Wednesday, December 28th, 2011

How to Screen Fraudulent Small-Ticket E-Commerce Transactions

Tags: e-commerce, e-commerce best practices, e-commerce risk, fraud prevention

When it comes to fraud prevention, the size of your average sale is hugely important. In effect, it sets a limit on the amount you can spend on verifying each transaction’s validity, which places small-ticket merchants at a disadvantage, while the opposite is true for their big-ticket counterparts. Not to mention that it is often physically impossible for merchants selling small-ticket items to scrutinize each transaction, even if it were financially justifiable.


On the other hand, the good news for small-ticket merchants is that they can much more easily absorb a number of fraudulent transactions that would be totally unacceptable (possibly ruinous) to a seller of large-ticket items. It is a numbers game for both merchant types and you need to know how to play it.

Why Fraud Is Hard to Combat


In theory, e-commerce merchants can prevent just about all fraudulent credit card transactions from being processed. Online shopping has been around long enough to have allowed for solid fraud prevention tools and best practices to be developed that could, if applied consistently, shut down the vast majority, if not all, of fraudulent transactions. And yet, fraud stubbornly persists and even thrives. Yes, criminals are hard at work at devising ever more sophisticated strategies of their own, but their ingenuity can take us only so far towards explaining why fraud is so hard to combat.


Part of the reason for the failure to eradicate fraud is that many merchants are either inexperienced or do not allocate enough resources for fraud prevention. But even well-funded e-commerce businesses that take the issue seriously and have equipped their well-trained fraud prevention staff with the latest tools find it hard to achieve a total victory over the criminals.


For a big-ticket merchant, anything less than a complete shutdown of fraud may well be unacceptable, but that is not the case for small-ticket ones. It’s a numbers game in both cases, but the lower your average sale’s amount is, the greater the number of fraudulent transactions you can live with. With that in mind, if you sell inexpensive merchandise, your goal should not be to eradicate, but to control fraud. Achieving total victory, even if it were possible, could turn out to be unaffordable.

How to Screen Small-Ticket Transactions


When devising your fraud screening procedures, you should account for the fact that it is not cost-effective to review each and every one of your transactions. Your system should identify and set aside for review only those transactions whose potential fraud loss is higher than the cost of a manual examination. In particular, consider the following factors:

  • Dollar amount of the sale. Set a lower limit on transactions for manual reviews.
  • Cardholder relationship. You would not want to review orders placed by returning customers.
  • AVS result. You should not be reviewing transactions for which you received a negative AVS result. These should be rejected.
  • Card security code. As with the AVS, you should put a stop to transactions for which the security code provided by the cardholder did not match the one on file with the issuer.
  • Cardholder authentication result. If it makes financial sense to participate in Verified by Visa and MasterCard SecureCode, these two services will be doing some of the screening for you.


Once you have applied these fraud screening procedures, you can proceed to manually review the transactions that have survived the culling process or, again if it makes financial sense, you can run them through a third party fraud scoring service to further narrow the field.
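The culling order described above can be written as a small triage function. This is an added example, not code from the original article; the field names, the AVS labels, the break-even formula for the review floor, and the choice to let authenticated cardholders skip review are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Txn:
    amount: float             # sale amount in dollars
    returning_customer: bool  # cardholder has ordered from you before
    avs: str                  # "match", "partial" or "no_match" (labels assumed)
    cvv_match: bool           # issuer's card security code result
    authenticated: bool       # passed Verified by Visa / MasterCard SecureCode


def review_floor(review_cost: float, est_fraud_rate: float) -> float:
    """Break-even sale amount: below it, the expected loss
    (amount * est_fraud_rate) is smaller than the cost of one manual review."""
    if not 0 < est_fraud_rate <= 1:
        raise ValueError("est_fraud_rate must be in (0, 1]")
    return review_cost / est_fraud_rate


def triage(txn: Txn, floor: float) -> str:
    """Return 'reject', 'accept' or 'review' for one transaction."""
    # Negative AVS or security-code results are rejected, never reviewed.
    if txn.avs == "no_match" or not txn.cvv_match:
        return "reject"
    # Below the floor a manual review costs more than it can save.
    if txn.amount < floor:
        return "accept"
    # Returning customers are not reviewed; treating an authenticated
    # cardholder the same way is this example's assumption.
    if txn.returning_customer or txn.authenticated:
        return "accept"
    return "review"


def triage_batch(txns, floor):
    """Count outcomes so the size of the review queue is visible."""
    counts = {"reject": 0, "accept": 0, "review": 0}
    for t in txns:
        counts[triage(t, floor)] += 1
    return counts


# Constructed inputs: a $3.00 review cost and a 5% estimated fraud rate.
FLOOR = review_floor(review_cost=3.00, est_fraud_rate=0.05)  # about $60
SAMPLE = [
    Txn(12.99, False, "match", True, False),     # too small to review
    Txn(8.50, False, "no_match", True, False),   # AVS negative
    Txn(145.00, True, "match", True, False),     # returning customer
    Txn(145.00, False, "partial", True, False),  # survives the culling
    Txn(99.00, False, "match", False, True),     # security code mismatch
    Txn(210.00, False, "match", True, True),     # authenticated
]

if __name__ == "__main__":
    print(f"review floor: ${FLOOR:.2f}")
    print(triage_batch(SAMPLE, FLOOR))
```

Only the transactions returned as "review" go to a person or to a third-party scoring service.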

The Takeaway


The victory over e-commerce fraud comes at a cost and the point of implementing fraud screening procedures is to ensure that we don’t spend more trying to prevent it than what makes sense. That means that we have to learn to live with risk and to accept fraud losses as a cost of doing business. Again, it is a numbers game and what counts is winning the war, not each individual battle. Moreover, if you process thousands of small-ticket transactions, individual losses don’t really matter all that much.


Image credit: Serglo.

Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).


Payment Card Acceptance Kit

Friday, December 23rd, 2011

How to Process E-Commerce Transactions in 11 Steps

Tags: card-not-present transactions, e-commerce best practices

E-commerce transactions are vulnerable to fraud, customer disputes and chargebacks to a much greater extent than card-present ones. There are several major reasons why this is the case. The most obvious are that the merchant cannot physically verify the validity of the card used for payment or the authenticity of the cardholder, and the customer cannot physically inspect the product she is purchasing. Then there are the potential complications that can arise from a late delivery of a purchased product or a premature posting of the transaction to the cardholder’s account, which are typically not an issue in payments accepted in a face-to-face setting.


It is unlikely that we will ever be able to bring e-commerce risk down to brick-and-mortar levels, but we can certainly take measures to make it tolerable. Listed below are eleven specific best practices that you should adhere to when accepting credit card payments on your website. Make them part of your sales process and you will see fewer chargebacks and fraudulent transactions.

11 Steps to Processing E-Commerce Transactions


1. Obtain the cardholder’s name, address and phone number. If the shipping address is different from the billing one, make a phone call to your customer or send her an email to verify the order. Do not proceed with the transaction until you get a satisfactory response from your customer.


2. Collect the card account information. Get the card number and brand. Most consumers, including criminals, do not know that a card’s brand can be determined by the card number, so a discrepancy here may indicate that the customer is not in physical possession of the card. Also obtain the card’s expiration date and security code – the CVC2, CVV2 or CID number, located near the signature panel on the back of the card (or on the front for American Express cards). The security code is another tool used to ensure that the customer is in possession of the card.


3. Enroll in Verified by Visa and MasterCard SecureCode. These services are used to authenticate cardholders who had previously enrolled in the programs. Participating merchants are protected from certain fraud-related chargebacks, even when customers have not enrolled.


4. Always use Address Verification Service (AVS). The AVS allows you to verify a cardholder’s billing address with the issuer. Perpetrators of fraud often do not know the account’s correct billing address.


5. Authorize every transaction. All e-commerce transactions must receive an authorization approval.


6. Avoid using voice authorizations. These cannot be used as supporting evidence in chargeback re-presentments.


7. Do not use forced authorizations. A forced authorization is a transaction that the merchant key-enters after an authorization request has been declined. Do not do it, nor should you make repeated authorization requests in the hope of eventually receiving an approval.


8. Ship within seven days of receiving the authorization approval. If unable to do so, make a new authorization request.


9. Inform your customer of the expected delivery date. If the purchased merchandise or services are not delivered to the cardholder at the time of the transaction, inform your customer of the delivery method and (expected) date. If the delivery is running late, inform your customer immediately and provide a new delivery date.


10. Deposit transactions after the product is shipped or delivered. In a card-not-present environment, the transaction date is the date on which the product is shipped, not the one on which the payment is accepted. Make the deposit within three days of the shipping (transaction) date.


11. Use the original authorization number for your deposit and refund transactions. Doing so eliminates the possibility of depositing refunds for sales transactions for which an authorization approval has not been received and which should not have been processed. This is a great fraud-prevention measure.
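Steps 5, 7, 8, 10 and 11 are mechanical enough to check automatically against an order's event history. The following is an added example, not code from the original article; the event layout, the violation names and the rule that any issuer-approved authorization number is acceptable on a deposit or refund are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SHIP_WINDOW = timedelta(days=7)     # step 8
DEPOSIT_WINDOW = timedelta(days=3)  # step 10


def check_order(events):
    """Return rule violations for one order's chronological event list.

    Each event is a dict with 'type' ('auth', 'ship', 'deposit', 'refund')
    and 'at'; auth events add 'approved' and 'auth_no', deposits and
    refunds add the 'auth_no' they were submitted with."""
    problems = []
    approved_nos = set()   # authorization numbers the issuer approved
    last_approval = None   # time of the most recent approval
    declined = False
    shipped_at = None
    for e in events:
        if e["type"] == "auth":
            if declined:                                 # step 7
                problems.append("retry_after_decline")
            if e["approved"]:
                approved_nos.add(e["auth_no"])
                last_approval = e["at"]
            else:
                declined = True
        elif e["type"] == "ship":
            shipped_at = e["at"]
            if last_approval is None:                    # step 5
                problems.append("shipped_without_approval")
            elif e["at"] - last_approval > SHIP_WINDOW:  # step 8
                problems.append("ship_late")
        else:                                            # deposit or refund
            if e.get("auth_no") not in approved_nos:     # step 11
                problems.append("auth_no_mismatch")
            if e["type"] == "deposit":
                if shipped_at is None:                   # step 10
                    problems.append("deposit_before_ship")
                elif e["at"] - shipped_at > DEPOSIT_WINDOW:
                    problems.append("deposit_late")
    return problems


def ev(kind, day, **extra):
    """Constructed event, 'day' days after an arbitrary start date."""
    return {"type": kind, "at": datetime(2011, 12, 1) + timedelta(days=day), **extra}


# Constructed order histories.
ON_TIME = [ev("auth", 0, approved=True, auth_no="A1"),
           ev("ship", 2), ev("deposit", 3, auth_no="A1")]
LATE = [ev("auth", 0, approved=True, auth_no="A1"),
        ev("ship", 9), ev("deposit", 13, auth_no="A1")]
REAUTHORIZED = [ev("auth", 0, approved=True, auth_no="A1"),
                ev("auth", 8, approved=True, auth_no="A2"),
                ev("ship", 9), ev("deposit", 10, auth_no="A2")]
FORCED = [ev("auth", 0, approved=False, auth_no=None),
          ev("deposit", 0, auth_no=None)]

if __name__ == "__main__":
    for name in ("ON_TIME", "LATE", "REAUTHORIZED", "FORCED"):
        print(name, check_order(globals()[name]))
```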

The Takeaway


This is a very short list and there are many other items that can be added to it. However, if you only stick to these eleven best practices, you will be in good shape and have far fewer chargebacks, customer disputes and fraudulent transactions to deal with.


As you gain experience and your business grows, it would be a good idea to start building an internal negative file, setting up velocity limits and controls, and implementing fraud screening and other risk management best practices.


Image credit: Diariopyme.


Tuesday, June 21st, 2011

8 Items to Monitor when Screening E-Commerce Transactions

Tags: e-commerce best practices, fraud prevention

Detecting and preventing e-commerce fraud can be quite time-consuming if you have not designed and implemented a mechanism to automate the process. There are quite a few third-party vendors to help you do that, but I would suggest that a better approach would be for the management of each e-commerce business to invest the time and develop a proprietary internal system for screening potentially fraudulent transactions. It only makes sense that, as fraud prevention should be at the top of your priorities, you would want to become at least a minor expert in the field.


Such a proprietary fraud screening mechanism should be able to detect certain preselected high-risk transaction characteristics and suspend the processing of the payment at issue until it is investigated more closely.

8 Characteristics of Potentially Fraudulent Transactions


The following transaction characteristics should be built into your fraud screening mechanism to trigger the suspension of a payment:

  1. Negative file match. If you maintain an internal negative file (and you should!), it will store information from transactions previously identified as fraudulent. Your fraud screening system should automatically match information from all new transactions against it.
  2. Exceeding your internal velocity limits and controls. You will need to establish review limits on the number and dollar amount of transactions approved for a single customer over a specified time period. These should be continually adjusted, as you accumulate more data.
  3. Address Verification Service (AVS) mismatch. AVS verifies whether or not the billing address provided by your customer at the checkout matches the one on file with the issuer. A “No Match” response is a strong fraud indicator and a “Partial Match” should also be investigated.
  4. Card security code mismatch. These are the three- or four-digit codes used to verify that the cardholder is in possession of the card during the transaction. All valid payment cards have a security code and a mismatch is a strong indicator of potential fraud.
  5. International shipping address. If you do accept orders from some foreign countries, but not from others, you should screen the undesirable transactions.
  6. International IP addresses. If you have identified certain international IP addresses as having a higher fraud rate than domestic or other foreign IP addresses, you would probably want to screen them as well.
  7. Different shipping and billing addresses. If you do not accept orders with a mismatch between the billing and shipping addresses or accept them, but want to take a closer look at them first, you would want to screen them.
  8. High-risk shipping address. A shipping address does not need to be international to be high-risk. There are certain domestic addresses that you may want to screen, such as P.O. boxes, prisons, hospitals, as well as ones found in third-party databases of high-risk shipping addresses.


What your fraud screening system does is separate high-risk from low-risk transactions, based on criteria you have pre-set, so that you don’t waste time reviewing orders that are unlikely to be fraudulent. As data accumulate, you will need to periodically review your selected criteria and make adjustments, as necessary. For example, you may want to add a high-risk shipping or IP address or add a country to your non-shipping list.
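A screening mechanism covering the eight characteristics can be a short rule engine with two pieces of state, the negative file and a per-customer velocity window. This is an added example, not code from the original article; the order fields, the `card_token` stand-in for the card number, the hit names, and the use of a P.O. box pattern as the only high-risk address rule are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)


def norm(value):
    """Lower-case and collapse whitespace so matches ignore formatting."""
    return " ".join(value.lower().split())


class Screener:
    def __init__(self, max_orders, max_dollars, window_secs,
                 blocked_countries=(), risky_networks=()):
        self.max_orders, self.max_dollars = max_orders, max_dollars
        self.window = window_secs
        self.blocked = set(blocked_countries)
        self.risky = [ipaddress.ip_network(n) for n in risky_networks]
        self.negative = set()              # values from confirmed fraud
        self.history = defaultdict(deque)  # customer -> (ts, amount) pairs

    def add_to_negative_file(self, *values):
        self.negative.update(norm(v) for v in values)

    def screen(self, o):
        """Return the triggered characteristics; any hit suspends the payment."""
        hits = []
        keys = {norm(o[k]) for k in ("email", "card_token", "ship_addr")}
        if keys & self.negative:
            hits.append("negative_file")
        # Velocity: order count and dollar total per customer in the window.
        # Every screened order is recorded (a simplification of "approved").
        seen = self.history[o["customer"]]
        while seen and seen[0][0] <= o["ts"] - self.window:
            seen.popleft()
        seen.append((o["ts"], o["amount"]))
        if len(seen) > self.max_orders or sum(a for _, a in seen) > self.max_dollars:
            hits.append("velocity")
        if o["avs"] != "match":            # "no_match" or "partial"
            hits.append("avs_" + o["avs"])
        if not o["cvv_match"]:
            hits.append("cvv_mismatch")
        if o["ship_country"] in self.blocked:
            hits.append("ship_country")
        if any(ipaddress.ip_address(o["ip"]) in net for net in self.risky):
            hits.append("ip")
        if norm(o["ship_addr"]) != norm(o["bill_addr"]):
            hits.append("ship_bill_differ")
        if PO_BOX.search(o["ship_addr"]):
            hits.append("high_risk_address")
        return hits


def make_order(**overrides):
    """Constructed clean order; callers override individual fields."""
    order = dict(customer="c1", ts=0, amount=20.0, email="a@example.com",
                 card_token="tok_1", avs="match", cvv_match=True,
                 ship_country="US", ip="198.51.100.7",
                 ship_addr="1 Main St", bill_addr="1 Main St")
    order.update(overrides)
    return order


if __name__ == "__main__":
    s = Screener(3, 200.0, 3600, {"ZZ"}, ["203.0.113.0/24"])
    s.add_to_negative_file("mule@example.com")
    print(s.screen(make_order()))
    print(s.screen(make_order(customer="c2", email="Mule@Example.com",
                              avs="partial", ship_addr="P.O. Box 9")))
```

Adjusting the criteria as data accumulate means changing the constructor arguments and the negative file, not the rules themselves.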




Monday, June 20th, 2011

How to Verify E-Commerce Transaction Information

Tags: e-commerce best practices, fraud prevention

Verifying transaction information, especially in a card-not-present environment, is a topic we write about often, and for good reason. With so much credit card fraud going on around us all the time, merchants who fail to get at least a basic grasp of transaction verification methodology create a security hole that criminals sooner or later will exploit.


Now, you can never create a system that will protect your online business against all possible fraud-attack scenarios, but you can certainly make it very hard for criminals to use a stolen card on your website and keep improving your defenses as you go.

Industry Transaction Verification Tools


The credit card companies and associations provide several verification services, the use of which can (and should) be automated.

  • Verified by Visa and MasterCard SecureCode. These two services are developed by the two Card Associations to help e-commerce merchants verify that the customer is an authorized user of the card that is presented for payment. If a card has been signed up for one of these services, each time the cardholder enters the account number at the checkout of a participating merchant, he or she is asked to enter a pass code in the Verified by Visa or MasterCard SecureCode window that opens up. Only then is the cardholder allowed to proceed with the payment.
  • Transaction authorization. The approval or decline of a bank card transaction by the card issuer is called authorization. In a card-not-present environment, authorization occurs when the payment information is submitted on the e-commerce website. You must obtain an authorization approval for all card-not-present payments. It will not protect you against fraud-related chargebacks, but an authorization approval is an important step toward verifying a transaction’s legitimacy.
  • Card security codes. These are the three-digit codes located at the right end of the signature box on the back of Visa, MasterCard and Discover cards and the four-digit codes that are typically, but not always, located above and to the right of the account number on American Express cards. Merchants are not allowed to store these codes, so when criminals get hold of credit card data, they typically don’t have access to the security codes. Merchants submit the security codes to the issuers as part of the authorization requests. A positive response indicates that the customer is in physical possession of the card.
  • Address Verification Service (AVS). AVS is a service that allows merchants accepting non-face-to-face transactions to compare the billing address provided by a customer with the one on the card issuer’s file prior to processing a transaction. A non-match is seen as a strong fraud indicator. The address verification and transaction authorization processes occur simultaneously and the merchant receives both results within seconds of submitting the requests.


Often the responses you get to your inquiries with the above industry services will not be sufficient. In such cases, you can turn to the web and use directories and reversal services to verify that the provided phone number and address belong to the cardholder. Additionally, you can call the card issuer directly and confirm the name, address and phone number associated with the card number, as well as check whether the cardholder has made a recent address change. Finally, you can call the cardholder at the number on file with the issuer and confirm the transaction.


There are other fraud prevention tools and best practices that you should consider implementing into your system, such as maintaining negative files, using velocity limits and controls, fraud screening procedures, etc. You should always keep an eye out for the latest fraud prevention developments and we will help keep you up to date.




Saturday, June 18th, 2011

5 Tips for Managing Payment Options at the E-Commerce Checkout

Tags: e-commerce best practices, e-commerce websites

Successful e-commerce businesses have learned that support for a large variety of payment options at the checkout is a critical element of the sales process. That’s right, the checkout is very much a stage of the sales process. It is where a sale is completed or falls through, because the visitor discovers that her favorite choice is not supported and is unwilling or unable to use another form of payment.


That’s why you see so many logos of payment companies at the checkout pages of big e-commerce websites.

Offer As Many Payment Choices As You Can


Here is a list of payment options your e-commerce checkout should support:

  • Payment cards. Support for all major credit and debit card brands is mandatory. I know that some merchants don’t like accepting American Express, because it charges considerably more than its peers. Don’t do it! Yes, it costs more to process an AmEx payment, but it is preferable to losing a sale.
  • Third-party payment services. Enable payments through third-party services and especially PayPal and Google Checkout. Many consumers without credit cards use PayPal as their primary, often exclusive, online payment option. There is no excuse for not supporting it. Keep in mind that, even if they wanted to, millions of consumers simply could not pay you any other way.
  • Electronic checks. Most major gateways support e-check acceptance and there is absolutely no reason not to take advantage of it. In fact, processing e-checks costs you much less than credit cards.
  • Financing options. Services like eBillme make it very easy for e-commerce businesses to offer a simple form of financing to customers.



5 Tips for Managing Payment Options


Once you select the payment options for your checkout, you need to make sure that they are properly managed. Following the guidelines below will help you do that:

  1. Offer clear payment options. Customers should quickly and easily be able to make their payment choice. Focus on clarity in these particular areas:
    • Choice of card brands. To avoid confusing card brands, request that customers choose the brand they are using, in addition to providing the card’s number. You can do that through a drop-down menu or a list of radio buttons. If there is a discrepancy, it will be easily discovered, as a card’s brand can be identified by the account number’s first digit, as listed below:

      Card Type          First Digit of Account Number
      American Express   3
      Visa               4
      MasterCard         5
      Discover           6


    • Debit vs. Credit. Understanding of the meaning of options like “Debit” or “Credit” can vary, so don’t offer the choice.
  2. Inform visitors that third-party payment services require setting up an account with them. PayPal, Google Checkout, eBillme and other third-party payment options can only be used if the consumer has an account with the service provider. Make sure you communicate that to your website visitors; don’t assume that they know it.
  3. Do not set a default payment option. This is something you should never do! You may indicate or advertise a preferred payment option, but do not pre-select any one of them. All options should be unchecked, so that customers can make a selection.
  4. Honor your customer’s payment selection. Once a consumer has made a payment choice, do not try to dissuade them, but honor their selection. Otherwise, you are inviting trouble in the form of bad publicity, customer disputes and chargebacks.
  5. Confirm your customer’s selection. To prevent any possible misunderstanding, display the selected payment option on a confirmation page and ask that your customer verify it by clicking on an “Accept” or a similar type of button.


These are fairly simple procedures to implement, but with great potential impact. You can add your own items to the process, but don’t overdo it. You don’t want to make the checkout process more cumbersome than it needs to be.


