Tuesday, June 8th, 2010

Screening Fraudulent E-Commerce Transactions

Tags: Address Verification Service (AVS), card security codes, e-commerce best practices, fraud prevention

Fraud is a much bigger concern for e-commerce merchants than it is for their brick-and-mortar counterparts. The challenges of verifying the validity of both the card and the cardholder in a non-face-to-face environment are much greater than they are in a card-present setting. Still, there are plenty of third-party tools that can help you screen fraudulent transactions. But perhaps the better way to prevent fraud from happening is to develop and implement an internal mechanism for screening transactions, which would, if certain predefined high-risk characteristics are found, suspend the processing of the transactions at issue.


If you decide to build your own, proprietary, fraud screening mechanism, consider implementing the following elements to serve as trigger points for suspending the processing of a transaction:

  • Transaction data that matches information stored in your internal negative file. Internal negative files should include account information from previous transactions that have been proved to be compromised or fraudulent.
  • Transactions that exceed your internal velocity limits and controls.
  • Transactions that generate an Address Verification Service (AVS) mismatch. Implementing this fraud screening element is based on the assumption that you are employing AVS, which you should do! AVS verifies whether or not the billing address that your customer provides during a card-not-present transaction matches the one the card issuer has on file for the cardholder. The AVS verification process provides merchants with a response code for each transaction. A “No Match” response is a strong sign of potential fraud and can be used as a trigger point in your fraud screening mechanism. The AVS can also generate a “Partial Match” response which, at the very least, should prompt an additional investigation.
  • Transactions that generate a Card Security Code mismatch. As with the AVS element above, the assumption again is that you are using the security codes for every transaction, which you should do! The three-digit codes on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit codes on the front of American Express (CID) cards were introduced as an additional tool to help merchants verify that the cardholder is in physical possession of the card at the time of the transaction. The Card Security Code verification process, just as the AVS verification process, generates response codes and the same procedures should be followed as with the AVS responses. You should never store these codes in your system.
  • International shipping addresses. If your business is shipping abroad, perhaps you should screen international addresses for fraud as well. If you decide to do that, you should take into account the fact that some countries present a much higher risk than others. You may also want to consider not shipping to certain countries at all. Make sure that your processor supports the international AVS.
  • Identify international IP addresses as high-risk. Statistical data show that international IP addresses have a substantially higher fraud rate than domestic addresses, particularly when merchants require a U.S. billing address.
  • The shipping address is different from the billing address. You may want to require that these two addresses match, especially for big-ticket transactions and transactions for specific merchandise types.
  • Screen for high-risk shipping addresses. Apart from international addresses, there are certain addresses that require special attention, such as P.O. boxes, prisons, hospitals and addresses with documented fraudulent activity. There are third-party databases of high-risk shipping addresses that you can use to compare to shipping addresses provided by your customers.
  • Previous cardholder purchases should be a favorable factor in your fraud assessment procedures.


You should incorporate into your card processing procedures a mechanism for separating high-risk from low-risk transactions. By doing so you will be able to reduce costs by not having to screen every single transaction and concentrate your resources on the most likely offenders instead. Fraud scoring is a system of predictive fraud detection models or technologies that will help you do just that.
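The trigger points listed above can be combined into one screening function. The following is an added example, not code from the original post: the `Order` fields, the normalized AVS labels, the card token, the thresholds, the split into "suspend" and "review" tiers and the rule that a returning customer offsets one review-level flag are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values for illustration; set your own from your data.
NEGATIVE_FILE = {"tok_fraud_0001"}      # card tokens from confirmed-fraud orders
BLOCKED_COUNTRIES = {"ZZ"}              # placeholder code for "do not ship"
HOME_COUNTRY = "US"
MAX_ORDERS, MAX_AMOUNT = 3, 1000.00     # velocity limits per card token
WINDOW = timedelta(hours=24)
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)


@dataclass
class Order:
    card_token: str        # processor token (assumed), not the card number
    amount: float
    placed_at: datetime
    avs: str               # normalized: MATCH, PARTIAL, NO_MATCH, UNAVAILABLE
    csc: str               # issuer result code M/N/P/S/U; the code itself is never kept
    billing: str
    shipping: str
    ship_country: str
    ip_country: str
    prior_good_orders: int = 0


def _norm(addr):
    """Case- and whitespace-insensitive form used to compare addresses."""
    return " ".join(addr.upper().split())


def screen(order, history=()):
    """Return (decision, reasons); history holds earlier orders on the same token."""
    suspend, review = [], []
    if order.card_token in NEGATIVE_FILE:
        suspend.append("negative file match")
    recent = [h for h in history
              if timedelta(0) <= order.placed_at - h.placed_at <= WINDOW]
    if (len(recent) + 1 > MAX_ORDERS
            or sum(h.amount for h in recent) + order.amount > MAX_AMOUNT):
        suspend.append("velocity limit exceeded")
    if order.avs == "NO_MATCH":
        suspend.append("AVS no match")
    elif order.avs == "PARTIAL":
        review.append("AVS partial match")
    if order.csc == "N":
        suspend.append("card security code no match")
    elif order.csc != "M":
        review.append("card security code not verified (%s)" % order.csc)
    if order.ship_country in BLOCKED_COUNTRIES:
        suspend.append("shipping country not served")
    elif order.ship_country != HOME_COUNTRY:
        review.append("international shipping address")
    if order.ip_country != HOME_COUNTRY:
        review.append("international IP address")
    if _norm(order.shipping) != _norm(order.billing):
        review.append("shipping differs from billing")
    if PO_BOX.search(order.shipping):
        review.append("high-risk shipping address (P.O. box)")
    # Favorable factor (assumed rule): a returning customer offsets one review flag.
    if order.prior_good_orders > 0 and len(review) == 1 and not suspend:
        review = []
    if suspend:
        return "suspend", suspend + review
    return ("review", review) if review else ("process", [])
```

Orders that come back as "suspend" or "review" are the ones to hold out of the daily batch until someone has looked at them.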




Tuesday, June 1st, 2010

How to Minimize Fraudulent E-Commerce Transactions

Tags: Address Verification Service (AVS), card security codes, chargebacks, e-commerce, e-commerce best practices, e-commerce risk, fraud prevention, MasterCard SecureCode, PCI DSS, transaction authorization, Verified by Visa

Credit card fraud affects everyone involved in it: the consumer whose card information is stolen, the merchant whose product is purchased, the processing bank that facilitates the transaction and the issuer who is charged with protecting its cardholders, to say nothing of Visa and MasterCard who spend millions developing products to help prevent it from happening. In previous posts we have written in detail about the various products and procedures that can be utilized to protect your web-based business from fraudulent transactions. In this post, we will offer a general overview of the e-commerce fraud prevention tools and strategies that we believe all e-commerce merchants should use to build their sales processing system around.


Firstly, however, it should be pointed out that no system is 100 percent fraud proof and yours will not be an exception. Even your best efforts will not protect you from processing a fraudulent sale or two on occasion. Whenever that happens, you will bear a certain financial responsibility. Although the merchant is just as much a victim of fraud as the cardholder whose card information was stolen, there are transaction fees that have been incurred in processing the payment and the merchant will end up paying them. On top of that, you will most likely be hit with a loss for the cost of the item that was sold and for shipping charges, if applicable.


It is important to emphasize that in credit card transactions, the payment information does not actually get to your processor until you submit your daily batch at the end of the day. The reason it is important is that it gives you some extra time to verify the validity of the orders that you accepted that day. If yours is a small business, you can probably go through each transaction every day. Larger organizations, however, will not have this option and should develop a process to set higher risk transactions aside for further review. Don’t hesitate to ask your processor for help. Remember that they also have a financial incentive to minimize fraud, just as you do.


There are several tools that were specifically developed to help e-commerce merchants fight fraud and you should take the time to get to know how these tools work and provide support for them all:

  • Card Security Codes (CVV2, CVC 2 and CID). The three-digit codes on the back of Visa, MasterCard and Discover cards and the four-digit codes on the front of American Express cards were introduced as an additional tool to help merchants verify that the cardholder is in physical possession of the card at the time of the transaction. You should never store these codes in your system.
  • Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement) provided by a customer with the billing address on the card issuer’s file before processing a transaction. A mismatch is a strong indication of fraud.
  • Verified by Visa and MasterCard SecureCode. These are payment authentication systems that validate a cardholder’s ownership of an account in real-time during an online payment transaction. When the cardholder initiates a payment at the checkout page of a participating merchant’s website, a new screen automatically opens up in the cardholder’s browser. The cardholder enters a previously created password that allows the card issuer to verify his or her identity.
  • Validating credit card numbers. The Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. The algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.
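The Mod 10 check and the two error-detection properties just described can be verified directly. This is an added example, not code from the original post: the function names, the 12 to 19 digit length range and the sample numbers (a widely published test number and a constructed one) are assumptions.

```python
import re


def luhn_checksum(digits: str) -> int:
    """Mod 10 sum: double every second digit from the right, subtract 9 if above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number passes Mod 10. Spaces and dashes are ignored."""
    s = re.sub(r"[ -]", "", number)
    # Length range is an assumption covering common card number lengths.
    if not (s.isascii() and s.isdigit() and 12 <= len(s) <= 19):
        return False
    return luhn_checksum(s) == 0


def check_digit(payload: str) -> int:
    """Digit that must be appended to payload for the result to pass Mod 10."""
    return (10 - luhn_checksum(payload + "0")) % 10


def undetected_single_digit_errors(number: str) -> list:
    """Every one-digit substitution that still passes the check (expected: none)."""
    missed = []
    for i, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch:
                mutated = number[:i] + repl + number[i + 1:]
                if luhn_valid(mutated):
                    missed.append(mutated)
    return missed


def undetected_adjacent_transpositions(number: str) -> list:
    """Every swap of two different neighbouring digits that still passes the check."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b:
            swapped = number[:i] + b + a + number[i + 2:]
            if luhn_valid(swapped):
                missed.append(swapped)
    return missed


if __name__ == "__main__":
    test_number = "4111111111111111"            # widely published test number
    print(luhn_valid(test_number))
    print(undetected_single_digit_errors(test_number))
    # Constructed number containing the digit pair 0,9 next to each other.
    payload = "411109111111111"
    constructed = payload + str(check_digit(payload))
    print(undetected_adjacent_transpositions(constructed))
```

The only adjacent swap that slips through is 09 for 90, which is why the check catches "almost all" transpositions. Passing Mod 10 only rules out typing errors; it says nothing about whether the account exists or the buyer is the cardholder.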


In addition to the tools, you should develop strategies for fighting fraud and implement them consistently:

  • Understand e-commerce risk. Fraud, customer disputes and chargebacks come in various shapes and forms, yet all of them are costly, time consuming and require constant attention. You should invest the time to understand the risks associated with processing internet transactions.
  • Learn how to process e-commerce transactions. Processing e-commerce transactions presents challenges that you will need to be prepared to handle.
  • Learn how to handle chargebacks. Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their credit card processing account. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. Because processors are assessed fines by the Associations if a merchant’s chargeback ratio is above 1 percent, they will suspend and close merchant accounts before their chargeback rates come even close to 1 percent.
  • Learn how to manage authorization responses. All card-not-present transactions must be authorized before they are processed. The authorization response will typically be approval or decline. You should develop a process for handling transactions after the authorization response has been received and apply it consistently.
  • Screen international transactions. International orders generate more fraud and should be scrutinized more rigorously than domestic ones. You will not be able to use AVS, unless the card issuer supports International AVS and then AVS can validate addresses in the United Kingdom. Moreover, the legal environment is different in each country and there is likely to be a language barrier that you should consider.
  • Use fraud scoring. Fraud scoring is a system of predictive fraud detection models or technologies that payment processors use to identify the highest-risk transactions in a card-not-present environment that require additional verification.
  • Set up transaction velocity limits and controls. Set review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. As you accumulate transaction data over time, adjust these limits to reflect the customer’s purchasing patterns.
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of requirements for security management, policies, procedures, network architecture, software design and other protective measures. Compliance is mandatory for all e-commerce merchants.


Avoid using voice authorizations because they bypass your processor’s systems and cannot be used as supporting evidence in chargeback re-presentments. Also, whenever you get an order from a new customer, check the provided information and make sure there is nothing suspicious. Often, common sense is the most effective tool for fighting fraud that you have at your disposal.




Tuesday, May 11th, 2010

Chargeback Re-presentment Rights for E-Commerce Merchants

Tags: card security codes, chargebacks, e-commerce merchants

Re-presentment is a chargeback that is rejected and returned to a card issuer by the merchant’s processing bank on the merchant’s behalf. A chargeback may be re-presented, or re-deposited, if the merchant or the processing bank can remedy the problem that led to the chargeback. To be valid, a re-presentment must be in accordance with regulations established by Visa and MasterCard and be submitted within the specified time frame. The two Credit Card Associations have the final say as to the validity of a chargeback or a re-presentment, if the two affected banks cannot resolve the issue between themselves.


E-commerce merchants must understand their re-presentment rights and work with their processing banks to apply the necessary actions in a timely manner or otherwise these rights will be lost.

  • AVS and Card Security Code re-presentment rights*. In cases of chargebacks associated with the use of the Address Verification Service (AVS) and the Card Security Codes (CVV2, CVC 2 and CID), processing banks can represent a charged back transaction if the merchant:
    • Received an AVS positive match in the authorization message and if the billing and shipping addresses are the same. Proof of the shipping address and of the delivery needs to be submitted. You should design your sales and order processing procedures in a way that will allow you to store and easily access billing and shipping information for future reference.
    • Submitted an AVS query during authorization and received a “U” response from a U.S. card issuer. This response means that the card issuer is unavailable or does not support AVS. Even though you did not receive a positive AVS match, you are still protected, because you attempted AVS verification.
    • Submitted a Card Security Code verification request during authorization and received a “U” response from a U.S. card issuer. The response means that the card issuer does not support the respective code. Just as with the above AVS verification response, you receive protection when the issuer does not support a card security code, because you attempted verification.


*Even though an acquiring bank has the right to represent a transaction on its merchant’s behalf under the above circumstances, there is no guarantee that the disputed items will be accepted.


If you believe that you have AVS or Card Security Code re-presentment rights on a charged back transaction, all available supporting evidence should be provided to the acquiring bank to be submitted with the re-presentment. Be advised that all relevant documentation must be submitted within a specified time frame. Every time supporting documentation is requested, your processor will notify you what the deadline for receiving it is. If you are late, you will forfeit your re-presentment right.


Verified by Visa and MasterCard SecureCode re-presentment rights. Merchants who participate in Verified by Visa and MasterCard SecureCode are in most cases protected from “unauthorized use” types of chargebacks. If you participate in these programs and receive a fully authenticated or attempted authentication response from the card issuer and the authentication data was provided in the authorization request, you retain re-presentment rights.




Friday, April 30th, 2010

MasterCard’s Card Validation Code 2 – CVC 2

Tags: card security codes, card-not-present transactions, chargebacks, CVC 2, e-commerce, fraud prevention, MasterCard, risk management

MasterCard, just like bigger rival Visa, puts security codes on all credit and debit cards that bear its logo, as an additional security feature to help merchants who accept payments in a card-not-present environment fight fraud. The CVC 2, which stands for Card Validation Code 2, is located on the back of all MasterCard cards. It is a three-digit code indent-printed on the signature panel of MasterCard cards. The CVC 2 is preceded by the last four digits of the card’s account number, also printed on the signature panel. This added security measure enables e-commerce and MO / TO retailers to verify that the buyer has the actual card in his or her possession during a card-not-present transaction. Visa’s equivalent security code is called Card Verification Value 2 (CVV2).


The CVC 2 is a security feature that all major payment gateways and virtual terminals support and your payment processor should make it available to you.


How to use CVC 2? The CVC 2 should be used in every e-commerce or MO / TO transaction. Consider implementing the following steps:

  1. Ask your customers for the last three digits in the signature panel on the back of the MasterCard card. Do not ask for the CVC 2 number, as your customer will most likely have no idea what this is.
  2. Depending on the response your customer gives to your CVC 2 request, include one of the following indicators in your authorization request, along with the card’s expiration date and the account number:

    Indicator | When to Use It
    0 | If the CVC 2 is not included in the authorization request.
    1 | If the CVC 2 is included in the authorization request.
    2 | If your customer has stated that the CVC 2 is illegible.
    9 | If your customer has stated that the CVC 2 is not on the card.

  3. The card issuer will reply to your request with one of the CVC 2 result codes listed below. Take it into consideration, along with all other factors in determining the validity of the transaction.

    Result Code | Recommended Action
    M – Match | The CVC 2 is valid. Complete the transaction, taking into account all other transaction characteristics.
    N – No Match | The CVC 2 is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVC 2 request.
    P – CVC 2 request not processed | You should resubmit the request.
    S – the cardholder has stated that the CVC 2 is not on the card | The CVC 2 code should be on all MasterCard cards. Consider following up with your customer to verify that he or she has checked the correct card location.
    U – the card issuer does not support CVC 2 | In this case you should evaluate all available information and decide whether to proceed with the transaction or investigate further.


Storing of CVC 2 is prohibited. Never keep or store CVC 2 codes once a transaction is completed. Storing CVC 2 codes is prohibited and could result in fines. You may store other account information, e.g. cardholder name, account number and expiration date but not the CVC 2.


Why should you use CVC 2? Using CVC 2 will benefit your organization in a number of ways, including:

  • Enhanced fraud protection. Card-not-present merchants run a greater risk of processing fraudulent transactions than their store-front counterparts. Using CVC 2 provides an additional step in the process of verifying the validity of both the card and the cardholder.
  • Reduced chargebacks. Reduced fraud leads to reduced fraud-related chargebacks. Chargebacks due to other reasons, however, will remain unaffected by the use of CVC 2.
  • Improved bottom line. Fraudulent and charged-back transactions lead to lost revenue and can mean extra processing time and costs. CVC 2 helps limit such losses and minimize operating costs.




Thursday, April 1st, 2010

How should E-Commerce Businesses Handle Chargebacks?

Tags: Address Verification Service (AVS), card security codes, card-not-present transactions, chargebacks, e-commerce best practices, e-commerce merchants, MasterCard SecureCode, risk management, Verified by Visa

Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their payment processing provider. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. If you cannot keep your chargeback rate under 1 percent, your processor will suspend and eventually close your merchant account. In reality, processors suspend and close merchant accounts before their chargeback rates come even close to 1 percent.


So what are chargebacks and what should you do about them?


What is a chargeback? A chargeback is a transaction that is returned by the card issuer and / or the cardholder to the processing bank, and most often directly to the merchant, as a financial liability. In essence, it reverses a sales transaction, as follows:

  1. The card issuer subtracts the transaction dollar amount from the cardholder’s account. The cardholder receives a credit and is no longer financially responsible for the dollar amount of the transaction.
  2. The card issuer debits the processing bank for the dollar amount of the transaction.
  3. The processing bank will most often deduct the transaction amount from the merchant’s account. The merchant loses the dollar amount of the transaction.


Why do chargebacks occur? There are many reasons why chargebacks occur, but there are several that stand out:

  • Customer disputes.
  • Fraud.
  • Processing errors.
  • Authorization issues.
  • Non-fulfillment of transaction copy requests (only if fraud or illegible).


What do you do when a transaction is charged back? Chargebacks probably cannot be completely eliminated, although merchants can take steps to reduce their number. Many chargebacks are a result of improper transaction processing procedures and can be easily avoided by making adjustments where necessary; we have discussed this subject elsewhere. Other chargebacks, however, are beyond the control of the merchant. When a transaction is charged back to you:

  1. First try to resolve it without losing the sale. Provide to your processor all available additional information about the transaction at issue or about the shipping, delivery or other issues that you may have had. A chargeback may have been initiated because the consumer has not received the product or service on the agreed-upon date. You may be able to resolve the issue by providing evidence that the merchandise was received within the specified time frame, but the cardholder did not take the weekend days into account. Send this information to your merchant processing provider as soon as possible. It is always advisable that you provide as much information relevant to the issue as you have available, including:
    1. Account number.
    2. Card expiration date.
    3. Cardholder name.
    4. Transaction date.
    5. Transaction amount.
    6. Authorization code.
    7. Merchant name.
    8. Merchant website address.
    9. General description of the merchandise or services.
    10. Shipping address, if applicable.
    11. Address Verification Service (AVS) response code, if applicable.
  2. Represent the transaction. Once your processor has sufficient evidence to support your case, the transaction will be represented on your behalf, through the Credit Card Network of Visa or MasterCard, to the credit card issuer.
  3. Provide timely responses to information requests. The most important factor in the chargeback process is time. You will have a certain time limit to complete each step of the process. If you do not respond to a particular request within the specified time-frame, you will lose your representment rights and will not be able to get your money back. For example, the card issuer can charge back a transaction if you do not respond to an information request within 30 days.
  4. Understand your rights related to using the AVS and card security codes. Using AVS and the card security codes gives you stronger representment rights for some types of chargebacks. Specifically, a charged back transaction can be represented if:
    1. You received an AVS positive match in the authorization message and if the cardholder’s billing and shipping addresses are the same. Your re-presentment will need to include proof of the shipping address and delivery.
    2. You submitted an AVS query during the authorization process and received a “U” response from a U.S. card issuer. This response means that the card issuer is unavailable or does not support AVS.
    3. You submitted a card security code verification request during the authorization process and received a “U” response from a U.S. card issuer. This response means the issuer does not support the particular security code.


    If you believe you have AVS or card security code re-presentment rights on a charged back transaction, work with your processor to ensure that all supporting evidence for the re-presentment is submitted.

  5. Understand your Verified by Visa and MasterCard SecureCode representment rights. If you participate in Verified by Visa and / or MasterCard SecureCode and you have received a fully authenticated or attempted authentication response from the card issuer, you retain your representment rights. The same applies for chargebacks resulting from unauthorized use.


Sometimes a chargeback cannot be reversed, either because you don’t have supporting evidence to represent or for another reason. In such cases the best course of action will be to accept it and move on, saving valuable time and money.


