Monday, May 3rd, 2010

10 Suspicious E-Commerce Transaction Characteristics

Tags: credit card fraud, e-commerce best practices, e-commerce risk, fraud prevention, online credit card transactions, risk management

Fraudulent e-commerce transactions typically display certain high-risk characteristics. Merchants should be able to identify these features and use them as trigger points for a more detailed examination of the transaction information to determine whether the payment should be processed or not. By itself, each one of these high-risk characteristics is rarely a clear signal of fraud. If, however, a transaction displays several of them, there is a good chance that it is fraudulent. Your fraud prevention process should be designed to identify and alert you each time one of the following 10 high-risk characteristics is present in an e-commerce transaction:

  • First-time customer. Criminals can use stolen cards for a very short time, so they are always looking for new victims. Of course you will want just as many new customers as you can get but it is a good idea to pay closer attention to their first orders.
  • Large orders. Orders with larger-than-normal amounts should also be examined closely. Criminals will try to maximize the potential of the stolen card by buying as much as they can before the account is closed. They can do that by purchasing multiple items at once or by purchasing big-ticket items.
  • Big-ticket orders. As described above, big-ticket items conveniently achieve the criminal’s goal of maximizing the profit from a stolen card.
  • Orders for several identical items. Such purchases may also be the result of a criminal’s attempt to utilize the card’s full potential before the account is closed. As they typically don’t make purchases for personal use but for resale, fraudsters don’t care what it is that they are buying, but how quickly they can flip it.
  • Overnight delivery. Criminals do not much care about shipping costs, because they are not paying for them, so they are likely to forgo a free delivery option in order to get the merchandise as soon as possible.
  • International shipping addresses. A substantial number of fraudulent e-commerce transactions are shipped to international addresses and you should carefully examine such orders before fulfilling them. Be advised that the Address Verification Service (AVS) can only be used to confirm addresses in the U.S., unless the card issuer supports international AVS (unfortunately, international AVS is not currently widely supported by issuers). If you request verification for an address outside of the U.S., you will receive a response “G” for “Global.” In such cases, you will be liable for any chargebacks even if you receive authorization approval from the issuer.
  • Transactions involving similar card account numbers. Software that generates card account information is in wide circulation and is often used by criminals. Account numbers generated in such fashion are often similar and your fraud prevention system should be designed to identify these similarities and alert you when it detects them.
  • Orders from several cards with the same billing address. Multiple transactions involving cards with the same billing address may indicate that criminals are using several stolen cards at once. They may have stolen a wallet or may have fraudulently obtained information for multiple credit card account holders from a computer used by several residents of the same household.
  • Multiple card transactions over a short time. Placing multiple transactions in quick succession may indicate that criminals are trying to max out a stolen card’s credit line as quickly as they can, before they get caught.
  • Multiple shipping addresses. If several orders are placed using one card but with several shipping addresses, it may be a sign of organized fraudulent activity, rather than the work of a single criminal. In any case, having deliveries sent to different shipping addresses is not at all a typical consumer behavior and you should investigate such transactions.
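
As an added example (not code from the original article), the ten characteristics above can be written as rule checks over a batch of orders, with an extra flag for the AVS “G” response. The field names, thresholds, the 12-digit prefix test for "similar" card numbers and the sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; derive real ones from order history.
LARGE_ORDER = 500.00                     # order total treated as larger than normal
BIG_TICKET = 300.00                      # unit price treated as big-ticket
IDENTICAL_QTY = 3                        # quantity of one item treated as "several"
VELOCITY_WINDOW = timedelta(minutes=30)  # "short time" between uses of one card
SIMILAR_PREFIX = 12                      # leading digits shared by "similar" numbers

def screen(orders, known_customers=frozenset()):
    """Return {order_id: [flag, ...]} for a batch of order dicts."""
    by_card, by_billing, by_prefix = defaultdict(list), defaultdict(set), defaultdict(set)
    for o in orders:
        by_card[o["card"]].append(o)
        by_billing[o["billing"]].add(o["card"])
        by_prefix[o["card"][:SIMILAR_PREFIX]].add(o["card"])
    results = {}
    for o in orders:
        same_card = by_card[o["card"]]
        checks = [
            ("first_time_customer", o["customer"] not in known_customers),
            ("large_order", o["total"] >= LARGE_ORDER),
            ("big_ticket_item", any(price >= BIG_TICKET for _, price, _ in o["items"])),
            ("identical_items", any(qty >= IDENTICAL_QTY for _, _, qty in o["items"])),
            ("overnight_delivery", o["shipping"] == "overnight"),
            ("international_shipping", o["ship_country"] != "US"),
            # AVS "G": address not verified; merchant stays liable even on approval
            ("avs_global_unverified", o["avs"] == "G"),
            ("similar_card_numbers", len(by_prefix[o["card"][:SIMILAR_PREFIX]]) > 1),
            ("multiple_cards_same_billing", len(by_billing[o["billing"]]) > 1),
            ("rapid_repeat_card_use", any(
                x is not o and abs(x["time"] - o["time"]) <= VELOCITY_WINDOW
                for x in same_card)),
            ("multiple_shipping_addresses", len({x["ship_to"] for x in same_card}) > 1),
        ]
        results[o["id"]] = [name for name, hit in checks if hit]
    return results

def needs_review(flags, threshold=3):
    """One flag is rarely decisive; several together warrant a manual look."""
    return len(flags) >= threshold

# Constructed sample data: card numbers, names and addresses are made up.
T0 = datetime(2010, 5, 3, 12, 0)

def make_order(oid, customer, card, billing, ship_to, country, shipping, avs, items, minutes):
    return {"id": oid, "customer": customer, "card": card, "billing": billing,
            "ship_to": ship_to, "ship_country": country, "shipping": shipping, "avs": avs,
            "items": items, "total": sum(p * q for _, p, q in items),
            "time": T0 + timedelta(minutes=minutes)}

SAMPLE_ORDERS = [
    make_order("A1", "alice", "4000000000001234", "12 Oak St", "12 Oak St", "US", "ground", "Y", [("book", 42.00, 1)], 0),
    make_order("B1", "x1", "5100000011112221", "9 Elm Rd", "Depot 7", "GB", "overnight", "G", [("laptop", 600.00, 3)], 5),
    make_order("B2", "x1", "5100000011112239", "9 Elm Rd", "PO Box 5", "US", "overnight", "Y", [("laptop", 600.00, 1)], 10),
    make_order("B3", "x1", "5100000011112221", "9 Elm Rd", "Unit 4", "US", "ground", "Y", [("cable", 25.00, 2)], 15),
]

if __name__ == "__main__":
    for oid, flags in screen(SAMPLE_ORDERS, known_customers={"alice"}).items():
        print(oid, "REVIEW" if needs_review(flags) else "ok", flags)
```

The cross-order checks (similar numbers, shared billing address, repeat use, multiple shipping addresses) only work when the batch covers the recent order history, not just the order being placed.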
Wednesday, April 7th, 2010

How Payment Gateways Work and Integrate with E-Commerce Merchant Accounts

Tags: card-not-present transactions, e-commerce merchant accounts, e-commerce merchants, MasterCard, online credit card transactions, payment gateway, point of sale (POS), processing banks, shopping carts, Visa

Merchants are often unclear on what payment gateways do and why they need them. There is often confusion concerning the gateway’s functionality and how it differs from an e-commerce shopping cart. Just as often, merchants tend to equate payment gateways with merchant accounts. In this article we will try to clear the confusion and put the gateway in its proper place in the e-commerce credit card processing cycle.


What is a payment gateway? A payment gateway is a web-based service that integrates into an e-commerce website’s shopping cart and collects payment information provided by customers at the check-out. The gateway then encrypts the data and transmits it to the card issuing bank for authorization. The authorization response is then sent to the merchant and is displayed to the cardholder. In essence, the payment gateway serves for web-based merchants the same purpose that a point-of-sale (POS) terminal does for brick-and-mortar businesses. We have previously written in greater detail about the e-commerce authorization process and the gateway’s place in it and you can review the article here.


What does a payment gateway do? Just like their POS counterparts, payment gateways support the full range of processing services: authorization only, authorization and capture, refunds and voids. Every major gateway offers a virtual terminal option, which enables merchants to enter the payment information in a browser as they are completing a transaction over the phone or after they have received a payment in the mail. Moreover, the virtual terminal allows you to create and save customer profiles within the gateway, which you can access later for speedier payment processing. Additionally, you can use the virtual terminal to set up installment or recurring payment plans, as well as process deferred payments. All major payment gateways now support AVS and CVV2 / CVC 2 verification services.


How does a payment gateway interact with a shopping cart? Payment gateways and shopping carts enter the transaction cycle at different stages. Shopping carts enable customers to select items for purchase and calculate the total cost of the order, including shipping and handling charges and taxes, if applicable. Once that is done and the customer places the order, the customer is taken to the check-out where he or she is asked to provide the payment information, which is then collected and managed by the gateway as described above.


Payment gateway vs. merchant account. It is important to understand that payment gateways, just like POS terminals, are tools for handling payment information. Just as the POS terminal is a part of each retail merchant account, the payment gateway is an essential part of every e-commerce merchant account. Yet, the merchant account service goes beyond handling the information provided by the cardholder. It enables a merchant to accept credit and debit cards, as well as other payment methods, by connecting the merchant’s physical and / or virtual check-out tools with a processing bank that “acquires” the transactions and funds the merchant’s account with the transaction amount, after subtracting the transaction’s processing costs. This whole process, from the capturing of the information at the point of sale (whether physical or virtual), to the settlement of the funds is what a merchant account service provides.


Here is a detailed description of the e-commerce transaction process:

  1. The cardholder fills out a payment information form to pay for a purchase at an e-commerce website’s check-out.
  2. The gateway collects the payment information and sends it, securely encrypted, to the processing bank for authorization.
  3. The processing bank sends the request, through Visa’s or MasterCard’s payment networks, on to the card issuer. Be advised that Discover and American Express act as both card issuers and processors, so the authorization process is much simpler.
  4. The card issuer approves or declines the transaction and sends its response, through Visa or MasterCard, to the processing bank.
  5. The processing bank forwards the response, through the gateway, to the merchant who completes the transaction accordingly.
  6. In the case of an approved transaction, the merchant deposits the receipt with its processing bank, requesting payment.
  7. The processor then credits the merchant’s account and submits the transaction to Visa or MasterCard for a settlement.
  8. Visa or MasterCard then pays the processing bank, while simultaneously debiting the card issuer’s account.
  9. The card issuer then posts the transaction to the cardholder’s account and requests payment with a monthly statement.
Tuesday, March 16th, 2010

Understanding E-Commerce Risk

Tags: card-not-present transactions, chargebacks, credit card fraud, data security, e-commerce risk, online credit card transactions, risk management, stolen data

If you have spent any length of time in the e-commerce industry, chances are that you have become all too familiar with the various types of risks involved in selling products and services over the internet. Fraud, customer disputes and chargebacks come in various shapes and forms, yet all of them are costly, time-consuming and require constant attention. Risk exposure in a card-not-present environment is determined by the established business policies, operational practices, security controls, fraud detection and prevention tools and the types of products and services sold. If your business is to be successful in minimizing fraud and chargebacks, your entire staff should clearly understand the risks associated with processing e-commerce transactions.


Understanding e-commerce risk. Understanding e-commerce risk will help you better design your business and operational policies and select the right fraud prevention tools and security controls for your organization. The typical risks that an e-commerce organization will encounter are:

  • Fraud. E-commerce fraud can take several shapes:
    • Use of a stolen card number to fraudulently purchase products or services.
    • A family member uses a card to make purchases without the cardholder’s authorization.
    • A customer falsely claims that he or she did not receive a shipment.
    • Hackers penetrate an e-commerce merchant’s system and issue credits to themselves.
  • Account information theft by hackers. There are a couple of ways for hackers to access personal account data:
    • Intercepting customer account data during transmission to or from the merchant.
    • Accessing inadequately protected systems and stealing data from them.
  • Account information theft from a physical site. Data can be stolen from a physical site in a number of ways, including:
    • Stealing cardholder data by an outsider from a merchant’s site and using it or selling it for unauthorized use.
    • Stealing cardholder data by a merchant’s employee and using it or selling it for unauthorized use.
    • Stealing unshredded cardholder data by a dumpster-truck’s driver.
  • Customer disputes and chargebacks. There are many reasons why a customer will dispute a transaction but the most common are:
    • The product or service is not as described in the promotional material or website.
    • The customer is billed before the product is shipped or the service provided.
    • There is a misunderstanding about the cancellation of an order (often in a recurring payments plan) or the return and refund of a product.
    • The customer is billed twice for the same order, or the transaction amount is incorrect.
    • The customer does not recognize the merchant’s name on his or her credit card statement.
    • The customer’s card is charged without his or her approval.


Understand the chargeback process. The importance of understanding chargebacks and developing procedures to deal with them cannot be overstated. Chargebacks are not only costly and time consuming but if they exceed 1% of the total number of your sales transactions, your account will be suspended and, if you cannot reduce the rate, it will be closed altogether. The following suggestions will help you keep chargebacks under control:

  • Work with your payment processor to understand chargebacks and to develop protective mechanisms against charged-back transactions. A special emphasis should be given to:
  • Understand your rights for re-submitting transactions charged back for fraud reasons.
  • Implement fraud prevention tools.


Train your staff in e-commerce risk management. If your staff is unable to implement your risk management procedures, all of your efforts will be in vain. Every member of your organization should:

  • Have a complete understanding of e-commerce security issues and fraud risk.
  • Understand the chargeback rules in regards to internet transactions.
  • Be well-trained and capable of implementing your risk management policies.
Tuesday, March 16th, 2010

Managing E-Commerce Payment Choices at the Checkout

Tags: card-not-present transactions, e-commerce best practices, e-commerce websites, online credit card transactions

Support for multiple payment choices at the checkout helps ensure that you can accommodate every customer’s favorite option and that no sale is lost at the last moment. Acceptance of all major credit and debit card brands and support for third-party non-cash services, such as PayPal, Google Checkout and Amazon Payments, increases customer retention and helps attract new customers who would only make a purchase if the merchant is able to accommodate their preferred payment choice. Remember that if consumers do not find their favorite payment option supported at your website’s checkout, they are likely to go to the competition, costing you a lost sale and, potentially, a repeat customer. When offering customers payment choices at the checkout, consider implementing the following best practices:

  • Provide clear payment choices.
    • Your customers must be provided with a clear choice of card brands. Confusion can result when customers believe that they are paying with one brand, but the transaction is actually processed using another. To avoid that, ask customers to select the brand of card they are using, in addition to entering the card’s account number. You can tell the card’s brand by looking at the account number’s first digit, as shown below:

      | Card Type        | First Digit of Account Number |
      |------------------|-------------------------------|
      | American Express | 3                             |
      | Visa             | 4                             |
      | MasterCard       | 5                             |
      | Discover         | 6                             |


    • Confusion can also result from the different understanding that customers may have for options such as “Debit” or “Credit.” Selecting a specific payment brand provides the customer with a clear choice.
    • Display on your checkout page a menu or radio buttons listing all of the payment brands that your store accepts, so that your customers can make an informed choice.
  • Tell customers that third-party services require that they open an account with them. If you decide to support third-party non-cash payment services like PayPal, Google Checkout, Amazon Payments, eBillme or others, inform your customers that these providers require that consumers have set up accounts with them, before they can make payments using their services.
  • Do not provide a default payment choice. You should not preselect a particular payment option, although you are allowed to indicate and advertise a preferred payment choice. You should leave all options unchecked and leave the customer to make a selection.
  • When a customer makes a payment selection, it must be honored. Although, as mentioned above, you are allowed to indicate a preferred payment choice, you cannot confuse and mislead customers or omit important information in the process. The choice ultimately belongs to the customer and you must honor it. Otherwise, you should brace yourself for customer disputes and chargebacks.
  • Provide a payment choice confirmation page. In order to avoid any possible misunderstanding about your customer’s payment choice, consider showing a confirmation page during the checkout process that specifies the selected payment option and requires that your customer acknowledges it by clicking on an “Accept” or “Agree” button.
Tuesday, March 16th, 2010

Payment Gateway

Tags: credit card acceptance, credit card processing, data security, e-commerce websites, managed billing, online credit card transactions, payment gateway, virtual terminal

A payment gateway is a web-based service that transmits transaction information between an e-commerce website and the merchant’s processing bank. It is the e-commerce equivalent of the physical point-of-sale (POS) terminal used by brick-and-mortar merchants in card-present transactions. To protect sensitive account information, the data that the gateway collects from the website is SSL-encrypted before transmittal.


The payment gateway integrates with the website’s shopping cart and activates once a customer places an order. The card-not-present transaction process goes through the following stages:

  • A customer places an order on an e-commerce website and provides his or her card information for payment.
  • The payment information is SSL-encrypted and sent to the merchant’s hosting server.
  • The payment gateway then gathers the submitted data and, after another SSL encryption, transmits it to the processing bank’s server.
  • The processing bank then sends the payment details to Visa or MasterCard.
  • If the cardholder used a Discover or an American Express card, the processing bank serves as an acquiring bank and makes a decision on whether or not to authorize the transaction; then forwards the response to the merchant.
  • Visa or MasterCard forwards the transaction to the card issuer.
  • The card issuer either authorizes or declines the transaction and sends a response (approval or decline) back to the processing bank. The responses for declined transactions provide details for the reason the transaction did not get approved.
  • The processing bank then sends the response to the payment gateway.
  • The payment gateway sends the response on to the merchant’s website and it is presented to the cardholder.
  • The whole process, from submitting the payment information to receiving the response, takes seconds.
  • At the end of the business day, all authorized transactions (also called a “batch”) are submitted to the processing bank for settlement.
  • The processing bank then deposits the total transaction amount, minus the interchange fees and processing costs, into the designated merchant’s bank account.
  • The entire process, from authorization to settlement, takes approximately 2-3 business days.


Processing banks typically provide payment gateways as part of their processing services. They charge a monthly fee for the service ($10 – $25) and may charge a fee for the set up as well. Every major gateway supports the latest fraud prevention solutions, including the Address Verification (AVS) and card security code (CVC 2, CVV2, and CID) validation services.


Payment gateways provide merchants with other ways to process card-not-present payments too. The gateway’s virtual terminal offers merchants the processing capabilities of a POS terminal through an internet browser. It is typically used by direct marketing (mail order and telephone order) merchants to process payments they receive over the phone or in the mail. The customer’s payment information is entered into a web interface and the payment gateway then handles it in the way described above.


Many virtual terminals offer managed billing and customer profile management services. The latter is used to store customers’ payment information on the server hosted by the payment gateway to give merchants convenient access to it for completing transactions faster. The managed billing solution enables merchants to use the stored customer profiles for setting up recurring and installment billing plans and to process deferred payments automatically.