How To Prevent Credit Card Fraud On Shopify

"Ecommerce losses to online payment fraud were estimated at USD 41 billion globally in 2022, up from the previous year ... expected to grow further to USD 48 billion by 2023." - Daniela Coppola, Statista, Aug 29, 2023.

Thankfully, though, in my own experience since 2014:

  • With two different shopping cart platforms (Virtuemart and Shopify),
  • With five different payment gateways (Wirecard, PayPal, Mastercard Payment Gateway Services, Shopify and Atome),
  • Accepting payments via eight different network providers (Visa, Mastercard, American Express, Diners Club, JCB, Discover, UnionPay and PayPal) and
  • Selling to customers in 31 countries ...

... we've suffered only one chargeback. Out of more than 17000 online orders. All checked and validated. One transaction at a time.

Yes, you read that right! Touch wood. :)

On Shopify, here's the step-by-step procedure I've been following as a merchant (never used any of the third-party fraud filter/blocker Apps available in their Store).

First things first.

In Shopify checkout settings, make the following mandatory for buyers:

  • Email address.
  • First and last name.
  • Shipping phone number.

Now, let's get down to business.

Check each order. For each of these scenarios. To identify possible red flags.

Incomplete shipping address:

  • No unit number: low risk.
  • No zip/postal code or no local shipping telephone: Ask buyer to provide (via email). Since courier/logistics company will need these on the waybill anyway.

Shipping name differs from billing name:

  • With same address: No/low risk. For example, members of the same household.
  • With same company name and ordered using company email address: No risk. For example, a staff member may have ordered on behalf of his/her Manager.
  • With same family name and same gender of first name: No/low risk. For instance, a Singapore customer may have registered her credit card in her given name Mei Ling. But ordered using her Christian name Claire.
  • All other cases: Medium/high risk.

Or for that matter ...

Shipping phone differs from billing phone:

  • From same city/country: Low risk.
  • From different countries: Medium/high risk.

Cardholder name differs from billing name, shipping name and email name (ie from all three):

  • Medium/high risk: Ask buyer for cardholder's formal acknowledgment/approval (via his/her own email address). Referring to the specific order number. In black and white. Even if buyer has used a Corporate Card registered in their Finance Director's name.

Can never be too careful, can we?

IP country differs from both billing country and shipping country:

  • From restricted/embargo country: High risk. Use third-party website to look up IP country. Many freely available on the internet.
  • Else: Medium risk. Ask buyer to confirm that he/she was overseas or had used a company VPN or web proxy server.
  • All other cases: High risk.

CVV (Card Verification Value) Check is not 'Pass':

  • If buyer has used an Accelerated Checkout Method (like Apple Pay, Google Pay or Shop Pay): safe.
  • Else: High risk.

Wasn't it the late Andy Grove who'd said, "Only the paranoid survive"?

3D Secure/OTP (one-time password)/ECI (Electronic Commerce Indicator) has 'Failed':

  • If card-issuing bank is yet to enable 3D Secure authentication for its subscribers: Medium/high risk. Banks in most countries have already implemented it. Hence, safer to cancel and refund anyway.
  • Else: High risk.

Buyer has attempted payment more than once:

  • Due to time out: No risk.
  • Due to other/unknown reason: Low risk.

Or even ...

Buyer has attempted payment with more than one credit card:

  • Cards issued in different countries: High risk.
  • Cards issued in same country:
    • Due to insufficient balance: No/low risk.
    • Due to other/unknown reason: Medium risk.

Credit-card-issuing country differs from both billing country and shipping country:

  • From restricted/embargo country: High risk.
  • Else if CVV='Pass', low risk.
  • All other cases: Ask buyer to re-order using local credit card.

Unfamiliar email address top-level domain:

  • If address exists and is deliverable: Low risk. Use third-party email verifier site to check.
  • All other cases: Medium/high risk.

Lastly, for good measure ...

Other behaviours typical of scamsters:

  • they check out as guests without creating/activating an account.
  • they do not subscribe to newsletters. Or to any email marketing.
  • they do not engage in live web chat even before a high-value purchase.
  • they use generic email domains. Free rather than paid.
  • they order at suspiciously odd hours (in their own time zones).
  • they provide a post office box or an international freight aggregator's/consolidator's warehouse address as shipping destination.
  • they sometimes ask for a change of shipping address after you confirm their order.
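
As an added example (not part of the original post and not Shopify code), four of the scenarios above (shipping/billing name, shipping/billing phone, IP country and CVV) can be written as explicit rules over an order record. The field names, the `RESTRICTED` placeholder, reading "No/low" as low and "Medium/high" as high, and reporting the worst level found are all assumptions made for illustration.

```python
# Added example. Field names, the level mapping and RESTRICTED are assumptions.
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
RESTRICTED = {"XX"}  # placeholder for the merchant's restricted/embargo list
ACCELERATED = {"apple_pay", "google_pay", "shop_pay"}

def review_order(o):
    """Apply four checklist scenarios; return (worst_level, findings)."""
    findings = []

    # Shipping name differs from billing name.
    if o["shipping_name"].casefold() != o["billing_name"].casefold():
        same_addr = o["shipping_address"] == o["billing_address"]
        findings.append(("low", "name mismatch, same address") if same_addr
                        else ("high", "name mismatch, different address"))

    # Shipping phone differs from billing phone.
    if o["shipping_phone"] != o["billing_phone"]:
        same_cc = o["shipping_phone_country"] == o["billing_phone_country"]
        findings.append(("low", "phones differ, same country") if same_cc
                        else ("high", "phones differ, different countries"))

    # IP country differs from BOTH billing and shipping country.
    if o["ip_country"] not in (o["billing_country"], o["shipping_country"]):
        if o["ip_country"] in RESTRICTED:
            findings.append(("high", "IP in restricted country"))
        else:
            findings.append(("medium", "IP abroad: ask buyer to confirm"))

    # CVV check is not 'Pass'; accelerated checkouts are treated as safe.
    if o["cvv_result"] != "Pass" and o["payment_method"] not in ACCELERATED:
        findings.append(("high", "CVV not passed"))

    worst = max((lvl for lvl, _ in findings), key=RANK.get, default="none")
    return worst, findings

# Constructed sample orders (not real data).
BASE = dict(shipping_name="A. Buyer", billing_name="A. Buyer",
            shipping_address="1 Example Rd", billing_address="1 Example Rd",
            shipping_phone="+65 0000 0001", billing_phone="+65 0000 0001",
            shipping_phone_country="SG", billing_phone_country="SG",
            ip_country="SG", billing_country="SG", shipping_country="SG",
            cvv_result="Pass", payment_method="card")
ORDERS = {
    "clean": BASE,
    "household": {**BASE, "shipping_name": "B. Buyer"},
    "abroad": {**BASE, "ip_country": "AU"},
    "bad_cvv": {**BASE, "cvv_result": "Fail", "ip_country": "XX"},
}
RESULTS = {name: review_order(o) for name, o in ORDERS.items()}
```

The findings list keeps the reason for each flag, so the follow-up email to the buyer can refer to the specific check that triggered it.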

And there you have it!

A checklist that will hopefully protect you. From illegitimate or unauthorised payments. Without offending or deterring genuine bona fide customers.

Would love to hear of any other safeguards you know.

Happy and safe online selling!

Until next time. :)
