Accepting Credit Card Payments Online

3 August 2000
If your e-commerce business is to succeed, you will take credit cards. The problem is that the anonymity afforded by the Internet makes the Net a great place to use a stolen credit card. If you want to minimize your risk of being victimized by credit card fraud, you must implement proper procedures.

The simple fact is that credit cards are the fuel that fires e-commerce. Clearly, they're the payment method of choice.

Just as clear is that the Internet is a great place to create or assume a false identity. If you doubt this, then visit your nearest chat room where everybody is a perfect physical specimen.

While online credit card fraud is a problem, the benefits should outweigh the losses. The trick is to develop a set of systems that minimize your losses by flagging and preventing fraudulent transactions.

For an e-commerce credit card fraud prevention system to work, it needs to be highly automated so that it's cost effective. You want to minimize manual screening methods or what's often called "exception processing." It's expensive and it frustrates legitimate customers because they don't get a routine and fast confirmation that you've accepted their order.

"Card Not Present Transaction"

Unlike a retail transaction in a store, a credit card purchase over the Net is treated like a telephone or mail order. In the parlance of the credit card industry, it's a "Card Not Present Transaction." As a practical matter, what that means is that you, as the merchant, are assuming more risk than a storefront retailer. With this type of transaction, you will be the big loser if the card is bad even if the bank "approved" the sale.

Still, if you overuse exception processing, you'll never be able to scale your e-commerce transaction. You don't want the cost of manually handling credit cards to unduly eat into your profits.

Understanding Your Risks

Experts estimate fraud rates for online credit card sales at between 1% and 8% and sometimes higher. You can judge your risk level by looking at what it is you sell. Things like consumer electronics and "digital goods" have the highest fraud rate. ("Digital goods" are those things that you can "deliver" over the Net like software, games, graphics and information. Until Mr. Spock figures out how to beam a t-shirt through a modem, it doesn't include physical goods.)

Digital goods are more of a problem because there's less of a delivery trail to follow once you discover the fraud. Credit card thieves know this and use it to their advantage.

There is no foolproof method available to eliminate online credit card fraud. It will always be a more difficult environment for credit cards than a physical retail store. The retail store can minimize its risks by looking for embedded holograms, fine line printing, signature comparisons and photographs of the cardholder.

Even a telephone order has some human interaction, which can be used to catch some types of fraud. The Internet transaction has none of these advantages.

There is no single perfect indicia of fraud upon which your e-commerce business can rely. Still, a thing like a "billing address" that's different from the "ship-to" address is statistically risky, but people do send gifts and often do have different legitimate addresses. A customer with a free e-mail account (like a address) is riskier than a customer with an e-mail address that goes to LocalInternetServiceProvider.Net, but millions of people use free e-mail addresses and never commit fraud.

To successfully minimize Internet credit card fraud, you have to rely upon systems that use artificial intelligence to "score" a number of factors that tend to be indicators of potential fraud. Without listing a hundred such factors that artificial intelligence software might use, here are a few examples to give you a feel for how this technology works.

One would be the number of times the cards has been used in the last few hours. A high rate of recent use tends to show possible fraudulent activity.

Another would include nonsensical input. Here, the software evaluates the data entered in the name and address fields. Good software looks for geographical location consistency so that if the zip code doesn't match the area code, the software should know it.

A bad sign is obscenities on the order. It's usually a sign of a customer who's not quite the customer around which you want to build your profit and loss statement.

One final example is what's called "product category frequency." Here, the artificial intelligence is wary if the customer is trying to buy a particular product more often than would normally be expected.

With the help of sophisticated artificial intelligence, you can reduce your risk of being victimized by credit card fraud. To maximize the profits of your e-commerce business, you need to take a close look at the technologies available to you.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at:

If you have any comments, please send them to

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.