Ecommerce Fraud Prevention Best Practices

Global ecommerce revenue is going to reach $5.4 trillion in 2022, as reported by Statista.

This tremendous growth of ecommerce has opened numerous opportunities for merchants and buyers around the world to improve their services and shopping experience.

However, there’s another category that’s developing in parallel with online retail – ecommerce fraud.

This article examines the best ecommerce fraud prevention practices to help merchants protect their customers’ data and assets.

Ecommerce fraud detection - how to recognize a fraud attempt

Detecting a fraud attempt is the first step in preventing ecommerce fraud. The following tips help identify a fraud attempt.

  • Lower or higher order volumes than usual. A much higher or lower order volume than usual for the customer in question is a red alert. It could be a sign of account takeover fraud, so the best thing to do is contact the customer before processing the order.
  • Expedited shipping. If the customer never uses expedited shipping and suddenly they want an unusually high or low volume order delivered in the shortest time possible, suspect it’s fraud. In this case, fraudsters are trying to make an order using stolen cards before the loss has been reported to the issuer.
  • Multiple transactions within a short time period. Several payments made with the same card within a short time frame are a sign for caution, especially if the cardholder has never done something similar before. A merchant that notices such an activity needs to contact the cardholder and the issuing bank.
  • Discrepant order information. If the customer’s shipping address and billing address don’t match or the city and the ZIP code are different, it’s highly likely a fraudulent transaction.
  • Untypical billing address. If a customer always makes a payment from an IP address in the US, and now they’re paying from an untypical IP location, e.g., China, double-check whether it’s the customer transferring money or a criminal committing fraud.
  • Different cards, multiple orders, the same address. If multiple orders have been made from the same IP address to the same shipping address with different payment cards, the merchant must react at once since this could be a sign of address fraud. Sometimes fraudsters steal information from several cardholders and then commit fraud slowly, making small orders to avoid suspicion.
  • Multiple shipping addresses. When the customer makes several purchases from one billing address, but sends the purchased goods to multiple shipping addresses, it’s often a scam.
  • One IP address, several cards used simultaneously. Even though one person can have more than one payment card, using them all at the same time is not common. Hence, merchants need to additionally scrutinize such transactions.
  • Ordering products to unusual locations. If a merchant has never received an order from a certain country, say Andorra, and then gets dozens of orders from that location within a short period, it could be a fraud attempt.
  • Several consecutive declined payment attempts. Everybody sometimes runs out of money on their credit cards. However, if the buyer attempts to make a purchase several times in a row, without providing the correct CVV number or card expiry date, the merchant should make the effort to check the transaction.
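
As an added example (not from the original article or from any payment processor), four of the red flags above can be written as rule-based checks over order events. The thresholds, field names, and sample events are constructed assumptions to tune per shop.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
MAX_CARD_TXNS = 3                # same card, payments inside WINDOW
MAX_CARDS_PER_IP = 2             # distinct cards from one IP inside WINDOW
MAX_DECLINES = 3                 # consecutive declines for one card

# Constructed sample events (card tokens, never raw card numbers):
# (time, order_id, ip, card_token, billing_zip, shipping_zip, status)
EVENTS = [
    ("2022-03-01T10:00", "A1", "198.51.100.7", "tok_1", "10001", "10001", "approved"),
    ("2022-03-01T10:02", "A2", "203.0.113.9", "tok_2", "94105", "60601", "approved"),
    ("2022-03-01T10:05", "A3", "203.0.113.9", "tok_3", "73301", "60601", "approved"),
    ("2022-03-01T10:07", "A4", "203.0.113.9", "tok_4", "33101", "60601", "approved"),
    ("2022-03-01T10:10", "A5", "192.0.2.44", "tok_5", "02108", "02108", "declined"),
    ("2022-03-01T10:11", "A6", "192.0.2.44", "tok_5", "02108", "02108", "declined"),
    ("2022-03-01T10:12", "A7", "192.0.2.44", "tok_5", "02108", "02108", "declined"),
]

def flag_orders(events):
    """Return {order_id: [reasons]} for orders that match a red flag."""
    flags = defaultdict(list)
    by_card, by_ip, declines = defaultdict(list), defaultdict(list), defaultdict(int)
    for ts, oid, ip, card, bill_zip, ship_zip, status in sorted(events):
        now = datetime.fromisoformat(ts)
        # Discrepant order information: billing and shipping ZIP differ.
        if bill_zip != ship_zip:
            flags[oid].append("billing/shipping mismatch")
        # Velocity: payments with the same card inside the window.
        by_card[card] = [t for t in by_card[card] if now - t <= WINDOW] + [now]
        if len(by_card[card]) > MAX_CARD_TXNS:
            flags[oid].append("card velocity")
        # Distinct cards seen from the same IP inside the window.
        by_ip[ip] = [(t, c) for t, c in by_ip[ip] if now - t <= WINDOW] + [(now, card)]
        if len({c for _, c in by_ip[ip]}) > MAX_CARDS_PER_IP:
            flags[oid].append("multiple cards from one IP")
        # Consecutive declines; an approval resets the counter.
        declines[card] = declines[card] + 1 if status == "declined" else 0
        if declines[card] >= MAX_DECLINES:
            flags[oid].append("repeated declines")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in flag_orders(EVENTS).items():
        print(order_id, "->", ", ".join(reasons))
```

Flagged orders are candidates for manual review or a call to the customer or issuer, as the list above recommends, rather than automatic rejection.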

Ecommerce fraud prevention practices

The use of ecommerce fraud prevention strategies protects both merchants and customers from data theft and financial loss. It keeps the merchant’s chargeback rate low and ensures smoother financial operations and a positive business reputation.

Below are the best proven practices for ecommerce fraud prevention.

Perform Regular Security Audits

Try to detect weak spots in your security before fraudsters do. Regular security audits significantly reduce the risk of fraud. Establish procedures to ensure you:

  • Update shopping-cart plugins and software regularly. If you have third-party hosted payment pages, arrange regular updates.
  • Use strong passwords and passphrases for admin accounts, databases, and content management systems, as well as SSL-encrypted online payment forms.
  • Maintain PCI-DSS compliance.
  • Encrypt communication between the ecommerce business and customers.
  • Back up customer data.
  • Conduct regular antimalware website scans.

Use a Reliable Payment Processor

Work with a reliable payment processor to ensure a high level of protection from ecommerce fraud. When looking for the right processor, inquire about their protection measures, including PSD2 and PCI compliance, as well as about the use of fraud-prevention tools. Their fraud detection systems must follow best practices and current regulations, and function without a second of downtime.

Note: CCBill provides merchants with Smart Checkout, a powerful fraud-protection system that ensures a detailed scan of every payment before the information is forwarded to credit card associations and banks. It substantially mitigates fraud risk and prevents excessive chargebacks.

Ensure Compliance with PSD2, SCA, and 3DS

Stringent regulations have been adopted recently in reaction to emerging risks of online payment fraud. The most prominent payment processing regulations include:

  • PSD2. The Revised Payment Services Directive (PSD2) regulates payments of cardholders whose issuing banks are in the European Economic Area (EEA). This set of regulations gives cardholders more control over their bank accounts and ensures stronger anti-fraud protection by enforcing the implementation of strong customer authentication (SCA).
  • SCA. One of the key fraud-prevention technologies enforced by PSD2 is strong customer authentication (SCA). It uses multi-factor customer payment verification, and the minimum requirement is two-factor authentication. To verify a payment with SCA, consumers need at least two of the following: something only they would know (a card PIN, secret Q/A, or password), something only they would have possession of (an authentication code or one-time token sent to their mobile phone), or something they are (biometric data, such as fingerprints, face recognition, or iris scan).
  • 3DS2. The 3-D Secure (3DS) protocol was developed by Visa, Mastercard, American Express, and Discover to provide a technical framework for payment card verification in online payments. The 3DS2 protocol is compliant with the European PSD2 regulation but it can be used worldwide as a strong customer authentication solution.

Merchants need to be PSD2-compliant if processing payments from cardholders in the European Economic Area. Compliance with PSD2, SCA, and 3DS provides added fraud protection for both merchants and consumers.

CCBill provides hosted payment forms that are compliant with PSD2 and 3DS2 and ensures a high level of security for both merchants and consumers with the use of strong customer authentication.

Be PCI Compliant

Every business that accepts credit card payments needs to ensure the implementation of Payment Card Industry (PCI) standards. The major credit card associations – Visa, Mastercard, Discover, and American Express – all require compliance with PCI standards to protect buyers’ data and prevent fraud, while the PCI Security Standards Council ensures the enforcement of the standards.

Monitor for Suspicious Shopping Activity

Monitor customers’ accounts and transactions to reduce and completely eliminate ecommerce fraud. Whenever you notice an unusual activity performed by a customer or a strange payment made from their account, react at once. Contact either the customer or the card issuer, depending on the type of activity noticed, to check who is trying to make the payment.

Use Address Verification Service (AVS)

Use the Address Verification Service (AVS) system to identify potentially dangerous credit card payments and prevent fraud. The AVS system compares the billing address provided by the payer with the cardholder’s billing address registered at the issuing bank. If the addresses don’t match, the system either stops the payment or requires additional actions.

Enforce the Use of Card Verification Value (CVV)

Every credit card issued by Visa, American Express, Discover, and Mastercard has a three-digit (four-digit for American Express cards) card verification value (CVV) on the back of the card.

Insist that all buyers provide this code for each card-not-present payment. This ensures that consumers physically possess the credit card with which they are making the payment and reduces the possibility of payment fraud.

Avoid Shipping Orders to PO Boxes and Virtual Addresses

Ecommerce fraudsters often provide virtual addresses and PO boxes.

One ecommerce fraud prevention best practice is to refuse to ship ordered goods to incomplete or vague addresses. To prevent this kind of fraud attempt, specify in your business policy that shipments can only be made to validated physical addresses.

Use Fraud Prevention Software

Fraud-prevention software tools ensure seamless anti-fraud protection for ecommerce merchants. They track customer data and payments, detect security breaches, and notify merchants of potentially dangerous customer behavior patterns.



Hypertext Transfer Protocol (HTTP) is the basic protocol for sending data online between a client and a server. In the context of an online shop, HTTP is the route along which data is exchanged between an ecommerce store and a customer’s web browser.

Hypertext Transfer Protocol Secure (HTTPS) encrypts all personal information so that data such as credit card numbers, customer names and addresses are protected in-transit. The protocol makes things a lot harder for hackers. Even if they somehow intercept the data, they won’t be able to decrypt it.

Educate Customers

Educating customers is an effective anti-fraud measure. If they understand why providing additional information for accurate identification is important, they’ll embrace multi-factor verification. Also, think about providing a short explanation below the sign-in box on how a strong password increases the customers’ security while ordering goods on your ecommerce website.

AI and Fraud Detection

Artificial Intelligence (AI) solutions are becoming valuable assistants in fraud detection and prevention. AI anti-fraud systems rely on machine learning and collected data from previous fraud cases. They help predict and detect fraudulent behavior to reduce potential future fraud. What’s more, they gather information in real-time and identify suspicious actions at once. AI tools are now used to accept and supervise orders, saving merchants’ time and increasing overall efficiency.


The ecommerce market will keep expanding and merchants will need to implement adequate anti-fraud measures to keep their own and their customers’ data and assets safe. As new security-focused regulations, such as PSD2 and 3DS2, are introduced, merchants will need to turn to reliable payment processors who are compliant with the latest payment processing regulations.

Fraud prevention is a joint effort between credit card associations, card issuing banks, acquiring banks, payment processors and merchants. Follow the fraud-prevention practices explained in this guide to mitigate payment risks while ensuring steady business development.