Auditing E-Commerce Web Sites

Using the Internet for E-commerce is not an obscure concept; it is a matter of good business sense. However, if retail organizations ignore the malicious abilities of attackers, they are selling themselves short. There are dozens of Web sites, and an equal number of news groups and chat rooms, dedicated to verifying stolen credit card information so that attackers can use it to commit fraud or sell it to someone else who would commit fraud in the future.

There are a number of entities involved in online credit card transactions:

  • Credit card holder. The person or organization to which a credit card has been issued.

  • Issuing financial institution. The financial institution that issues the credit card to the credit card holder, also known as the "issuer."

  • Acquiring financial institution. This institution contracts with merchants to accept and process their credit card transactions. It is possible for acquirers to contract with third-party processors to provide these services. Acquiring financial institutions are also known as "merchant banks" and the organizations' accounts are known as "merchant accounts."

  • Payment gateway. This is a service allowing an E-commerce merchant to connect to the acquirer or its merchant processor to complete a credit card transaction in real-time.

  • Service provider. Includes any third-party support entity, e.g., shopping carts, Web servers, payment processors, fulfillment houses, etc. This term is also used to describe a payment gateway alliance.

Of course, online credit card transactions not only include the entities above, but they also include three essential processing actions:

  1. Authorization. This action takes place at the time a credit card transaction occurs. It is the process by which an issuer approves, or declines, a credit card transaction.

  2. Authentication. This process involves the verification of the cardholder and the credit card. At the time of authorization, the E-commerce merchant should use fraud prevention controls and tools to validate the credit cardholder's identity and the credit card being used to make a purchase.

  3. Settlement. When a product has been purchased by a cardholder, the E-commerce merchant can initiate the settlement of a transaction through an acquirer and initiate the transfer of funds from the issuer to the merchant account.

This is an example of real-time processing for an online credit card transaction. It is not as complicated as many people think. Processing events may vary slightly depending on the acquirer relationship, business requirements, and systems used, but they generally follow the credit card authorization process:

  • The cardholder orders items from an E-commerce merchant by entering the credit card number, identifying information, and any shipping information.

  • The information is transmitted through the Internet to the merchant server. The payment gateway receives the information from the merchant server, formats it, and transmits it to the acquirer.

  • The acquirer electronically sends the authorization to the issuer, who approves or declines the transaction.

Credit Card Authentication

It is the responsibility of the E-commerce merchant to apply tools and controls in verifying the cardholder's identity and validity of the transaction and avoid fraud. These are a few generally accepted tools and controls in avoiding fraud:

  • Address Verification Service (AVS). This service allows the E-commerce merchant to check a cardholder's billing address with the issuer. AVS provides online merchants with a key indicator verifying whether the transaction is valid or not.

  • Credit Card Verification Value 2 (CVV2). This is a three-digit number printed on the signature panel of the credit card that helps validate that a customer has a genuine card in her possession and that the credit card account is valid. CVV2 numbers are present on most major credit cards.

  • Advanced fraud screens. These fraud-detection services examine the transactions generated by online E-commerce sites. These services calculate in real time the level of risk associated with each transaction and provide the merchant with risk scores. These scores permit merchants to identify potentially fraudulent orders and behavior patterns.

Settlement

This process is the operation by which money flows from the issuer to the acquirer. Once the goods or services have been delivered, the E-commerce merchant captures and batches the related transactions for settlement. The batch is electronically submitted to the various acquirers for processing.

The acquirer electronically submits the transaction to the issuer for payment. The issuer transmits the payment to the acquirer, who credits the E-commerce merchant's account.

Chargeback Issues

With literally millions of credit card transactions, it is inevitable that there will be chargebacks. Chargebacks are transactions that are returned to the acquirer, to the issuer, then to the merchant. There are many reasons for chargebacks:

  • Customer disputed transactions

  • Fraud

  • Authorization issues

  • Inaccurate or incomplete transaction information

  • Transaction processing errors

The majority of chargebacks are initiated when the cardholder reviews her bank statement and notifies the issuer that there is a problem with a transaction. When this happens, the issuer usually requests an explanation of the problem from the cardholder. If the issuer determines there is a basis for a chargeback, then the matter is referred to the acquirer, who debits the merchant's account. It is generally the responsibility of the merchant to resolve the chargeback.

Audit Program Items

E-commerce merchants must take all possible steps to reduce and treat risk. Auditors can play a significant role in this arena and should include audit program items that tip the scales in the E-commerce merchant's favor.

  • Record all key elements of fraudulent transactions: names, addresses, shipping addresses, e-mail addresses, credit card numbers, and items purchased. Auditors should verify the existence and currency of a database containing this information.

  • Document that all fraud database items are used for comparison before any transactions are processed by the merchant.

  • Establish internal transaction controls to identify high-risk transactions prior to authorization. These controls should include:

    • Setting review limits based on the number and dollar amount of transactions approved within a specified number of days. Adjust these limits to fit prior cardholder purchasing patterns.

    • Setting review limits based on a single transaction amount.

    • Ensuring that velocity limits, the frequency with which the credit card number and associated information are used, are checked across multiple characteristics, including shipping address, telephone number, and e-mail address. The term "velocity" in this context is the degree of frequency with which a credit card is used at an E-commerce Web site. It can also mean the number of times, within a given time period, that credit cards are submitted from a single IP address. Is there a mechanism prescribed by policy that requires contact with customers who exceed these control limits in an effort to determine whether the cardholder's activity is authorized and legitimate?

  • Does the Web server interface require the cardholder to input the card type, e.g., MasterCard, American Express, etc.? Does it also require the customer to input the card number and CVV2? Does the merchant's Web site verify that the card type and numerical sequence identifying the card type coincide?

  • Does the merchant's Web site require the cardholder to enter the card's expiration date and is there a mechanism to verify that the credit card number, name imprinted on it, and the expiration date coincide?

  • Does the merchant's Web site require a customer to enter a legitimate e-mail address?

  • Does the merchant's Web site require a customer to enter a legitimate CVV2 number and are these numbers verified with the credit card's other pertinent information?

  • Has the merchant implemented AVS verification?
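
The card type and number check asked about in the audit items above can be exercised with a sketch like the following. This is an added example, not part of the original article: the function names, the set of accepted card types and the result strings are assumptions, and the Luhn check digit is included as the standard companion to the prefix test.

```python
import re

def luhn_ok(digits):
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def prefix_matches(card_type, digits):
    """True when leading digits and length fit the type the customer selected."""
    n = len(digits)
    if card_type == "visa":
        return digits[0] == "4" and n in (13, 16, 19)
    if card_type == "mastercard":
        return n == 16 and (51 <= int(digits[:2]) <= 55
                            or 2221 <= int(digits[:4]) <= 2720)
    if card_type == "amex":
        return n == 15 and digits[:2] in ("34", "37")
    return False  # type not accepted by this hypothetical merchant

def check_card(card_type, number):
    """Return 'ok' or the reason to reject the entry before authorization."""
    digits = re.sub(r"[ -]", "", number)  # tolerate spaces and hyphens
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        return "not_a_card_number"
    if not prefix_matches(card_type.lower(), digits):
        return "type_mismatch"
    if not luhn_ok(digits):
        return "bad_checksum"
    return "ok"

if __name__ == "__main__":
    # Publicly documented test numbers, not real accounts.
    for entry in [("visa", "4111 1111 1111 1111"),
                  ("mastercard", "4111111111111111"),
                  ("amex", "378282246310005"),
                  ("visa", "4111111111111112")]:
        print(entry, "->", check_card(*entry))
```

A passing result only shows the entry is well formed; whether the account, CVV2, expiration date and billing address coincide is still decided by the issuer during authorization.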

Implementing Fraud Screening to Identify High-Risk Transactions

In the E-commerce world, the greatest risk is that of fraud committed by customers. There are a variety of tools and techniques that will help identify and deal with online fraud.

  • Implement fraud screening tools to identify high-risk credit card transactions. This screening can include:

    • Matching online transactions against credit card data stored in the organization's internal negative files.

    • Flagging transactions that exceed velocity limits and internal controls.

    • Identifying the persons, potential credit card attackers, who are submitting Authorize-Only transactions that are never captured or settled.

    • Identifying the persons, potential credit card attackers, who are submitting transactions of low amounts, less than $5, to a Web site in an attempt to merely verify the credit card number and cardholder's information.

    • Flagging transactions that return an AVS mismatch.

  • Develop and implement an effective manual transaction review procedure to investigate high-risk credit card transactions. The purpose of this activity is to significantly reduce online fraud as a percentage of revenue, thereby minimizing the impact on legitimate sales.

  • Treat anonymous e-mail addresses as high-risk. It is important to note that many online merchants have discovered that anonymous e-mail addresses have a substantially higher fraud rate than e-mail accounts with well-known Internet Service Providers. Organizations should take more steps requiring these types of e-mail addresses to pass additional verification requirements before permitting them to transact online credit card business.

  • Identify and screen high-risk shipping addresses. Fraud can be reduced by comparing the client's shipping address to high-risk shipping addresses in third-party databases and in the organization's own negative files. Of particular note is a shipping address located in a different mail code than the billing address's mail code. Particular attention should be paid to mail drops, prisons (of particular note in a prison address is the inclusion of the inmate number), hospitals, and addresses of known fraudulent activity.

  • Organizations should develop and implement policies and procedures addressing shipping addresses different from the billing address.

  • Organizations should treat addresses outside the merchant's country as being high-risk. Transactions involving cards issued outside the merchant's country of origin and having foreign shipping and billing addresses should be regarded as high-risk. Organizations must be aware that AVS will likely not be useful in such cases. Organizations should require higher transaction scrutiny and customer verification for international online transactions. Controls should be enforced regarding transaction velocity thresholds for these transactions. Internal policies and procedures must address cases where there is no third-party AVS available, where billing and shipping addresses differ, and where the client uses an anonymous e-mail address.

  • Organizations must assess risks based on the purchase of merchandise that is easily remarketed, for example electronic products or jewelry.

  • Organizations should have a policy regarding contacting the credit card issuer to confirm cardholder's information prior to shipping goods related to a high-risk transaction.

Signs of Possible Online Credit Card Fraud

These are some of the possible indicators that attackers are attempting to commit fraud at the E-commerce Web site. Organizations need to be mindful of these signs and take appropriate steps to avoid becoming a victim of fraud. Auditors should verify in their audit programs that the organization's policies and procedures address these signs.

  • Multiple credit cards being used from a single IP address. Multiple (more than two) cards are a good indication a fraud scheme is afoot.

  • Orders consisting of several of the same item. Having multiples of the same item increases the fraudster's chances of success.

  • Orders composed of "big-ticket" items with rushed shipping. These are usually items identified as having maximum resale value, ordered with little regard for shipping costs, increasing the profit potential for the criminal.

  • Orders shipped to a single receiving address but purchased on multiple cards. These transactions could also be characteristic of account numbers that were stolen or generated by special software.

  • Multiple transactions on one card or similar cards with a single billing address or a single card with multiple shipping addresses. This pattern represents organized fraudulent activity rather than one individual at work.

If an online transaction is approved by the credit card issuer, the organization should consider sending a confirming e-mail to the customer before completing and sending the order. If the transaction is declined, the organization should have policies and procedures that specify how such declined transactions are handled.

Auditors should review the method by which the company handles declined transactions. Consideration should be given to having customer service employees review online transaction authorizations declined by issuers and obtain corrected information or an alternate payment that allows the organization to safely proceed. These employees must be mindful of transactions containing incorrect card expiration dates, incorrect billing addresses, incorrect name spelling, incorrect mailing addresses, or incorrect CVV2 information. Incorrect information should be retained as part of the organization's negative information database that is used for comparison with future transaction attempts.

Attackers can gain access to a business' online Web site through shopping carts or payment gateway processor systems. Attackers are also very adept at finding security holes such as weak or default passwords. Once inside an E-commerce site, an attacker can emulate the merchant and begin processing debits and credits without the merchant's knowledge. One fraudulent practice is for attackers to offset the deposit credits with debits, thereby attempting to avoid detection by the deposit-volume monitoring of the true merchant's bank.

Here is a short checklist for merchants to monitor online authorizations and transactions:

  • On a daily basis, organizations must review their transaction logs for Authorize-only transactions and small amount transactions (less than $5). An unusually high number will likely indicate attackers testing the merchant's system.

  • On a daily basis, organizations must review their transactions for an unusually high amount or volume of credits. This could indicate fraud.

  • On a daily basis, organizations must review their transactions for identical transaction amounts.

  • On a daily basis, organizations must review their transactions for multiple transactions from a single IP address.

  • Organizations must thoroughly review their online transactions before they are settled. This affords the opportunity to void potentially fraudulent or erroneous transactions before they are submitted for settlement.

  • All pertinent passwords must be at least ten characters in length, with a combination of special characters, numbers, and capital letters. These passwords must be changed at least every 30 days.

  • All credit card numbers and related cardholder information must be stored on a secure server inside a guarded interior system and away from the DMZ where the Web site is located.
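
The daily review items in the checklist above, together with the Authorize-Only, low-amount and single-IP signs described earlier, can be run as detection logic over a transaction log before settlement. This is an added example, not part of the original article: the record fields, transaction kinds and sample values are constructed assumptions, and cards appear as tokens so the review never handles card numbers.

```python
from collections import defaultdict

SMALL_AMOUNT_CENTS = 500   # the checklist's "less than $5"
MAX_CARDS_PER_IP = 2       # "more than two" cards from one IP is a fraud sign

def tx(tx_id, ip, card, kind, cents, captured):
    """Build one log record; the field names are assumptions for this example."""
    return {"id": tx_id, "ip": ip, "card": card, "kind": kind,
            "cents": cents, "captured": captured}

# Constructed sample log (documentation IP ranges, tokenized cards).
SAMPLE_LOG = [
    tx("t1", "203.0.113.7", "card-A", "AUTH_ONLY", 100, False),
    tx("t2", "203.0.113.7", "card-B", "AUTH_ONLY", 100, False),
    tx("t3", "203.0.113.7", "card-C", "AUTH_ONLY", 250, False),
    tx("t4", "198.51.100.20", "card-D", "SALE", 4999, True),
    tx("t5", "198.51.100.21", "card-E", "SALE", 12900, True),
    tx("t6", "198.51.100.21", "card-E", "CREDIT", 3000, True),
]

def daily_review(log):
    """Return the transactions a reviewer should examine before settlement."""
    auth_only, small, credits = [], [], []
    cards_by_ip = defaultdict(set)
    ids_by_amount = defaultdict(list)
    for t in log:
        if t["kind"] == "AUTH_ONLY" and not t["captured"]:
            auth_only.append(t["id"])          # authorized, never captured
        if t["kind"] == "CREDIT":
            credits.append(t)                  # volume of credits is tracked
        elif t["cents"] < SMALL_AMOUNT_CENTS:
            small.append(t["id"])              # possible card-testing charge
        cards_by_ip[t["ip"]].add(t["card"])
        ids_by_amount[t["cents"]].append(t["id"])
    return {
        "auth_only_uncaptured": auth_only,
        "small_amount": small,
        "multi_card_ips": {ip: sorted(c) for ip, c in cards_by_ip.items()
                           if len(c) > MAX_CARDS_PER_IP},
        "identical_amounts": {a: ids for a, ids in ids_by_amount.items()
                              if len(ids) > 1},
        "credit_count": len(credits),
        "credit_total_cents": sum(t["cents"] for t in credits),
    }

if __name__ == "__main__":
    for check, result in daily_review(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

What counts as an "unusually high" number of hits or volume of credits is a policy threshold the merchant sets from its own baseline; the function only surfaces the candidates.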
