Friday, July 9th, 2010

Managing E-Commerce Credit Card Transaction Post-Authorizations

Tags: e-commerce best practices, e-commerce merchants, fraud prevention, internal negative file, Mod 10 algorithm, transaction authorization, transaction velocity limits

All e-commerce merchants need to develop a process for managing credit card transactions after an authorization response is received from the issuer. We have discussed the e-commerce transaction authorization process at length in separate posts, so we will not go over it again here. Once the issuer compares the information it receives in the authorization request to what it has on file for its cardholder, it will either approve or decline authorization. The merchant typically receives the response within a few seconds of submitting the request.


Whatever the authorization response, the merchant will need to have an established set of procedures in place and handle it quickly. An approval will typically be sufficient to warrant a settlement of the transaction, although it is not a guarantee against fraud and you should still examine the transaction for fraudulent characteristics. Remember that an authorization approval will not protect you against fraud-related chargebacks. If the response is a decline, you should not process the transaction. Instead, you should examine the reasons for the decline and use the lessons to avoid declines of this type in the future, where possible.


The following best practices should be incorporated into your post-authorization procedures:

  • If the transaction is approved, send an email order confirmation to your customer. This will enable you to verify the validity of the cardholder’s email address. If the email turns out to be invalid, you should research the situation and determine whether the order is legitimate. To minimize customer disputes you should include in the email order confirmation details about the approved purchase.
  • If the transaction is declined, review the reasons and take appropriate actions. Request that your customer corrects the submitted payment information or provides an alternative payment method that may allow you to complete the sale.
    • Log authorization declines for review and contact customers to correct problems with their cards (e.g. wrong expiration date or card security code) or ask for an alternative payment method.
    • If the card information is corrected, you will need to obtain authorization approval from the card issuer before completing the sale. Do not assume that the corrected information is valid.
  • Regularly evaluate the success of your decline review strategy and modify it, as needed. Your long-term goal should be to drive down your overall authorization decline rate. You should also set separate goals for minimizing declines for specific reasons. The most common causes for authorization declines are:
    • Technical errors in entering payment information. There is not much you can do about technical errors; however, you should at least make sure that the card numbers are valid by:
      • Matching the card’s brand to the first digit of the account number. Depending on the brand, the number should begin with:
        • American Express – 3.
        • Visa – 4.
        • MasterCard – 5.
        • Discover – 6.
      • Using the Mod 10 algorithm. Used specifically to validate credit card numbers, the Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.
    • Fraud. With time, your fraud prevention measures should be getting stronger as your internal negative file grows and your transaction velocity limits and controls become more accurate. A transaction involving a credit card number in your negative file should not be sent for authorization, nor should you do that for transactions exceeding your velocity limits before you evaluate the risk.
  • Monitor your order decline rates. You will need to be able to measure your progress (or the lack of it). In particular:
    • Track your order declines by reason on a daily basis.
    • Separate transactions declined by the card issuer from those declined by you for suspected fraud or other reasons.
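
The card-number checks and the negative-file and velocity rules from the list above can run as one screening step before an authorization request is sent. The following Python sketch is an added example, not code from the original post; the class name, result strings, limits, key and card numbers are constructed for illustration, and storing the negative file as keyed hashes rather than raw card numbers is an assumption of this example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# First digit per brand, as listed in the post.
BRAND_FIRST_DIGIT = {"amex": "3", "visa": "4", "mastercard": "5", "discover": "6"}
# Assumption: negative-file entries are keyed hashes, never raw card numbers.
NEGATIVE_FILE_KEY = b"constructed-demo-key"  # placeholder; load from a secret store


def luhn_valid(pan: str) -> bool:
    """Mod 10 check: double every second digit from the right, sum, test % 10."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_token(pan: str) -> str:
    """Keyed hash used to look a card number up without storing it."""
    return hmac.new(NEGATIVE_FILE_KEY, pan.encode(), hashlib.sha256).hexdigest()


class PreAuthScreen:
    """Decides whether an order may be sent to the issuer for authorization."""

    def __init__(self, negative_tokens, max_attempts=3, window_seconds=3600):
        self.negative = set(negative_tokens)
        self.max_attempts = max_attempts    # illustrative velocity limit
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # token -> attempt timestamps

    def check(self, brand: str, pan: str, now: float = None) -> str:
        """Return 'send', or the reason the request is held back."""
        now = time.time() if now is None else now
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            return "reject:mod10"            # typo: ask the customer to re-enter
        if BRAND_FIRST_DIGIT.get(brand.lower()) != pan[0]:
            return "reject:brand_mismatch"
        token = pan_token(pan)
        if token in self.negative:
            return "block:negative_file"     # never sent for authorization
        seen = self.attempts[token]
        while seen and now - seen[0] > self.window:
            seen.popleft()                   # drop attempts outside the window
        seen.append(now)
        if len(seen) > self.max_attempts:
            return "review:velocity"         # evaluate the risk before sending
        return "send"
```

Logging the returned reason alongside issuer decline codes gives the daily split between merchant-side and issuer-side declines that the monitoring items call for.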


Are there any other post-authorization procedures that work for you? Share them in the comments.



Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance Kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).
Monday, June 28th, 2010

Managing Passwords for E-Commerce Website Accounts

Tags: e-commerce best practices, e-commerce merchants, e-commerce websites, fraud prevention

How many passwords do you currently have for accessing your active online accounts? I don’t know either. Consumers today have accounts for all kinds of online services, both financial and other types. Unless we use the same password for all of our accounts or write them down and store them physically or electronically, either of which by the way would put us in a very vulnerable position if a criminal got a hold of it, chances are that we would at times forget one or two of them. In fact, this is almost certain to happen, as different websites use different password formats, regulating the length of the password, the use of capital letters and numbers, etc., so it’s difficult to stick to a single pattern for all accounts.


E-commerce merchants should have in place a simple and straightforward procedure for managing customer passwords. While you want to make sure that only your customer has access to his or her account information, you will also want to make it easy for them to retrieve their forgotten password. Consider implementing the following suggestions:

  • Whenever a customer has trouble signing into his or her account or states that he or she has forgotten the password, you should use security information that was provided when the account was first set up to verify your customer’s identity. The process should follow these steps:
    • When creating a new account, ask your customer to select a question from a list – such as father’s middle name, favorite movie, favorite sports team, etc. – and provide the correct response. For better protection, ask your customer to repeat the process two or three times.
    • Whenever a returning customer has forgotten the account password, ask the customer for the correct answer to one of the questions that he or she selected at registration.
    • Verify the answer and, if correct, ask your customer to reset their password. You can do that by opening up in your customer’s browser a form asking for a new password to be created and re-entered. Send your customer a confirmation email to acknowledge that the password was updated successfully, but do not include the new password in the email! Email is not a safe form of communication and you should not use it for transmitting sensitive information.
  • Use hint words to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
    • Ask the customer during the registration process to select a hint for his or her password.
    • Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.
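
The question-and-answer reset procedure in the first item above, as an added Python example that is not code from the original post. The class, function names and sample account are constructed; storing answers and passwords as salted PBKDF2 hashes, the iteration count, and the answer normalization are assumptions of this example. The confirmation message it builds never contains the new password.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption for this example; tune to your hardware


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def _store(secret: str) -> tuple:
    """Keep only a random salt and the derived hash, never the secret itself."""
    salt = os.urandom(16)
    return salt, _digest(secret, salt)


def _matches(secret: str, stored: tuple) -> bool:
    salt, expected = stored
    # Constant-time comparison so response timing does not leak partial matches.
    return hmac.compare_digest(_digest(secret, salt), expected)


def _normalize(answer: str) -> str:
    """Ignore case and spacing differences in a typed answer."""
    return " ".join(answer.lower().split())


class Account:
    def __init__(self, email: str, password: str, questions: dict):
        self.email = email
        self.password = _store(password)
        # questions maps the question the customer selected to the answer given.
        self.answers = {q: _store(_normalize(a)) for q, a in questions.items()}

    def login(self, password: str) -> bool:
        return _matches(password, self.password)

    def reset_password(self, question: str, answer: str, new_password: str):
        """Verify the answer; on success store the new password and return
        the confirmation email to send. Returns None if verification fails."""
        stored = self.answers.get(question)
        if stored is None or not _matches(_normalize(answer), stored):
            return None
        self.password = _store(new_password)
        return {
            "to": self.email,
            "subject": "Your password was changed",
            # The new password is deliberately left out of the message.
            "body": "The password for your account was updated successfully. "
                    "If you did not make this change, call customer service.",
        }
```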


Your password retrieval process should be automated and customers should be able to reset passwords quickly and without complications. In case there are technical issues, or if customers need additional help, provide a customer service phone number and make sure incoming calls are answered quickly. If you receive a call from a customer who cannot reset his or her password, verify their identity using the personal information that you have on file for them.



Wednesday, June 9th, 2010

Billing Policy Guidelines for E-Commerce Merchants

Tags: billing descriptor, billing policies, e-commerce best practices, e-commerce merchants

E-commerce merchants should develop and implement a clear and detailed policy to communicate the terms and conditions of their billing procedures. You should clearly display your billing policy to your customers at the time of purchase and make it easily accessible on your website. Your billing policy should provide the following information:

  • When your customers’ cards will be charged. When developing your billing policy, you should account for the industry rule that, in an e-commerce transaction, the transaction date is the date on which the merchandise was shipped, or the service provided. This means that you should not charge your customer’s credit card before you have shipped the product.
  • How the transaction will appear on your customers’ credit card statements. The way your transactions will appear on your customers’ credit card statements is managed through your merchant account’s billing descriptor. Contact your payment processor and make sure that your billing descriptor is set up correctly. This is especially important if your legal name is different from your DBA name. In such cases, consumers can easily get confused, as they can recognize your DBA, while processors typically use the legal name in the billing descriptor. If you are using a third-party billing company, inform your customers how the transaction will be described on their credit card statements (provide the third-party billing company’s name and the transaction amount).
  • Ask your customers to save a copy of the transaction for their own records. The transaction copy should provide information about your store’s policies so customers can refer to it when in doubt about a particular issue.


It is essential that you understand the importance of not charging your customer’s card before the product has been shipped. Cardholders today can review their transactions online in almost real time and, if they see a charge on their accounts without having received the item or at least a delivery notification, they are likely to contact their card issuer and dispute the transaction. Customer disputes and the resulting chargebacks are the number one reason why e-commerce merchants get into trouble with their payment processors. Processors are required by Visa and MasterCard to monitor their merchants’ chargeback levels and to ensure that they remain below 1 percent of the total number of transactions.


In case your store sells digital content, your policy should also incorporate the following best practices:

  • Do not charge your customers’ card accounts before the service is actually accessed on your website with the applicable password.
  • Avoid the use of negative renewal options or other marketing techniques that may create the false impression that the product is free.
  • Keep the sale’s terms and conditions clear and concise and communicate with your customers all special restrictions before the sale is completed.


Additionally, make sure that you include in your billing policy information about the transaction currency that will be used to complete the transaction. Remember that websites are accessible from all over the world and, unless you have decided against accepting international orders, your customers may be located anywhere. You should clearly state the currency, especially if it is not unique (a dollar may be Australian, New Zealand, Hong Kong or U.S.). Be advised that merchants cannot convert transaction amounts into different currencies. You may, however, display on your website equivalent amounts in different currencies, provided there is a clear notification that the conversion is for information purposes only. In order to further clear any currency confusion, you should provide on your website your place of business and your contact information.

Tuesday, May 18th, 2010

What Makes Some Businesses Higher Credit Card Processing Risk than Others

Tags: chargebacks, e-commerce merchants, e-commerce risk, MasterCard, processing banks, Visa

The payment card industry has set several risk levels for credit card acceptance. Often, merchants are surprised that such risk groups even exist. After all, merchants don’t get their money before the processing bank gets its transaction fee. So if there is something wrong with a transaction, the bank will simply hold on to the transaction amount until the investigation is complete, right? Well, it’s a bit more complicated than that.


When assessing credit card payment processing risk, Visa and MasterCard rely mostly on historical transaction data. The biggest component of their risk evaluation process is the probability of generating chargebacks. A chargeback results when a cardholder disputes with his or her credit card issuer the validity of a transaction posted on their monthly statement. The dispute sets in motion a transaction validation process, which involves the cardholder, the issuer, the processing bank and the merchant. If the dispute cannot be resolved among the affected parties, Visa or MasterCard will make the final decision. The chargeback process goes through the following stages:

  1. The cardholder files an official dispute with his or her card issuing bank.
  2. The issuer returns the disputed transaction to the processing bank, through Visa or MasterCard.
  3. The processing bank either resolves the dispute or, if it needs additional information, contacts its merchant and asks for proof that the transaction is valid (a receipt would do just fine).
  4. The merchant now either accepts the chargeback or provides (represents) the requested proof.
  5. The processing bank forwards the representation to the issuer, through Visa or MasterCard.
  6. The issuer receives the representation and, if appropriate, re-posts it to the cardholder’s account to complete the chargeback cycle.


The crucial point that needs to be emphasized is that whether the dispute is valid or not, it generates a certain amount of expenses that Visa, MasterCard, the issuer and the processor have to incur. This is the main reason for the premium rates that high-risk businesses have to pay on their processing rates.


Moreover, if one of their merchants generates excessive amounts of chargebacks, processing banks get fined substantial amounts by Visa and MasterCard. In the United States, chargeback levels of one percent or more of all monthly transactions are considered excessive. Typically, processing banks will freeze a merchant account long before chargebacks reach this threshold.


Typically, businesses that operate in a non-face-to-face environment tend to generate higher levels of chargebacks and are considered high risk. E-commerce and MO / TO merchants are automatically included. Higher average tickets add an additional amount of risk, due to the higher liability for the processor. New merchants also add to the risk, due to their limited processing experience. There are other factors which can lead to some businesses being completely unacceptable to US-based processing banks. For example, gambling websites are extremely risky, because cardholders may feel like victims and dispute a charge, even if the gambling site played by the rules. Adult-oriented websites, on the other hand, are prone to generating higher levels of chargebacks, because customers may be uncomfortable admitting that they used their services, even if they have.

Friday, May 14th, 2010

How does an E-Commerce Merchant Account Work

Tags: card-not-present transactions, e-commerce merchant accounts, e-commerce merchants, MasterCard, payment gateway, processing banks, shopping carts, SSL Certificates, Visa

We constantly receive inquiries for e-commerce credit card processing services from applicants who are not quite certain what exactly such a service is and how their websites need to be built in order to be able to process online payments. This post will cover the basics of setting up an e-commerce website and merchant account.


An e-commerce credit card processing service does for web-based merchants what a point-of-sale (POS) solution does for brick-and-mortar businesses. The process is the same, only the tools are different. While store-front merchants use a physical POS terminal to read the credit card’s information and send a transaction authorization request to the card issuer over a phone line, their web-based counterparts use a shopping cart to collect the customer’s order and payment information, which is then encrypted and sent to the card issuer for authorization through a payment gateway.


To be able to accept credit card payments on your website, you will need the following:

  • An e-commerce website. What makes an e-commerce website different from a non-e-commerce website is its ability to collect customers’ orders and then process their payments in a secure manner. It connects the merchant’s web-based store with a processing bank and, through it, with Visa, MasterCard and the banks that issue their cards, as well as with the other credit card companies. Specifically, your website will need to incorporate the following components:
    • SSL certificate. Secure Sockets Layer (SSL) encrypts data communicated online to provide security against unauthorized use. An SSL-protected web page is identified by the “s” in the “https” at the beginning of its URL, and the browser often colors the URL bar.
    • E-Commerce shopping cart. A shopping cart is software that collects and organizes an online customer’s list of items for purchase. Once the customer is ready to check out, the shopping cart calculates the order total and presents the customer with a payment information form to complete the transaction. All pages that contain sensitive personal information must be SSL-protected! There are a number of shopping cart providers out there, some of which offer their carts for free. The carts can also be custom-built by website developers.
    • Payment gateway. A payment gateway is a service that connects a shopping cart with the system of the merchant’s payment processor and transmits the transaction information that customers have provided. The processor then sends the information on to the card issuer for approval and the approval response is sent back to the merchant via the payment gateway. It is the e-commerce equivalent of the physical POS terminal used by store-front merchants in face-to-face transactions.
  • E-Commerce merchant account. A merchant account is the service that enables merchants to accept credit and debit cards for payment. It is provided by a processing bank that is a member of Visa and MasterCard, either directly or through a third party. It links all of the above-mentioned components into an inter-related system. Once a payment transaction is processed, the processing bank credits the merchant’s designated bank account for the transaction amount, after it subtracts its processing cost, as agreed in the Merchant Processing Agreement. The processing bank then sends a payment request to the card issuer, who credits the processor’s account, after it subtracts its own costs. The issuer then sends a monthly statement to its cardholder to complete the cycle.


There are many merchant account providers in the U.S. and you should always request proposals from at least several of them before deciding whom to sign up with. Make sure that you evaluate the proposals in their entirety and do not make your decision based on the single rate or fee that usually gets advertised on the providers’ websites.