By now all regular visitors to this blog should have learned that accepting payments online, over the phone or in any other card-not-present setting is a much riskier affair than a face-to-face transaction. Admittedly, most of our readers are involved, in one way or another, in processing credit card payments, and already knew that from experience, even before we first wrote on the subject.
Still, it is worth reiterating exactly what the risks are before we suggest ways to mitigate them. The two biggest issues associated with processing card-not-present payments, often interrelated, are fraud and chargebacks. Fraud is more rampant online than in brick-and-mortar stores because it is much more difficult to establish the legitimacy of the cardholder and the validity of the card when neither can be seen. Chargeback levels are higher for much the same reason, but also because accepting card payments online or over the phone allows for more processing errors.
Yet, although at an obvious disadvantage, e-commerce and MO / TO merchants are not exactly at the mercy of the criminals. Plenty of tools are available to help you fight fraud, and following best card acceptance practices will further minimize fraud and chargeback levels. In this post I will offer nine simple steps for processing card-not-present payments. If you follow them in each of your sales transactions, both your fraud and chargeback rates will decline significantly.
When a customer makes a payment at the checkout of your online store or over the phone to complete a transaction, your system needs to perform the following actions:
- Collect the payment information. At a minimum, the following information needs to be submitted with each sales transaction:
  - The cardholder’s name, card account number and expiration date.
  - The cardholder’s full billing address and the shipping address (if applicable).
  - The payment date.
  - The total amount of the payment, including all applicable taxes and gratuities purchased on the card.
  - A mutually acceptable description of the products or services purchased by the cardholder.
- If participating in Verified by Visa (VbV) or MasterCard SecureCode (you should), complete the respective authentication process and provide the authentication data in the authorization request. These services add a security layer to help protect merchants that accept cards over the internet.
- Perform internal fraud screening. You need to develop a fraud screening system, or obtain one from a third-party vendor. This mechanism will, if certain predefined high-risk characteristics are found, suspend the processing of the transaction at issue. Such services will help you verify the validity of both the cardholder and the card.
- For transactions that pass your internal scrutiny, obtain authorization from the card issuer. Authorization is the process of obtaining permission from the card issuing bank to accept the card for payment and should be obtained for all card-not-present transactions (see chart below).
  With your authorization request you should also perform the following verifications:
  - Address verification. The Address Verification Service (AVS) is a risk management tool that enables merchants accepting card payments in a non-face-to-face environment to verify the validity of the billing address provided by their customers by comparing it to the one on file with the card issuer.
  - Verification of the card security code. Card security codes are the 3-digit numbers on the back of Visa, MasterCard and Discover cards and the 4-digit codes on the front of American Express cards. They were introduced to help e-commerce and MO / TO merchants verify that their customers are in physical possession of their cards at the time of the transaction. It is a feature that all major payment gateways support and your payment processing provider should make it available to you. You should never store card security codes.
- Use the correct electronic descriptor. The electronic descriptor identifies the transaction type and helps processing banks to differentiate merchants based on the way payments are accepted. Indicate “Mail Order,” “Telephone Order,” “Internet Order,” or “Signature on File,” as applicable, into the appropriate field of the authorization and settlement messages.
- Provide your customer with the expected delivery date. Tell your customer what the delivery method and expected delivery date will be. If a delivery is running late, immediately inform your customer of the new expected delivery.
- Do not deposit transactions before the shipping date. For card-not-present transactions, the transaction date is the shipping date, not the order date (see graph above). Transactions cannot be deposited until the products or services have been shipped. You also shouldn’t be late with your deposits: transactions deposited more than 30 days after the transaction date may be charged back to you.
- Make your organization’s return and credit policies available to consumers through clearly visible links on your website. Placing these links in your website’s footer or header will usually make them present on all pages, so that customers can easily review them.
- Place your customer service number on all of your website pages. This is a crucial, though often neglected, requirement. Most customer questions can be answered and concerns alleviated with a simple phone call, before they deteriorate into disputes and chargebacks. You should also make other communication methods, like email and chat, available to your customers, but in addition to phone support, not in place of it.
That’s it, nine simple steps to follow in each of your transactions. Actually, the last two are only applicable to e-commerce businesses, so MO / TO merchants only have seven to think of. Unfortunately, some fraud and chargeback causes will remain beyond your control, but applying the above suggestions will remedy the vast majority of them and you will be in pretty good shape.
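How steps 1, 3, 4 and 7 might be enforced in order-handling code, as an added example that is not from the original post or from any gateway's API. The `Order` class, the function names, the 500.00 review threshold, the hold-or-decline policy and the normalized result values (`match`, `no_match`, `unavailable`) are all assumptions made for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional

# Step 1: fields the post says must accompany every sale.
REQUIRED = ("cardholder_name", "card_number", "expiration",
            "billing_address", "payment_date", "amount", "description")
DEPOSIT_WINDOW = timedelta(days=30)  # later deposits may be charged back
REVIEW_AMOUNT = 500.00               # assumed threshold, tune to your business

@dataclass
class Order:
    cardholder_name: str
    card_number: str
    expiration: str
    billing_address: str
    payment_date: date
    amount: float
    description: str
    security_code: str               # sent with the authorization only
    shipping_address: Optional[str] = None

def screen(order: Order) -> str:
    """Step 3, before authorization: 'reject', 'suspend' or 'authorize'."""
    if any(not getattr(order, f) for f in REQUIRED):
        return "reject"
    differs = bool(order.shipping_address) and order.shipping_address != order.billing_address
    return "suspend" if differs and order.amount >= REVIEW_AMOUNT else "authorize"

def after_authorization(approved: bool, avs: str, code: str) -> str:
    """Step 4: act on the issuer's answer plus the AVS and security-code checks.
    avs/code are assumed normalized values: 'match', 'no_match', 'unavailable'."""
    if not approved or code == "no_match":
        return "decline"
    return "fulfil" if avs == "match" else "manual_review"

def record_for_storage(order: Order) -> dict:
    """Record to persist: the card security code is never stored."""
    record = asdict(order)
    del record["security_code"]
    return record

def may_deposit(ship_date: Optional[date], today: date) -> bool:
    """Step 7: not before shipping, and within 30 days of the shipping date."""
    return ship_date is not None and ship_date <= today <= ship_date + DEPOSIT_WINDOW

# Constructed sample order (test card number, not real data).
SAMPLE = Order("A. Cardholder", "4111111111111111", "12/30", "1 Main St, Springfield",
               date(2024, 3, 1), 650.00, "Desk lamp", "123", "9 Other Rd, Shelbyville")
```

The sample order is suspended for review because it ships to an address other than the billing address and exceeds the assumed threshold.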
Image credit: Besthomedecorators.com.