When Bladematrix.com got hit by foreign-based fraud, it didn’t take long for the small web-only retailer of pocketknives, swords and accessories to cut it out of its payment system, owner Kendall Dickerson says. At the same time, he adds, he learned how fraud-prevention tools can also go too far.
Before upgrading its payment security system, Bladematrix had required online purchasers to enter their card security codes and their ZIP codes, but not a street address as part of address verification.
A criminal based in the Mideast—who had acquired a stolen credit card along with the legitimate cardholder’s ZIP code—placed an order on Bladematrix.com for shipment to Israel. Because the thief was able to enter both the ZIP code and the card security code, the purchase transaction went through and the order shipped. The card security code, also known by terms including card verification value, is the 3- or 4-digit number printed on payment cards to ensure a card user actually has the card on hand and is not just using a stolen account number.
“The ZIP was right for the card account, but wrong for the shipping address, but it didn’t make a difference for the shipping address in Israel and the shipment went to where the culprit wanted it to go,” Dickerson says.
Luckily for Bladematrix, the true owner of the stolen card called soon afterward to alert the retailer to the card theft and fraudulent transaction. Although the criminal had already placed a second order, Dickerson was able to terminate it before it was shipped through UPS, he says.
To guard against similar incidents of fraud, the retailer implemented new risk-management tools from its payment processor, Fort Thomas, KY-based Omega Processing. Omega Processing’s security suite usually adds from $2 to $5 to a monthly payment gateway fee that ranges from $10 to $30, says Tony Damico, vice president of products and services for Omega.
The primary tool in the retailer’s new arsenal is a feature that now requires shoppers to enter both billing and shipping addresses.
If the addresses don’t match, Bladematrix gets a red flag alert in its order management system. If flagged transactions look suspicious, such as high-value orders shipped overseas, the retailer decides whether to conduct a manual review and contact the cardholder to verify the order.
Simple enough, but the system “has caused us an amount of grief, too,” Dickerson says. The new address verification system will block credit card authorizations if a shopper doesn’t enter a billing address—a problem for customers placing orders with third-party gift cards issued by banks, telephone companies and other organizations. “We’re losing some orders,” Dickerson says.
He adds that Bladematrix places notices on its site to inform shoppers with gift cards to call in their order to have it manually processed, but many still try to process the gift card payment online and get rejected.
Nonetheless, the address verification system has coincided with a sharp drop in chargebacks. “We’ve virtually eliminated them,” Dickerson says.