Security - Credit Card, Website, PayPal info...
Q1: You say you offer "secure server" for credit card security. What does that mean and how does it work?
A1: The goal of Americart security is to achieve one thing: delivering credit card information from the customer to the merchant with the minimum possibility of exposure to prying eyes. Our primary tool for this is secure data encryption. We encrypt the information between the customer and the cart, and you retrieve credit card information the same way. Although orders are emailed to you in the clear, we strip off the credit card number, which you then retrieve through your secure browser, thus completing the secure path.
THE CREDIT CARD DIGITS CAN BE RETRIEVED FROM THE "LASTSIX" SECURE URL: https://www.cartserver.com/sc/lastsix.html
Q2: Do you use an SSL Certificate, and can I display a security symbol graphic on my website?
A2: We hold a GoDaddy Secure Server Authenticity Certificate. GoDaddy cannot, for security reasons, allow anyone not directly holding their certificate to display their logo, but you can certainly say, in text, that your Shopping Cart Service holds a GoDaddy Certificate which is used at checkout time.
Q3: When I enter a test number for the credit card number on the demo page, the cart gives me an error. Can I test it without using a real number?
A3: You have run into one of the tools that keep you from submitting erroneous charges. We run a mathematical checksum calculation on each card number to ensure that it is a valid number. To run tests, use the Visa test number 4111 1111 1111 1111. This is a mathematically valid card number, and we do not specifically screen it out.
Q4: If the shopper does not "sign" an on-line receipt, or fax their signature, is this a problem?
A4: Potentially, it could be, as would be the case with accepting phone orders. A bigger concern is crooks attempting to order with other people's card numbers.
We advise that if you get a big order, or ESPECIALLY an overseas order, you email the person and request the bank name and phone number (on the back of the card) to call for billing address verification. If they are bogus, you never hear back from them, and you have just saved some money.
If you sell expensive or high-risk items, you may want to consider adding custom forms (see the FAQ) that request this information up front. Be sure to read our FAQ on Protecting Yourself from Credit Card Fraud below.
Protecting Yourself from Credit Card Fraud
Q5: Is there significant credit card fraud on the internet?
A5: For orders originating from certain "problem countries", and to a much lesser extent domestic orders, there is cause for concern. We try to screen these orders, but some still slip through. The following tips are intended to help reduce or eliminate fraudulent activity.
General Tips:
1.) Educate yourself on fraudulent activity by reading this page and any other references you may find. Diligently check your orders and alert your personnel to be observant of suspicious situations.
2.) Use the Address Verification System (AVS) if your merchant account supports it (USA credit cards only). AVS will return an address match or mismatch. Be sure the digits in the street address and the digits in the zip code match the billing address of the cardholder. If a mismatch is returned, exercise caution and sound judgment.
3.) Add a message to the cart display that you are "fraud smart" and pursue fraudulent orders to the full extent of the law. A message as simple as "We screen diligently for credit card fraud" may be enough to cut fraud attempts in half.
4.) Do not accept international credit card orders over $250 without completing ALL investigative steps below. Do not accept large dollar amount credit card orders under any circumstances. Telephone domestic buyers who order over $250.
5.) Be careful of REMAILING SERVICES! There are places in the USA which will remail packages to overseas destinations. Here is an address actually used in a fraud: 7801 N.W. 37th STREET, Suite 179AX9CO in Miami at zipcode 33166. See the "Suite 179AX9CO"? That's an account number, which in that case goes to an address in Colombia (which we inferred from the order IP address). Tip #8 below would have caught this fraud.
6.) Be careful of hotel addresses. A good trick to catch those is to search Google for the numeric street address, street name, and zip. Most lodging addresses are on the web these days, so you can find these.
7.) Geographical Tips:
The vast majority of orders from the following countries are FRAUDULENT:
- Romania
- Indonesia
- Singapore (see note below)
- Ghana (a rising star of fraud!)
- Ukraine
- Uganda
- Nigeria
- Hungary
- Belarus
- Estonia
- Latvia
- Lithuania
- Slovak Republic
- Russia
- Yugoslavia
- Macedonia
- Philippines
- Thailand
- Malaysia (see note below)
Note on Singapore and Malaysia: People in Indonesia use Singapore or Malaysia as the destination country name, and still get the package because the Singapore/Malaysia Postal Service figures out where to send it.
Our advice is to just not ship to any of these countries. In the long haul, you will lose money.
The following countries are on the U.S. Department of the Treasury sanction list:
- Balkans
- Burma
- Cote d’Ivoire
- Cuba
- Iran
- Iraq
- Liberia
- Libya
- North Korea
- Sudan
- Syria
- Zimbabwe
Other countries, regimes, and people are listed also, with varying sanctions. The list and the extent of the sanctions change often. A good site outlining corporate responsibility regarding this topic is http://www.treas.gov/offices/enforcement/ofac/programs/index.shtml.
8.) Signs of Potential Credit Card Fraud:
- Shopper is unconcerned with shipping costs. Most legitimate shoppers are very sensitive to shipping costs. A "please expedite and add the extra onto my card" with no maximum or qualifying comment or question may be a tip-off: use caution.
- Very large dollar amount order or large quantity. Thieves need to score quickly and move on, since fraudulent delivery addresses have a short lifespan, at least in the USA. They will try to hit a perfect spot where the order is big enough to profit them, but small enough NOT to make merchants suspicious. Sometimes they will aim for $500+ orders, other times try to stay in the $199 range.
- Ship-to address is not the same as the billing address. There are many legitimate reasons for a shopper wanting to do this, but it is a "cheat" of the AVS system if the thief has the billing address of the real cardholder.
- Shopper email is undeliverable. Americart sends out an email acknowledgement to the shopper when an order is placed, and we have the "from" address set to be your address. If that message is undeliverable, it will typically bounce back to you. It could be an innocent typographical error, or it could be a fraudulent order. You can send a message yourself if you don't have "email confirmation" enabled in your cart.
9.) How to Investigate Suspicious Orders:
- For an overseas order, check to see if they are using a US bank card number. Call your card processor's customer service line and give them the first six digits of the card in question. That is the "BIN", or bank identification number. Many stolen card numbers are USA cards. If the order is from overseas and the BIN belongs to a US bank, it may be a stolen card.
- Email the shopper and request the bank name printed on the card. Most thieves will not reply, assuming that you are "fraud smart" and will have caught on to them. When they do send it, verify with your processor that the bank name is correct. Sometimes the processor won't be able to identify a foreign bank. You can also ask for the 1-800 number on the back of the card; you can then call the bank and ask them to call their customer to verify the legitimacy of the charge. They will do this gladly in most cases.
- Email the shopper and ask for their expiration month again, stating it did not come through in the order. Frauds will often not keep track of which of the several cards they were ordering with that day they used on a given site, and so will not be able to repeat the information accurately.
- Tell them you have their "widget" in stock, and ask if they want a "gadget" to go with it, for only $200 more. Phrase this appropriately to avoid annoying legitimate shoppers. A crook, if monitoring their bogus email box at all, will say "sure!" without even a question. This should raise red flags.
- Call the phone number given in the order. It may be entirely bogus, and sometimes it is even the actual number of the person whose card was stolen. If you don't get a phone number with the order, write and ask for one.
- If it is a separate billing/shipping situation, send a paper receipt or "thank you card" to the billing address immediately, and include instructions to call you if the letter reached them in error. Try to avoid shipping the product until the letter has had time to reach the billing address for the credit card.
- Begin a dialogue. Think of some reason to contact the shopper to ask about colors or sizes, etc. Do not be too specific about what the product is or the available colors/sizes. Often a thief is on a "shopping spree", and won't even remember who you are or what they ordered from you. After all, they just ordered from 15 websites that day. A legitimate shopper will know EXACTLY what they ordered, and have definite choices in mind.
- Check the order origin using the IP number included in the order. Look up IP numbers in the ARIN system. One ploy that some Indonesian crooks are using is to have delivery to a USA address where their friend is waiting to grab the package. They will often place the order over the internet from Indonesia, and you can find that out. Enter this IP number into the ARIN system referenced above: 203.130.216.56. Notice that this particular IP number is under "Asia Pacific Network Information Center"? Why would someone in California be placing their order through an APNIC IP number? That's a big red flag! Other international crooks besides Indonesia have "friends" in the USA also, so be careful.
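As an added example (not Americart's code), the Python below turns the rules of thumb in tips 8 and 9 into a screening function over a constructed order record. The `Order` fields, the `REGISTRY_FOR_COUNTRY` table and the ISO country codes are assumptions, and the registry is taken as already resolved from a whois lookup of the order IP, which the page says to do by hand.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup: which regional internet registry normally covers the
# IP space of each shipping country (ISO codes assumed). The FAQ's California
# order placed from an APNIC address is the mismatch this is meant to catch.
REGISTRY_FOR_COUNTRY = {"US": "ARIN", "CA": "ARIN", "ID": "APNIC",
                        "SG": "APNIC", "MY": "APNIC", "RO": "RIPE"}


@dataclass
class Order:
    total_usd: float
    ship_country: str
    bill_address: str
    ship_address: str
    ip_registry: Optional[str]   # registry the order IP resolved to, None if unknown
    email_bounced: bool = False  # acknowledgement mail came back undeliverable
    comment: str = ""            # free-text shopper comment


def red_flags(order: Order) -> List[str]:
    """One string per FAQ rule that fires. An empty list means nothing stood
    out, not that the order is legitimate; the investigative steps still apply."""
    flags = []
    international = order.ship_country != "US"
    if international and order.total_usd > 250:
        flags.append("international order over $250: complete ALL investigative steps first")
    elif not international and order.total_usd > 250:
        flags.append("domestic order over $250: telephone the buyer")
    if order.ship_address != order.bill_address:
        flags.append("ship-to differs from billing address: an AVS match alone does not clear this")
    expected = REGISTRY_FOR_COUNTRY.get(order.ship_country)
    if order.ip_registry and expected and order.ip_registry != expected:
        flags.append(f"order placed from a {order.ip_registry} IP but ships to "
                     f"{order.ship_country}, whose address space is under {expected}")
    if order.email_bounced:
        flags.append("acknowledgement email bounced: confirm a working address before shipping")
    if re.search(r"\b(expedite|rush|fastest)\b", order.comment, re.I) and \
            not re.search(r"\b(cost|how much|price)\b", order.comment, re.I):
        flags.append("shopper asks to expedite without asking what shipping costs")
    return flags


# Constructed orders modelled on the FAQ's scenarios.
SUSPECT = Order(320.00, "US", "12 Oak St, Fresno CA", "12 Oak St, Fresno CA",
                "APNIC", comment="Please expedite and add the extra onto my card")
CLEAN = Order(45.00, "US", "12 Oak St, Fresno CA", "12 Oak St, Fresno CA",
              "ARIN", comment="How much is shipping to Fresno?")
```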
Hacking
Q6: What is to stop someone from saving one of my pages to disk, changing a price, and putting an item in the cart with a lower price?
A6: We have a system in place that checks which URL products come into your carts from. If they don't come from your site, a warning will be placed into your received order along with the URL of origin, so you can determine whether there is a problem.
To be absolutely safe, always enter your orders into your computer by part number, and calculate your own prices. Treat this information as you would an email order or a paper order form. Shoppers make errors... sometimes on purpose.
Americart reduces these errors, but cannot eliminate them. Heed this message when it appears in any order you receive:
Warning! A page was submitted from an unfamiliar URL: (the URL being referenced)
or
Probable local file submit or browser location bar manipulation. Double check prices.
This may indicate shopper tampering. If this URL is under your control, you should add its domain name to the trusted list of your account configuration form at URL: http://www.cartserver.com/config/americart-config.html
You can find more info at: sc/trusted.txt
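Added example, not cartserver's code: Python that applies the two pieces of advice above, raising the quoted warnings when the referring page is missing, local, or outside the trusted domain list, and recomputing the total from the merchant's own price list instead of the price that arrived with the order. It assumes the origin check is made on the HTTP Referer header (the page does not say how cartserver does it); `CATALOG`, `TRUSTED_DOMAINS` and the part numbers are constructed.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed data: the merchant's price list keyed by part number, and the
# trusted domain list the FAQ says to maintain in the account configuration.
CATALOG = {"WIDGET-1": 49.95, "GADGET-2": 200.00}
TRUSTED_DOMAINS = {"example-store.com"}

LOCAL_WARNING = ("Probable local file submit or browser location bar "
                 "manipulation. Double check prices.")


def referer_warning(referer: Optional[str], trusted) -> Optional[str]:
    """Return the FAQ's warning text, or None if the page came from a trusted domain.
    A Referer can be omitted or forged, so this is a hint, never the price check."""
    if not referer:
        return LOCAL_WARNING                      # no Referer header at all
    parts = urlsplit(referer)
    if parts.scheme == "file" or not parts.hostname:
        return LOCAL_WARNING                      # saved page opened from disk
    host = parts.hostname.lower()
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return f"Warning! A page was submitted from an unfamiliar URL: {referer}"
    return None


def price_order(items: List[Tuple[str, float, int]], referer: Optional[str],
                trusted=TRUSTED_DOMAINS, catalog=CATALOG):
    """items are (part number, price as submitted, quantity). The submitted
    price is never used for the total: it is recomputed from the catalog, and
    any disagreement is reported next to the referer warning, if there is one."""
    warnings = []
    w = referer_warning(referer, trusted)
    if w:
        warnings.append(w)
    total = 0.0
    for part, submitted, qty in items:
        if part not in catalog:
            warnings.append(f"unknown part number {part}: price it by hand")
            continue
        real = catalog[part]
        if abs(real - submitted) >= 0.01:
            warnings.append(f"{part}: submitted price {submitted:.2f} differs from catalog {real:.2f}")
        total += real * qty
    return round(total, 2), warnings
```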
McAfee Secure
Q7: What is McAfee Secure? Do you use the program?
A7: McAfee Secure (formerly HackerSafe) is a service that checks clients' websites daily for known security vulnerabilities.
Q8: I now see the McAfee Secure logo on my shopping cart. Am I paying for that now?
A8: No. Americart has added this extra service at no additional cost.
Q9: Why did Americart enroll?
A9: Americart is continually working to make our service the most up to date and secure on the web. McAfee Secure was added to provide the highest level of protection for our customers' peace of mind. This has been provided as part of your Americart service at no extra cost to you.
Q10: I already have SSL certification. Do I need McAfee Secure?
A10: McAfee Secure is an extra layer of security for the online customer. It goes beyond firewalls and other detection systems. It protects your customers from fraud. Moreover, tests have shown that sites protected by McAfee Secure that display the logo generate an average increase in sales of 15%.
Q11: How does McAfee Secure work?
A11: The system performs both manual and automated testing of your site. Once no problems are found, your site is certified as secure from hackers.
Q12: Do I need any special hardware or software?
A12: This is a subscription-based program with no special hardware or software needed.
Q13: What if McAfee Secure finds problems on my site?
A13: Initially, more than 50% of sites will show vulnerabilities according to McAfee Secure guidelines. They will work with you to fix any security problems to bring your site to the required security level.
Q14: Will McAfee Secure certification improve my business?
A14: McAfee, the parent company of the McAfee Secure product, reports that customers displaying their certification show an increase in sales between 4% and 33%, with an average increase of 15%.
Q15: Can I display McAfee's security symbol graphic on my website?
A15: Under McAfee's guidelines, you can only display their graphic if you've purchased McAfee Secure for your website, separately from the service included with your shopping cart. However, you may display text on your website indicating that your shopping cart is scanned daily by McAfee Secure.