Fraud Prevention Guide. Version 3.0 January 2013

Transcription

1 Version 3.0 January 2013

2 Introduction... 3 What are Card-Not-Present (CNP) Transactions?... 3 Transaction Process Diagram for Form and Server... 4 Do I need to worry about CNP Fraud?... 5 The Internet Transaction Process... 6 AVS/CV AVS/CV2 Responses... 9 AVS/CV2 Rules Common AVS/CV2 Rules D Secure American Express SafeKey D Secure Responses D Secure Liability Shift D Secure Rules Common 3D Secure Rules The 3rd Man Fraud Analysis Viewing 3rd Man Fraud Results Restrictions Delaying Settlement of Funds The Chargeback Process Manual Checks Additional Fraud Prevention Advice Page 2 of 30

3 Introduction This document is a Sage Pay merchants guide to online fraud protection. Sage Pay is an Internet Payment Service Provider. We provide the software to enable your website to take secure online credit and debit card payments. In order to take secure online payments, you must have an internet merchant account which is provided by your Merchant bank. Although Sage Pay provides the software facility to allow you to trade online and to ensure that your customer s details remain secure throughout the transaction process, we cannot guarantee against fraudulent transactions. It is important to note that Authorisation does not guarantee against chargebacks. You will need to ensure that you have carried out all the necessary checks to minimise the risk that the transaction is fraudulent. Sage Pay provides several tools to help you in your fight against fraud. These tools are detailed later in this document. What are Card-Not-Present (CNP) Transactions? CNP transactions are transactions where the card and cardholder are not present at the point-of-sale. This applies to the following: Internet orders Mail order Telephone orders Fax orders When a CNP transaction is processed, Sage Pay requests authorisation from the card issuer via your acquiring bank. The card issuer will then confirm that the card has not been reported lost or stolen, and that the cardholder has sufficient funds in their account. Because the card and cardholder are not present, you are unable to physically check the card or the identity of the cardholder. You therefore need to be particularly careful about CNP transactions, because it is much easier for the fraudster to disguise their true identity. Page 3 of 30

4 Transaction Process Diagram for Form and Server IMPORTANT NOTE: The transaction process differs slightly for Direct and Terminal transactions. For further information, please create a login to the Sage Pay website where you can access the full suite of online technical help and user guides in our Help Centre. Page 4 of 30

5 Do I need to worry about CNP Fraud? The internet is currently the fastest growing area for making CNP purchases. Because the internet enables an individual to disguise their identity, it gives them much greater confidence when using card details fraudulently. Some of the factors which make the internet a higher risk for CNP transactions include: Overseas orders No centralised standards or legal authority Weak customer identification mechanisms The table below shows annual fraud losses on UK issued cards for card-not-present transactions. All figures in millions Although card-not-present fraud accounts for more than half of all card fraud, it fell by 3% to million in This recent decline in fraud is even more impressive when the massive growth in CNP spending over the past ten years - especially over the internet - is taken into account. The reasons behind the continued decrease include the increasing use of sophisticated fraud screening detection tools, as well as the growth in the use of MasterCard SecureCode and Verified by Visa by both online retailers and cardholders. (source Financial Fraud ActionUK) The internet has opened the international market to UK businesses. With overseas orders come extra risks which can be difficult to tackle and you should pay particular attention to these orders. You are responsible for ensuring that CNP transactions are not fraudulent. If a transaction is fraudulent, you will be liable for the loss. You need to ensure that you have procedures in place to protect your business against fraud. Page 5 of 30

6 The Internet Transaction Process Sage Pay, you as the merchant and the customer (card holder) are not the only parties involved in the transaction process for internet CNP transactions. There are actually several parties involved. Merchant The merchant or retailer is the party selling goods or services via the internet. In this case it would likely be you. If you are new to trading on the Internet you need to obtain permission from your acquiring bank. You are responsible for ensuring that transactions are placed by the genuine cardholder and are therefore liable if the genuine cardholder disputes the transaction. Acquiring Bank The acquiring bank provides you with an internet merchant number to allow you to take credit and debit card transactions online. The acquiring bank deals with the processing and settlement of funds for each transaction. They will help you to process a chargeback with the card issuer (see page 26 for details). Sage Pay are currently approved with the following acquiring banks: Lloyds TSB Cardnet Barclaycard Merchant Services NatWest Streamline HSBC First Data American Express Diners Club JCB Elavon (Bank of Ireland/Alliance & Leicester) Allied Irish Bank Chase Payment Tech If you would like advice about merchant accounts or merchant banks, please visit the link below; Card Issuer The card issuer is the financial institution that provides the cardholder with their credit or debit card. The card issuer is contacted by the acquiring bank during the transaction process. The following details are confirmed: That the card number exists That the expiry date is correct (not for all transactions) That the card has not been reported lost or stolen That there are sufficient funds in the account at that given moment in time The card issuer will also check the AVS/CV2 details (see page 8 for details) if this information has been provided in the transaction message. Card issuers will also notify you of chargebacks and will deal with any subsequent disputes. Page 6 of 30

7 Card Schemes The card schemes provide the branding and infrastructure to enable credit and debit cards to be used internationally and provide the rules for card acceptance. The card schemes also provide a mechanism for acquiring banks and card issuers to talk to one another during authorisation. Visa/MasterCard Directory The Visa/MasterCard Directory provides information about each card and its current 3D Secure status. (see page 13 for details) Payment Service Provider The Payment Service Provider (Sage Pay) provides the software for merchants to take online credit and debit card payments in a secure environment. The Payment Service Provider software sits between the merchant s acquiring bank and their website. Page 7 of 30

8 AVS/CV2 The banking industry introduced AVS and CV2 to help combat the growing problems with verifying the shopper during a CNP transaction (Cardholder Not Present). AVS and CV2 checking is an electronic notification service that is provided by most card issuers. AVS and CV2 checks can be carried out on all ecommerce and Mail Order/Telephone Order transactions placed through your Sage Pay account. The aim of these security checks is to provide additional information on each transaction which arms you, the merchant, with information to reduce the risk of fraudulent transactions. Address Verification Service (AVS) This allows you to check the numerical details in the cardholder s address and postcode with their card issuer. Although the results are split, the response is combined and it is not possible to apply rules against just the post code result or just the address result. AVS is available for all UK issued credit and debit cards. AVS is not checked for overseas orders and the characters in the billing address are not checked, only the numerical details. IMPORTANT NOTE: It is possible for a cardholder to change their billing address details when they reach the Sage Pay site. If you would like to prevent the cardholder from being able to do so you should change the payment page template in the Settings area of My Sage Pay. Card Verification Value (CV2) This allows you to check the additional 3 or 4 digit security code found on the signature strip on the back of the card. American Express cards have a 4 digit security code found on the front of the card just above the card number. CV2 can be checked on all cards issued within the EU and the majority of international cards. AVS/CV2 checking is active by default on all new Sage Pay accounts. You can control this through the AVS/CV2 section in the Settings area of My Sage Pay. IMPORTANT NOTE: Although AVS/CV2 is set up on all new accounts, Sage Pay does not reject a transaction based on the response unless you have added an AVS/CV2 rule base to your account (see AVS/CV2 Rules section for details). Page 8 of 30

9 AVS/CV2 Responses Sage Pay will send an AVS/CV2 response in the AVSCV2 field for all transactions. The following responses can be returned: ALL MATCH: SECURITY CODE MATCH ONLY: ADDRESS MATCH ONLY: NO DATA MATCHES: The numerics of the billing address and the CV2 matched with the card issuer. Only the security code (CV2) matched with the card issuer. Only the numerics of the card holder address and post code matched with the card issuer. Neither the numerics of the billing address nor the CV2 matched with the card issuer. DATA NOT CHECKED: AVS/CV2 checking was turned off or disabled. The transaction is through PayPal. It s an AUTHENTICATED transaction. The card issuer is unable to check both AVS/CV2 details at this time. You will also receive the following fields which give a more detailed breakdown of the AVS/CV2 response: AddressResult: PostCodeResult: CV2Result: The specific result of the checks on the cardholder s address numeric from the AVS/CV2 checks. The specific result of the checks on the cardholder s post code numeric from the AVS/CV2 checks. The specific result of the checks on the cardholder s CV2 code from the AVS/CV2 checks. All of the fields can contain one of the following four responses which populate My Sage Pay in the following format: MATCHED NOTMATCHED NOTCHECKED NOTPROVIDED Result matches Result doesn t match The card issuer has not been able to verify the AVS/CV2 values. AVS/CV2 values were not passed to the card issuer for checking. Page 9 of 30

10 AVS/CV2 Rules A rule base allows you to tailor the way in which AVS/CV2 authentication responses are handled by your Sage Pay account. When a rule base is set up on your account you will be rejecting transactions that don t pass your specified rules. This contributes to the prevention of fraudulent transactions from being authorised. Without any AVS/CV2 rules applied to your account, the AVS/CV2 result will not affect the authorisation of a transaction. If you wish to decline a transaction based on the AVS/CV2 result, you should set up AVS/CV2 rules on your account. An AVS/CV2 rule base is applied after the transaction has been sent to your merchant bank for authorisation. This is because the transaction must be sent to the card issuing bank to check the card holders address, post code and CV2 details. After the transaction has been sent to your merchant bank for authorisation, your merchant bank returns the AVS/CV2 response from the card issuer for that transaction. After the AVS/CV2 response has been returned to Sage Pay, the response is checked against your AVS/CV2 rule base. If the transaction has been authorised and the AVS/CV2 response is not allowed through your AVS/CV2 rule base, a reversal request is sent to your merchant bank to request that the authorisation is reversed and the transaction is cancelled. IMPORTANT NOTE: AVS/CV2 rules will be applied to American Express Cards, however as American Express do not support online reversals; it is likely that a shadow will be left on the shopper s account if a transaction is rejected by the rule base. Some other card issuing banks may not reverse the transaction which can leave an authorisation shadow on the card for up to 10 working days. The transaction will never be settled by Sage Pay and will appear as a failed transaction in your My Sage Pay Admin area. For further information on Bank Shadows and how they can be removed, please visit our website using the link below. To set up an AVS/CV2 rule base on your account, access the AVS/CV2 section in the Settings area of My Sage Pay. Page 10 of 30

11 If you have AVS/CV2 switched on, you can add a rule base by selecting the Add Rule button. Enter the Start value and End value to set the range of transactions based on their amount you want the rule to apply. If you want this rule to apply to all transactions we recommended entering a value of 0 to It is possible to add multiple rules provided the value range doesn t overlap. For example you may want to add a more stringent rule base for higher value transactions. Once a range has been entered tick the boxes next to the rules you wish to allow. When you are happy you should click the Add rule button to add this rule base to your account. To determine which AVS/CV2 rule you should apply to allow each AVS/CV2 response, please refer to the table below. The table lists some of the possible My Sage Pay AVS/CV2 response flag combinations, AVS/CV2 response returned to your site, and the AVS/CV2 Rule you should use to allow a transaction with that AVS/CV2 response to be successfully authorised. Page 11 of 30

12 CV2 Add PC AVS/CV2 Response AVS/CV2 Rule(s) To Allow ALL MATCH SECURITY CODE MATCH ONLY SECURITY CODE MATCH ONLY SECURITY CODE MATCH ONLY SECURITY CODE MATCH ONLY ADDRESS MATCH ONLY ADDRESS MATCH ONLY NO DATA MATCHES NO DATA MATCHES NO DATA MATCHES DATA NOT CHECKED None Accept SECURITY CODE MATCH ONLY Accept SECURITY CODE MATCH ONLY Accept SECURITY CODE MATCH ONLY Accept SECURITY CODE MATCH ONLY Accept ADDRESS MATCH ONLY Accept ADDRESS MATCH ONLY Accept NO DATA MATCHES Accept NO DATA MATCHES Accept NO DATA MATCHES Accept DATA NOT CHECKED Page 12 of 30

13 Common AVS/CV2 Rules Strict rule base The strictest rule base you can apply for AVS/CV2 is shown below. This rule base will only allow a transaction to be authorised if the AVS/CV2 response returns ALL DATA MATCHED for a price range of 0.00 to 100, This is the best possible result for AVS/CV2 responses. However, if you apply a rule base as strict as this, you may well be declining genuine cardholders. For example, this rule would decline cardholders whose address could not be checked because they have a card issued outside of the UK. Medium rule base The example rule base shown below shows the use of multiple rules. It will allow most low value transactions to be authorised, whilst at the same time applying a stricter rule against higher value transactions. This rule base will only allow transactions through if the AVS/CV2 response returns ALL DATA MATCHED, ADDRESS MATCH ONLY, SECURITY CODE MATCH ONLY, or DATA NOT CHECKED for a price range of 0.00 to It will require a response of ALL DATA MATCHED for all other transactions over If you wish to implement a Minimum AVS/CV2 rule base we recommend simply turn on the AVS CV2 checking and not apply a rule base to reject any transactions. This will mean no transactions will be rejected based on the results returned, but still gives you visibility of the result. Page 13 of 30

14 3D Secure Verified by Visa (VbV), MasterCard SecureCode (MSC) and American Express SafeKey, which use 3D Secure technology, are an added fraud prevention initiative launched by the card schemes as a more secure method for authenticating the cardholder at the time of the transaction. VbV, MSC and American Express Safekey require the cardholder to enter a password during the transaction process. The cardholder will first need to register their password for VbV or SecureCode with their card issuer. 3D Secure is an online version of Chip and PIN, which is why 3D Secure is not applicable for MOTO or Repeat transactions. In the same way a shopper would not provide the merchant with their PIN number over the phone, the shopper should not provide their 3D Secure password over the phone either. IMPORTANT NOTE: MasterCard have issued a rule which states that all International Maestro cards MUST have a full 3D Secure Authentication in order for the transaction to be authorised. They have also issued a rule which states that for domestic Maestro cards, you must attempt to authenticate the transaction under the scheme. Upon generation of your account, Sage Pay will request that all applicable merchant numbers are enrolled in 3D Secure, with the exception of Barclays merchants*. Once this has been completed by your merchant bank the service will be added to your Sage Pay account. In most cases, 3D Secure takes up to 14 days to set up. There is no charge from Sage Pay to setup 3D Secure. *Barclays merchants will need to contact Barclays directly to set up 3D Secure and the enrolment details to Sage Pay. While we re waiting for confirmation that your merchant number has been enrolled for 3D Secure the message below will display in the Settings > 3D Secure section of the My Sage Pay admin area. Sage Pay will advise you when we are notified that your merchant number is enrolled and the service has been enabled on your account. Once we have done this, the above message will change to the one displayed below. We recommend that you turn on 3D Secure straightaway. IMPORTANT NOTE: Sage Pay will only enable the ability to use 3D Secure on your account. It is your responsibility to turn 3D Secure on. Visa, MasterCard and American Express require cardholders to enrol for VbV, SecureCode and Safekey via their card issuing bank. Card issuers may prompt cardholders to enrol at the time of the transaction, or may use a separate enrolment process. Page 14 of 30

15 Once the cardholder has enrolled, they will be prompted to enter their password whenever placing a transaction through a 3D Secure enabled site. This password is then sent to the cardholder s issuing bank and checked against their system. If the password matches, the cardholder is authenticated and the payment process continues in the normal way. A fully 3D authenticated transaction allows for a liability shift protecting you against customer chargebacks (see page 17 for more information on gaining liability shift). If the password does not match, it is possible for you to implement a rule base to stop the transaction from being sent to the bank for authorisation, therefore avoiding a potentially fraudulent transaction from being processed. (see page 18 for more information on setting up a 3D Secure rule base). To streamline the 3D Secure process and reduce the amount of dropouts at this stage in the transaction, a lot of the card issuing banks are implementing their own screening process. Below is an example of Halifax Secure. The service will assess each transaction and the shoppers 3D Secure details are either automatically verified or, in some cases, they ll be required to provide a password. The service will look for trends such as whether the cardholder has used this IP address before, ordered from your website before and a host of other things before determining if 3D Secure will be automatically authorised. Below is an example screen shot from Halifax Secure where 3D Secure is authorised on behalf of the shopper. These 3D authorisations receive the same responses and observe the same liability shift rules. IMPORTANT NOTE: Sage Pay has no control over the contents of 3D Secure pages, or password details. These are regulated and controlled by the card issuing banks. Page 15 of 30

16 American Express SafeKey American Express SafeKey is a fraud prevention tool designed to protect American Express merchants and card members from the growing problem of fraudulent online transactions. American Express SafeKey has been designed using 3D Secure specifications to ensure industry consistent processes and functionality. As a merchant, you can benefit from a number of critical advantages by implementing American Express SafeKey for customers purchasing online with you: It acts as a deterrent to fraudsters, helping to prevent fraudulent transactions before they are cleared. It may shift fraud liability away from your business. It demonstrates a higher level of security for your customers, offering reassurance that you are taking all possible steps to combat fraud. There are no extra charges and if you re already using 3D Secure you won t need to make any major changes to your website or checkout process. If you wish to enrol in American Express SafeKey, please support@sagepay.com and our support team will be in touch with the next steps. Page 16 of 30

17 3D Secure Responses Sage Pay will send a 3D Secure response in the 3DSecureStatus field for all ecommerce transactions. The table below shows the possible responses, their corresponding flag displayed in My Sage Pay and how it s interpreted. OK ATTEMPTONLY INCOMPLETE NOTAUTHED MALFORMED INVALID ERROR NOAUTH CANTAUTH NOTCHECKED (OK) The 3D-Authentication step completed successfully. (ATTEMPTONLY) The cardholder attempted to authenticate themselves but the process did not complete. A CAVV is returned, therefore a liability shift may occur for non-maestro cards. Check your merchant agreement. (INCOMPLETE) 3D Secure authentication was unable to complete (normally at the card issuer site). No authentication occurred. (NOTAUTHED) The cardholder failed to authenticate themselves with their Issuing Bank. (ERROR) These statuses indicate a problem with creating or receiving the 3D Secure data. These should not occur on the live environment. (NOTAVAILABLE) This means the card is not in the 3D Secure scheme. (NOTAVAILABLE) This normally means the card issuer is not part of the scheme. (NOTCHECKED) No 3D Authentication was attempted for this transaction. Always returned if 3D Secure is not active on your account. More information around the 3D Secure response can be found within the Fraud Results tab of each transaction. ECI Ecommerce Indicator. Provides the security level used in an Internet transaction. The tables below provide a definition of the ECI values used by each card scheme. Visa: Value Description 05 Authentication is successful 06 Authentication is attempted but the process did not complete Page 17 of 30

18 MasterCard and Maestro: Value Description 02 Authentication is successful. Full UCAF 01 Authentication is attempted but the process did not complete. Merchant UCAF XID Transaction Identifier. CAVV Cardholder Authentication Verification Value. Unique reference generated by Visa card issuers to prove authentication took place or was attempted. UCAF Universal Cardholder Authentication Field. The data field used by MasterCard and Maestro issuers to send the Accountholder Authentication Value proving that authentication took place. There are two stages to 3D Secure. An enrolment stage which checks to see if the card holder is part of the scheme, and an authentication stage which verifies the details entered by the card holder. The tables below show the possible responses at each stage, the associated ECI value and 3D Secure Status. Enrolment Status Y N U E Description Transaction progresses to authentication stage. This means the card is not in the 3D Secure scheme. This normally means the card issuer is not part of the scheme. Indicates a problem with creating or receiving the 3D Secure data. 3D Secure Status - Yes NOAUTH CANTAUTH ERROR Proceed with 3D Authentication No No No Authentication Status Visa ECI MC ECI Description Y Authentication successful OK A N - - U E - - The cardholder attempted to authenticate themselves but the process did not complete. The cardholder failed to authenticate themselves with their Issuing Bank. 3D Secure authentication was unable to complete (normally at the card issuer site). No response returned. Either the browser was closed or the back button clicked whilst on the 3D Secure page. Indicates a problem with creating or receiving the 3D Secure data. 3D Secure Status ATTEMPTONLY NOTAUTHED INCOMPLETE INCOMPLETE ERROR Page 18 of 30

19 3D Secure Liability Shift The major benefit to you as the merchant is that you are likely to experience a liability shift for a fully 3D Secure authenticated transaction. Meaning if it later turns out to be fraudulent you will not be responsible. You are protected by the card issuer against such chargebacks because the bank themselves assume the liability. IMPORTANT NOTE: The simplified tables below are for guidance only and do no guarantee that a liability shift will occur. Different conditions such as the card issuer, card type and location can alter the possibility of a liability shift. You should contact your merchant bank for exact terms and conditions for a liability shift. The tables below show when you may receive a liability shift. Visa: Status CAVV ECI Description Y Yes 05 A Optional 06 MasterCard: Status UCAF ECI Description Y Yes 02 A Optional 01 Maestro: Status CAVV ECI Description Y Yes 02 A Optional 01 Authentication successful by cardholder. Issuer generated CAVV. Authentication attempted but cardholder not enrolled. Issuer optionally generates CAVV. Authentication successful by cardholder. Issuer generated UCAF. Authentication attempted but cardholder not enrolled. Issuer optionally generates UCAF. Authentication successful by cardholder. Issuer generated UCAF. Authentication attempted but cardholder not enrolled. Issuer optionally generates UCAF. Liability Shift? Yes Yes Liability Shift? Yes Yes Liability Shift? Yes Yes (only for cards issued in the UK) My Sage Pay My Sage Pay My Sage Pay Page 19 of 30

20 3D Secure Rules A rule base allows you to tailor the way in which 3D Secure responses are handled by your Sage Pay account. When a rule base is set up on your account you will be rejecting transactions that don t pass your specified rules. This contributes to the prevention of fraudulent transactions from being authorised. With 3D Secure turned on and no rules applied to your account, the only transactions where the password is entered incorrectly will be rejected. If you wish to decline a transaction based on whether or not a card is enrolled or if you wish to allow failed authentications, you should set 3D Secure rules on your account. A 3D Secure rule base is applied before the transaction is sent to the card issuer for authorisation. The responses for enrolment and authentication are checked against your 3D Secure rule base and the transaction is either failed or continues for authorisation. To set up a 3D Secure rule base on your account, access the 3D Secure section in the Settings area of My Sage Pay. If you have 3D Secure switched on, you can add a rule base by selecting the Add Rule button. Page 20 of 30

21 Enter the Start value and End value to set the range of transactions based on their amount you want the rule to apply. If you want this rule to apply to all transactions we recommended entering a value of 0 to It is possible to add multiple rules provided the value range doesn t overlap. For example you may want to add a more stringent rule base for higher value transactions. Once a range has been entered tick the boxes next to the rules you wish to allow. When you are happy you should click the Add rule button to add this rule base to your account. To determine which 3D Secure rule you should apply to allow each type of 3D Secure response, please refer to the table below. The table lists the rule base option and the response you will allow by selecting it. Responses can vary depending on the method of integration you use with Sage Pay. Rule Base FORM Server Direct Perform 3D Secure Authentication OK ATTEMPTONLY OK ATTEMPTONLY OK ATTEMPTONLY Accept non-3d secure cards to be authorised NOTAVAILABLE INCOMPLETE NOTAVAILABLE INCOMPLETE NOAUTH Accept authorisations when MPI errors occur Accept cards from non-3d secure issuers to be authorised Accept 3D secure failures to continue for authorisation ERROR ERROR ERROR MALFORMED INVALID NOTAVAILABLE NOTAVAILABLE CANTAUTH NOTAUTHED NOTAUTHED NOTAUTHED Page 21 of 30

22 Common 3D Secure Rules Strict rule base The strictest rule base you can apply for 3D Secure is shown below. This rule base will only allow a transaction to be authorised if the card holder is enrolled in the scheme and a response of OK or ATTEMPTONLY is returned for a price range of 0.00 to 100, This is the best possible result for 3D Secure. However, if you apply a rule base as strict as this, you may well be declining genuine cardholders. For example, this rule would decline cardholders whose are yet to enrol in the 3D Secure scheme with their card issuing bank. Medium rule base The example rule base shown below shows the use of multiple rules. It still applies 3D Secure to all transactions but will allow low value transactions to be authorised if the card holder isn t enrolled in the scheme or an error occurs during the process, whilst at the same time applying a stricter rule against higher value transactions. This rule base will only allow transactions over through if the transaction is 3D Authenticated with the response OK or ATTEMPTONLY, limiting your risk of being liable for a chargeback. Transactions under can be processed if the card holder is not part of the 3D Secure scheme. Page 22 of 30

23 The 3rd Man Fraud Analysis Sage Pay work in conjunction with The 3rd Man to provide Verified Payment Data Query (VPDQ), an extensive risk management tool that screens all your transactions for fraud. Each transaction is screened by The 3rd Man, the results are returned within an hour and displayed in My Sage Pay. This can be viewed within the My Sage Pay daily transaction list alongside the AVS, CV2 and 3D Secure fraud screening results in the T3M column. IMPORTANT NOTE: The 3rd Man is an independent company from Sage Pay and we cannot always guarantee that results will be returned. If we receive a result, it will be display in the My Sage Pay admin area. Each transaction is given a risk rating of high, medium or low, depending on the overall score, and colour-coded red, amber or green respectively so that merchants can see at a glance the level of risk associated with each transaction. Transactions are scored between and Scores are calculated by starting at 0 and increase when factors such as delivery address, address or telephone number are deemed as irregular or risky and decrease when factors are consistent or verified. The 3rd Man analyses transaction data through their suite of risk management tools looking for behavioural trends, patterns and abnormalities. High Risk (Reject) 50 to 1000 Medium Risk (Hold) 30 to 49 Low Risk (OK) to 29 No Result Awaiting result or result not applicable (i.e. Refund) Factors that will influence The 3rd Man score include: Value of the transaction AVS/CV2 results Country of issuing bank History of the card (card holder name, transaction values, addresses used, contact telephone numbers)* IP address (location and history)* Billing and Delivery address (location and history)* address (history)* Names (card, billing and delivery) Telephone number (history)* PAF check Postcode Address File ER check Electoral Roll *history is populated by transactions through the Sage Pay gateway only. Page 23 of 30

24 Viewing 3rd Man Fraud Results Once a result has been returned it can be reviewed in the My Sage Pay admin area. Select the Transactions tab and click on the relevant transaction. Within the Fraud Results tab you are shown an overview of the 3rd Man result. Clicking on the result ( OK, Hold or Reject ) will give you a more detailed breakdown of the score. For further information relating to risk assessment of any transaction, call Sage Pay Customer Services on and quote your T3M ID number. We re available 24 hours a day, 7 days a week. IMPORTANT NOTE: Our fraud detection system gives an indication of risk only and does not give you any guarantees against fraud. When contacting Sage Pay Customer Service regarding your T3M results, we offer an advisory service only. We are more than happy to explain why certain factors have scored highly or look at historical trends. However, as a third party company we cannot take responsibility for whether you choose to fulfil an order. This is ultimately your discretion and you should not be directing your customers to us or The 3rd Man in regards to transactions that you have chosen not to proceed with, regardless of the fraud advice received. Page 24 of 30

25 Restrictions If you notice any trend to fraudulent attempts through your site, we offer the ability to set restrictions on certain criteria. These restrictions can also be used to pre-empt any potential fraudulent transactions such as blocking countries that are notorious for fraud. The following Restrictions can be applied: IP Addresses Countries Card Ranges Issuing Countries You can add these through the Restrictions section in the Settings area of My Sage Pay. You can use this section to add a specific IP address that you want to block from being able to process a transaction through your Sage Pay account. You can use this section to add a country that you want to block from being able to process a transaction through your Sage Pay account. Every customer with an IP address located in this country will be blocked from ordering. Page 25 of 30

26 You can use this section to add a specific card range that you want to block from ordering through your Sage Pay account. You can use this section to add an issuing country that you want to block from ordering through your Sage Pay account. Every customer with a card issued in this country will be blocked from ordering. Page 26 of 30

27 Delaying Settlement of Funds You may wish to perform your own manual fraud checks on the cardholder to ensure that they are genuine (see page 27 for more information). After you have completed these checks you can arrange for funds from each transaction to be settled on request, as opposed to them automatically being settled on a daily basis. It is also useful to delay settlement if you don t always have the goods in stock. The two options for delaying settlement of funds are: Deferred: A deferred transaction shadows the card for the full amount of the transaction. The funds are not settled until you choose to send the release message to Sage Pay to settle the funds. A Deferred transaction will remain active for 30 days for you to Release. However, the bank's authorisation 'shadow' will usually only remain active for up to 6 days. For more information about Deferred transactions, please refer to the link below: Authenticate/Authorise: Authenticated transactions do not obtain an authorisation at the time the order is placed. Instead the card and card holder are validated using the 3D Secure authentication provided by the card-schemes and card issuing banks. A Transaction will ONLY be AUTHENTICATED if it is fully 3D Secured. If the Card Issuer/Merchant is not in the 3D Secure scheme, a transaction will return a status of REGISTERED. After a transaction has been Authenticated or Registered, you have up to 90 days (30 days for Maestro) in which to Authorise the transaction and take the funds, enabling you to delay settlement until you are ready to ship the goods. The Authenticate DOES NOT reach the banks; it only reaches the 3D Secure stage. Once you are ready to fulfil the order, you can then Authorise the payment for the full amount of the transaction, or for multiple Authorisations up to 115% of the original Authenticated amount. For more information about Authenticate transactions, please refer to the link below: Page 27 of 30

28 The Chargeback Process Generally a fraudulent online transaction will result in a chargeback for which you (the merchant) will be liable, unless you have 3D Secure Authentication set up on your account. For more information about 3D Secure Authentication and receiving a shift in liability for certain chargebacks please refer to the 3D Secure section included in this guide. A chargeback can occur for a number of reasons. The main reason is when the genuine cardholder reports an unknown transaction on their card statement to their card issuer. You may not be made aware of a chargeback until up to 6 months after the original transaction. You have 14 days to process a chargeback and will be required to provide all of the necessary paperwork related to the transaction. You will need to supply any details which can help you prove that the cardholder participated in the transaction. This paperwork can include receipts, details of telephone conversations, and any other correspondence which may be relevant. Once the card issuer has received the paperwork, they will investigate further. This will enable the card issuer to confirm if the cardholder did participate in the transaction. If you don t receive any further contact from the card issuer that chargeback may be closed. However, if the chargeback does proceed, you will be required to provide further information to defend the chargeback. After this process is complete, the card issuer will go back to the cardholder, obtain a response from them and then decide on the appropriate course of action. The onus of proof will always lie with you as the merchant. You should contact your merchant bank for more information and a comprehensive explanation of their chargeback rules. Page 28 of 30

29 Manual Checks You may wish to perform manual checks on a transaction to ensure that the customer is the true cardholder. Normally, you would only need to perform manual checks on transactions if you are worried that the transaction may be fraudulent. Some fraud indicators are given below. The value of the order is higher than you would normally expect. The AVS/CV2 response is not ALL MATCH The order is from a country which is listed as high fraud risk: (source Elavon) o Balkans o Iraq o Belarus o Ivory Coast (Côte d Ivoire) o Burma/Myanmar o Lebanon o Cuba o Liberia o Democratic Republic of Congo o North Korea o Eritrea o Republic of Guinea o Federal Republic of Yugoslavia o Somalia and Serbia o Sudan o International Criminal Tribunal for o Syria The Former Yugoslavia o Zimbabwe o Iran The customer has ordered more than once in a day The customer has attempted to make payment several times with the first few transactions failing The country of issue for the card does not match the delivery address The customer refuses to confirm their card details The customer alters the delivery address at short notice The customer demands next day delivery without regard for the extra costs involved The 3rd Man returned a high risk fraud screening result The 3D Secure Authentication result returned a yellow or red flag. If your fraud screening processes have flagged a transaction for further investigation, you may want to perform the following manual checks: Send an to the address supplied by the customer to confirm that it exists. Check the area code of the phone number matches the address by using one of the free web based tools. Check the customer s name with directory enquiries to verify the address against the telephone number. Ring the customer on their landline number to confirm the order details and check that the telephone number and customer exist. Check the IP Address of the customer at to confirm that the IP Country matches the billing address. You will be able to find the customer s IP Address on the Transaction Detail in the My Sage Pay Admin screens. Page 29 of 30

30 Additional Fraud Prevention Advice High value goods and overseas transactions should be treated with extreme caution. You should consider delivery through a courier company who can obtain a signature upon delivery. Delivery Usually goods ordered via the internet will be delivered to the customer. However, in some cases the customer may collect the goods in person. If the customer does collect the goods in person, you should obtain a signature and ask the customer to show the card that they used during the transaction. You should then process the transaction as a cardholder present transaction and refund the transaction placed through the internet. You may want to consider the following: Only deliver goods to the cardholder s permanent billing address. Avoid sending goods to hotels or guest houses. Only send goods by registered or recorded post or by a reputable courier. Insist on a signed and dated delivery note. Couriers should return goods if they are unable to deliver to the address specified. My Sage Pay Admin You should use the My Sage Pay Admin area to examine your transactions on a regular basis. You will need to look for fraud patterns as detailed previously. You may also want to consider using The 3rd Man fraud screening service which can perform these checks for you. Transaction Security All transaction information passed between merchant sites and Sage Pay s systems is encrypted using 128-bit SSL certificates. No cardholder information is ever passed unencrypted and any messages sent to your servers from Sage Pay are signed using MD5 hashing to prevent tampering. You can be completely assured that nothing you pass to Sage Pay s servers can be examined, used or modified by any third parties attempting to gain access to sensitive information. Encryption and Data Storage Once on the Sage Pay systems, all sensitive data is secured using the same internationally recognised 256-bit encryption standards used by, among others, the US Government. The encryption keys are held on state-of-the-art, tamper proof systems in the same family as those used to secure VeriSign's Global Root certificate, making them all but impossible to extract. The data held by Sage Pay is extremely secure and Sage Pay is regularly audited by the banks and banking authorities to ensure it remains so. For more information on Sage Pay s security policies please refer to the link below: Page 30 of 30