Monday, August 23rd, 2010

How Scammers Stole $10M from the Credit Cards of 1.3M Americans

Tags: credit card fraud, credit card information, data security, stolen data


The Federal Trade Commission has filed charges in relation to the $10 million credit card scam that we first learned about a month and a half ago, we learn from the New York Times. The NYT article tells us that the charges against the bogus companies set up to facilitate the fraudulent transactions were filed back in March, three months before the FTC announced the scam in a press release.


It was a very elaborate scheme, involving more than 16 dummy corporations the scammers had set up in various Eastern European and Central Asian countries, including Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The criminals then opened up more than 100 merchant accounts in the U.S. to process the payments. In order to do so, however, they had to convince the processing banks that their business was legitimate. Here is how they did that, according to the NYT:

…false storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.


The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.


Once the merchant accounts were operational, the criminals started to charge small amounts to credit and debit card accounts whose information they had stolen. Most of the charges were for $9, although the amounts could be as low as $0.20 and as high as $10, according to Steven M. Wernikoff from FTC’s Midwest Region Office.


The criminals succeeded in stealing so much money mostly because the small individual charges either went unnoticed by many of their victims or they simply didn’t bother to dispute them.


Yet, with so many fraudulent transactions, complaints were bound to pile up and eventually the FTC received more than 1,000 of them. Interestingly, there “were more complaints about the 20-cent charges because they looked really odd,” according to Wernikoff.


The FTC’s investigation lasted for nine months; however, the identities of the individuals who masterminded the scam are still unknown. No one is defending the companies in this lawsuit either. Less than $100,000 has been recovered so far from the U.S. assets of the false companies. The FTC hopes to recover some of the money transferred abroad, but it is unlikely that it will meet with much success there.


Apart from its sheer scale, the most striking thing about this scam is the discipline and patience with which it was executed. The criminals had a detailed understanding of how the credit card processing system operated, had identified its vulnerabilities and knew how to exploit them. It must have taken them months just to lay down the groundwork of setting up U.S. corporations and opening up e-commerce websites and merchant accounts for them. They must have known that eventually the whole thing would be found out, but that it would take months for it to happen. In the meantime they managed to steal money from 1.3 million people. This must be some kind of a record, but I’m also wondering if we have learned the full extent of the scam. Take a look at your January statement. Maybe you’ll see a $0.20 transaction from Link Services or Site Management.




Friday, August 6th, 2010

Merchant Audit: Initiation, Review Process and Consequences

Tags: credit card fraud, excessive chargebacks, high-risk merchant accounts, MATCH, processing banks

Visa and MasterCard can initiate an audit of a merchant’s credit card processing account whenever they have reasons to believe that the merchant may be a high-risk one or is processing invalid transactions. In particular, the following two reasons can be sufficient to trigger an audit:

  • The processing bank may have reason to believe that the merchant is engaging in collusive or otherwise fraudulent or illegal activity.
  • The processor determines that the merchant’s chargeback ratio or credits-to-sales ratio exceeds the standards set by Visa and MasterCard or its own standards, or both. We have discussed the Associations’ rules on excessive chargebacks in previous posts and encourage you to revisit them.


Processors will typically act quickly when they notice an activity that is outside of the established merchant pattern, because they are responsible for fraud-related chargebacks. For example, if a merchant submits a transaction at an amount substantially higher than the average transaction amount approved for the account, the processor will probably contact the merchant and want to find out why the amount is so high. Similar attention is paid to sales volumes. As completely legitimate merchants have learned to their surprise and annoyance, a rapid rise in their monthly sales invariably attracts their processor’s attention.


Moreover, even when fraud is absent or not suspected, processing banks can have good reasons to be alert. The Associations assess processors penalty fees for merchants with high levels of chargebacks. For example, processors are required to report every merchant whose chargeback-to-transaction ratio (CTR) exceeds 50 basis points (0.50 percent) and pay a reporting fee of $50 for each report submitted. The fee rises steeply when the CTR exceeds 100 basis points (1 percent). To avoid paying these fees, processors will initiate a review long before the merchant comes even close to reaching either of these thresholds.


Whenever an audit is initiated by one of the Associations, it will contact the processor to explain the reasons why it believes the merchant may be in violation of the rules against processing invalid transactions and request information. Processors have 30 calendar days to return the requested information to the Association. Requested information typically includes the following items:

  • A statement explaining whether, when, and how the processor became aware of fraudulent activity or chargeback or customer service issues, the steps it took to control the occurrence of fraud, and the circumstances surrounding the merchant’s termination.
  • All internal documents about the opening and signing of the merchant including its application, merchant processing agreement, credit report, and certified site inspection report.
  • All internal documents regarding the due diligence procedures followed before signing the merchant, including background checks of the company and its principals, as well as trade and bank references that the processor verified during the due diligence procedure.
  • If an Independent Sales Organization (ISO) or a Member Service Provider (MSP) of the processing bank has facilitated the signing of the merchant, the ISO / MSP must include the due diligence documents. (In such cases the processor must distinguish between the due diligence conducted by its employees and its ISO’s / MSP’s employees.)
  • Additionally, if an ISO / MSP assisted in the signing of the merchant, the processing bank must provide all due diligence documents regarding the representative that signed the merchant.
  • Reports confirming an inquiry by the processor into the Member Alert to Control High-Risk Merchants (MATCH) system before signing the merchant and, if applicable, input of the merchant to the MATCH system database within five business days after its decision to close the merchant.
  • Additionally, during the review period, the processor will be required to provide the following documentation:
    • Authorization logs for the merchant.
    • A monthly breakdown of chargeback and credits by count, amount, and issuer bank identification number (BIN) for the violation period.
    • A complete record of the merchant sales volume, including the number of transactions at the location, for the period for which the authorization logs are requested.


As you see, there is a lot of documentation that will be looked at and, if something is not done according to the applicable rules, it will most likely be found and the account will be terminated (if it has not been already) and the merchant will be added to the MATCH file. Moreover, during an audit, the merchant may be listed on the MATCH system under MATCH reason code 00 (Questionable Merchant).




Thursday, July 8th, 2010

How to Manage Chargebacks Resulting from Multiple Fraudulent Transactions

Tags: best practices, card-present transactions, chargeback reason codes, chargebacks, credit card fraud, Visa

Visa uses chargeback reason code 57 to designate chargebacks caused by multiple credit card transactions posted by a merchant on a single credit card account within a short period of time. MasterCard does not have an equivalent reason code.


Reason code 57 is issued when the card issuer receives a written claim from a cardholder, acknowledging participation in at least one credit card transaction at the merchant but disputing participation in the remaining transactions. The cardholder also states that the card was in his or her possession at the time of the disputed transactions.


What causes these chargebacks? Reason code 57 chargebacks typically occur when the merchant fails to void multiple transactions or processes transactions fraudulently. Code 57 only applies to card-present transactions and does not apply to e-commerce or MO / TO transactions.


How to manage this type of chargeback? When you receive a reason code 57 chargeback, your response will depend on your particular circumstances. For example:

  • You have already processed a credit for the disputed transaction. A possible solution, if you have already processed the appropriate credit to your customer’s card account, is to send to your processing bank evidence of the credit. Even if you do not have any documentation to prove that credits were issued, give your processor information on the credit transaction’s date and amount. They should be able to locate the transaction within their system’s history.
  • The cardholder actually participated in multiple transactions. A possible remedy in cases where your customer actually participated in more than one valid transaction is to provide your processor with supporting evidence, such as:
  • Credit was not processed on the disputed transaction. If you have not processed the credit, there is nothing you can do and you should accept the chargeback. Do not process a credit now as the chargeback has already performed this function.


How to prevent reason code 57 chargebacks? There are two major reasons for this type of chargeback – processing errors and fraud – and each should be addressed separately.


Above all, your payment processing system should be designed to recognize and warn you whenever a duplicate transaction is detected. You should review each batch of paper sales receipts prior to deposit to ensure that only bank copies – and not merchant copies – are included. If transactions are sent electronically for processing, make sure that each batch is sent only once and has a separate batch number.
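
One way to implement the two checks described above, as an added Python example that is not code from this site or from any processor. The 10-minute window, the record fields and the batch fingerprint are assumptions made for illustration, and the sample transactions are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed meaning of "short period"; tune it

def find_duplicate_charges(txns, window=WINDOW):
    """Pairs (earlier_id, later_id): same card token and amount within window."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t["card_token"], t["amount_cents"])].append(t)
    pairs = []
    for group in groups.values():
        group.sort(key=lambda t: t["ts"])
        for prev, cur in zip(group, group[1:]):
            if cur["ts"] - prev["ts"] <= window:
                pairs.append((prev["id"], cur["id"]))
    return sorted(pairs)

def batch_digest(txns):
    """Order-independent fingerprint of a batch's contents."""
    rows = sorted(f'{t["card_token"]}|{t["amount_cents"]}|{t["ts"].isoformat()}'
                  for t in txns)
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()

def check_batches(batches):
    """batches: (batch_number, txns) in submission order -> list of warnings."""
    numbers, digests, warnings = set(), {}, []
    for number, txns in batches:
        digest = batch_digest(txns)
        if number in numbers:
            warnings.append(f"batch number {number} reused")
        elif digest in digests:
            warnings.append(f"batch {number} repeats contents of batch {digests[digest]}")
        numbers.add(number)
        digests.setdefault(digest, number)
    return warnings

# Constructed sample data (tokens stand in for card numbers).
T0 = datetime(2010, 7, 8, 12, 0)
def _txn(i, token, cents, minutes):
    return {"id": i, "card_token": token, "amount_cents": cents,
            "ts": T0 + timedelta(minutes=minutes)}

SAMPLE_TXNS = [
    _txn("t1", "tok_A", 4500, 0),
    _txn("t2", "tok_A", 4500, 2),    # same card, same amount, 2 minutes later
    _txn("t3", "tok_A", 1200, 3),
    _txn("t4", "tok_B", 4500, 4),
    _txn("t5", "tok_A", 4500, 180),  # same card and amount, hours later
]
SAMPLE_BATCHES = [
    (101, SAMPLE_TXNS[:3]),
    (102, SAMPLE_TXNS[3:]),
    (103, SAMPLE_TXNS[:3]),   # batch 101 resent under a new number
    (102, SAMPLE_TXNS[4:]),   # batch number used twice
]

if __name__ == "__main__":
    print(find_duplicate_charges(SAMPLE_TXNS))
    for w in check_batches(SAMPLE_BATCHES):
        print("WARNING:", w)
```

A flagged pair is a prompt to check whether the first transaction should have been voided, not proof of an error, since a customer can legitimately make two identical purchases.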


Fraud, however, can be much more challenging to combat. We have discussed various fraud prevention strategies at length in other posts and encourage you to review them. There is no substitute for vigilance and the management should investigate all potentially fraudulent transaction activities, both external and from within your organization. These types of chargebacks can have very serious consequences for your business. Whenever you receive a reason code 57, your goal should be to discover the root cause of the issue so that remedial actions can be applied.



Friday, June 18th, 2010

Limits on Merchant Account Credit Card Processing Volumes

Tags: credit card fraud, credit card processing, merchant account applications, merchant accounts, processing banks

Often, when we receive a merchant account application, the applicant leaves the fields for the “annual credit card volume” and “average credit card ticket” blank. Typically, the omission is made by an applicant with no previous processing experience, but it is not rare that a merchant with an existing merchant account fails to provide its processing volumes or average ticket. But why are these fields included in the application in the first place and what should you answer if your business is new and you have no idea how much revenue it will bring in the first week, never mind the first year?


In order to answer this question, we will first have to look at the application process through the eyes of the underwriter, i.e. the processing bank. From your processor’s perspective, you are applying for a line of credit. This is often difficult for merchants to understand, because, from their standpoint, a merchant account has nothing to do with extending any credit. Well, this is not exactly so, even though it is true that typically the processor gets paid before it pays the merchant (after subtracting its processing fee from the transaction amount). The problem processors are faced with is that fraudulent and other invalid transactions can be charged back, i.e. reversed, up to 180 days after the transaction date. If it is still operating, the merchant will bear the liability for these transactions. However, if the merchant has closed down shop or if its merchant account has been terminated (which can happen for any number of reasons), the processor will bear the liabilities.


One of the processor’s major objectives when evaluating a merchant account application is to estimate its own potential liability and to do that, a key piece of data each credit manager relies on is the merchant’s expected annual credit card volume. After all, the processor’s liability cannot exceed the total amount processed by the merchant.


It should be emphasized here that, provided you keep your merchant account in good standing, you will be allowed to accept credit card payments, even if you exceed your stated annual processing volume. Issues are certain to arise, however, if your track record is less than perfect, in which case your account may be frozen.


Moreover, all underwriters set an annual volume threshold, which varies by processor, but is typically around $450,000. All applications that list processing volumes above the threshold are automatically subjected to a more rigorous examination and applicants may be required to provide additional supporting documentation.


Of course, there are other risk factors that come into play and they are taken into account as well. For example, some industries are typically prone to higher levels of chargebacks. Prime examples are adult-oriented websites, third party collection agencies, used car dealerships, etc.


Certain factors, however, go across industry lines and the average sale amount is among the more important ones. The reason is that the bigger the average sale ticket, the bigger the potential chargeback or fraud liability. Even if sales take place in a face-to-face environment and the potential for fraud is minimal, consumers are much more likely to have a change of heart and dispute a $1,500 purchase than a $10 one.


Now that you understand what your prospective processor’s priorities are when evaluating a merchant account application, what should you enter in those two fields? First and foremost, you should try to be as accurate as possible. If you have been in business for some time and are looking to switch processors, this should not be an issue. For new merchants, unless you are absolutely certain that your sales will exceed the annual volume threshold mentioned above, provide a figure that is below $450,000. As the year progresses, you can request an update, if necessary.


Regarding your average credit card ticket, you should provide a figure at the higher end of the expected range. For example, if your sales will range from $50 to $500, enter $450. Your processor will not mind seeing sales in lower amounts than the stated one, but higher-amount sales will be raising red flags, especially if processed on a consistent basis. The reason again has to do with fraud and liability. A fraudulent transaction is much more likely to be for a large amount than a small one.


With all that in mind, you know your business better than anyone and should be able to provide a fairly good estimate of your expected sales amounts. When in doubt, it is better to state a figure closer to the higher end of your estimates than to the lower one.



Wednesday, June 16th, 2010

How Processors Manage Merchant Accounts with High Levels of Fraud

Tags: chargebacks, credit card fraud, MasterCard, processing banks, Visa

The Credit Card Associations of Visa and MasterCard maintain the Global Merchant Audit Program (GMAP), which is a rolling six-month database that identifies merchants that for any one calendar month have:

  • At least three fraudulent transactions.
  • A cumulative total of at least $2,000 in fraudulent transactions.
  • A minimum fraud-to-sales volume ratio of 1%.


Merchants identified under the GMAP program are divided into the following three tiers based on their fraud-to-sales volume ratio in any one month:

  • Tier 1 – fraud-to-sales volume ratio minimum of 1% and not exceeding 3.99%.
  • Tier 2 – fraud-to-sales volume ratio minimum of 4% and not exceeding 6.99%.
  • Tier 3 – fraud-to-sales volume ratio of at least 7%.


If a merchant is identified in Tiers 1 or 2 more than one time in a 12-month period, it will be automatically escalated into the next higher tier. If a merchant is escalated into Tier 2, the processor is required to provide it with additional training on fraud control. If a merchant is escalated into Tier 3, the processor is required to decide whether to accept liability for fraud-related chargebacks or to terminate the merchant account.
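
The identification criteria, tiers and repeat escalation described above, as an added Python example (not code from Visa, MasterCard or this site) that a merchant could run over its own monthly figures. It assumes that all three monthly criteria must hold together, that the tier boundaries fall at 4% and 7%, and that a repeat means the same tier again within the trailing 12 months; the MonthStats type, its month index and the sample history are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MonthStats:
    month: int        # hypothetical index: year * 12 + (calendar month - 1)
    fraud_count: int  # fraudulent transactions reported for the month
    fraud_cents: int  # fraud volume, in cents to avoid float rounding
    sales_cents: int  # total sales volume for the month, in cents

def base_tier(m):
    """Return 0 (not identified) or tier 1-3 for one calendar month."""
    if m.sales_cents <= 0:
        return 0
    identified = (m.fraud_count >= 3              # at least three fraud transactions
                  and m.fraud_cents >= 2000_00    # at least $2,000 in fraud
                  and m.fraud_cents * 100 >= m.sales_cents)  # ratio >= 1%
    if not identified:
        return 0
    if m.fraud_cents * 100 >= 7 * m.sales_cents:  # ratio >= 7%
        return 3
    if m.fraud_cents * 100 >= 4 * m.sales_cents:  # ratio >= 4%
        return 2
    return 1

def effective_tiers(history):
    """Map month index -> tier after applying the repeat-escalation rule."""
    result, seen = {}, []   # seen: (month, base tier) of earlier identifications
    for m in sorted(history, key=lambda s: s.month):
        tier = base_tier(m)
        if tier == 0:
            continue
        # Assumption: "12-month period" is the current month plus the prior 11.
        repeat = any(t == tier and m.month - mo < 12 for mo, t in seen)
        seen.append((m.month, tier))
        result[m.month] = tier + 1 if repeat and tier in (1, 2) else tier
    return result

# Constructed monthly figures for one merchant.
SAMPLE_HISTORY = [
    MonthStats(0, 4, 2500_00, 100_000_00),   # 2.5%: Tier 1
    MonthStats(1, 2, 5000_00, 100_000_00),   # only two fraud transactions
    MonthStats(5, 5, 3000_00, 120_000_00),   # 2.5% again within 12 months
    MonthStats(20, 6, 2400_00, 100_000_00),  # 2.4%, earlier hits now too old
    MonthStats(21, 8, 9000_00, 100_000_00),  # 9%: Tier 3
]

if __name__ == "__main__":
    for month, tier in effective_tiers(SAMPLE_HISTORY).items():
        print(f"month {month}: tier {tier}")
```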


If a merchant is identified in any one of these tiers, it should expect certain actions from its processor. Some of these actions are required by Visa and MasterCard; for others the processor will follow its own policies.

  • Tier 1 merchants. When a processor is notified that one of its merchants is placed into Tier 1, there is no requirement that the processor respond formally to the notice. A Tier 1 notice is provided for information only. The merchant should expect, however, that the processor will implement a fraud control program or enhance an existing one.
  • Tier 2 merchants. When a processor is notified that one of its merchants is placed into Tier 2, it is required to conduct training on credit card acceptance and fraud control procedures at the merchant location. The Credit Card Associations (Visa and MasterCard) do not require processors to terminate the merchant account, although the processor can do it, if that is its policy. The more likely scenario is that the processor will implement a rigorous fraud control program.
  • Tier 3 merchants. When a processor is notified that one of its merchants is placed into Tier 3, the Associations require that it must either terminate the merchant account or accept liability for chargebacks for all reported fraudulent transactions (except fraudulent application and account takeover fraud) during the applicable chargeback period. The chargeback period will be determined to be a minimum of six months or a maximum of 12 months. Most likely, the processor will terminate the merchant account.


Should the processor choose to accept chargeback responsibility, the merchant will be placed into the Global Security Bulletin with the applicable chargeback liability period. Issuers will then have the right to charge back any fraudulent transaction that occurred during the applicable period, other than the fraudulent application or account takeover fraud types. The chargeback liability period begins on the first day of the month following the month in which the merchant was placed in the GMAP and lasts for at least six months, but it may be increased to a 12-month period.