The Credit Card Associations of Visa and MasterCard maintain the Global Merchant Audit Program (GMAP) to monitor merchants processing an excessive number of fraudulent transactions. GMAP is a rolling six-month database that identifies merchants that for any one calendar month have:
- At least three fraudulent transactions.
- A cumulative total of at least $2,000 in fraudulent transactions.
- A minimum fraud-to-sales volume ratio of 1%.
Merchants identified under the GMAP program are divided into the following three tiers based on their fraud-to-sales volume ratio in any one month:
- Tier 1 — fraud-to-sales volume ratio minimum of 1% and not exceeding 3.99%.
- Tier 2 — fraud-to-sales volume ratio minimum of 4% and not exceeding 6.99%.
- Tier 3 — fraud-to-sales volume ratio of at least 7%.
If a merchant is identified in Tiers 1 or 2 more than one time in a 12-month period, it will be automatically escalates into the next higher tier. If a merchant is escalated into Tier 2, the processor is required to provide it with additional training on fraud control. If a merchant is escalated into Tier 3, the processor is required to decide whether to accept liability for fraud related chargebacks or to terminate the merchant account.
If a merchant is identified in any one of these tiers, it should expect certain actions from its processor. Some of these actions are required by Visa and MasterCard, for others the processor will follow its own policies.
- Tier 1 merchants. When a processor is notified that one of its merchants is placed into Tier 1, there is no requirement that the processor respond formally to the notice. A Tier 1 notice is provided for information only. The merchant should expect, however, that the processor will implement a fraud control program or enhance an existing one.
- Tier 2 merchants. When a processor is notified that one of its merchants is placed into Tier 2, it is required to conduct training on credit card acceptance and fraud control procedures at the merchant location. The Credit Card Associations (Visa and MasterCard) do not require processors to terminate the merchant account, although the processor can do it, if that is its policy. The more likely scenario is that the processor will implement a rigorous fraud control program.
- Tier 3 merchants. When a processor is notified that one of its merchants is placed into Tier 3, the Associations require that it must either terminate the merchant account or accept liability for chargebacks for all reported fraudulent transactions (except fraudulent application and account takeover fraud) during the applicable chargeback period. The chargeback period will be determined to be a minimum of six months or a maximum of 12 months. Most likely, the processor will terminate the merchant account.
Should the processing bank choose to accept chargeback responsibility, the merchant will be placed into the Global Security Bulletin with the applicable chargeback liability period. Issuers will then have the right to charge back any fraudulent transaction that occurred during the applicable period, other than the fraudulent application or account takeover fraud types. The chargeback liability period begins on the first day of the month following the month in which the merchant was placed in the GMAP and lasts for at least six months, but it may be increased to a 12-month period.
Image credit: Thejoysoftraveling.com.