Our wood flooring retail business learned an expensive lesson earlier this year. Within the span of one month we had two fraudulent credit card transactions for a loss of $12,000.
We're a small business, and that hurt in January—our slowest month of the year. In my 10 years of doing this business, we had done millions of dollars of transactions and never had this happen before. It was a very expensive mistake, and it resulted in my spending countless hours talking with our credit card processor, Visa, MasterCard and American Express to learn what security measures we needed to put in place to better protect our business.
The fraudulent transactions happened almost back to back; the first one was in December but the chargeback came back to us in January, and the second was shipped in January and was flagged as fraudulent three weeks later. For the first one, the customer placed the order over the phone, and their first card was declined, so our receptionist called and asked for a different card, which worked. Because it was in the same state but a different city, it was freighted out, and the customer signed for the delivery. Two weeks later we got the chargeback. We tried to call his phone number, but it was disconnected. We tried to establish identity but discovered there was no such person and the delivery address was a vacant home for sale. At that point we called the police and filed a report, and they confirmed it was a vacant property.
Since we had never had this happen before, we thought our merchant processor would have our back—after all, we had all the information proving we shipped the product, signatures on a contract through DocuSign and the signature on the receipt. But we discovered that at the end of the day, if the customer is not a real person, your merchant processor isn't going to protect you.
RELATED: Flooring Company Out $30K After Customer Used Fake Credit Card
In going through this, we found out that when our processor was training our employee who runs the transactions, he might have not made it clear that the AVS (Address Verification System) has to match. Transactions were run whether the billing address provided by the customer matched the AVS or not. In this case, when the rightful owner of the card saw their statement, they filed fraud charges, which we lost because we had no proof of identity. It wasn't a chipped card; it was done over the phone. In talking with the dispute department, we realized the only sure way of being protected is having a chipped card in the store, and that card needs to be signed. In fact, if it is a signed chipped card, we aren't allowed to require ID and can actually be fined for doing so (if the card is not signed, we verify ID in the store).
Many of our transactions aren't in person, so we had to figure out how to protect our business. Since then, I've had numerous conversations with the dispute departments at Visa, MasterCard, American Express and our processor, asking what would have gotten our two fraudulent transactions covered. There are three things they require:
1) The AVS must match.
2) It must be the same address for billing and shipping. (This isn't possible for us—more on that later.)
3) It can't be a foreign card. (This wasn't an issue for us since we don't accept international transactions).
After we went through this, our staff also talked and came up with additional things we consider red flags about a customer:
1) People who are in a rush. They call today, get a quote, give us the card and want us to send it immediately. The project isn't going anywhere, so we've learned to slow things down and ascertain identity before proceeding. We'd rather risk losing a sale than be in a bad situation again.
2) Customers who have to call back with a different card.
3) People who aren't the actual cardholder. Our policy now is that the person placing the order must be the cardholder and also the receiver of the material. We do not accept transactions where the installer or the contractor says, "I'm using my client's card," or the husband is using his wife's card.
When I have a red flag now, I start doing more research to establish identity and make sure the person exists. If it's a company, I'll Google the company name and make sure the person is listed as an officer there.
RELATED: How to Protect Your Wood Flooring Business By Implementing Internal Financial Controls
The thing that makes me feel most secure is that I've learned how to figure out the cardholder's bank. Using the first six digits of the credit card, your card processor can tell you which bank issued the card. So if they tell me it was Chase, I can call Chase and let them know I'm processing a transaction and want to be sure the information the client gave me is accurate. The bank isn't allowed to give me their information, but they can tell me "yes" or "no" regarding whether my information is a match. They will also ask how much we are running and make notes on their end.
We are now strict about following the AVS requirement—the address associated with the card has to match. We require a physical address, so P.O. Boxes can be really challenging. A lot of our customers, especially in the mountain areas, swear they have a P.O. Box, but I've verified with Visa, MasterCard and American Express that there is always a physical address associated with a card, and that is needed for proper procedures to be followed.
As I mentioned, a requirement of all the credit card companies is that the billing address match the shipping address. That's kind of ridiculous for our business. People move and buy new homes that require new flooring—why would we ship two pallets to their old address so they have to move it to their new house? We can't get away from having to ship to a different address than the billing address, so we take extra steps in verifying their information. We'll call the issuing bank, and we'll also require a copy of their ID so we can establish identity—that's something we never did before.
We are also diligent about requiring ID on delivery now. The person taking possession must present a valid ID and sign off on it. Even though it has never happened to us that someone has stolen a flooring shipment, you never know who could be receiving the flooring, and then the rightful owner could say they never got it.
Some people are annoyed by these additional security measures, but these measures are in place to protect their identity as much as our business. If someone's annoyed by that, they could have been a potential problem customer anyway. We don't think it is too much to ask because flooring is a lot of money—it can be $8,000 to $15,000 or more. When you check out on Amazon with a $10 item you must have the right billing address, so why should our expensive transactions be different?
MasterCard, Visa, American Express and the credit card processors will never lose money—you are playing by their rules on their chess board. So, as a retailer, you have to protect yourself as much as possible. All the extra credit card security measures we implemented have paid off so far, and now I can sleep at night knowing our transactions are safe.
RELATED: Increase Sales By Using the Psychology of Pricing