Beyond card verification numbers and blacklists: US online merchants need better fraud controls

By Rafael Lourenco, EVP, ClearSale

US e-commerce sellers face above-average rates of card-not-present fraud, but many don’t use all the fraud-detection tools at their disposal. A recent white paper from the US Payments Forum found that while CNP fraud in the US is comparatively high – and rising by 16% per year — many online sellers in the US and elsewhere rely on card verification numbers and internal blacklists as their primary forms of fraud protection. As CNP fraud increases, e-commerce and multi-channel merchants need to understand the fraud-prevention tools available to them and how to use them to create layers of chargeback-prevention security without sacrificing valid orders.

Card verification numbers (CVNs), internal negative lists, and other simple security measures have their place in the fraud-screening process, but on their own they’re simply not adequate to protect merchants from determined professional fraudsters. To better prevent chargebacks, merchants need to know what CVNs and blacklists can and can’t do and understand the other tools that should be part of every online merchant’s fraud-protection program.

The limits of card verification numbers for fraud screening

At first glance, requiring customers to provide their CVN – the 3- or 4-digit code on the back of the card – seems like an effective way to verify that the customer owns the card they’re using for the purchase. However, there are many ways that criminals get around the CVN requirement. The first and simplest is by stealing physical cards, but this isn’t common. According to digital security expert Brian Krebs, other fraudsters steal CVNs by using web-based keyloggers that capture customers’ data as they make purchases with online sellers.

The biggest and fastest-growing way fraudsters acquire the CVNs of stolen credit card numbers, though, is through card testing. This type of fraud – in which thieves try out different CVNs on small orders until they find a match for the card – tripled in the first quarter of 2017. Once fraudsters have tested card numbers, found the CVNs, and determined that they cards work, they can move on to higher-value fraudulent purchases – all while appearing to be valid customers in possession of the card verification number.

Other methods of verifying card data can also be incomplete on their own. Matching an order’s billing address to data in the Visa/MasterCard Address Verification System can screen out obvious fraud, but experienced fraudsters know how to work around AVS. Relying solely on AVS can also generate false declines when a legitimate customer (such as a college student or someone who’s recently changed addresses) enters the wrong billing address for their card.

The pros and cons of internal blacklists

Another tool merchants often rely on is the in-house blacklist, or negative list. In principle, this list prevents known fraudsters from buying from you again. The problem is that thieves often swipe not only other people’s card numbers and CVNs but also physical addresses, phone numbers, and IP addresses that belong to others. By categorically blocking all the information associated with a fraudulent order, merchants may deprive themselves of an increasingly large number of good customers, while the fraudsters move on to assume other identities, spoof other IP addresses, and keep on committing fraud. To be effective as chargeback prevention tools, blacklists must be carefully targeted.

Making fraud-detection tools work together

Card verification values and targeted blacklists can help merchants prevent some chargeback fraud, but these tools work best as layers in a program that includes a number of other fraud controls. Algorithmic scoring of all orders can spot potential fraud and collect order data to refine screening rules. That scoring should evaluate lots of data besides the order information, such as the fingerprint of the device used to place the order, shipping and delivery location risk ratings, the customer’s order history and behavioral data, and data gathered from outside sources to check orders for man-in-the-middle and botnet activity.

Manual review of all flagged orders can confirm fraud and prevent false declines, which cost online sellers more than fraud does. It’s important to contact customers quickly at this stage to avoid approval delays that can damage good customer relationships and reduce the lifetime value of existing customers. Sellers who demonstrate that they care about customers’ account security, on the other hand, can build trust that leads to higher lifetime value.

Effective fraud-prevention programs are complex and always changing to keep up with the latest approaches by fraudsters, and there’s no question that a lot of work is involved in running and updating such a program. The alternative, though, is to remain at risk for the rising tide of CNP fraud and to lose good customers to overly broad blacklist practices. In an increasingly competitive online environment that’s also a growing target for organized fraudsters, a robust, multilayered fraud prevention program is a must for survival and growth.


Rafael Lourenco is the Executive Vice President at ClearSale, a Card-Not-Present fraud prevention operation that protects e-commerce merchants against chargebacks. ClearSale is the only solution of its kind that does not auto-decline, its manual review process ensures that suspect transactions are never denied outright which provides the highest approval rates industry-wide and virtually eliminates false positives.

Related reading