Inside the Black Hole

By now all regular visitors to this blog should have learned that accepting payments online, over the phone or in any other card-not-present setting is a much riskier affair than a face-to-face transaction. Admittedly, most of our readers are involved, in one way or another, in processing credit card payments, and already knew that from experience, even before we first wrote on the subject.

Still, it is worth reiterating exactly what the risks are, before we suggest ways to mitigate them. The two biggest issues, often interrelated, associated with processing card-not-present payments are fraud and chargebacks. The reason why fraud is more rampant online than in brick-and-mortar stores is that it is much more difficult to establish the legitimacy of the cardholder and the validity of the card when neither can be seen. Chargeback levels are higher for much the same reason, but also, because accepting card payments online or over the phone allows for more processing errors.

Yet, although at an obvious disadvantage, e-commerce and MO / TO merchants are not exactly at the mercy of the criminals. Plenty of tools are available to help you fight fraud and following best card acceptance practices will further minimize fraud and chargeback levels. In this post I will offer nine simple steps for processing card-not-present payments. If you follow them in each of your sales transactions, both your fraud and chargeback rates will decline significantly.

When a customer makes a payment at the checkout of your online store or over the phone to complete a transaction, your system needs to perform the following actions:

1. Collect the payment information. At a minimum, the following information needs to be submitted with each sales transaction:
   • The cardholder’s name, card account number and expiration date.
   • The cardholder’s full billing address and the shipping address (if applicable).
   • The payment date.
   • The total amount of the payment, including all applicable taxes and gratuities purchased on the card.
   • A mutually acceptable description of the products or services purchased by the cardholder.
2. If participating in Verified by Visa (VbV) or MasterCard SecureCode (you should), complete the respective authentication process and provide the authentication data in the authorization request. These services add an additional security layer to help protect merchants that accept cards over the internet.
3. Perform internal fraud screening. You need to develop a fraud screening system, or obtain one from a third-party vendor. This mechanism will, if certain predefined high-risk characteristics are found, suspend the processing of the transaction at issue. Such services will help you verify the validity of both the cardholder and the card.

   
   Additionally, transactions should be matched against velocity parameters, high-risk locations and internal negative files. Transactions that raise suspicions should be subjected to a further review.

4. For transactions that pass your internal scrutiny, obtain authorization from the card issuer. Authorization is the process of obtaining permission from the card issuing bank to accept the card for payment and should be obtained for all card-not-present transactions (see chart below).

   
   

   
   With your authorization request you should also perform the following verifications:

   • Address verification. The Address Verification Service (AVS) is a risk management tool that enables merchants accepting card payments in a non-face-to-face environment to verify the validity of the billing address provided by their customers by comparing it to the one on file with the card issuer.
   • Verification of the card security code. Card security codes are the 3-digit numbers on the back of Visa, MasterCard and Discover cards and the 4-digit codes on the front of American Express cards. They were introduced to help e-commerce and MO / TO merchants verify that their customers are in a physical possession of their cards at the time of the transaction. It is a feature that all major payment gateways support and your payment processing provider should make it available to you. You should never store card security codes.
5. Use the correct electronic descriptor. The electronic descriptor identifies the transaction type and helps processing banks to differentiate merchants based on the way payments are accepted. Indicate “Mail Order,” “Telephone Order,” “Internet Order,” or “Signature on File,” as applicable, into the appropriate field of the authorization and settlement messages.
6. Provide your customer with the expected delivery date. Tell your customer what the delivery method and expected delivery date will be. If a delivery is running late, immediately inform your customer of the new expected delivery.
7. Do not deposit transactions before the shipping date. For card-not-present transactions, the transaction date is the shipping date, not the order date ( see graph above). Transactions cannot be deposited until the products or services have been shipped. Also, you shouldn’t be late with your deposits. Transactions deposited more than 30 days after the transaction date may be charged back to you.
8. Make your organization’s return and credit policies available to consumers through clearly visible links on your website. Placing these links in your website’s footer or header will usually make them present on all pages, so that customers can easily review them.
9. Place your customer service number on all of your website pages. This is a crucial, though often neglected, requirement. Most customer questions can be answered and concerns alleviated with a simple phone call, before they deteriorate into disputes and chargebacks. You should also make available to your customers other communication methods, like email and chat, but not in place but in addition to phone support.

That’s it, nine simple steps to follow in each of your transactions. Actually, the last two are only applicable to e-commerce businesses, so MO / TO merchants only have seven to think of. Unfortunately, some fraud and chargeback causes will remain beyond your control, but applying the above suggestions will remedy the vast majority of them and you will be in a pretty good shape.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

We have written multiple times on this blog about payment gateways, which enable e-commerce merchants to connect their websites’ shopping carts to their processors’ payment systems. We have neglected, however, to review another service that is used by merchants accepting payments in a non-face-to-face environment, often concurrently with a payment gateway, but more often on its own. This article will do just that.

Virtual Terminal Basics

Virtual terminal is a generic term used to describe a service that gives a user a direct access to a processing bank‘s payment system, allowing him to manually process payments by key-entering transaction information into a payment form from within his browser.

It is very similar to the service used by utility companies to enable customers to pay their bills online. For example, if you wanted to pay your cell phone bill online, you would log into your account on your services provider’s website and would then provide your credit card account information to make a payment. The virtual terminal works in exactly the same way, with the only difference being that instead of your own personal information, you would be entering your customer’s instead.

How Does a Virtual Terminal Differ from a Payment Gateway?

As I mentioned before, both the virtual terminal and the payment gateway are services used to facilitate payments in card-not-present environment. However, they perform two distinctly separate functions.

Payment gateways are used for processing e-commerce transactions, where the customers themselves key-enter their payment information on the merchant’s website. Once that is done, the payment gateway collects the provided information and transmits it to the processor. Virtual terminals, on the other hand, are used to facilitate payments where the merchant himself key-enter his customer’s payment information directly onto his processor’s server, after receiving it by phone or in another way.

Typically, payment gateways come with a virtual terminal built-in, so that e-commerce merchants have the option available to them, if they need it.

What Types of Payments Can Be Processed through a Virtual Terminal

Virtual terminals can be configured to enable acceptance of the following payment types:

• Payment cards. Virtual terminals are most commonly used for processing bank card payments, e.g. credit, debit, ATM, check, prepaid cards, etc.
• ACH payments. Some virtual terminals, including Authorize.Net, support ACH payment acceptance, i.e. payments directly debited from the payee’s checking account. If you need ACH acceptance, make sure you ask your prospective processor whether the virtual terminal they are offering you supports the option, as most do not.
• Recurring payments. This is another option that will typically not be set up by default and is not supported by some virtual terminals. Some processors may require signing additional paperwork, before enabling you to process recurring payments.

Who Uses Virtual Terminals?

Virtual terminals are most often used by direct marketers. These are merchants who accept orders by phone or mail and are referred to as MO / TO, which stands for “mail order / telephone order.” Virtual Terminals are also commonly used in fund raising drives. For example, when you call in your annual PBS donation, the person who accepts your pledge enters your payment details into a virtual terminal.

How Much Does a Virtual Terminal Cost?

As with all other services used for processing payments, the cost of a virtual terminal can vary widely. Moreover, the overall cost of the service is comprised of several components, as follows:

• Set-up fee. Most processors will not charge you such a fee, however many still do and it can range wildly.
• Monthly fee. Most processors will charge you a monthly fee, typically between $10 – $30, but some will not.
• Authorization fee. Most processors charge authorization fees, typically $0.10 per transaction. Be advised that, if you get your virtual terminal from a vendor, e.g. Authorize.Net, but sign up for a merchant t account with another processor, you will probably be charged authorization fees by both.

The discount rate and all other merchant account fees will be separate from the ones listed above.

Accept credit cards at one flat rate!

Accept credit cards on your website with our flat rate e-commerce merchant account with no fixed monthly fees! You will get:

• One rate for all types of MasterCard and Visa cards (including rewards, commercial, etc.).
• No mid-qualified and non-qualified fees.
• No merchant account application or set-up fees.

UniBul’s Twitter Lists are now on Mashable

Credit card fraud is much more difficult to prevent when neither the cardholder nor the card are present during the transaction. In a face-to-face setting the merchant can inspect the card to ensure that it is valid and can verify that the cardholder is an authorized user on the account by matching his or her signature on the transaction receipt to the one on the back of the card and request an ID when in doubt. None of these actions can be performed when the payment is submitted online or accepted by phone.

Yet, a combination of best practices and fraud prevention tools can provide card-not-present merchants with strong fraud prevention capabilities. If your business accepts payments online or by phone, you should implement the following safeguards:

• Verify the phone number and transaction information. Prior to shipping your products, call the phone number provided by the customer and verify the transaction information. Criminals may be unable to verify such information, because in their haste to max out the credit line before the fraud is discovered, they often order at random and do not keep records.
• Examine priority shipment requests. Costly priority shipments may indicate a fraudulent transaction, especially if a free shipping option has been ignored. Unlike the rest of us, criminals do not much care about shipping costs.
• Validate orders from repeat customers that differ from the established pattern. If an order from a past customer deviates from the established pattern, contact the customer and validate the transaction.

In addition to implementing the above procedures, you should take advantage of the available fraud prevention tools. Following is a short list of the most prominent among them:

• Address Verification Service (AVS). AVS enables you to compare the billing address (the address to which the card issuer sends its monthly statement for the account) provided by your customer with the billing address on the card issuer’s file before processing a transaction. These addresses should match.
• Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in a physical possession of a valid card during a card-not-present transaction.
• Verified by Visa and MasterCard SecureCode. These fraud prevention services are offered by the two Credit Card Associations to e-commerce merchants and to online shoppers. MasterCard SecureCode and Verified by Visa enable cardholders to authenticate themselves to their card issuers through the use of personal passwords they create when they register their cards with the programs. These services protect merchants against fraudulent “unauthorized use” chargebacks.
• PCI compliance. All merchants accepting card payments are now required to be compliant with the requirements of the Payment Card Security Data Security Standard (PCI DSS), which sets the rules for data security management, policies, procedures, network architecture, software design and other protective measures.

Additionally, you should build and maintain an internal negative file that includes data from fraudulent transactions that you have not been able to prevent. Be sure to leave out of it information that relates to customer disputes or chargebacks, as these can be caused by reasons that are unrelated to fraud. Whenever a new order contains information that matches data in the file, your system should be designed to automatically identify the mismatch and trigger an examination.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant services or gateway fees.

American Express, like smaller rival Discover, differs from Visa and MasterCard in that it is a bank, not an association of member banks. In practice, this means that it both issues the cards bearing its logo and processes the payments made with them. Another consequence is that American Express’ payment acceptance process is simpler than Visa’s or MasterCard’s.

Following is a general description of American Express’ payment acceptance process for card-not-present transactions.

Merchants are required to create a record of each transaction (charge record). The charge record should contain the following information:

• Cardholder name, card account number and expiration date.
• The cardholder’s billing address and the shipping address.
• The date the charge was incurred.
• The total amount of the charge, including all applicable taxes and gratuities purchased on the card.
• The six-digit authorization approval code number.
• A mutually acceptable description of the products or services purchased by the cardholder.
• Indicate “Mail Order,” “Telephone Order,” “Internet Order,” or “Signature on File,” as applicable, on the signature line or the appropriate electronic descriptor on the charge record.

American Express can immediately process chargebacks if a cardholder claims that he or she did not authorize the payment. However, AmEx will not charge back a transaction based solely on a cardholder’s claim that he or she did not receive the disputed goods, if the merchant has verified with American Express that the address to which the goods were shipped is the cardholder’s billing address and has obtained a receipt signed by the authorized signer verifying the delivery of the goods to this address.

E-commerce merchants are subject to all of the above requirements, as well as all of the following additional requirements:

• Card data or transaction information must not be sent to anyone other than the cardholder, the merchant’s processing bank or American Express.
• All charges for internet orders must be sent electronically.
• Any separate Service Establishment Numbers* issued by American Express for internet orders must be included in all authorization requests and submissions of charges for internet orders.
• Provide American Express with at least one month’s written notice of any change in your internet address.

  
  *Service Establishment Number (a.k.a. SE Number) is a unique ten-digit number assigned by American Express to a merchant that accepts American Express cards.

It is important for merchants to understand that American Express does not hold itself liable for fraudulent internet transactions, charging them back to the merchant instead. Moreover, if a cardholder disputes an internet transaction, American Express will issue an immediate chargeback (a chargeback for which the merchant is not contacted for supporting documentation) for the full amount of the charge.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Credit card fraud can often be prevented by employing adequate card acceptance procedures at the point of sale. The following suggestions are specific to American Express card transactions, however, with minor adjustments, can be applied to all other card sales as well.

Fraud prevention procedures employed in a face-to-face card acceptance environment cannot always be implemented in a card-not-present setting and will need to be reviewed separately.

Card-present transactions. A face-to-face environment provides merchants with more tools for establishing the validity of both the customer and the card. The following particular steps should be taken during the validation process:

1. Obtain a 6-digit approval code for each transaction.
2. Swipe the card or take an imprint.
3. Verify that the customer is the actual cardholder.
4. Verify that the card has not expired. The card cannot be used beyond its expiration date.
5. Visually inspect the card to make sure it has not been altered.
6. Match the embossed account number on the front of the card to the number on the back of the card and the sales receipt printed out by the terminal. If the numbers do no match, contact American Express’ voice authorization center at 1-800-528-2121 and make a Code 10 call. Code 10 is an authorization request that alerts American Express that a fraudulent activity may be taking place. The operator will ask you a series of “yes” and “no” questions to determine whether the transaction is legitimate or not. If the operator concludes that the customer is not an authorized cardholder, you may be asked to retain the card, which you should only do if it is safe to do so.
7. Make sure that the customer’s signature on the transaction receipt matches the signature on the back of the card.
8. Compare the name on the sales receipt, printed out by the POS terminal, to the name embossed on the front of the card. If they do not match, make a Code 10 call.


Card-not-present transactions. These are typically higher risk transactions, because the merchant cannot physically inspect either the card or the cardholder. Yet, merchants have plenty of fraud prevention tools at their disposal and should take the following actions during the transaction process:

9. Request cardholder name, exactly as it appears on the card.
10. Request the card number and expiration date.
11. Request the Card Identification Number (CID) – the four-digit code on the front of each American Express card, located above the embossed account number.
12. Request the card’s billing address, as well as the shipping address (if different from the billing address). Be advised that shipping to the billing address is necessary to avoid full recourse chargebacks.
13. Indicate on the electronic record that the transaction is “Mail Order,” “Phone Order” or “Internet.”
14. Use shipping services that do not allow re-routing of the shipment.
15. If you allow phone / internet orders to be picked up at retail locations, require the card to be presented at pick-up. Complete the transaction by swiping the card or obtaining an imprint.

Fraud can probably never be completely eliminated, but following the above suggestions will help you greatly minimize unauthorized transactions. The list is far from complete and there is a number of items that can be added to it, which you can do as you gain experience, however it gives you a solid platform on which you can base your fraud prevention strategy.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).