account that fraudsters will answer the phone and talk to them, or that a fraudster will manipulate his IP address to give the appearance of living at the cardholders residence. Even worse are legitimate cardholders with a history of buyers remorse or are purposely seeking to steal online through the chargeback process.
So when merchants first start selling online and they see an odd order, it’s not unusual to them that if they should be able to get a hold of the customer that they should be able to ‘sort things out’. It is only after they realize that they have been duped do they become fully aware of the risks of selling online. But selling online is the future, and is on pace to replace retail shopping. So learning about chargebacks is very important for merchants looking to avoid them.
To learn fully about chargebacks, check out a previous post that Signifyd wrote up that helps define what is a chargeback. In todays post though, lets get the facts on the table. The fact is, if you have a chargeback there is very little you can do about it. The key is learning how to avoid them, and there is a tool on merchants side. Everyone online leaves a digital footprint. From the devices they use, the social networks they log into or the emails and phone numbers they register online. From the moment they create any kind of a presence, it has a history and that history can be either good or bad but it is never neutral. And that history can be tracked and is by companies like Signifyd.
Currently only about 5% of all shopping is done online, and yet that number poised to explode in the coming years. With that expansion is going to come all sorts of histories that internet users are going to leave behind. Every email, every IP address, ever card used is going to have a history of good transactions or of fraudulent ones. The key is to find and utilize that data in the fight against chargebacks.
Don’t fight chargebacks, avoid them.
Signifyd has an enormous database of knowledge, and plugs into other database providers to fill in the gaps that we currently don’t have to provide a global user database of internet history. Every time a shopper makes a purchase from one of our merchants, we can tell that merchant if the IP, phone number, device, card, email, and address or social media account is a good account or if it has fraud or chargebacks in its past.
Research shows that in the war against online thefts, the trend is going away from one off users making bad purchases online and is going towards cyber gangs who steal online. Therefore, if a Russian gang for example steals an American’s credit card and places a delivery address that Signifyd has registered as a bad address known for fraudulent orders or is associated with chargebacks, Signifyd can alert the merchant and advise them to cancel the order.
Tracking all of these histories by themselves would be an arduous task for any one merchant to tackle by themselves, but with Signifyd merchants get unprecedented analysis into their customers and who is most likely a good customer and who will likely place a chargeback.
So if you are a small but fast growing merchant who has just been hit by a chargeback, we offer our condolences. It’s a brutal growing pain, and likely won’t be the last chargeback you ever go through. But the collective power of the Internet is a tool that’s on your side through Signifyd, and together we can stop those who would seek to steal from you.
If you are a merchant who is suffering from chargebacks, consider signing up for a 2 week free trial with Signifyd and witness for yourself what professional fraud prevention services can do for you company and bottom line. Reach us at email@example.com
In the wake of Target’s disclosure that upwards of 40 million cards were compromised, a tsunami of public outrage and public opinions have been raised in discussions about how this happened and what Target should have done to stop it.
According to the Wall Street Journal. Target has already reported that sales are down as shoppers stay away out of fear. Consumers are still cautious about Target, and they are afraid of making purchases there. But should they be?
Are consumers liable?
On Christmas Eve, Visa took out a full page ad in the Wall Street Journal advertising their Zero Liability policy. A quick check on Visa’s policy advertises three steps. 1. Shop worry-free. 2. Report Suspicious Charges. 3. Get quick resolution and provisional credit. A similar check on Mastercard’s website spells out a similar policy. They in fact also call it the zero-liability policy.
Visa and Mastercard absolutely dominate the credit and debit card market in the U.S. with a combined total of roughly 85% market share. What this means for affected Target shoppers is that for any cards that have been stolen and fraudulently used they will have effectively zero financial liability for bad purchases.
So if the card holder isn’t liable, then who is? The answer often depends on where the criminals use the cards.
Online versus physical stores matter in fraud
For companies with a physical retail location, as long as they followed standard card issuer procedure by asking for ID and collecting a signature during checkout, then most of the time the card issuer will absorb the costs. For online companies though any orders purchased with stolen data will be charged against the online store.
For online companies, this means that for the time being they have to operate under the premise that there are an additional 40 million bad cards circulating in the US market, and that any one of them could be used against them and cost their business if they don’t stop the transaction.
Now for some perspective, according to a recent joint study by the US Census Bureau and Experian among others, there are roughly 1.5 billion active credit cards in circulation in the U.S. This equals out to about 5 cards for every U.S. citizen. This is a double edged sword for online merchants. The good news is that there are a significant amount of legitimate cards ready to make purchases, and credit cards are still the easiest way for online merchants to accept payment. The bad news is that with so many cards in circulation, online merchants have a plethora of potentially bad transactions coming their way. The real card holder may not even be aware their card is being used fraudulently if it is not their primary credit or debit card.
So who is most liable?
So who’s really at risk because of Target’s data breach? It’s not the hackers who stole the data. These stealthy online criminals almost never use their stolen information, instead using online market places to sell off the card numbers to less technical criminals who then use them to make purchases or drain accounts. It also generally is not merchants with physical locations, because criminals realize that their stolen data has a time limit before the real card holder cancels the account and shopping in person takes time and risk. Target and web based merchants are the real victims. In fee’s alone it is estimated that Target will have to pay the card issuers $3.6 billion for exposing consumer data. But it is the online merchants who are primarily at risk, and they are liable for every stolen Target card that they process.
For months or even years now, these web based business will have to take a little extra care to validate each order from their purchases to ensure that they don’t process a transaction from a stolen card until all the stolen Target cards are cancelled or out of circulation. That is until the next breach.
Online shopping has spiked in the last 5 years, crossing the trillion dollar threshold in 2012. Embracing the consumer preference for internet shopping, many new businesses are only available through the web. Yet a surprisingly low number of new merchants are taking measures to protect themselves from internet fraud. While many online business owners are convinced that any fraud activity on a card is largely the domain of banks and credit card issuers, internet retailers are simply unaware that in the world of ‘card not present’ (internet purchases), they are liable for bad purchases run through their stores.
For many people, the word ‘fraud’ can seem complex and overwhelming. ‘What is fraud?’ ‘How does fraud work?’ These are common questions that are actually very simple to answer. If an individual had cash stolen from their wallet, and that cash was then used in a purchase by the thief, that crime would be described as theft. The money doesn’t belong to the thief, it belongs to our victim. In fraud, this crime works exactly the same way. Only this time the thief takes the credit/debit card instead of the cash. The law states that only legal cardholders can use cards issued to them. When a thief steals a card and uses it, the thief is pretending to be that legal cardholder and racks up charges in their name. Every charge the thief makes with the stolen credit card is considered a fraudulent (bad) transaction.
If all merchants had to worry about was physical credit cards being stolen, then this wouldn’t be much of an issue. But with data breaches becoming increasing common, the financial information of tens of millions of consumers are now in the hands of cyber cartels looking to use their newly acquired information as quickly as possible. With the ability to purchase almost anything online, criminal are increasingly using their stolen data for online purchases instead of placing the stolen information on fraudulent cards to make “card present” transactions in retail stores.
With all of this fraudulent information floating around in cyberspace, it can be difficult to know what the best course of action is. Accepting credit cards is a sure fire way to expose a business to theft, but clamping down on card transactions will place a financial chokehold on a business that most likely would be fatal.
The key for businesses is to understand what they are liable for. When a business decides to accept payment from a card issuer or bank, they are accepting the terms and conditions passed down by them. What that entails is also accepting the established industry standards that are almost entirely uniform in the industry. Card issuers and banks have no ability to track if a card (or card data) has been obtained by unauthorized persons. The only way to know that an issue has arisen is when the card/card data is used in a purchase. Because a merchant has the greatest ability to stop a criminal in their tracks, card issues and banks place the financial liability on merchants for any fraudulent orders that they process.
To dig deeper into the issue, merchants need to understand the technical lingo that is written into merchant contracts. Many merchants take the assumption that if a transaction is authorized then it is a legitimate transaction. That is not the case. When a card processor runs a card and authorizes, it is simply verifying that the funds are available, the card is not reported as stolen or declined and the consumer’s credit limit has not been hit. An authorization is not running a report as to likelihood of the card being stolen or not, or if it is a risky transaction or good order. Once a merchants accepts funds, the liability now fully rests on them.
E-Commerce fraud is exploding for multiple reasons, but one simple yet major reason that it is exploding so fast is that many individuals simply do not check their credit card statements every day. While there are always going to be that subset of vigilant consumers who set mobile alerts for any purchases and check their cards daily, many consumers wait for their statement to be released before they look over their purchases. By then many weeks or months could have passed before they recognize the unauthorized transactions used on their cards.
Banks and card issuers do their best to look for irregular card activity by calling their customers to verify transactions they might have made. If someone goes on a road trip and suddenly makes multiple purchases in another state, a card is frequently frozen and the cardholder is typically contacted to verify if they did indeed make those purchases. But card issuers can only look for irregularities in a card holders account, and pending any drastic activity changes are powerless to know if a card is being used in a legal or illegal manner.
All merchants are accountable for and suffer chargebacks
To help account for this, and also to help deal with bad businesses, most card issuers offer card holders a 3 to 6 month chargeback grace period. For those not in the know, chargebacks are every merchant’s worst nightmare. Chargebacks occur when a cardholder contacts the card issuer to request a refund from a merchant. This would occur because the customer would somehow be unable to obtain a refund from the merchant or that the merchant is refusing to offer a refund to the customer. To read more about chargebacks and how to stop them read our series on chargebacks. Once a chargeback is initiated by the cardholder, the card issuer will deduct the funds from the merchants account and debit it to the card holders account.
The merchant can fight this process by providing evidence to the card issuer that the customer did in fact make a purchase, received the product intact, and is in the wrong. But in the case of a fraudulent purchase that causes the real card holder to initiate a chargeback against the merchant, ignorance of the card’s misuse by the merchant won’t stop the funds from being forcibly deducted. Many card issuers will hold a portion of the funds generated by sales through their cards in a reserve account that is held explicitly for the purpose of reimbursing card holders from bad transactions. The card issuers themselves cannot risk the liability that their merchants could run up thousands of bad orders and then not be able to pay the cardholders back. This reserve account is created because the credit card companies and banks only have a limited amount of money available to repay their customers at any given time from their own accounts. So by establishing a safety net between themselves and the merchant, they help prevent a shock withdrawal from the merchants account in the case of a large chargeback while guaranteeing that the card issuer can repay the card holder instantly.
To add insult to injury, merchants who have multiple chargebacks against them risk ever compounding fee’s as well as being placed on a chargeback monitoring program. If merchants are unable to bring the chargeback rate down, they risk be blacklisted by the card issuer either temporarily or permanently, which can drastically cut revenues for that business.
So what is a retailer to do?
No matter what the purchase, or the volume of transactions that merchant may be accepting at any given month, all transactions paid for by credit card need to be vetted.
But verifying transactions can be difficult as tying an online identity to an offline real person can take a significant amount of research. But there are common steps that all merchants can take that will significantly reduce the probability that they will process a fraudulent order or accept business from someone who serially conducts chargebacks.
1. Always, always, always collect and examine CVV2 and AVS and examine them closely
CVV2 is the 3 digit code on the back of a credit card that is separate from the 16 digit number sequence on the front. The code is a secondary backup to ensure that the card is actually in the hands of the cardholder and is never stored on file in a transaction history unlike a credit card number.
AVS stands for Address Verification System. When entering in a billing address, all merchants need to ensure that the billing address entered into the checkout matches that of the address tied to the card. If a customer repeatedly fails AVS, that is a staggering red flag. There is no reason that a real customer would be unable to identify what the billing address is for the card unless the card was being used illegally.
2. Ensuring that billing and shipping match are critical.
Billing and shipping always go together, and if they don’t it is normally an issue. Merchants always need to carefully examine why a customer would not ship to their billing address. Are they shipping to family? Are they shipping to friends? What connection does the purchaser have to the recipient? Many merchants will cancel orders that have a billing/shipping mismatch, while others have a large amount of research that goes into verifying if the customer is the true card holder. In an instance of a billing/shipping mismatch, a merchant always wants to ensure that during the checkout the customer didn’t fail the AVS or CVV2. Additionally, it is recommended to merchants that they call the customer to verify the recipient of the delivery.
3. Always get a signature for delivery
When purchasing online, often times the simplest fraud ideas are the most effective. And nothing is simpler than claiming that you never received your package. For any kind of high value order, ensure that the customer who made the purchase is the one who signs for delivery. By getting a signature, you ensure that the customer can’t later force a chargeback against you and you ensure that fraud isn’t later claimed. A major source of fraud for merchants is reshipping fraud, where a fraudster will purchase a product on the web and have it shipped to a middleman who then mails the product to him. Requiring a signature from the cardholder stops reshipping fraud in its tracks as a fraudster would have no ability to get the real cardholders signature nor would any middleman be able to accurately forge a signature.
4. Always check IP
Internet Protocol, the location of the computer the customer is using, is normally a dead giveaway to the truthfulness of the transaction. Is your customers billing and shipping in Indiana, but the IP is from Egypt? Well, that’s probably a fraudulent transaction. While the IP address can fluctuate a few miles from the address of the customer, it should never be in excess of 50 miles. Any IP address that is far from the address of the customer indicates either three things. 1. The customer is away on business. 2. The customer is on vacation. 3. This is a bad transaction. Many fraudsters attempt to mask their IP location by going through regional proxy servers, but these are easily detected and are simply another indicator of an online criminal.
5. A customer with a bad user name or email is almost always a bad customer
According to surveys over the last couple of years, the vast majority of customers will reuse the same username for most websites, and only maintain 2-3 email addresses at any given time. What this means for merchants is that if you encounter an email that doesn’t contain the name of the customer, red flags should immediately be raised. If an individual consequently gives you a user name that is full of strange characters or numbers that is normally an indication that this customer doesn’t intend to be a returning purchaser. Many merchants require that a customer verify their profile by clicking on a link sent to the customers email address to verify if this indeed is a human and not a bot. If the email address entered in the creation of the profile is different than the email address stored on file by the card holder that additionally is an indicator that something suspicious is going on in the order.
6. Be on the lookout for multiple purchase attempts, and protect your store against attacks
Fraudsters rarely have a complete data set on the individual of whom they are impersonating when making purchases online. They may be able to fill in the card number, name and address but fail the CVV2. They might have stolen the wrong email address, or they could be trying to make a purchase from the other side of the globe. If there are instances of multiple attempts, with repeated failures in a critical field a merchant will want to permanently decline that customer and every data point associated with the transactions.
7. Check the shipping address
If your customer is shipping to a Fedex store, or to a park P.O. box, that might be a red flag that they are trying to hide their location. If the location is a known drop ship address, or has a history of fraud associated with it, why take the risk of shipping to that address?. Using address verificaction services such as Whitepages.com to run the address is a crucial step in every transaction to ensure that a customer who claims the address is their own is not in fact using an illegitimate address to avoid detection while running bad transactions.
Fraud prevention takes time!
Criminals are drawn to online companies like gravity, the larger the business the stronger the pull. Fraud prevention is a difficult, time consuming process that only grows more and more important as a company increases its sales. With liability solely on the internet retailers, Signifyd finds that the vast majority of merchants take a cautious approach and tend to decline any suspicious orders as well as declining most international orders. Without having a data verification service to tell merchants if a customer is using a proxy to mask his IP or to verify his address, merchants can be at a loss to confidently decline or accept an order.
Signifyd provides the tools merchants need to quickly verify their orders.
Looking up 5 orders a day might not be an issue for company, but if your company finds itself suddenly needing to review 75, 100, 200+ orders a day it can quickly become an overwhelming and all day long task. And without a uniform way of doing each search a company can find it is simply approving or declining orders ” based on their gut”. Signifyd provides companies a way to quickly ensure that they don’t rack up huge losses by accepting payment from multiple stolen credit cards or get hit by numerous chargebacks. Signifyd runs reverse IP lookups to detect proxies, verifies a customers address, checks bin to verify the cards origin, looks through social media to double check a customer’s true identity, and gives merchants a customer’s shopping history to highlight any possible fraud or chargebacks that can be associated with them. Signifyd scores transactions at an average of 200 milliseconds and works with merchants from the largest on the web to merchants who have just set up shop. If you run a business and are concerned about chargebacks and fraud and want to learn more please reach out to us at firstname.lastname@example.org to learn more!
Signifyd Seeks to Upend E-commerce Fraud with First Technology that Analyzes Footprints of Fraudulent Customers
SANTA CLARA, CA – October 16, 2013 – Signifyd today announced the launch of the first e-commerce fraud platform that seeks to dramatically reduce a retailer’s exposure to chargebacks and fraud by analyzing data footprints to bridge the gap between online and offline consumer identities.
Signifyd’s machine learning algorithms use customer intelligence to evaluate the risks of an incoming order in real time. The company’s technology assesses 120 risk indicators and looks for footprints in online and offline data sources, such as the Social Graph, device fingerprints, IP geo-location, proxy detection, customer history, issuing bank data, cross-merchant blacklists, transaction velocity, search engines and public records to determine the validity of a transaction. For example, if a consumer is making a purchase from an IP address located in San Francisco but the consumer’s billing address is in France, existing fraud solutions will decline or manually review this transaction. Signifyd looks to see which country the card was issued and the strength of the consumer’s social profile. If the consumer’s Twitter account indicates they live around San Francisco and the issuing card bank was in France, Signifyd may approve this transaction. Signifyd assigns all transactions a score to notify retailers of fraud, and is the only top fraud vendor to guarantee payments in the case of chargebacks resulting from approved transactions.
E-commerce is estimated to be about $1.5 trillion in 2013. Merchants are estimated to lose 1 percent of revenue in fraud and lose an additional 3 percent annually in wrongly declined transactions. That means merchants are not only affected by losses, but are also losing billions in good revenue due to existing fraud solutions.
“E-commerce fraud detection has been one of the most critical and time consuming processes for online retailers, but most fraud detection tools aren’t suited for today’s cybercriminal who is becoming increasing adept and advanced,” said Rajesh Ramanand, co-founder and CEO of Signifyd. “We’re bringing much needed innovation to the fraud solution market. By using Signifyd, retailers can now make decisions in real time about the validity of a customer without worrying about a fraudulent transaction costing them money or a valid transaction being declined.”
For smaller retailers, e-commerce fraud is especially taxing, so much so that 57 percent of smaller merchants still do not screen for fraudulent transactions, despite SMBs losing millions annually in chargebacks and being least able to absorb the lost money and customers from inadequate or nonexistent fraud detection strategies.
“With Signifyd, we’ve been able to increase revenue by 15 percent by selling into markets that we were previously cautious about,” said Ahmed Khattak, founder and CEO of GSM Nation, who sells unlocked cell phones online. “We’ve done this while simultaneously keeping chargebacks very low and reducing manual reviews by 80 percent. Signifyd has been a terrific ally in growing our business.”
Integration with Signifyd takes fewer than 5 minutes to perform on partner platforms like Shopify and Magento, and its low price points for SMB retailers makes best-in-class fraud protection available to every online seller immediately. In addition to GSM Nation, Signifyd provides fraud detection and prevention solutions for many of the Fortune 1000 retailers including Build.com, Wayfair.com, MakerBot and Petflow.com. Signifyd was founded in 2011 by former PayPal and FedEx executives Rajesh Ramanand and Michael Liberty, and is funded by one of the largest, most respected VC firms, Andreessen Horowitz. Earlier this year the startup won the prestigious Merchant Risk Council Award for the Best Emerging Technology.
Headquartered in Palo Alto, CA, Signifyd was founded in 2011 by Rajesh Ramanand and Mike Liberty, a team of veteran risk and fraud experts from PayPal, to help online businesses prevent payment fraud. Signifyd’s full-service cloud platform simplifies fraud detection allowing businesses to increase sales while reducing fraud losses. Signifyd is in use by multiple companies on the Fortune 1000 and Internet Retailer Top 500 list. The Company is backed by top tier Venture Capital firms such as Andreessen Horowitz, Data Collective, IA Ventures, QED Investors, Resolute.VC and Tekton Ventures. For more information about Signifyd, please visit http://www.signifyd.com.
This is a repost from CoinDesk
Bitcoin sales service btcQuick says that it has achieved nearly $2m in sales.
Colorado-based CEO Jerrod Bunce started the company in November 2012, after trying to buy bitcoins and getting frustrated with bitcoin sales site BitInstant, a service that enabled customers to buy and sell bitcoin but which was criticized for its slow service.
“I thought to myself ‘I can build this to be better’,” he said. He then coded the site in PHP, using the Twitter Bootstrap front end.
When users request to purchase bitcoins using US dollars, btcQuick buys the equivalent amount in bitcoins from an exchange, which it then sends to the customer’s bitcoin address, or to their email address using Inputs.io.
The firm started slowly, growing with the help of $120,000 in funding from private investors and crowdfunding, says Bunce. It has grown substantially over the last few months, according to Bunce, who showed CoinDesk proof of his monthly sales figures. The firm is currently doing a little over $500,000 in business, he said.
BtcQuick’s model is to be among the fastest to provide bitcoins, if not necessarily the cheapest. It charges a 7.5% fee on transactions, but this can slide to as little as 3% given enough volume. Transactions made by credit card are settled in a couple of hours.
Most of its sales (70.5%) are from the US, said Bunce, who added that the company is also selling to users in countries including Canada, Australia, Argentina, China, Germany and the UK. On average, a single transaction is $175. Bunce said:
“We have mainly been spread around by word of mouth, but have recently started advertising on reddit, dailybitcoins and via Google CPC ads.”
Customers are expected to go through verification procedures by proving their identity, says the firm, which then allows them to purchase bitcoins using a credit or debit card. “I expect this to change as we work towards FinCen compliance,” he concluded.
The company doesn’t yet have compliance, but is working with US lawyer Marco Santori (the Bitcoin Foundation’s regulatory affairs committee chair) on this issue.
In the meantime, Bunce is contemplating pulling out of three US states – New York, California, and Texas – until the issue is resolved.
“California and New York don’t hold a large percentage of our business,” he says. Those two states have both hit bitcoin-related organisations with subpoenas or warning notices in the past few months.
In the meantime, btcQuick is doing its best to follow KYC rules and stop fraud on its network. It has a deal with miiCard, under which it uses the site’s identification hardware to verify customer identities. It gives customers who use Miicard a 1% discount from the original fee as part of a silver membership
The company also uses a fraud detection system from Signifyd, which Bunce says offers the firm greater assurance that malicious actors are not trying to game its network.
The site that inspired Bunce, BitInstant, which was operated by New York-based Charlie Shrem, shut down on 13th July to work on a service upgrade. The site, which would have been a competitor to btcQuick, has still not reopened. It was subsequently hit with a class-action lawsuit by angry customers.
If you are interested in learning more about Signifyd please reach out to us at email@example.com