Account Takeover Prevention
Always verify that the person providing card/account details is the intended recipient.
Best Practices
- Validate the address by performing a AVS check against the address collected during KYC/KYB process. This will verify that the address on file with merchant matches the address on file with the issuer of the recipient PAN. To leverage AVS validations and prevent account takeover scenarios, do NOT allow users to add a new billing address at the time of the transaction.
- Leverage TabaPay's Duplicate Account Check feature to prevent card cycling.
- Require recipient login: Require recipient to provide login/password to payer page or app (e.g., recipient logs into insurance company site to provide debit card).
- IP address matching: Validate that the IP address from which the recipient is providing the PAN matches IP addresses that the merchant has previously seen for this individual.
- Two-factor Authentication: After collecting PAN, send a text or email (using phone number or email address on file) with an authentication code that the recipient must provide back to the merchant before disbursement is processed.
Updated 6 months ago