Managing the E-Commerce Authorization Process

The e-commerce transaction authorization process has a significant impact on risk, customer service and operational expenses. Implementing the following best practices will ensure that it is managed effectively and will keep your chargeback level low:

• Focus on fraud prevention. When a cardholder initiates a transaction, follow these best practices:
  • If you are participating in Verified by Visa (VbV) or MasterCard SecureCode, complete the respective authentication process and provide the authentication data in the authorization request. These services add an additional security layer to help protect merchants that accept cards over the internet.
  • Perform internal fraud screening. Fraud screening procedures can be developed internally or obtained from third-party vendors. There are many fraud screening services available today to help e-commerce merchants assess the risks associated with online transactions and to help you verify the validity of both the cardholder and the card. Transactions should be matched against velocity parameters, high-risk locations and internal negative files. Transactions that raise suspicions should be subjected to a further review.
  • For transactions that pass your internal scrutiny, you should obtain authorization from the card issuer. The authorization should include Address Verification Service (AVS) and Card Security Codes (the 3- or 4-digit codes on the back or front of credit and debit cards) to help determine whether the card issuer or you should decline the transaction.
    • The Address Verification Service (AVS) is a risk management tool that enables merchants accepting card payments in a non-face-to-face environment (e.g. e-commerce, mail order and telephone order [MO / TO]) to verify the validity of the billing address provided by their customers by comparing it to the one on file with the card issuer. Using AVS helps card-not-present merchants minimize fraud and fraud-related chargebacks.
    • The Card Security Codes (CVV2, CVC 2 and CID) were introduced to help e-commerce and mail order and telephone order (MO / TO) merchants verify that their customers are in a physical possession of their cards at the time of the transaction. It is a feature that all major payment gateways support and your payment processing provider should make it available to you.
  • If you are using a third-party fraud screening service, obtain a fraud score for these transactions that have not yet been declined by you or the card issuer. The fraud score provides the probability that a transaction may be fraudulent. Evaluate the costs and benefits of fraud scoring for low-risk transactions. For many merchants it will not be cost-effective to obtain fraud scores, internal or third-party, for every single transaction.
• Use the correct Electronic Commerce Indicator (ECI) for all e-commerce transactions. The ECI identifies the transaction as “e-commerce” and helps acquirers to differentiate internet merchants from other merchants. All online transactions should be identified with the correct ECI, entered into the appropriate field of the authorization and settlement messages.
• Obtain a new authorization if the original one expires. If your business sells products online and if the products are shipped to your customers more than seven days after the original authorization was obtained (i.e. back order), you should obtain a new authorization before proceeding with the shipment. This practice is required by Visa and MasterCard and implementing it will help protect you from chargebacks due to no authorization.