eCommerce Risk Management Guide payment processing settled

eCommerce Risk Management Guide

Fourteen Steps to Managing eCommerce Risk

Following are the most important procedures for managing risk in eCommerce transactions.

  1. Understand the risks and train your staff. Exposure to eCommerce risk depends on your business policies, operational practices, fraud detection and prevention tools, security controls, and the types of products and services that you provide. Everyone in your organization should understand the risks associated with online transactions and be able to implement your established risk management procedures.
  2. Select the right acquiring bank and merchant services provider. The right acquiring bank and merchant services provider will provide effective risk management support have a complete understanding of eCommerce fraud risk and liability. An adequate customer data protection capabilities is also something you will want to consider when making your selection.
  3. Develop essential website content. Your website must include your privacy, shipping, return and refund policies. It must be reliable and to provide customers with easy and simple navigation.
  4. Concentrate on risk reduction. A properly established sales order process will help you address a number of risk concerns. You should indicate or highlight required transaction fields and verify card and cardholder data that you receive from your customers over the internet.
  5. Design and implement internal fraud prevention structure. The profitability of your eCommerce store depends on your internal strategies and controls for minimizing fraud. A risk management structure, combined with intelligent transaction controls, will help you avoid fraud-related losses.
  6. Use fraud-prevention tools. There are a number of fraud-prevention tools to help reduce your risk exposure. The most widely used among them are the Address Verification Service (AVS), the Card Security Codes, Verified by Visa and MasterCard SecureCode.
  7. Apply fraud screening. When properly implemented, the screening of online card transactions can help you minimize fraud for large-ticket items and for high-risk transactions.
  8. Protect your merchant account from intrusion. Implementing proactive measures can minimize the risk of criminals gaining access to your shopping cart or payment gateway and making fraudulent fund deposits.
  9. Create a secure process for routing authorizations. You need to set up a secure and efficient process for submitting authorization requests over the internet, before you can start accepting card payments online.
  10. Set up a process for handling transaction post-authorizations. You need an effective process in place for dealing with approved and declined authorizations before fulfilling an order.
  11. Protect cardholder information through PCI compliance. The Payment Card Industry Data Security Standards provide eCommerce merchants with standards, procedures and tools for data protection. You will need reliable encryption capabilities for data transmission and effective internal controls for protecting stored card and cardholder information. You will also need to review your security measures on a regular basis.
  12. Avoid unnecessary chargebacks. Chargebacks represent extra processing time and costs, hurt your profits and may result in a loss of revenue. By carefully tracking and managing chargebacks, you will be able to take steps to avoid future chargebacks. You will also need to know your representment rights.
  13. Monitor chargebacks. Effective chargeback monitoring mechanisms will help you detect excessive chargeback activity, identify the causes, and apply corrective measures to bring chargeback levels down.
  14. Use collection efforts to minimize losses. A well-designed collection system can help recover unwarranted chargeback losses.

Risk Awareness and Staff Training

Internet fraud and security breaches can be very costly for eCommerce merchants and necessitate a clear understanding of the risks associated with doing business online. Your entire staff should be well educated and understand the impact of fraudulent activities and chargebacks on internet transactions. They should also be well trained in your organization’s risk management procedures. The following best practices can be used as the foundation of your risk mitigation policies.

  • Understand eCommerce Risk. Educate yourself on the variety of risk factors involved in online payment processing. The more you know about it, the better prepared you will be to devise your operational policies, fraud prevention tools and security controls.
  • Understand the Chargeback Process. The importance of understanding chargebacks and developing procedures to deal with them cannot be overstated. Chargebacks are not only costly and time consuming but, if they exceed 1% of the total number of your sales transaction, your merchant processing account may be closed. The following suggestions will help you keep chargebacks under control:
    • Work with your merchant account processor to develop protective mechanisms against charged-back transactions. Make sure you have a complete understanding of: transaction authorization requirements; expired authorization rules; time limits for fulfilling copy requests; cardholder disputes; fraudulent use of account numbers.
    • Understand your rights and resubmit transactions that have been charged-back to you for fraud reasons.
    • Utilize MasterCard SecureCode and Verified by Visa to reduce your risk exposure.
  • Train your Personnel in eCommerce Risk Management. Without your staff being able to implement your risk management procedures your efforts will not be effective. Your staff should:
    • Have a complete understanding of eCommerce security issues and fraud risk.
    • Understand the chargeback rules in regards to online transactions.
    • Be capable of implementing your risk management policies.

Typical eCommerce Risks

Internet fraud and security breaches cost eCommerce and direct marketing businesses billions of dollars annually, making it imperative for merchants to understand the risks associated with doing business online. You should develop an internal policy to address the potential risks and train your staff on implementing it. Following are the typical risks that an eCommerce organization will encounter:

  • Fraud. Internet fraud can take several shapes:
    • A customer uses a stolen card number to fraudulently purchase products or services.
    • A family member uses a card to make purchases without the cardholder’s authorization.
    • A customer falsely claims that he or she did not receive a shipment.
    • Criminals hack into an eCommerce merchant’s card payment processing system and issue credits to themselves.
  • Account Information Theft by Hackers. There are a couple of ways for hackers to access personal payment card data.
  • Account Information Theft from a Physical Site. There is a number of ways in which data can be stolen from a physical repository, including:
    • Stealing cardholder data by an outsider from a merchant account provider site and using it or selling it for unauthorized use.
    • Stealing cardholder data by a merchant account provider’s employee and using it or selling it for unauthorized use.
    • A dumpster-truck’s driver steals unshredded personal account data from a merchant services provider site.
  • Customer Disputes and Chargebacks. There are many reasons why a customer will dispute a transaction but the most common are:
    • The merchandise or service is not as described in the promotional material or website.
    • The customer is billed before the goods are shipped or the services provided.
    • There is a misunderstanding about the cancellation of an order (often in recurring payment plans) or the return and refund of a product.
    • The customer is billed twice for the same order, or the transaction amount is incorrect.
    • The customer does not recognize the merchant’s name on his or her credit card statement.
    • The customer’s card is charged without his or her approval.

Be advised that, in a card-not-present environment, fraud is usually committed to obtain high-priced goods that can be easily resold, e.g. electronics, computers, jewelry, etc.

Selecting the Right Merchant Services Provider

The importance of choosing the right eCommerce merchant account provider for your business cannot be overstated. You will need to look beyond the processing rates at factors that will influence your chargeback and risk management capabilities. It is very important that your acquiring bank has a proven eCommerce expertise. The following list suggests what you should be especially careful when evaluating a proposal.

  • Service Characteristics. Make certain that your prospective merchant services partner will provide:
  • Authorization Message Content. Make sure that your prospective merchant processing bank can incorporate the authentication results in the authorization message.
  • Payment Card Industry (PCI) Data Security Standard (DSS) Compliance. Make sure that your prospective card payment processor is PCI DSS compliant.
  • Merchant Processing Agreement Terms and Conditions. Make sure you understand the terms of your payment processing agreement. You should pay special attention to the following:
    • Conditions under which a deposit can be held.
    • Your liability for fraudulent transactions.
    • Your liability for losses from stolen or compromised account data.
    • Time frames for providing required supporting documentation for chargeback representation or a copy of a sales receipt.

It is strongly recommended that you consult with an attorney before you sign your payment processing services agreement.

What Payment Processing Companies Require from Merchants

Payment processing providers require merchants to meet specific standards in order to be allowed to apply for a merchant account for their business. Following is a list of the most important requirements. Be advised that merchant account providers have different approval criteria and their requirements may vary.

  • Credit History. A review of the business’ financial performance will almost certainly be done during the application process. A typical request a card processing company will make is to see the business’ financial statements for the latest two years. The organization’s principals will also be scrutinized and they are usually required to provide their tax returns for the latest two years. The business’ Dunn & Bradstreet credit file will most likely be reviewed, as well as the principals’ personal credit files. Personal bankruptcies are taken into account when the decision is made.
  • Business Type. Applicants for payment processing services will be asked to describe, in details, the type of product or service they are selling and for relevant marketing materials. The type of product or service offered and the way it is sold, are the two most important factors in determining the processing rates that the applicant will get. Generally transactions of high-ticket items and merchandise sold online or over the phone are processed at the higher rates than smaller-ticket ones sold in a face-to-face environment.
  • Data Security. Merchants are required to take adequate measures to ensure that personal account information is adequately protected. A special emphasis is given to eCommerce businesses. Their websites are checked thoroughly and need to include a Privacy Policy, a Terms and Conditions policy statement and the payment acceptance form needs to be SSL-secured.
  • Site Inspections. A merchant services provider may conduct a site inspection of the merchant’s office to make sure that the business is legitimate. A representative of the merchant services provider may also call the business as a customer to evaluate its customer service.

Additional requirements that a merchant processing account provider may request include the organization’s Articles of Incorporation, its business license (if applicable), a proof of tax-exempt status (for non-profit organizations), etc.

Privacy Policy Guidelines

ECommerce merchants communicate with their customers mainly through their websites. Moreover, a website is usually the first contact that a consumer makes with an eCommerce merchant, further increasing its importance. If the first impression a potential customer gets is less than positive, the chances of him or her becoming a real customer will significantly decrease. Beyond the marketing side of your website there are certain requirements that eCommerce merchants have to comply with. In order to avoid customer disputes or misunderstandings, you must develop a privacy policy which needs to incorporate the following best practices:

  • Make it Clear and Concise. You will want your customers to understand their responsibilities, as well as yours so your privacy statement should be concise and readable. It may also be subject to legal requirements and you will have to consult with an attorney about it. Typically, to address consumer concerns about providing personal data, your privacy policy should provide details on:
    • What customer data is collected and tracked.
    • Whether this information is shared with third parties and, if so, with whom.
    • How customers can opt out.
  • Make it Available to Visitors through a Link on your Homepage. Your website’s homepage is usually the most trafficked page and your Privacy Policy should be made available there. It is a good idea that you place a link to it in your website’s footer or header which typically remain the same on all of your pages so that visitors will have a ready access from anywhere.
  • Register with a Privacy Organization. A good way to enhance your website’s security credentials is to register with a privacy organization and obtain a “seal of approval” or an equivalent from them. The Better Business Bureau’s BBBOnLine Privacy program is one example of such a program.

Data Security Policy

Consumers expect that eCommerce merchants protect the personal information they provide during a transaction. They also expect that merchants describe the measures and procedures they have established to keep sensitive account data save. For a better customer experience, eCommerce merchants should consider implementing the following best practices on information security:

  • Educate Customers about your Security Practices. Create a page that details your website’s security practices and controls. Consider including in it the following:
    • Explain in details how payment information is protected at all stages of the transaction process: during transmission, while on your server and at your physical work site.
    • Make the page available to all visitors to your website. You should consider placing a link to it in your home page. Placing a link in your header or footer will make the page accessible from any page of your website.
  • Include Security tips in a FAQ Page. Create a FAQ page and include in it questions and answers on how customers can protect themselves while shopping online.
  • Add the Logos of Fraud Prevention Services that you are Using. Place on your website the logos of all fraud prevention and data protection services that you are using.
  • Warn Customers against Sending Payment Information by Email. Email is not a secure way to do business, however some customers are not aware of that. To protect their personal information you should highlight your security practices on your website and in your email correspondence. Advise customers that:
    • Email is an insecure method of communication and should never be used for transmitting account data or other sensitive information.
    • Your website’s encryption services ensure that personal information is protected from unauthorized access and provides the safest way for shopping online.

Payment Choices

Customers should be provided with clear payment choices at the checkout. Unfortunately there are a number of ways in which a customer can get confused when selecting a payment choice. For example options such as “Debit” and “Credit” can be misleading as their meaning may be interpreted differently, depending on the customer’s understanding. Providing the option of selecting a payment brand gives the customer a clear payment choice. It is easy to distinguish a Visa card from a MasterCard or an American Express. You should consider placing a menu of radio buttons for each card brand that your payment processing account supports. It is also a good idea to use each brand’s logo next to the button.


Once a customer selects the brand of card that they want to use as payment, you should make sure that their choice is honored. Merchants are allowed to suggest a form of payment or to display their preferred choice but you cannot mislead or confuse the customer or omit important information in the process. The customer has the right to use whatever payment method he or she chooses, provided it is supported by the merchant and once the selection is made, the merchant should facilitate the processing of the transaction.


Merchants are not allowed to charge customers additional fees for selecting to use credit or debit cards for payment for products or services. It is allowed, however, to offer a discount if a customer selects to pay in cash, for example. Also, if a merchant accepts card payments, cards should be accepted for all amounts. It is not allowed to set limits on transaction amounts for card payments. Merchants can lose their card payment processing accounts if they do not comply with these requirements.

Product Description

Online customers are fully reliant on the merchant’s product description for any relevant information about the merchandise or service they are interested in. Unlike an old-fashioned brick-and-mortar store, where consumers can go in and physically inspect the product, in the virtual world of eCommerce this is not possible. Moreover, a physical store presents the opportunity of discussing the product’s or service’s qualities and features with a live sales person – a presence that many consumers find reassuring. Many customers simply feel more comfortable communicating with another human being and do not trust the descriptions that eCommerce merchants make available on their websites for the products and services they sell. Taking this into account, the question becomes “How do we make an eCommerce website a more consumer-friendly place and how do we make an online product and service description better?” There are simple best practices that can be employed to help address these concerns.


In order to make sure that your website presents an accurate description of the products and services that you sell and to boost your customers’ confidence in shopping at your store, you should:

  • Develop clear and comprehensive product descriptions. Be as detailed as you can. Provide a PDF or other type of a file with the complete manufacturer product sheet. Also, remember that the eCommerce is a global industry and your customers can be anywhere. Unless you limit your sales to a local market, you should include in your product description information that domestic merchants can ignore. For example, if you sell electric goods, you should state the voltage requirements, as they vary around the world. Also, when you provide the products’ dimensions you should use both English and metric measures.
  • Use product photos and images, if applicable. An image of a product is a very powerful marketing tool. Many of us will not consider making a purchase unless we see what it is we are buying. You should use high-quality images and provide shots from various angles of the product.

Shipping Policy

A web-based store’s shipping policy communicates to consumers the terms and conditions for delivering a product or service purchased on the merchant’s eCommerce website. It has to be written in a clear and concise manner and to be made available to consumers through a link on the merchant’s website, as well as sent to customers in the confirmation emails that they receive after they place an order. In order to avoid misunderstandings and to minimize customer disputes, your shipping policy should include the following information:

  • Details on the shipping options that you offer and the expected delivery time frame for each one of them.
  • A full disclosure for all shipping and handling fees. It is extremely important that your customers know in advance the exact amount of the shipping charge. This is one of the most common causes for disputes and chargebacks.

Once the product has been shipped and the customer has been informed of the expected delivery time frame, you should monitor the shipping process. If there is a delay, you should immediately inform your customer of the new circumstances and provide him with the updated delivery date. Be advised that if your customer does not receive the product by the expected delivery date, it is very likely that he or she will file a dispute, initiating a chargeback.

Be advised that criminals have exploited a weak link in the shipping process. When placing an order on an eCommerce merchant website, they will provide the stolen card number with the correct billing address. Once the merchandise has been shipped and they are given a tracking number, they will redirect the shipment to their own address. To protect the integrity of your card processing account and your customers from this type of fraud, you should consider not providing a confirmation number on a selective basis, when selling higher-risk merchandise or shipping to higher-risk addresses.

Billing Policy

ECommerce merchants should develop a thorough policy regulating the terms and conditions of their billing procedures and should make it available to customers at the time of purchase. Your policy should include the following information:

  • Inform your customers when their cards will be charged.
  • If you are using a third party to do your billing, inform your customers how the transaction will be reflected on their credit card statement (provide the third-party service provider’s name and the transaction amount). Providing these details will help customers recognize your transaction and minimize the chance that they will file a dispute with their card issuer, initiating a chargeback.
  • Encourage your customers to retain a copy of the transaction.

Be advised that it is very important that you do not charge your customer’s card before the product has been shipped. Cardholders today can review their transactions in almost real time and, if they see a charge on their accounts without having received the item or at least a delivery notification, they are likely to contact their card issuer and dispute the transaction.


If your organization provides digital content, your policy should also include the following best practices:

  • You should never charge your customer’s account before the service is actually accessed on your website with the applicable password.
  • You should avoid the use of negative renewal options or other marketing techniques that may create the impression that the product is free.
  • You should communicate with your customer all special restrictions before the sale is completed.

Lastly, be sure to include in your billing policy the transaction currency that will be used to complete the transaction. Remember that eCommerce merchant websites are accessible from all over the world and, unless there are special restrictions, your customers may be located anywhere. Clearly state the currency, especially if it is not unique (a dollar may be Australian, New Zealand, Hong Kong or U.S.). Be advised that merchants cannot convert transaction amounts into different currencies. You may, however, display equivalent amounts in different currencies, but they must be clearly indicated for information purposes only. You should also state on your website your address information.

Customer Service Access

Providing an easy way for customers to contact you is invaluable in creating customer loyalty and preventing disputes and chargebacks. Customers are likely to have questions or concerns regarding their purchases and they expect, and have the right to, that these concerns are addressed in a timely manner. Consider implementing the following best practices into your customer service procedures:

  • Provide an email inquiry form. You should display email “Contact Us” options on your website and make them easily accessible. Consider providing different email contacts for your support and sales departments as well as for shipping information.
  • Develop an email inquiry response policy. You should implement an auto-response email program to acknowledge receipt of inquiries and provide a time frame for your response. Once you do that, you should make sure that you have sufficient staff available to handle the inquiries within the set time limit.
  • Monitor your customer service to ensure that your organization’s inquiry response policies are being implemented adequately.
  • Provide a toll-free number to contact your customer service department and display it prominently on your website. Providing a toll-free contact number is key for ensuring the highest level of customer satisfaction and preventing disputes and chargebacks. Many consumers prefer having their questions and concerns addressed in a conversation with a live person and are uncomfortable or unwilling to use the email response system. Make sure that you have adequate staff to respond to telephone inquiries in a timely manner.

Customer Passwords

Passwords are established to ensure the privacy of eCommerce accounts. Unfortunately, every now and then, consumers will forget their log-in details. You should establish a procedure for existing customers to safely retrieve their forgotten password while protecting their accounts from fraudsters. Consider implementing the following suggestions:

  • When a customer has troubles signing in or claims that he or she has forgotten a password, you should use a customer-provided security data to verify his or her identity. The process should follow these steps:
    • When registering a new account, ask your customer to select a category – such as place of birth, mother’s maiden name, favorite sports team – and provide the correct response.
    • If a returning customer has forgotten his or her password, ask the customer for the correct answer to the category that he or she selected at registration.
    • Verify the response and, if correct, prompt the customer to reset their password.
  • Use hints to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
    • Ask the customer during the registration process to select a hint for his or her password.
    • Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.

For a better customer experience you should try to keep the process of resetting a password simple and have a customer service phone number available for customers to contact you if their attempts fail. Be advised that consumers today have many account profiles on various websites and it is more than possible that they forget a password or a hint. If you receive a call from a customer who cannot reset his or her password, you should verify their identity using personal information that you have on file for them.

Required Payment Form Data Fields

Requiring customers to fill in certain transaction data fields can help eCommerce merchants detect potentially risky situations. To assess the risk of fraud and minimize potential losses, merchants should define the data fields that will help recognize high-risk transactions and require that customers complete them before purchasing products and services. Key risk fields include the following data:

  • Telephone numbers which can be verified using reverse directory services.
  • Email address, particularly when it uses an anonymous service.
  • Cardholder name and billing address which, too, can be verified using reverse directory services.
  • Shipping name and address, if different from the billing data.
  • Card security codes – the 3- and 4-digit numbers on the back or front of credit and debit cards. If there is a mismatch, you should attempt to review the provided code, particularly if the other risk indicators have shown no mismatches. The customer may have simply provided the wrong number.

Once you have selected the required fields in your transaction forms, you should indicate that they must be completed before the form is submitted. You can use color to highlight them or bold fonts, or asterisks to achieve that. You should also provide an explanatory note to your customers, informing them that the highlighted fields are mandatory.


To reduce risk exposure, mandatory fields should be edited and validated in real time. The following best practices should be incorporated into your procedures:

  • Instantly notify your customers when their required data fields are incorrect or incomplete.
  • Ask your customer to correct the data he or she provided if it was not complete or submitted in the proper format.
  • Identify a field that needs to be completed in the return message if the customer omits a required field. You can do that by highlighting the field in a way of your choosing.
  • Allow your customer to correct the incomplete or omitted field while retaining the previously entered information. Customers are easily annoyed when they are returned to the payment form and have to fill it out all over again, just because they missed a single field.

Using Web Cookies

Web cookies (also called tracking cookies, HTTP cookies or just cookies), are parcels of text sent by a server to a web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. Cookies are used for authenticating, session tracking, and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. Web browser cookies are an effective tool to help eCommerce merchants recognize and acknowledge existing customers. They simplify the order process for repeat customers by not requesting that they provide payment details that have already been provided during a previous visit. Consider the following suggestions to improve the effectiveness of the use of browser cookies:

  • Use permanent browser cookies to retain non-sensitive cardholder information and preferences to enable repeat customers to order products and services without having to re-enter this information. This simple procedure will help increase customer loyalty as consumers appreciate not having to submit their payment details every time they visit a website.
  • Use browser cookies to maintain active user sessions, but once the session expires, you should request that the user logs in again, regardless of the computer being used.

Avoiding Duplicate eCommerce Orders

ECommerce merchants need to develop procedures to help them identify and prevent duplicate orders from being processed. Unlike face-to-face transactions, where once the card is swiped, it is pretty easy to determine whether or not the transaction has been processed, orders placed online are susceptible to being duplicated, as sometimes it takes a long time for the customer to receive an authorization response and he or she might do it all over again. Duplicate orders can lead to higher card processing costs, as merchants will pay for every transaction that their merchant account provider processes, regardless of whether it is legitimate or not. Moreover, merchants will have to spend extra time to sort out the duplicate transactions, issue credits to the affected customers which all leads to additional expenses as well. Another unwanted side effect from duplicate transactions is the customer dissatisfaction that naturally results from having their credit card accounts billed twice for the same purchase. Customers may, in such cases, call their card issuer directly, instead of contacting the merchant and try to clear up the issue. They are likely to dispute the transaction, initiating a chargeback.


As you see there are plenty of reasons why you should establish controls to prevent customers from inadvertently submitting a transaction twice. You can use the following best practices to build your procedures around:

  • Require customers to make positive clicks on order selections, rather than hit the “Enter” key on their keyboard. In other words, have customers click on a “Submit” or a similar button.
  • Once the order has been submitted, display an “Order Being Processed” or a similar message.
  • Regularly check your orders for duplicates.
  • Send email messages to customers to confirm whether or not a duplicate order was intentional.

Card Data Validation

Validating the provided card information during an eCommerce transaction is a process to help merchants protect themselves from fraudulent transactions. It is recommended that you consider implementing the following suggestions into your card validation procedures.

  • Implement a “Mod 10” card validation procedure before submitting a transaction for authorization. The Luhn algorithm, also known as “Mod 10” algorithm, is a simple formula used to validate a variety of identification numbers, including credit card numbers. Most credit card companies use the algorithm as a simple method of distinguishing valid numbers from collections of random digits. The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits. In order to take advantage of it, you should follow these steps:
    • Ask your merchant services provider for the Mod 10 algorithm.
    • Use the Mod 10 algorithm to check all online transactions before submitting them for authorization.
    • Inform the cardholder immediately if the card fails to pass the Mod 10 validation check, for example “The card number you provided is not valid. Please try again.”
    • Do not request authorization until the account number passes the Mod 10 validation check.
  • Display only the last four digits when showing a number to a repeat customer. The last four digits will provide your customer with enough information to identify the card and decide whether to use it or select another payment mode. At the same time this practice will reduce risk and indicate to your customer that you are handling his or her payment information in a secure manner.

Cardholder Validation

Just as validating the authenticity of a card account number is important in making sure that no false cards are used in eCommerce payment transactions, confirming the provided cardholder information ensures that no authentic cards are used by unauthorized persons. The two validation processes are complementing each other, they represent the two sides of the same coin and should both be implemented in every web-based merchant’s card acceptance procedures.


The process of validating a payment card number consists of checking the correctness of the provided customer’s telephone number, physical address and email address. The following simple verification steps will help eCommerce merchants identify errors or potential fraudulent activity:

  • Use a telephone area code and prefix table to ensure that the provided area code and prefix are valid for the entered city and state. If mismatches are identified, alert the customer and allow him or her to review the information. Also you should allow re-entering the data as the information initially entered may be valid due to recent additions or changes in telephone area codes.
  • Use a ZIP-code table to verify that the entered ZIP code is valid for the entered city and state. Although changes in ZIP codes are rarer than changes in area codes, you should still allow customers to override alerts as updates do occur or data may be erroneous.
  • Test the validity of the provided email address by sending an order confirmation.

Screening High-Risk International Addresses

Every eCommerce merchant should carefully consider whether or not to serve international customers. There are a number of risk factors to evaluate but, if you choose to do so, you should consider screening high-risk addresses to limit your risk exposure. The following suggestions will help you build your screening procedures:

  • Firstly you should identify the high-risk countries that are heavily involved in online fraud. Your merchant services provider should be able help you with that.
  • Test your international market and track your fraud experience for various international locations.
  • Obtain the contact information of the card issuer from your merchant account provider and contact them to verify the cardholder information for first-time buyers.
  • Require the billing address to be the same as the shipping address.
  • Review the Internet Protocol (IP) address and identify the computer network source:
    • There are a number of online services which will enable you to easily determine the IP address country.
    • Match the IP address country with the one provided by your customer. If there is a mismatch, you should investigate further.

Building an eCommerce Risk Management Infrastructure

In order to reduce losses resulting from excessive risk exposure, eCommerce merchants must implement internal fraud prevention measures and controls that are designed to their environment’s specifics. A dedicated fraud control department can provide the direction that the organization needs to take to fight fraud. Consider implementing the following measures:

  • Establish an official fraud control function. Consider implementing the following suggestions when setting up a fraud control position or department:
    • Elevate fraud detection and prevention to the highest priority.
    • Develop day-to-day objectives that promote profitability, such as:
      • Minimizing the percentage of fraudulent transactions.
      • Minimizing the affect of fraud-prevention efforts on legitimate sales.
      • Minimizing fraud-related chargebacks.
    • Clearly define responsibilities for detecting and reviewing fraudulent transactions.
    • If yours is a larger organization and you have a separate group that deals with chargebacks, you should encourage a close cooperation between the fraud-prevention and chargeback-monitoring groups, as one of the most common causes for chargebacks is fraud.
  • Monitor fraud-control performance. Your fraud-prevention efforts will become more effective if you track areas like:
    • Overall fraud as a percentage of your total sales.
    • Fraud recoveries as a percentage of your total fraud.
    • Speed of reviewing and making decisions on suspicious transactions.
    • Number of complaints from customers regarding legitimate sales.

Maintaining an Internal Negative File

Establishing and maintaining an internal negative file is an invaluable tool that eCommerce merchants have at their disposal for fighting fraudulent transactions. It will ensure that you will not fall victim multiple times to the same fraudulent account. When building and maintaining an internal negative file, you should make certain to implement procedures to ensure that only details from fraudulent transactions are stored and recorded. Information that relates to customer disputes or chargebacks should be left out of the negative file. The following suggestions will help you build and manage the file.

  • Building and maintaining of an internal negative file. You should begin with a review of your own history of fraudulent transactions. Record the details of the fraudulently used accounts to protect your organization from possible future fraud committed by the same person. Follow these steps:
    • Record all key elements of fraudulent transactions. Your file should include names, email addresses, shipping addresses, customer identification numbers, passwords, phone numbers and card account numbers. Remember that it is not allowed to store the 3- or 4-digit card security codes.
    • Set up a process to remove from the negative file information about legitimate customers whose card accounts have been compromised. Their information may have been used by criminals.
  • Using the internal negative file to screen transactions. If a transaction data matches data stored in your negative file, you should decline the transaction or, at the very least, initiate a thorough review.

Transaction Controls

Implementing transaction controls will help eCommerce merchants reduce their risk exposure by identifying high-risk transactions. These controls will help determine when a cardholder or a transaction should be more thoroughly investigated. When establishing your transaction control policies and procedures, consider implementing the following steps:

  • Setting up transaction controls and velocity limits. The initial process of establishing and implementing your organization’s transaction control should adopt the following procedures:
    • Establish review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. Later you should adjust these limits to reflect the customer’s purchasing patterns.
    • Establish review limits based on single transaction amount.
    • Make sure that velocity limits are checked for multiple characteristics, including shipping address, telephone number and email address.
    • Track and adjust velocity limits as you accumulate information on your customers’ purchasing patterns. The limit should be stricter for new customers and looser for customers with solid purchasing and payment track record.
    • Contact customers that exceed your preset limits to determine whether the activity is legitimate and should be approved.
  • Adjust transaction controls and velocity limits based on transaction risk. Use your risk experience regarding selected products, shipping locations and customer purchasing patterns and modify your transaction controls and velocity limits to reflect it.

Implementing transaction controls will help prevent fraud, minimize customer disputes and reduce the number of chargebacks.

Card Type, Account Number and Expiration Date

Credit and debit cards bear several identification features that make them unique and help merchants and cardholders prevent their fraudulent use. These features are used during the transaction authorization process as well. Merchants should incorporate the following best practices to ensure that transactions are processed in a safe and secure fashion:

  • Request that customers provide both the account number and the card type and ensure that they match. Consider applying the following procedures:
    • Request that customers select their card’s type (Visa, American Express, MasterCard, Discover, etc.) before they enter the card’s account number.
    • Verify the validity of the provided information by comparing the selected card type and the first digit of the provided card number. The credit card companies use different account numbering systems. The first digit of every payment card identifies its type. Listed in the table below are the first digits that the major American card brands place in their account numbers.

      Card Type

      First Digit of Account Number

      American Express

      3

      Visa

      4

      MasterCard

      5

      Discovers

      6


    • Display an error message if there is a mismatch between the selected card type and the provided account number and request that the customer re-enters the data.
    • Allow customers to enter card account numbers with or without hyphens, with or without spaces between digits, or clearly identify your preferred format.
  • Request that customers provide their card’s expiration date. You can either provide a blank field to be filled in by the customer or a pull-down menu from which the customer to make a selection. If you choose the latter option, make sure that you do not provide a default month and year of the expiration date to prevent the customer from erroneously select it. The default date will most likely be different from the actual one and the transaction will be declined.

Processing AVS Requests

Address Verification Service may be used with or without an authorization request.

  • AVS with an Authorization Request. MO/TO and eCommerce merchant account users can process AVS requests just as they process authorizations, either in real time or in a batch using a terminal or a PC. Real-time authorization requests are used typically for transactions where the customer waits for a response online. Batch authorizations are used for transactions where there is no immediate need for a response. The process of transaction authorization and address verification goes through the following stages:
    1. A consumer places an order in a card-not-present environment.
    2. The merchant confirms the order information, including the merchandise description, price, card account number, card expiration date and shipping address. The merchant now requests that the customer provides a new piece of information – his or her billing address (the billing address is where the cardholder receives his or her card statements).
    3. The merchant enters the provided billing address information into its authorization request, along with the rest of the transaction information. Both requests are sent to the merchant’s payment processing provider who sends them on to Visa or MasterCard.
    4. The Credit Card Association (Visa or MasterCard) then sends the requests on to the card issuer who makes separate decisions on each request. The card issuer compares the provided billing address to the one it has on file for its cardholder. It then returns both the authorization and the address verification responses through the same channel. The address verification response consists of a single-digit code which the merchant’s credit card processing provider may change to make it easier to understand.
  • AVS without an Authorization Request. In some cases merchants can send an address verification request without a transaction authorization request. Such situations may arise when:
    • Merchants want to verify a customer’s billing address before a transaction authorization is requested.
    • An earlier transaction authorization request has received an approval but an AVS request has received a “Try again later” response.

Fraud Screening

There are multiple fraud-screening services that are available to merchants today to help verify the validity of a payment card being used in a card-not-present transaction. Fraud prevention tools can be developed internally or obtained from third-party vendors. When implementing fraud screening procedures within your organization, you should consider the following:

  • Implement tools to identify high-risk transactions. Once you identify a high-risk transaction, you should:
    • Suspend processing a transaction with high-risk attributes. High-risk transaction attributes can include: match data stored in internal negative files; exceeded velocity limits and controls; an Address Verification Service (AVS) mismatch; a high-risk profile match.
    • Develop effective review procedures to investigate high-risk transactions. The goal should be to reduce the percentage of fraudulent transactions while minimizing the impact of this effort on legitimate transactions.
  • Identify international IP addresses as high-risk. Statistical data show that international IP addresses have a substantially higher fraud rate than domestic addresses, particularly when merchants require a U.S. billing address. Be sure to check international transactions for a positive match on their Card Security Codes (CVV2, CVC2 and CID) and AVS (available only for U.K. addresses outside of the U.S.).
  • Require that billing addresses match shipping addresses for high-risk transactions. Such transactions can include big-ticket transactions and transactions for specific merchandise types.
  • Screen for high-risk shipping addresses. There are third-party databases of high-risk shipping addresses which you can use to compare to shipping addresses provided by your customers. Special attention should be placed on P.O. boxes, prisons, hospitals and addresses with documented fraudulent activity.
  • Treat international transactions as high-risk. You should require greater scrutiny and verification for international transactions. You should consider tighter transaction controls and velocity limits on international orders. Also you should consider using third-party scoring services for non-U.S. transactions. Your merchant services provider should be able to suggest such services to you. The type of goods purchased, the transaction amount and the country where the card was issued can further influence your risk assessment. Prior to shipping goods in a high-risk transaction, you should contact the card issuer to verify the cardholder information.
  • Previous cardholder purchases should be a favorable factor in your fraud assessment procedures.

Possible Signs for eCommerce Fraud

The following signs should alert merchants operating in a card-not-present environment of the possibility that a fraudulent transaction may be under way. If only one sign is present, this may not be a cause for concern but if several are identified in a single eCommerce card processing transaction, the merchant should investigate and establish the legitimacy of the card and the customer before processing the payment.

  1. First-Time Shoppers. Fraudsters are always prowling for new victims. Once they commit a fraud at a particular merchant, they usually move on to another and never come back.
  2. Larger than Average Orders. Stolen payment cards have a very limited life span so criminals need to make use of them as quickly as possible. Large size orders are one way of doing that.
  3. Orders for Several of the Same Items. Just as with larger-than-average orders, purchasing multiple items of the same kind is a way of maxing out stolen cards as quickly as possible.
  4. Big-Ticket Items. Big-ticket items have high resale value, maximizing the criminals’ profits.
  5. Orders with Overnight Delivery. Naturally, criminals do not much care about shipping costs and are more likely than legitimate shoppers to order items with an overnight or another type of a rushed delivery.
  6. Orders from Internet Addresses at Free Email Services. Free email services have no billing relationship with their users, leaving no possibility for verification that a legitimate cardholder has opened the account.
  7. International Shipping Addresses. A disproportionately large number of fraudulent transactions are shipped to international addresses. The Address Verification Service can only work for U.K. addresses outside the U.S.
  8. Similar Account Numbers. There are various software tools for generating card account numbers, such as CreditMaster. These numbers are often very similar.
  9. Multiple Orders Shipped to the Same Address. Such orders may indicate the use of a stolen batch of cards or of fraudulently generated account numbers.
  10. Multiple Transactions on One Card in a Short amount of Time. Such transactions may indicate that a criminal is attempting to run up a stolen card’s credit line as quickly as possible, before the account is closed.
  11. Multiple Shipping Addresses. Similarly to the previous scheme, a card may be used multiple times in a short amount of time with the orders going to several shipping addresses.
  12. Multiple Cards from a Single IP Address. Such transactions may indicate multiple orders placed from the same computer, even if different names and shipping addresses have been used.

Fraud Scoring

Merchants operating in a card-not-present environment should develop internal transaction fraud-scoring procedures or use third-party solutions to do that. Fraud-scoring procedures are used to identify the highest-risk transactions that require additional verification. The fraud score provides the probability that a transaction may be fraudulent. The following best practices should be followed for best results:

  • Merchants should perform internal fraud screening before submitting transactions for fraud scoring. When submitting transactions for fraud scoring, consider the following suggestions:
    • Only submit transactions that have passed your organization’s internal screening procedures. Transactions that have failed are obviously high-risk and you do not need their fraud score to indicate that.
    • You should not obtain fraud scores for transactions that were declined by the card issuer or have raised flags for suspected fraud or other reasons.
  • Merchants should evaluate the costs and benefits of fraud scoring for low-risk transactions. For many merchants it will not be cost-effective to obtain fraud scores, internal or third-party, for every single MO / TO or eCommerce card processing transaction. Eliminating the low-risk transactions from the fraud-scoring process will help keep costs down.
    • If using third-party scoring, merchants should analyze their service agreements and determine the cost of submitting transactions to them.
    • Merchants should identify transactions where the potential fraud losses are lower than the cost of fraud scoring. The following factors should be taken into account:
      • Total dollar amount of the sale.
      • Whether it is a new or repeat customer.
      • Type of service or product being sold.
      • The merchant’s website click-through patterns.
      • Address Verification Service results.
      • Card Security Code results.
      • Verified by Visa or MasterCard SecureCode results.

Suspect Transactions Review Procedures

Direct marketing and eCommerce merchants need to establish procedures for sorting out transactions with high potential for being fraudulent. When merchants identify that certain transactions are suspicious, they need to have established cost-effective thresholds for determining which transactions to review. Reviewing all transactions manually is both time-consuming and costly and is generally justified only for high-risk transactions. To ensure that your transaction review costs remain lower than the potential losses from suspect transactions, consider implementing the following procedures:

  • Utilize transaction screening that lets you avoid the manual reviews of low-risk transactions. Criteria that you can use in your transaction screening procedures can include:
    • Low transaction amounts.
    • Repeat customers that have good record for at least the past 90 days and merchandise has been shipped to their address before.
    • An Address Verification Service (AVS) match and a shipping address that is the same as the billing address, in addition to a purchase amount that is below the established dollar threshold.
  • Make certain that all transactions that display high-risk characteristics are declined or routed for fraud review. Such transactions should include:
    • Transactions that match information in your internal negative file.
    • Transactions from international IP addresses.
    • International billing or shipping addresses.

Cardholder Verification Procedures

Merchants that accept payments in card-not-present settings need to implement into their procedures for reviewing suspicious transactions a cardholder verification process. The process of verifying the validity of the transaction activity must be cost-effective to justify implementing it in the first place. Mail order, telephone order and eCommerce merchants must develop call verification procedures in a way that addresses the need to identify potential fraud while leaving legitimate customers with a positive impression of their organizations. There are a number of services that are available to merchants today to help them in their efforts to verify the validity of their customers. You should consider implementing the following:

  • Telephone Directory Assistance. A simple 411 call will give you information on who a particular phone number is registered with and at what address. It can provide a phone number for a business or a person which you can compare with the one provided by your customer.
  • Internet Search Tools. Most of the 411 telephone services are available online, as well as a number of other tools that will quickly enable you to verify the validity of provided phone numbers and addresses. Many online search services are free and there are powerful paid search tools as well.
  • Card Issuing Banks. You can contact the bank that issued the card used in the transaction you are reviewing and verify the information. When speaking with the bank representative:
    • Confirm name, address and telephone number associated with the card number.
    • Inquire whether a recent address change has been made.
  • Call the Cardholder. Contact the cardholder directly to confirm the transaction and resolve any discrepancies. Inform the customer that you are doing that as a protection against possible fraud.

Transaction Qualification Guidelines

ECommerce merchants must ensure that all transactions pass the qualification requirements before processing them. The following simple procedures will help reduce risk exposure and the losses from fraudulent transactions.

  • Merchants must ensure that their merchant processing bank or payment processing services provider is providing the authentication results and the Electronic Commerce Indicator (ECI) in the transaction authorization message. The Electronic Commerce Indicator and the result of the authentication must be provided in the authorization message to receive chargeback protection from fraudulent transactions and the best available interchange rate.
  • Merchants should monitor the percentage of settled transactions that are authenticated or authentication has been attempted. This will help identify potential processing problems.
    • The share of authenticated transaction varies based on product sold or service provided and on the customer base. It should represent 80 percent to 90 percent of the overall transactions. A lower percentage could indicate a processing issue and reduced protection from fraud-related chargebacks.
    • For best results merchants should monitor on a daily basis to identify and respond to potential problems early on.

Protecting Merchant Accounts from Intrusion

There are a number of ways that criminals are exploiting in their efforts to breach the security mechanisms of eCommerce merchant accounts. Often their targets are the merchant’s shopping cart and payment gateway. The criminals typically attack online merchants that use weak or generic passwords. Once they gain access to the merchant account, they start processing fraudulent debit and credit transactions. The fraudulent sales are usually similar in total to the deposited credits, thus offsetting them. This is done in an effort to avoid detection by deposit-volume monitoring. Implementing the following procedures will help eCommerce merchants protect their payment processing accounts against cyber-criminals.


Monitoring your Merchant Account

  • Perform daily monitoring of authorizations and transactions. ECommerce merchants should be on a lookout for:
    • Authorization-only transactions. A higher-than-usual number of such transactions may be an indication of a vulnerability test.
    • Higher than usual number, average size and volume of credit transactions. As explained above, credits may be used by criminals to offset debits in an effort to avoid detection.
    • Identical or similar transaction amounts.
    • Transactions that do not include customer identification information.
    • Multiple transactions from the same Internet Protocol (IP) address.
    • Transactions with similar account numbers. These accounts may have been generated by a software for generating fraudulent account numbers (e.g. CreditMaster).
    • Multiple transactions on a single account within a short period of time. This is a typical sign of fraud.
  • Regularly monitor your daily batches.
    • ECommerce merchants should review their daily transactions before they are settled.
    • Merchants using the Address Verification Service (AVS) and the Card Security Codes should be on a lookout for transactions that have been submitted without an AVS or a CVV2 / CVC2 request.

Additionally, eCommerce merchants should regularly change their payment processing gateway‘s password. For best results you should use a combination of letters and numbers with at least six characters. Also your password should be different from your user name.

Routing Authorizations

The transaction authorization process has a significant impact on risk, customer service and operational expenses. Implementing the following best practices will ensure that it is managed properly.


Transaction Authorization Routing Sequence


The transaction authorization routing sequence must be implemented with a focus on fraud prevention. When a customer initiates a transaction, merchants should:

  • If you are participating in Verified by Visa (VbV) or MasterCard SecureCode, complete the authentication process and provide the authentication data in the authorization request.
  • Perform internal fraud screening. Transactions should be matched against velocity parameters, high-risk locations and internal negative files. Transactions that raise suspicions should be subjected to a further review.
  • For transactions that pass your internal scrutiny, you should obtain authorization from the card issuer. The authorization should include Address Verification Service (AVS) and Card Security Verification (the 3- or 4-digit codes on the back or front of credit and debit cards) to determine whether the card issuer or you will decline the transaction.
  • If you use a third-party fraud screening service, merchants should obtain a fraud score for these transactions that have not yet been declined by you or the card issuer.


Authorization Requirements


Merchants should make sure that all authorizations comply with the following requirements:

  • All internet transactions should be identified with the correct Electronic Commerce Indicator (ECI). The ECI should be entered into the appropriate field of the authorization and settlement messages to identify eCommerce transactions as such. Your merchant services provider should help you implement the ECI which is required for all internet transactions.
  • New authorizations should be obtained when the original ones expire. ECommerce merchants that ship merchandise more than seven days after the original authorization (back order), should obtain a new authorization before proceeding with the shipment. This practice protects eCommerce merchants from chargebacks due to no authorization.

Post-Authorizations

ECommerce merchants should consider sending a confirmation before completing an order in an online transaction that was approved by the card issuer. If the transaction was declined, however, merchants need to have procedures in place for handling such situations with the customer. Merchants must also look for ways to avoid declines of this type in the future, where possible. The following best practices should be incorporated into your post-authorization procedures:

  • If the transaction was approved, issue an email order confirmation. This will enable you to verify the validity of the cardholder’s email address. If the email turns out to be invalid, you should research the situation and determine whether the order is legitimate. To minimize customer disputes you should include in the email order confirmation details about the approved purchase.
  • If the transaction was declined, you should review the situation and take appropriate actions. You should obtain corrected information or an alternative payment that may allow you to complete the sale.
    • Log authorization declines for review and contact customers to correct problems with their cards (e.g. wrong expiration date) or ask for an alternative payment method.
    • If the card information is corrected, make certain to obtain authorization approval from the card issuer before completing the sale.
    • Regularly evaluate the success of your decline review strategy and modify it, as needed.
  • Monitor your order decline rates. This will help you increase your approval rates and sales volumes, as well as enable you to uncover potential problems related to changes in the authorization process.
    • Track your order declines by reason on a daily basis.
    • Separate transactions declined by the card issuer from those declined by you for suspected fraud or other reasons.

Protecting Cardholder Data through PCI Compliance

Before they order products and services online, consumers want to be sure that their account information is safe and will not be compromised and misused. To address this need, the Credit Card Associations joined forces to create a program that spells out the procedures that eCommerce merchants must implement into their organizations in order to protect sensitive personal data.

All merchants are required to comply with the requirements set forth in the Payment Card Industry (PCI) Data Security Standard (DSS). The Standard is a result of a collaboration between Visa and MasterCard to create common industry security requirements for protection of sensitive cardholder information. Other credit card companies have endorsed the Standard within their their programs. The PCI consists of twelve basic requirements.

PCI Data Security Standard

Requirements

Build and Maintain a Secure Network 1. Install and maintain a firewall to protect data.
2. Do not use vendor-supplied passwords and other security parameters.
Protect Cardholder Data 3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software.
6. Develop and maintain secure applications.
Implement Strong Access Control Measures 7. Restrict access to data on a need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy 12. Maintain a policy that addresses information security.

Actions in Case of a Security Breach

If a data security breach is suspected or confirmed, the merchant should take immediate actions to contain and limit the exposure. In order to prevent any further loss of data, a thorough investigation should be conducted of the suspected or confirmed compromise. The following concrete actions should be taken:

  • Compromised systems should not be accessed. Merchants should not change passwords or other log-in details.
  • Compromised systems should not be turned off. Instead, compromised machines should be isolated from the network by unplugging the cable.
  • All logs and electronic evidence should be preserved.
  • All actions should be logged.
  • In a case of a wireless network, the network key of the access point should be changed and the machines using the network should be updated (with the exception of all compromised systems).
  • The merchant should remain on high alert for the duration of the investigation and monitor all components of its payment processing system.

All parties involved in the payment processing cycle should be immediately alerted of the suspected or confirmed security breach. This includes:

  • Internal information security group, if applicable.
  • The merchant’s legal department.
  • The merchant’s processing bank.
  • The merchant services provider, if different from the processing bank.
  • The Credit Card Associations.
  • The local FBI office.

The Credit Card Associations and the merchant processing bank will contact the merchant to discuss the compromise and the measures that need to be taken to prevent similar events from occurring in the future. The Associations will request that the merchant provides the compromised account numbers and will provide instructions on how this will be done. The compromised account numbers will then be distributed to the card issuers which may issue new replacement account numbers. The Associations and the merchant processing bank will instruct the merchant on all other actions that may need to be taken, including providing an incident report, undergoing an independent forensic review, etc.

Avoiding Unnecessary Chargebacks

In order to minimize losses merchants need an adequate chargeback tracking system and a set of procedures to ensure that unnecessary chargebacks are avoided. The following best practices should be implemented:

  • Promptly address valid customer disputes and issue the appropriate credit in a timely manner. Failing to do so will result in unnecessary disputes and eventually in chargebacks and the costs associated with them. Send your customer an email to inform him or her that a credit has been issued.
  • Provide adequate responses to sales receipt requests.
    • When responding to sales receipt requests from your merchant services provider, you should provide full information about the sale, including the following elements:
      • Account number.
      • Card expiration date.
      • Cardholder name.
      • Transaction date.
      • Transaction amount.
      • Authorization code.
      • Merchant name.
      • Merchant online address.
      • General description of the merchandise or service.
      • Shipping address, if applicable.
      • Address Verification Service (AVS) response code, if applicable.
    • If available, provide additional information to help your merchant services provider resolve disputes and minimize chargebacks, such as:
      • Transaction time.
      • Customer email address.
      • Customer telephone number.
      • Customer billing address.
      • Detailed description of the merchandise or service.
      • Information on whether or not a receipt signature was obtained upon delivery of the merchandise or service.

      By providing details of the transaction at issue, you may be able to resolve the request and avoid a chargeback.

  • Provide timely responses to sales receipt requests.
    • Work with your merchant processing bank to design and implement a timely and efficient process for fulfilling sales receipt requests.
    • Investigate fax fulfillment by your merchant processing bank, if this is appropriate for the merchandise or service that you provide.

    Be advised that your merchant processing bank may charge a transaction back to you if the requested sales receipt is not received within 30 days of the request date. By fulfilling such requests promptly, you can avoid such chargebacks and their associated costs.

Re-Presentment Rights

Merchants operating in the the eCommerce and mail order and telephone order (MO / TO) industries should be familiar with their chargeback representment rights associated with the use of the Address Verification Service (AVS) and the Card Security Verification Codes (CVV2, CVC2 and CID). Your merchant bank can represent a transaction if you:

  • Received an AVS positive match to your authorization request and if the billing and shipping addresses are the same. You will need to submit a proof of the shipping address and a delivery confirmation.
  • Submitted an AVS request during authorization and received a “U” response code from a U.S. card issuer. The response means that the card issuer is unavailable (e.g. technical difficulties) or that it does not support AVS.
  • Submitted a Card Security Code verification request during authorization and received a “U” response from a U.S. card issuer. The response means that the card issuer does not support the Card Security Code.

If you believe that you have representment rights on a transaction that was charged back to you, work with your merchant bank to ensure that all available supporting evidence for representment is submitted in a timely manner. Be advised that, even though your merchant bank has the right to represent on your behalf under the above mentioned circumstances, there is no guarantee that the disputed items will be accepted.


Merchants who participate in Visa’s Verified by Visa program or in MasterCard’s MasterCard SecureCode program are protected from unauthorized use chargebacks, in most cases. Merchants who participate in these programs and receive a fully authenticated or attempted authentication response from the card issuer and provided the authentication data in the authorization request, retain representment rights.

Chargeback Monitoring

Just as with copy requests, monitoring your organization’s chargeback rates can help you identify problematic areas in your business and improve your prevention efforts. Yet, even though copy requests are a good indicator of potential chargebacks, the actual chargeback rates and monitoring strategies vary by merchant type. General best practices for chargeback monitoring include:

  • Track chargebacks and representments by reason code. Each reason code is associated with unique risk issues and requires specific remedies and reduction strategies. Monitoring chargebacks by reason codes will help you to identify the weak spots in your sales cycle and concentrate your chargeback prevention efforts where they are needed the most.
  • Monitor initial chargeback amounts and net chargebacks after representments. Separate monitoring of initial and chargeback rates after representment helps in evaluating the success rate of your representment strategy.
  • Track card-present and card-not-present chargebacks separately. If your business accepts both face-to-face payments and card-not-present payments (MO / TO or eCommerce), you should track chargebacks resulting from either card acceptance environment separately. If you accept both MO / TO and eCommerce payments, you should tracks their respective chargeback rates separately as well. Implementing this best practice enables merchants to pinpoint the card acceptance type that generates the most chargebacks and needs the most help.

Recovering Losses through Collections

Often customers are responsible for transactions that are charged back to your business. Merchants should employ the following best practices to attempt to recover such losses:

  • Using e-mail collection messages and letters to collect low-dollar amounts. If a customer claims that a transaction was fraudulent but you have determined that the customer has actually received the goods or services, you should contact the customer directly to recover the chargeback amount. For low-dollar-amount transactions, the most cost-effective tools at your disposal are the email and the letter. Send one to the customer requesting that the amount at issue is paid in full by a certain date. If you have received a letter from your customer as part of the transaction dispute, try to address the customer concerns and resolve the issue in a way that is mutually satisfactory.
  • Using phone calls in your collection efforts. Customers who do not respond to emails and letters should be contacted by phone. Once again you should firmly request that the outstanding balance is paid in full by a certain deadline.
  • Using collection agencies. Customers who do not respond to your internal collection efforts should be outsourced to external collection agencies. Collection agencies are generally paid on a contingent basis. Their rates vary depending on a multitude of factors, including total amount of the accounts, average account balance, age of the accounts, etc. Before selecting a collection agency, you should thoroughly evaluate the candidates and check their references. Make sure that they have experience working with other businesses in your industry and that their recovery rates are adequate.


eCommerce Risk Management Guide

ECommerce Risk Management Guide

Accept Payments on Your Website

Accept Payments on Your Website

  • Accept All Major Cards Core: Plus:
  • High Risk Tolerance
  • TMF Merchant Acceptance
  • Chargeback Flexibility
  • Internationals Welcome
  • Multi-Currency Settlement
  • Full PCI Compliance
Accept Payments by Phone

Accept Payments by Phone

  • Accept All Major Cards Core: Plus:
  • High Risk Tolerance
  • TMF Merchant Acceptance
  • Chargeback Flexibility
  • Internationals Welcome
  • Multi-Currency Settlement
  • Full PCI Compliance
Accept Payments at Your Store

Accept Payments at Your Store

  • Accept All Major Cards Core: Plus:
  • High Risk Tolerance
  • TMF Merchant Acceptance
  • Chargeback Flexibility
  • Internationals Welcome
  • Multi-Currency Settlement
  • Full PCI Compliance
Enter your contact information
  1. (required)
  2. (required)
  3. (required)
  4. (valid email required)
Tell us about your business
  1. (required)
  2. (required)
  3. (required)
  4. (required)
  5. (required)
 

Enter your contact information
  1. (required)
  2. (required)
  3. (required)
  4. (valid email required)
Tell us about your business
  1. (required)
  2. (required)
  3. (required)
  4. (required)
  5. (required)
 

Enter your contact information
  1. (required)
  2. (required)
  3. (required)
  4. (valid email required)
Tell us about your business
  1. (required)
  2. (required)
  3. (required)
  4. (required)
  5. (required)
 

RapidSSL Trust Mark