Hi Marion - had a test purchase through to worldpay to see what you mean.

It is a standard Worldpay payment screen that appears and as most of my clients have the same screen with the populated fields you mention - cutomers (cardholders) address and name etc.

The security / fruad prevention system is Worldpays own through the use of their fraud card number database and the fairly recent security code field on their payment page.

I dont understand quite what the problem is - as regards fraud prevention - there isn't realy anything you can do from your side to check / investigate any possible frauds - this lies solely with how good Worldpay's system is and how up to date their fraud info is.

Generally though I have not had any customers come back to me and say they have had any fraudulent transactions - possibly one or two in the last 3 years or so (stolen cards and for fairly small sums in the scheme of things) - and they have put this down to 'one of those things that happens to retailers'.

Personaly I would not concern myself too much with this aspect - but I may get further posts to prove me wrong.

Actinic's cart thankfully does populate the clients details because it is lengthy enough filling in the forms once without having to do it again in Worldpay (if you dont have a type of roboform to populate with details with one button click)

If I have it wrong then please post further info

Thanks Dimitri

I had two cases of attempted fraud last week, both of which passed worldpays security checks. My own checks (which were done because the orders didn't look quite right) uncovered the fraud very quickly. I telephoned one customer and checked the email address of the other. If you telephone worldpay they will give you some of the information - eg. last 4 digits of the card number, card type etc.

I thought that the credit card number entry was done at the worldpay end but the address details etc were passed throught from Actinic (but can then be changed).

Regards,

what do you mean by fraud - exactly what did you uncover about these 2 clients from their phone number and/or email address.

Also you are right - the credit card info is entered once the client gets to the secure Worldpay pages - thay can as far as I am aware change their details there - but if they do/can then you will get a confirmation email of the order from Worldpay - if you select this under your account options in worldpay's server.

Lastly - say they enterd some datils on your site in actinic - address etc - then they go to worldpay through your site and enter/change their address / name etc - it wont really matter as the name,address, and credit card details have to match for the trasaction to go through - you would end up delivering your goods to that info which was given to you on your site - if it was wrong (and it can frequently be - detective time) they or their neighbours get the goods - one of those things again.

As long as Woldpay has done its job verifying the card holders name / address (if it does) and card number details - thats it!
the responsibility to check and prevent fraud is solely in Worldpays hands - hence why we pay so much for its transaction / merchant service - to prove this point - the paddlock only appears usually once you enter Worldpay to give sensitive data.

Soory if I sound opinionated - dont mean to - just bashing keyboard to get message out (spelling bad!)

Let me know if I'm off track again

we used to use worldpay and tried to tell them that if they allow people to change the address details on their site then they can obviously give the true name and details for the card - if it's stolen, they probably have all the details anyway - we wouldn't get to know they had been given a different address and it will certainly match - which is pointless!

their current AVS systems is totally worthless since any valid street address will get past it and 90% of cards issuers don't support the checks anyway. as long as the account has credit it will pass!

banks just don't have a clue?

Youre absolutely right Paul it/they are useless - but what can one do?

As you say - if the card is stolen / fraudulently used - then a resolution lies with the card providers and the unfortunate person who this happened to.

I always advise people to use credit cards online and not debit cards for insurance reasons.

This is going to sound hard, but as long as you the merchant get the money - and you should even with a fraudulent card / stolen card then dont worry (oh and you have an address to deliver goods to).

My earlier long winded point was - how on earth did the others check for fraud with phone numbers and/or emails - I think the wording is wrong - they may mean just verifying client details such as address / telephone / valid email address etc which customers frequently get wrong - my partner is always cursing them when they do this and the hunt begins - usually via the post office (soooo slow) web site and postal code address finder.

Unless there is some secret system to check via email / phone number for fraud - love to hear about it.

No secret systems, just common sense.

Order 1: email address didn't exist, telephone number couldn't be found to check order, no web site entered, so order declined.

Order 2: telephone number traced, owner of card had never heard of Actinic never mind Mole End so order declined, owner of card cancelled card, sorted.

The orders looked dodgy because 1) there was no telephone number, 2) there was no web site. 3) both email addresses ended with xxx@hotmail.com. I only have products that are of use to eshop owners so it is a bit easier to check people out.

Both orders passed the worldpay checks, I was tempted with the first one to accept the order because of this but if I had I would have had stolen software, worldpay fees and chargebacks to deal with.

I almost think that it was some sort of webbot that generated the orders - although with the second one I did get an email asking when the software would be emailed - oddly enough I didn't get a reply to my response.

Regards,

I see - because you expect a certain 'format' to your orders these stood out - have you thought of making the email field to be a 'required field' just to use as an extra safeguard ...

do you find any use to the AVS prompts = regarding accuracy we know it isn't but the ocassional warning - does it yield any interesting info when you checked?

I'm sorry but I think maybe some of you don't fully appreciate the full consequences of the problem here.

As a merchant, any fraudulent "customer not present" purchases are passed back to the merchant by way of CHARGEBACKS. This means that WE will have to pay for the goods in the end.

It has happened to me regarding "customer not present" transactions in my shop on four occasions, the cost comes out of my own pocket. The bank nor the credit card companies pay a penny of it. In selling flowers the average sale is comparatively low, and therefore separate insurance to cover the risk is not a viable option.

When taking telephone transactions one can use common sense to weedle out most of the fraudsters, which I have to say is often. When trading over the internet one does not have this protection which is why I pay the ridiculously expensive price of £20 per month to Guarantee my payments through WorldPay.

WorldPay, however, cleverly have this system of "Warnings" whereby an order may be declared potentially high risk and is not covered by the guarantee. This can happen even when every last piece of information the cardholder gives is correct. I have spoken to WorldPay about this on many occasions (these warnings come up frequently) and they simply say that they cannot divulge the reasons as to why a purchase may be high risk obviously because the fraudsters could then find a way around it, logically.

I also know that I have had one of my own online purchases rejected by the issuing bank simply beacause I had made more than 3 online purchases in a two day period. However I was a genuine purchaser, and therefore I know that many of these potentially high risk purchases are infact genuine.

So I am back to the task of being cyber detective. I then have to work out if the customer is indeed geniune. I am, after all, covering my own pocket at this stage and taking a financial risk if I decide to go ahead with the order. This can be really difficult when some of the purchases can be very sensitive such as Funeral Flowers.

I hope you can now at least understand that this problem is actually of real importance. We are all at the mercy of the banks and their chargebacks which come out of our own pockets. The banks do not care about this because they do not actually loose out to fraud. We, the merchants do.

The reason I would like to stop the pre-population of the invoice address is because I will then, when the risk is entirely mine, be able to spot if there are any differences in the address given to me on my Web Site to those the customer has given to the bank. I can use this and all other avenues I have currently found, to try to determine whether I can go ahead and ship the order.

After all, none of us want to turn away good business.

If anyone has any idea of how I can stop the pre-population of the cardholder address from Actinic to WorldPay then I would be most grateful for your advice.

Thank you
Marion

p.s. sorry if I sound condescending in this post but I do feel that this is a very serious matter indeed and some of the previous posts were really quite flippant.