Monday, August 2nd, 2010

MasterCard’s Site Data Protection (SDP) Program

Tags: data security, fraud prevention, MasterCard, PCI DSS

MasterCard’s Site Data Protection (SDP) Program is designed to ensure that payment processors, merchants and third party service providers take adequate measures to protect against account data compromises. It is the responsibility of processing banks to ensure that their merchants implement the SDP program. Implementation is achieved through compliance with the Payment Card Industry Data Security Standard (PCI DSS).


Merchants and service providers must validate their compliance with PCI DSS by using the following tools:

  • On-site reviews. On-site reviews are an annual requirement for Level 1 merchants and for Level 1* and 2* Service Providers. Merchants can use an internal auditor or independent assessor recognized by MasterCard as acceptable. Service providers must use an acceptable third-party assessor. Both Visa and MasterCard have published lists with authorized third-party assessors.
  • The Payment Card Industry (PCI) Self-Assessment Questionnaire. The PCI Self-Assessment Questionnaire is available on PCI Security Standards Council’s website. To be compliant, each Level 2*, 3*, and 4* merchant, and each Level 3* service provider must generate acceptable ratings on an annual basis.
  • Network security scan. The network security scan evaluates the security measures in place at a website. To fulfill the network scanning requirement, all Level 1* to 3* merchants and all service providers must conduct scans on a quarterly basis using an authorized vendor.

    * Merchant level definitions for PCI certification:

    Merchant Level   Definition
    Level 1          Merchants processing over 6 million Visa or MasterCard transactions per year.
    Level 2          Merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.
    Level 3          Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.
    Level 4          All merchants not included in Levels 1, 2 or 3.


As part of the SDP Program, processing banks send quarterly reports for each Level 1, Level 2, and Level 3 merchant to MasterCard, which include the following information:

  • The name and primary address of the merchant.
  • The name and phone number of the primary contact for the merchant.
  • The merchant’s identification number with the processor.
  • The name of each service provider that stores card account data on the merchant’s behalf.
  • The number of transactions that the processing bank processed for the merchant during the previous 12-month period.
  • The merchant’s level under the implementation schedule.
  • The names of any assessor, auditor, or vendor engaged to conduct an on-site review or network security scan, and the expected completion dates of any reviews or security scans.
  • The date on which the merchant most recently completed the PCI Self-Assessment Questionnaire.
  • The date on which the processor most recently registered the merchant as SDP compliant.


Processors are required to communicate all SDP Program requirements to each Level 1, Level 2, and Level 3 merchant.


Beginning July 1, 2012, a new Payment Application Data Security Standard (PA DSS) Program will take effect to specifically address common vulnerabilities that have been identified as main causes in credit card data breaches. PA DSS updates the standards for vendors of third party payment applications and the Credit Card Associations will enforce compliance, so make sure your service providers have passed the tests.



Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).


Tuesday, July 13th, 2010

5 Suspicious Card-Present Transaction Characteristics

Tags: card acceptance best practices, card-present transactions, check-out procedures, Code 10 call, fraud prevention

Customers who attempt to fraudulently use a credit card at the checkout are often betrayed by specific signs of suspicious behavior. Such signs may have a perfectly reasonable explanation that has nothing to do with unauthorized credit card use; however, statistical data show that they are associated with a higher rate of fraud. You should be able to identify such signs and act according to your organization’s established fraud prevention procedures. We have written at length in previous posts about the way these procedures should be designed and recommend that you review our suggestions. Following is a list of five suspicious signs at the point of sale that you should look out for:

  • Purchasing large quantities of merchandise without much attention to details. This is a very strong fraud indicator! If a customer is purchasing a sizable amount of merchandise, without much care for size, color, or even price, he or she is probably interested much more in its resale value than its utility.
  • Rushing the cashier into a quicker processing of the payment. Although your customer may really be in a hurry, such behavior may also be intended to force you to circumvent standard fraud prevention procedures. While you would not want to delay a legitimate customer any longer than necessary, you should never forgo regular card acceptance procedures, as this is exactly what the criminal’s goal would be. Explain to your customer that you appreciate the fact that they are short on time, but you are responsible for ensuring that all payments are legitimate and cardholders’ interests are protected.
  • Making multiple purchases within a short period of time. If a customer completes a purchase, leaves the store and then comes right back in, he or she may be doing it because they believe that making multiple fraudulent transactions for smaller amounts is less suspicious than making a single large-amount purchase.
  • Shopping either right after the store opens or before it closes. A fraudster may be shopping early in the morning or late in the evening, in the hope that the merchant will not be as attentive as during other stretches of the day.
  • Ignoring free delivery options (where applicable). If your customer asks no questions or completely ignores a free delivery option, in favor of a quicker but paid one, this could be a warning sign.


Now, it should be reiterated that, although suspicious, a certain behavior might be perfectly well justified and explained in another, completely legitimate way. By themselves, none of the above characteristics constitutes a proof of a fraudulent activity. You should always use your observations of customer behavior in the context of the particular setting. Different businesses attract different types of customers and what is considered a normal customer behavior at one place might be interpreted as completely irregular at another.


Once you have accumulated enough evidence to conclude that a fraudulent activity may be taking place, you should contact your processor’s voice authorization center and make a Code 10 call. You should keep the card in your possession during the call and follow the instructions you are given. If the instruction is to retain the card, you should only do it if it is safe to do so and then ask your customer for an alternative form of payment. If you feel threatened or uncomfortable, complete the transaction and make the call right after the customer leaves.



Friday, July 9th, 2010

Managing E-Commerce Credit Card Transaction Post-Authorizations

Tags: e-commerce best practices, e-commerce merchants, fraud prevention, internal negative file, Mod 10 algorithm, transaction authorization, transaction velocity limits

All e-commerce merchants need to develop a process for managing credit card transactions after an authorization response is received from the issuer. We have discussed the e-commerce transaction authorization process at length in separate posts, so we will not go over it again here. Once the issuer compares the information it receives in the authorization request to what it has on file for its cardholder, it will either approve or decline authorization. The merchant typically receives the response within a few seconds of submitting the request.


Whatever the authorization response, the merchant will need to have an established set of procedures in place and handle it quickly. An approval will typically be sufficient to warrant a settlement of the transaction, although it is not a guarantee against fraud and you should still examine the transaction for fraudulent characteristics. Remember that an authorization approval will not protect you against fraud-related chargebacks. If the response is a decline, you should not process the transaction. Instead, you should examine the reasons for the decline and use the lessons to avoid declines of this type in the future, where possible.


The following best practices should be incorporated into your post-authorization procedures:

  • If the transaction is approved, send an email order confirmation to your customer. This will enable you to verify the validity of the cardholder’s email address. If the email turns out to be invalid, you should research the situation and determine whether the order is legitimate. To minimize customer disputes you should include in the email order confirmation details about the approved purchase.
  • If the transaction is declined, review the reasons and take appropriate actions. Request that your customer corrects the submitted payment information or provides an alternative payment method that may allow you to complete the sale.
    • Log authorization declines for review and contact customers to correct problems with their cards (e.g. wrong expiration date or card security code) or ask for an alternative payment method.
    • If the card information is corrected, you will need to obtain authorization approval from the card issuer before completing the sale. Do not assume that the corrected information is valid.
  • Regularly evaluate the success of your decline review strategy and modify it, as needed. Your long-term goal should be to drive down your overall authorization decline rate. You should also set separate goals for minimizing declines for specific reasons. The most common causes for authorization declines are:
    • Technical errors in entering payment information. There is not much you can do about technical errors; however, you should at least make sure that the card numbers are valid by:
      • Matching the card’s brand to the first digit of the account number. Depending on the brand, the number should begin with:
        • American Express – 3.
        • Visa – 4.
        • MasterCard – 5.
        • Discover – 6.
      • Using the Mod 10 algorithm. Used specifically to validate credit card numbers, the Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits.
    • Fraud. With time, your fraud prevention measures should be getting stronger as your internal negative file grows and your transaction velocity limits and controls become more accurate. A transaction involving a credit card number in your negative file should not be sent for authorization, nor should you do that for transactions exceeding your velocity limits before you evaluate the risk.
  • Monitor your order decline rates. You will need to be able to measure your progress (or the lack of it). In particular:
    • Track your order declines by reason on a daily basis.
    • Separate transactions declined by the card issuer from those declined by you for suspected fraud or other reasons.
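The merchant-side checks from the list above (brand vs. first digit, the Mod 10 check, the internal negative file and a transaction velocity limit), as an added Python example that is not code from the original post; it also probes which entry errors Mod 10 actually catches. The card numbers, the negative file and the velocity window used with it are constructed for the demo.

```python
# Added example (not the post's code): the pre-authorization checks the post
# lists, plus a probe of which entry errors Mod 10 actually detects.
# Card numbers used with this code are constructed test values, not real accounts.
from collections import defaultdict, deque

# First digit expected for each brand, as listed in the post.
BRAND_FIRST_DIGIT = {"American Express": "3", "Visa": "4",
                     "MasterCard": "5", "Discover": "6"}


def luhn_valid(pan: str) -> bool:
    """Mod 10: from the right, double every second digit (subtract 9 if the
    result exceeds 9), sum all digits; valid when the sum is divisible by 10."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_matches(pan: str, brand: str) -> bool:
    return pan[:1] == BRAND_FIRST_DIGIT.get(brand)


def undetected_errors(pan: str) -> dict:
    """Apply every single-digit substitution and every adjacent transposition
    to a valid number and return the altered numbers Mod 10 still accepts."""
    subs = [pan[:i] + d + pan[i + 1:]
            for i in range(len(pan)) for d in "0123456789" if d != pan[i]]
    swaps = [pan[:i] + pan[i + 1] + pan[i] + pan[i + 2:]
             for i in range(len(pan) - 1) if pan[i] != pan[i + 1]]
    return {"substitutions": [p for p in subs if luhn_valid(p)],
            "transpositions": [p for p in swaps if luhn_valid(p)]}


class VelocityLimiter:
    """Counts authorization attempts per card inside a sliding time window."""
    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts, self.window = max_attempts, window_seconds
        self.attempts = defaultdict(deque)      # pan -> attempt timestamps

    def exceeds(self, pan: str, now: float) -> bool:
        q = self.attempts[pan]
        while q and now - q[0] > self.window:   # drop attempts outside window
            q.popleft()
        q.append(now)                           # this attempt counts too
        return len(q) > self.max_attempts


def screen(pan, brand, negative_file, limiter, now):
    """None if the transaction may be sent for authorization; otherwise the
    merchant-side reason, so it can be logged apart from issuer declines."""
    if not luhn_valid(pan):
        return "invalid card number (Mod 10)"
    if not brand_matches(pan, brand):
        return "card number does not match stated brand"
    if pan in negative_file:
        return "card number in internal negative file"
    if limiter.exceeds(pan, now):
        return "transaction velocity limit exceeded"
    return None
```

Running `undetected_errors` on a valid number shows why the post says "almost all" transpositions: only an adjacent 0 and 9 swap slips through.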


Are there any other post-authorization procedures that work for you? Share them in the comments.



Monday, June 28th, 2010

Managing Passwords for E-Commerce Website Accounts

Tags: e-commerce best practices, e-commerce merchants, e-commerce websites, fraud prevention

How many passwords do you currently have for accessing your active online accounts? I don’t know either. Consumers today have accounts for all kinds of online services, financial and otherwise. Unless we use the same password for all of our accounts, or write them down and store them physically or electronically (either of which would put us in a very vulnerable position if a criminal got hold of it), chances are that we will at times forget one or two of them. In fact, this is almost certain to happen, as different websites use different password formats, regulating the length of the password, the use of capital letters and numbers, etc., so it is difficult to stick to a single pattern for all accounts.


E-commerce merchants should have in place a simple and straightforward procedure for managing customer passwords. While you want to make sure that only your customer has access to his or her account information, you will also want to make it easy for them to retrieve their forgotten password. Consider implementing the following suggestions:

  • Whenever a customer has troubles signing into his or her account or states that he or she has forgotten the password, you should use security information that was provided when the account was first set up to verify your customer’s identity. The process should follow these steps:
    • When creating a new account, ask your customer to select a question from a list – such as father’s middle name, favorite movie, favorite sports team, etc. – and provide the correct response. For better protection, ask your customer to repeat the process two or three times.
    • Whenever a returning customer has forgotten the account password, ask the customer for the correct answer to one of the questions that he or she selected at registration.
    • Verify the answer and, if correct, ask your customer to reset their password. You can do that by opening up in your customer’s browser a form asking for a new password to be created and re-entered. Send your customer a confirmation email to acknowledge that the password was updated successfully, but do not include the new password in the email! Email is not a safe form of communication and you should not use it for transmitting sensitive information.
  • Use hint words to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
    • Ask the customer during the registration process to select a hint for his or her password.
    • Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.
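The security-question reset procedure described above, as an added Python example that is not code from the original post: answers chosen at registration are verified, a short-lived single-use token gates the new-password form, and the confirmation email is composed without the password. Storing the answers as salted hashes is an addition of this example; the in-memory dictionaries, question texts and customer data are constructed for the demo.

```python
# Added example, not the post's code: the reset procedure the post describes,
# with registration answers stored as salted hashes (an addition of this
# example). The in-memory dicts stand in for a database and hold constructed data.
import hashlib, hmac, secrets, time
from typing import Optional

_accounts: dict = {}       # email -> account record
_reset_tokens: dict = {}   # token -> (email, expiry timestamp)
RESET_TTL = 15 * 60        # seconds a reset token stays valid


def _normalize(answer: str) -> str:
    """Treat ' Casablanca ' and 'casablanca' as the same answer."""
    return " ".join(answer.lower().split())


def _digest(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def register(email: str, password: str, questions: dict) -> None:
    """questions maps each question the customer picked from the site's list
    to the answer given; password and answers are kept only as salted hashes."""
    salt = secrets.token_bytes(16)
    _accounts[email] = {
        "salt": salt,
        "password": _digest(password, salt),
        "answers": {q: _digest(_normalize(a), salt) for q, a in questions.items()},
    }


def begin_reset(email: str, question: str, answer: str,
                now: Optional[float] = None) -> Optional[str]:
    """Verify the answer to a question chosen at registration; on success
    return a single-use reset token for the new-password form."""
    acct = _accounts.get(email)
    if acct is None or question not in acct["answers"]:
        return None
    expected, given = acct["answers"][question], _digest(_normalize(answer), acct["salt"])
    if not hmac.compare_digest(expected, given):
        return None
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = (email, (time.time() if now is None else now) + RESET_TTL)
    return token


def complete_reset(token: str, new_password: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Consume the token, store the new password and return the confirmation
    email text, which acknowledges the change but never contains the password."""
    email, expiry = _reset_tokens.pop(token, (None, 0.0))
    if email is None or (time.time() if now is None else now) > expiry:
        return None
    acct = _accounts[email]
    acct["password"] = _digest(new_password, acct["salt"])
    return (f"The password for your account {email} was updated successfully. "
            "If you did not make this change, please call customer service.")


def login(email: str, password: str) -> bool:
    acct = _accounts.get(email)
    return acct is not None and hmac.compare_digest(
        acct["password"], _digest(password, acct["salt"]))
```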


Your password retrieval process should be automated and customers should be able to reset passwords quickly and without complications. In case there are technical issues, or if customers need additional help, provide a customer service phone number and make sure incoming calls are answered quickly. If you receive a call from a customer who cannot reset his or her password, verify their identity using the personal information that you have on file for them.



Thursday, June 24th, 2010

3 Reasons Why You Can Have Your Merchant Account Suspended

Tags: excessive chargebacks, fraud prevention, merchant account applications, merchant accounts

Processors go to great lengths to ensure that each merchant account they underwrite is used according to the terms and conditions set out in their processing agreements. Before setting up the account, the processor will closely scrutinize the financial situation of both the applicant business and its principals. The evaluation process includes examining the owner’s credit report and the business’s operations, premises and previous processing history (if available), to help establish the applicant’s creditworthiness. If they are not entirely satisfied with what they have seen there, the processor’s credit managers may request additional documentation, such as the owner’s tax returns and the business’s financial statements.


Once the merchant account is approved and set up, the processor will monitor its activity to ensure it is used as agreed. If they see something suspicious, the processor’s risk managers will contact the merchant and request a clarification. For example, if the merchant has stated in its application that the average transaction amount would be $150 and then starts accepting payments averaging $500, that would raise a red flag. Similarly, if the approved annual processing volume is reached in a couple of months, an explanation will be requested. However, if the merchant responds promptly to its processor’s request and provides the necessary documentation, the issue will probably be resolved quickly.


There are circumstances, however, that can result in the suspension of a merchant account. There are three main reasons why this can happen:

  • Fraud. The first and most obvious reason that will automatically lead to a suspension is fraud committed by the merchant. Fraud can take many shapes and forms. Misusing personal information like credit card numbers and details, overcharging, not delivering products and services as advertised are just a few examples.
  • Excessive chargebacks. Another reason your processor may shut down your merchant account is a consistently high level of chargebacks. A chargeback is a transaction that is returned to the merchant as a financial liability. It is generated when a cardholder disputes a transaction or when the merchant does not follow proper card acceptance procedures. In essence, it reverses a sale. The importance of keeping chargebacks under control cannot be overstated. Both Visa and MasterCard require that merchants keep chargebacks below one percent of the total number of transactions they process. In reality, your processor will suspend your merchant account long before you reach one percent, to avoid being fined by the Associations (Visa and MasterCard).
  • Multiple merchant accounts. Processors typically will not allow you to have another active merchant account while you are using the one they have underwritten. Some will close an account if they find out that you have opened one with a competitor.


It should be emphasized that fraud and excessive chargebacks are a huge problem in the payment card industry and processors are required to closely monitor their merchants for signs of unusual activity. Most of the time, such activities are completely legitimate and it is easy to prove it. It is important that merchants respond promptly to all information requests and cooperate with their processors. Keep in mind that your processor does not want to suspend your merchant account. The only way they can make money is to have you as a customer. Work with them whenever they reach out to you and help resolve the issues before they deteriorate to the point where the processor is forced to take an action you might not like.


