Lately reports of the amount of credit card information that has been compromised are staggering. It’s getting a little scary to be a consumer in these times, let alone a business owner who might be held accountable if fraudulent transactions happen on your customers’ cards.
What’s an entrepreneur to do?
Well, one option to help keep people from stealing customer information would be not to keep any cardholder information around.
One way to keep the burden off your business is to use customer lookup and card on file functions (something like the features offered in the Intellivative Payments API and Intellivative Merchant Portal). These functions were originally designed for convenience, but when used in lieu of storing the sensitive customer information at your business, they can also act as fraud prevention tools.
By using these two features in tandem, you can save customer billing, shipping, and cardholder account information for later retrieval on a secured server. This allows you quick access to the information, but you don’t have to worry about how to protect it from fraudsters. You leave the burden of protecting your customer information to an expert in security–unless security is your business, you may be better off leaving it to the experts.
That doesn’t help if your payment solutions provider is compromised for some reason, but hopefully they are taking steps to ensure that doesn’t happen. I know we are continually updating security at Intellivative. We make it our mission to keep your customer information safe and secure.
You will also need access to previous payment receipts in case there’s a chargeback, so make sure your payment provider offers secure access to those as well or you’ll end up keeping copies of receipts around, which kind of defeats the purpose.
If you’re worried about how to store your customers’ information safely, perhaps the best solution is just not to store it at all!
Earlier today we published a guide on AVS and CVV and how these fraud prevention tools can help you in determining whether or not to process an order. There is some evidence, though, that in the e-commerce process, requiring the CVV code can actually reduce conversion rates. Get Elastic has published a report on a study done for the top 100 online retailers and found:
Conversion rates were a full 40% higher where Top 100 retailers did not request a CVV (Card Verification Value), yet over 55% of them do.
Does that mean you should stop using the CVV code on your e-commerce web site?
Not necessarily. This study was with the top 100 retailers. You should consider whether or not it makes sense to use it for YOUR business:
- Does your business have a high rate of fraud? If so, you might want to use it even if it does lower conversion rates.
- How much does each fraudulent transaction cost you? If fraudulent transactions hurt your business significantly, then yes, it might behoove you to use CVV, but if a fraudulent transaction has no real impact on your bottom line, perhaps you might want to scrap that CVV.
- Does CVV lower conversion rates on YOUR e-commerce web site? Just because the top 100 retailers experienced this, it doesn’t necessarily mean that it’s true for you. The only way to really know that is to test it. You can use what is commonly referred to as an A/B test–send half of your traffic to the page with the CVV, half to a page without the CVV. See whether there is any difference in conversion. Then determine whether that difference in conversion is worth the increase in fraudulent transactions.
If you decide you’re going to do some A/B testing, here are some resources on A/B testing to help you out:
Sometimes when you’re processing a payment, the address verification and card code things might seem like an extra unnecessary step. Do you really need to use them?
First of all, what are AVS and CVV?
The address verification service (AVS) was created to help reduce fraudulent payments by comparing the address sent with the payment with the address on file for the cardholder at the card-issuing bank. If the two addresses don’t match, clearly there’s a higher probability of fraud. However, a non-match doesn’t necessarily mean it’s fraud. People move–and there’s usually a time lag in updating addresses with the issuing bank.
The card code (also called CVV, CVC, CVV2, or CID) is a 3 or 4-digit code typically printed on the signature line on the back of the card. The idea is if a card number is stolen by electronic means, the thief would not have this code along with the card number–so if a transaction includes a card number along with a card code that matches the code on the back of the card, it’s less likely to be fraudulent. That is also the reason why you are not allowed to store the card code.
Do I need to use AVS and CVV?
It depends. Whether you really need (or want) to use these fraud prevention tools depends on a few different factors:
- How are you running the transaction? Did you swipe the card through a card-swipe device or type it in?
- Is the customer standing in front of you? Or did you receive their payment information over the phone, via the mail, or over the Internet? Is this payment part of an e-commerce transaction?
- How risky is your business? Is fraud a concern for your business? Do you get a lot of chargebacks–or is that a relatively once-in-a-blue-moon occurrence for you?
- Are you selling within your own country, or internationally?
- Will it make a difference in your transaction fees?
- How will you use these tools? What do you do with the AVS and CVV responses?
What type of order is it?
Some types of transactions benefit more from AVS and CVV than others. When you are running a retail store and swiping the customer’s credit card through your POS machine, there’s less of a need for address verification or card code. But when you’re typing the card number in, it becomes more important. Now the risk of fraud has gone up, so it behooves you to take the time to at least key in the customer’s zip code.
Now if the order is received via some remote method–like the phone or mail or Internet–the risk goes up even further, so that’s when AVS and CVV become really important.
Will it make a difference in my transaction fees?
When you don’t use AVS in a riskier situation, the card associations get nervous. It’s not just you as a merchant that’s assuming risk in that situation; some of the responsibility falls on them. So when the risk level goes up, the card associations charge more by downgrading the transaction to what they call a non-qualified transaction. Transactions have three levels of qualification: qualified (lower risk), mid-qual (medium risk), and non-qual (high risk).
The merchant account blog shows a good example of what can happen to your fees for a keyed transaction that downgrades because AVS wasn’t used – fees can be pretty steep:
Depending on your merchant contract, a non-qualified transaction can cost as much as 2% and $.50 or more extra per transaction. What this can mean is that if you have a keyed merchant account setup at 2.3% with a transaction fee of $.25 per transaction, the downgrade to non-qualified can increase this to 4.3% and a $.75 transaction fee. Your costs to process the transaction nearly doubled …
Multiply that by 100 or 1,000 transactions and your costs for doing business just increased significantly. Let’s use the example above with a $100 average ticket and 100 transactions in a month. Say your processor charges you 5 cents per AVS request.
With AVS (so you get the qualified rate):
- AVS costs: 100 x $0.05 = $5.00
- Discount rate: $100 x 100 x 2% = $200.00
- Transaction fees: 100 x $0.25 = $25.00
- Total: $230.00 for $10,000 transaction volume.
Now, try it without AVS (transactions downgrade so you pay the non-qualified rate):
- AVS costs: $0.00 because you didn’t use it.
- Discount rate: $100 x 100 x 4.3% = $430.00
- Transaction fees: 100 x $0.75 = $75.00
- Total: $505.00 for $10,000 transaction volume.
In a retail situation, it’s not this clear-cut because not ALL your transactions would downgrade (only your keyed transactions that didn’t have AVS), but for a mail order catalog or e-commerce situation, those extra fees can really add up. If you’re already accepting credit cards, check your processing agreement to see what your fees for qualified vs. non-qualified transactions are–and watch your monthly statement to see if your transactions are running as qualified, mid-qualified, or non-qualified.
So besides extra fees, what good are AVS and card code?
The real purpose of AVS and CVV is not for giving your payment processor another opportunity to charge you more–they are intended to help YOU make better decisions on whether or not to accept certain orders. They’re not perfect tools and they can’t give you a yes/no answer on whether a transaction is fraudulent–that’s got to be your call. But AVS and card code can only help you if you use them as tools for screening out potential fraudulent orders.
If you decide AVS and CVV are helpful to your business, in your order fulfillment process, you should have a method for flagging orders that don’t match address or card code and at the very least manually review them. Some merchants take an extra step and contact the person who placed the order to inquire about the reason for the mismatch–others simply review the data and make a decision. Some others develop their own automated logic so they don’t have to think about it. Whatever you choose to do, make sure it fits your business.
How do I know what these cryptic response codes mean?
Depending on what system you’re using, the results may look different, but typically AVS responses are 3-letter codes that look something like this:
YYY
- The first letter indicates whether or not the address matched the address on file. A “Y” indicates that at least part of the address did match. If it starts with an “N”, it did not match.
- The second letter tells you how much of the address matched. A “YN” would mean that the numeric portion of the street address matched, but the zip code did not.
- The third letter is the response from the authorizing bank and it varies by card type.
- Sometimes all or part of the address verification isn’t available. When this is the case, you might see an “X” in the response–a “YX” means the address portion matched, but the zip code comparison was not available.
Responses that indicate AVS isn’t going to help in your decision:
- If you get an “E” in the response, it means an error occurred during the AVS check.
- A “G” or an “I” in the response means the card-issuing bank is outside the U.S. and does not support AVS. International transactions are iffy on whether or not they support AVS–if you do a lot of business outside the U.S., AVS probably won’t help you with fraud screening very much.
- An “S” in the response means the issuing bank doesn’t support AVS.
- A “U” in the response means that address information isn’t available for this card.
Card code responses are one letter only:
- “M” means it matched = lower probability of fraud
- “N” means it did not match (or it’s invalid), so there’s a higher probability of fraud.
- “P” means the card code check wasn’t processed, and “U” means the card issuing bank isn’t registered. These two responses give you no information to help your decision.
Just make sure you understand the impacts of these tools on your business and your fees and you make an informed decision as to whether and how you use them.
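The flagging step described above can be automated. The following is an added example, not code from this page or from any payment provider: it reads the 3-letter AVS response and the one-letter card code response as this page describes them and marks each order as pass, review, or no_signal. The function names, the decision labels, the sample orders, and the rule that an E, G, I, S, or U anywhere in the AVS response means no usable result are assumptions.

```python
# Added example: screen orders using the AVS / card code response formats
# described on this page. Names and decision labels are assumptions, not a
# gateway API.

AVS_NO_INFO = set("EGISU")  # error, non-U.S. issuer, unsupported, unavailable
LETTER = {"Y": "match", "N": "no_match", "X": "unavailable"}
CARD_CODE = {"M": "match", "N": "no_match", "P": "unavailable", "U": "unavailable"}


def read_avs(code):
    """Return (street, zip) results for a 3-letter AVS response."""
    code = code.strip().upper()
    if len(code) != 3:
        raise ValueError(f"expected a 3-letter AVS response, got {code!r}")
    # Assumption: any of these letters means AVS cannot inform the decision.
    if AVS_NO_INFO & set(code):
        return ("unavailable", "unavailable")
    # First letter: street address; second letter: zip code. The third letter
    # is the issuer's own code, which varies by card type, so it is not read.
    street = LETTER.get(code[0], "unavailable")
    zip_code = LETTER.get(code[1], "unavailable")
    return (street, zip_code)


def screen_order(avs_code, card_code):
    """Return (decision, reasons); decision is pass, review or no_signal."""
    street, zip_code = read_avs(avs_code)
    cvv = CARD_CODE.get(card_code.strip().upper(), "unavailable")
    checks = {"street address": street, "zip code": zip_code, "card code": cvv}
    reasons = [f"{name}: {result}" for name, result in checks.items()
               if result != "match"]
    results = set(checks.values())
    if "no_match" in results:
        decision = "review"      # a mismatch always goes to manual review
    elif "match" in results:
        decision = "pass"        # something matched and nothing mismatched
    else:
        decision = "no_signal"   # neither check produced usable information
    return decision, reasons


# Constructed sample orders (not real gateway output).
SAMPLES = [("1001", "YYY", "M"), ("1002", "YNN", "M"), ("1003", "YXY", "M"),
           ("1004", "YYY", "N"), ("1005", "XXG", "P")]

if __name__ == "__main__":
    for order_id, avs, cvv in SAMPLES:
        print(order_id, *screen_order(avs, cvv))
```

A no_signal result is not a pass: it means the order has to be judged on other information, which is the situation the page describes for international cards.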