View Full Version : worldpay //fraud & liability issues?

10-03-2005, 12:32 PM
*We* (as in the Royal We!) are just finishing off integrating worldpay into the site and getting lots of loose ends tied up.
One thing that is slightly worrying me - and I admit,I've yet to ask worldpay themselves about this - is the issue of card fraud and liability.

The way we are going to be operating is that customers have to register with us in the first instance when they decide they want to buy something and give us their home address details alongside other relevant info.However,when it comes to actually placing an order and deciding where they want their stuff delivered,we are giving them the option of having it delivered *elsewhere* (ie,maybe their work address).
Anything to make the whole shopping experience,such as it is,smooth and hassle free.

One thing that is worrying me now is what happens if someone uses someone else's card fraudulently and has goods delivered to their own address,instead of the invoiced address of the card.I'm worrying that we would be held liable for this (),even though we are not performing a cardholder-not-present transaction via a swipe machine here,but merely directing potential customers to the worldpay portal.

A possible solution we've been thinking about is this.
One of the ways Worldpay validates the bank card is the address used with the card. The address we pass worldpay is the address we capture at registration. the question / scenario i think we should consider is their first order. We have no ways in validating the address stored with the card ourselves. so in a pessimistic view someone could perform fraud from our site by using someone elses card and get it delivered elsewhere. so the way i thought we could deal with this
would be for the first order only deliver to their home address / one
registered to the card. the level of correctness we can decide because
worldpay send us back a set of numbers which correspond to whether the first line / second line/ postcode was correct etc. this should then validate the address we have sent it too and validate the user at the same time.

has anyone else got round this potential fraud issue in this way? or do you have a better alternative?

what is worldpay's stance on fraudulent use of cards and who is liable (them or us) ?


10-03-2005, 12:39 PM
quite a few places I have shopped online with only allow you to use your registered card address for the first purchase, after that, they let you get it deleiverd elsewhere.

but, what if I nicked someones card, made an order, got it delivered to the correct address, but then made a second order to a different address before the first one gets delivered??

10-03-2005, 12:42 PM

10-03-2005, 12:46 PM
Credit card companies stand on the fraud issue normally depends on how the card is verified.

You get a customer not present transaction, where the customer doesnt sign for the purchase, and a customer present where they do sign.

My credit card company will cover fraud as long as it is a cusotmer present trasnsaction i.e, if a fraudulent card is used, but the fraudster has faked a signature, i am covered, and the credit card company reimburse the victim. However if there is no signature present, they are very quick to take the money back out of your account to pay the victim.

Ideally i would ask worldpay as all your online transactions will be cardholder not present, which is more risky, hence why you pay more commission than a purely customer present trader.

10-03-2005, 03:16 PM
Hi Ken

From what I understand Worldpay will do a few checks but they won't cover any fraudulent transactions.

There are things that can help you spot fraudulent transactions.

Firstly Worldpay have there own Rating system. Ranging from NORMAL, CAUTION & WARNING. You get these messages in an Email directly after the transaction has occured.

Some of the checks that we do as a company are to Check that the User has supplied a landline phone number, Check the surname to the address on BT.com directory enquiries and also just give them a ring.

It might seem like a pain but we managed to only get stung in twice in 2 and a half years of trading, and we managed to stop one of those orders going out.


10-03-2005, 05:44 PM
Just thought I'd post an update as this info may be of use to someone else.

I spoke with Worldpay this afternoon to clarify the situation.

What anti-fraud measures do Worldpay take ?
I use Worldpay Junior ,which is the entry-level WorldDirect package which includes the World Alert Service.

As Aceicol (Alex) mentioned,this 'WorldAlert' is Worldpay's rating service which gives the retailer a msg directly after the transaction has taken place which rates the transaction as either NORMAL, CAUTION or WARNING.

According to the sales rep. I spoke with,the WorldAlert service checks that the address given checks out with the registered cardholder's address - (nb Designr's msg on YGCI forum re whether they are able to really do this,given the Data Protection Act - I do not know whether this is the case or not).

If WorldPay come back with a 'normal' msg,it is safe in their opinion for me to continue.

However,if they return with either the following>
: I might receive this msg if,say,the address does not *quite* match up.In this instance,as a Worldpay merchant,I am advised to exercise discretion and investigate further.This will involve investigating online international tel. directories to see if tel no matches up or to contact the customer direct and clarify the confusion.If I choose to go ahead,and it is the case that the transaction is fraudulant,I am liable (NOT Worldpay).

:I might receive this msg if there is a *big* difference in say address details,or it has been noted that there are unusual shopping patterns exhibited by said credit card,or transactions made in quick succession.Again,I am advised to investigate but strongly advised against proceeding.If I choose to go ahead,and it is the case that the transaction is fraudulant,I am liable (NOT Worldpay).

[B]What about fraud even with these ratings in place? [B]
This is all very well,but I am still *paranoid* about the possibility of fraudulant activity taking place DESPITE having these ratings in place.In such an instance - who is liable? Eg,what happens if I take a transaction from a fraudulant individual whose transaction is returned with a 'NORMAL' msg (*ie,they have got both the credit card as well as the correct address details from rummaging round in someone's bin) .The fraudulant person then does what I request and has his first order sent to the invoice (home) address ,but then immediately after places a 2nd order whose delivery address is NOT the invoice address (ie,another non-related address). This clearly is a fraudulant transation - but who is liable to pick up the pieces?

I asked this question and was advised that the scenario I described was *highly unlikely*;ie,unlikely that someone who has stolen a credit card also has the full postal (invoice) address details. (?????)

Nevertheless,in this situation, IF the credit card has been reported as missing/stolen PRIOR to the transaction being made,I am NOT liable - if however,it has NOT been reported stolen/missing prior to the transaction being made,I AM liable.

This seems to be to be a pretty big caveat !!!!!!!!

[B]What further action can i take to protect myself? [B]
Given that I only have the entry level WorldSelect Junior package,which includes this WorldAlert service, I have been advised that I *may* want,in due time,to purchase and upgrade my package still further.
I can buy,if I choose>
1)World Alert Configerator : this allows me to block certain IP addresses or block specific countries. (eg,Nigeria,Canada etc)
This is approx 30gbp set up fee and 20gbp per month plus VAT.

I can also choose to buy
2/Guarantee : This gives me up to 250GBP cover in the case of a *provable* fraudulant transaction.However,this guarantee is VOID if the initial WorldAlert System has come up with a 'warning' msg.Cost:30GBP per month ex VAT.

[B]Conclusion [B]
As I have not yet started using Worldpay,I have no idea of the flow of transactions I will get or what proportion of ratings msgs will come up as 'warning'.However,given that Worldpay clearly insinuate that the responsibility - AND LIABILITY - rests with me in the case if I choose to ignore or disregard their ratings system or more worryingly ,eg, if I have UNKNOWINGLY performed fraudulant transactions with a card which has NOT BEEN REPORTED AS LOST/MISSING.
This seems to me to be the biggest problem.

Package upgrades seem expensive at this stage.I did ask the Wordlpay rep. whether he had come across much fraud (ie,if these are worth my while) and what types of fraud - interestingly,he suggested that the cases he had seen so far had affected biz's/people you would not anticipate - eg,sweets retailer.It turned out that the *fraudsters* were performing a series of fraudulant transactions on him specifically do they could practice configurations.

10-03-2005, 05:58 PM
Hi Ken

From Previous advice I wouldn't get those extra services yet as they could end up taking quite a bit off your bottom line.

Most of the time that you get a WARNING note from Worldpay we found it to be because off discrepancies in the address details, however this more often than not was due to it being Company Credit Cards but the customer gave there home details.

I would strongly advise against doing business with countries such as Nigeria. I would suggest just starting with the UK and then expand when you have a bit more experience.

Rather than paying Worldpay 20 p/m just get yur web developer to make it so that the UK is the only option in your shopping cart.

I don't know what it is you will be selling but like I mentioned earlier, in my experience High levels of Fraud weren't that common, although I agree this may not be true of everyone.

Also you will still have a delivery address even if they use a different address to the billing address, in which case you will always have a point of contact for this person.


10-03-2005, 08:49 PM
Originally posted by Aceicol

From Previous advice I wouldn't get those extra services yet as they could end up taking quite a bit off your bottom line.

I would strongly advise against doing business with countries such as Nigeria.

thanks for the advice - all of it very helpful and much appreciated.....and no,nigeria isn't on my drop down box for countries to sell to !

(*the reason being i'm still miffed as i STILL haven't received my cut of the $20 million USD war-loot booty that is supposed to be winging my way from my good friend Prince XXXXX ;I guess it's just taking longer than usual to process my 5000 processing fee....)


Thanks again..

10-03-2005, 10:05 PM
I had an 8K processing fee and it took over a year but I finally got 480,000 as my share.

If anyone else wants to send me the processing fee I can get you the same sort of amount.

11-03-2005, 05:17 PM
Hi Ken,

NEVER EVER take WorldPay's ratings as a reliable measure!

We have had many payments successfully processed by WorldPay where all their ratings are reported as valid (matched), even the security code, where the "low life" is obviously not the card owner. As Alex has already stated ring them if you are unsure. But another useful method is to check their IP address against the home address they have provided, read how here:
http://www.seiretto.com/newsletters/Accepting online payments.php

There is nothing worse than getting a change-back, except when you get more than one from the same account holder..!

Watch how you go.

Dave Walker
Seiretto Ltd.
Accept credit card payments online with WorldPay and
PayPal (your customers no longer need an account): http://oscart.seiretto.com/

11-03-2005, 05:47 PM
thanks for that....that's a very useful newsletter.
I will bear that in mind.