Notice to Distributors: A Word About Internet Fraud

Date: 5/21/2008

Topic: Credit Card Internet Fraud and Distributor Vulnerability
Written By: Kellie Hoffmeister

We have recently received reports from distributors about a new Internet Fraud Scheme. The scenarios were exactly the same and unfortunately distributors were deceived.

One thing that needs to be addressed is the function of Authorize.net. Authorize.net acts as the gateway to your processor when accepting credit cards via the website. Authorize.net performs certain functions as they relate to the:

PCI Data Security Standard (PCI DSS)

Please review the summary of the standard at the link below.
https://www.pcisecuritystandards.org/tech/index.htm

Authorize.net also provides a white paper to assist merchants in reducing vulnerability to Cyber Thieves. Please download the white paper at this link: Click Here

Read what others are saying: Click Here

 

Key Points to Remember:

  1. Authorize.net employs industry standards to validate credit cards based on the Card Security Identification Code on the back of the credit card, or in the case of American Express, a four-digit number on the front of the card.
  2. If this card code is entered correctly into the site, Authorize.net will validate the card, the card will pass, and an approval will be given.
  3. Authorize.net employs industry standards for AVS, or Address Verification Service. The settings are in your Authorize.net Merchant Portal under ACCOUNT and are defaulted to validate the credit card against the statement billing address and five-digit zip code associated with the card.
  4. Each distributor can update these settings and provide even stricter requirements; however, the stricter the rule, the more DECLINES you will receive at the Point of Sale.
  5. Authorize.net will DECLINE a card if the card has been reported stolen.
  6. Panda uses Authorize.net to conform to the PCI Data Security Standards. We do this to avoid the expense of being certified, which can cost over $15,000 per distributor with yearly audit fees.
  7. Panda DOES NOT STORE CREDIT CARD INFORMATION ON OUR SERVERS.
  8. Panda only allows credit card transactions on Panda distributor websites that have verifiable and clickable SSL Encryption Certificates at the Secure Order Payment Page where credit card information is entered.
  9. What is SSL Encryption? Read this: https://www.thawte.com/ssl-digital-certificates/ssl123/index.html?click=main-nav-products-ssl123
  10. Most of Panda's websites use the basic encryption, mainly because distributors have a hard time understanding the value.
  11. We recommend that, as you learn more about safeguarding information on your website, you consider a higher level of encryption.
  12. All distributors have a unique SSL certificate tied to a distributor’s unique web IP address. WE DO NOT HAVE A SERVER CERTIFICATE THAT IS COMMON TO EVERY DISTRIBUTOR. As more and more credit card processors tighten up on the PCI policies, we have simply developed our technology to conform to their recommended level of encryption and do not take any shortcuts with a common certificate.
  13. We are compliant with every processor's request to safeguard credit card information.

Here is what Authorize.net cannot do to prevent fraud.

  1. Cyber Thieves are not just dumpster diving for receipts and credit card statements. They are much more sophisticated and are scanning the Internet for vulnerable servers that store credit card information. In one keystroke the Cyber Thieves can download a customer’s identity and credit card information.
  2. Cyber Thieves immediately duplicate these cards and sell them or begin using them to purchase goods online.
  3. Cyber Thieves know everything about the Bill To and Ship To, Card Number, Expiration Date and Card Identification Code. They simply query the server and obtain a complete download.

When the Cyber Thieves have thousands of credit cards, they begin their scheme. And this is where we begin our story about two of Panda's distributors.

  1. The Cyber Thief goes online and orders high-ticket items. Instrumentation is a favorite. They may also buy large quantities of one item.
  2. They indicate the Bill To and enter a fake Name, Phone and Email, but they know the information they need for validation. Remember, the credit card companies have only one mechanism for validation—Address, Zip Code and the Card Code.
  3. The term used is “card not present,” which simply means no one is physically handing you the credit card. So your risk is naturally higher.
  4. The Cyber Thief has the product shipped to a completely different address.
  5. Oftentimes the address is hundreds if not thousands of miles away from the Bill To Address.
    The Bill To Address must validate back to the Credit Card Statement. Again, the Cyber Thief knows this information.

The Face of Fraud:

Now the story gets interesting. At this point the fraud takes on a new level of deception as the Cyber Thief has typically staked out an unsuspecting person that:

  1. Is not home to accept deliveries.
  2. Believes they are receiving a package, signs for the package without being home, and indicates that the deliverer can leave it at the door.
  3. Often is a senior citizen who accepts the package thinking it is for a neighbor.

The Cyber Thief then simply goes to the unsuspecting person and asks for the package or picks the package up at the house where the resident is not home. Bingo! They now have the goods, bought with a stolen credit card. Next stop, eBay!

 

How can you prevent this scenario from happening?

  1. Any order over $500 that has a different Bill To than the Ship To should be an ALERT.
  2. If you are unable to contact the person via email or phone. ALERT.
  3. If there are misspellings in any part of the Bill To or Ship To Address. ALERT.
  4. If the order is for a large value of merchandise. ALERT, ALERT.
  5. If the person ordering wants to split the order amount across several credit cards. ALERT, ALERT, ALERT.
  6. If they want CASH BACK from an order. BIG TIME ALERT.

At this point all of your Fraud Alert Senses should be in high gear. No order should be fulfilled without first running the card and the transaction past your Merchant Services Fraud Detection Division. No order should be shipped without attempting to make contact with the user, speaking to them, and verifying that the Ship To person is aware of the package and is expecting it.
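The checklist above as a pre-shipment screen, in an added example that is not part of the original notice or Panda's software. The order fields, the $2,000 "large order" threshold and the sample orders are assumptions constructed for illustration; only the $500 limit comes from the list, and the misspelling check is left to manual review.

```python
import re

MISMATCH_LIMIT = 500.00   # from the checklist: Bill To != Ship To over $500
LARGE_ORDER = 2000.00     # assumption: the notice says only "large value"

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr"}

def normalize_address(addr):
    """Lower-case, drop punctuation and collapse common abbreviations so
    formatting differences alone do not count as a Bill To/Ship To mismatch."""
    words = re.sub(r"[^a-z0-9\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def screen_order(order):
    """Return the checklist alerts raised by one order (hypothetical dict layout)."""
    alerts = []
    differs = normalize_address(order["bill_to"]) != normalize_address(order["ship_to"])
    if order["total"] > MISMATCH_LIMIT and differs:
        alerts.append("bill_ship_mismatch_over_500")
    if not order.get("contact_confirmed", False):
        alerts.append("customer_not_reached")      # no answer by phone or email
    if order["total"] >= LARGE_ORDER:
        alerts.append("large_order")
    if len(set(order.get("card_refs", []))) > 1:
        alerts.append("split_across_cards")
    if order.get("cash_back_requested", False):
        alerts.append("cash_back_requested")
    return alerts

def disposition(order):
    """HOLD anything with an alert until a person has verified the order."""
    alerts = screen_order(order)
    return ("HOLD" if alerts else "RELEASE"), alerts

# Constructed sample orders; card_refs are opaque gateway references, never card numbers.
ORDER_A = {"total": 3450.00, "bill_to": "123 Main Street, Anytown, WI 53051",
           "ship_to": "77 Elm Rd, Othertown, CA 90001",
           "contact_confirmed": False, "card_refs": ["ref-1"]}
ORDER_B = {"total": 180.00, "bill_to": "123 Main Street, Anytown, WI 53051",
           "ship_to": "123 MAIN ST., Anytown WI 53051",
           "contact_confirmed": True, "card_refs": ["ref-2"]}

if __name__ == "__main__":
    for name, order in (("A", ORDER_A), ("B", ORDER_B)):
        print(name, *disposition(order))
```

An order that comes back HOLD still goes through the manual steps in the paragraph above before anything ships.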

Even if you make contact, be aware that the Cyber Criminals may be involved in a ring and may be routing the calls to accomplices. So trust your gut on this.

Cyber Thieves are smart. They are criminals and they know there are people out there that simply can't imagine someone would do such a thing. It is happening and you need to be on ALERT!

The End of the Story

Our distributors who fell victim to the Package Delivery Scheme were lucky. The unsuspecting residents or Ship To recipients called the distributor distraught about the package delivery. They actually thought their card was stolen and they would be liable for the merchandise. In each instance the Ship To person was an unknowing accomplice in the fraud. They were the drop off or hand off person.

The distributors were able to retrieve their Instruments, which were MSA Instruments costing over $1700 each. Each order was for two Instruments. The distributors lost the Freight and now have a debt to the supplier, which hopefully MSA will graciously return at no charge.

But this could have been so much worse.

So just remember, Authorize.net will validate a credit card based on the criteria that the industry has established as the only method for security. You are the best defense against cyber crime. Use your common sense, trust your gut, and train your people. Do a reverse lookup on an address online. Simply go to Google.com and type in the address in the Google box. Ex: 123 Main Street, Anytown, WI 53051. See what comes up. It may be a vacant lot!

It’s exciting to get large orders. They happen every day and most are legitimate. But don't be lulled into thinking everyone in the cyber world is nice and wants to do business with you.

It’s better to be safe than sorry. If the order is legit your online customer will appreciate your extra effort to validate his/her identity and ensure that the identity is safe with you.

Where to report internet frauds and scams: http://www.elsop.com/wrc/complain.htm

 

Credit Card Liability: What's in Your Wallet?

Most of you know that if your credit card is ever lost or stolen, you're only liable for up to $50 in fraudulent charges.

But did you also know that you could be liable for LESS money, under certain circumstances?

And did you know that this liability law does NOT apply to debit cards?

According to the Federal Trade Commission, the Fair Credit Billing Act guarantees that "your maximum liability under federal law for unauthorized use of your credit card is $50."

But, if you report the loss of your credit card BEFORE fraudulent charges are made, you cannot be held responsible for ANY of those charges. In other words, you owe nothing.

Here's another fact most people don't know: "If the loss involves your credit card number, but not the card itself, you have no liability for unauthorized use."

Plus, if you're a good customer, your credit card company will often waive the $50 liability.

That's the good news. Now here's the bad news. If your DEBIT card is lost or stolen, your liability is just $50, but ONLY if you report the loss/theft within two days after you realize your card is missing.

And, if you neglect to notify your bank that your debit card has gone missing within 60 days after your bank statement containing the unauthorized use is mailed to you, you could lose EVERYTHING in your checking and overdraft accounts.

Also, even if you're not ultimately responsible for the debit card losses, if the theft results in your checking account being emptied and that causes your checks to bounce, you may still be liable for the fees.

To protect yourself against fraudulent charges on your debit card, contact your financial institution to learn about their liability policies. A few debit card issuers offer better protection than the federal government.

For example, some debit card issuers offer consumers "zero liability" in cases of fraud, theft or unauthorized usage, as long as the cardholder reports the problem within two business days after discovery.

And, if it takes longer than two days, these cardholders are only liable for a maximum of $50 in charges.

To borrow a phrase from the popular Capital One commercial—it pays to know "what's in your wallet".