Payment Card Acceptance Best Practices Guide payment processing settled

Payment Card Acceptance Best Practices Guide

UniBul Merchant ServicesPayment Card Acceptance Best Practices Guide was developed to help merchants process transactions in a way that is compliant with the latest industry regulations for protecting cardholders’ personal information and verification of the validity of transactions. Complying with these rules will ensure that merchants increase their profitability by:

  • Getting the lowest possible processing rates.
  • Minimizing fraudulent transactions.
  • Reducing chargebacks.

1. Website Requirements

Certain content or features should be clearly displayed on your website. These elements are intended to promote ease of use for your customers and reduce potential disputes and chargebacks.

1.1 Customer service contact information.
Customer service telephone number as well as email address should be clearly displayed on every page of the website, on shipping materials and on monthly statements. If customers cannot contact you, they will contact their card issuer which may result in a chargeback.

1.2 Policies.
Return, refund, cancellation and delivery policies should be available to online customers through clearly visible links on your home page. You should also provide ?Ç£click-through?Ç¥ confirmation for important elements of the policy. For example, when purchasing tickets for a sporting event, customers should be able to click on a button – Accept or I Agree – to acknowledge that they understand the tickets are non-returnable unless the event is postponed or canceled. This will help your processor fight chargebacks and win representments. Any restrictions on delivery should be clearly posted on the website.

1.3 Order and refund confirmations.
Send email confirmations and summaries within one business day of processing orders and refunds. State time frames for refunds and indicate that a full billing cycle may be needed for the issuer to apply the credit to the cardholder?ÇÖs account.

2 Transaction Processing

The Credit Card Associations have established a range of fraud-prevention policies, guidelines and services. Implementing these tools and best practices will help protect you from fraudulent transactions and will reduce chargebacks.

2.1 Cardholder information.
If the shipping address differs from the billing address, follow-up with a phone call or an email to verify the order. Be sure to ask for a phone number in your order form.

2.2 Card information
Get the cardholder?ÇÖs name and the card number and type (most consumers do not know that a card?ÇÖs type can be determined by the card number), the card?ÇÖs expiration date (make sure it is in the future) and the card ID – the CVC2, CVV2 or CID number, located on the back of the card (or on the front for American Express cards). The card ID serves to ensure that the customer is in possession of the card.

2.3 Implement Verified by Visa and MasterCard SecureCode.
The Associations introduced these tools to help merchants fight fraud and reward merchants who use them with very strong representment rights.

2.4 Always use AVS.
The Address Verification Service (AVS) allows you to check a cardholder?ÇÖs billing address. The perpetrators of fraud often do not know the account?ÇÖs correct billing address.

2.5 Only ship to an AVS verified address.

2.6 Deliver the merchandise or services to the cardholder at the time of the transaction.
If that is impossible, inform the cardholder of the delivery method and the tentative delivery date. Transactions cannot be deposited until goods or services have been delivered.

2.7 Do not use voice authorizations.
They bypass the processors?ÇÖ systems and cannot be used as supporting evidence in chargeback representments.

2.8 Each deposit should refer to one authorization.
Do not use forced authorizations.

2.9 Ship within seven days of authorization.
Otherwise you should obtain a new authorization.

2.10 Deposit transaction receipts within three days of the transaction date.
For card-not-present transactions, the transaction date is the ship date, not the order date. Transactions deposited more than 30 days after the original transaction date may be charged back to you.

2.11 Use the same transaction ID returned from your auths for your deposit and refund transactions.
This eliminates deposits of refunds where auths have not been performed and can substantially reduce fraud.

3 Payment Card Industry (PCI) Data Security Standard (DSS)

3.1 What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
In 2006 all major credit card companies joined forces to create the Payment Card Industry (PCI) Data Security Standard (DSS). It is the first unified data security standard that Visa, MasterCard, American Express, Discover and JCB released to address the growing problem of data security compromises in the payment card industry. Prior to its release, the credit card companies used proprietary tools to fight unauthorized data management. The best known among them are Visa?ÇÖs Cardholder Information Security Program (CISP) and MasterCard?ÇÖs Site Data Protection (SDP).

3.2 Who must comply with the PCI DSS?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. All merchants must comply with this standard and periodically review their compliance. Failing to do so can result in significant fines and, potentially, in cancellation of their merchant accounts.

3.3 What data can you store?
The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether storage of each data element is permitted or prohibited; and if each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.

Data Element





Cardholder data

Primary account number (PAN)



Cardholder name*



Service code*



Expiration date*



Sensitive authentication data**

Full magnetic stripe






PIN / PIN block



* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of these data or proper disclosure of a company’s practices if consumer-related personal data is being collected during the course of business. PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted.
**Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

3.4 PCI DSS requirements.
The following requirements comprise the PCI DSS requirements.

3.4.1 Install and maintain a firewall configuration to protect cardholder data.
All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees?ÇÖ Internet-based access through desktop browsers, or employees?ÇÖ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

3.4.2 Do not use vendor-supplied defaults for system passwords and other security parameters.
Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

3.4.3 Protect stored cardholder data.
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed and not sending PAN in unencrypted e-mails.

3.4.4 Encrypt transmission of cardholder data across open, public networks.
Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit.

3.4.5 Use and regularly update anti-virus software or programs.
Many vulnerabilities and malicious viruses enter the network via employees?ÇÖ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

3.4.6 Develop and maintain secure systems and applications.
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

3.4.7 Restrict access to cardholder data by business need-to-know.
This requirement ensures critical data can only be accessed by authorized personnel.

3.4.8 Assign a unique ID to each person with computer access.
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

3.4.9 Restrict physical access to cardholder data.
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hard copies, and should be appropriately restricted.

3.4.10 Track and monitor all access to network resources and cardholder data.
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

3.4.11 Regularly test security systems and processes.
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.

3.4.12 Maintain a policy that addresses information security for employees and contractors.
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.

3.5 Merchant level definitions for PCI certification.

Merchant Level


Level 1

Level 1 are merchants processing over 6 million Visa or MasterCard transactions per year.

Level 2

Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.

Level 3

Level 3 are merchants processing from 20,000 to150,000 Visa or MasterCard transactions per year.

Level 4

Level 4 are all merchants not included in Levels 1, 2 or 3.

3.6 PCI certification requirements by merchant level.

Merchant Level

Annual On-Site Review

Annual Self-Assessment

Quarterly Security Scans

Level 1

Required by a certified 3rd party


Required by a certified 3rd party for external IP addresses.*

Level 2


Required to complete questionnaire.**

Required by a certified 3rd party for external IP addresses.*

Level 3


Required to complete questionnaire.**

Required by a certified 3rd party for external IP addresses.*

Level 4


Recommended Annually.

Recommended Annually.

*Internet accessible.
**PCI self-assessment questionnaire.

You can access the latest version of the Payment Card Industry?ÇÖs Data Security Standard here.

4 Chargebacks

4.1 Overview.

A chargeback is a transaction that an issuer returns to a merchant bank – and most often, to the merchant – as a financial liability. In essence, it reverses a sales transaction, as follows:

  • The card issuer subtracts the transaction dollar amount from the cardholder?ÇÖs credit card account. The cardholder receives a credit and is no longer financially responsible for the dollar amount of the transaction.
  • The card issuer debits the merchant bank for the dollar amount of the transaction.
  • The merchant bank will, most often, deduct the transaction dollar amount from the merchant?ÇÖs account. The merchant loses the dollar amount of the transaction.

For merchants, chargebacks can be costly. You lose both the dollar amount of the transaction being charged back and the related merchandise. You also incur your own internal costs for processing the chargeback. On top of that, if your chargebacks amount to more than one percent of your card sales volume, you may be fined and ultimately, lose your merchant account.

4.2 Chargeback reasons.

The most common reasons for chargebacks are:

  • Customer dispute. A customer may dispute a transaction because a credit was not issued when the customer expected it to be; merchandise was not received; a service was not performed as expected; the purchase was fraudulent. Most of these reasons indicate customer dissatisfaction and addressing their causes should be an integral part of your sales and customer service policies. Please refer to the ?Ç£Transaction Processing?Ç¥ section of this guide for guidance.
  • Fraud.
  • Processing errors.
  • Improper authorization.
  • Inaccurate transaction information.

Although you probably cannot avoid chargebacks completely, you can take steps to reduce or prevent them. Many chargebacks result from easily avoidable mistakes, so the more you know about proper transaction-processing procedures, the less likely you will be to inadvertently do, or fail to do, something that might result in a chargeback.

4.3 Your responsibility.
The main interaction in a chargeback is between the card issuer and the merchant bank. The issuer sends the chargeback to the merchant bank, which may or may not need to involve the merchant who submitted the original transaction. This processing cycle does not relieve merchants from direct responsibility for taking action to remedy and prevent chargebacks. In most cases, the full extent of your financial and administrative liability for chargebacks is spelled out in your merchant agreement.

4.4 Chargeback remedies.
Even when you do receive a chargeback, you may be able to resolve it without losing the sale. Simply provide your merchant bank with additional information about the transaction or the actions you have taken related to it. For example, you might receive a chargeback because the cardholder is claiming that credit has not been given for returned merchandise. You may be able to resolve the issue by providing proof that you submitted the credit on a specific date. Send this information to your merchant bank in a timely manner.

4.5 Avoiding chargebacks.

Most chargebacks result from inadequate payment processing procedures and can be prevented with appropriate training. The following best practices will help you minimize chargebacks:

  • Always conduct an AVS check and ensure that you received a ?Ç£positive AVS,?Ç¥ i.e. Address + 5 ZIP or Address + 9 ZIP.
  • Only ship to a billing address with an approved AVS response.
  • Obtain evidence of receipt of goods (e.g. signed shipping receipt).
  • Use ?Ç£Verified by Visa?Ç¥ and MasterCard?ÇÖs ?Ç£SecureCode?Ç¥ programs (for eCommerce only), which guarantees the card was used legitimately by its owner and gives you strong representment rights.
  • Require a card ID (CVC2, CVV2 or CID), the 3- or 4-digit code on the back of the card (or on the front for American Express cards).
  • Process refunds as quickly as possible.
  • Notify consumers in writing (e-mail or regular mail) when a refund has been issued or a membership canceled. Provide them with the date of refund and a cancellation number, applicable.
  • Always provide a clear billing descriptor and phone number so the consumer can contact you directly rather than calling their bank to discuss any dispute.
  • Always provide a clear contact phone number on your website for consumers to contact you directly rather than calling their bank to discuss any dispute.
  • State terms and conditions of the sale (or membership) clearly and in plain view.
  • Use e-mail to notify the consumer at each billing cycle.
  • Obtain a signature from the cardholder giving you permission to charge their card on a regular basis for monthly fees or recurring payments.
  • Make it very easy for members or subscribers to cancel ?Çô have a ?Ç£no-questions-asked?Ç¥ policy.
  • Authorizations must always be done for every deposit.
  • Deposits must not exceed the amount you have authorized.
  • Authorizations must be ?Ç£positive.?Ç¥
  • Avoid using voice authorizations.
  • Avoid recycled authorizations?Çô get a new authorization for each deposit.
  • If you are settling a transaction with an authorization more than 7 days old, you must reauthorize the transaction. You may receive a better interchange rate because the authorization will be closer to the date of the deposit.

5 Optimizing Processing Fees

5.1 Understanding card transaction processing fees.
Unfortunately, statements from payment processors don?ÇÖt always tell the full story and often leave out hidden costs that are difficult to keep track of, especially in processing bank card transactions from Visa and MasterCard. (American Express, Discover, and specialized cards like Carte Blanche are handled directly by the card issuers, who have significantly less opportunity to introduce questionable fees.)

When a customer uses Visa or MasterCard to pay for a product or service, you pay a compound fee, the largest portion of which is the interchange. This fee goes to the card issuer and consists of:

  • A percentage of the purchase (for example 1.8%).
  • A small transaction fee (for example $0.10).
  • A tiny transaction percentage fee (less than 0.1%), which goes to the Card Association, referred to as the ?Ç£Assessment?Ç¥.

In addition, your payment processor charges you another fee, either per transaction or bundled with the interchange and assessment. If the latter, the resulting charge is called the discount. The discount in turn can be a flat percentage, or like interchange, it might consist of a percentage fee plus a per-item charge.

Sound confusing? Well, it is. If your fees are bundled and contain a percentage component, it is virtually impossible to determine what you are paying the individual players.

This can make a real difference. Since August 2003 debit cards have enjoyed a lower interchange rate. If you are paying a bundled rate, and this rate did not decrease at that point, you are probably missing out on an interchange reduction opportunity. In fact, you may be paying up to 25 basis points in extra interchange on up to 50% of your orders. Instead of going to you, this interchange windfall stays with your payment processor.

If you are paying a bundled discount rate, you should seriously pursue different pricing terms, paying for the interchange and assessments on a pass-through basis. Under this scenario, you and your processor agree to an independent fee which the processor receives for each transaction. It can be percentage based, or it can be transaction based. Of course, good reporting plays a big role in making this system work and is important in quickly identifying downgrade issues.

5.2 Common problems with fees and payments.

5.2.1 The refund trap.
What happens to interchange when you process a refund? In theory, the card issuer should return the interchange to the merchant. In practice, the issuer actually returns the interchange back to the payment processor and in many cases the payment processor keeps the returned interchange.

If your refunds average more than 10% of sales, this missing rebate can really add up. If your processor charges a 2.3% discount rate and they are not rebating interchange on returns, that 2.3% can become an effective rate of 3% or higher. Of course, average ticket price must be considered in the calculation, but you can see the potential for this hidden cost.

5.2.2 Dial-up blues.
Many payment processors offer some sort of ?Ç£fast-batch?Ç¥ authorization, providing real-time processing by the Card Associations without the need to drop off files and pick them up later. If you?ÇÖre using a dial-up connection, and the transmission is interrupted, the batch must be retransmitted which can result in orders being authorized a second time (or more, if it happens multiple times), and you pay for this. Worse, your customer?ÇÖs credit limit will be reduced each time the authorization is retransmitted.

A reasonable standard for authorizations is no more than 110% of sales (for every 10 orders you should have about 11 authorizations, which allows for decline resubmissions and renewal of authorizations for shipping back orders after the original authorization has expired). Individual merchants may have higher rates, but if your authorization-to-settlement ratio exceeds 130%, you should certainly have a closer look.

There are instances of merchants paying tens of thousands of dollars in excess charges, resulting from their processors?ÇÖ mismanagement of fast-batch transmissions.

5.2.3 The problem with downgrades.
Interchange is actually a general term describing dozens of rates legislated by the Card Associations, depending on a variety of factors related to the sale and the way the charge is processed. When a transaction fails to meet all of the necessary standards, the merchant receives a less-than-optimal interchange rate. This is known as a downgrade. Most likely, your payment processor will report downgrades as ?Ç£non-qualified?Ç¥ transactions. But many processors simply lump all of the downgrades together and report them as a miscellaneous fee.

Rule of thumb: if your downgrades or miscellaneous fees exceed 10%, you have a problem.

To protect the integrity of their system, the Associations do not publish their rules and regulations or the processing standards required to get the lowest interchange rate. It?ÇÖs up to your payment processor to know and implement them to your benefit. A high downgrade rate may indicate that your processor doesn?ÇÖt know the standards, or may be reluctant to implement best practices or new rules changes.

Please be advised that such problems may arise from the way you process your orders, and may have little to do with your payment processor. Yet, even if the cause originates with your business practices, your processor should be reviewing your account and suggesting ways to reduce these downgrades.

5.3 How can you avoid hidden fees?

  • First and foremost, have your billing done on a pass-through basis.
  • Establish your own benchmarks and evaluate the cost-effectiveness of your own business rules and the effect of other factors on your processing fees.
  • Finally, work with your processor to make sure that you fully understand the basis on which you are being charged for your credit card processing, and monitor and audit those charges on an on-going basis. That will help you set standards and benchmarks, and reduce or eliminate the possibility that you are being unnecessarily or routinely downgraded or otherwise victimized by hidden processing charges.

6 Address Verification Service

6.1 What is Address Verification Service (AVS)?
Address Verification Service (AVS) is a risk management tool for merchants accepting transactions in which neither the card nor the cardholder are present (e.g., mail, telephone order, internet transactions), or in which the card is present but its magnetic stripe cannot be read by a terminal at the point of sale. AVS helps reduce the risk of accepting fraudulent transactions by facilitating verification of the cardholder?ÇÖs billing address with the card issuer. This address information helps you determine whether to accept a particular transaction or to take further follow-up action.

6.2 How does AVS work?
AVS is easy to use. You simply include the street address and ZIP code of the cardholder?ÇÖs billing address in your authorization request to the card processor. The processor compares this information with the respective information at the cardholder?ÇÖs issuing bank, along with other factors (card number, expiration date, etc.) and if approved, issues an AVS code. This additional address information will help you make a more informed decision about whether or not to complete a particular transaction.

6.3 How to use AVS?

To request address verification in a card-not-present situation, follow these steps:

  • Enter the billing address as it appears on the monthly statement.
  • Follow your terminal or computer instructions to enter and send this information.
  • Research the returned AVS result codes.

6.4 AVS Result codes.
One of the following AVS result codes will be returned to you, indicating the response to your address verification request.




Suggested Action


Exact Match

Street address and 5- or 9-digit ZIP code match

Generally speaking, you will want to proceed with transactions for which you have received an authorization approval and an ?Ç£exact match.?Ç¥


Partial Match

Street address matches, ZIP code does not

You may want to follow-up before shipping the merchandise or providing the service. Things to look for in these orders:

  • Larger than normal orders.
  • Orders containing several units of the same item.
  • Orders shipped overnight.
  • Orders shipped to an address other than the billing address.


Partial Match

ZIP code matches, street address does not


No Match

Street address and ZIP code do not match

Typically a strong indicator of fraud, however the cardholder may have moved recently and not yet notified the issuer or the cardholder may have given you the shipping address instead of the billing address. You should:

  • Call the customer to verify the phone number, the address and whether the cardholder has recently moved.
  • Call the issuer to determine whether the name, address and telephone number match the information on file.
  • Use directory assistance or internet search to contact the individual at the billing address and confirm that he or she initiated the transaction.



Address information is unavailable for that account number, or the card issuer does not support AVS

The address information for this account is not available; as a result, address verification cannot be performed. You will also receive this response when an issuer does not support AVS. Since you now have no way to verify the address, you must decide whether to investigate further, proceed, or cancel the transaction. One solution is to fax a credit card slip to the consumers requesting a signature be faxed-back to actually verify the order. This may not be the most cost effective means for all international orders, so an order dollar amount most likely should be established to determine which orders to perform this on.



Address information not verified for International transaction



Issuer authorization system is unavailable, retry later

The issuer?ÇÖs authorization system may be down (not working). Try your AVS request again later.

*U.S. merchants use the “G” result code to identify internationally-issued cards.

Caution: When you receive a ?Ç£partial match?Ç¥ or ?Ç£no match?Ç¥ AVS response, you should take appropriate steps to assure yourself that the customer is not acting fraudulently. Simply asking the customer for another card will not reduce your risk if the card is being used fraudulently.

Declines can be handled politely by displaying a message that states ?ǣWe are unable to process your order at this time, if you wish to continue your purchase, please call1-800?Ǫ?ǥ At that time the merchant may be able to obtain more information from the customer to verify why the address did not match, such as recently moved. The merchant can also ensure their product is shipped via a delivery service that provides a signed receipt to ensure it was received by the proper person.

6.5 Why is using AVS important?
Obtaining a positive AVS response is one key step to remedy many ?Ç£Unauthorized Use?Ç¥ and ?Ç£Non-Receipt of Merchandise?Ç¥ chargebacks. Without a positive AVS response (on-line) merchants have no dispute rights. AVS is designed to help merchants protect themselves against fraudulent, lost, or stolen credit cards and chargebacks. Visa transactions utilizing AVS are given a better interchange rate than those that do not. You should always be maintaining a customer database or account history files to track buying patterns and compare. Evaluate individual sales for signs of possible fraud. Keep in mind that none of the above by itself means you’re having fraud committed, but check everything. AVS is not foolproof, but a tool to aid merchants to identify possible fraud orders. It should be combined with your own internal fraud detection tools such as CVV2, CVC2 and CID.

7 Card Security Verification

7.1 What is card security verification?
All major credit card companies have implemented a three- or four-digit security code that is printed on the front or back of the card. This added security measure enables a retailer to verify that the buyer has the actual card in hand during a card-not-present transaction, thus reducing fraudulent transactions. Please refer to the table below for information on the card security codes for each of the major brands.

Payment card

Security code




Card Verification Value 2

Located on the back of all Visa cards, the CVV2 consists of the last three digits printed on the signature panel.



Card Verification Code 2

CVC 2 is a three-digit code indent printed on the signature panel of MasterCard cards.



Card Identification Number

CID is a three-digit code printed on the signature panel of Discover cards.

American Express


Card Identification Number

CID is a four-digit code printed above the card number on the front of American Express cards.

7.2 How do card security codes work?

7.2.1 The merchant asks the customer for the security code and sends it to the card issuer as part of the authorization request.

7.2.2 The card issuer checks the security code to determine its validity, and then sends a result code back to the merchant along with the authorization decision.

7.2.3 The merchant evaluates the result code, taking into account the authorization decision and any other relevant or questionable data.

7.3 Card security result codes and suggested actions.

Result code


Suggested Action

M – Match

The number given by the customer matches the one on file with the issuer.

Complete the transaction (taking into account all other relevant or questionable data).

N – No Match

The number given by the customer does not match the one on file with the issuer.

View the “No-Match” as a sign of potential fraud and hold the order for further verification.

P – Request not processed

Processor is not available.

Resubmit the authorization request.

S – Customer reports that there is no security code on the card

Customer cannot locate the security code or is not in possession of the card.

All valid cards are required to have a security code. Consider following up with your customer to verify that he or she checked the correct card location.

U ?Çô Issuer does not support CVC2 or CVV2

Issuer is not certified to use CVC2 or CVV2.

Evaluate all available information and decide whether to proceed with the transaction or investigate further.

7.4 What else should you know about card security verification?

  • Not all payment processors support security codes. You must check to see if it is available on their system.
  • Uncertified card issuers lose chargeback rights for fraudulent Mail Order/Telephone Order (MO/TO) transactions when CVV2 is included in the authorization message.
  • To protect them from being compromised, merchants should never keep or store card security codes once a transaction has been completed. Such action is prohibited and could result in fines.
  • Card security codes are only printed on the cards, they are not contained in the magnetic strip information and do not appear on sales receipts or statements.

7.5 Why should you implement card security verification?
Merchants who implement card security verification benefit in a number of ways:

7.5.1 Enhanced Fraud Protection.
Because card-not-present merchants are at greater risk for stolen account number schemes, you need to be diligent in your fraud control efforts. Implementing card security verification can help a merchant differentiate between good customers and fraudsters. It allows you to make a more informed decision before completing a transaction in a card-not-present environment.

7.5.2 Reduced Chargebacks.
Using card security verification potentially reduces fraud-related chargeback volume by helping you verify that the customer is in actual possession of the card.

7.5.3 Improved Bottom Line.
For card-not-present merchants, fraudulent transactions and fraud-related chargebacks can lead to lost revenue and can also mean extra processing time and costs, which often narrow profit margins. Card security verification complements your current fraud detection tools to provide a greater opportunity to control losses and operating costs.

8 Credit Card Authentication

8.1 What is credit card authentication?
Both Visa and MasterCard offer authentication services enabling issuers to verify a cardholder’s account ownership during an online purchase. With Verified by Visa (VbV) and MasterCard SecureCode, consumers are assured that using a bankcard online is as safe as using it at a local merchant. And merchants are fully protected from issuer chargebacks on transactions which have been fully authenticated. Since the transaction is authenticated by the issuing bank, the merchant will be paid. Merchants no longer need to bear the risk or the cost of fraud.

8.2 How does credit card authentication work?
When a cardholder shops at a participating VbV or SecureCode merchant site, the checkout process remains the same until the “buy” button is selected. If the bankcard is registered with a participating issuer, consumers will be asked for their VbV password or their SecureCode issuer specific access credentials. Through this simple checkout process, the bankcard issuer confirms a consumer’s identity in real time.

8.3 What do merchants have to do to participate?
Merchants must deploy a software module (referred to as a merchant plug-in) or develop their own software capabilities to support VbV and SecureCode. This software allows merchants to pass cardholder credentials to the cardholder registration servers, and receive responses. Merchants must capture and send authentication data to their processor. Note: Certified Merchant Plug-In (MPI) software vendors work directly with merchants to implement solution.

8.4 Why should you implement credit card authentication?
Implementing credit card authentication improves the security of payment transactions in the electronic commerce environment over open networks. It increases both cardholder and merchant confidence in internet purchases, and reduces disputes and fraudulent activity related to the use of payment cards.

8.4.1 Reduce fraud.
The participating merchant gets explicit evidence of an authorized purchase (authentication data) – all with minimal cost impact and time investment.

8.4.2 Minimize chargebacks.
Once merchants have deployed SecureCode and Verified by Visa, it?ÇÖs up to the issuer to authenticate its cardholders for online transactions. The authentication data, together with an authorization approval, gives the merchants a transaction that is guaranteed against the most common types of chargebacks ?Ç£cardholder not authorized?Ç¥ and ?Ç£cardholder not recognized?Ç¥ chargebacks.

8.4.3 Increase cardholder confidence.
MasterCard research shows 90% of online non-buyers worry that their personal and financial information may fall into the hands of hackers. Seventy-one percent are concerned about credit card fraud. On the other hand, more than 70 percent of consumers surveyed by Visa indicated that they would be more likely to make purchases at websites that support Verified by Visa.

8.4.4 Simple set-up.
No special software or digital wallet are required. To get started, all merchants need to do is contact their transaction processor to ensure processing support and to update their site to include the plug-in application. The initial and ongoing costs are minimal.

9 Recurring and Installment Payments

9.1 Definitions and distinction.

9.1.1 Recurring payments.
With recurring payments, the consumer authorizes a merchant or service provider to bill a specific card on a regular basis (e.g., monthly, quarterly or annually). Payment amounts can be fixed or fluctuate, and a payment agreement can exist indefinitely.

9.1.2 Installment payments.
Installment payment is a single purchase of goods and services billed to an account in multiple segments, over a period of time agreed between a cardholder and a merchant.

9.1.3 Distinction between recurring and installment payments.
The distinction between the two transactions is that, a recurring transaction is payment for goods or services that are received over time, however, an installment transaction represents a single purchase, with payment occurring on a schedule agreed by a cardholder and merchant.

9.2 Recurring and installment payments best practices.

The following best practices will help merchants manage recurring and installment transactions effectively:

  • Allow customers to choose the billing date. This will help ensure that the cardholder?ÇÖs funds are available.
  • Inform the cardholder the name that will be presented. Utilize soft billing descriptors to ensure that cardholders can easily recognize charges on their statements (see next section).
  • On the first billing, ask the cardholder for the billing address as it appears on their statement and if different, the complete ?Ç£ship to?Ç¥ name and address.
  • Provide a clear statement of the cancellation policy on the cardholder?ÇÖs agreement or on your website. That will help minimize chargebacks.
  • Provide the cardholder with clear information concerning the billing arrangements and all charges related to the delivery of goods and services. If billing information is provided online, send a pre-authorization reminder 14 days prior processing event.
  • For internet transactions, require the cardholder to click an ?Ç£Accept?Ç¥ button on the disclosure statement to confirm they have read your terms and conditions.
  • On the first transaction, utilize AVS and card security codes.
  • Ensure that billing is discontinued immediately upon the cardholder fulfilling the cancellation terms. Provide the cardholder with cancellation confirmation including when the last billing will occur if it has not occurred already, or if a credit is due, when it will be processed. This will help minimize chargebacks.
  • Process credits promptly.
  • Ensure that the cardholder is notified when goods or services cannot be delivered or provided on the agreed-upon date. This will help minimize chargebacks.
  • Provide the cardholder with a toll-free phone number for customer service inquiries and cancellation requests.
  • Ensure that an authorization request is approved for all payments before submitting them for clearing.

9.3 Merchant pre-billing notification.
Merchants who provide this type of customer notification prior to submitting an authorization request for a recurring transaction should see fewer disputes when done regularly. Following is a sample of such a notification.

To: customer From: merchant
Subject: Recurring transaction notification Date: 3 May 2004 03:15:02 -0500

Dear Customer Name,

This email confirms your authorization* of the
transaction listed below, entered on 5/3/2004 at 3:14:49 AM
has been processed and will be debited from your

Transaction Origination Date: 5/3/2004
Name on Account: Cardholder Name
Amount: $14.95
Description: Approved recurring charges on 2008-04-03

*You have authorized Merchant Name Services, Inc and your
financial institution to initiate the transaction
detailed below. You have acknowledged that the origination
of debit or credit transactions to your account must comply with
the provisions of local laws. This authorization is to
remain in full force and effect until Merchant Name Services,
Inc has received written notification from you of its
termination in such time and manner as to afford
Merchant Name Services, Inc and your financial institution a
reasonable opportunity to act on it.

Processed for: Merchant Name Services, Inc
Phone #: 800-111-1111
Email: merchant

10 Billing Descriptors

10.1 Types and definitions.

10.1.1 Default billing descriptor.
Default billing descriptor is the description of your company that appears on the cardholder?ÇÖs credit card statement. In order to qualify for the lower interchange rate offered to merchants operating in a card-not- present environment (Visa: CPS; MasterCard: Merit 1), the company name and a customer service number must appear in this field. If your company offers a single product or service this descriptor would be sufficient. For example:

ABC SERVICES 800-111-2345.

10.1.2 Soft billing descriptor.
The soft billing descriptor allows the description field in the cardholder?ÇÖs statement to be modified to include a more detailed description of the transaction. The merchant?ÇÖs name is usually truncated to three letters plus an asterisk followed by a short description of the service or product being billed. Note that this field is typically limited to 25 characters (excluding the phone number). Be sure to check with your processor to see if they support this feature and for their format requirements. For example:

ABC* Instant Oil Change 800-111-2345.

10.2 Why should you use billing descriptors?

By utilizing billing descriptors, merchants can make it easier for cardholders to recognize charges on their statements While it is essential that all merchants make proper use of the description field, this is especially important for merchants who offer more than one product or service. Good billing descriptors:

  • Reduce customer inquiries.
  • Minimize chargebacks.
  • Improve your bottom line.

To learn more about card payment processing, contact our sales department at:

617.861.6101 ?Çô phone; ?Çô email.

Or send us your feedback at:

Payment Card Acceptance Best Practices Guide

Payment Card Acceptance Best Practices Guide

Accept Payments on Your Website

Accept Payments on Your Website

  • Accept All Major Cards Core: Plus:
  • High Risk Tolerance
  • TMF Merchant Acceptance
  • Chargeback Flexibility
  • Internationals Welcome
  • Multi-Currency Settlement
  • Full PCI Compliance
Accept Payments by Phone

Accept Payments by Phone

  • Accept All Major Cards Core: Plus:
  • High Risk Tolerance
  • TMF Merchant Acceptance
  • Chargeback Flexibility
  • Internationals Welcome
  • Multi-Currency Settlement
  • Full PCI Compliance
Accept Payments at Your Store

Accept Payments at Your Store

  • Accept All Major Cards Core: Plus:
  • High Risk Tolerance
  • TMF Merchant Acceptance
  • Chargeback Flexibility
  • Internationals Welcome
  • Multi-Currency Settlement
  • Full PCI Compliance
Enter your contact information
  1. (required)
  2. (required)
  3. (required)
  4. (valid email required)
Tell us about your business
  1. (required)
  2. (required)
  3. (required)
  4. (required)
  5. (required)

Enter your contact information
  1. (required)
  2. (required)
  3. (required)
  4. (valid email required)
Tell us about your business
  1. (required)
  2. (required)
  3. (required)
  4. (required)
  5. (required)

Enter your contact information
  1. (required)
  2. (required)
  3. (required)
  4. (valid email required)
Tell us about your business
  1. (required)
  2. (required)
  3. (required)
  4. (required)
  5. (required)

RapidSSL Trust Mark