Tuesday, March 9th, 2010

How to Handle Charged-off and Delinquent Accounts

Tags: charge-off, consumer advice, credit card delinquencies, credit history, credit reporting agencies, credit reports, Equifax, Experian, TransUnion

The latest figures released by Fitch Ratings, a credit ratings agency, show that credit card charge-offs surged 1.12% in January to reach 11.37%, the highest level since a record 11.52% in September of last year. Charge-offs are credit card loans that issuers don’t believe will be collected and have written off their books as losses. Typically, an account is charged off 180 days after the last payment was received. The same report shows that in January payments that were 60 or more days late were at 4.50%, while those 30 days late stood at 5.72%. These are extremely high levels, but how exactly are consumers affected by delinquent and charged-off accounts?


Both delinquent and charged-off accounts are listed as derogatory items on your credit report and affect your credit score. Delinquent payments will reduce your score, but will not have a lasting effect if you resume making payments on time and convince creditors that the odd late payment was an aberration. That is not to say that you shouldn’t be all that concerned with making payments on time. On the contrary, you should, because consistency and honoring the contract terms will help you get the highest possible credit score and lowest interest when you need a loan.


Charged-off accounts present a much bigger challenge and leave a much more lasting effect on your credit history. A single charged-off account can be enough to prevent you from obtaining any form of credit and can hurt your employment prospects. It remains on your credit report for at least seven years and destroys your credit score. Moreover, you are still responsible for the debt after it has been charged off and the lender or a collection agency can still attempt to recover it. The credit reporting agencies report charged-off accounts as “negative accounts,” often listing them under “collection accounts.”


The best way to deal with charge-offs is to settle them with your creditor at the earliest opportunity. Remember that the creditor has already written off your account as a loss, so they will be willing to negotiate and accept a settlement for less than the full amount, as little as 50% or less in many cases. Now that you have negotiated a settlement, how does that reflect on your credit history?


Once you settle your debt, the negative information will not be automatically deleted from your credit report. What will change is that your account will be reported as “paid in full” (even if you had settled for less than the full amount), which immediately improves your credit worthiness in the eyes of your prospective lenders.
The best course of action that you should follow, once you settle a charged-off account, would be to:

  1. Obtain a letter from your creditor stating that you have paid the account in full. Creditors are required by law to issue such a letter.
  2. Send a copy of this letter to each of the national credit bureaus: Experian, Equifax and TransUnion. Under the Fair Credit Reporting Act (FCRA), the bureaus are required to update your report within 30 days.
  3. If the information is still not updated after 30 days, the FCRA requires that the account be deleted from your history, which is the best possible outcome for you.


According to FICO, the maker of the most popular credit score, its scores are composed of the following components:

  • Payment history accounts for 35% of the score.
  • Amounts owed – 30%.
  • Length of credit history – 15%.
  • New credit – 10%.
  • Types of credit used – 10%.


With that in mind, the following tips will help you improve and maintain your credit score:

  • Always make your payments on time, at least the minimum.
  • Keep your credit card account balances as low as possible or, better yet, pay them off each month.
  • Add new and different types of credit, such as an installment loan, which shows creditors that you can handle regular monthly payments.
Monday, March 8th, 2010

Validating Cardholder Information in E-Commerce Transactions

Tags: Address Verification Service (AVS), card verification codes, card-not-present transactions, credit card information, e-commerce, e-commerce merchants, e-commerce risk, floor limit, fraud prevention, transaction authorization

E-commerce merchants are responsible for verifying the validity of their customers’ personal information prior to processing card payments online. A failure to do so may cause you to lose your representment rights if a transaction is charged back and it will certainly increase your fraud risk exposure. The ultimate financial responsibility for fraudulent transactions is borne by the merchant.


The cardholder validation process should be carried out concurrently with the card verification process, so that the merchant ensures both that the card is authentic and that the cardholder is an authorized user of the card. The two validation processes complement each other. They represent the two sides of the same coin and should both be implemented in every e-commerce merchant’s risk management strategy.


The process of validating a cardholder consists of checking the correctness of the provided telephone number, physical address and email address. The following simple verification steps will help you identify errors or potential fraudulent activity:

  • Provide separate fields for landline and cell phones. For landlines, check that the area code and prefix of the telephone number provided by the customer are valid for the entered city and state. Identify mismatches and allow the customer to re-enter information if desired. For cell phones, call the number provided when it does not match the above-mentioned characteristics.
  • Use directory services to verify that the provided ZIP code is valid for the provided city and state. Consider allowing customers to override alerts, as the information they entered may be valid and the mismatch due to recent updates or wrong directory data.
  • Check the validity of the provided email addresses by sending order confirmations. If the email comes back as “undeliverable,” this can be an indication of a fraudulent activity. At the same time, some customers do not provide valid email addresses for fear they would be used for telemarketing purposes or sold to third-party entities.
  • If you have reasons to suspect fraud or unauthorized card use, contact the card issuing bank directly and:
    • Confirm the name, address and telephone number associated with the card number.
    • Confirm whether the cardholder has made a recent address change or added an alternative address.
  • Call the cardholder to confirm the transaction and resolve any discrepancies that may still remain. Tell your customer that this confirmation is performed as a protection against fraud.


The validation process should be designed to enhance the fraud prevention tools provided by the credit card companies and associations and by your processor:

  • Transaction authorization. All card-not-present transactions have a floor limit of zero, which means that they all require authorization. Always obtain authorization before completing a transaction and take into account the authorization result code.
  • Card expiration date. Your website’s payment acceptance forms must have a mandatory field for the card’s expiration date. Direct marketers should have the same field available in their printed payment forms and should insist that customers provide it.
  • Card verification codes. Card verification codes are the three-digit numbers that are found in the signature panels on the back of Visa, MasterCard and Discover cards and the four-digit numbers that are found slightly above and to the right of the account numbers of American Express cards. You should always ask the customer to provide this code as a way to prove that he or she is in physical possession of the card.
  • Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer with the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing an AVS response code. Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.
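
One way to combine the authorization result, the AVS response code and the card verification result into a single accept/review/decline decision. This is an added example, not code from the original article; the `decide` function and its policy are assumptions, and the result codes are those commonly published by U.S. processors, so confirm them against your own processor's table.

```python
# AVS result codes as commonly published by U.S. processors (assumption:
# check your processor's documentation). Value = (street matches, ZIP matches).
AVS_MATCH = {
    "X": (True, True), "Y": (True, True),    # street and ZIP match
    "A": (True, False),                      # street matches, ZIP does not
    "W": (False, True), "Z": (False, True),  # ZIP matches, street does not
    "N": (False, False),                     # neither matches
}
# Any other code (for example E, G, R, S, U) means the issuer gave no answer.
CVV_MATCH, CVV_NO_MATCH = "M", "N"           # other CVV codes: not checked


def decide(auth_approved, avs_code, cvv_code):
    """Return (decision, reasons); decision is 'accept', 'review' or 'decline'.

    The policy is illustrative: a hard mismatch declines, anything the
    issuer could not confirm goes to manual review.
    """
    if not auth_approved:
        return "decline", ["authorization not approved"]

    avs_code = (avs_code or "").upper()
    cvv_code = (cvv_code or "").upper()
    issues = []  # (severity, reason): 2 = decline, 1 = review

    if cvv_code == CVV_NO_MATCH:
        issues.append((2, "card verification code does not match"))
    elif cvv_code != CVV_MATCH:
        issues.append((1, f"card verification code not checked ({cvv_code})"))

    if avs_code in AVS_MATCH:
        street_ok, zip_ok = AVS_MATCH[avs_code]
        if not street_ok and not zip_ok:
            issues.append((2, "billing address and ZIP both fail AVS"))
        elif not (street_ok and zip_ok):
            differs = "ZIP" if street_ok else "street"
            issues.append((1, f"partial AVS match: {differs} differs"))
    else:
        issues.append((1, f"no AVS answer from issuer ({avs_code})"))

    severity = max((s for s, _ in issues), default=0)
    return ("accept", "review", "decline")[severity], [r for _, r in issues]


if __name__ == "__main__":
    # Constructed sample results: (approved, AVS code, CVV code)
    for sample in [(True, "Y", "M"), (True, "Z", "M"),
                   (True, "G", "P"), (True, "Y", "N"), (False, "Y", "M")]:
        print(sample, "->", decide(*sample))
```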
Friday, March 5th, 2010

12 Signs of E-Commerce Fraud

Tags: card-not-present transactions, credit card fraud, e-commerce, e-commerce merchants, e-commerce risk, online credit card transactions

There are certain e-commerce transaction characteristics that are statistically very likely to be present when fraud is being committed. These risk signs vary from one organization to another, depending on a multitude of factors, so merchants should compile their own lists and update them over time. Listed below are 12 of the most common risk characteristics, the presence of which should alert merchants operating in a card-not-present environment to the possibility that a fraudulent transaction may be under way. If only one or two of these signs are present, this may not be a cause for concern but if several are identified in a single transaction, the merchant should investigate and verify the validity of both the card and the cardholder before processing the payment.

  1. First-time shoppers. Criminals are always looking for new victims. Once they commit a fraud at one merchant, they usually move on to another and never come back.
  2. Larger-than-average orders. Stolen payment cards have a very limited life span so criminals need to make a quick use of them. Large-size orders are one way of doing that.
  3. Orders for several items of the same kind. Just as with larger-than-average orders, purchasing multiple items of the same kind is a way of maxing out stolen cards as quickly as possible.
  4. Big-ticket items. Big-ticket items have high resale value, maximizing the fraudsters’ profits.
  5. Orders with overnight delivery. Naturally, criminals do not much care about shipping costs and are more likely than legitimate shoppers to order items with overnight or another type of rushed delivery.
  6. Orders from internet addresses at free email services. Free email services have no billing relationship with their users, leaving no possibility for verification that a legitimate cardholder has opened the account.
  7. International shipping addresses. A substantial number of fraudulent transactions are shipped to international addresses. Outside the U.S., the Address Verification Service can only work for U.K. addresses.
  8. Similar account numbers. There are various software tools for generating card account numbers, such as CreditMaster. These numbers are often very similar.
  9. Multiple orders shipped to the same address. Such orders may indicate the use of a stolen batch of cards or of fraudulently generated account numbers.
  10. Multiple transactions on one card in a short amount of time. Such transactions may indicate that a criminal is attempting to run up a stolen card’s credit line as quickly as possible, before the account is closed.
  11. Multiple shipping addresses. Similarly to the previous scheme, a card may be used multiple times in a short amount of time with the orders going to several shipping addresses.
  12. Multiple cards from a single IP address. Such transactions may indicate multiple orders placed from the same computer, even if different names and shipping addresses have been used.
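
The list above turned into a rule check that counts how many signs one order shows and holds it for review when several are present. This is an added example, not code from the original article; the field names, thresholds, free-mail list and sample orders are assumptions constructed for illustration, and signs 4 and 8 are not covered because they need a price catalogue and account-number comparison.

```python
from datetime import datetime, timedelta

# Assumptions to tune per merchant: free-mail list, velocity window, thresholds.
# "card" is a gateway token, never a raw account number. All data is constructed.
FREE_EMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
WINDOW = timedelta(hours=1)
LARGE_ORDER_FACTOR = 2.0   # order total compared with the store's average
SAME_ITEM_QTY = 3
REVIEW_AT = 3              # "several" signs present -> manual review


def fraud_signs(order, history, avg_total):
    """Return the numbers of the article's risk signs present in `order`.

    `history` holds earlier orders; only those placed within WINDOW before
    this order count toward the velocity signs (9 to 12).
    """
    recent = [h for h in history
              if timedelta(0) <= order["time"] - h["time"] <= WINDOW]
    same_card = [h for h in recent if h["card"] == order["card"]]
    signs = []
    if all(h["email"] != order["email"] for h in history):
        signs.append(1)                      # first-time shopper
    if order["total"] > LARGE_ORDER_FACTOR * avg_total:
        signs.append(2)                      # larger-than-average order
    if max(order["items"].values()) >= SAME_ITEM_QTY:
        signs.append(3)                      # several items of the same kind
    if order["delivery"] == "overnight":
        signs.append(5)                      # rushed delivery
    if order["email"].rpartition("@")[2].lower() in FREE_EMAIL:
        signs.append(6)                      # free email service
    if order["ship_country"] != "US":
        signs.append(7)                      # international shipping address
    if any(h["ship_to"] == order["ship_to"] and h["card"] != order["card"]
           for h in recent):
        signs.append(9)                      # other cards, same address
    if same_card:
        signs.append(10)                     # card reused inside the window
    if any(h["ship_to"] != order["ship_to"] for h in same_card):
        signs.append(11)                     # one card, several addresses
    if any(h["ip"] == order["ip"] and h["card"] != order["card"]
           for h in recent):
        signs.append(12)                     # several cards from one IP
    return signs


def needs_review(order, history, avg_total):
    return len(fraud_signs(order, history, avg_total)) >= REVIEW_AT


T0 = datetime(2010, 3, 5, 12, 0)


def make_order(minute, email, card, ip, ship_to, total, items,
               delivery="ground", ship_country="US"):
    """Build one constructed sample order placed `minute` minutes after T0."""
    return {"time": T0 + timedelta(minutes=minute), "email": email,
            "card": card, "ip": ip, "ship_to": ship_to, "total": total,
            "items": items, "delivery": delivery, "ship_country": ship_country}


AVG_TOTAL = 60
HISTORY = [
    make_order(-5000, "alice@example.org", "tok_A", "198.51.100.7",
               "12 Oak St", 40, {"book": 1}),
    make_order(0, "m1@gmail.com", "tok_1", "203.0.113.9",
               "9 Dock Rd", 900, {"camera": 3}, "overnight"),
    make_order(10, "m2@yahoo.com", "tok_2", "203.0.113.9",
               "9 Dock Rd", 950, {"camera": 3}, "overnight"),
]
REPEAT = make_order(30, "alice@example.org", "tok_A", "198.51.100.7",
                    "12 Oak St", 55, {"book": 2})
NEWCOMER = make_order(40, "bob@gmail.com", "tok_B", "198.51.100.20",
                      "3 Elm Ave", 45, {"mug": 1})
SUSPECT = make_order(20, "m3@hotmail.com", "tok_3", "203.0.113.9",
                     "9 Dock Rd", 980, {"camera": 3}, "overnight")

if __name__ == "__main__":
    for name, o in [("repeat", REPEAT), ("newcomer", NEWCOMER),
                    ("suspect", SUSPECT)]:
        print(name, fraud_signs(o, HISTORY, AVG_TOTAL),
              "REVIEW" if needs_review(o, HISTORY, AVG_TOTAL) else "ok")
```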
Thursday, March 4th, 2010

Overview: Accepting Credit Card Payments Online

Tags: authorization fees, Authorize.Net, credit card acceptance, credit card fees, discount fees, interchange fees, payment gateway, payment processors

It is always amusing and often instructive to look at the credit card processing industry through the eyes of a consumer. It provides industry insiders with invaluable information about how our potential clients view our services and what we should do a better job of explaining. Inc.com’s Christine Lagorio is the latest one to give it a shot in a recent article. She directs her attention to the online payment processing segment of the industry.


The author begins with advice on how to select a payment processing service provider and mentions several names. She then goes on to review the part payment gateways play in the process and here is where it gets confusing. The article doesn’t explain what a gateway does, while it seems to be suggesting that it is all you need to accept payments online. This is a common misconception and we’ve had to separate the facts from the fiction in many conversations with our clients.


A payment gateway is a service that connects an e-commerce website’s shopping cart with the merchant’s processing bank and transmits transaction information between them. Once a customer places an order, the gateway encrypts the information, routes it to the processing bank and then relays the authorization response (approved, declined, etc.) back to the customer. It serves, for e-commerce stores, the same purpose that a physical point of sale (POS) terminal does for brick-and-mortar businesses.


The payment gateway, however, is just a component (although a vital one) of each e-commerce merchant account, just as the POS terminal is a part of a retail merchant account. Both services facilitate the capture and transmission of transaction information from the merchant to its payment processor. The secure transmission of transaction data is the principal use of a payment gateway. Once the information is sent to the processing bank, the transaction has to be authorized, cleared and settled in order to be completed. This whole process, from the capturing of information to the settlement and funding, is what a merchant account service provides.


Lagorio also provides pricing information for several major gateways and correctly notes that payment processors use gateways as portals. What she has not mentioned is that processors also typically offer much lower gateway set-up and per-transaction costs than the gateway provider. For example, while Authorize.net would set up an account for $99 and would charge $0.10 per transaction, a processor may set up an Authorize.net account for $50 (or less) and charge less than $0.10 per transaction.


The biggest gap in Lagorio’s review, however, is perhaps the failure to explain what gateway authorization fees are and how they differ from the other per-transaction fees that merchants are charged. The $0.10 per transaction fee mentioned above is a gateway authorization fee. Authorization fees are charged solely for the use of a gateway or a POS terminal. For each bank card transaction, you will be charged an additional fixed fee, which is totally separate from the authorization fee. In her report Lagorio cites several examples, ranging from $0.21 – $0.25. It is important to add that you would be paying these fees regardless of whether your provider is Authorize.net, First Data or UniBul Merchant Services. These additional per-transaction fees are a component of the “discount fee” that processors charge for processing the merchant’s transactions. The other component of the discount fee is represented as a percentage of the transaction amount. So a typical e-commerce discount rate would be 2.19% + $0.25 per transaction. Discount fees are divided among three participants: the processing bank, the card issuing bank and the card association (Visa or MasterCard). The lion’s share of the discount fees, estimated at about 75% of the total processing fees U.S. merchants paid in 2008, is called the interchange fee. It is published annually by Visa and MasterCard and is collected by the card issuer. The association gets a fraction of one percent (about 0.1%), and the rest is collected by the processor.

Wednesday, March 3rd, 2010

Screening International E-Commerce Transactions

Tags: Address Verification Service (AVS), card-not-present transactions, e-commerce best practices, e-commerce merchants, e-commerce risk, fraud prevention

One of the biggest advantages e-commerce organizations have over their brick-and-mortar counterparts is the option to sell their products and services all over the world. Now, having the whole world as your potential market is hugely tempting for obvious reasons. After all, you are in business to make sales and the more customers you have, the more sales you are likely to make. Moreover, if foreign consumers are willing to pay higher shipping costs to get your merchandise, why won’t you accommodate them? It seems like international sales are a no-brainer. Yet, there are significant issues associated with international orders that e-commerce merchants should carefully consider before deciding whether or not to serve customers living abroad.


International orders present a number of unique risk factors that U.S. e-commerce merchants do not have to deal with when serving domestic customers, including:

  • Fraud. A significant number of fraudulent transactions are shipped to fraudulent cardholders outside of the United States. You will be limited in your ability to verify your international customer’s identity and address, as well as the card’s validity. You will also be liable for any chargebacks if you accept the transaction, even if the card issuer approves it.
  • Address Verification Service (AVS). AVS can only be used to confirm addresses in the United States. The one exception is when a card issuer supports International AVS, in which case AVS can also validate addresses in the United Kingdom; other non-U.S. addresses cannot be verified. Without the benefit of using AVS, e-commerce merchants will not be protected from certain types of chargebacks and will have no recourse against them.
  • Laws and regulations. The legal environment in your customer’s country may further restrict your already limited remedial options against fraudulent transactions, even if you are able to prove that an unauthorized transaction has taken place.
  • Language barrier. Linguistic challenges are likely to further complicate the matter. Restricting your sales to the English-speaking world would be one solution.


Yet, despite all the risks associated with international transactions, the huge advantage of being able to reach out to consumers all over the world has proved irresistible to many businesses. If you choose to join in and test your international capabilities, consider screening high-risk international transactions to limit your risk exposure. The following suggestions will help you build your screening procedures:

  • As a first step, identify the high-risk countries that are heavily involved in online fraud. There are many resources you can turn to for help with that, including your payment processor.
  • Before going all in, test your international market and track your fraud experience for various international locations.
  • Obtain the contact information of the card issuer from your payment processor and contact them to verify the cardholder information for first-time buyers.
  • Require the billing address to be the same as the shipping address.
  • Review the Internet Protocol (IP) address and identify the computer network source:
    • There are a number of online resources to enable you to quickly determine the IP address country.
    • Match the IP address country with the one provided by your customer. If there is a mismatch, you should investigate further.
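
The billing/shipping and IP-country checks from the suggestions above, as an added example that is not part of the original article. The geolocation table, the placeholder country code `XA`, the order fields and the function names are all assumptions constructed for illustration; a real deployment would query a maintained IP geolocation database and its own high-risk country list.

```python
import ipaddress
import re

# Constructed sample data. The networks are documentation ranges and "XA" is
# a placeholder code standing in for an entry on a merchant's high-risk list.
GEO_TABLE = [(ipaddress.ip_network(net), country) for net, country in [
    ("192.0.2.0/24", "GB"),
    ("198.51.100.0/24", "DE"),
    ("203.0.113.0/24", "XA"),
]]
HIGH_RISK = {"XA"}


def ip_country(ip):
    """Country of the most specific matching network, or None if unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed input is treated as "cannot determine"
    hits = [(net.prefixlen, country)
            for net, country in GEO_TABLE if addr in net]
    return max(hits)[1] if hits else None


def normalize(address):
    """Make addresses comparable: ignore case, punctuation and extra spaces."""
    return tuple(re.sub(r"[^a-z0-9]+", " ", part.casefold()).strip()
                 for part in address)


def screen(order):
    """Return ('proceed' | 'hold', findings) for one international order.

    Addresses are (street, city, postal code, country code) tuples.
    """
    billing, shipping = order["billing"], order["shipping"]
    findings = []
    if normalize(billing) != normalize(shipping):
        findings.append("shipping address differs from billing address")
    if {billing[3], shipping[3]} & HIGH_RISK:
        findings.append("high-risk country")
    seen = ip_country(order["ip"])
    if seen is None:
        findings.append("IP address country could not be determined")
    elif seen != billing[3]:
        findings.append(f"IP country {seen} != billing country {billing[3]}")
    return ("hold" if findings else "proceed"), findings


# Constructed sample orders.
OK_ORDER = {"ip": "192.0.2.44",
            "billing": ("10 High St.", "Leeds", "LS1 1AA", "GB"),
            "shipping": ("10 high st", "LEEDS", "LS1 1AA", "GB")}
BAD_ORDER = {"ip": "203.0.113.5",
             "billing": ("5 Rue A", "Lyon", "69001", "FR"),
             "shipping": ("Unit 4", "Port", "0000", "XA")}

if __name__ == "__main__":
    for name, o in [("ok", OK_ORDER), ("bad", BAD_ORDER)]:
        print(name, screen(o))
```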


Although you are unlikely to ever manage to completely eliminate international fraud, as you accumulate transaction data over time, you will be better able to manage risk and adjust your screening process.

Tuesday, March 2nd, 2010

Merchant Account Qualifications and Requirements

Tags: credit card industry, merchant accounts, merchant application requirements, merchant applications, merchant pre-application, processing banks

Industry regulations require processors to ensure that merchant account applicants meet certain qualifications, before processing their paperwork. All applicants must:

  1. Be legally registered within the U.S. Individuals are not allowed to set up credit card processing services. Foreign organizations are also excluded. Applicants must be either legally incorporated as businesses or they must be registered with the local municipality and obtain a “Doing Business As” (DBA) name.
  2. Have a physical address within the U.S. Applicants must have a physical office that processors can inspect. Home-based businesses are acceptable.
  3. Have a U.S. bank account. The bank account into which you will have your funds deposited must be opened with a U.S. bank.


Provided your organization is qualified to apply for a merchant account, there are a number of requirements that will still need to be met and, to understand why the process is so stringent, you need to understand exactly what it is that you are applying for.


A merchant account is a form of line of credit that a processing bank (member of Visa and MasterCard) extends to the merchant. When you accept a card payment, your processor will “acquire” it, usually at the end of the day, together with your other transactions, and will automatically deposit the payment amount, after subtracting the interchange fee and its own processing cost, into your designated checking account. At the same time it will submit a request for payment to your customer’s card issuing bank. Your processing bank will pay you before it gets paid. Moreover, even after the processor gets paid, your customer has six months to dispute the transaction and, if the dispute is valid, the transaction must be reversed (charged back). If you have gone out of business or cannot cover the chargeback amount, your processor is the one who will take the hit. That is the reason why the application process is set up to establish the credit worthiness of both the applicant organization and its principals. The following is a list of requirements that you will have to meet and documents you will have to provide:

  • Application form. The application form will collect information about both your business and yourself, including address (business and personal), social security number, tax ID (if applicable), phone number, email address, web address, bank account info, etc.
  • Personal guarantee (for-profit organizations only). A personal guarantee is required from the principals of all privately held businesses. Sole proprietorships often do not require a personal guarantee. Non-profits and public companies are not required to provide a personal guarantee.
  • Articles of Incorporation. Unless you are a sole proprietor, you will have to provide proof that your business has been legally incorporated.
  • Business license. If your business activity is regulated and requires a license, either a federal or a state one, you will need to provide it.
  • Business financial statements. Unless your organization has been formed recently, you will have to provide its financial statements (typically it is required that you produce financial statements for the two years preceding the application date).
  • Personal financial statements. Typically requested in place of business financial statements, personal financials may also be requested in addition to them. Personal tax returns for the latest two years are typically sufficient.
  • Business and personal credit history. Processing banks will check your business’ Dun & Bradstreet credit file (if applicable). The business’ principals will also have their credit files reviewed.
  • Business profile and marketing materials. Merchants are required to provide a description of all products and services they offer, as well as copies of all relevant marketing materials. The product type helps processing banks estimate the business’ risk type. Certain types of products and services will put the applicant business on the restricted merchant list while others may place it on the prohibited list.
  • Processing statements. If you are currently accepting credit cards and are looking for a new service, you will be asked to produce your three latest processing statements.
  • Voided check. You will need to provide a voided copy of a check for the bank account into which you will want your money to be deposited. The check must have your “Doing Business As” (DBA) name pre-printed on it. If you have not yet received your permanent checks, you can substitute with a signed bank letter stating your account details.
  • Compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). Compliance with the PCI DSS will ensure that customer account information is adequately protected.
  • Site inspection. The processor may conduct a site inspection of the applicant business’ offices and warehouses (when applicable). Exceptions to the site inspection requirement typically include:
    • Dentists.
    • Health practitioners.
    • Hospitals.
    • Optometrists.
    • Physicians.
    • Colleges and universities.
    • Publicly held companies.
  • Business policies. The merchant’s billing, shipping and return policies will be reviewed to ensure compliance with industry regulations. A representative of the processing bank may also place and then return an order with the merchant, as an additional inspection step.
  • Other requirements. In case fulfillment of orders is handled by a third party, information should also be provided about this establishment and a site inspection will be conducted at its premises as well. The Internet Service Provider may also have its physical controls inspected. Other requirements may also need to be met.
Monday, March 1st, 2010

How to Handle a Data Security Breach

Tags: best practices, credit card fraud, data security, data security breaches, risk exposure, stolen data

Despite all of our best efforts to protect sensitive personal information from falling into the wrong hands, we can never achieve absolute security. There are plenty of hackers out there who are equally hard at work attempting to beat our security measures and steal card account details, and unfortunately they are successful at times. Merchants should develop and implement security measures to enable them to proactively detect suspected breaches, respond quickly and minimize the damage in case data is compromised. If you suspect or have confirmed that your data security system has been breached, you should take the following measures:

  • Immediately contain and limit the exposure. To prevent any further loss of data, you should conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise. The following concrete actions should be taken:
    • Do not access or attempt to access the systems that were compromised. Do not change your log-in details.
    • Do not turn off the compromised system. Instead, unplug the cables that connect it to the rest of your network.
    • Try and save the logs and all other information that can be used as evidence in your investigation.
    • Document all actions that were taken.
    • If you are using a wireless network, change the network access code and the network’s name on the access point. Adjust all systems accordingly, save for the compromised one(s).
    • Remain on high alert for the duration of the investigation and monitor all components of your system.
  • Immediately contact all parties involved. All parties involved in the payment processing cycle should be immediately alerted of the suspected or confirmed security breach. Be sure to contact:
    • Your organization’s security group, if applicable.
    • Your organization’s legal department.
    • Your payment processor.
    • The local FBI office.


The Credit Card Associations of Visa and MasterCard have established procedures for handling suspected and confirmed data breaches and will contact you to assist in the investigation. In the event of a compromise, they may dispatch a team to go on-site and help identify security deficiencies, control exposure and discuss the measures that need to be taken to prevent similar events from occurring in the future. Once you have identified the compromised account numbers, you will have to distribute them to the respective credit card companies and associations and your processor will instruct you exactly how to do that. The compromised account numbers will then be distributed to the card issuers who may issue new replacement account numbers. Your processor will also instruct you on any other actions that may need to be taken, including providing an incident report, undergoing an independent forensic review, etc.