Security - Credit Card, Website, PayPal info...

Protecting Yourself from Credit Card Fraud

Hacking

HackerSafe

Security - Credit Card, Website, PayPal info...

Q1: You say you offer "secure server" for credit card security. What does that mean and how does it work?

A1: The goal of Americart security is to achieve one thing: delivering credit card information from the customer to the merchant with the minimum possibility of exposure to prying eyes.

Our primary tool for this is the utilization of secure data encryption. We encrypt the information between the customer and the cart, and then you retrieve credit card information the same way. Although orders are emailed to you in the clear, we strip off the credit card number, which you then retrieve through your secure browser, thus completing the secure path.
THE CREDIT CARD DIGITS CAN BE RETRIEVED FROM THE "LASTSIX" SECURE URL:
https://www.cartserver.com/sc/lastsix.html

Q2: Do you use VeriSign and can I display the VeriSign security symbol graphic on my website?

A2: We hold a VeriSign Secure Server Authenticity Certificate. VeriSign cannot, for security reasons, allow anyone not directly holding their certificate to display their logo, but you can certainly say, in text, that your Shopping Cart Service holds a Verisign Certificate which is used at checkout time.

Q3: When I enter a test number for the credit card number on the demo page, the cart gives me an error. Can I test it without using a real number?

A3: You have run into one of our tools that keep you from submitting erroneous charges. We run a mathematical checksum calculation on each card number to insure that it is a valid number. To run tests, use 4111 1111 1111 1111 Visa. This is a mathematically valid charge number, and we do not specifically screen them out.

Q4: If the shopper does not "sign" an on-line receipt, or fax their signature, is this a problem?

A4: Potentially , it could be, as would be the case with accepting phone orders. A bigger concern is crooks attempting to order with other people's card numbers.

We advise that if you get a big order, or ESPECIALLY an overseas order, that you email the person and request the bank name and phone number (on back of the card) to call for billing address verification. If they are bogus, you never hear back from them, and you just saved some money.

[back to top]

Protecting Yourself from Credit Card Fraud

Q5: Is there significant credit card fraud on the internet?

A5: For orders originating from certain "problem countries" and to a much lesser extent domestic orders, there is cause for concern. We try to screen these orders, but they do still slip through. The following tips are intended to help reduce or eliminate fraudulent activity.

General Tips:
1.) Educate yourself on fraudulent activity by reading this page and any other references you may find. Diligently check your orders and alert your personnel to be observant to suspicious situations.

2.) Use the Address Verification System (AVS) if your merchant account supports it (USA credit cards only). AVS will return an address match or mismatch. Be sure the digits in the street address and the digits in the zip code match the billing address of the cardholder. If a mismatch is returned, exercise caution and sound judgment.

3.) Add a message to the cart display that you are "fraud smart", and pursue fraudulent orders to the full extent of the law. A message as simple as "We screen diligently for credit card fraud" may be enough to cut fraud attempts in half.

4.) Do not accept international credit card orders over $250 without completing ALL investigative steps below. Do not accept large dollar amount credit card orders under any circumstances. Telephone domestic buyers who order over $250.

5.) Be careful of REMAILING SERVICES! There are places in the USA which will remail packages to overseas destinations. Here is an address actually used in a fraud: 7801 N.W. 37th STREET, Suite 179AX9CO in Miami at zipcode 33166. See the "Suite 179AX9CO"? That's an account number, which in that case goes to an address in Columbia (which we inferred from the order IP address). Tip #8 below would have caught this fraud.

6.) Be careful of Hotel addresses. A good trick to catch those is to search Google for the numeric street address, street name, and zip. Most lodging addresses are on the web these days, so you can find these.

7) Geographical Tips:
The vast majority of orders from the following countries are FRAUDULENT:

• Romania
• Indonesia
• Singapore (see note below)
• Ghana (a rising star of fraud!)
• Ukraine
• Uganda
• Nigeria
• Hungary
• Belarus
• Estonia
• Latvia
• Lithuania
• Slovak Republic
• Russia
• Yugoslavia
• Macedonia
• Philippines
• Thailand
• Malaysia (see note below)

Note on Singapore and Malaysia: People in Indonesia use Singapore or Malaysia as the destination Country name, and still get the package because Singapore/Malaysia Postal Service figures out where to send it.

Our advice is to just not ship to any of these countries. In the long haul, you will lose money.
The following countries are on the U.S. Department of the Treasury sanction list:

• Balkans
• Burma
• Cote d’Ivoire
• Cuba
• Iran
• Iraq
• Liberia
• Libya
• North Korea
• Sudan
• Syria
• Zimbabwe

Other countries, regimes, and people are listed also, with varying sanctions. The list and the extent of the sanctions changes often. A good site outlining corporate responsibility regarding this topic is http://www.treas.gov/offices/enforcement/ofac/programs/index.shtml.

8) Signs of Potential Credit Card Fraud:

• Shopper is unconcerned with shipping costs. Most legitimate shoppers are very sensitive to shipping costs. A "please expedite and add the extra onto my card" with no maximum or qualifying comment or question may be a tip-off: Use Caution.
• Very large dollar amount order or large quantity. Thieves need to score quickly and move on since fraudulent delivery addresses have a short lifespan, at least in the USA. They will try to hit a perfect spot where the order is big enough to profit them, but small enough NOT to make merchants suspicious. Sometimes they will aim for $500+ orders, other times try to stay in the $199 range.
• Ship-to address is not the same as the billing address. There are many legitimate reasons for a shopper wanting to do this, but it is a "cheat" of the AVS system if the thief has the billing address of the real cardholder.
• Shopper email is undeliverable. Americart sends out an email acknowledgement to the shopper when an order is placed, and we have the "from" address set to be your address. If that message is undeliverable, it will typically bounce back to you. It could be an innocent typographical error, or it could be a fraudulent order. You can send a message yourself if you don't have "email confirmation" enabled in your cart.

9) How to Investigate Suspicious Orders:

• For an overseas order, check to see if they are using a US bank card number. Call your card processor's customer service line and give them the first six numbers of the card in question. That is the "bin" number, or bank identification number. Many stolen card numbers are USA cards. If overseas order and "bin" is a US bank, it may be a stolen card.
• Email the shopper and request the bank name printed on the card. Most thieves will not reply, assuming that you are "fraud smart", and will have caught on to them. When they do send it, verify with your processor that the bank name is correct. Sometimes the processor won't be able to identify a foreign bank. You can also ask for the 1-800 number on the back of the card; you can then call the bank and ask them to call their customer to verify the charge legitimacy. They will do this gladly in most cases.
• Email the shopper and ask for their expiration month again, stating it did not come through in the order. Frauds will often not keep track of which of the several cards they were ordering with that day that they used on a given site, and so will not be able to repeat the information accurately.
• Tell them you have their "widget" in stock, and ask if they want a "gadget" to go with that, for only $200 more. Phrase this appropriately to avoid annoying legitimate shoppers. A crook, if monitoring their bogus email box at all, will say "sure!", without even a question. This should raise red flags.
• Call the phone number given in the order. It may be entirely bogus, and sometimes it is even the actual number of the person whose card was stolen. If you don't get a phone number with the order, write and ask for one.
• If it is a separate billing/shipping situation, send a paper receipt or "thank you card" to the billing address immediately, and include instructions to call you if the letter reached them in error. Try to avoid shipping the product until the letter has time to get to the billing address for the credit card.
• Begin a dialogue. Think of some reason to contact the shopper to ask about colors or sizes, etc. Do not be too specific about what the product is or available colors/sizes. Often a thief is on a "shopping spree", and won't even remember who you are or what they ordered from you. After all, they just ordered from 15 websites that day. A legitimate shopper will know EXACTLY what they ordered, and have definite choices in mind.
• Check the order origin using the IP number included in the order. Look up IP numbers in the ARIN system. One ploy that some Indonesian crooks are using is to have delivery to a USA address where their friend is waiting to grab the package. They will often place the order over the internet from Indonesia, and you can find that out. Enter this IP number into the arin system referenced above: 203.130.216.56

Notice that this particular IP number is under "Asia Pacific Network Information Center"? Why would someone in California be placing their order through an APNIC IP number? That's a big red flag! Other international crooks besides Indonesia have "friends" in the USA also, so be careful.

[back to top]

Hacking

Q6: What is to stop someone from saving one of my pages to disk, changing a price, and putting an item in the cart with a lower price?

A6: We have a system in place that checks to see what URL products come into your carts from. If they don't come from your site, a warning will be placed into your received order along with the URL of the origin so you can determine if there is a problem.

To be absolutely safe, always enter your orders into your computer by part number, and calculate your own prices. Treat this information as you would an email order or a paper order form. Shoppers make errors...sometimes on purpose.

Americart reduces these errors, but cannot eliminate them. Heed this message when it appears in any order you receive:

Warning! A page was submitted from an unfamiliar URL: (the URL being referenced)

or

Probable local file submit or browser location bar manipulation. Double check prices.
This may indicate shopper tampering. If this URL is under your control, you should add its domain name to the trusted list of your account configuration form at URL:
http://www.cartserver.com/config/americart-config.html

You can find more info at: sc/trusted.txt

[back to top]

HackerSafe

Q7: What is ScanAlert’s HackerSafe? Do you use the program?

A7: HackerSafe is a service that checks clients’ websites daily for known security vulnerabilities.

Q8: I now see the HackerSafe logo on my shopping cart. Am I paying for that now?

A8: No. Americart has added this extra service at no additional cost.

Q9: Why did Americart enroll?

A9: Americart is continually working to make our service the most up to date and secure on the web.  Hacker Safe was added to provide the highest level of protection for our customer’s piece of mind. This has been provided as part of your Americart service at no extra cost to you.

Q10: I already have SSL certification. Do I need HackerSafe?

A10: Hacker Safe is an extra layer of security for the online customer.  It goes beyond firewalls and other detection systems. It protects your customers from fraud. Moreover, tests have shown that sites with protected by HackerSafe that display the logo generate an average increase in sales of 15%.

Q11: How does HackerSafe work?

A11: The system generates both manual and automatic testing of your site.  Once no problems are found, your site becomes certified as secure from hackers.

Q12: Do I need any special hardware or software?

A12: This is a subscription based program with no special hardware or software needed.

Q13: What if HackerSafe finds problems on my site?

A13: Initially, more than 50% of sites will show vulnerabilities according to Hacker Safe guidelines.  They will work with you to fix any security problems to bring your site to the required security level. 

Q14: Will Hacker Safe certification improve my business?

A14: ScanAlert, the parent company of the Hacker Safe product, reports that customers displaying their certification show an increase in sales between 4% and 33%, with an average increase of 15%.

Q15: Can I display ScanAlert’s HackerSafe security symbol graphic on my website?

A15: We subscribe to ScanAlert’s HackerSafe security program. Our website is tested daily for the security vulnerabilities that are responsible for 99.9% of security breaches.

Q16: How do I enroll for Hacker Safe/What do I need to do?

A16: Americart has negotiated a significantly discounted price for its merchants. To take advantage of this program, you need to contact ScanAlert through this link: http://www.scanalert.com/content/webhost/?hostId=2977.  Once there, you will find a toll-free number to call. 

[back to top]

< Back to FAQ’s