Inside the Black Hole

Payment processors are the most critical providers of third-party services for any merchants that accept credit cards, but especially for e-commerce businesses. Their job is to enable you to accept electronic payments on your own e-commerce website quickly and securely. The best payment processors are the ones whose existence is unnoticed by the card acceptors, as well as the cardholders. Any time a merchant is reminded of their processor, chances are that there is an issue that needs to be resolved.

When choosing a processor, you have to look beyond the advertised card acceptance rates. Apart from the fact that rates can be misleading, your total processing cost is greatly influenced by your ability to manage customer disputes, chargebacks, risk and fraud. A good payment processor will help you get each of these handled.

What to Look for In an E-Commerce Payment Processor

When selecting an e-commerce payment processor, look for one who will provide:

1. Proven e-commerce expertise. More specifically, your processor needs to provide:
   • Solid expertise in processing e-commerce transactions and data security procedures, such as encryption.
   • Fraud prevention services. Support for the following services is mandatory:
     • Address Verification Service (AVS).
     • Card security codes.
     • Verified by Visa.
     • MasterCard SecureCode.
     • Fraud scoring.
   • Transaction identification with the Electronic Commerce Indicator (ECI).
2. Understanding and compliance with the requirements of the Payment Card Industry (PCI) Data Security Standards (DSS). PCI compliance is now mandatory for all card acceptors. These standards are a work in progress and you need to make sure that your processor can keep up with the constant changes and can help you maintain compliance. Of course, when it comes to PCI, at least equally important is your web host’s role and you should be very careful when selecting them as well.
3. A merchant processing agreement with clear terms and conditions. It is critical that you fully understand all contract provisions, especially the ones concerning the holding of your funds and your fraud liability and chargeback management. Closely examine the following clauses:
   • The duration and conditions for holding funds. Typically, deposits are held when the processor detects an unusual transaction pattern and needs to verify that the activity is legitimate. You need to understand what can trigger such processes.
   • Your liability for fraudulent transactions. A transaction can turn out to be fraudulent, even if you have received an authorization approval for it and an AVS and security code match. You need to understand what your liability is in such cases.
   • Your liability for losses resulting from data breaches. This can be a very gray area, but you need to clarify it as much as you can.
   • Chargeback management. Chargebacks are typically the single biggest issue for e-commerce merchants. You need to understand exactly what your processor’s definition for excessive chargebacks is and how they handle such events. Keep in mind that, although Visa and MasterCard consider 1 percent to be an excessive chargeback rate, processors will act way before you come even close to this threshold, because, if you reach it, they will be slapped with heavy fees by the Associations.
   • Procedures for handling copy requests for re-presentments. Re-presentment is the process of re-submitting a disputed transaction, along with supporting documentation. You need to be very clear on how you need to do it and in what time frames. If you are late providing the requested paperwork, the dispute will most likely deteriorate into a chargeback.

Keep in mind that if your payment processor cannot provide strong expertise in the areas listed above, the rates you get from them won’t matter. These rates are only as good as your ability to maintain your account in good standing before the Associations and that should be your and your processor’s primary priority.

Accept credit cards at one flat rate!

Accept credit cards with our flat rate e-commerce merchant account with no fixed monthly fees! You will get:

• One rate for all types of MasterCard and Visa cards (including rewards, commercial, etc.).
• No mid-qualified and non-qualified fees.
• No merchant account application or set-up fees.

The check-out page is among the most underrated parts of an e-commerce website. Many merchants feel like by the time a customer is taken to the check-out, the sale is complete and they can move on. Well, this is not exactly the case. The check-out form is very much a part of the sales process and not even the end of it. The sale is not complete until all necessary transaction information is collected, verified and processed successfully. After all, what good is there in a sale that comes back a week or two later as a fraud or chargeback?

The e-commerce check-out process should be designed in a way that allows merchants to collect all information that is needed to verify the validity of both the card and the customer and then to make a well-informed decision on how to proceed with the transaction.

Required E-Commerce Check-out Data Fields

The check-out process begins with the customer filling out a payment form. In order to enable you to verify the validity of the transaction and to identify high-risk orders, customers must be required to populate the following data fields:

• Cardholder name and billing address. If needed, the cardholder’s name and billing address can be verified using reverse directory services.
• Card number and expiration date. These will be verified during the authorization process.
• Shipping name and address. If these are different from the billing information, the transaction’s risk level increases greatly. You have the option of not accepting orders if shipping and billing data don’t match, but this is a bit too drastic of a solution.
• Telephone number. As with names and addresses, if needed you can validate phone numbers using reverse directories.
• Card security codes. These are also referred to as card verification or validation codes. For Visa, MasterCard and Discover, security codes are the three-digit numbers located in the right corners of the signature panels on the back of the cards. For American Express, security codes are the four-digit numbers located above the account numbers on the front of the cards. These numbers are used to verify that cardholders are in physical possession of their cards at the time of the transaction. Merchants are not allowed to store security codes, which makes it very difficult for hackers to obtain them, even if other account data are compromised.

If the customer leaves any of the above fields blank, your system must be designed to prompt him to fill it out, before the transaction information can be processed. You may also want to ask for an email address. Although its validity cannot be verified, a free email address is higher-risk than a paid one (like a business email). Additionally, you can ask for the card’s brand and check whether the first digit of the account number corresponds to the brand’s allocated one. For example, the first digit of a Visa card is always 4, for MasterCard it is 5, for American Express – 3 and for Discover it is 6.

Editing of Check-out Information

If your customer submits incomplete or erroneous information or if the response to your authorization or security code validation request is negative, your system should prompt him to edit the data in real time. More specifically, you should:

• Immediately display in your customer’s browser which required information fields are incorrect or incomplete. You can do that by highlighting the fields using for example a different color, bold font or an asterisk.
• Request that your customer corrects the information if it was incomplete or not provided in the required format.
• If corrections are needed, allow editing of the incomplete fields, while saving all correct information. You can very easily annoy legitimate customers if you send them back to the check-out form and have them fill it out all over again, just because they have made a single error.

Additionally, you should specify the number of corrections a customer is allowed to make, before the system locks him out. You need to do that to prevent criminals from trying to guess a particular piece of information they have not been able to obtain.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Fraudulent e-commerce transactions typically display certain characteristics that businesses should be able to identify. However, what is equally important, especially for high-volume merchants, is to be able to rate fraud risk, so that the highest-risk transactions get the most attention. Fraud scoring does just that.

Additionally, you need to be able to identify transactions for which the cost of an additional verification may be higher than the potential fraud loss. You need to decide whether your policy for such transactions should be to be processed without any further verification or to be rejected.

What Is Fraud Scoring?

Fraud scoring models are used to identify and rate the highest-risk card-not-present transactions that need to be additionally verified. They can pick up patterns of fraudulent activity and can differentiate these patterns from legitimate transaction activity. A numeric value (a score) is calculated for each transaction, reflecting the probability that it may be fraudulent.

If successfully implemented, a fraud scoring model would automate the decision-making process during periods of high transaction count, so that only transactions with a fraud score above a pre-determined level would be scrutinized.

How Is A Fraud Score Calculated?

Each transaction’s fraud score is a sum of the points the model assigns for various high-risk elements. Such elements typically include the following:

• Geolocation taken from the IP address.
• Anonymous IP address.
• AVS result code.
• Time of day the order is placed
• Type of merchandise.
• Shipment method.
• Sale’s amount.
• Evidence of previous fraud on this card account.
• Number of computers that have placed orders with this card account.
• Different shipping and billing addresses.
• Mismatch between time zone and geolocation.
• Length of time as a customer.
• ZIP codes.

Each model assigns different point levels for approving, rejecting or reviewing an order. These levels should be continuously reviewed and adjusted, as more and more data come in. Additionally, adjustments should be made to reflect different trends and the time of the year.

How to Use a Fraud Scoring Model?

You should only perform fraud scoring on transactions that have passed your internal fraud screening process. Those that have not are obviously high-risk and should be rejected anyway. Also, do not score transactions for which the issuer has declined authorization or that have otherwise been identified as fraudulent.

Additionally, you should not score low-risk transactions to keep costs down. Your system should also be able to identify transactions for which the potential fraud losses would be lower than the cost of fraud scoring and not subject them to the process.

Your fraud scoring system should allow you to:

• Identify multiple orders placed with the same shipping address, but with different cards. This may indicate that criminals have stolen several card numbers.
• Identify orders for an unusually high count of a single item.
• Check if multiple orders are placed from the same IP address.
• Check the card numbers – if they vary by only a few digits, these numbers may be software-generated.
• Identify orders with the same card number, but different expiration dates. Often criminals who have stolen a card number don’t know the expiration date, so they will keep trying to guess it.
• Account for the fact that most fraudulent e-commerce orders in the U.S. are placed between midnight and 2 a.m.

Each fraud scoring model assigns different weight to the various fraud elements used in its formula and there is no right and wrong approach there. Some businesses are more vulnerable to a particular fraud element than they are to others and their fraud scoring model should account for this unique weakness by increasing the weight of this element.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Unless your e-commerce business sells downloadable software or other services that are immediately provided, industry regulations require you to develop a shipping policy and post it on your website. In fact, if you are applying for a merchant account, your application will not be approved until you do that.

Issues with Shipping

Just like most other industry rules, complying with this one makes perfect business sense, as one of the biggest reasons online shoppers dispute transactions is that a delivery is not received when expected. The reason may be that the delivery is running late or even that it is lost by the carrier, but it also may be caused by a miscommunication regarding the delivery time frame.

Moreover, criminals often try to exploit loopholes in the shipping process, allowing them to request shipping to fraudulent addresses or to redirect shipments originally sent to legitimate billing addresses.

E-Commerce Shipping Policy Guidelines

Whatever the cause, you will have to be prepared to handle shipping issues quickly and in a way that keeps customers satisfied. Remember that an immediate financial loss resulting from a mishandled delivery can be compounded by a dispute from a disgruntled customer, which can very easily deteriorate into a chargeback, not to mention a negative review.

Although you can probably never eliminate disputes resulting from shipping-related issues, you can certainly minimize them greatly by developing a good shipping policy and then applying it consistently. When doing so, you should follow these guidelines:

• Information your customers need to know. Your shipping policy should:
  • List the supported shipping options and the expected delivery time frames for each of them. Generally, the more shipping options, the better.
  • Disclose all applicable shipping and handling fees. You should clearly list all costs associated with each shipping option. Don’t try to hide anything or make things more complicated than necessary. Confusion and misinformation will lead to lost sales at the checkout or to disputes and chargebacks later.
• Clearly display your shipping policy. Make it accessible on every page of your website through a link within your header or footer.
• Keep customers up-to-date. You need to track the progress of each delivery and notify customers of any delays. This should be an automated process and you will need to design an email response system to manage these communications.
• Do not provide tracking numbers for deliveries of high-risk products. As mentioned above, criminals have exploited a loophole in the shipping process that allows them to redirect in-progress deliveries, where allowed by the carriers. After placing an order using the legitimate billing and shipping addresses, the criminals use the issued tracking number to redirect the delivery. To limit such fraud, you may consider withholding the tracking number for deliveries involving higher-risk merchandise and higher sales amounts. Avoid doing it for all deliveries, as not providing tracking numbers to legitimate customers may backfire and lead to complaints.

Just as any other policy, an e-commerce shipping policy should communicate that your business is all about keeping customers satisfied and any issues are quickly resolved. If you can do that successfully, you will create a loyal customer base that will do the marketing for you, much like what happened with Zappos. What shipping policy procedures have worked well for you? Share your experience in the comments below.

Accept credit cards at one flat rate!

Accept credit cards with our flat rate e-commerce merchant account with no fixed monthly fees! You will get:

• One rate for all types of MasterCard and Visa cards (including rewards, commercial, etc.).
• No mid-qualified and non-qualified fees.
• No merchant account application or set-up fees.

Accepting credit cards on your website has never been easier. The e-commerce has been around for more than a decade and has produced plenty of tools to help you process transactions quickly and securely.

Yet, even the most sophisticated fraud prevention and chargeback management software cannot protect you from poorly designed or inconsistently implemented transaction processing procedures. It is your responsibility to ensure that credit cards are accepted in accordance with industry rules and best practices and no one else’s.

So I decided to compile a short list of 10 must-follow credit card acceptance procedures that each payment submitted on your website must go through, before being settled.

1. Check the cardholder information. Ask for the full name, address, phone number and email address. If the billing address differs from the shipping address, follow-up with a phone call or email to confirm the order. If you can’t reach your customer or receive no response, you shouldn’t proceed with the transaction.

2. Verify the card information. You must collect the account number, expiration date and card security code. Submit the security code with your transaction authorization and evaluate the response. Do not settle transactions for which you received a negative response to your security code inquiry.

3. Use MasterCard SecureCode and Verified by Visa You must support these card authentication services and encourage customers to sign up for them from your website, if they haven’t already done so. MasterCard SecureCode and Verified by Visa protect e-commerce merchants from “cardholder unauthorized” or “cardholder not recognized” types of chargebacks.

4. Authorize every transaction. Every e-commerce transaction must be authorized. There are no exceptions, even for recurring and installment payments, where you had already verified the information.

5. Don’t use voice authorizations. If you cannot obtain an electronic authorization, try later. Avoid using voice authorizations, as they bypass your processor’s system and cannot be used in chargeback re-presentments.

6. Don’t force authorizations. If your electronic authorization request was declined, accept it and request an alternative payment method. Don’t call your processor for a voice authorization and force the transaction in your next batch. The processor can still decline the payment, not to mention that you won’t be protected from chargebacks.

7. Use the Address Verification Service (AVS). Request an Address Verification Service (AVS) confirmation for all of your transactions. AVS compares the billing address provided by your customer to the one on file with the card issuer. Don’t process the transaction if there is a mismatch.

8. Ship no later than 7 days after obtaining an authorization approval. Ship purchased items as soon as possible. If seven days have passed since obtaining authorization, request a new one, before shipping.

9. Deposit within 3 days of shipping. Do not deposit transactions before shipping the item or more than three days after that. Remember that in card-not-present transactions the shipping date is the transaction date. Don’t deposit transactions later than 30 days after the shipping date. If such a transaction is charged back to you, you would have no recourse.

10. Use the authorization ID for transaction deposits and refunds. The transaction ID returned to you with the authorization approval should be used with your refunds and deposits. By doing so, you will be able to easily identify fraudulent refund requests, which would lack authorization IDs.

It is a very short list, but if you implement these ten procedures in each of your transactions, you will significantly minimize both fraud and chargebacks. Do you have an 11^th procedure? If so, share it in the comments below.

Accept credit cards at one flat rate!

Accept credit cards on your website with our flat rate e-commerce merchant account with no fixed monthly fees! You will get:

• One rate for all types of MasterCard and Visa cards (including rewards, commercial, etc.).
• No mid-qualified and non-qualified fees.
• No merchant account application or set-up fees.