Fraud Prevention Tips
To help restrict fraudulent activity on your account we recommend utilising the standard fraud prevention tools and our additional validation techniques.
AVS checking is a vital part of fraud prevention. It indicates whether the numeric values in the first line of the shopper’s address and post code match the card issuer’s records. Similarly, the CV2 check confirms that the 3-digit code the shopper says is on the back of their card (or the front if an AMEX card) matches the card issuer’s records. Further information on this can be found on page 7 in our Fraud Prevention guide here.
3D Secure is a way to authenticate a card holder during a purchase and is an integral part of fraud prevention. It can help provide liability cover through your merchant bank, and multiple merchant banks offer better processing rates for transactions verified through 3D Secure. From 14 March 2022 all card issuers, Payment Service Providers (like Opayo) and merchants will be required to support or facilitate 3D Secure version 2. We therefore recommend that all our merchants activate this as soon as possible, in addition to 3D Secure version 1. Further information on how to set up 3D Secure rules can be found on page 11 in the Fraud Prevention guide here.
The restriction tools are used to block specific shopper data elements. They can be useful if you do not want to process orders from specific card issuing countries, country geolocates (IP address prefix for the countries), specific IP addresses or specific BIN ranges. Further information on these blocks can be found on page 9 in the MySagePay User Guide here. Transactions containing a blocked shopper data element will be declined by Opayo.
If you set up AVS and CV2 rules, along with 3DS v1 and v2, and an order passes those fraud prevention tools, this shows positive behaviour from the customer. Generally, if the customer has passed AVS/CV2 verification, the billing address is the same as the delivery address and 3D Secure has been successful, it’s unlikely the order is fraudulent. This is because a fraudster is not likely to order goods using a stolen card, be able to successfully authenticate themselves via 3DS, and have the goods sent to the address where the card is registered.
If you are still not sure whether the transaction is genuine after the above checks have been performed, we recommend using some of the following additional validation techniques to see if there is anything else that will help legitimise the order.
You can search transaction data from the last seven years in MySagePay. This can save you time and effort if you have previously verified the customer before shipping the goods. Please find some of the recommended search fields below:
- Last 4 digits of the card used – You can search on the last 4 digits of the card used for the transaction via the advanced search feature, further information on this can be found on page 16 in the MySagePay user guide.
This can be very useful to see if other payments have been made using the same card and customer information. If the search returns results for other transactions, we recommend checking that the card holder name/address information is consistent for the customer. If previous orders from over 2 months ago have been processed and shipped using the same card/address information and no chargeback has been performed, it’s unlikely that the order will be fraudulent.
- Search on the address used for the transaction – You can do this via the search tab as per page 23 in the MySagePay user guide.
This will also give you visibility on whether repeat customer names/card combinations have been seen before at specific addresses. If you have found consistent history for the customer with transactions made over 2 months ago, then it will be unlikely that the transaction is fraudulent. On the other hand, if you have seen multiple names/card combinations going to the same address we would advise you to further validate the customer.
- Check the card issuing country against the IP address – You can view both the card issuing country and IP address used for the transaction as per page 18 in the MySagePay user guide in the following locations:
IP address: This is in the “Client location” section within the “Additional Details” tab
Card issuing country: This is displayed in the “Additional card details” section within the “Authorisation Details” tab.
If the card issuing country does not match the IP address, billing and delivery address, it is a cause for concern and these orders are normally deemed high risk.
- If the AVS results have matched, however the billing address is different to the delivery address – There can be several different reasons for this, for example if the order was made by a relative or if the customer wants the product delivered to a temporary address, however this can also be a sign of fraudulent behaviour. As a part of best practice, we always recommend trying to validate the customer first if you have no previous record of them on your account. If the customer refuses to go through validation, then maybe suggest sending the products to the billing address only, as this will be a more secure option.
- Is the delivery address associated with a registered business? - If you can find a legitimate company relating to the address it will not likely be a fraudster, as no fraudster would want to be traced back to a legitimate workplace. You can try locating the company via web searches, or by checking Companies House.
If you find a legitimate company, you could send a courtesy email to the customer using their work email domain, or you could try calling the customer from the contact number on the company website.
- If AVS checking has not matched and the delivery address is not registered to a business – It may be worth getting additional validation from the customer before shipping the goods, as no apparent links in customer information can be a high risk.
- Can you locate the delivery address on Google Maps? - Google Maps can be a good tool to identify any suspect delivery addresses. Although we can’t judge a book by its cover, you should be able to identify if a customer has ordered excessive amounts of large goods to a relatively small flat or apartment. Again, if in doubt maybe try validating the customer before shipping the goods.
- Order trends – If the customer has ordered several of the same things, such as several TVs, clothes in several different sizes etc., this could be a high risk. In this situation we recommend requesting more information from the customer to further validate them.
- Click and Collect customers - If the transaction has been processed via a click and collect service and the goods are not being delivered, then we recommend the customer provides photo ID that shows the billing address used when collecting the goods. Click and collect orders can be high risk since they cannot be traced to a specific delivery address.
- PO Box or locker deliveries – Take extreme caution with these types of orders because once the goods have been delivered, there is no way to see who has collected them. In general, we don’t recommend shipping to either PO Box or locker addresses.
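The history and country checks above can also be run over your own order records before a manual review. The following is an added example, not Opayo code: the record fields (`name`, `last4`, `delivery_address`, `card_country` and so on) are hypothetical and not a MySagePay export format, and "over 2 months" is approximated as 60 days.

```python
from datetime import date, timedelta

def norm(addr):
    """Collapse case and whitespace so trivially different spellings compare equal."""
    return " ".join(addr.lower().split())

def review_flags(order, history, today):
    """Return reasons to validate the customer further before shipping."""
    flags = []
    # Card issuing country should agree with IP, billing and delivery countries.
    countries = {order[k] for k in ("card_country", "ip_country",
                                    "billing_country", "delivery_country")}
    if len(countries) > 1:
        flags.append("country_mismatch")
    if norm(order["billing_address"]) != norm(order["delivery_address"]):
        flags.append("billing_delivery_differ")
    dest = norm(order["delivery_address"])
    same_addr = [h for h in history if norm(h["delivery_address"]) == dest]
    # Several different name/card combinations going to one address.
    combos = {(h["name"].lower(), h["last4"]) for h in same_addr}
    combos.add((order["name"].lower(), order["last4"]))
    if len(combos) > 1:
        flags.append("multiple_name_card_combos_at_address")
    # Consistent history: same name, card and address, older than about
    # two months (60 days is an assumption), with no chargeback.
    cutoff = today - timedelta(days=60)
    me = (order["name"].lower(), order["last4"])
    if not any((h["name"].lower(), h["last4"]) == me and h["date"] < cutoff
               and not h["chargeback"] for h in same_addr):
        flags.append("no_established_history")
    return flags

# Constructed sample data; field names are hypothetical.
HISTORY = [
    {"name": "A Shah", "last4": "4242", "delivery_address": "1 High St, AB1 2CD",
     "date": date(2023, 1, 10), "chargeback": False},
    {"name": "B Jones", "last4": "1111", "delivery_address": "9 Mill Lane, XY9 8ZZ",
     "date": date(2023, 5, 2), "chargeback": False},
    {"name": "C Smith", "last4": "2222", "delivery_address": "9 mill lane,  xy9 8zz",
     "date": date(2023, 5, 20), "chargeback": True},
]
REPEAT = {"name": "A Shah", "last4": "4242", "card_country": "GB", "ip_country": "GB",
          "billing_country": "GB", "delivery_country": "GB",
          "billing_address": "1 High St, AB1 2CD", "delivery_address": "1 High St, AB1 2CD"}
NEW = {"name": "D Brown", "last4": "3333", "card_country": "US", "ip_country": "GB",
       "billing_country": "US", "delivery_country": "GB",
       "billing_address": "5 Elm Rd, Springfield", "delivery_address": "9 Mill Lane, XY9 8ZZ"}
```

Calling `review_flags(NEW, HISTORY, date(2023, 6, 1))` returns all four flags, while the repeat customer `REPEAT` returns none. A flag is a prompt to validate the customer, not a decline decision.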
Request additional information
If you cannot validate the customer, you may need to ask for additional information. Please see some examples of what to ask for below:
- Photo of a driver's licence showing the same billing address used in the purchase.
- Utility bill – again showing address and linking customer information.
- Screenshot of online bank statement showing billing address.
N.B. Further validating the customer will not cover the vendor in the event of a chargeback. For further advice on chargeback cover via 3-D Secure, please contact your merchant provider.