Credit Card Processing Blog

Travel agencies are among the highest-risk merchants, as far as credit card processors are concerned. The reason is that historical data show that consumers are much more likely to dispute and charge back travel agency transactions than most others. To give you an idea of how the payment card industry views travel agencies, consider the fact that travel agencies are placed in the same risk group with merchants selling adult products, escort and companion services, fortune tellers, diet programs with guaranteed results and sports forecasting or odds making. The consequence of this policy is that new travel agencies find it extremely difficult to set up a merchant account, as most processors require prior credit card processing experience to show them that the applicant can manage risk sufficiently well to keep customer disputes and chargebacks within reasonable limits. Established travel agencies are closely monitored to ensure that they too remain focused on managing risk.

So what should you do, whether you have just started your travel agency or have been in business for years to mitigate credit card processing risk?

Firstly, before you even apply for a merchant account, you will need to understand the potential sales agent liability associated with selling air fares online. Understanding your risk exposure will help you take adequate steps to minimize it and protect your travel agency from losses associated with chargebacks resulting from customer disputes and fraudulent transactions. As a sales agent of an airline, for example, your travel agency may be liable for the entire amount of an airline ticket, if it is successfully disputed by a customer or if it was purchased with a stolen credit card. To mitigate your risk, you will need to set up card acceptance policies and procedures to address the following issues:

• An authorization request that is approved by an issuer indicates that the credit card account is in good standing. However, the authorization approval is not a proof that the legitimate cardholder is making the purchase, nor is it a guarantee of payment. Be advised that, in most cases, airlines are liable for fraudulent card-not-present transactions, even when they were approved by the card issuer.
• As a travel agency, your organization may not necessarily be a Visa or MasterCard merchant, subject to the Credit Card Associations’ rules and regulations. However, the airline is a Visa and MasterCard merchant and it is subject to their rules and regulations. Be advised that, in most fraud-related transactions, the airline transfers financial liability to the travel agency it has partnered with as part of the contractual agreement. In such cases your organization will bear the full financial responsibility.

When selecting a payment processor, be sure to choose one with experience in working with travel agencies and other high risk merchants. Your processor must be able to assist you in developing and implementing your fraud-prevention procedures and be proactive in identifying and correcting potential weak spots in your processing cycle. It is true that at first you may not have much of a choice when applying for a merchant account, as most U.S. processors will not accept a new travel agency under any circumstances. Once you establish yourself, however, you will have much more leverage. Typically, processors will request that established high risk merchants provide processing statements for the latest six months of operations. If your statements show that you have managed to keep chargebacks down, most processors will be willing to work with you and you will have the choices you were initially denied.

There are certain e-commerce transaction characteristics that are statistically very likely to be present when fraud is being committed. These risk signs vary from one organization to another, depending on a multitude of factors, so merchants should compile their own lists and update them over time.

Listed below are 12 of the most common risk characteristics, the presence of which should alert merchants operating in a card-not-present environment to the possibility that a fraudulent transaction may be under way. If only one or two of these signs are present, this may not be a cause for concern but if several are identified in a single transaction, the merchant should investigate and verify the validity of both the card and the cardholder before processing the payment.

1. First-time shoppers. Criminals are always looking for new victims. Once they commit a fraud at one merchant, they usually move on to another and never come back.
2. Larger-than-average orders. Stolen payment cards have a very limited life span so criminals need to make a quick use of them. Large-size orders are one way of doing that.
3. Orders for several items of the same kind. Just as with larger-than-average orders, purchasing multiple items of the same kind is a way of maxing out stolen cards as quickly as possible.
4. Big-ticket items. Big-ticket items have high resale value, maximizing the fraudsters’ profits.
5. Orders with overnight delivery. Naturally, criminals do not much care about shipping costs and are more likely than legitimate shoppers to order items with an overnight or another type of a rushed delivery.
6. Orders from internet addresses at free email services. Free email services have no billing relationship with their users, leaving no possibility for verification that a legitimate cardholder has opened the account.
7. International shipping addresses. A substantial number of fraudulent transactions are shipped to international addresses. The Address Verification Service can only work for U.K. addresses outside the U.S.
8. Similar account numbers. There are various software tools for generating card account numbers, such as CreditMaster. These numbers are often very similar.
9. Multiple orders shipped to the same address. Such orders may indicate the use of a stolen batch of cards or of fraudulently generated account numbers.
10. Multiple transactions on one card in a short amount of time. Such transactions may indicate that a criminal is attempting to run up a stolen card’s credit line as quickly as possible, before the account is closed.
11. Multiple shipping addresses. Similarly to the previous scheme, a card may be used multiple times in a short amount of time with the orders going to several shipping addresses.
12. Multiple cards from a single IP address. Such transactions may indicate multiple orders placed from the same computer, even if different names and shipping addresses have been used.

Visa monitors chargeback levels of all merchants accepting their credit and debit cards. Merchants are required to keep their chargeback rates below 1% and, whenever excessive chargeback levels are detected, merchants and their processing banks are required to take corrective measures.

Merchants should consider implementing into their chargeback monitoring process the following best practices:

• Track chargebacks and representments by reason code. Each reason code is associated with unique risk issues and requires specific remedies.
• Include initial chargeback amounts and net chargebacks after re-presentment.
• Track card-present chargebacks separately from card-not-present ones. If your business operates in both physical and virtual environment, you should track separately chargebacks resulting from each sales type. Card-present transactions not only generate less chargebacks than virtual ones, but the reasons behind them are different as well. If your organization combines e-commerce and MO / TO sales, the resulting chargebacks should also be tracked separately, for the same reason.

Visa monitors the chargeback activity of all merchants accepting their cards on a monthly basis and alerts the respective processing bank (also called an acquiring bank or simply an acquirer) when any one of their merchants reaches excessive chargeback levels. Typically, chargeback rates of 1% or greater are considered excessive.

When notified of a merchant with excessive chargeback rates, processing banks are expected to take adequate steps to reduce the merchant’s chargebacks. Remedial actions depend on various factors, including merchant type, sales volume, geographic location, and other risk factors. Often merchants need to provide their sales staff with additional training on card acceptance procedures. Merchants may also be required to work with their processing banks to develop a detailed chargeback-reduction plan.

Visa may impose substantial financial penalties (see below) on processing banks that fail to reduce their merchants’ excessive chargeback rates, providing another incentive to help ensure that merchants’ chargeback rates are kept within acceptable limits. Visa has three chargeback monitoring programs:

• Merchant Chargeback Monitoring Program (MCMP). The Merchant Chargeback Monitoring Program (MCMP) monitors chargeback levels for all processing banks and merchants on a monthly basis. If a merchant reaches excessive chargeback rates, Visa notifies the respective processing bank in writing. MCMP applies to all merchants with more than 100 total transactions per month – sales, credits, etc. – more than 100 chargebacks, and an overall chargeback-to-transaction rate of one percent or greater. First notification of excessive chargebacks for a specific merchant is considered a warning. Visa imposes fines only if remedial actions are not taken within a predetermined period of time to return chargeback rates to acceptable levels.
• High-Risk Chargeback Monitoring Program (HRCMP). The High Risk Chargeback Monitoring Program (HRCMP) is specifically designed to reduce excessive chargebacks by high-risk merchants.  As defined by Visa, high-risk merchants include direct marketers (mail order and telephone order merchants), travel services, outbound telemarketers, inbound teleservices, and betting establishments. HRCMP applies to all high-risk merchants with more than 100 total transactions per month – sales, credits, etc. – more than 100 chargebacks, and an overall chargeback-to-transaction rate of one percent or greater. Unlike the MCMP, under HRCMP, there is no warning period and fines of $100 per chargeback are imposed immediately if a merchant has an excessive chargeback rate.
• Global Merchant Chargeback Monitoring Program (GMCMP). The Global Chargeback Monitoring Program (GMCMP) is operated by Visa International (a separate entity from Visa USA) and administered by each region. The program is based on the U.S. Merchant Chargeback Monitoring Program (MCMP) and is intended to promote credit card processing best practices to help reduce chargebacks. The GMCMP applies when a merchant meets or exceeds specified International chargeback thresholds which differ by region. Under GMCMP, there is no warning period and fees may be assessed to the processing bank immediately if a merchant has an excessive chargeback rate.

MasterCard’s equivalent to the above programs is its Excessive Chargeback Program.