Wednesday, July 14th, 2010

How to Minimize Errors at the E-Commerce Checkout

Tags: check-out procedures, e-commerce, e-commerce best practices, e-commerce websites

The checkout process on e-commerce websites is in many ways different and more complicated than it is in traditional brick-and-mortar stores. While in a face-to-face setting, the customer simply swipes a card through a terminal, which “reads” the account’s information from the magnetic stripe and prints out a receipt, at an e-commerce checkout the card’s information is manually entered into a payment form. This opens the possibility not only for a typo to creep in, but also for the customer to unwittingly make a wrong selection in a drop-down menu. For consumers, such errors can lead to frustration and for merchants – to declined authorization requests and possibly to lost sales.


So what can a merchant do to minimize such errors? Well, it turns out that there are a few simple procedures that can be adopted at the e-commerce checkout to help you limit such issues. While merchants don’t have control over the information their customers enter at the checkout, nor can they prevent typos, they can limit confusion by providing guidance and correct errors before requesting authorization.


Credit and debit cards bear several identification features that make them unique and are designed to help merchants and cardholders prevent fraud. These features are used during the transaction authorization process as well and some of them can also be used to detect errors and alert cardholders when wrong information is entered. In particular:

  • Card account number. The card’s account number is not only unique, but it also contains information that allows you to check its validity. Request that customers provide both the account number and the card type and ensure that they match. Consider adopting the following procedures:
    • Request that customers select their card’s type (Visa, American Express, MasterCard, Discover, etc.) before they enter the card’s account number.
    • Verify the validity of the provided information by comparing the selected card type and the first digit of the provided card number. The credit card companies use different account numbering systems. The first digit of every payment card identifies its type. Listed in the table below are the first digits that the major American card brands place in their account numbers.

      Card Type          First Digit of Account Number
      American Express   3
      Visa               4
      MasterCard         5
      Discover           6


    • Display an error message if there is a mismatch between the selected card type and the provided account number and request that the customer re-enters the data.
    • Use the Mod 10 algorithm (also known as Luhn algorithm). Used to validate various identification numbers, the Luhn algorithm can be used specifically to validate credit card numbers, where it detects all single-digit errors, as well as almost all transpositions of adjacent digits. The first six digits of credit card numbers are known as the Issuer Identification Number (IIN). The rest are allocated by the card issuer.
    • Allow customers to enter card account numbers with or without hyphens, with or without spaces between digits, or clearly identify your preferred format.
    • Account updaters. Merchants processing recurring and installment payments can protect themselves from errors resulting from routine changes in account information over time, such as a card number replacement or a card expiration date change. Typically in a recurring payment plan, the customer provides his or her account information at the time the plan is set up and the merchant processes the first payment as it would process any other card-not-present payment. The cardholder’s account information is then stored and all subsequent payments are processed using the stored data. MasterCard Automatic Billing Updater and Visa Account Updater are services designed to verify that on-file information, including account number and expiration date, is correct, ensuring uninterrupted payments.
  • Card expiration date. Always request that customers provide their card’s expiration date. You can either provide a blank field to be filled in by the customer or a drop-down menu from which the customer makes a selection. If you choose the latter option, make sure that you do not provide a default month and year of the expiration date to prevent it from being erroneously selected. The default date will most likely be different from the actual one and the transaction will be declined.
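
The card number checks in the list above, written out as an added example (not code from the original post): accept spaces or hyphens, compare the selected card type with the first digit from the table, then run Mod 10. The function names, error codes and the 13 to 19 digit length bound are assumptions made for this illustration; the card numbers in the usage line are widely published test numbers.

```javascript
// Added example. First digits per brand come from the table on this page.
const FIRST_DIGIT = new Map([
  ["American Express", "3"],
  ["Visa", "4"],
  ["MasterCard", "5"],
  ["Discover", "6"],
]);

// Accept digits with at most one space or hyphen between them.
// Returns the bare digit string, or null if anything else was typed.
function normalizeCardNumber(input) {
  const trimmed = String(input).trim();
  if (!/^\d(?:[ -]?\d)*$/.test(trimmed)) return null;
  return trimmed.replace(/[ -]/g, "");
}

// Mod 10 (Luhn): starting from the rightmost digit, double every second
// digit, subtract 9 from any result above 9, and sum everything.
// A valid number gives a sum that is a multiple of 10.
function passesMod10(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Run the checks in the order the checkout should report them, so the
// customer gets one specific message before any authorization request.
function checkCardEntry(selectedType, rawNumber) {
  const expectedFirst = FIRST_DIGIT.get(selectedType);
  if (expectedFirst === undefined) {
    return { ok: false, error: "unsupported_card_type" };
  }
  const digits = normalizeCardNumber(rawNumber);
  if (digits === null) {
    return { ok: false, error: "invalid_characters" };
  }
  // Length bound is an assumption of this example, not stated on the page.
  if (digits.length < 13 || digits.length > 19) {
    return { ok: false, error: "bad_length" };
  }
  if (digits[0] !== expectedFirst) {
    return { ok: false, error: "type_mismatch" };
  }
  if (!passesMod10(digits)) {
    return { ok: false, error: "failed_mod10" };
  }
  return { ok: true, digits };
}

// Usage with a published Visa test number, typed with hyphens.
console.log(checkCardEntry("Visa", "4111-1111-1111-1111"));
```

Mod 10 catches "almost all" adjacent transpositions because swapping an adjacent 0 and 9 leaves the sum unchanged, so a pass here only rules out typos and says nothing about whether the account exists.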


Make sure that all lines of communications are open when a customer is checking out of your store, so that if he or she needs help, they can contact you right away. Otherwise you risk losing the sale altogether!



Tuesday, June 29th, 2010

Managing Payment Choices at the E-Commerce Checkout

Tags: check-out procedures, e-commerce, e-commerce best practices, e-commerce websites

Have you noticed how quickly the number of available payment choices on e-commerce websites is proliferating? While credit cards are still the predominant customer choice, there are now all kinds of credit-based options for customers to choose from, including Bill Me Later and eBillme. Multiple providers offer electronic check acceptance. PayPal, Amazon Payments and Google Checkout allow consumers to consolidate all of their payment accounts, including credit cards and checking accounts and manage them all from one point of access. There are also the payment options of the “unbanked,” such as Western Union and MoneyGram.


Merchants have learned that offering multiple choices at the checkout helps attract new customers and reduces the number of sales lost at the last moment, when consumers would walk away if they didn’t see their favorite option. While offering multiple payment choices is great, you also want to make sure that your checkout process makes it simple for your customers to make their payment selections and avoids the confusion that can often arise when options are plentiful.


There are a number of ways in which a customer can get confused when selecting a payment method. For example, options such as “Debit” and “Credit” can be misleading, as their meaning may be interpreted differently, depending on the customer’s understanding. On the other hand offering the option of selecting a payment brand gives your customer a clear payment choice. It is easy to distinguish a Visa card from a MasterCard or a Discover. You should consider placing a menu of radio buttons for each card brand that your checkout account supports. Additionally, you should consider placing each card brand’s logo next to its button. Also, you would want to keep the various forms of payment separate from one another. Credit cards should be grouped together, separate from bank accounts, which in turn should be kept separate from Bill Me Later and eBillme, etc.


When your customer makes a payment selection, you must honor it. Some payment choices are costlier for you to accept than others, however once you make a decision to support the more expensive forms of payment, you have to stick to it. It is perfectly acceptable to suggest a form of payment or to display your preferred choice, but you cannot mislead or confuse the customer or omit important information in the process. Your customer has the right to use whatever payment method he or she chooses, provided it is supported at the checkout, and once the selection is made, you are required to facilitate the processing of the transaction.


Merchants are not allowed to charge customers additional fees for payments made with credit or debit cards, in order to make up for the associated processing costs. It is allowed, however, to offer a discount if a customer selects to pay in cash, for example, or in any other way that the merchant chooses. Additionally, if a merchant accepts card payments, cards should be accepted for all amounts. It is not allowed to set limits on transaction amounts for card payments. You can lose your merchant account if you do not comply with these requirements.


The most important thing to remember when designing your website’s checkout pages is that the checkout is where you close the sale. Your customer has already made a decision to buy and all you have to do is take the payment. However, if your customer feels like he or she is being misled or otherwise mistreated at the checkout, you will lose the sale. Keep the process simple and straightforward and be sure to play by the rules.



Tuesday, June 1st, 2010

How to Minimize Fraudulent E-Commerce Transactions

Tags: Address Verification Service (AVS), card security codes, chargebacks, credit card processing, e-commerce, e-commerce best practices, e-commerce risk, fraud prevention, fraud scoring, international transactions, MasterCard SecureCode, PCI DSS, transaction authorization, transaction velocity limits, Verified by Visa

Credit card fraud affects everyone involved in it: the consumer whose card information is stolen, the merchant whose product is purchased, the processing bank that facilitates the transaction and the issuer who is charged with protecting its cardholders, to say nothing of Visa and MasterCard who spend millions developing products to help prevent it from happening. In previous posts we have written in detail about the various products and procedures that can be utilized to protect your web-based business from fraudulent transactions. In this post, we will offer a general overview of the e-commerce fraud prevention tools and strategies that we believe all e-commerce merchants should use to build their sales processing system around.


Firstly, however, it should be pointed out that no system is 100 percent fraud-proof and yours will not be an exception. Even your best efforts will not protect you from processing a fraudulent sale or two on occasion. Whenever that happens, you will bear a certain financial responsibility. Although the merchant is just as much a victim of fraud as the cardholder whose card information was stolen, there are transaction fees that have been incurred in processing the payment and the merchant will end up paying them. On top of that, you will most likely be hit with a loss for the cost of the item that was sold and for shipping charges, if applicable.


It is important to emphasize that in credit card transactions, the payment information does not actually get to your processor until you submit your daily batch at the end of the day. The reason it is important is that it gives you some extra time to verify the validity of the orders that you accepted that day. If yours is a small business, you can probably go through each transaction every day. Larger organizations, however, will not have this option and should develop a process to set higher risk transactions aside for further review. Don’t hesitate to ask your processor for help. Remember that they also have a financial incentive to minimize fraud, just as you do.


There are several tools that were specifically developed to help e-commerce merchants fight fraud and you should take the time to get to know how these tools work and provide support for them all:

  • Card Security Codes (CVV2, CVC 2 and CID). The three-digit codes on the back of Visa, MasterCard and Discover cards and the four-digit codes on the front of American Express cards were introduced as an additional tool to help merchants verify that the cardholder is in physical possession of the card at the time of the transaction. You should never store these codes in your system.
  • Address Verification Service (AVS). AVS enables merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement) provided by a customer with the billing address on the card issuer’s file before processing a transaction. A mismatch is a strong indication of fraud.
  • Verified by Visa and MasterCard SecureCode. These are payment authentication systems that validate a cardholder’s ownership of an account in real-time during an online payment transaction. When the cardholder initiates a payment at the checkout page of a participating merchant’s website, a new screen automatically opens up in the cardholder’s browser. The cardholder enters a previously created password that allows the card issuer to verify his or her identity.
  • Validating credit card numbers. The Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. It detects all single-digit errors, as well as almost all transpositions of adjacent digits.


In addition to the tools, you should develop strategies for fighting fraud and implement them consistently:

  • Understand e-commerce risk. Fraud, customer disputes, chargebacks come in various shapes and forms, yet all of them are costly, time consuming and require constant attention. You should invest the time to understand the risks associated with processing internet transactions.
  • Learn how to process e-commerce transactions. Processing e-commerce transactions presents challenges that you will need to be prepared to handle.
  • Learn how to handle chargebacks. Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their credit card processing account. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. Because processors are assessed fines by the Associations if their merchant’s chargeback ratio is above 1 percent, they will suspend and close merchant accounts before their chargeback rates come even close to 1 percent.
  • Learn how to manage authorization responses. All card-not-present transactions must be authorized before they are processed. The authorization response will typically be approval or decline. You should develop a process for handling transactions after the authorization response has been received and apply it consistently.
  • Screen international transactions. International orders generate more fraud and should be scrutinized more rigorously than domestic ones. You will not be able to use AVS unless the card issuer supports International AVS, in which case AVS can validate addresses in the United Kingdom. Moreover, the legal environment is different in each country and there is likely to be a language barrier that you should consider.
  • Use fraud scoring. Fraud scoring is a system of predictive fraud detection models or technologies that payment processors use to identify the highest-risk transactions in card-not-present environment that require additional verification.
  • Set up transaction velocity limits and controls. Set review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. As you accumulate transaction data over time, adjust these limits to reflect the customer’s purchasing patterns.
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for security management, policies, procedures, network architecture, software design and other protective measures. Compliance is mandatory for all e-commerce merchants.


Avoid using voice authorizations because they bypass your processor’s systems and cannot be used as supporting evidence in chargeback re-presentments. Also, whenever you get an order from a new customer, check the provided information and make sure there is nothing suspicious. Often, common sense is the most effective tool for fighting fraud that you have at your disposal.

Wednesday, May 26th, 2010

How to Manage Duplicate E-Commerce Transactions

Tags: chargebacks, duplicate transactions, e-commerce, e-commerce best practices, transaction processing fees

Duplicate orders are a phenomenon seen more often than one might expect. So often, in fact, that Visa has a special chargeback code for it: “Chargeback Reason Code 82: Duplicate Processing.” Duplicate orders are expensive to deal with and e-commerce merchants need to develop procedures to help them identify and prevent such orders from being processed in the first place.


In a face-to-face transaction setting it is fairly easy to determine whether or not the transaction has been processed and the risk of a duplicate is minimal. Once the cardholder swipes the card, the transaction is typically authorized within seconds and the response is seen on the terminal’s screen. In e-commerce transactions, however, the authorization response can take longer to be generated and displayed on the customer’s computer screen and he or she may submit their order all over again. In such cases, often both transactions would be authorized, creating a duplicate sale.


Duplicate orders can lead to higher payment processing costs, as merchants will have to pay processing fees every time a transaction is processed, regardless of whether it is duplicate or not. Moreover, merchants will incur the cost of spending extra time to identify the duplicate transactions and issue credits to the affected customers (transaction fees are charged for processing credits too).


Another unwanted side effect resulting from dealing with duplicate transactions, and perhaps the one with the most serious and long-lasting effects, is that they generate customer dissatisfaction, as consumers are rarely happy when their credit card accounts are billed twice for the same purchase. Cardholders may, in such cases, call their card issuer directly, instead of contacting the merchant and try to clear up the issue with the bank. They are likely to dispute the transaction, initiating a chargeback.


As you see, there are enough reasons why you should develop and implement controls to prevent customers from inadvertently submitting transactions twice, as well as for preventing you from depositing sales receipts for the same transaction with your processing bank more than once. You can use the following best practices to guide you when building your procedures:

  • Require your customers to make positive clicks when placing orders, rather than hit the “Enter” key on their keyboard. In other words, have customers click on a “Submit,” “Place Order” or a similar button.
  • Once the order has been submitted, display a “Your order is being processed” or a similar message, while the authorization response is being generated and transmitted. Your customer must understand that his or her order is being processed, so that he or she does not resubmit it.
  • Once an authorization approval is received, display on your customer’s screen a message that the order has been processed and provide an order confirmation number. Design your system in a way that will allow you to look up the order confirmation numbers in your database, so that you can quickly pull up an order if a customer contacts you with a question.
  • Regularly check your orders for duplicates. You should review each batch of paper sales receipts prior to deposit to ensure that only bank copies – and not merchant copies – are included. If transactions are sent electronically for processing, make sure that each batch is sent only once and as a separate batch number.
  • If a customer has placed multiple orders, send him or her an email message to confirm whether or not the duplicate order was intentional.
  • If you receive a chargeback for processing a duplicate transaction, consider the following actions:
    • If you believe that the transactions at issue are not duplicates, provide your processing bank with information verifying that the two sales are separate, or send copies of the duplicate sales receipts and any other related documents that may be available, to your merchant bank. The receipts should clearly indicate that the two transactions are not charges for the same items or services.
    • If the transactions are duplicates and you have not already deposited a credit to correct the issue, you should accept the chargeback. Do not process a credit at this time, as the chargeback has already performed that function.
    • If you identified the duplicate transaction and processed an offsetting credit before you received the chargeback, inform your processing bank of the date the credit was issued.
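
One way to run the "regularly check your orders for duplicates" step before a batch is sent, as an added example (not code from the original post). The order fields, the card token, the 10-minute window and the batch numbers are assumptions made for this illustration, and the sample batch is constructed.

```javascript
// Added example. Orders carry a processor-issued card token rather than
// the account number, so the review job never handles card data.
const WINDOW_MS = 10 * 60 * 1000; // assumption: resubmits arrive within minutes

// Two orders are candidates for "the same purchase" when the card, the
// amount and the exact items all match.
function duplicateKey(order) {
  const items = order.items.map((i) => `${i.sku}x${i.qty}`).sort().join(",");
  return [order.cardToken, order.amountCents, items].join("|");
}

// Return pairs of orders that match and were submitted close together.
// Each pair is a prompt to e-mail the customer, not proof of a duplicate.
function findLikelyDuplicates(orders, windowMs = WINDOW_MS) {
  const groups = new Map();
  for (const order of orders) {
    const key = duplicateKey(order);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(order);
  }
  const flagged = [];
  for (const group of groups.values()) {
    group.sort((a, b) => a.submittedAt - b.submittedAt);
    for (let i = 1; i < group.length; i++) {
      const gap = group[i].submittedAt - group[i - 1].submittedAt;
      if (gap <= windowMs) {
        flagged.push({
          original: group[i - 1].orderId,
          suspect: group[i].orderId,
          gapSeconds: Math.round(gap / 1000),
        });
      }
    }
  }
  return flagged;
}

// Guard for "each batch is sent only once": returns false when the batch
// number was already claimed, so the caller must not transmit it again.
function claimBatch(sentBatchNumbers, batchNumber) {
  if (sentBatchNumbers.has(batchNumber)) return false;
  sentBatchNumbers.add(batchNumber);
  return true;
}

// Constructed sample batch.
const T0 = Date.UTC(2010, 4, 26, 14, 0, 0);
const book = [{ sku: "BK-1", qty: 1 }];
const SAMPLE_BATCH = [
  { orderId: "A-1001", cardToken: "tok_1", amountCents: 4999, items: book, submittedAt: T0 },
  { orderId: "A-1002", cardToken: "tok_1", amountCents: 4999, items: book, submittedAt: T0 + 42000 },
  { orderId: "A-1003", cardToken: "tok_1", amountCents: 4999, items: [{ sku: "BK-2", qty: 1 }], submittedAt: T0 + 60000 },
  { orderId: "A-1004", cardToken: "tok_2", amountCents: 4999, items: book, submittedAt: T0 + 50000 },
  { orderId: "A-1005", cardToken: "tok_1", amountCents: 4999, items: book, submittedAt: T0 + 3 * 3600 * 1000 },
];

console.log(findLikelyDuplicates(SAMPLE_BATCH));
```

Only A-1002 is flagged: A-1003 has different items, A-1004 a different card, and A-1005 falls outside the window and looks like a deliberate repeat purchase.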
Friday, April 30th, 2010

MasterCard’s Card Validation Code 2 – CVC 2

Tags: card security codes, card-not-present transactions, chargebacks, CVC 2, e-commerce, fraud prevention, MasterCard, MO / TO, risk management

What is Card Validation Code 2 (CVC 2)? MasterCard, just like bigger rival Visa, puts security codes on all credit and debit cards that bear its logo, as an additional security feature to help merchants who accept payments in a card-not-present environment fight fraud. The CVC 2, which stands for Card Validation Code 2, is located on the back of all MasterCard cards. It is a three-digit code indent-printed on the signature panel of MasterCard cards. The CVC 2 is preceded by the last four digits of the card’s account number, printed in the signature panel. This added security measure enables e-commerce and MO / TO retailers to verify that the buyer has the actual card in his or her possession during a card-not-present transaction. Visa’s equivalent security code is called Card Verification Value 2 (CVV2).


The CVC 2 is a security feature that all major payment gateways and virtual terminals support and your payment processor should make it available to you.


How to use CVC 2? The CVC 2 should be used in every e-commerce or MO / TO transaction. Consider implementing the following steps:

  1. Ask your customers for the last three digits in the signature panel on the back of the MasterCard card. Do not ask for the CVC 2 number, as your customer will most likely have no idea what this is.
  2. Depending on the response your customer gives to your CVC 2 request, include one of the following indicators in your authorization request, along with the card’s expiration date and the account number:

    Indicator   When to Use It
    0           If the CVC 2 is not included in the authorization request.
    1           If the CVC 2 is included in the authorization request.
    2           If your customer has stated that the CVC 2 is illegible.
    9           If your customer has stated that the CVC 2 is not on the card.

  3. The card issuer will reply to your request with one of the CVC 2 result codes listed below. Take it into consideration, along with all other factors in determining the validity of the transaction.

    Result Code                                                      Recommended Action
    M – Match                                                        The CVC 2 is valid. Complete the transaction, taking into account all other transaction characteristics.
    N – No Match                                                     The CVC 2 is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVC 2 request.
    P – CVC 2 request not processed                                  You should resubmit the request.
    S – the cardholder has stated that the CVC 2 is not on the card  The CVC 2 code should be on all MasterCard cards. Consider following up with your customer to verify that he or she has checked the correct card location.
    U – the card issuer does not support CVC 2                       In this case you should evaluate all available information and decide whether to proceed with the transaction or investigate further.


Storing of CVC 2 is prohibited. Never keep or store CVC 2 codes once a transaction is completed. Storing CVC 2 codes is prohibited and could result in fines. You may store other account information, e.g. cardholder name, account number and expiration date but not the CVC 2.
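
The three steps and the storage rule above, tied together as an added example (not code from the original post and not any gateway's API). The indicator values and result codes are the ones in the tables on this page; the field names, step names and the two-attempt cap are assumptions made for this illustration.

```javascript
// Added example. `answer` is a hypothetical object describing what the
// customer told the checkout: { code, illegible, notOnCard }.
function cvc2Indicator(answer) {
  if (answer.notOnCard) return "9";
  if (answer.illegible) return "2";
  if (typeof answer.code === "string" && /^\d{3}$/.test(answer.code)) return "1";
  return "0"; // nothing usable to send
}

// Build the authorization request: indicator, expiration date and account
// number always go along; the code itself only with indicator 1.
function buildAuthorizationRequest(card, answer) {
  const indicator = cvc2Indicator(answer);
  const request = {
    accountNumber: card.accountNumber,
    expiration: card.expiration,
    cvc2Indicator: indicator,
  };
  if (indicator === "1") request.cvc2 = answer.code;
  return request;
}

// Map the issuer's result code to the next step. `attempts` counts the
// requests already sent for this order; the cap is an assumption so that
// a repeated N or P ends in review instead of endless resubmission.
function nextStep(resultCode, attempts, maxAttempts = 2) {
  switch (resultCode) {
    case "M":
      return "complete_after_other_checks";
    case "N":
      return attempts < maxAttempts ? "reenter_and_resubmit" : "review_as_likely_fraud";
    case "P":
      return attempts < maxAttempts ? "resubmit" : "manual_review";
    case "S":
      return "ask_customer_to_check_signature_panel";
    case "U":
    default:
      return "manual_review";
  }
}

// What may be kept once the transaction is completed: the page allows
// cardholder name, account number and expiration date, never the CVC 2.
function recordForStorage(card, request) {
  const { cvc2, cvc2Indicator: _indicator, ...kept } = request;
  return { cardholderName: card.cardholderName, ...kept };
}

// Constructed sample using a published MasterCard test number.
const sampleCard = {
  cardholderName: "A. Customer",
  accountNumber: "5555555555554444",
  expiration: "12/12",
};
const sampleRequest = buildAuthorizationRequest(sampleCard, { code: "123" });
console.log(sampleRequest, recordForStorage(sampleCard, sampleRequest));
```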


Why should you use CVC 2? Using CVC 2 will benefit your organization in a number of ways, including:

  • Enhanced fraud protection. Card-not-present merchants run a greater risk of processing fraudulent transactions than their store-front counterparts. Using CVC 2 provides an additional step in the process of verifying the validity of both the card and the cardholder.
  • Reduced chargebacks. Reduced fraud leads to reduced fraud-related chargebacks. Chargebacks due to other reasons, however, will remain unaffected by the use of CVC 2.
  • Improved bottom line. Fraudulent and charged-back transactions lead to lost revenue and can mean extra processing time and costs. CVC 2 helps limit such losses and minimize operating costs.