Yahoo Stores features ‘automatic’ PCI compliance for secure payments, among other options.
In a new scam, criminals are exploiting the second address line to get fraudulent transactions past MasterCard and Visa’s fraud screening Address Verification Service, payments processor ClearCommerce reports.
In a new scam, criminals are exploiting retailers’ double address lines to get fraudulent transactions past MasterCard and Visa’s fraud screening Address Verification Service, payments processor ClearCommerce reports.
ClearCommerce says it has seen the fraud sporadically over the past few months, but that five large merchants have reported it in the last week. "It is now above the noise level and is what we consider an emerging scheme," says Julie Fergerson, co-founder and vice president of Emerging Technologies.
With the latest scam, criminals are taking advantage of the fact that the Address Verification System checks only the numeric portion of an address and the ZIP code. Transactions receive a pass if both match the card companies’ records, a partial OK if either element matches and a failure if neither matches.
Criminals obtain valid credit card numbers and the correct billing addresses on the accounts. When they use the accounts to order something online, they enter the correct address on the first line with some gibberish afterward, then enter the shipping address on the second line. A transaction going through the AVS system will obtain partial approval if the system notices that the number in the address is correct, regardless of what follows it, even if the ZIP Code doesn’t match, ClearCommerce says. It can also receive a partial approval if the ZIP code is right but the numeric part of the address is wrong.
When the package enters the delivery stream, though, automated scanners can recognize the first address line is not a valid address and so will drop to the second address line, where they will recognize a valid address and route the package accordingly.
While criminals could use the correct address in the bill-to form and their own address-or a drop box address-in the ship-to form, many retailers scrutinize orders more closely when they contain separate bill-to and ship-to addresses. Criminals thus gain an advantage in bypassing those filters by using only the one form for both bill-to and ship-to addresses. “Fraudsters like to do the same shipping and billing address as much as possible; it creates less suspicion if the ship-to address is the same as the bill-to address,” says Steve Waldschmidt, senior risk management analyst for ClearCommerce.
Waldschmidt says retailers can fight back by reviewing partial passes in which the numeric part of the address is correct but the ZIP Code is incorrect. While that may be a big undertaking, it’s easier than other forms of manual review, which often require a call to a customer or looking up information in a database. A visual inspection of packages can flag when the material after the number in an address is gibberish.
ClearCommerce reports that 25% of orders receive a partial match approval. 1.7% pass the street number and fail the ZIP portion. That`s the portion that retailers should focus on, ClearCommerce says.
Retailers can get an idea if this is a problem by comparing partial-match approvals today to historic rates. ClearCommerce also urges retailers to use other fraud triggers and don’t rely on AVS alone.