Fighting Online Payment Fraud

It’s the classic good news/bad news scenario.

Online merchants are prospering as consumers increasingly take to their computers and smart phones to shop — that’s the good news.

The bad news is that cyber criminals are following online money like sharks following blood. According to the most recent LexisNexis® True Cost of Fraud℠ Study[1], eCommerce merchants are among the hardest-hit by rising fraud losses and associated costs. Experts blame it in part on massive data breaches that have flooded the black market with stolen card numbers.

Fortunately, there are steps you can take to reduce your risk of online payment fraud. It starts with an understanding of the signs of potential fraud. In particular, Visa®[2] suggests that online merchants look for the following:

  • First-time shoppers — Criminals are always looking for new victims.
  • Larger-than-normal orders — Because stolen cards or account numbers have a limited life span, crooks need to maximize the size of their purchase.
  • Orders that include several of the same item — Having multiples of the same item increases a criminal's profits.
  • Orders made up of “big-ticket” items — These items have maximum resale value and therefore maximum profit potential for thieves.
  • Rush or overnight shipping — Crooks want their fraudulently obtained items as soon as possible for the quickest possible resale — they usually aren’t concerned about extra delivery charges.
  • Shipping to an international address — A significant number of fraudulent transactions are shipped to addresses outside of the U.S. where address verification is not always possible.
  • Shipping to a single address, but transactions are placed on multiple cards — This could involve an account number generated using special software, or even a batch of stolen cards.
  • Multiple transactions on one card over a very short period of time — This could be an attempt to "run a card" until the account is closed.
  • Multiple transactions on one card with a single billing address, but multiple shipping addresses — This could represent organized activity, rather than one individual at work.
  • Multiple cards used from a single IP address — More than one or two cards from one IP address could definitely indicate a fraud scheme.
  • Orders from Internet addresses that make use of free e-mail services — These e-mail services involve no billing relationships, and often neither an audit trail nor verification that a legitimate cardholder has opened the account.


5 Steps to Follow

If being aware of the red flags of fraud is the first step, the second is adding some concrete steps to your online payment process. Here are 5 steps to consider:

  • Verify the address. Request both the billing and shipping address, and then utilize Address Verification Service (AVS) before the transaction is processed. AVS checks the billing address listed in the transaction against the address registered with the issuing bank.
  • Create a blacklist. Compile a “no-sell” list of cards and customers suspected of fraudulent transactions.
  • Ask for the security code. Typically printed on the back of the card, the three-digit security code (four digits for American Express) is not stored in the card’s magnetic strip and can’t be as easily retrieved by thieves unless they physically have the card.
  • Restrict the number of declined transactions. Restricting the number of times a user can incorrectly enter in credit card numbers can foil scammers using malicious software that tries many credit card numbers in succession. Ban them once they exceed a certain number of attempted transactions.
  • Strengthen your website security. Make sure your systems and processes meet the required payment card industry’s security standards for e-commerce transactions (i.e., that they’re PCI-compliant). Consider using eCommerce sites that use a “trust mark” security service that scans daily to search for malware and vulnerabilities. And always keep up-to-date with your software. Using the most current version helps ensure you have updated security patches in place to protect against a breach of your site.

Protect Your Data

With data breaches on the rise, protecting your customers’ valuable payment card data is more important than ever. Clover® Security Plus is designed to dramatically reduce risk by encrypting and protecting sensitive cardholder data at every stage of the transaction — while it’s in transit, in use and at rest. PNC Merchant Services also offers Payeezy℠ Gateway, a merchant processing payment gateway solution that provides the highest level of cardholder data security, including 256-bit encryption. By acting now and upgrading to Payeezy℠ Gateway, you will be eligible to receive an extra layer of security delivered through TransArmor® Data Protection tokenization to help protect data at every transactional processing stage. TransArmor Data Protection is included with Clover Security Plus, but you must upgrade to Payeezy Gateway in order to take advantage of this additional security layer that can significantly reduce your risk to data security issues.

PNC Merchant Services is available to help you with security questions or concerns, as well as provide information on Clover Security Plus. Contact us at 1-888-235-6959 to learn more.

More Insights eNews

Get helpful articles like this sent automatically to your inbox quarterly.

Subscribe »

More Payment Solutions »
Contact Us »

Start Your Cash Flow Conversation
Give us a call at 1-855-762-2365 or fill out our simple form and a PNC Business Banking representative will get in touch with you.
Request a Contact »

Associated Products & Services

Data Breaches are on the Rise

Help protect your customers’ valuable payment card data and improve data security for your business with Clover® Security Plus.

Learn More »

Cash Flow Insight℠

Manage your business's cash flow with efficiency, control and insight with our innovative suite of online tools.

Learn More »

Are you ready for the new customer payment option –Contactless?

Contactless payments enable customers to “wave” their chip-embedded card or other payment device, such as a mobile phone, in close proximity to a reader at the point-of-sale (POS) to pay for a purchase.

Learn More »

Important Legal Disclosures & Information



Visa is a registered trademark of Visa International Service Association and used under license.

The Clover® name and logo are owned by Clover Network, Inc., a wholly owned subsidiary of First Data Corporation, and are registered or used in the U.S. and many foreign countries.

Payeezy Gateway is a registered service mark of First Data Corporation.

TransArmor is a registered trademark of the First Data Corporation in the United States and other countries.

All other trademarks, service marks and trade names referenced in this material are the property of their respective owners.

Merchant Services provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.