Inside the Black Hole

Credit card fraud affects everyone involved in it: the consumer whose card information is stolen, the merchant whose product is purchased, the processing bank that facilitates the transaction and the issuer who is charged with protecting its cardholders, to say nothing of Visa and MasterCard who spend millions developing products to help prevent it from happening. In previous posts we have written in detail about the various products and procedures that can be utilized to protect your web-based business from fraudulent transactions. In this post, we will offer a general overview of the e-commerce fraud prevention tools and strategies that we believe all e-commerce merchants should use to build their sales processing system around.

Firstly, however, it should be pointed out that no system is 100 percent fraud poof and yours will not be an exception. Even your best efforts will not protect you from processing a fraudulent sale or two on occasion. Whenever that happens, you will bear a certain financial responsibility. Although the merchant is just as much a victim of fraud as the cardholder whose card information was stolen, there are transaction fees that have been incurred in processing the payment and the merchant will end up paying them. On top of that, you will most likely be hit with a loss for the cost of the item that was sold and for shipping charges, if applicable.

It is important to emphasize that in credit card transactions, the payment information does not actually get to your processor until you submit your daily batch at the end of the day. The reason it is important is that it gives you some extra time to verify the validity of the orders that you accepted that day. If yours is a small business, you can probably go through each transaction every day. Larger organizations, however, will not have this option and should develop a process to set higher risk transactions aside for further review. Don’t hesitate to ask your processor for help. Remember that they also have a financial incentive to minimize fraud, just as you do.

There are several tools that were specifically developed to help e-commerce merchants fight fraud and you should take the time to get to know how these tools work and provide support for them all:

• Card Security Codes (CVV2, CVC 2 and CID). The three-digit codes on the back of Visa, MasterCard and Discover cards and the four-digit codes on the front of American Express cards were introduced as an additional tool to help merchants verify that the cardholder is in a physical possession of the card at the time of the transaction. You should never store these codes in your system.
• Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement) provided by a customer with the billing address on the card issuer’s file before processing a transaction. A mismatch is a strong indication of fraud.
• Verified by Visa and MasterCard SecureCode. These are payment authentication systems that validate a cardholder’s ownership of an account in real-time during an online payment transaction. When the cardholder initiates a payment at the checkout page of a participating merchant’s website, a new screen automatically opens up in the cardholder’s browser. The cardholder enters a previously created password that allows the card issuer to verify his or her identity.
• Validating credit card numbers. The Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. Its algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.

In addition to the tools, you should develop strategies for fighting fraud and implement them consistently:

• Understand e-commerce risk. Fraud, customer disputes, chargebacks come in various shapes and forms, yet all of them are costly, time consuming and require constant attention. You should invest the time to understand the risks associated with processing internet transactions.
• Learn how to process e-commerce transactions. Processing e-commerce transactions presents challenges that you will need to be prepared to handle.
• Learn how to handle chargebacks. Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their credit card processing account. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. Because if their merchant’s chargeback ratio is above 1 percent they are assessed fines by the Associations, processors will suspend and close merchant account before their chargeback rates come even close to 1 percent.
• Learn how to manage authorization responses. All card-not-present transactions must be authorized before they are processed. The authorization response will typically be approval or decline. You should develop a process for handling transactions after the authorization response has been received and apply it consistently.
• Screen international transactions. International orders generate more fraud and should be scrutinized more rigorously than domestic ones. You will not be able to use AVS, unless the card issuer supports International AVS and then AVS can validate addresses in the United Kingdom. Moreover, the legal environment is different in each country and there is likely to be a language barrier that you should consider.
• Use fraud scoring. Fraud scoring is a system of predictive fraud detection models or technologies that payment processors use to identify the highest-risk transactions in card-not-present environment that require additional verification.
• Set up transaction velocity limits and controls. Set review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. As you accumulate transaction data over time, adjust these limits to reflect the customer’s purchasing patterns.
• Comply with the Payment Card Security Data Security Standard (PCI DSS). The Payment Card Security Data Security Standard (PCI DSS) is a set of requirements for security management, policies, procedures, network architecture, software design and other protective measures. Compliance is mandatory for all e-commerce merchants.

Avoid using voice authorizations because they bypass your processor’s systems and cannot be used as supporting evidence in chargeback re-presentments. Also, whenever you get an order from a new customer, check the provided information and make sure there is nothing suspicious. Often, common sense is the most effective tool for fighting fraud that you have at your disposal.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

The Merchant Direct Access Service (MDAS) provides Address Verification Service (AVS) authorization services to smaller merchants operating in a card-not-present environment, mainly to small mail order and telephone order (MO / TO) businesses. MDAS connects merchants to the AVS service by telephone. If your credit card processing volume is small or infrequent and if electronic access to AVS is not otherwise available, or if you want to access AVS for transactions that are key-entered when the card’s magnetic stripe cannot be read, MDAS may be the right option for you. MDAS provides AVS service on a per-transaction basis.

How to use MDAS. To use the Merchant Direct Access Service, all you need is a telephone and a Merchant Access Code (MAC) which you will get from your payment processing provider. To request an AVS authorization, you will dial a toll-free number and follow the instructions that the automated system will give you. You will need to provide your customer’s billing address and account number and the system will give you the verification results.

MDAS responses. The responses MDAS provides are very similar to the ones AVS provides but do not include response codes. You will receive one of the following MDAS responses:

MDAS provides a way to use AVS on a selective basis. Merchants who choose to implement it will be able to cut costs by minimizing address verification requests, while still verifying the validity of these credit card transactions that are most likely to be fraudulent. If you choose to enroll in MDAS, you need to contact your processing bank.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

Once your fraud prevention system identifies suspicious e-commerce transaction characteristics, you need to be able to review them quickly and within budget. First of all, however, you will need to set cost effective thresholds for determining which of the suspicious transactions to review. As reviewing all transactions manually is both time-consuming and costly, it is generally not justified for all high-risk transactions.

To ensure that your review costs remain lower than the potential losses from suspect transactions, consider implementing the following procedures:

• Implement card-not-present transaction screening that lets you avoid the manual reviews of low-risk transactions. Criteria that you can use in your transaction screening procedures can include:
  • Low transaction amounts. If the cost of reviewing the suspicious transaction equals or is not much lower than the transaction amount itself, it does not make much sense to subject it to a review. Your screening process should be designed to automatically exclude low-amount transactions from the review process.
  • Repeat customers with a good record. If an order has been received from a customer with a good payment record for at least the past 90 days and merchandise has been shipped to their address before, you should not subject the transaction to further review, even if it displays high-risk characteristics. The customer’s good history serves as a proof that he or she can be trusted.
  • An Address Verification Service (AVS) match and a shipping address that is the same as the billing address. An AVS match, combined with a match with the billing address is typically enough to guarantee that the transaction is genuine. However, if multiple high-risk characteristics are present and if the purchase amount is above the established dollar threshold, you may want to review the transaction.
• Decline all credit card transactions that display high-risk characteristics and are not routed for fraud review. Such transactions should include the ones that fall below your preset dollar threshold and that:
  • Match information in your internal negative file. Your organization should build and maintain an internal negative file where details from previously processed fraudulent transactions are recorded and stored. Information that relates to customer disputes or chargebacks should be left out of the negative file.
  • Come from international IP addresses. Transactions placed from international IP addresses are proved to produce higher levels of fraud. Some merchants have decided not to accept international orders altogether, regardless of the amount.
  • Have international billing or shipping addresses. Similarly to the above characteristic, international billing and shipping addresses are linked to high levels of fraud. It has to be said, however, that not all merchants suffer the same levels of fraud from international transactions. Some types of merchandise and services are related to higher fraud rates than others and you should find out what your fraud risk is before deciding how to handle international orders.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

Airlines use various outlets for selling tickets, including direct internet sales, central reservations, ticket counters and third party travel agencies. All merchants selling airline tickets fall within the highest risk category of businesses that are allowed to apply for a U.S.-based merchant account. Most payment processors have set extremely tight requirements for airline ticket sellers and most will not accept an application unless the applicant has a previous credit card processing experience for at least six months. Yet, there are processors who specialize in working with airlines and their agents and, anyway, if you build a solid credit card processing track record, all processors will be happy to offer you their services.

In order to get the best merchant account terms, you will have to first understand credit card processing risk associated with selling airline tickets and then design and implement best practices to manage it. A well designed risk management process will help you reduce customer disputes and related chargebacks, which are the principal reasons payment processors are cautious when underwriting merchant accounts for airline ticket sellers.

The following best fraud prevention practices should be taken into consideration by airlines and third-party agencies:

• Screen all high risk bookings. Screening high-risk bookings can help you detect and prevent fraud before it actually happens. Screening should be performed on transactions with characteristics such as:
  • Third party purchases.
  • First or business class tickets.
  • E-tickets or tickets not delivered to the cardholders’ billing address.
  • Date of travel that is less than six days after the ticket purchase.
  • Customers not enrolled in your frequent-flier programs.
• Use Address Verification Service (AVS) to confirm billing addresses for paper ticket sales. AVS helps you fight fraud by enabling you to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by your customer with the billing address on the card issuer’s file before you process the payment. Be advised, however, that AVS fraud chargeback rights do not apply to e-ticket sales or to such cases where paper tickets are not mailed to the billing address.
• Track fraud by ticket source. When monitoring credit card fraud, it is a good practice to track different fraud sources separately. With merchants selling airline tickets these sources are internet sales, central reservations, ticket counters and travel agencies. This practice can help airlines identify the areas where risk exposure is the greatest and develop strategies to reduce risk.
• Participate in Verified by Visa and MasterCard SecureCode. These are fraud prevention services that the Credit Card Associations provide to e-commerce merchants and to consumers shopping online. MasterCard SecureCode and Verified by Visa work by enabling cardholders to authenticate themselves to their credit card issuer through the use of a personal password that they have chosen when they registered their cards with the program. These services protect against fraudulent “unauthorized use” chargebacks.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their payment processing provider. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. If you cannot keep your chargeback rate under 1 percent, your processor will suspend and eventually close your merchant account. In reality, processors suspend and close merchant accounts before their chargeback rates come even close to 1percent.

So what are chargebacks and what you should do about them?

What is a chargeback? Chargeback is a transaction that is returned by the card issuer and / or the cardholder to the processing bank, and most often directly to the merchant, as a financial liability. In essence, it reverses a sales transaction, as follows:

1. The card issuer subtracts the transaction dollar amount from the cardholder’s account. The cardholder receives a credit and is no longer financially responsible for the dollar amount of the transaction.
2. The card issuer debits the processing bank for the dollar amount of the transaction.
3. The processing bank will most often deduct the transaction amount from the merchant’s account. The merchant loses the dollar amount of the transaction.

Why do chargebacks occur? There are many reasons why chargebacks occur, but there are several that stand out:

• Customer disputes.
• Fraud.
• Processing errors.
• Authorization issues.
• Non-fulfillment of transaction copy requests (only if fraud or illegible).

What do you do when a transaction is charged back? Chargebacks probably cannot be completely eliminated, although merchants can take steps to reduce them in number. Many of the chargebacks are a result of improper transaction processing procedures and can be easily avoided with making adjustments where necessary and we have discussed this subject elsewhere. Other chargebacks, however, are beyond the control of the merchant. When a transaction is charged back to you:

1. First try to resolve it without losing the sale. Provide to your processor all available additional information about the transaction at issue or about the shipping, delivery or other issues that you may have had. A chargeback may have been initiated because the consumer has not received the product or service on the agreed-upon date. You may be able to resolve the issue by providing evidence that the merchandise was received within the specified time frame, however the cardholder has not taken into account the weekend days. Send this information to your merchant processing provider as soon as possible. It is always advisable that you provide as much information, relevant to the issue, as you have available, including:
   1. Account number.
   2. Card expiration date.
   3. Cardholder name.
   4. Transaction date.
   5. Transaction amount.
   6. Authorization code.
   7. Merchant name.
   8. Merchant website address.
   9. General description of the merchandise or services.
   10. Shipping address, if applicable.
   11. Address Verification Service (AVS) response code, if applicable.
2. Represent the transaction. Once your processor has sufficient evidence to support your case, the transaction will be represented on your behalf, through the Credit Card Network of Visa or MasterCard, to the credit card issuer.
3. Provide timely responses to information requests. The most important factor in the chargeback process is time. You will have a certain time limit to complete each step of the process. If you do not respond to a particular request within the specified time-frame, you will lose your representment rights and will not be able to get your money back. For example, the card issuer can charge back a transaction if you do not respond to an information request within 30 days.
4. Understand your rights related to using the AVS and card security codes. Using AVS and the card security codes gives you stronger representment right for some type of chargebacks. Specifically, a charged back transaction can be represented if:
   1. You received an AVS positive match in the authorization message and if the cardholder’s billing and shipping addresses are the same. Your re-presentment will need to include a proof of the shipping address and delivery.
   2. You submitted an AVS query during the authorization process and received a “U” response from a U.S. card issuer. This response means that the card issuer is unavailable or does not support AVS.
   3. You submitted a card security code verification request during the authorization process and received a “U” response from a U.S. card issuer. This response means the issuer does not support the particular security code.

   
   If you believe you have AVS or card security code re-presentment rights on a charged back transaction, work with your processor to ensure that all supporting evidence for the re-presentment is submitted.

5. Understand your Verified by Visa and MasterCard SecureCode representment rights. If you participate in Verified by Visa and / or MasterCard SecureCode and you have received a fully authenticated or attempted authentication response from the card issuer, you retain your representment rights. The same applies for chargebacks resulting from unauthorized use.

Sometimes a chargeback cannot be reversed, either because you don’t have supporting evidence to represent or for another reason. In such cases the best course of action will be to accept it and move on, saving valuable time and money.

Learn how to minimize chargebacks and fraud

Learn how to minimize chargebacks and reduce your processing costs. The Chargeback Management kit contains a video and an e-book:

• E-Book – Chargeback Manual (40 pages).
• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).