Archive for the ‘fraud protection’ Category

Should you require CVV or AVS for phone orders?

Thursday, December 10th, 2009

Why check for address instead of CVV for mail orders to protect against fraud? Shouldn’t CVV or CVV2 be checked before anything else? The difference really lies in the way your firm processes orders and the need to be PCI Compliant.

MO/TO or MOTO stands for Mail orders/telephone orders. The same rules apply for fax orders.

Mail orders or fax orders generally involve a pre-printed form returned with the buyer’s selection and pricing. The card is then scanned with an OCR device or the order is keypunched. The form should not ask for the CVV or CID code, as this presents a security risk from the moment it leaves the sender’s hands. Therefore, when the order is received, the merchant needs a way to process the order that does not require a CVV code but still protects the merchant from fraud. AVS, or address verification, becomes essential to prevent fraud. If using a virtual terminal, the terminal should require an AVS check.

If you complete phone orders by keypunching the cardholder’s data while on the phone with the customer, you can ask for the CVV or CVV2 code. The assumption is that you are using a PCI Compliant solution, whether software or a virtual terminal, that does not store the CVV data. A secure method such as a virtual terminal can prompt for the CVV code and also perform an address check. There is still some risk in taking CVV over the phone because the data is exposed to whoever handles the order. If the merchant writes down transaction information to be keypunched later, the merchant should avoid requesting CVV whenever possible; there are few exceptions that allow CVV codes to be written down, and in those cases special PCI Compliance standards need to be followed to protect the data temporarily until it is securely shredded.

The AVS response can be a full match, partial match, no match, unavailable, or retry.

Full match - Both the zip code and address match.

Partial match - Only the zip code or the address matches, but not both. You may wish to determine what risk you are willing to assume based on the order value.

No match - Zip and address don’t match. This is a sign of fraud, and further steps should be taken to verify it’s a valid transaction. If you’re on the phone, ask questions and get the CVV. If you’re not on the phone, you might want to invest time in a little research, depending on the value of the order. For example, I’ve used whitepages.com to research name, phone and address. If the person moved, there could be a legitimate reason, but the person should be able to recite their old address.

Unavailable - The system is unavailable or the card issuer does not support it. US card issuers must support AVS, but this is not true worldwide. For merchants that have a lot of transactions from foreigners, requiring AVS can be a problem because those cards can’t pass. However, all cards should be able to pass CVV. Merchants lose all chargeback prevention rights for card not present transactions if the CVV or AVS response is U.

Retry - The card issuer’s system is unavailable; try again later.

For more details, please see the Visa Card Acceptance Guide.

If the merchant performs an address check and gets a full match, plus has a CVV match, they’ll be in a better position to win chargeback disputes. However, your customer types, order processing methods, employees and industry all are factors in assessing risk and determining what steps are best for you to mitigate risk. Whatever methods you choose, be sure to communicate policies with employees and always review PCI Data Security Standards.
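The AVS categories and channel rules above can be written down as an explicit order-screening policy. The sketch below is an added example, not code from this post or from any vendor product; the letter-to-category mapping, the `decide` function, and the 100.00 partial-match limit are assumptions to be replaced with your processor's codes and your own risk thresholds.

```python
from decimal import Decimal

# Assumption: widely published single-letter AVS codes. Processors differ,
# so confirm the mapping against your gateway's documentation.
AVS_CATEGORY = {"Y": "full", "A": "partial", "Z": "partial",
                "N": "none", "U": "unavailable", "R": "retry"}

# Hypothetical threshold: largest order accepted on a partial AVS match.
PARTIAL_MATCH_LIMIT = Decimal("100.00")


def decide(channel, avs_code, amount, cvv_match=None):
    """Return (action, reason) for one card-not-present order.

    channel:   "mail" (mail/fax form) or "phone" (keyed during the call)
    cvv_match: True/False from the processor, None if CVV was not collected
    """
    if channel not in ("mail", "phone"):
        raise ValueError("unknown channel: %r" % channel)
    if channel == "mail" and cvv_match is not None:
        # Rule from the text: a mail/fax form must never carry the CVV.
        raise ValueError("CVV must not be collected on mail or fax orders")
    category = AVS_CATEGORY.get(avs_code.strip().upper(), "unknown")
    can_ask_cvv = channel == "phone" and cvv_match is None

    if cvv_match is False:
        return "review", "CVV did not match"
    if category == "retry":
        return "retry", "issuer system unavailable, resubmit later"
    if category == "full":
        return "approve", "address and zip match"
    if category == "partial":
        if Decimal(amount) <= PARTIAL_MATCH_LIMIT:
            return "approve", "partial match under order-value limit"
        return "review", "partial match over order-value limit"
    if can_ask_cvv:
        # No match or unavailable while the customer is still on the line.
        return "ask_cvv", "AVS result is %s, collect CVV" % category
    if category == "unavailable" and cvv_match:
        return "approve", "AVS unavailable, CVV matched (weaker dispute position)"
    return "review", "AVS result is %s, verify manually" % category


# Constructed sample orders, not real transactions.
SAMPLES = [("phone", "Y", "250.00", True), ("mail", "Z", "40.00", None),
           ("mail", "A", "900.00", None), ("phone", "N", "75.00", None),
           ("mail", "U", "60.00", None), ("phone", "R", "20.00", True)]

if __name__ == "__main__":
    for order in SAMPLES:
        print(order, "->", decide(*order))
```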

CenPOS is a technology solution with numerous controls to help management set criteria globally and down to the cashier level. Settings include AVS (full and partial) and CVV plus dollar thresholds.

Payments Fraud Rampant in Majority of U.S. Organizations

Tuesday, November 17th, 2009

Fraud control measures heavily employed to mitigate risk and reduce exposure

March 26, 2009 - Deteriorating financial conditions in 2008 coupled with the emergence of new payments types and the growth of electronic payments opened up new opportunities for payment fraud, according to the 2009 AFP Payments and Fraud Control Survey. The assault on payments is widespread: over seventy percent of organizations surveyed experienced attempted or actual payments fraud in 2008. The survey was sponsored by J.P. Morgan Treasury Services.

Large organizations were more likely to have experienced payments fraud than were smaller ones. Eighty percent of organizations with annual revenues over $1 billion were victims of payments fraud in 2008 compared with 63 percent of organizations with annual revenues under $1 billion.

Since 2005, the Association for Financial Professionals (AFP) has examined the nature and frequency of fraudulent attacks on business-to-business payments and the industry fraud-risk tools that organizations use to control payments fraud.   Continuing that research, in January 2009 AFP conducted its Payments and Fraud Control Survey to capture the payments experiences of organizations during 2008.

Thirty percent of survey respondents report that incidents of fraud increased in 2008 compared to 2007. Further, nearly forty percent of organizations experienced increased fraud activity during the second half of 2008 as economic conditions worsened in the U.S.

According to Nasreen Quibria, Director of Payments for AFP, “the fraud attacks on payment activities have occurred at a greater frequency than we’ve seen in the past. Now, the vulnerability of all payment methods, especially checks, demands a range of fraud-fighting tools and the vigilance of financial and treasury professionals responsible for protecting organizations’ assets.”

Nine out of ten organizations (91 percent) that experienced attempted or actual payments fraud in 2008 were victims of check fraud. The percentages of organizations affected by payments fraud via other payment methods were: ACH debit (28 percent); consumer credit/debit cards (18 percent); corporate/commercial cards (14 percent); ACH credits (seven percent); and wire transfers (six percent).

Sixty-three percent of organizations that were victims of actual and/or attempted payments fraud in 2008 experienced no financial loss, and among organizations that did suffer a financial loss resulting from payments fraud in 2008, the typical loss was relatively small at $15,200.

Many organizations are mitigating financial loss from fraud by turning to a number of defensive measures provided by their banks, including:

  • Positive pay/reverse positive pay (82 percent)
  • ACH debit blocks (71 percent)
  • ACH debit filters (55 percent)
  • Payee positive pay (50 percent)
  • Post no checks restriction on depository accounts (34 percent)

Organizations can also develop and/or modify internal business processes to minimize potential payments fraud risks.  The processes considered important include:

  • Stopping the provision of payment instructions by phone or fax (86 percent);
  • Increasing the use of electronic payments for business-to-consumer and business-to-business transactions (82 percent); and
  • Reducing the number of bank accounts (82 percent).

“J.P. Morgan is highly sensitive to the need for vigilance in protecting client assets from fraud,” said Iqbal M. Khan, executive director, J.P. Morgan Treasury Services. “We are pleased to sponsor the 2009 AFP Payments and Fraud Control Survey. We look forward to the data being used to foster important discussion around this issue and to seeing the financial community continue to develop anti-fraud tools that provide the critical safeguards corporates want and need.”

The survey includes responses from 629 corporate treasury and finance professionals including assistant treasurers, controllers, cash managers, analysts, and directors. To obtain a complete report of the 2009 Payments Fraud and Control Survey go to www.AFPonline.org/research.

About AFP

The Association for Financial Professionals (AFP) serves a network of more than 16,000 treasury and finance professionals. Headquartered in Bethesda, MD, AFP provides members with breaking news, economic research and data on the evolving world of treasury and finance, as well as world-class treasury certification programs, networking events, financial analytical tools, training, and public policy representation to legislators and regulators. AFP is the daily resource for treasury and finance professionals.

AFP’s global reach extends to over 150,000 treasury and financial professionals worldwide, including AFP of Canada; London-based AFP’s gtnews, an on-line resource for the treasury and finance community; and bobsguide, a financial IT solutions network.

Protect against payments fraud

Tuesday, November 17th, 2009

How can you protect your company from payments fraud? What are the current areas of risk? What are the statistics for losses? A JP Morgan presentation answers these questions with data for all payment types.

Managing Risk: What Matters Today: Protecting Your Assets is part of a series to help treasury management mitigate risk, among other goals. Link to PDF download and webinar.

We’ve identified a number of companies, services, and technologies that are especially vigilant in protecting you against fraud, including JP Morgan. Unlike JP Morgan, though, we are not limited to a single vendor option. Our clients can choose from many solutions, including expanding the relationship with their current vendor. We increase awareness of what’s available and help you choose solutions best suited for your organization.

For example, CenPOS has fraud protection solutions to prevent improper credit card refunds.