Credit Card Fraud

[Stevie Wonder]

Yesterday a member of staff received an order from a customer who paid over the phone for their goods. This customer has given the company another order over the phone again today and collected the goods (via courier).

I have a suspicion that this may be fraudulent as the customer is not local and the transaction seemed a little rushed. Although the goods are viewable on our website.

If this turns out to be a credit card fraud of some sort where do I stand?

I am currently with barclaycard as my card provider.

If anyone has any knowledge/experience of this it would be much appreciated.

Thanks in advance.

 

[Leo-InstallingIT]

At it was an over the phone transaction (therefore no 3D Secure), if the genuine card holder was to issue a charge back you would probably struggle to fight it.

Did the address & post code they gave you pass the AVS checks? This won't help because the customer collected, but at least you know the genuine cardholders address.

Did you check any kind of ID when the customer collected?

 

[Leo-InstallingIT]

Forgot to ask, what sort of value are we talking? Over £100 pounds?

 

[Stevie Wonder]

The address and everything checked out. Hence the payment going through on our machine.

The sales add up to over £1000.

The courier was independent so there was no ID.

Would we have to repay the money immediately?

 

[Leo-InstallingIT]

If a charge back is issued and you can't fight it then the charge will just be reversed and added to your next merchant account invoice.

If you have the address it might be worth seeing if you can look up a number for that address and give them a call - it might at least put your mind at rest or confirm your fears.

 

[scstock]

Oh dear - taking payment over the phone and then letting someone collect the goods is a real no-no; I'm afraid you won't have a leg to stand on.

 

[Darrenchase]

I know a flooring company that got done before Christmas for 10k with this scam and has put him out of business.

 

[Stevie Wonder]

Thank you for your replies.

For me now its a case of damage limitation, and of course lesson learned (the hard way!).

Why card machines even accept unsecure payments is beyond me. I was previously under the impression that if the payment was accepted and went through then it was ok (WRONG!).

I just hope that this thread may serve as a warning to other members who may have fallen into the same trap at some stage.

 

[Paul_Rosser]

Do you have CCTV ? Did the courrier provide any ID ? Do you know which firm they were from ? As then you could at least check where the goods went and possibly take it from there.

Bit late now but in future if taking phone orders for customers to collect you should always insist on the customer collecting themselves and providing ID (driving licence, passport etc) which you keep a copy of on file.

 

[DavidWH]

Isn't it PCI Policy to the following:

If you take a payment over the phone, and the customer collects the goods, you should refund the card used for the payment over the phone (cardholder not present) then re do the transaction in the card machine as a card holder present?

If you're sending out goods, at least for the first time you should make sure it's to the same address as the AVS.

Neither particularly any help in your circumstances, even if this occasion it isn't a fraudulent transaction, you may have just highlighted a loophole in the way you process payments.

 

[David19]

This is text book. Write it off. I know it's not much use now, but ban the staff from takingpayments over the phone. Card on website or in store only.

 

[scstock]

This is text book. Write it off. I know it's not much use now, but ban the staff from takingpayments over the phone. Card on website or in store only.

You should be OK taking payment over the phone as long as you deliver to the card holder address - or if it is an established customer.

 

[mhall]

Sorry but I think you are about to get shafted. We have had this type of thing a couple of times in the last few years - thankfully we haven't lost out - Yet.

The chances are the courier will be perfectly legit and will have been paid via the same credit card. They will be just as shafted as you. Once the courier has picked up the goods they will have got a call changing the delivery address - usually a layby somewhere and the trail will go cold. The last time they tried it with us my hubby volunteered to pose as the courier if the police would follow him, but they refused as it was going over county borders and the police couldn't guarantee someone would be at the other end from the other force.

 

[aussiecameras]

Keep in mind also that Paypal is no more secure and doesn't cover you in the case of chargebacks from credit card use. So treat purchases through paypal with similar care.

 

[tonitarzan]

you have to be extremely careful when takingorders over the phone.. i believe if you are following the correct procedues, then atleast you dont have any come backs.. One or 2 fraud charges pe month is ok where you will still be paid by the credit card company, but if you start getting too many dodgy card payments every month then they will start looking into you.

 

[pen2670]

Isn't it PCI Policy to the following:

If you take a payment over the phone, and the customer collects the goods, you should refund the card used for the payment over the phone (cardholder not present) then re do the transaction in the card machine as a card holder present?

Sounds good in theory, but would be wary of this in practice especially with high value items as if the original transaction doesn't credit their account before you take the second one it might be rejected as exceeding their credit limit OR give them over limit charges for which they'd probably hold you liable OR lead to them having their card declined in the middle of their weekly shop all of which would lead to one very unhappy customer. Worth remembering some cards, my new business credit card for example has a £1k per month limit and that's all I can spend on it in one month even if I pay some off early.

 

[tonitarzan]

I agree with Pen2670, the ooriginal transaction crediting their account before they take the second item is something you need to be very careful with.

 

[DavidWH]

That's what the book says, whilst I agree with your comments. We don't do this, never have.

But it does cover the card issuer, as they turn round and say you should have done it.

A simpler/better option would be to charge the card 1p, then reverse the transaction (don't think theres a refund charge then with out provider) which will prove the card holder knows the PIN for the card used to order the items online/over the phone.

Wouldn't have helped matters as the customers sent a courier to collect the goods in this case.

 

[pen2670]

That's what the book says, whilst I agree with your comments. We don't do this, never have.

But it does cover the card issuer, as they turn round and say you should have done it.

A simpler/better option would be to charge the card 1p, then reverse the transaction (don't think theres a refund charge then with out provider) which will prove the card holder knows the PIN for the card used to order the items online/over the phone.

Wouldn't have helped matters as the customers sent a courier to collect the goods in this case.

Or 50% over the phone and 50% in store.

Have to admit this thread made me think. Had a customer pay over the phone last week. She rang on the Monday to see if we had x in stock as they'd sold out near her and she was coming down to visit Mum at the weekend. Said yes and she paid over the phone to make sure we didn't sell it to anyone else. Took name address tel etc and she had loads of I D when she arrived with Mum, but in hindsight will split payment if it happens again!

 

[groovyjon]

You're already aware of the mistake you've made, but for future reference, and for any others that are interested, any of the following circumstances during a payment over the phone (or online for that matter) should throw up a huge red flag:

- Asks to use their own "courier" to collect (Typical excuse: "I use my company's courier for free")

- Can't bring the card in for ID purposes (Typical excuse: "I'm sending my colleague to collect the goods, they're in a different location to me")

- Tries one card, fails. Tries their second card, fails. Tries their third card and goes through successfully. (Typical excuse: "I must be over my limit on my main cards")

- Doesn't know the address card is registered to. (Typical excuse: "It's my girlfriend's card, I'm not sure of her address")

- Multiple high value, easy to re-sell items, e.g. watches, designer trainers, especially when they don't bother asking any questions about the products.

- Doesn't know the CV2 digits on the back, although you may not be able to enter the transaction without this anyway. (Typical excuse: "The digits have rubbed off, I can't read them")

- If you are using your own courier, they want the most urgent quickest delivery possible (i.e. before the cardholder gets wind of what's going on)

- Delivery of high value or bulk quantities to certain countries (I won't say which ones in case I start a diplomatic row!)

When we see one or more of the above, we politely say that an order of that value would need to be placed directly on our website (3D Secure) and delivered to the registered cardholder's address. They often agree, but then the online order never materialises. I'm sure we've lost a few genuine orders that way, but I'm equally sure we've prevented a lot more fraudulent ones.

 

[jcoatesjones]

You should have checked PCI on this.

If you take a CNP - Cardholder not present transaction then YOU are always at risk and using common sense and steps is the better thing.

Get them to come and pay by Chip and Pin, because then YOU are covered and guaranteed your money, this is called the liability shift.

If they order again, ask them to come and pay, chances are if they refuse to do so, it could be fraud, but both you and all the staff need to be compliant.

If it was me who had sold you the terminal or VT, I would have trained you in PCI and do's and don't esp with CNP transactions. Feel free to PM me if you have any questions at all, and I will do my best to help.

Thanks,
Joe.

 

[gr9ce]

We made the mistake of taking a break and in absence valuable item sold with stolen cc (while back now so specific details a blur) but this was a delivery address switch at last minute. As you guess goods disappeared overnight.
But person accepting delivery photographed, known to police arrested and id'ed. Goods traced to a nearby property as they didn't have instruction booklet and made mistake of immediately trying to get a copy from manufacturer (already alerted to theft). Sent picture of item over phone to verify 'model'. Police finally persuaded to call and seize stolen goods but some accessories still missing.

So police had person implicated in cc fraud receiving stolen goods and another again receiving stolen goods. Missing parts value easily £500, retrieved item damaged slightly.

No prosecution due to lack of evidence. Yup you heard it here.

Lesson learned never accept a change of delivery address and never take a break.

 

[LMDServicesUK]

Hi

The issue you have hit is that the fraud liability for a transaction only passes back to the Card issuer where you either use 3D secure (on a website) or F2F PIN number.

If as in your case it is CNP, the liability does not shift so if you are hit with a Chargeback it will be hard to fight.

Suggest as others have said, that in future no problem with taking a payment over the phone if the AVS and CVV checks pass OK, but when the goods are collected ask for a further ID to verify against the original details. This way if it is a fraudulent transaction you can show the card issuer you took all reasonable steps to verify the validity of not only the card (at the time of the transaction) but the person who placed the order.

Again if you are ever unsure get your staff to call your Merchant account provider to verify the card details being offered to you.

I hope that it turned out to be a genuine transaction in the end.

Rgds

Mark