Having an internet merchant account constantly requires playing defense. For retailers who allow for buy-online-pickup-in-store (BOPIS), having a fraud defense protocol in place is required.
Recently my wife made a purchase on the website of a well-known, nationwide retailer, and had me retrieve it at the store. BOPIS sales are rapidly increasing – 44 percent in two years says one survey.
Dutifully, I made the pickup. I came prepared with a digital copy of the receipt (e-mailed to me by my wife) as well as photo identification, since it wasn’t me who made the purchase. It turns out my photo ID wouldn’t have been enough if I didn’t have the digital receipt. While this may have rankled some consumers, I fully understood the store’s hesitancy in allowing me to retrieve the purchase — likely because I work in the payments industry.
It turns out fraudulent BOPIS purchases are increasing dramatically through the use of stolen credit card information off the dark web, and internet merchant account holders are getting burned all over.
How easy is it to buy credit card data?
Purchasing stolen credit card data is just like purchasing any product online. The buyer uses bitcoin or another form of cryptocurrency — at their own risk, a credit card of their own — to buy the data, which they can use to fraudulently purchase goods online or create a legitimate-looking, functional credit card with a machine called an MSR-206.
Some credit card data goes for as little as $3 on the black market. The higher the credit limit, however, the higher the cost of the stolen data, thus higher ticket purchases.
What makes BOPIS attractive to fraudsters?
A fraudulent BOPIS purchase works as such: The criminal purchases credit card details off a rogue website, then quickly finds desirable high ticket items to purchase online, and does so. Most retailers, especially the big box ones, can have the goods available for pickup in as little as an hour (which is ideal for the criminal, since stolen credit card information has a short shelf life).
The criminal quickly retrieves his high ticket purchase at the nearest storefront location, and vanishes while the rightful cardholder gets a phone call about a questionable purchase with his/her card.
Below are three reasons BOPIS purchases are valuable to criminals:
- No address verification: Since the ‘consumer’ opts to pickup in-store, the merchant has no way of comparing the shipping and billing address, which, when they’re different, is a huge red flag for a fraudulent online purchase.
- Little time for review: Since the big box retailers can have online purchases ready for pickup within an hour, it leaves a limited window for the retailer to examine the purchase for signs of fraud. Criminals taking advantage of stolen card data and BOPIS purchases work very, very quickly. Often by the time any red flags are raised, the sale is complete and the criminal is long gone.
- Friendly fraud pickups: Friendly fraud even infiltrates BOPIS purchases. The criminal makes the purchase online, with either a legitimate credit card or a stolen one, then arrives at the storefront an hour later for pickup. However, just prior to entering the store, the criminal cancels the order, but is still able to retrieve (steal?) the goods since the store hadn’t yet been notified.
The solution: require proof of purchase at pickup
Along with valid identification (driver’s license or passport), merchants are well within their rights to require buyers to present the credit card they used for the purchase at the time of pickup, as if they made the purchase in-store.
Additionally, online merchants with storefronts could theoretically use the customer’s online credit card details to merely hold the purchase, then have the customer pay for the purchase in the store, further authenticating the cardholder.
What would help retailers tremendously is having a popup disclaimer appear when a consumer opts for in-store pickup, detailing the requirement of identification and the physical credit card used for the purchase. In having such a disclaimer, merchants holders may see a rise in checkout abandonment — a likely result of criminals opting out of purchases.
For added authentication, internet/storefront merchants should prioritize BOPIS purchases when identifying possible cases of fraud – as they do on online purchases in which the shipping and billing addresses differ.
Internet merchant account solutions with Instabill
Instabill continues to earn recognition among the best high risk internet merchant account providers in the business. We think our reputation comes from our commitment to live, one-on-one customer support, which we feel has slowly disappeared with companies and competitors opting for automation.
By telephoning Instabill at 1-800-530-2444, prospective merchants and partners will be directly connected with one of our internet merchant account managers. With a 10-minute conversation, our account managers can get a feel for merchants’ payment processing needs and connect them with the best payment processing solution we know.