Please Note
This guide is for users of 'CitrusPay Gateway', where you have an external acquirer who provides you with a Merchant ID (MID) for taking payments on your Ecommerce site (e.g. First Data, Barclaycard).
If you are a 'CitrusPay' user, please refer to these articles instead:
What does the security info mean on the Payments page?
This article explains the default fraud checks in place when using CitrusPay Gateway to accept card payments on your Ecommerce site, and what each one does.
Getting the right balance between fraud prevention and a smooth checkout experience is an ongoing challenge. On one hand, you need robust fraud checking to make it as difficult as possible for a fraudulent transaction to take place. On the other hand, you need the payment process to be as straightforward as possible so that genuine customers are not put off, and legitimate orders are not declined.
Fraudsters are always looking for vulnerabilities to exploit and are increasingly sophisticated in their methods, so it is worth staying alert and understanding what steps you can take to reduce the risk of fraud on your Ecommerce site.
If you are using CitrusPay Gateway to accept card payments on your site, a number of fraud checks are in place to achieve the best possible combination of security and ease of use, in line with industry guidelines. This article covers the following topics:
AVS/CV2 Checks
The Address and CV2 Verification Service (AVS/CV2) is a service provided by credit card processors and issuing banks to help detect suspicious credit card transactions and prevent card fraud.
The service checks the billing address and CV2 security code (the three digits on the back of the card) submitted by the cardholder against the details on record at the card-issuing bank. This check happens as part of the transaction authorisation. Your acquirer (e.g. Barclaycard, First Data) returns a response code indicating how closely the details match, and transactions can be accepted or rejected based on the result. Rejected transactions will have their authorisations reversed.
AVS is one of the most widely used tools for preventing card fraud. However, it is only available in a limited number of countries — mainly the UK, USA, and Canada. It is also not a foolproof system, since only the numeric characters in an address are matched, which means flats or properties identified by name rather than number can produce false negatives.
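The numeric-only matching described above can be modelled in a few lines. This is an added example, not part of the original article and not CitrusPay Gateway or acquirer code. It assumes each field is compared on its digits alone; the function names, the acceptance policy and the addresses are all constructed for illustration. It shows how the same genuine cardholder can be accepted or declined depending on how they type their address.

```python
import re

# ASSUMED policy for illustration only; these are not the gateway's default settings.
ACCEPTED = {
    "address": {"Matched", "Not Checked"},
    "postcode": {"Matched", "Not Checked"},
}

def digits(text):
    """Keep only the numeric characters, the part of an address that AVS compares."""
    return re.sub(r"\D", "", text)

def avs_field(entered, on_record):
    """Simplified per-field AVS result based on digits alone."""
    record_digits = digits(on_record)
    if not record_digits:
        # Model assumption: nothing numeric on record means nothing to compare.
        return "Not Checked"
    return "Matched" if digits(entered) == record_digits else "Not Matched"

def check_billing(entered, on_record, accepted=ACCEPTED):
    """Return (decision, per-field results) for one set of billing details."""
    results = {field: avs_field(entered[field], on_record[field]) for field in accepted}
    ok = all(results[field] in accepted[field] for field in accepted)
    return ("accept" if ok else "reject"), results

# Constructed sample data: one genuine cardholder typing the same address three ways.
RECORD = {"address": "Flat 2, 14 Mill Lane", "postcode": "AB1 2CD"}
SAMPLES = {
    "format differs": {"address": "flat 2 14 mill ln", "postcode": "ab12cd"},
    "flat number omitted": {"address": "14 Mill Lane", "postcode": "AB1 2CD"},
    "house name used": {"address": "Rose Cottage, Mill Lane", "postcode": "AB1 2CD"},
}

if __name__ == "__main__":
    for label, entered in SAMPLES.items():
        print(label, check_billing(entered, RECORD))
```

Spelling and spacing differences do not affect the result, but a missing flat number or a house name in place of a number leads to a decline for a legitimate customer.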
By default, your CitrusPay Gateway is set up with the following AVS/CV2 check values:

Partially Matched
The value provided partially matches the details on record. This is not currently supported for CV2 security code values — the customer must always provide the exact CV2 value — but it is useful for address and postcode values, which may differ slightly in format.
Not Matched
The value provided does not match the details on record.
Not Checked
The checks were not carried out by the card issuer. Not all card issuers support AVS/CV2 checking, so accepting this value means you can still accept payments from customers whose cards were issued in countries where these checks are not available.
Not Known
The results of the checks are not known. This could be because the issuer does not support the checks, or because there was a problem carrying them out. Accepting a Not Known value is useful for customers with overseas-issued cards.
With these values in place, the aim is twofold:
1) Allow the broadest range of customers to make a successful payment, on the basis that the billing details they provide meet the criteria supported by their card issuer.
2) Prevent payments from being accepted based purely on information visible on a payment card. By rejecting transactions where the billing address and postcode do not match those on record with the card issuer, the aim is to reduce the chance of a lost or stolen card being used to make a payment — since the person attempting the transaction is unlikely to know the registered address.
3D Secure
Online transactions made using Visa, Mastercard, or American Express cards can use the 3D Secure authentication system, also known as Verified by Visa, Mastercard SecureCode, and American Express SafeKey.
This system gives card issuers a way to verify the identity of the cardholder — typically by asking them to enter a password or secret code that only they should know. This adds extra security to an online transaction because even if a cardholder's card details are obtained fraudulently, it is unlikely that the secret is also obtained. For a successfully authenticated cardholder, the risk of fraud is significantly reduced.
Participating card issuers offer a payment guarantee for successful online transactions authenticated using 3D Secure. This means that if there is a dispute or chargeback for fraud reasons (for example, the cardholder disputes that they made or authorised the transaction), you will typically not be liable for the dispute or chargeback costs. This is known as 'liability shift'. There are some differences in how liability shift is handled by different card brands, so check the exact details with your acquirer.
By default, your CitrusPay Gateway is set up with the following 3D Secure check values to ensure that Strong Customer Authentication (SCA) is enforced:

Attempted Authentication
The cardholder or the issuer is not enrolled in the 3D Secure system.
Not Authenticated
The cardholder did not provide the correct authentication details.
Not Checked
3D Secure authentication was not attempted because the card issuer or payment card does not support the system. The majority of card issuers support 3D Secure.
Not Known
3D Secure authentication could not be carried out, possibly due to a system or communications problem.
What if I want to make changes to the default settings?
The default settings are designed to strike a balance between robust security for you as the retailer and ease of use for your customers. Changing the settings without understanding the possible consequences could leave you exposed to a greater risk of fraud and resulting chargebacks. Therefore, access to the fraud settings is not available directly through Cloud MT.
If you do wish to make any changes, you will need to contact the Citrus-Lime Support Team to discuss this. Please note that no changes will be made to 3D Secure settings.