Oracle Commerce

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------

Hi Chad,

There are a few options. Most payment gateways provide an integration to fraud services which you can add to your existing payment services. In many cases, these are white-labeled versions of the Kount (Kount.com) fraud detection solution. Some of our clients have used the solution bundled with the gateway, and others have built a direct integration with Kount. The direct integration with Kount provides the most flexibility.

Commerce Architects built an Oracle Validated Integration to simplify integrating directly with Kount if you want to go that route: Kount Complete - Oracle Validated Integration for Oracle Commerce v11 The validated integration includes an ATG module with code/configs for calling out to Kount for device fingerprinting before checkout as well as pipeline processors for calling Kount during checkout, and flagging an order based on the response if necessary. The module is packaged just like an out-of-the-box ATG module and has SQL as well as sample code for calling back to Kount to alert them of final order disposition. You can download and use the integration code for free from Oracle, or let us know and we can send it over. Oracle validated the integration for both 10.x and 11.x, so we have both versions, but only the 11.x version is available on the Oracle site.

Joe

------------------------------
Joe Conaty
VP, Business Development
Commerce Architects
Spokane WA
------------------------------

Original Message:
Sent: 08-20-2018 14:47
From: Chad Taylor
Subject: Online Fraud Detection

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------

Fraud detection is a complex subject which often needs to be tailored to individual businesses.  A lot of the payment providers allow you to create rules to catch potential fraud but in most cases you need to define what those rules are.

Things you can do to mitigate the risk of fraud:

• Store the X-forwarded-for header against the order (this contains a list of the IP Address(es) used to place the order).  Use a geo-ip location service to then cross reference these with the shipping and billing address and flag orders where there are anomalies e.g. an ip address from Russia shipping to the Washington DC might be fine if you are the president, but probably not ok for most businesses ;-)
• Store the Geo-location of where the order was placed (if available).  Again cross reference this with billing and shipping addresses and flag orders where there are anomalies
• For B2C implement strict Address Verification (AVS) checks for orders placed
• Review orders where the shipping address differs from the billing address
• Do not allow shipping to freight forwarder or PO Box addresses (or force the customer to include the final destination address)
• Consider implementing email verification (My email address was recently used to commit fraud for Buy Online Pickup In Store order with a well known retailer - they found out when I called their help center explaining that I did not place those orders.  Turns out the fraudster had a credit card with my name on it)
• Look for suspicious order placement patterns e.g. if someone places 5 orders in a row for high value items in a very short space of time these orders should probably be reviewed.
• Set a limit on the order amount and dont allow users to circumvent by placing multiple orders using the same card etc
• Consider only allowing registered users to place these types of orders

I know that Cybersource has Decision Manager built in which allows you to define rules which put an order on hold pending a manual review.

Hope some of the above is helpful.

------------------------------
Gerald Heath
Executive Director,
Pipeline Pros
------------------------------

Original Message:
Sent: 08-20-2018 14:47
From: Chad Taylor
Subject: Online Fraud Detection

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------

to add some more information. We do have a security gateway provider in place, but they don't have a fraud detection offering.

We are requiring CVV checks and doing AVS against the billing address. We also do flag all transactions initiated from foreign locations for approval since at this time we are a US based business.

Our biggest issue is our businesses desire to ship to alternate addresses from the main billing address and the fact that we are a big ticket business which apparently sees much higher fraud than small ticket venues.

The fraudsters are entering valid CVV and billing information and then shipping to a pickup location. Because of the nature of our business, we often have this behavior occur with valid transactions and the business is concerned about limiting shipping to addresses associated with the card and to our certified installer network only. Often individuals will ship the tires to their offices, non-certified installers, friends, children at college, etc.

We are looking for tools that assess the risk based on multiple datapoints like IP, cookie, remarketing, previous transactions, fraud history, darkweb data, etc.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL
------------------------------

Original Message:
Sent: 08-20-2018 15:22
From: Gerald Heath
Subject: Online Fraud Detection

Fraud detection is a complex subject which often needs to be tailored to individual businesses.  A lot of the payment providers allow you to create rules to catch potential fraud but in most cases you need to define what those rules are.

Things you can do to mitigate the risk of fraud:

• Store the X-forwarded-for header against the order (this contains a list of the IP Address(es) used to place the order).  Use a geo-ip location service to then cross reference these with the shipping and billing address and flag orders where there are anomalies e.g. an ip address from Russia shipping to the Washington DC might be fine if you are the president, but probably not ok for most businesses ;-)
• Store the Geo-location of where the order was placed (if available).  Again cross reference this with billing and shipping addresses and flag orders where there are anomalies
• For B2C implement strict Address Verification (AVS) checks for orders placed
• Review orders where the shipping address differs from the billing address
• Do not allow shipping to freight forwarder or PO Box addresses (or force the customer to include the final destination address)
• Consider implementing email verification (My email address was recently used to commit fraud for Buy Online Pickup In Store order with a well known retailer - they found out when I called their help center explaining that I did not place those orders.  Turns out the fraudster had a credit card with my name on it)
• Look for suspicious order placement patterns e.g. if someone places 5 orders in a row for high value items in a very short space of time these orders should probably be reviewed.
• Set a limit on the order amount and dont allow users to circumvent by placing multiple orders using the same card etc
• Consider only allowing registered users to place these types of orders

I know that Cybersource has Decision Manager built in which allows you to define rules which put an order on hold pending a manual review.

Hope some of the above is helpful.

------------------------------
Gerald Heath
Executive Director,
Pipeline Pros

Original Message:
Sent: 08-20-2018 14:47
From: Chad Taylor
Subject: Online Fraud Detection

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------

Side note: We need to add edit post functionality.

I forgot to cover that we can't require registered users only as 90% of our customers choose to not register because of the infrequent purchases and thus relationship we deal with in the tire industry. The average customer is only going to buy tires 1 and a half times a year. Thus, they aren't looking to establish a relationship with us in most cases. We are discussing things to address this situation in the future, but that is our customer behavior right now.

We do require an email address and flag and hold suspicious looking email addresses. I know with some fraud detection providers they store known email addresses related to cards and add some risk when the address used isn't associated with the card.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL
------------------------------

Original Message:
Sent: 08-20-2018 16:48
From: Chad Taylor
Subject: Online Fraud Detection

to add some more information. We do have a security gateway provider in place, but they don't have a fraud detection offering.

We are requiring CVV checks and doing AVS against the billing address. We also do flag all transactions initiated from foreign locations for approval since at this time we are a US based business.

Our biggest issue is our businesses desire to ship to alternate addresses from the main billing address and the fact that we are a big ticket business which apparently sees much higher fraud than small ticket venues.

The fraudsters are entering valid CVV and billing information and then shipping to a pickup location. Because of the nature of our business, we often have this behavior occur with valid transactions and the business is concerned about limiting shipping to addresses associated with the card and to our certified installer network only. Often individuals will ship the tires to their offices, non-certified installers, friends, children at college, etc.

We are looking for tools that assess the risk based on multiple datapoints like IP, cookie, remarketing, previous transactions, fraud history, darkweb data, etc.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL

Original Message:
Sent: 08-20-2018 15:22
From: Gerald Heath
Subject: Online Fraud Detection

Fraud detection is a complex subject which often needs to be tailored to individual businesses.  A lot of the payment providers allow you to create rules to catch potential fraud but in most cases you need to define what those rules are.

Things you can do to mitigate the risk of fraud:

• Store the X-forwarded-for header against the order (this contains a list of the IP Address(es) used to place the order).  Use a geo-ip location service to then cross reference these with the shipping and billing address and flag orders where there are anomalies e.g. an ip address from Russia shipping to the Washington DC might be fine if you are the president, but probably not ok for most businesses ;-)
• Store the Geo-location of where the order was placed (if available).  Again cross reference this with billing and shipping addresses and flag orders where there are anomalies
• For B2C implement strict Address Verification (AVS) checks for orders placed
• Review orders where the shipping address differs from the billing address
• Do not allow shipping to freight forwarder or PO Box addresses (or force the customer to include the final destination address)
• Consider implementing email verification (My email address was recently used to commit fraud for Buy Online Pickup In Store order with a well known retailer - they found out when I called their help center explaining that I did not place those orders.  Turns out the fraudster had a credit card with my name on it)
• Look for suspicious order placement patterns e.g. if someone places 5 orders in a row for high value items in a very short space of time these orders should probably be reviewed.
• Set a limit on the order amount and dont allow users to circumvent by placing multiple orders using the same card etc
• Consider only allowing registered users to place these types of orders

I know that Cybersource has Decision Manager built in which allows you to define rules which put an order on hold pending a manual review.

Hope some of the above is helpful.

------------------------------
Gerald Heath
Executive Director,
Pipeline Pros

Original Message:
Sent: 08-20-2018 14:47
From: Chad Taylor
Subject: Online Fraud Detection

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------

To add more to this discussion. We have already reached out to two 3rd party solution providers in this area; Cybersource and ThreatMetrix.

We are wanting to make sure their aren't other players we should be talking to that may have specific offerings for ATG (we are adding Kount based on Joe's suggestion earlier) and whether others choose to go a whole other direction (like using solutions provided by their payment gateway that our gateway doesn't provide, etc) before we start running in a certain direction.

Pause, and learn from others before we learn the hard way on our own. (Thus, Pipeline Pros)

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL
------------------------------

Original Message:
Sent: 08-20-2018 16:54
From: Chad Taylor
Subject: Online Fraud Detection

Side note: We need to add edit post functionality.

I forgot to cover that we can't require registered users only as 90% of our customers choose to not register because of the infrequent purchases and thus relationship we deal with in the tire industry. The average customer is only going to buy tires 1 and a half times a year. Thus, they aren't looking to establish a relationship with us in most cases. We are discussing things to address this situation in the future, but that is our customer behavior right now.

We do require an email address and flag and hold suspicious looking email addresses. I know with some fraud detection providers they store known email addresses related to cards and add some risk when the address used isn't associated with the card.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL

Original Message:
Sent: 08-20-2018 16:48
From: Chad Taylor
Subject: Online Fraud Detection

to add some more information. We do have a security gateway provider in place, but they don't have a fraud detection offering.

We are requiring CVV checks and doing AVS against the billing address. We also do flag all transactions initiated from foreign locations for approval since at this time we are a US based business.

Our biggest issue is our businesses desire to ship to alternate addresses from the main billing address and the fact that we are a big ticket business which apparently sees much higher fraud than small ticket venues.

The fraudsters are entering valid CVV and billing information and then shipping to a pickup location. Because of the nature of our business, we often have this behavior occur with valid transactions and the business is concerned about limiting shipping to addresses associated with the card and to our certified installer network only. Often individuals will ship the tires to their offices, non-certified installers, friends, children at college, etc.

We are looking for tools that assess the risk based on multiple datapoints like IP, cookie, remarketing, previous transactions, fraud history, darkweb data, etc.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL

Original Message:
Sent: 08-20-2018 15:22
From: Gerald Heath
Subject: Online Fraud Detection

Fraud detection is a complex subject which often needs to be tailored to individual businesses.  A lot of the payment providers allow you to create rules to catch potential fraud but in most cases you need to define what those rules are.

Things you can do to mitigate the risk of fraud:

• Store the X-forwarded-for header against the order (this contains a list of the IP Address(es) used to place the order).  Use a geo-ip location service to then cross reference these with the shipping and billing address and flag orders where there are anomalies e.g. an ip address from Russia shipping to the Washington DC might be fine if you are the president, but probably not ok for most businesses ;-)
• Store the Geo-location of where the order was placed (if available).  Again cross reference this with billing and shipping addresses and flag orders where there are anomalies
• For B2C implement strict Address Verification (AVS) checks for orders placed
• Review orders where the shipping address differs from the billing address
• Do not allow shipping to freight forwarder or PO Box addresses (or force the customer to include the final destination address)
• Consider implementing email verification (My email address was recently used to commit fraud for Buy Online Pickup In Store order with a well known retailer - they found out when I called their help center explaining that I did not place those orders.  Turns out the fraudster had a credit card with my name on it)
• Look for suspicious order placement patterns e.g. if someone places 5 orders in a row for high value items in a very short space of time these orders should probably be reviewed.
• Set a limit on the order amount and dont allow users to circumvent by placing multiple orders using the same card etc
• Consider only allowing registered users to place these types of orders

I know that Cybersource has Decision Manager built in which allows you to define rules which put an order on hold pending a manual review.

Hope some of the above is helpful.

------------------------------
Gerald Heath
Executive Director,
Pipeline Pros

Original Message:
Sent: 08-20-2018 14:47
From: Chad Taylor
Subject: Online Fraud Detection

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------

Hi Chad,

You may also want to check with these solutions

clear.sale
accertify.com
nofraud.com

some of them already integrated with other ecommerce solutions




------------------------------
Thanks
Daison
Principal Consultant
Cubits Tech
------------------------------

Original Message:
Sent: 08-20-2018 17:03
From: Chad Taylor
Subject: Online Fraud Detection

To add more to this discussion. We have already reached out to two 3rd party solution providers in this area; Cybersource and ThreatMetrix.

We are wanting to make sure their aren't other players we should be talking to that may have specific offerings for ATG (we are adding Kount based on Joe's suggestion earlier) and whether others choose to go a whole other direction (like using solutions provided by their payment gateway that our gateway doesn't provide, etc) before we start running in a certain direction.

Pause, and learn from others before we learn the hard way on our own. (Thus, Pipeline Pros)

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL

Original Message:
Sent: 08-20-2018 16:54
From: Chad Taylor
Subject: Online Fraud Detection

Side note: We need to add edit post functionality.

I forgot to cover that we can't require registered users only as 90% of our customers choose to not register because of the infrequent purchases and thus relationship we deal with in the tire industry. The average customer is only going to buy tires 1 and a half times a year. Thus, they aren't looking to establish a relationship with us in most cases. We are discussing things to address this situation in the future, but that is our customer behavior right now.

We do require an email address and flag and hold suspicious looking email addresses. I know with some fraud detection providers they store known email addresses related to cards and add some risk when the address used isn't associated with the card.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL

Original Message:
Sent: 08-20-2018 16:48
From: Chad Taylor
Subject: Online Fraud Detection

to add some more information. We do have a security gateway provider in place, but they don't have a fraud detection offering.

We are requiring CVV checks and doing AVS against the billing address. We also do flag all transactions initiated from foreign locations for approval since at this time we are a US based business.

Our biggest issue is our businesses desire to ship to alternate addresses from the main billing address and the fact that we are a big ticket business which apparently sees much higher fraud than small ticket venues.

The fraudsters are entering valid CVV and billing information and then shipping to a pickup location. Because of the nature of our business, we often have this behavior occur with valid transactions and the business is concerned about limiting shipping to addresses associated with the card and to our certified installer network only. Often individuals will ship the tires to their offices, non-certified installers, friends, children at college, etc.

We are looking for tools that assess the risk based on multiple datapoints like IP, cookie, remarketing, previous transactions, fraud history, darkweb data, etc.

------------------------------
Chad Taylor
TBC Corporation
Palm Beach Gardens FL

Original Message:
Sent: 08-20-2018 15:22
From: Gerald Heath
Subject: Online Fraud Detection

Fraud detection is a complex subject which often needs to be tailored to individual businesses.  A lot of the payment providers allow you to create rules to catch potential fraud but in most cases you need to define what those rules are.

Things you can do to mitigate the risk of fraud:

• Store the X-forwarded-for header against the order (this contains a list of the IP Address(es) used to place the order).  Use a geo-ip location service to then cross reference these with the shipping and billing address and flag orders where there are anomalies e.g. an ip address from Russia shipping to the Washington DC might be fine if you are the president, but probably not ok for most businesses ;-)
• Store the Geo-location of where the order was placed (if available).  Again cross reference this with billing and shipping addresses and flag orders where there are anomalies
• For B2C implement strict Address Verification (AVS) checks for orders placed
• Review orders where the shipping address differs from the billing address
• Do not allow shipping to freight forwarder or PO Box addresses (or force the customer to include the final destination address)
• Consider implementing email verification (My email address was recently used to commit fraud for Buy Online Pickup In Store order with a well known retailer - they found out when I called their help center explaining that I did not place those orders.  Turns out the fraudster had a credit card with my name on it)
• Look for suspicious order placement patterns e.g. if someone places 5 orders in a row for high value items in a very short space of time these orders should probably be reviewed.
• Set a limit on the order amount and dont allow users to circumvent by placing multiple orders using the same card etc
• Consider only allowing registered users to place these types of orders

I know that Cybersource has Decision Manager built in which allows you to define rules which put an order on hold pending a manual review.

Hope some of the above is helpful.

------------------------------
Gerald Heath
Executive Director,
Pipeline Pros

Original Message:
Sent: 08-20-2018 14:47
From: Chad Taylor
Subject: Online Fraud Detection

TBC has just introduced their first true e-commerce solution for buy online, ship direct to consumer. Until now everything has been B2B against customer accounts and buy online, complete order in the stores.

Because of this, we are facing online credit card fraud for this first time and I'm looking to lean on those who have been dealing with this for years on how they have tackled this huge issue.

What products is everyone using for online fraud detection, if any, and what other processes have been put in place to combat this growing trend?

------------------------------
Chad Taylor
TBC Corporation / Tire America
Palm Beach Gardens FL
------------------------------