Dan Grossman

This isn’t the kind of record I want to be setting: My credit card chargeback rate for March is now at 13%; higher than August 2006′s 10% and over 11% higher than my yearly average for 2006. After talking to most of the card holders personally, they not only didn’t place the orders their credit cards were used for, but most don’t even have websites to order services for in the first place.

Not a single chargeback was due to dissatisfaction with service (services not rendered or not as described) — they are all under the chargeback codes for fraud or unrecognized transactions. Stolen card numbers, with matching billing addresses and CVV2 security codes. No order is accepted without passing those checks. No order is accepted when the IP address maps to an apparent open proxy or a high risk country.

But these thousands of dollars in orders were all accepted. They beat the fraud scoring system; there’s simply no way to tell these orders weren’t placed by the actual card holders except the chargebacks themselves. Given I’ve been fighting this battle against card thieves for a few years, I think I’m already doing all that is technologically possible to detect fraud.

My scoring system does everything a professional one like MaxMind or FraudGate can do, then takes it a step further with indicators specific to my business (like trying to advertise the same site as a known fraudulent account once did, or changing billing addresses multiple times before successfully placing an order, or signing up for multiple accounts in one session). That’s not to say fraud scoring doesn’t help. I turned away more than 50 orders this month that were automatically flagged.

That leaves me with little option but to take the final step I’ve been trying to avoid: phone verification. I simply don’t have time, given I’m occupied by either a job or school during business hours, to call each customer personally, so it must be outsourced. Right now, that means MaxMind’s Telephone Verification service. It’ll place an automated phone call to the customer, and read a number that has to be entered on the website before their card is charged.

The point of that is to verify the phone number provided is working and that the person at that number is the person placing the order. The likelihood of the guy sitting in Romania with the stolen card number giving his real phone number, and thus a path to his identity, to the website he’s trying to defraud is likely near zero. I’ll be implementing this soon, hoping it doesn’t result in a higher cart abandonment rate.