Network Computing, powered by InformationWeek Business Technology Network
Security Workshop
Online Fraud Detection Takes Diligence

  February 18, 2002
  By Lori MacVittie


By all accounts, the online business-to-consumer market is growing at a healthy pace, but along with the increase in revenue comes a rise in the number of fraudulent transactions. Although Visa introduced CISP (Cardholder Information Security Processing) in 2000 and MasterCard followed with its Site Data Protection Service (SDPS) in 2001, fraud rates continue to hover 10 percent higher on the Internet as compared with the brick-and-mortar world, according to industry researcher Gartner.



And though CISP and SDPS focus on network security -- from the transport layer to physical security policies -- these practices do not address payment for products and services via stolen or generated credit-card numbers, which constitute the majority of fraudulent B2C transactions. A thief need only generate or purchase a valid credit-card number to steal online.

From a financial perspective, the merchant pays the most for these types of theft. By law, U.S. cardholders are responsible only for the first $50 of a fraudulent transaction, and MasterCard and Visa recently waived that requirement for online commerce. However, not only is the merchant responsible for the entire transaction, it also may be charged a fee by the credit-card issuer. And though Visa recently launched its "Verified with Visa" program (see "New Credit Card Verification Woes"), which can relieve the merchant of some liability for fraudulent transactions, the program doesn't work if it isn't used.

Of course, a merchant can prosecute a criminal to recover the transaction, but this rarely happens. "Less than 10 percent of the cases are prosecuted to the point where a merchant receives restitution. A higher percentage is prosecuted, and conviction of the perpetrator may even occur, but unless the merchant receives restitution, it isn't really 'successful,' " says Julie Fergerson, chair of the Fraud Protection Network, which was founded by American Express. The FPN offers advice and resources to help combat fraud for "card not present" (CNP) transactions. The merchant typically sets criteria to determine which fraudulent orders will be researched and processed. Some criteria for prosecuting fraud include dollar amount of loss, frequency of the attack and how much reliable information is available on the attempt.

Hard data is difficult to obtain from merchants, but the National Fraud Information Center (NFIC), which tabulates data on all types of fraud, attributed losses of $4.4 million in 2001 to Internet fraud, with 11 percent of that total in the general merchandise category. And within that category, 41 percent were via credit card.

Credit-card thieves use the stolen plastic to purchase merchandise and online subscriptions -- even Internet access. Some thieves ship the merchandise to an address other than the billing address; others have the merchandise shipped to the billing address, then somehow pick up the goods. As for service theft, the NFIC reports that in 2001, 3 percent of the losses to fraud were due to payment for Internet access service.

Of course, you cannot ensure that all fraudulent purchases are caught, but you can reduce your company's risk to an acceptable level. All merchants should determine a dollar amount of "acceptable loss" as a cost of doing business. This number ranges on average from 0.25 percent to 1.5 percent of a merchant's total budget depending on the type of business and the resources assigned to investigate and prevent fraudulent orders. The industry average is about 1.1 percent, according to Gartner.

Get the Data You Need

One of the first steps toward reducing your risk is getting as much information as you can about the credit card and the cardholder. At a minimum, you should get the following information from customers:

>> Cardholder's name exactly as it appears on the card

>> Card account number

>> Card expiration date

>> Card billing address

>> Cardholder's home number, business telephone number or both

>> Cardholder's e-mail address

>> Name of the package recipient

>> Shipping address

>> Phone number at the shipping destination

The name, account number and address can be used for rudimentary identity verification. The card issuer can determine if the address and name submitted match the information on file for the account number. Once this information is ascertained, the merchant takes over determining if the transaction is fraudulent.

The e-mail address also is important. A recent FBI study of online fraud found that 97.3 percent of fraudulent orders submitted e-mail addresses originating from a free e-mail service. Some companies reject orders with such addresses outright, deeming the risk too high; others perform additional or manual verification to determine the validity of the order.

For instance, you can do simple comparisons of the addresses within your code to check for possible fraud attempts. Such examinations generally involve comparing the billing address and the shipping address. A billing address that is different from the shipping address should be considered suspicious -- especially if the shipping address is an international one. Although you don't want to reject the transaction based on this information alone, you might want to set it to the side for manual verification -- calling the customer and checking the purchase, for example.

In addition, you might also want to determine the customer's location from his or her IP address (easily retrieved via the REMOTE_ADDR HTTP header) and cross-check this against his or her billing address. Note, however, that this technique is not foolproof; for example, most America Online customers will appear to be in Virginia. Also, use of a public proxy will invalidate this check. But it can be an indication that manual verification is called for, especially for expensive purchases.
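The checks described above (free e-mail domain, billing versus shipping address, client IP location versus billing address) can be combined into one screening step that only routes orders to manual review. This is an added example, not code from the original article; the domain list, the IP-to-region table standing in for a geo-IP lookup, the order field names and the `HIGH_VALUE` threshold are all assumptions.

```python
import re

# Constructed sample data; a real deployment maintains its own lists and geo-IP source.
FREE_MAIL_DOMAINS = {"freemail.example", "webmail.example"}
IP_REGION = {"203.0.113.7": ("US", "WI"), "198.51.100.9": ("US", "VA")}
HIGH_VALUE = 500.00  # assumed cut-off for "expensive purchases"

def _norm(addr):
    """Case-fold and collapse punctuation so trivial differences do not flag."""
    return tuple(re.sub(r"[^a-z0-9]+", " ", str(addr.get(k, "")).lower()).strip()
                 for k in ("street", "city", "state", "postal", "country"))

def screen_order(order, geo_lookup=IP_REGION.get):
    """Return the reasons this order should be verified manually (empty = none)."""
    reasons = []
    bill, ship = order["billing"], order["shipping"]
    if _norm(bill) != _norm(ship):
        reasons.append("shipping address differs from billing address")
        if bill["country"].upper() != ship["country"].upper():
            reasons.append("shipping destination is international")
    domain = order["email"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        reasons.append("e-mail address is at a free e-mail service")
    region = geo_lookup(order["remote_addr"])
    # An unknown location is not a signal; proxies and large ISPs also blur this check.
    if region is not None and region != (bill["country"].upper(), bill["state"].upper()):
        reasons.append("client IP location does not match billing address")
    return reasons

def decide(order):
    """Never auto-reject: flagged orders are held until the customer is contacted."""
    reasons = screen_order(order)
    if not reasons:
        return "accept", reasons
    return ("review-priority" if order["amount"] >= HIGH_VALUE else "review"), reasons

# Constructed order that trips every check.
SAMPLE_ORDER = {
    "amount": 900.00, "email": "buyer@freemail.example", "remote_addr": "198.51.100.9",
    "billing": {"street": "123 Main St.", "city": "Green Bay", "state": "WI",
                "postal": "54301", "country": "US"},
    "shipping": {"street": "1 Example Road", "city": "Exampleton", "state": "",
                 "postal": "00000", "country": "GB"},
}
```
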

Ensure that your site is configured to log as much information as possible about the customer -- including his or her IP address, the date and time of the order, and the length of the time the customer spends on your site, if possible.

Also watch for repeated order attempts coming from the same IP address but with different credit-card numbers. That customer could very well be someone using a credit-card-number generator to find a valid number.
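One way to watch for that pattern over the order log, as an added example that is not part of the original article: count distinct cards per IP address inside a sliding time window. The threshold, the window length, the log tuple layout and the keyed-hash card token (used so the log never holds card numbers) are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_KEY = b"constructed-demo-key"  # assumption: a secret stored apart from the order log

def card_token(pan):
    """Keyed hash so the log can tell cards apart without storing card numbers."""
    return hmac.new(LOG_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

def flag_card_cycling(attempts, max_cards=3, window=timedelta(minutes=10)):
    """attempts: (iso_time, ip, card_token) tuples in time order.
    Returns {ip: distinct card count} for every IP that tried more than
    max_cards different cards inside any one window."""
    recent = defaultdict(deque)  # ip -> (time, token) pairs still inside the window
    flagged = {}
    for iso_time, ip, token in attempts:
        now = datetime.fromisoformat(iso_time)
        q = recent[ip]
        q.append((now, token))
        while q and now - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_cards:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample: made-up card numbers and documentation IP addresses.
SAMPLE_ATTEMPTS = [
    ("2002-02-18T10:00:00", "203.0.113.7", card_token("4111111111111111")),
    ("2002-02-18T10:00:40", "198.51.100.9", card_token("4000000000000002")),
    ("2002-02-18T10:01:10", "198.51.100.9", card_token("4000000000000010")),
    ("2002-02-18T10:01:30", "198.51.100.9", card_token("4000000000000028")),
    ("2002-02-18T10:02:05", "198.51.100.9", card_token("4000000000000036")),
    ("2002-02-18T10:30:00", "203.0.113.7", card_token("4111111111111111")),
]
```

Because many customers of one provider or proxy can share an address, a flagged IP is a reason to hold its orders for review, not to block the address.
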

Remember, though, that the discovery of some inconsistencies does not mean you've uncovered a criminal. You should use the additional information requested, such as e-mail address or telephone number, to verify the purchase with the customer. You do not want to reject a valid transaction.

So unless you are 100 percent positive your system can determine a fraudulent transaction, you'll want to review questionable transactions rather than reject them outright.

If you're using a third-party software solution for fraud detection, work closely with the vendor to customize your implementation as much as possible. The idea is to reduce the number of transactions flagged for review and ensure that staff is on hand to check the transactions in a timely manner. As you become more comfortable with the system and its ability to determine what is and is not fraudulent activity, you can allow the system more latitude in its ability to make absolute decisions regarding each transaction.


Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights