What New Anti-Fraud Rules Mean for UK Online Retailers

In this article we explain:

  • Why new rules have been introduced now.
  • What exactly are the rules for UK online retailers?
  • Solutions available to businesses to ensure compliance.

Why new rules have been introduced now

Online fraud has grown in step with the year-on-year increase in retailers’ revenue from their online channels, costing businesses and the banking industry huge amounts of money annually. According to the Daily Telegraph, online fraud costs consumers around £400m a year.

To combat this, new online anti-fraud legislation was instigated by the European Banking Authority and introduced into UK law prior to Brexit. The new rules were due to be introduced by the Financial Conduct Authority (FCA) in early 2021, but this was delayed until 14th March 2022 to give online retailers more time to adjust their systems to be compliant.

What are the new rules for UK online retailers?

Since the 14th March this year, retailers and payment providers are legally required to carry out identity checks on customers who buy online using a credit or debit card.

These Strong Customer Authentication (SCA) rules, as they are known, will predominantly apply to purchases over £25 (30 Euros). However, if a pattern of multiple purchases for amounts below £25 is seen from a customer, this could also invoke the SCA rules for an identity check to make sure the customer is genuinely who they say they are. The new rules do not apply to purchases made over the telephone.

Identity verification checks applied to only around 1% of purchases before 14th March, but these new anti-fraud rules could see that figure rise to around 25% of all purchases according to Mastercard.

Solutions available to businesses to ensure compliance

There are a number of identity verification solutions available to check the customer is genuinely who they say they are.

Below are what we believe to be the best solutions for online retailers to use on their websites to comply with the new rules.

It is important to mention that the FCA expects websites to be able to provide identity checks on ALL customers. This means those who can’t be verified using their mobile phone device, either because of poor signal or they choose not to own a mobile, must still be verified via some other means. Therefore websites need to have several different methods of authentication available, not just one that relies on a mobile phone for example.

2 Factor authentication

A common way of verifying a customer is 2 Factor authentication via SMS text. The first stage is the customer entering the password to their account on the website. Then, for the second stage, the customer is asked to provide their mobile phone number and enter into the webpage a one-time numeric code that is sent by text message to their mobile.

Read more about integrating text message verification into your website with the T2A text message API method.

You can also check the mobile number is current and in use with the T2A mobile number validation API method.

Person Verification using data matching

This is one of the most robust solutions for checking the identity of a customer to prevent fraud, as it matches against actual data so cannot be falsified.

The customer name and address details are matched against a comprehensive UK dataset comprised of several licensed databases such as the Electoral Roll. A message of ‘identity verified’ or ‘not verified’ is returned to the website and communicated on-screen to the customer.

Read more about integrating Person Verification into your website using the T2A Person Verification API method.

Age Verification using data matching

Age Verification is for websites that sell any age-restricted products or services where customers must be 18 or over to make the purchase. This is a great add-on to Person Verification where retailers are liable for any claims of underage selling, as well as identity checking.

Like Person Verification, this is a very reliable and robust solution as it matches the name and address details of the customer against a vast dataset of UK person databases including the Electoral Roll. A result of ‘verified under 18’ or ‘18 or over’ is returned.

Read more about using Age Verification on your website using the T2A Age Verify API method.

In Conclusion

UK online retailers have had a long period to get their website systems ready for the new anti-fraud rules that came into force on 14th March 2022. Therefore, it’s probable that the FCA will soon be checking that websites are complying with the rules and potentially making examples of those that are not and perhaps issuing companies with fines.

Online retailers’ websites must have a number of solutions for customer identity checking in place, not just one, to ensure ALL customers can be verified by some means.

Validating a customer’s identity by matching customer details against recognised, up-to-date databases such as the Electoral Roll is the best way to be compliant with the rules, as this method cannot be falsified.

The Person Verification API method from T2A is one such solution that retailers can integrate easily and cheaply into their website or App.

A quick guide to Cyber Essentials Plus

We have just successfully passed Cyber Essentials Plus, a test we undergo every year because we value highly the security of our IT systems. We also know it gives our corporate and individual customers peace of mind when searching for information on our websites or using our T2A API methods.

So here’s a bit more information about what the accreditation is, how it’s done, and some reasons to do it in your organisation…

What is Cyber Essentials Plus?

Cyber Essentials is a scheme, backed by the UK government, that helps you protect your organisation against a range of common cyber attacks. There are two types of certification:

  • Cyber Essentials
  • Cyber Essentials Plus

Cyber Essentials is the cheaper option at £300+VAT. This is a self-assessment where you answer a series of questions relating to your IT infrastructure. For those organisations that don’t have anyone with a technical IT background and may find some of the questions difficult to answer, there is help available from one of the Certification Bodies who are trained and licensed for the Cyber Essentials scheme.

Cyber Essentials Plus involves a hands-on technical verification that your IT systems meet the required standard to repel common cyber attacks. As these hands-on tests of your network and computers are done by experts from one of the Certification Bodies, having the Cyber Essentials Plus certification displayed to customers gives more assurance that you are complying with the scheme than the basic self-assessment option above.

This was the reason we felt it better to go for the “Plus” option even though it is more expensive. The price varies depending on the size and structure of your organisation and you can get a quote on the Government’s Cyber Essentials partner IASME website here: Cyber Essentials Plus Get a Quote – Iasme

In these times of the Covid-19 pandemic we expected that we would have to look at safe distancing measures etc. when someone from our chosen certification body came to visit our office. Instead they sent us an impressive-looking case of technical equipment for us to plug in. They were then able to do all their necessary checks remotely, just as well as if they had been in our office in person.

Reasons you should get Cyber Essentials certified

As we’ve already mentioned, at T2A we thought it was well worth going for Cyber Essentials Plus. But if you can’t afford that it’s still worth doing the basic Cyber Essentials certification. There are good reasons for doing either option:

  • It prompts a review of your IT security and procedures.
  • Gives customers peace of mind that you take cyber security seriously and are taking positive steps to block all common cyber attacks.
  • Customers know that you have taken extra steps to protect their personal details and passwords.
  • Certification of the scheme, especially the Cyber Essentials Plus option, gives you an extra positive selling point to new potential customers.
  • If you tender for public sector work, some government contracts will only deal with companies that have Cyber Essentials certification.

More information

There is a good FAQs section on the National Cyber Security Centre’s (NCSC) website: Frequently Asked Questions – NCSC.GOV.UK

Here is an overview of the scheme on the NCSC website: About Cyber Essentials – NCSC.GOV.UK

How companies can beat scalping and win over customers

What is Scalping?

You might be familiar with the gruesome act of removing an enemy’s hair (and scalp!) featured in many Hollywood westerns. However, there’s another meaning of scalping which is used increasingly in business.

A definition of scalping, in a business sense, from the Cambridge English dictionary:

The activity of buying things, such as theatre tickets, at the usual price and then selling them when they are difficult to get at higher prices.

Scalping is most prevalent online. The coronavirus pandemic has benefited online scalpers by creating the perfect storm of:

  • A huge consumer shift towards online purchasing.
  • Delays in product delivery due to problems with global supply chains.
  • Other purchasing channels, such as high street retail, being closed during lockdowns.

What’s the problem?

The Scalpers say that buying up desirable items for sale on the internet, like the new PlayStation 5 console, and selling them for a handsome markup is just good business. They claim they are only being entrepreneurial and it’s not illegal to do it.

Indeed it is not illegal, but it’s certainly regarded as pretty unethical and angers many consumers who can’t get items they really want, like the PS5.

Scalpers often use bots to trawl the internet to find websites selling these desirable in-demand items. This practice adds to the view that this is unethical, with ordinary customers standing little chance of finding items in stock on a website against such mass volume automated techniques.

Many people have written to their MPs complaining about the practice and a debate on scalping was raised in parliament specifically about the unfairness on consumers of scalping in the computer consoles market.

Very few retailers have protection in place against scalping

In the gaming market, most retailers recognise the problem of scalping.

Our very quick mystery shopping exercise found that the current ‘hard to get’ PS5 cannot easily be bought on the internet at its RRP of £449.99 because stocks on retailer websites are all sold out.

However, you can get one if you’re prepared to pay the inflated cost of the scalpers on reseller websites like Ebay, some adding on hundreds of pounds. The cheapest PS5 we found on Ebay was £535.00, going up to £999.99.

Currys PC World seem to be one of the few online retailers trying to offer a fairer system. You can enter their PS5 VIP pass draw and if you’re one of the lucky winners you get a code to purchase a PS5 when they secure more stock.

Companies have a choice to retain their brand reputation and win over customers

The use of automated bots has only been made illegal for buying tickets for concerts and gigs.

For all other items currently in high demand scalpers can continue to use bots and buy up stock from websites that aren’t doing anything about it. There are many items that attract scalpers, here are just a few examples:

  • Game consoles
  • New technology and computer equipment
  • Hot tubs
  • Gym equipment
  • Special edition records
  • Limited edition trainers and clothing

Companies risk losing their brand reputation and customer loyalty when customers go to their website and cannot get what they want as it’s out of stock, scalpers with their automated bots having got there first and purchased the items in bulk.

Customers are less likely to return to a website in future when looking for other items if they have been unable to get their in-demand item before because the company has allowed scalpers to buy up much of the stock.

In fact, because it’s becoming such an issue, there’s an opportunity for companies to get ahead of their competitors by introducing anti-scalping operating procedures onto their website. This will create a fair and level playing field for consumers, plus a real positive PR story for their brand which in turn can increase customer loyalty and sales.

The Anti-Scalping solution for companies to keep their customers happy

Companies can use Person Identity Verification on their website to ensure an order is from a genuine name at the delivery address given. Person Verification matches the order details against the full Electoral Roll dataset. Steps for companies are:

  1. Restrict a product liable to scalping to 1 order per person.
  2. Check the name and address typed in hasn’t already been used to buy it.
  3. Someone scalping would need to invent false names at their address, or other addresses they are using. Running this through Person Identity Verification would then tell the company that the name and address doesn’t exist and so refuse the purchase.
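The three steps above can be sketched as follows; this is an added example, not T2A's code. The `verify_person` callable is a hypothetical stand-in for a Person Verification lookup (assumed to return `FOUND` or `NOT_FOUND`), the names, addresses and key are constructed, and the ledger stores a keyed hash of the normalised name and address so that trivial spelling variations do not bypass the limit and raw personal data is not kept.

```python
import hashlib
import hmac
import re
import unicodedata

# Assumption: a server-side secret that keys the ledger hashes (constructed value).
LEDGER_KEY = b"constructed-demo-key-change-me"


def _norm(text):
    """Lower-case, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return " ".join(text.split())


def _normalised(first_name, surname, address_line1, postcode):
    return (_norm(first_name), _norm(surname), _norm(address_line1),
            _norm(postcode).replace(" ", ""))


def person_key(first_name, surname, address_line1, postcode):
    """Keyed hash that identifies one person at one address."""
    joined = "|".join(_normalised(first_name, surname, address_line1, postcode))
    return hmac.new(LEDGER_KEY, joined.encode(), hashlib.sha256).hexdigest()


class OnePerPersonGate:
    """Step 1: one order per person for each restricted product."""

    def __init__(self, verify_person):
        self._verify = verify_person   # hypothetical verification lookup
        self._seen = {}                # product id -> set of person keys
        # In production this would be a database table with a unique
        # constraint on (product id, person key), not an in-memory dict.

    def check_order(self, product_id, first_name, surname, address_line1, postcode):
        key = person_key(first_name, surname, address_line1, postcode)
        bought = self._seen.setdefault(product_id, set())
        # Step 2: has this name and address already bought the product?
        if key in bought:
            return "REFUSED_ALREADY_PURCHASED"
        # Step 3: does the name exist at that address?
        if self._verify(first_name, surname, address_line1, postcode) != "FOUND":
            return "REFUSED_NOT_VERIFIED"
        bought.add(key)
        return "ACCEPTED"


def demo_verify(first_name, surname, address_line1, postcode):
    """Constructed stand-in for the real lookup: one known resident."""
    known = {("alice", "example", "1 sample street", "ab12cd")}
    probe = _normalised(first_name, surname, address_line1, postcode)
    return "FOUND" if probe in known else "NOT_FOUND"


if __name__ == "__main__":
    gate = OnePerPersonGate(demo_verify)
    print(gate.check_order("ps5", "Alice", "Example", "1 Sample Street", "AB1 2CD"))
    print(gate.check_order("ps5", " ALICE ", "example", "1 Sample  Street.", "ab12cd"))
    print(gate.check_order("ps5", "Bob", "Invented", "1 Sample Street", "AB1 2CD"))
```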

This data-based method of verification is easier and cheaper to implement for the company, and much less hassle for the customer, than having to find photo ID and upload to the website.

Our API for websites can integrate our Person Verification method easily into your website. We also offer Person Identity Verification on our public website ukphonebook.com.

Contact Us or visit our website for more information.

Selling age-restricted products to under 18’s is illegal – how to comply as an online retailer?

Companies will be aware that selling certain products such as alcohol, tobacco and fireworks to anyone under 18 years of age is illegal. However, companies may not be so aware of the positive steps they are required to take under UK Government guidelines to check the age of customers buying these products.

Proof of age can easily be done in a shop by judging whether the customer looks old enough, or asking for photo id if the shopkeeper is unsure. It is much more tricky for online retailers to be certain a customer is over 18, yet the same responsibility applies to a website owner as it does to a shop owner.

In this article we explain what an online retailer’s responsibilities are and how to comply with Trading Standards guidelines.

Duty of online retailers

It is the responsibility of online retailers not to sell age-restricted products to customers under the minimum legal age.

That is no surprise, but importantly it is also the duty of online retailers to use effective systems capable of verifying the age of potential purchasers to ensure they are old enough to buy a product.

The list of age-restricted products in the UK includes:

  • Alcohol
  • Tobacco and vaping products
  • Fireworks
  • Spray paints and hazardous chemicals
  • Cooking and camping knives
  • Certificate 18 films and games
  • Pharmaceuticals and medicines

What age checks are not likely to be viewed as taking ‘due diligence’?

What we mean by ‘due diligence’ here is all reasonable checks made by an online retailer to verify the customer’s age before selling them age-restricted products.

According to the Business Companion website (who describe themselves as “Trading Standards law explained”) the following checks are unlikely to satisfy ‘due diligence’, and thus not be a reasonable defence if an online retailer appeared in court for selling to an under age person.

Not sufficient to satisfy ‘due diligence’:

  • Using tick boxes to ask purchasers to confirm they are over 18.
  • Asking the purchaser to give a date of birth.
  • Relying on the purchaser confirming that they are over 18.
  • Using a general disclaimer on your website – e.g. “anyone ordering this product will be deemed to be at least 18”.
  • An ‘accept’ tick box that the purchaser has read the website terms and conditions where it states they must be over 18.
  • Only taking credit card payment. Credit cards are not available to under 18s but some debit cards and pre-paid cards are.

Age verification methods that are likely to show compliance

Age verification checks are much more likely to display an online retailer’s compliance with ‘due diligence’ and their responsibilities when selling age-restricted products. Examples of these age verification methods are:

  • Age Verification of a purchaser by matching name and address details against a frequently updated dataset comprised of the Electoral Roll and other UK data sources. See more details on T2A’s pay-as-you-go Age Verification method.
  • Obtaining proof of age at the door when delivering the product. However, third party delivery companies may not want to take responsibility for this on your behalf.
  • Follow-up checks after the product has been ordered, for example if proof of age could not be done at the time of purchase. This can create time-consuming admin for website owners and can be a problem if purchases slip through the net and are never checked.
  • If a website has stores as well, click and collect can be offered and age checks can be done face-to-face when the customer comes in to collect the product. This option is not likely to be viable for the majority of websites, just big brands with stores nationwide.

Conclusion

Considering the options above, the first option of verifying a purchaser’s age against third party data, seems to be the best for the vast majority of websites that sell age-restricted products. The reasons are:

  • First and foremost the online retailer is doing the most they can by checking age at the point of purchase. This represents a good level of ‘due diligence’ should the retailer be accused of selling age-restricted products to someone under age.
  • Matching against data sources like the Electoral Roll before the purchase is confirmed makes it a reliable way to verify the purchaser’s age without the admin that results from making manual age checks.
  • The online retailer does not have to rely on courier companies making an age check for them on delivery. A driver may forget to ask if they are busy with many deliveries, or the purchaser may not be at home which creates logistical issues when the product cannot be left at the door.

For more information on T2A’s Age Verification method for online retailers, please click here.

This is also available as an Age Verification plugin for websites built using WordPress and WooCommerce.

How to use bulk options for Person Verification and Age Verification.

Our API offers the option, on both Person Verification and Age Verification, of a bulk method so you can check a file of multiple names and addresses in one go.

This is ideal for companies that want to check their customer database to verify that they hold the correct and genuine name/address details in the case of Person Verification, or that customers are 18 years old or over if running the file against our Age Verification.

Person Verification

Checking that a person applying for your product, or who has registered an account with you, is who they say they are is invaluable as a way to prevent fraud and money laundering within your business. Our Person Verification method does just that by checking against our vast dataset of 48+ million UK people.

‘Knowing Your Customer’ (or KYC as it’s commonly abbreviated to) by using our Person Verification facility is vital in many business sectors including:

  • Banks and Building Societies
  • Lending companies
  • Insurance companies & brokers
  • Rail industry (for ticket inspectors issuing fines)
  • Legal practices and solicitors

Read more on the bulk tab of our T2A Person Verification page.

Age Verification

Under UK law any business selling age-restricted products or services must check that the customer is old enough to purchase them. Trading Standards guidance from the Government states that a customer ticking a box on a website to say they are 18 or over is not sufficient to verify their age.

Our Age Verification method checks a UK person’s age against actual date of birth data within our comprehensive set of data sources including the Full Electoral Roll.

There is a need for reliable age verification amongst a wide range of industries that sell age restricted products including:

  • E-Commerce retailers of alcohol, tobacco or DVDs
  • Pharmaceutical companies selling their products online
  • Retailers of kitchen knives and other items that can be classed as “offensive weapons”
  • Websites selling potentially harmful cleaning products and other dangerous chemicals.

Read our Age Verification page on T2A to see how we check age against actual data. Click the bulk tab for information on the bulk age verification method.

How our bulk Person Verification and Age Verification services work

Step 1 – download the names and addresses from your database that you want to verify into a csv file.

Step 2 – make sure your file has these fields included as a minimum:

  • First name
  • Surname
  • Address line 1
  • Postcode

Step 3 – upload your file to T2A

Step 4 – T2A matches your information against our vast dataset which is updated daily to provide the most accurate, up to date results.

Step 5 – your csv results file will contain the original data plus an extra column to give one of the following results next to each person:

For Person Verification…

  • FOUND
  • NOT_FOUND

For Age verification…

  • FOUND_OVER_18
  • FOUND_UNDER_18
  • NOT_FOUND
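Steps 1 to 5 can be wrapped in a small script like the one below, which is an added example and not part of T2A's tooling. It exports only the minimum fields plus an opaque customer reference, so no other customer data leaves your database, and it refuses any result value it does not recognise. The exact header spellings, the `Customer ref` column and the `Result` column name are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Minimum fields from Step 2; the exact header spelling is an assumption.
REQUIRED = ["First name", "Surname", "Address line 1", "Postcode"]
REF_COLUMN = "Customer ref"     # assumption: opaque id to join results back
RESULT_COLUMN = "Result"        # assumption: name of the extra results column
AGE_RESULTS = {"FOUND_OVER_18", "FOUND_UNDER_18", "NOT_FOUND"}
PERSON_RESULTS = {"FOUND", "NOT_FOUND"}


def build_upload(rows):
    """Return (csv_text, rejected) for an iterable of customer dicts.

    Columns other than the reference and the required fields are dropped,
    and rows with an empty required field are reported instead of uploaded.
    """
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[REF_COLUMN] + REQUIRED,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    rejected = []
    for row in rows:
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            rejected.append((row.get(REF_COLUMN), missing))
            continue
        writer.writerow(row)
    return out.getvalue(), rejected


def triage_results(results_csv, allowed=AGE_RESULTS):
    """Group customer references by result; unknown values raise ValueError."""
    buckets = {name: [] for name in sorted(allowed)}
    reader = csv.DictReader(io.StringIO(results_csv))
    for line_no, row in enumerate(reader, start=2):
        result = (row.get(RESULT_COLUMN) or "").strip()
        if result not in allowed:
            raise ValueError(f"line {line_no}: unexpected result {result!r}")
        buckets[result].append(row[REF_COLUMN])
    return buckets


# Constructed sample data.
SAMPLE_ROWS = [
    {"Customer ref": "C001", "First name": "Alice", "Surname": "Example",
     "Address line 1": "1 Sample Street", "Postcode": "AB1 2CD",
     "Email": "alice@example.test"},
    {"Customer ref": "C002", "First name": "Bob", "Surname": "Sample",
     "Address line 1": "", "Postcode": "AB1 2CE"},
]
SAMPLE_RESULTS = (
    "Customer ref,First name,Surname,Address line 1,Postcode,Result\n"
    "C001,Alice,Example,1 Sample Street,AB1 2CD,FOUND_OVER_18\n"
    "C003,Carol,Sample,2 Sample Street,AB1 2CF,FOUND_UNDER_18\n"
    "C004,Dan,Example,3 Sample Street,AB1 2CG,NOT_FOUND\n"
)

if __name__ == "__main__":
    upload, rejected = build_upload(SAMPLE_ROWS)
    print(upload, rejected)
    print(triage_results(SAMPLE_RESULTS))
```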

Try our verification services for free

There is a free demo for each of our verification methods:

Go to the demo tab on this page to try Person Verification.

Go to the demo tab on this page for Age Verification.

So if you want to ensure your customer database contains genuine verified UK individuals, and that they are old enough to buy your age restricted products in the future, why not get in touch.

Using T2A with Webhooks

A user’s interaction on a website, and in particular an eCommerce website, can be described as a series of events. Whenever a user does something like sign in, register, request a password reset link or add an item to their basket, an event occurs. Webhooks are a way of responding to these events.

Age verification

With age verification becoming increasingly regulated, it is important to make sure your website, if it sells age-restricted products, is designed to check a customer is over 18. This can be achieved with webhooks and the T2A method age_verification. Most eCommerce solutions (e.g. WooCommerce) will provide webhooks that you can use. For WooCommerce you could set your Topic as “Customer created”, “Order created” or “Order updated” and then run the T2A age verification to check the customer information against our extensive UK people data sources to see if the user is over 18. Alternatively, you could select Action as your topic field and create a webhook that fires after a particular WooCommerce action occurs, e.g. “woocommerce_after_checkout_validation”.
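One way to receive the WooCommerce “Order created” webhook described above, shown as an added example rather than T2A's or WooCommerce's own code: it checks the `X-WC-Webhook-Signature` header (base64 HMAC-SHA256 of the raw body, keyed with the webhook secret) before doing any lookup, and holds the order unless the age check says over 18. The `age_check` callable is a hypothetical stand-in for a call to the age_verification method, its return values are assumed to match the bulk result codes T2A lists, and the secret and order are constructed.

```python
import base64
import hashlib
import hmac
import json

BILLING_FIELDS = ("first_name", "last_name", "address_1", "postcode")


def signature_ok(raw_body, header_value, secret):
    """Compare the delivered signature with one computed over the raw bytes."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest)
    return hmac.compare_digest(expected, (header_value or "").encode())


def handle_order_webhook(raw_body, headers, secret, age_check):
    """Return (http_status, action) for one webhook delivery.

    action is "release" only when the sender is authenticated and the
    age check positively confirms the customer is over 18.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not signature_ok(raw_body, hdrs.get("x-wc-webhook-signature", ""), secret):
        return 401, "rejected"          # not from our shop, or body altered
    try:
        billing = json.loads(raw_body)["billing"]
        person = [billing[k].strip() for k in BILLING_FIELDS]
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, "malformed"
    if not all(person):
        return 200, "hold"              # nothing to match against
    try:
        result = age_check(*person)     # hypothetical T2A lookup
    except Exception:
        result = None                   # lookup failure must not release
    action = "release" if result == "FOUND_OVER_18" else "hold"
    return 200, action


def sign_like_sender(raw_body, secret):
    """What the shop side computes; used here to build the demo request."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


# Constructed sample delivery.
SECRET = b"constructed-webhook-secret"
ORDER_BODY = json.dumps({
    "id": 1001,
    "billing": {"first_name": "Alice", "last_name": "Example",
                "address_1": "1 Sample Street", "postcode": "AB1 2CD"},
}).encode()

if __name__ == "__main__":
    good = {"X-WC-Webhook-Signature": sign_like_sender(ORDER_BODY, SECRET)}
    print(handle_order_webhook(ORDER_BODY, good, SECRET, lambda *p: "FOUND_OVER_18"))
    print(handle_order_webhook(ORDER_BODY + b" ", good, SECRET, lambda *p: "FOUND_OVER_18"))
```

Verify the signature over the exact bytes received, before any JSON parsing or re-serialisation, otherwise a valid delivery will fail the comparison.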

Identity Verification

Another use for webhooks is to check customer information to prevent fraudulent card transactions. Stripe, Braintree and other merchant account providers will provide webhook interaction which you can use by checking customer input against our person_verify method. This could be a first step in flagging a transaction that needs further investigation. Our person_verify method checks a name and address against our 48+ million data set of UK people and indicates whether they exist in our data.

Contact Appending

As well as verification you could use webhooks and T2A to improve your customer database. We have substantial information on UK people and businesses. Using a “Customer created” webhook you could use our person_search method to enhance the customer record. The person_search method returns telephone numbers, mobile numbers and links the person to associated companies if they are a company director. Alternatively, if you are dealing with a UK business you could get further information on the company using our business_search, company_details, company_credit_report and director_details methods. Our business data includes telephone numbers, company website, company appointments, credit reports and information on directors. This appended customer information could help with marketing, profiling, order fulfillment and other customer service requirements.

Alternatively, if you don’t need to update customer records on the fly during webhooks you can take advantage of the bulk telephone number appending API method.

TPS Checking

The last use case in this post is the tps_full method. Again using a “Customer created” webhook you could check if the customer’s telephone number is on the TPS or Corporate TPS register and flag the record accordingly. You could also periodically check all your records with the bulk TPS checking method tps_bulk (though this would not be during a webhook).


How one customer has harnessed the power of our API

The T2A API is powering lots of companies’ websites, apps and internal systems to help them deliver new efficient processes in their business. They depend on our UK data sources, the most accurate and up to date available, to deliver instant reliable results for their staff’s people, address and company information searches.

Our customers are wide and varied, from delivery companies to fraud prevention specialists, E-Commerce websites to estate agents, telemarketing agencies to building societies.

Here is a case study about one of our customers to give you a flavour of how we help companies, working with them as their data partner…


T2A Customer Focus – Raspberry Software Systems Ltd

Raspberry Software Systems, providers of software solutions to the UK rail industry since 2004, have been working with us for 10 years and have increased their usage of our T2A data during that time.

Through Raspberry Software’s Ticket Inspection and Prosecution System (TIPS) their rail clients have been able to replace paper based systems, and arduous record checking over the phone by Revenue Protection Officers on the train, with instant passenger identification through the app on an Officer’s tablet or smart phone.

At the heart of the TIPS system is the T2A data upon which it relies, delivered by API methods that we worked on in partnership with Raspberry Software to help them deliver the unique tailored system they wanted to develop.

The feedback that Raspberry Software has had from their clients has been excellent. Rail companies using TIPS have reported a much greater number of Penalty Fare Notices issued and a marked increase in those settled.

Working with T2A has been a very rewarding process for us. Their agile and flexible approach to delivering quick solutions to the data requirements we had for our system has been very refreshing. Add to that the fact that through their API we have access to good quality data at very good value prices, this relationship has been a win for us and a win for our clients.

Peter Jarvis | Director
Raspberry Software Systems Ltd

In the case study example above, Raspberry Software are using our API methods relating to finding who lives at a UK address, accessing the Electoral Roll and our other data sources.

We have a host of other methods too within our API to help you with whatever people, address and company data searching you need to perform within your system. Here is our full method list to show what the T2A API can do.

Some of our most popular applications of the API are:

…and much more. See all our API services

Try before you buy!

One of the best things about our API is that you can sign up for an account and start testing it out straight away without any financial commitment. There are free demos (using limited access to live data) and example scripts to get an idea of how accessing the API could work for you with HTML, CSS and JavaScript.

So if you have an app, website or internal system (or you’re looking to develop one) and need an API to return results using comprehensive up to date UK data sources…let’s talk!

Quick links:

Sign up to try out how our API can work for your system, on a trial basis with no commitment!

Contact Us – we’d love to hear from you!

Find out more – a summary of what you can do with the T2A API

How to recover file contents after Notepad++ crash

Notepad++ is generally a pleasure to use but it does very occasionally crash and empty whatever file you happened to be editing at the time too… Here’s where you can find a backup version to recover your file if this ever happens to you too:

C:\Users\YOUR_USERNAME\AppData\Roaming\Notepad++\backup

Note: At the time of writing I’m running Notepad++ v6.7.8.2 on Windows 7 Professional, but you’ve not got anything to lose by trying this for other versions of Notepad++/Windows.

Thanks to Indrajit on Stack Overflow for posting the solution originally!

Preventing card fraud when accepting Card Not Present (CNP) transactions

If your business accepts Card Not Present card payments (e.g. an eCommerce website) you are probably aware of the built-in checks provided by your merchant services provider: *AVS, CVV, MasterCard SecureCode / Verified by Visa and Fraud Screening.

*Brief description of built in checks

  • Address Verification Checks – checks the numerical characters of the transaction’s billing address and postcode against the details held by the card issuer. (This is not widely used by non-UK cards.)
  • Card Verification Value (CVV) – checks the transaction’s inputted CVV against the value held by the card issuer.
  • MasterCard SecureCode / Verified by Visa – services created by the Card Schemes to protect you and your customers.
  • Fraud Screening – your merchant provider provides a score indicating the likelihood a transaction is fraudulent; they also highlight anomalies with the transaction (e.g. transaction billing address country does not match value held by the card issuer).

There are, however, additional checks you can make to help avoid a fraudulent transaction.

  1. Check the customer’s email address – proceed with caution with free email addresses like Yahoo, Hotmail or Gmail as these are more likely to result in fraud. Subscription email addresses like ‘BTConnect’ or ‘Virginmedia’ are usually safer. Or if the email address is the domain of a company website, go to that domain and see if it is an established website; if it’s just a parking page the transaction is less safe. You should also check the name in the email address. Does it make sense when comparing it to the card holder name? Checking the email address should be a part of your overall checking as many of your honest customers may use free email addresses.
  2. Is the order too good to be true? Be aware if you have an order that is a higher value than your normal orders. Also be aware if you get several orders from the same customer in a short space of time. Have a look at your statistics: how frequently do you get orders from the same customer? If your best honest customer is buying from your website once a month and someone purchases from you 3 days in a row, something might be fishy.
  3. Is it unusual in another way? Is there anything else you can think of that doesn’t match your normal customers?
  4. Check the IP address of the transaction and see where it originates from. Compare this with the billing address. Be aware that fraudsters can use proxy IP addresses.
  5. Where possible ask customers for a land line telephone number which can be checked using Directory Enquiries (unless they are ex-directory). You can also check the supplied name and address details against the details on the Edited Electoral Roll. This is not a guarantee as it is possible to opt out of having your details published. Try ukphonebook.com people search OR the T2A API search for a person and find a residential telephone number methods.
  6. Have a look at all the transactions occurring on your website, not just the successful ones. Was the customer declined several times before they were successful? You shouldn’t immediately think it’s fraud as sometimes people mistype things, but you should investigate further.
  7. When you do get a fraudulent transaction or charge-back – investigate the details of the transaction and see if there are any clues to help further improve your fraud screening.

These checks can help you when you are reviewing your transactions but you may want to consider building your own solution that uses a combination of these checks against each transaction before they are submitted to protect yourself further.
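A combined check of the kind suggested above could look like this; it is an added example, not code from T2A or any merchant provider. It turns checks 1, 2, 4 and 6 into weighted flags so that a weak signal on its own (a free email address) never sends an order to review. The weights, thresholds, domain list and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: domains standing in for the free providers named in check 1.
FREE_EMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}
# Assumed weights: the weaker signals cannot trigger a review by themselves.
WEIGHTS = {"free_email": 1, "email_name_mismatch": 1, "high_value": 2,
           "rapid_repeat_orders": 2, "ip_billing_mismatch": 2,
           "multiple_declines": 2}
REVIEW_THRESHOLD = 3


@dataclass
class Transaction:
    customer_id: str
    cardholder_name: str
    email: str
    amount: float
    placed_at: datetime
    ip_country: str
    billing_country: str
    declines_before_success: int = 0


def review_flags(tx, history, typical_order_value):
    """Return the list of checks this transaction trips, in check order."""
    flags = []
    local, _, domain = tx.email.lower().rpartition("@")
    if domain in FREE_EMAIL_DOMAINS:                        # check 1
        flags.append("free_email")
    name_parts = [p for p in tx.cardholder_name.lower().split() if len(p) > 2]
    if name_parts and not any(p in local for p in name_parts):
        flags.append("email_name_mismatch")                 # check 1
    if tx.amount > 3 * typical_order_value:                 # check 2 (assumed 3x)
        flags.append("high_value")
    recent = [h for h in history
              if h.customer_id == tx.customer_id
              and timedelta(0) <= tx.placed_at - h.placed_at <= timedelta(days=3)]
    if len(recent) >= 2:                                    # check 2: 3 orders in 3 days
        flags.append("rapid_repeat_orders")
    if tx.ip_country != tx.billing_country:                 # check 4
        flags.append("ip_billing_mismatch")
    if tx.declines_before_success >= 3:                     # check 6 (assumed 3)
        flags.append("multiple_declines")
    return flags


def decide(tx, history, typical_order_value):
    """Return ("review" or "accept", flags) before the payment is submitted."""
    flags = review_flags(tx, history, typical_order_value)
    score = sum(WEIGHTS[f] for f in flags)
    return ("review" if score >= REVIEW_THRESHOLD else "accept"), flags


# Constructed sample transactions.
NOW = datetime(2022, 3, 14, 12, 0)
HONEST = Transaction("c1", "Alice Example", "alice.example@gmail.com",
                     40.0, NOW, "GB", "GB")
SUSPECT = Transaction("c2", "Bob Sample", "qx7731@hotmail.com",
                      400.0, NOW, "US", "GB", declines_before_success=4)
HISTORY = [
    Transaction("c2", "Bob Sample", "qx7731@hotmail.com", 380.0,
                NOW - timedelta(days=1), "US", "GB"),
    Transaction("c2", "Bob Sample", "qx7731@hotmail.com", 390.0,
                NOW - timedelta(days=2), "US", "GB"),
]

if __name__ == "__main__":
    print(decide(HONEST, [], 50.0))
    print(decide(SUSPECT, HISTORY, 50.0))
```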