Wednesday, March 2nd, 2011

2 Services to Help E-Commerce Merchants Authenticate Shoppers

Tags: e-commerce merchants

Reliable cardholder authentication in e-commerce transactions is critical for reducing fraud and chargeback levels – the two biggest issues web-based merchants have to deal with.


Although not as straightforward as in card-present transactions, the process of validating the identity of cardholders in a non-face-to-face setting can be designed in a way that produces consistently accurate results.

What Do Verified by Visa and MasterCard SecureCode Do?


To help you in your efforts, both Visa and MasterCard have developed authentication tools, based on the 3-D Secure protocol, which are available to all e-commerce merchants and all cardholders. These services are Verified by Visa and MasterCard SecureCode.


In addition to reducing fraud, Verified by Visa and MasterCard SecureCode protect participating e-commerce merchants from most cardholder “unauthorized” and “cardholder not recognized” chargebacks.

How Do the Authentication Services Work?


In order to participate in these programs, the merchant must first install them on its server. Your processing bank should be able to assist you with the implementation. Once installed, the authentication tools can only be used with cards that have been activated with the programs.


During the card activation process, the cardholder selects a unique password that is later used during the authentication process. Activation can be done in one of several ways:

  • On the issuer’s website. Card issuers typically offer Verified by Visa and MasterCard SecureCode activation on their websites.
  • Activation banners and buttons. Visa, MasterCard, card issuers, and participating merchants may display activation banners or buttons that enable cardholders to activate their card by clicking on the banner or button and following the prompts.
  • During shopping. Cardholders may also activate their cards during shopping, on the merchant’s website.


Provided a credit or debit card is activated with the respective authentication service, it is automatically recognized when used for purchases at participating e-commerce websites. Then the validation process goes through the following stages:

  1. Once a customer is ready to complete an order and make a payment at the e-commerce checkout, he or she enters the card number.
  2. At this time a new window opens up with the Verified by Visa or MasterCard SecureCode verification page and the cardholder is asked for his or her preselected password. After the password is submitted, the card issuer will authenticate the transaction and confirm that the cardholder is authorized to make the purchase. There is an option for retrieving forgotten passwords as well. If the issuer does not participate in the authentication program, no interaction takes place. Crucially, however, the merchant is still protected from certain fraud-related chargebacks.
  3. The issuer verifies its cardholder’s identity, sends a response to the merchant with the authentication result and the transaction can be completed. If the authentication fails, the merchant should request an alternative payment method.
  4. When the verification process is complete, the merchant includes the issuer’s authentication response with the transaction authorization request.


The two authentication tools are not identical and there are slight differences in the two authentication processes, but these are the essentials. If you decide to make these services part of your fraud prevention strategy (and you should), contact your processor, who should be able to help you integrate them into your system. If your processor does not support them, this by itself should be a sufficient reason for replacing it.



Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).



Friday, July 9th, 2010

Managing E-Commerce Credit Card Transaction Post-Authorizations

Tags: e-commerce best practices, e-commerce merchants, fraud prevention, transaction authorization

E-commerce merchants need to develop a process for managing credit card transactions after an authorization response is received from the issuer. We have discussed the e-commerce transaction authorization process at length in separate posts, so we will not go over it again here. Once the issuer compares the information it receives in the authorization request to what it has on file for its cardholder, it will either approve or decline authorization. The merchant typically receives the response within a few seconds of submitting the request.


Whatever the authorization response, the merchant will need to have an established set of procedures in place and handle it quickly. An approval will typically be sufficient to warrant a settlement of the transaction, although it is not a guarantee against fraud and you should still examine the transaction for fraudulent characteristics. Remember that an authorization approval will not protect you against fraud-related chargebacks. If the response is a decline, you should not process the transaction. Instead, you should examine the reasons for the decline and use the lessons to avoid declines of this type in the future, where possible.


The following best practices should be incorporated into your post-authorization procedures:

  • If the transaction is approved, send an email order confirmation to your customer. This will enable you to verify the validity of the cardholder’s email address. If the email turns out to be invalid, you should research the situation and determine whether the order is legitimate. To minimize customer disputes you should include in the email order confirmation details about the approved purchase.
  • If the transaction is declined, review the reasons and take appropriate actions. Request that your customer correct the submitted payment information or provide an alternative payment method that may allow you to complete the sale.
    • Log authorization declines for review and contact customers to correct problems with their cards (e.g. wrong expiration date or card security code) or ask for an alternative payment method.
    • If the card information is corrected, you will need to obtain authorization approval from the card issuer before completing the sale. Do not assume that the corrected information is valid.
  • Regularly evaluate the success of your decline review strategy and modify it, as needed. Your long-term goal should be to drive down your overall authorization decline rate. You should also set separate goals for minimizing declines for specific reasons. The most common causes for authorization declines are:
    • Technical errors in entering payment information. There is not much you can do about technical errors; however, you should at least make sure that the card numbers are valid by:
      • Matching the card’s brand to the first digit of the account number. Depending on the brand, the number should begin with:
        • American Express – 3.
        • Visa – 4.
        • MasterCard – 5.
        • Discover – 6.
      • Using the Mod 10 algorithm. Used specifically to validate credit card numbers, the Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.
    • Fraud. With time, your fraud prevention measures should be getting stronger as your internal negative file grows and your transaction velocity limits and controls become more accurate. A transaction involving a credit card number in your negative file should not be sent for authorization, nor should you do that for transactions exceeding your velocity limits before you evaluate the risk.
  • Monitor your order decline rates. You will need to be able to measure your progress (or the lack of it). In particular:
    • Track your order declines by reason on a daily basis.
    • Separate transactions declined by the card issuer from those declined by you for suspected fraud or other reasons.
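
The two card number checks listed above (first digit against brand, then Mod 10), as an added example that is not part of the original post. The function names and the sample numbers are constructed for illustration; the last two helpers measure what Mod 10 does and does not catch.

```python
# Added example: card number sanity checks to run before requesting authorization.
# First digits per brand are the ones listed in the post.
BRAND_FIRST_DIGIT = {
    "American Express": "3",
    "Visa": "4",
    "MasterCard": "5",
    "Discover": "6",
}

def luhn_valid(number: str) -> bool:
    """Mod 10 (Luhn) check over a string of ASCII digits."""
    if len(number) < 2 or not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_card_number(brand: str, raw: str) -> str:
    """Return 'ok' or the reason the number should not be sent for authorization."""
    number = raw.replace(" ", "").replace("-", "")
    if not (number.isascii() and number.isdigit()):
        return "not a digit string"
    if BRAND_FIRST_DIGIT.get(brand) != number[0]:
        return "brand mismatch"
    if not luhn_valid(number):
        return "mod 10 failure"
    return "ok"

def single_digit_errors_missed(number: str) -> int:
    """Count single-digit substitutions that still pass Mod 10 (expected: none)."""
    missed = 0
    for pos, orig in enumerate(number):
        for d in "0123456789":
            if d != orig and luhn_valid(number[:pos] + d + number[pos + 1:]):
                missed += 1
    return missed

def transpositions_missed(number: str) -> list:
    """List adjacent swaps that still pass Mod 10; only 09 <-> 90 can."""
    missed = []
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        swapped = number[:pos] + b + a + number[pos + 2:]
        if a != b and luhn_valid(swapped):
            missed.append((pos, a + b))
    return missed

if __name__ == "__main__":
    sample = "4090000000000003"             # constructed number, passes Mod 10
    print(check_card_number("Visa", "4111 1111 1111 1111"))
    print(single_digit_errors_missed(sample), transpositions_missed(sample))
```

Passing both checks only shows that the number is well formed; it says nothing about whether the account exists or the shopper is its owner, so it filters typing errors and nothing more.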


Are there any other post-authorization procedures that work for you? Share them in the comments.




Monday, June 28th, 2010

Managing Passwords for E-Commerce Website Accounts

Tags: e-commerce best practices, e-commerce merchants, e-commerce websites, fraud prevention

How many passwords do you currently have for accessing your active online accounts? I don’t know either. Consumers today have accounts for all kinds of online services, both financial and other types. Unless we use the same password for all of our accounts or write them down and store them physically or electronically, either of which by the way would put us in a very vulnerable position if a criminal got a hold of it, chances are that we would at times forget one or two of them. In fact, this is almost certain to happen, as different websites use different password formats, regulating the length of the password, the use of capital letters and numbers, etc., so it’s difficult to stick to a single pattern for all accounts.


E-commerce merchants should have in place a simple and straightforward procedure for managing customer passwords. While you want to make sure that only your customer has access to his or her account information, you will also want to make it easy for them to retrieve their forgotten password. Consider implementing the following suggestions:

  • Whenever a customer has trouble signing into his or her account or states that he or she has forgotten the password, you should use security information that was provided when the account was first set up to verify your customer’s identity. The process should follow these steps:
    • When creating a new account, ask your customer to select a question from a list – such as a father’s middle name, favorite movie, favorite sports team, etc. – and provide the correct response. For better protection, ask your customer to repeat the process two or three times.
    • Whenever a returning customer has forgotten the account password, ask the customer for the correct answer to one of the questions that he or she selected at registration.
    • Verify the answer and, if correct, ask your customer to reset their password. You can do that by opening up in your customer’s browser a form asking for a new password to be created and re-entered. Send your customer a confirmation email to acknowledge that the password was updated successfully, but do not include the new password in the email! Email is not a safe form of communication and you should not use it for transmitting sensitive information.
  • Use hint words to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
    • Ask the customer during the registration process to select a hint for his or her password.
    • Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.
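
One way to implement the security-question steps above, as an added example that is not part of the original post. Storing the answers as salted hashes, normalizing them before comparison and capping failed attempts are assumptions of this sketch, as are all names and the sample data.

```python
# Added example: security-question verification for a password reset flow.
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000   # assumed work factor
MAX_ATTEMPTS = 3          # assumed cap before the customer must call support

def normalize(answer: str) -> str:
    """Ignore case, accents-as-typed variants and spacing differences."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

class RecoveryRecord:
    """Security answers captured when the account is created."""

    def __init__(self, answers: dict):
        # Store only salted hashes, never the answers themselves.
        self.answers = {q: hash_answer(a) for q, a in answers.items()}
        self.failed = 0

    def verify(self, question: str, answer: str) -> bool:
        """True only if the answer matches and the attempt cap is not reached."""
        if self.failed >= MAX_ATTEMPTS or question not in self.answers:
            return False
        salt, expected = self.answers[question]
        _, supplied = hash_answer(answer, salt)
        if hmac.compare_digest(supplied, expected):   # constant-time compare
            self.failed = 0
            return True
        self.failed += 1
        return False

def confirmation_email(customer_email: str) -> str:
    """Acknowledge the change; the new password is never passed in or sent."""
    return (f"To: {customer_email}\n"
            "Subject: Your password was changed\n\n"
            "The password for your account was updated. If you did not "
            "request this change, call customer service.")

if __name__ == "__main__":
    record = RecoveryRecord({"Favorite movie": "Casablanca"})  # constructed data
    if record.verify("Favorite movie", "  casablanca "):
        # At this point the site would show the reset form in the browser.
        print(confirmation_email("customer@example.com"))
```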


Your password retrieval process should be automated and customers should be able to reset passwords quickly and without complications. In case there are technical issues, or if customers need additional help, provide a customer service phone number and make sure incoming calls are answered quickly. If you receive a call from a customer who cannot reset his or her password, verify their identity using the personal information that you have on file for them.



Accept card payments quickly and safely


Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:


  • Free merchant account and Authorize.Net gateway set-up.
  • No monthly merchant account or gateway fees.



Wednesday, June 9th, 2010

Billing Policy Guidelines for E-Commerce Merchants

Tags: billing descriptor, e-commerce best practices, e-commerce merchants

E-commerce merchants should develop and implement a clear and detailed policy to communicate the terms and conditions of their billing procedures. You should clearly display your billing policy to your customers at the time of purchase and make it easily accessible on your website.


Your billing policy should provide the following information:

  • When your customers’ cards will be charged. When developing your billing policy, you should account for the industry rule that, in an e-commerce transaction, the transaction date is the date on which the merchandise was shipped, or the service provided. This means that you should not charge your customer’s credit card before you have shipped the product.
  • How the transaction will appear on your customers’ credit card statements. The way your transactions will appear on your customers’ credit card statements is managed through your merchant account’s billing descriptor. Contact your payment processor and make sure that your billing descriptor is set up correctly. This is especially important if your legal name is different from your DBA name. In such cases, consumers can easily get confused, as they can recognize your DBA, while processors typically use the legal name in the billing descriptor. If you are using a third-party billing company, inform your customers how the transaction will be described on their credit card statements (provide the third-party billing company’s name and the transaction amount).
  • Ask your customers to save a copy of the transaction for their own records. The transaction copy should provide information about your store’s policies so customers can refer to it when in doubt about a particular issue.


It is essential that you understand the importance of not charging your customer’s card before the product has been shipped. Cardholders today can review their transactions online in almost real time and, if they see a charge on their accounts without having received the item or at least a delivery notification, they are likely to contact their card issuer and dispute the transaction. Customer disputes and the resulting chargebacks are the number one reason why e-commerce merchants get into trouble with their processing banks. Processors are required by Visa and MasterCard to monitor their merchants’ chargeback levels and to ensure that they remain below 1 percent of the total number of transactions.


In case your store sells digital content, your policy should also incorporate the following best practices:

  • Do not charge your customers’ card accounts before the service is actually accessed on your website with the applicable password.
  • Avoid the use of negative renewal options or other marketing techniques that may create the false impression that the product is free.
  • Keep the sale’s terms and conditions clear and concise and communicate with your customers all special restrictions before the sale is completed.


Additionally, make sure that you include in your billing policy information about the transaction currency that will be used to complete the transaction. Remember that websites are accessible from all over the world and, unless you have decided against accepting international orders, your customers may be located anywhere. You should clearly state the currency, especially if it is not unique (a dollar may be Australian, New Zealand, Hong Kong or U.S.). Be advised that merchants cannot convert transaction amounts into different currencies. You may, however, display on your website equivalent amounts in different currencies, provided there is a clear notification that the conversion is for information purposes only. In order to further clear any currency confusion, you should provide on your website your place of business and your contact information.




Tuesday, May 18th, 2010

What Makes Some Businesses Higher Credit Card Processing Risk than Others

Tags: chargebacks, e-commerce merchants, e-commerce risk, MasterCard, processing banks, Visa

The payment card industry has established several risk levels for credit card acceptance. Often, merchants are surprised that such risk groups even exist. After all, merchants don’t get their money before the processing bank gets its transaction fee. So if there is something wrong with a transaction, the bank will simply hold on to the transaction amount until the investigation is complete, right? Well, it’s a bit more complicated than that.


When assessing credit card payment processing risk, Visa and MasterCard rely mostly on historical transaction data. The biggest component of their risk evaluation process is the probability of generating chargebacks. A chargeback results when a cardholder disputes with his or her credit card issuer the validity of a transaction posted on their monthly statement. The dispute sets in motion a transaction validation process, which involves the cardholder, the issuer, the processing bank and the merchant. If the dispute cannot be resolved among the affected parties, Visa or MasterCard will make the final decision. The chargeback process goes through the following stages:

  1. The cardholder files an official dispute with his or her card issuing bank.
  2. The issuer returns the disputed transaction to the processing bank, through Visa or MasterCard.
  3. The processing bank either resolves the dispute or, if it needs additional information, contacts its merchant and asks for proof that the transaction is valid (a receipt would do just fine).
  4. The merchant now either accepts the chargeback or provides (represents) the requested proof.
  5. The processing bank forwards the representation to the issuer, through Visa or MasterCard.
  6. The issuer receives the representation and, if appropriate, re-posts it to the cardholder’s account to complete the chargeback cycle.


The crucial point that needs to be emphasized is that whether the dispute is valid or not, it generates a certain amount of expenses that Visa, MasterCard, the issuer and the processor have to incur. This is the main reason for the premium rates that high-risk businesses have to pay on their processing rates.


Moreover, if one of their merchants generates excessive amounts of chargebacks, processing banks get fined substantial amounts by Visa and MasterCard. In the United States, chargeback levels of one percent or more of all monthly transactions are considered excessive. Typically, processing banks will freeze a merchant account long before chargebacks reach this threshold.


Typically, businesses that operate in a non-face-to-face environment tend to generate higher levels of chargebacks and are considered high risk. E-commerce and MO / TO merchants are automatically included. Higher average tickets add an additional amount of risk, due to the higher liability for the processor. New merchants also add to the risk, due to their limited processing experience. There are other factors which can lead to some businesses being completely unacceptable to US-based processing banks. For example, gambling websites are extremely risky, because cardholders may feel like victims and dispute a charge, even if the gambling site played by the rules. Adult-oriented websites, on the other hand, are prone to generating higher levels of chargebacks, because customers may be uncomfortable admitting that they used their services, even if they have.



Learn how to minimize chargebacks and fraud


Learn how to minimize chargebacks and reduce your processing costs. The Chargeback Management kit contains a video and an e-book:


  • E-Book – Chargeback Manual (40 pages).
  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).

