Hackers hit pay dirt with the recent credit card system breach of upscale hospitality chain Mandarin Oriental Hotel Group. Considering the hotel’s wealthy clientele, many of the hacked cards have very high or no credit limits.
Mandarin Oriental has properties in Boston, Miami, New York, Washington D.C., Las Vegas, and other popular tourist destinations, both in the U.S. and abroad.
The hotel chain acknowledged the breach on March 5, and it is still under investigation.
ME-based E-Commerce 4 IM, a firm offering credit card processing for high-risk vendors, offered some fraud-prevention advice for online businesses:
1. Check orders by hand before submitting them for processing
This is perhaps the most difficult and least-practiced of all the fraud-prevention techniques because automatically processing orders is so convenient and manually checking and submitting them is so tedious. However, there is no substitute for human review. Merchants should check their orders for abnormal activity or suspicious trends, such as a large number of orders made with the same credit card, a single order made with a large number of credit cards, multiple users with the same credit card, and orders for an abnormally large number of high-priced or easily-resold merchandise.
2. Amp up credit card security checks
Merchants should never accept a credit card without requiring the CVV/CVC, which is the three-digit code on the back of Visa, MasterCard, and Discover cards or the four-digit code on the front of American Express cards. They should also consider locking orders after the credit card has failed more than three or four times, and call the credit card company when in doubt whether a card is valid or not.
3. Double-check the user’s address, phone number, and e-mail address
AVS (address verification service) software compares the billing address provided by the customer to that on file with the bank. Such software is a basic part of any fraud-prevention program, but during high-risk times it is vital to compare every card every time and to accept nothing less than a full match without calling the bank to verify the card. In addition to verifying the address, merchants should check the phone number’s area code to make sure it’s valid within the given zip code and beware of free e-mail addresses, as fraudsters much more commonly use these accounts than paid services. It’s important to note that free e-mail services and zip code-area code mismatches are not necessarily indicative of fraud, but are worth further investigation and heightened vigilance.
4. Monitor IP addresses on every order
E-merchants should always compare the location of the IP address on the ordering computer with the location where the card was issued. Foreign IPs using an out-of-country credit card – especially from high-risk countries such as Indonesia and Nigeria – should be cause for further investigation.
5. Identify proxy servers
Fraudsters often take great pains to hide their identities and make themselves untraceable behind proxy servers. By using software to detect such servers, merchants can often identify fraud before it happens.
6. Refuse to ship to untraceable addresses
P.O. Boxes, public rented mailboxes, and drop ship companies are frequently used by fraudsters to hide their identity while providing them a way to receive their merchandise. It’s a good practice for merchants to avoid shipping to such addresses unless they can prove their legitimacy (for example, some large companies use P.O. Boxes). During times of heightened risk, it is often better not to ship to these addresses at all.
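The six checks above can be combined into a screen that holds orders for the manual review described in step 1. This is an added example, not code from the article or from E-Commerce 4 IM. The field names, thresholds, free-mail list and sample orders are assumptions, and the proxy flag and country codes are assumed to come from an external lookup.

```python
import re
from collections import defaultdict

# Assumed thresholds and lists; tune them to the merchant's own order history.
MAX_ORDERS_PER_CARD, MAX_CARDS_PER_ORDER = 3, 2
MAX_DECLINES = 3  # the article suggests locking after three or four failures
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)

def screen(orders):
    """Return {order_id: [reasons]} for orders to hold for manual review."""
    orders_by_card, users_by_card = defaultdict(set), defaultdict(set)
    for o in orders:
        for token in o["cards"]:  # processor tokens, never raw card numbers
            orders_by_card[token].add(o["id"])
            users_by_card[token].add(o["user"])
    held = {}
    for o in orders:
        cards = o["cards"]
        checks = [
            (len(cards) > MAX_CARDS_PER_ORDER, "many cards on one order"),
            (any(len(orders_by_card[t]) > MAX_ORDERS_PER_CARD for t in cards),
             "card used on many orders"),
            (any(len(users_by_card[t]) > 1 for t in cards),
             "card shared by multiple users"),
            (not o["cvv_ok"], "CVV/CVC missing or failed"),
            (o["declines"] > MAX_DECLINES, "too many declines: lock order"),
            (o["avs"] != "full", "AVS not a full match"),
            (o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL, "free e-mail domain"),
            (o["ip_country"] != o["card_country"], "IP country differs from card country"),
            (o["proxy"], "order placed through a proxy"),
            (bool(PO_BOX.search(o["ship_to"])), "P.O. Box shipping address"),
        ]
        reasons = [reason for hit, reason in checks if hit]
        if reasons:
            held[o["id"]] = reasons
    return held

def order(oid, user, cards, **overrides):
    """Build a constructed sample order; defaults describe a clean order."""
    base = dict(cvv_ok=True, declines=0, avs="full", email="buyer@example.com",
                ip_country="US", card_country="US", proxy=False, ship_to="1 Main St")
    return {"id": oid, "user": user, "cards": cards, **base, **overrides}

SAMPLE = [  # constructed data, not real orders
    order(1, "alice", ["tokA"]),
    order(2, "bob", ["tokB"], avs="partial", email="b@gmail.com", ship_to="PO Box 12"),
    order(3, "carol", ["tokC"], ip_country="CA", proxy=True, declines=4),
    order(4, "dave", ["tokC"]),
]
```

A held order is a prompt for investigation, not a verdict: as the article notes, free e-mail domains and location mismatches are not by themselves indicative of fraud.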