10 Tips for Preventing Online Credit Card Fraud


Merchants and retailers are often on the front lines of managing payment card fraud. Online businesses face a unique challenge because all purchases are made as a “card not present” transaction. But there are red flags to look out for and security measures to put in place that will help minimize losses from online credit card fraud.

Steve Chou, co-founder of Bumblebee Linens, has had years of experience dealing with online credit card transactions in his e-commerce business. We reached out to him to share some of his “insider” tips and expertise, along with additional pointers. Below are 10 tips to prevent online credit card fraud:

1. Be wary of expedited shipping when billing and shipping addresses differ.

When the “bill to” and “ship to” addresses are different and the customer is asking for expedited shipping, there’s a high possibility for fraud, Chou explains. Also, when the “ship to” address is not the same as the billing address for the card, you are at greater risk of it being a fraudulent transaction. Different billing and shipping addresses are not always a sure sign of fraud (for example, honest customers may order items as gifts). But for all large orders that fit this profile, always call to try to match the phone number as well.

2. Make sure IP location and credit card address match up.

Chou recommends watching out for IP addresses from overseas that don’t match the address on the credit card used in a payment. You can manually research an IP address at a site like IP-Lookup.net.

One way to cut down on the number of these kinds of transactions is to restrict all IP addresses that originate from countries where you don’t offer shipping. Simply program your site to prevent such visitors from checking out in the first place. Some e-commerce software platforms provide settings for you to block IP addresses, without requiring custom programming.

3. Watch out for suspicious email accounts.

Some email addresses are a dead giveaway that you’ve received a fraudulent order, says Chou. Always check the email address used when placing that order. Does it read something like bgh3423679@yahoo.com? If so, it’s a red flag.

4. Do some research on that suspect address.

One way to detect a possible fraudulent credit card transaction is to research the billing address or shipping address being used for the order. Fortunately, there are tools that can make it easier to do this. Chou suggests using Google Maps or Zillow to try to assess whether the address is legitimate. You can use a service such as ZabaSearch to make sure the person actually lives at the address in question, or use address verification services offered by payment brands.

5. Keep a log of credit card numbers.

Chou suggests keeping a log of every attempt a customer makes to enter a credit card number. If the number of attempts is five or higher, it’s likely to be fraud. Most credit card processors will allow you to review the batch transactions for the day. Scammers will attempt many transactions using multiple credit card numbers. Be sure to flag these.

6. Consider using a fraud profiling service.

Though it may not be necessary for every online store, a fraud profiling service such as MaxMind is another option, says Chou. These services cross reference IP addresses, names, previous purchases and more. Studying per-purchase behaviors allows these companies to give you a more informed assessment around each transaction, and to identify high risk transactions. Some e-commerce platforms such as Volusion offer add-on fraud profiling services that work with their software.

7. Restrict the number of declined transactions.

Chou explains that scammers sometimes make fraudulent transactions with a malicious software script that tries many credit card numbers in succession. Since you may incur a fee for each declined transaction, the solution is to restrict the number of times a user can incorrectly enter credit card numbers. Ban them once they exceed that number of attempted transactions.
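One way to implement tips 5 and 7 together, as an added example that is not code from the article or from Chou's store. The log keeps a keyed hash of each card number rather than the number itself, in line with the PCI compliance point in tip 10. The review threshold of five attempts is the article's; the HMAC key, the one-hour window, the decline limit, the distinct-card limit and the `client` identifier (a session or account ID) are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Assumed values, not from the article: the HMAC key, the one-hour window,
# the decline limit of 3 and the distinct-card limit of 3. The review
# threshold of five attempts is the article's.
FINGERPRINT_KEY = b"constructed-demo-key"
REVIEW_ATTEMPTS = 5
DECLINE_LIMIT = 3
DISTINCT_CARD_LIMIT = 3
WINDOW_SECONDS = 3600


def card_fingerprint(pan):
    """Keyed hash of the card number, so the log never stores the number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    mac = hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


class AttemptLog:
    def __init__(self):
        self._events = defaultdict(deque)  # client -> (time, fingerprint, declined)
        self._banned = set()

    def may_submit(self, client):
        """Call before contacting the processor; banned clients cost no fee."""
        return client not in self._banned

    def record(self, client, pan, declined, now=None):
        """Log one attempt and return 'allow', 'review' or 'block'."""
        now = time.time() if now is None else now
        events = self._events[client]
        events.append((now, card_fingerprint(pan), declined))
        while now - events[0][0] > WINDOW_SECONDS:  # drop attempts outside the window
            events.popleft()
        declines = sum(1 for _, _, d in events if d)
        cards = {fp for _, fp, _ in events}
        if declines > DECLINE_LIMIT:  # tip 7: ban once the limit is exceeded
            self._banned.add(client)
            return "block"
        if len(events) >= REVIEW_ATTEMPTS or len(cards) >= DISTINCT_CARD_LIMIT:
            return "review"  # tip 5: flag repeated entries or many different cards
        return "allow"
```

Check `may_submit` before sending a charge to the processor, and call `record` once the processor has answered.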

8. Always require the Security Code.

This security code is typically a three-digit number printed on the back of the card (in the case of American Express, four digits on the card front). It is not stored in the magnetic strip or embossed on the card, so it can’t be as easily retrieved by thieves unless the card is in hand. This code goes by different names depending on the credit card brand: Visa calls it a CVV2, MasterCard calls it a CVC2, and American Express calls it the CID.

9. Ship your orders using tracking numbers and require signatures.

A tracking number helps prove a package was delivered, of course. While this may not protect your business in the case of outright criminals, it may help if you get into a dispute with a legitimate customer who says they never received the package, but you are sure it arrived. For expensive items, always require a signature upon delivery.

10. Strengthen your website security measures.

Beyond the individual credit card transaction, pay attention to the security of your entire website and e-commerce processes. Cyber attacks on small businesses are increasing, mostly because small business websites are perceived as softer targets than larger corporations.

Make sure your systems and services are PCI-compliant (i.e., meeting the payment card industry’s security standards for e-commerce transactions) at every step of the way. Visa and MasterCard each maintain a list of certified PCI-compliant providers. The major e-commerce software platforms or shopping cart providers will have information on their websites about being PCI compliant. In addition, Visa has an animated business guide to data security that I recommend you watch. MasterCard also offers online fraud prevention training for merchants.

Some e-commerce sites use a “trust mark” security service that scans daily to search for malware and vulnerabilities. Examples are TRUSTe, Verisign or McAfee Secure. These services help you avoid or catch problems quickly, and they increase consumer trust.

Your e-commerce software platform — especially a hosted e-commerce service — may integrate advanced security measures and handle it all for you as part of their service. Don’t assume — be sure to check.

No matter what software you use, always update to the latest version as it becomes available. Updates could include security patches vital to avoiding a breach of your site. One vulnerability on your server — even if it’s not in your e-commerce software but in a different software program on the same server — could open a backdoor for cybercriminals to get into all your customer data and steal credit card numbers and other sensitive information. And that could cause you much greater losses and headaches than a fraudulent credit card transaction.

For more information on avoiding fraud at your business and online credit card fraud, you can check out Community Merchants USA’s resources online.

Credit Fraud Photo via Shutterstock


Anita Campbell - CEO

Anita Campbell is the Founder and Publisher of Small Business Trends and has been following trends in small businesses since 2003. She is the owner of BizSugar, a social media site for small businesses, and also serves as CEO of TweakYourBiz.com.

21 Reactions

  1. I like the suggestion to only allow a certain number of attempts before locking out the user. While I might fat-finger the number once or twice on a credit card, 5+ is a huge red flag.

    • Anita Campbell

      Hi Robert,

      I agree. I was so glad we were able to get an interview with Steve Chou because he has learned a lot of lessons over the years about e-commerce, and little tricks you might not otherwise see. He’s been an awesome BizSugar.com member over the years, so it’s been terrific to tap his brain.

      - Anita

  2. Fantastic tips, Anita.

    It’s amazing how much the security code that’s located by the signature area of all credit cards can help prevent fraud.

    The online marketplace is huge; there are always people looking to exploit it.

    As you pointed out, using proper security measures really can go a long way in preventing fraud.

    The Franchise King®

    • Anita Campbell

      And, Joel, I think a lot of it is about being proactive and involved.

      That’s the main thing that stuck out to me from Steve’s interview comments. He doesn’t just sit back and “let orders happen” online with his and his wife’s business. They are in there all the time examining the orders, spotting patterns that might be fraud, and so on.

      It goes to show — you really can make a difference, if you are actively engaged in managing your business, even if online sales are just a part of your business, or all of your business.

      - Anita

  3. Thanks for this. We’ve been dealing with a lot of international fraud lately, so we’ve been looking at what we can do. One thing I’ve noticed is that a lot of these fraud events go to remailers.

  4. After we first launched we quickly ended up adding extra security filters to prevent fraudulent transactions and annoying chargebacks.

    These are some good tips!

  5. We always do #2 in all our transactions. At best, we even call the customers to verify why they are using a different IP address. We don’t deliver products unless the payment has passed. It keeps us on the safe side while we continue with our business.

  6. My credit card had been duplicated before for a fraudulent transaction and it was immediately cancelled by my bank after they called up to inform me of the cheating case. All 10 tips are necessary for the prevention of fraud.

  7. Great tips! It seems online scammers get smarter and smarter as time goes by. A combination of steps from the above post is the minimum you can do to ensure your online finances.

  8. Shawn Hessinger

    Hi Steve,
    Incredibly detailed information here. I’ve left this comment here and on BizSugar so perhaps you could answer it both places for the benefit of both communities. In the case of point number one, I suppose it’s always possible that, even in the case of a legitimate order, you could end up having difficulty reaching someone by phone, especially overseas. I’m wondering. What do you do at that point? What’s your next step or process to try to assess the validity of the order?

    • If it’s a suspicious order with a large dollar amount, I will almost always verify with the card holder even if they are hard to reach.

      If they need their goods immediately, then usually they will be in touch by email or phone if it’s legit. But again, circumstances like this are extremely rare.

  9. Hi Steve,
    Like Shawn, I’m leaving my question in both communities. I think it’s great to have explanations from someone with real experience in this field as a resource for anyone out there who’s run into these kinds of issues with credit card payments for an online business. Here goes. I notice in many cases, there’s a whole lot of verifying going on here and I’m wondering, from a time management standpoint, whether this is something you need to allocate additional resources to as your business grows. Approximately how much time can an online merchant expect to spend on double checking on possible credit fraud vs. all the other activities that go into running a successful business? I realize spending the time to do this is better than taking it on the chin for a bad payment, especially on a really big order. But I’m just wondering, how much time does it eat up in practice and how do you compensate?

    • Almost everything can be automated and/or scripted and we focus our verification efforts on the larger orders, especially if they seem suspicious. For our store, this is a very small percentage of the overall order total.

  10. Wow, amazing list of preventive measures and things to look out for. Quite impressive. Thanks for this information, a lot of which I was not aware of.

  11. Verrrrry useful tips, Steve. Thank you.

    I think some online business owners think it’ll never happen to them. That very thought is a security risk in itself. It could happen. It might. And unfortunately for some, it will and has.
