Friday, July 16th, 2010

How to Manage Chargebacks Resulting from Processing Transactions without Authorization

Tags: Address Verification Service (AVS), billing descriptor, card acceptance best practices, card security codes, card-not-present transactions, chargeback reason codes, chargebacks, installment payments, recurring payments, risk management, transaction authorization

Both Visa and MasterCard use special reason codes to designate chargebacks that result from processing credit card transactions for which authorization approval was not obtained or for which the cardholder claims that he or she did not authorize or participate in the transaction. Visa uses Reason Code 83, while MasterCard uses three separate Reason Codes: 4808, 4837 and 4847. As MasterCard’s Codes can point to slightly different chargeback reasons, we will review them in a separate article.


What causes these chargebacks? Card issuers use code 83 when they receive a card-not-present transaction for which one of the following conditions applies:

  • The merchant has processed a fraudulent card transaction or has not submitted an authorization request.
  • The cardholder either does not recognize the merchant’s name on his or her statement or has given his or her card number to a telemarketer for purposes other than payment (for example to confirm a price).


How to manage such chargebacks? Your response to Reason Code 83 chargebacks will depend on the particular transaction circumstances and the actions you have taken (or not) so far:

  • Authorization was obtained and AVS or CVV2 was used. If the chargeback resulted from a MO / TO or e-commerce transaction and you obtained an authorization approval and verified AVS or CVV2, inform your processing bank. If you received an authorization approval and an exact match to the AVS query, and have proof that the merchandise was delivered to the AVS-verified address, send a copy of the transaction invoice, proof of delivery and any other information relevant to the transaction to your processor who can use it in the re-presentment process.
  • Authorization was obtained, but neither AVS nor CVV2 was used. If you did not use AVS and the item was charged back to you, send a copy of the transaction invoice, proof of delivery and any other relevant information you may have to your provider to use it in the re-presentment.
  • The transaction at issue was card-present. If the card was present during the transaction, the chargeback is invalid. As a possible remedy you should provide to your processor either a copy of the sales receipt bearing the card imprint and signature of the customer or an authorization record proving the magnetic stripe was read.
  • Recurring payment. Because recurring payment transactions occur on a regular basis over time, it is possible that a cardholder’s account gets closed or that the account number or the card’s expiration date changes. If authorization is declined after previous payments had gone through successfully, you should contact the cardholder and obtain updated information or use the automatic account updater services (see below).


How to prevent chargeback Reason Code 83? The following card acceptance practices will help prevent this type of chargeback:

  • Obtain authorization for all card-not-present transactions. Remember that all card-not-present transactions must be authorized. No exceptions!
  • Verify the account number with your customer. For telephone transactions, always read back the account number to your customer to avoid errors.
  • Identify the transactions as card-not-present. All card-not-present transactions should be identified by the appropriate code for mail order, telephone order, or internet during both the authorization and settlement process. This is typically done by your payment processing system. If not, you should write the appropriate code on the sales receipt: “MO” for mail order; “TO” for telephone order; and “ECI” for internet.
  • Use risk management tools. If most of your payments are processed in a face-to-face environment and you are not familiar with the specific requirements for card-not-present transactions, ask your processor for assistance. At the very least, you should implement the following risk management tools:
    • Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer with the billing address on the card issuer’s file before processing a transaction.
    • Card security codes. These are the 3-digit numbers on the back of all valid Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the 4-digit number on the front of American Express cards. Because merchants are not allowed to store card security codes, which makes them harder to obtain fraudulently, they are used to verify that the customer is in physical possession of the card during the transaction.
    • Account updaters. Both Visa and MasterCard offer merchants processing recurring and installment payments a way to automatically update the account information they have on file for their customers. Account information can change due to several events, such as a card number replacement, a card expiration date change, etc. MasterCard Automatic Billing Updater and Visa Account Updater update such data automatically.
  • Set up your billing descriptor correctly. The way your organization’s name appears on your customers’ monthly statements is managed through your merchant account’s billing descriptor and is the single most important factor in the cardholder recognition of transactions. Issues typically arise when a merchant’s legal name differs from the DBA name. Contact your processor and make sure that the billing descriptor is set up to show the latter, as it is the one your customers are familiar with.


Obtaining authorization approval for each card-not-present transaction is key to minimizing such chargebacks. You should always request it and, if you receive a decline, ask for an alternative payment method.



Learn how to minimize chargebacks and fraud


Learn how to minimize chargebacks and reduce your processing costs. The Chargeback Management kit contains a video and an e-book:

  • E-Book – Chargeback Manual (40 pages).
  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).

Friday, June 25th, 2010

Authentication of E-Commerce Credit Card Transactions

Tags: Address Verification Service (AVS), card security codes, CID, CVC 2, CVV2, e-commerce best practices, MasterCard SecureCode, transaction authentication, Verified by Visa

Authentication of an e-commerce credit card transaction is the process through which a merchant verifies the validity of the payment information provided by the customer. The process involves the verification of both the cardholder’s identity and the card’s authenticity. The Credit Card Associations of Visa and MasterCard have developed several authentication services that are all available to e-commerce merchants and it is recommended that they use them all to reduce the number of fraudulent transactions and chargebacks.

  • Address Verification Service (AVS). AVS enables merchants who accept credit card payments in a non-face-to-face setting to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer to the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing one of the AVS Response codes listed in the table below.

    | AVS Response Code | Explanation and Recommended Action |
    | --- | --- |
    | X – exact match | Address and nine-digit ZIP code match – if the other fraud services raise no suspicions, you should process the transaction. |
    | Y – match | Address and five-digit ZIP code match – follow the instructions above. |
    | A – partial match | Address matches but ZIP code does not – a sign of potential fraud. You may want to investigate further before making a decision. |
    | Z – partial match | ZIP code matches but address does not – a sign of potential fraud. Follow the above instructions. |
    | N – no match | Neither address nor ZIP code match – a strong sign of fraud. You should take additional steps to investigate the transaction. |
    | U – unavailable | The card issuer system is unavailable and the address cannot be verified. You need to make a decision whether to process the transaction without AVS or not. |
    | R – retry | The card issuer system is unavailable – you should try again later. |
    | U – no AVS support | If the card issuer does not support AVS you will have to make a decision whether to process the transaction or not based on other criteria. |
    | G – global | The address is outside of the U.S. – AVS cannot be used. You should take further steps to verify the authenticity of the transaction. |


    Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.

  • Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in physical possession of a valid card during a card-not-present transaction. As with AVS, the merchant includes the security code with the authorization request and the issuer replies with a response code, as listed in the table below:

    | Response Code | Explanation and Recommended Action |
    | --- | --- |
    | M – match | The code is valid. Complete the transaction, taking into account all other transaction characteristics. |
    | N – no match | The code is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the code request. |
    | P – request not processed | You should resubmit the request. |
    | S – the cardholder has stated that the code is not on the card | The security code should be on all valid cards. Consider following up with your customer to verify that he or she has checked the correct card location. |
    | U – the issuer does not support the card security codes | In this case you should evaluate all other available information and decide whether to proceed with the transaction or investigate further. |

  • Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode are authentication systems that validate a cardholder’s ownership of an account in real-time during an e-commerce transaction. When the cardholder clicks “Buy” at the checkout page of a participating merchant’s website, a new screen automatically appears in the cardholder’s browser. The cardholder enters a password that allows the card issuer to verify his or her identity.


These services are free to cardholders who can register their credit card accounts online on the Associations’ or on the card issuers’ websites. During the registration process the cardholder creates the password he or she will use later during the authentication process. Once the card is registered and activated with Verified by Visa or MasterCard SecureCode, the card number will be automatically recognized whenever the cardholder shops at participating stores. The cardholder will be prompted to enter his or her password and, upon password verification, the transaction will be completed.



Tuesday, June 8th, 2010

Screening Fraudulent E-Commerce Transactions

Tags: Address Verification Service (AVS), card security codes, e-commerce best practices, fraud prevention, fraud screening

Fraud is a much bigger concern for e-commerce merchants than it is for their brick-and-mortar counterparts. The challenges of verifying the validity of both the card and the cardholder in a non-face-to-face environment are much greater than they are in a card-present setting. Yet, there are plenty of third-party tools that can help you screen fraudulent transactions. But perhaps the better way to prevent fraud from happening is to develop and implement an internal mechanism for screening transactions, which would, if certain predefined high-risk characteristics are found, suspend the processing of the transactions at issue.


If you decide to build your own, proprietary, fraud screening mechanism, consider implementing the following elements to serve as trigger points for suspending the processing of a transaction:

  • Transaction data that matches information stored in your internal negative file. Internal negative files should include account information from previous transactions that have been proved to be compromised or fraudulent.
  • Transactions that exceed your internal velocity limits and controls.
  • Transactions that generate an Address Verification Service (AVS) mismatch. Implementing this fraud screening element is based on the assumption that you are employing AVS, which you should do! AVS verifies whether or not the billing address that your customer provides during a card-not-present transaction matches the one the card issuer has on file for the cardholder. The AVS verification process provides merchants with a response code for each transaction. A “No Match” response is a strong sign of potential fraud and can be used as a trigger point in your fraud screening mechanism. The AVS can also generate a “Partial Match” response which, at the very least, should prompt an additional investigation.
  • Transactions that generate a Card Security Code mismatch. As with the AVS element above, the assumption again is that you are using the security codes for every transaction, which you should do! The three-digit codes on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit codes on the front of American Express (CID) cards were introduced as an additional tool to help merchants verify that the cardholder is in physical possession of the card at the time of the transaction. The Card Security Code verification process, just as the AVS verification process, generates response codes and the same procedures should be followed as with the AVS responses. You should never store these codes in your system.
  • International shipping addresses. If your business is shipping abroad, perhaps you should screen international addresses for fraud as well. If you decide to do that, you should take into account the fact that some countries present a much higher risk than others. You may also want to consider not shipping to certain countries at all. Make sure that your processor supports the International AVS.
  • Identify international IP addresses as high-risk. Statistical data show that international IP addresses have a substantially higher fraud rate than domestic addresses, particularly when merchants require a U.S. billing address.
  • The shipping address is different from the billing address. You may want to require that these two addresses match, especially for big-ticket transactions and transactions for specific merchandise types.
  • Screen for high-risk shipping addresses. Apart from international addresses, there are certain addresses that require special attention, such as P.O. boxes, prisons, hospitals and addresses with documented fraudulent activity. There are third-party databases of high-risk shipping addresses that you can use to compare to shipping addresses provided by your customers.
  • Previous cardholder purchases should be a favorable factor in your fraud assessment procedures.
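
One way to wire several of these trigger points into a single check, as an added example that is not code from the original post. The AVS and security-code letters are the ones in the response-code tables of the June 25th post; the key, thresholds, addresses and card numbers are constructed assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every key, threshold and sample value below is constructed for illustration.
NEGATIVE_FILE_KEY = b"demo-only-key"    # assumption: the real key lives in a secret store
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX_ORDERS = 3
VELOCITY_MAX_CENTS = 50_000
HOME_COUNTRY = "US"
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)


def account_token(pan: str) -> str:
    """Keyed hash, so the negative file and history never hold raw card numbers."""
    return hmac.new(NEGATIVE_FILE_KEY, pan.encode(), hashlib.sha256).hexdigest()


def _norm(address: str) -> str:
    """Case- and whitespace-insensitive form used to compare two addresses."""
    return " ".join(address.upper().split())


@dataclass
class Order:
    pan: str                 # used in memory only, never persisted
    cents: int
    when: datetime
    avs: str                 # issuer's AVS response letter (X, Y, A, Z, N, ...)
    csc: str                 # issuer's security-code response letter, not the code itself
    billing: str
    shipping: str
    ship_country: str = HOME_COUNTRY
    ip_country: str = HOME_COUNTRY


def screen(order, negative_file, history):
    """Return the trigger points hit; a non-empty list means suspend and review.

    negative_file: set of account tokens from confirmed-fraud transactions.
    history: list of (account_token, when, cents) for previously accepted orders.
    """
    token = account_token(order.pan)
    hits = []
    if token in negative_file:
        hits.append("negative_file")

    # Velocity: count and value of this account's orders inside the window.
    recent = [c for t, w, c in history
              if t == token and timedelta(0) <= order.when - w <= VELOCITY_WINDOW]
    if (len(recent) + 1 > VELOCITY_MAX_ORDERS
            or sum(recent) + order.cents > VELOCITY_MAX_CENTS):
        hits.append("velocity")

    if order.avs == "N":
        hits.append("avs_no_match")
    elif order.avs in ("A", "Z"):
        hits.append("avs_partial_match")
    if order.csc == "N":
        hits.append("csc_no_match")

    if _norm(order.shipping) != _norm(order.billing):
        hits.append("shipping_differs_from_billing")
    if PO_BOX.search(order.shipping):
        hits.append("high_risk_shipping_address")
    if order.ship_country != HOME_COUNTRY:
        hits.append("international_shipping")
    if order.ip_country != HOME_COUNTRY:
        hits.append("international_ip")
    return hits
```

The history and the negative file hold only keyed hashes of account numbers, and the order carries the issuer's response letter rather than the security code, so nothing the post tells you not to store ends up on disk.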


You should incorporate into your card processing procedures a mechanism for separating high-risk from low-risk transactions. By doing so you will be able to reduce costs by not having to screen every single transaction and concentrate your resources on the most likely offenders instead. Fraud scoring is a system of predictive fraud detection models or technologies that will help you do just that.

Tuesday, June 1st, 2010

How to Minimize Fraudulent E-Commerce Transactions

Tags: Address Verification Service (AVS), card security codes, chargebacks, credit card processing, e-commerce, e-commerce best practices, e-commerce risk, fraud prevention, fraud scoring, international transactions, MasterCard SecureCode, PCI DSS, transaction authorization, transaction velocity limits, Verified by Visa

Credit card fraud affects everyone involved in it: the consumer whose card information is stolen, the merchant whose product is purchased, the processing bank that facilitates the transaction and the issuer who is charged with protecting its cardholders, to say nothing of Visa and MasterCard who spend millions developing products to help prevent it from happening. In previous posts we have written in detail about the various products and procedures that can be utilized to protect your web-based business from fraudulent transactions. In this post, we will offer a general overview of the e-commerce fraud prevention tools and strategies that we believe all e-commerce merchants should use to build their sales processing system around.


Firstly, however, it should be pointed out that no system is 100 percent fraud-proof and yours will not be an exception. Even your best efforts will not protect you from processing a fraudulent sale or two on occasion. Whenever that happens, you will bear a certain financial responsibility. Although the merchant is just as much a victim of fraud as the cardholder whose card information was stolen, there are transaction fees that have been incurred in processing the payment and the merchant will end up paying them. On top of that, you will most likely be hit with a loss for the cost of the item that was sold and for shipping charges, if applicable.


It is important to emphasize that in credit card transactions, the payment information does not actually get to your processor until you submit your daily batch at the end of the day. The reason it is important is that it gives you some extra time to verify the validity of the orders that you accepted that day. If yours is a small business, you can probably go through each transaction every day. Larger organizations, however, will not have this option and should develop a process to set higher risk transactions aside for further review. Don’t hesitate to ask your processor for help. Remember that they also have a financial incentive to minimize fraud, just as you do.


There are several tools that were specifically developed to help e-commerce merchants fight fraud and you should take the time to get to know how these tools work and provide support for them all:

  • Card Security Codes (CVV2, CVC 2 and CID). The three-digit codes on the back of Visa, MasterCard and Discover cards and the four-digit codes on the front of American Express cards were introduced as an additional tool to help merchants verify that the cardholder is in physical possession of the card at the time of the transaction. You should never store these codes in your system.
  • Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement) provided by a customer with the billing address on the card issuer’s file before processing a transaction. A mismatch is a strong indication of fraud.
  • Verified by Visa and MasterCard SecureCode. These are payment authentication systems that validate a cardholder’s ownership of an account in real-time during an online payment transaction. When the cardholder initiates a payment at the checkout page of a participating merchant’s website, a new screen automatically opens up in the cardholder’s browser. The cardholder enters a previously created password that allows the card issuer to verify his or her identity.
  • Validating credit card numbers. The Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. The algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.
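
The Mod 10 check from the last item, as an added example that is not code from the original post. Besides validating a number, it measures the two error classes the item mentions: it tries every single-digit substitution in a valid number, and every swap of two adjacent digits, and reports which ones slip through. The prefix and suffix digits used to build numbers are constructed.

```python
def luhn_valid(number: str) -> bool:
    """Mod 10 (Luhn) check; spaces and hyphens are allowed as separators."""
    compact = number.replace(" ", "").replace("-", "")
    if len(compact) < 2 or not (compact.isascii() and compact.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def with_check_digit(payload: str) -> str:
    """Append the one digit that makes the payload pass Mod 10."""
    return next(payload + c for c in "0123456789" if luhn_valid(payload + c))


def missed_single_digit_errors(number: str) -> int:
    """Count single-digit substitutions in a valid number that still validate."""
    missed = 0
    for pos, original in enumerate(number):
        for wrong in "0123456789":
            if wrong != original and luhn_valid(number[:pos] + wrong + number[pos + 1:]):
                missed += 1
    return missed


def missed_transpositions(prefix: str = "400000", suffix: str = "12345") -> set:
    """Adjacent digit pairs (a, b) whose swap to (b, a) still validates."""
    missed = set()
    for a in "0123456789":
        for b in "0123456789":
            if a == b:
                continue
            good = with_check_digit(prefix + a + b + suffix)
            swapped = good[:len(prefix)] + b + a + good[len(prefix) + 2:]
            if luhn_valid(swapped):
                missed.add(a + b)
    return missed
```

The only adjacent swap the check cannot see is 09 for 90 (and the reverse), which is the "almost all" in the item above. A number that passes Mod 10 is only well-formed; it still has to be authorized.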


In addition to the tools, you should develop strategies for fighting fraud and implement them consistently:

  • Understand e-commerce risk. Fraud, customer disputes, chargebacks come in various shapes and forms, yet all of them are costly, time consuming and require constant attention. You should invest the time to understand the risks associated with processing internet transactions.
  • Learn how to process e-commerce transactions. Processing e-commerce transactions presents challenges that you will need to be prepared to handle.
  • Learn how to handle chargebacks. Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their credit card processing account. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. Because processors are assessed fines by the Associations if a merchant’s chargeback ratio is above 1 percent, they will suspend and close a merchant account before its chargeback rate comes even close to 1 percent.
  • Learn how to manage authorization responses. All card-not-present transactions must be authorized before they are processed. The authorization response will typically be approval or decline. You should develop a process for handling transactions after the authorization response has been received and apply it consistently.
  • Screen international transactions. International orders generate more fraud and should be scrutinized more rigorously than domestic ones. You will not be able to use AVS unless the card issuer supports International AVS, in which case AVS can validate addresses in the United Kingdom. Moreover, the legal environment is different in each country and there is likely to be a language barrier that you should consider.
  • Use fraud scoring. Fraud scoring is a system of predictive fraud detection models or technologies that payment processors use to identify the highest-risk transactions in card-not-present environment that require additional verification.
  • Set up transaction velocity limits and controls. Set review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. As you accumulate transaction data over time, adjust these limits to reflect the customer’s purchasing patterns.
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for security management, policies, procedures, network architecture, software design and other protective measures. Compliance is mandatory for all e-commerce merchants.


Avoid using voice authorizations because they bypass your processor’s systems and cannot be used as supporting evidence in chargeback re-presentments. Also, whenever you get an order from a new customer, check the provided information and make sure there is nothing suspicious. Often, common sense is the most effective tool for fighting fraud that you have at your disposal.

Wednesday, May 19th, 2010

How to Protect E-Commerce Merchant Accounts from Intrusion

Tags: Address Verification Service (AVS), card security codes, data security, e-commerce best practices, e-commerce merchant accounts, fraud prevention, PCI DSS, transaction authorization

There are several weak links in an e-commerce merchant account that are typically targeted by criminals looking to steal card account information. Understanding what these weak spots are and implementing a set of best practices to protect them will significantly improve your account’s protective mechanisms and keep sensitive data safe.


Among the favorite targets for cyber criminals looking for credit card data are an e-commerce website’s shopping cart and the payment gateway that connects it to the merchant’s processing bank’s system. Criminals usually attack web-based merchants that use weak or generic passwords. Once they gain access to the merchant account, they start processing fraudulent debit and credit transactions. The fraudulent sales are usually equal or similar in total amount to the deposited credits, so that they offset each other. This is done in an effort to avoid detection by deposit-volume monitoring.


To keep your e-commerce merchant account safe, you should apply the following best practices:

  • Conduct daily monitoring of authorizations and transactions. In particular, you should check daily for the following:
    • Authorization-only transactions. An unusually high number of authorization-only transactions could indicate that your website is being tested for vulnerability.
    • An unusually high number, average size, or volume of credit transactions. This could be an indication of fraud.
    • Identical or similar transaction amounts.
    • Transactions that do not include customer identification information.
    • Multiple transactions from the same Internet Protocol (IP) address.
    • Transactions with similar account numbers. Such credit card accounts may have been generated by software for generating fraudulent account numbers (e.g. CreditMaster).
    • Multiple transactions made using a single account within a short period of time. This is a typical sign of fraud where a criminal is attempting to run up as many charges as possible within the limited time he or she has before the stolen account is blocked.
  • Monitor your daily batches. In particular:
    • Know what time your transactions settle. Make sure to review your transactions before settlement occurs.
    • If you use the Address Verification Service (AVS) or Card Security Codes (CVV2, CVC 2 and CID), look for transactions submitted without an AVS or a Card Security Code response in the authorization record. You should always use AVS and security code validation before processing an e-commerce transaction. These tools were created specifically to fight e-commerce fraud and have proved quite successful.
  • Create a strong password for your payment gateway and change it regularly. For best results you should:
    • Use a combination of letters and numbers with a minimum of six characters.
    • Make sure that the log-in ID and password are different.
  • Maintain compliance with the requirements of the Payment Card Industry (PCI) Data Security Standards (DSS). PCI DSS are specifically designed to help merchants with their data security management, policies, procedures, network architecture, software design and other protective measures. There are 12 mandatory standards built around several core principles: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.
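
The daily monitoring checks listed above, run over one unsettled batch, as an added example that is not code from the original post. The record layout, thresholds and sample rows are constructed assumptions; card numbers appear only in masked form (first six and last four digits), so "similar account numbers" is approximated as many distinct cards sharing the same first six digits.

```python
from collections import Counter, defaultdict

# Thresholds are assumptions; tune them against your own normal daily volume.
MAX_AUTH_ONLY_SHARE = 0.20   # share of the batch that is authorization-only
MAX_PER_IP = 3               # transactions from one IP address
MAX_SAME_AMOUNT = 3          # transactions with an identical amount
MAX_CARDS_PER_PREFIX = 3     # distinct cards sharing the same first six digits
OFFSET_TOLERANCE = 0.10      # credits within 10% of sales count as offsetting


def txn(tid, kind, cents, ip, card, customer="", avs="", csc=""):
    """One row of a gateway report (hypothetical layout); card is already masked."""
    return dict(id=tid, kind=kind, cents=cents, ip=ip, card=card,
                customer=customer, avs=avs, csc=csc)


def review_batch(batch):
    """Return {finding: evidence} for an unsettled batch; empty means nothing flagged."""
    findings = {}
    sales = [t for t in batch if t["kind"] == "sale"]
    credits = [t for t in batch if t["kind"] == "credit"]
    auth_only = [t for t in batch if t["kind"] == "auth_only"]

    if batch and len(auth_only) / len(batch) > MAX_AUTH_ONLY_SHARE:
        findings["auth_only_spike"] = len(auth_only)

    # Credits that roughly cancel the day's sales hide from deposit-volume monitoring.
    sale_total = sum(t["cents"] for t in sales)
    credit_total = sum(t["cents"] for t in credits)
    if credit_total and (abs(sale_total - credit_total)
                         <= OFFSET_TOLERANCE * max(sale_total, credit_total)):
        findings["credits_offset_sales"] = (sale_total, credit_total)

    per_ip = Counter(t["ip"] for t in batch)
    busy = sorted(ip for ip, n in per_ip.items() if n > MAX_PER_IP)
    if busy:
        findings["same_ip"] = busy

    per_amount = Counter(t["cents"] for t in batch)
    repeated = sorted(a for a, n in per_amount.items() if n > MAX_SAME_AMOUNT)
    if repeated:
        findings["identical_amounts"] = repeated

    cards = defaultdict(set)
    for t in batch:
        cards[t["card"][:6]].add(t["card"][-4:])
    clusters = sorted(p for p, last4 in cards.items() if len(last4) > MAX_CARDS_PER_PREFIX)
    if clusters:
        findings["similar_account_numbers"] = clusters

    anonymous = [t["id"] for t in batch if not t["customer"]]
    if anonymous:
        findings["no_customer_id"] = anonymous

    unchecked = [t["id"] for t in sales if not t["avs"] or not t["csc"]]
    if unchecked:
        findings["missing_avs_or_csc"] = unchecked
    return findings


def sample_batch():
    """Constructed data: three ordinary sales followed by a suspicious run."""
    batch = [
        txn("t1", "sale", 2599, "198.51.100.10", "411111******1111", "c-101", "Y", "M"),
        txn("t2", "sale", 4900, "198.51.100.11", "510510******5100", "c-102", "X", "M"),
        txn("t3", "sale", 1250, "198.51.100.12", "601100******0004", "c-103", "Y", "M"),
    ]
    batch += [txn(f"t{4 + k}", "auth_only", 100, "203.0.113.7", f"400000******000{k}")
              for k in range(5)]
    batch.append(txn("t9", "sale", 8700, "203.0.113.7", "400000******0005"))
    batch.append(txn("t10", "credit", 17000, "203.0.113.7", "400000******0009"))
    return batch
```

Run it before your settlement time, so that a flagged batch can still be reviewed while the transactions are unsettled.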