Tuesday, June 5, 2012

Policies for eCommerce Merchants

When constructing their websites, merchants doing business over the internet should take into consideration the following policies:
  • Information security policy. Consumers expect that eCommerce merchants protect the personal information they provide during a transaction. They also expect that merchants describe the measures and procedures they have established to keep sensitive account data save. For a better customer experience, eCommerce merchants should consider implementing the following best practices on information security:
    • Educate customers about your security practices. Create a page that details your website's security practices and controls. Consider including in it the following:
      • Explain in details how payment information is protected at all stages of the transaction process: during transmission, while on your server and at your physical work site.
      • Make the page available to all visitors to your website. You should consider placing a link to it in your home page. Placing a link in your header or footer will make the page accessible from any page of your website.
    • Include security tips in a FAQ page. Create a FAQ page and include in it questions and answers on how customers can protect themselves while shopping online.
    • Add the logos of fraud prevention services that you are using. Place on your website the logos of all fraud prevention and data protection services that you are using.
    • Warn customers against sending payment information by email. Email is not a secure way to do business, however some customers are not aware of that. To protect their personal information you should highlight your security practices on your website and in your email correspondence. Advise customers that:
      • Email is an insecure method of communication and should never be used for transmitting account data or other sensitive information.
      • Your website's encryption services ensure that personal information is protected from unauthorized access and provides the safest way for shopping online.
  • Payment choice selection. Customers should be provided with clear payment choices at the checkout. Unfortunately there are a number of ways in which a customer can get confused when selecting a payment choice. For example options such as "Debit" and "Credit" can be misleading as their meaning may be interpreted differently, depending on the customer's understanding. Providing the option of selecting a payment brand gives the customer a clear payment choice. It is easy to distinguish a Visa card from a MasterCard or an American Express. You should consider placing a menu of radio buttons for each card brand that your payment processing account supports. It is also a good idea to use each brand's logo next to the button.

    Once a customer selects the brand of card that they want to use as payment, you should make sure that their choice is honored. Merchants are allowed to suggest a form of payment or to display their preferred choice but you cannot mislead or confuse the customer or omit important information in the process. The customer has the right to use whatever payment method he or she chooses, provided it is supported by the merchant and once the selection is made, the merchant should facilitate the processing of the transaction.

    Merchants are not allowed to charge customers additional fees for selecting to use credit or debit cards for payment for products or services. It is allowed, however, to offer a discount if a customer selects to pay in cash, for example. Also, if a merchant accepts card payments, cards should be accepted for all amounts. It is not allowed to set limits on transaction amounts for card payments. Merchants can lose their card payment processing accounts if they do not comply with these requirements.

  • Account number verification. The merchant has a responsibility to verify the card account number at the point of sale, during the transaction process. It is also in your own best interest, as every unauthorized or fraudulent transaction will most likely result in a chargeback. Most point-of-sale terminals allow merchants to verify that the account number embossed on the front of the card is the same as the account number encoded in the magnetic stripe of the card. The exact verification procedure will depend on the type of terminal used at your store. Some terminals will display the information contained in the magnetic stripe or will print it on the sales receipt. Others will check the numbers electronically. The latter type of terminals will need the merchant to input the last four digits of the embossed card number and compare the provided information with the one stored in the magnetic stripe.

    If you are using a terminal that displays or prints the account number on the sales receipt, it will usually use the last four digits of the number. If the numbers do not match, you will receive a "No Match" message. In such instances you should make a "Code 10" call.

    The Credit Card Associations now require that point-of-sale terminals truncate card account numbers when printing them on sales receipts. This means that only the last four digits of the account number should be printed on a sales receipt and the expiration date should not be shown at all. This is intended to be an additional preventive measure to protect consumers against card processing fraud.

  • Billing policy. ECommerce merchants should develop a thorough policy regulating the terms and conditions of their billing procedures and should make it available to customers at the time of purchase. Your policy should include the following information:
    • Inform your customers when their cards will be charged.
    • If you are using a third party to do your billing, inform your customers how the transaction will be reflected on their credit card statement (provide the third-party service provider's name and the transaction amount). Providing these details will help customers recognize your transaction and minimize the chance that they will file a dispute with their card issuer, initiating a chargeback.
    • Encourage your customers to retain a copy of the transaction.
    Be advised that it is very important that you do not charge your customer's card before the product has been shipped. Cardholders today can review their transactions in almost real time and, if they see a charge on their accounts without having received the item or at least a delivery notification, they are likely to contact their card issuer and dispute the transaction.

    If your organization provides digital content, your policy should also include the following best practices:

    • You should never charge your customer's account before the service is actually accessed on your website with the applicable password.
    • You should avoid the use of negative renewal options or other marketing techniques that may create the impression that the product is free.
    • You should communicate with your customer all special restrictions before the sale is completed.
    Lastly, be sure to include in your billing policy the transaction currency that will be used to complete the transaction. Remember that eCommerce merchant websites are accessible from all over the world and, unless there are special restrictions, your customers may be located anywhere. Clearly state the currency, especially if it is not unique (a dollar may be Australian, New Zealand, Hong Kong or U.S.). Be advised that merchants cannot convert transaction amounts into different currencies. You may, however, display equivalent amounts in different currencies, but they must be clearly indicated for information purposes only.

  • Customer service access. Providing an easy way for customers to contact you is invaluable in creating customer loyalty and preventing disputes and chargebacks. Customers are likely to have questions or concerns regarding their purchases and they expect, and have the right to, that these concerns are addressed in a timely manner. Consider implementing the following best practices into your customer service procedures:
    • Provide an email inquiry form. You should display email "Contact Us" options on your website and make them easily accessible. Consider providing different email contacts for your support and sales departments as well as for shipping information.
    • Develop an email inquiry response policy. You should implement an auto-response email program to acknowledge receipt of inquiries and provide a time frame for your response. Once you do that, you should make sure that you have sufficient staff available to handle the inquiries within the set time limit.
    • Monitor your customer service to ensure that your organization's inquiry response policies are being implemented adequately.
    • Provide a toll-free number to contact your customer service department and display it prominently on your website. Providing a toll-free contact number is key for ensuring the highest level of customer satisfaction and preventing disputes and chargebacks. Many consumers prefer having their questions and concerns addressed in a conversation with a live person and are uncomfortable or unwilling to use the email response system. Make sure that you have adequate staff to respond to telephone inquiries in a timely manner.
  • Card-not-present fraud prevention guidelines. The ability to accept card payments over the phone, in the mail or online makes possible the existence of mail order, telephone order and eCommerce businesses. It is a very convenient payment method for both consumers and merchants. There are, however certain challenges that both industries face when it comes to fraud protection, challenges that are very different from the ones a merchant operating in a card-present environment faces. Because payment processing transactions are done in the virtual domain, the merchant never gets to see either the card or the cardholder. The only way to obtain the consumer's account details is to rely on the information, provided by the consumer himself. The good news is that there are a number of fraud protection services which, combined with a set of best practices, implemented and followed scrupulously, will help both direct marketing and eCommerce merchants reduce fraud and improve their bottom line.

    Following is a list of guidelines to help merchants operating in the virtual world reduce fraud.

    • Always authorize all transactions. Be advised that the floor limit for all card-not-present transactions is zero which means that you should request an authorization for every single one of them, no matter what the transaction amount. Not obtaining authorization leaves you helpless against both fraud and customer disputes.
    • Always obtain the cards' expiration dates. You should always ask your customer to provide his or her card's "Good Through" date. It is another way to verify that the customer is in a physical possession of the card at the time of the transaction.
    • Always obtain the card security verification codes. Card Security Verification is the 3- (for Visa, MasterCard and Discover) or 4-digit (for American Express cards) non-embossed numeric code on the back (for Visa, MasterCard and Discover) or the front of a payment card (for American Express). Obtaining the Card Verification Code in a card-not-present transaction is another, and very powerful, tool to verify that your customer is in actual possession of the card. Be advised that you should never store Card Verification Codes in your system. It is prohibited by the Credit Card Associations and violators may be assessed significant fines.
    • Always use AVS. The Address Verification Service (AVS) allows merchants to verify the authenticity of the billing address that a cardholder has provided at the checkout. It works by routing the provided address, through the Credit Card Associations, to the card issuer. The Issuer then compares the provided address to the one it has on file for its cardholder and responds by issuing a response code which contains the result of its investigation.
    Utilizing the above listed fraud prevention services and implementing the suggested procedures will help eliminate fraud and reduce your chargeback levels. A good payment processing provider should be able to assist you in this process.

  • Visa's CVV2. All major credit card companies have implemented an additional security feature on their credit and debit cards in their continuous efforts to make shopping online and over the phone a safer proposition. Visa's Card Verification Value 2 (CVV2) is a three-digit number printed on the back of every Visa credit or debit card. It is located in the top right corner of the signature panel or immediately to the right of it. It is preceded by the last four digits of the card's account number, printed in the signature panel. CVV2 was introduced to serve as an additional fraud prevention measure, to help eCommerce and MO/TO merchants verify that their customers are in a physical possession of their cards. It is a feature that all major eCommerce payment gateways support and your payment processing provider should make it available to you.

    If your organization operates in either the eCommerce or the MO/TO industry, you should follow these procedures when accepting credit and debit cards:

    • Always ask your customers for the last three digits in the signature panel on the back of the card. Do not ask for the CVV2 number as customers will most likely have no idea what this is.
    • Depending on the response the customer gives to your CVV2 request, you should include one of the following indicators in your authorization request, along with the card's expiration date and the account number:
      • "0" - if the CVV2 is not included in the authorization request.
      • "1" - if the CVV2 is included in the authorization request.
      • "2" - if your customer has stated that the CVV2 is illegible.
      • "9" - if your customer has stated that the CVV2 is not on the card.
    • When the card issuer replies with the CVV2 result code, you should take it into consideration, along with all other factors in determining the validity of the transaction. You will receive one of the following result codes:
      • "M" - Match - the CVV2 is valid.
      • "N" - No Match - the CVV2 is not valid, a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVV2 request.
      • "P" - CVV2 request not processed - you should resubmit the request.
      • "S" - the cardholder has stated that the CVV2 is not on the card. The CVV2 code should be printed on all Visa cards. In the case of an "S" response you should verify that the customer is looking for it in the right place.
      • "U" - the card issuer does not support CVV2. In this case you should considering other fraud prevention services.
    Be advised that storing of CVV2 is prohibited. You may store other account information, e.g. cardholder name, account number and expiration date but not the CVV2. Contact your payment processing provider for additional information on using CVV2. It is not only a very effective fraud prevention measure but it also protects against chargebacks as well.

  • Using cookies and passwords. Web browser cookies are an effective tool to help eCommerce merchants recognize and acknowledge existing customers. They simplify the order process for repeat customers by not requesting that they provide payment details that have already been provided during a previous visit. Consider the following suggestions to improve the effectiveness of the use of browser cookies:
    • Use permanent browser cookies to retain non-sensitive cardholder information and preferences to enable repeat customers to order products and services without having to re-enter this information. This simple procedure will help increase customer loyalty as consumers appreciate not having to submit their payment details every time they visit a website.
    • Use browser cookies to maintain active user sessions, but once the session expires, you should request that the user logs in again, regardless of the computer being used.

    You should establish a procedure for existing customers to safely retrieve their forgotten password while protecting their accounts from fraudsters. Consider implementing the following suggestions:

    • When a customer has troubles signing in or claims that he or she has forgotten a password, you should use a customer-provided security data to verify his or her identity. The process should follow these steps:
      • When registering a new account, ask your customer to select a category - such as place of birth, mother's maiden name, favorite sports team - and provide the correct response.
      • If a returning customer has forgotten his or her password, ask the customer for the correct answer to the category that he or she selected at registration.
      • Verify the response and, if correct, prompt the customer to reset their password.
    • Use hints to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
      • Ask the customer during the registration process to select a hint for his or her password.
      • Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.

    For a better customer experience you should try to keep the process of resetting a password simple and have a customer service phone number available for customers to contact you if their attempts fail. Be advised that consumers today have many account profiles on various websites and it is more than possible that they forget a password or a hint. If you receive a call from a customer who cannot reset his or her password, you should verify their identity using personal information that you have on file for them.

  • Required transaction data fields. Requiring customers to fill in certain transaction data fields can help eCommerce merchants detect potentially risky situations. To assess the risk of fraud and minimize potential losses, merchants should define the data fields that will help recognize high-risk transactions and require that customers complete them before purchasing products and services. Key risk fields include the following data:
    • Telephone numbers which can be verified using reverse directory services.
    • Email address, particularly when it uses an anonymous service.
    • Cardholder name and billing address which, too, can be verified using reverse directory services.
    • Shipping name and address, if different from the billing data.
    • Card security codes - the 3- and 4-digit numbers on the back or front of credit and debit cards. If there is a mismatch, you should attempt to review the provided code, particularly if the other risk indicators have shown no mismatches. The customer may have simply provided the wrong number.

    Once you have selected the required fields in your transaction forms, you should indicate that they must be completed before the form is submitted. You can use color to highlight them or bold fonts, or asterisks to achieve that. You should also provide an explanatory note to your customers, informing them that the highlighted fields are mandatory.

  • Merchant direct access service. The Merchant Direct Access Service (MDAS) is a fraud prevention system that provides merchants with access to Address Verification Service AVS by telephone. Developed for smaller direct marketing and eCommerce merchants, MDAS provides AVS service on a pay-as-you-go, per-transaction basis.

    The process of using the Merchant Direct Access Service is pretty straightforward, all you need is a telephone and a Merchant Access Code (MAC) which you will get from your merchant account provider. To request an AVS, you will dial a toll-free number and follow the instructions that the automated system will give you. You will need to provide your customer's address and account number and the system will give you the verification results.

    The responses MDAS provides are very similar to the ones AVS provides but do not include response codes. You will receive one of the following Merchant Direct Access Service responses:

    • Exact Match - it means that both the street address and the ZIP code match and you should proceed and complete the transaction.
    • Partial Match - the street address matches but the ZIP code does not. It is a potential fraud. It is up to you whether to investigate further or to complete the transaction.
    • Partial Match - the ZIP code matches but the street address does not. It is a potential fraud. Depending on the transaction amount, you may decide to investigate further or to complete the transaction.
    • No Match - both the street address and the ZIP code do not match. It is a strong indication of fraud and you should take further steps to validate the transaction.
    • Retry Later - it means that the card issuer's system is unavailable at present. You should resubmit your authorization request later.
    • Global - it means that it is an international address and the system cannot verify it.

    Your merchant account provider is best positioned to provide you with additional information on MDAS and to help you get started. Be advised that both the eCommerce and mail order/ telephone order payment processing solutions require the implementation of robust fraud prevention solutions and AVS is one of the most powerful among them.

  • Validating card information. Validating the provided card information during an eCommerce transaction is a process to help merchants protect themselves from fraudulent transactions. It is recommended that you consider implementing the following suggestions into your card validation procedures:
    • Implement a "Mod 10" card validation procedure before submitting a transaction for authorization. The Luhn algorithm, also known as "Mod 10" algorithm, is a simple formula used to validate a variety of identification numbers, including credit card numbers. Most credit card companies use the algorithm as a simple method of distinguishing valid numbers from collections of random digits. The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits. In order to take advantage of it, you should follow these steps:
      • Ask your merchant services provider for the Mod 10 algorithm.
      • Use the Mod 10 algorithm to check all online transactions before submitting them for authorization.
      • Inform the cardholder immediately if the card fails to pass the Mod 10 validation check, for example "The card number you provided is not valid. Please try again."
      • Do not request authorization until the account number passes the Mod 10 validation check.
    • Display only the last four digits when showing a number to a repeat customer. The last four digits will provide your customer with enough information to identify the card and decide whether to use it or select another payment mode. At the same time this practice will reduce risk and indicate to your customer that you are handling his or her payment information in a secure manner.
  • Split transactions. Split transactions occur when a merchant divides the cost of a single transaction between two or more sales receipts, using a single cardholder account. A merchant may split transactions in an attempt to circumvent authorization limits imposed on its merchant account agreement. Splitting sales is prohibited.

    When a merchant applies for a card payment processing account, one of the questions he or she is asked to answer in the application form is about the expected average sales amount and overall monthly card processing volume. Merchant account providers need this information to help them estimate the merchant's potential risk exposure. Larger average sales amounts, for example, are riskier because, in a case of a customer dispute or a chargeback, the potential loss is larger, compared to smaller amounts. As a result, the merchant's processing rates are given accordingly. Once the payment processing account is established, the processor will monitor the transactions and, if the merchant exceeds its declared sales amount on a regular basis, its rates may be increased or a processing limit may be imposed, or both. That is the reason why a merchant may try to split sales.

    Split sales may be prohibited but split-tender transactions are accepted. Split-tender transactions occur when a customer presents a card to pay for a purchase plus some other form of payment, such as cash or a check or another card. Merchants should set their own policies on whether or not to accept split-tender transactions.

  • Validating cardholder information. Just as validating the authenticity of a card account number is important in making sure that no false cards are used in eCommerce payment transactions, confirming the provided cardholder information ensures that no authentic cards are used by unauthorized persons. The two validation processes are complementing each other, they represent the two sides of the same coin and should both be implemented in every web-based merchant's card acceptance procedures.

    The process of validating a payment card number consists of checking the correctness of the provided customer's telephone number, physical address and email address. The following simple verification steps will help eCommerce merchants identify errors or potential fraudulent activity:

    • Use a telephone area code and prefix table to ensure that the provided area code and prefix are valid for the entered city and state. If mismatches are identified, alert the customer and allow him or her to review the information. Also you should allow re-entering the data as the information initially entered may be valid due to recent additions or changes in telephone area codes.
    • Use a ZIP-code table to verify that the entered ZIP code is valid for the entered city and state. Although changes in ZIP codes are rarer than changes in area codes, you should still allow customers to override alerts as updates do occur or data may be erroneous.
    • Test the validity of the provided email address by sending an order confirmation.
  • Risk management infrastructure. In order to reduce losses resulting from excessive risk exposure, eCommerce merchants must implement internal fraud prevention measures and controls that are designed to their environment's specifics. A dedicated fraud control department can provide the direction that the organization needs to take to fight fraud. Consider implementing the following measures:
    • Establish an official fraud control function. Consider implementing the following suggestions when setting up a fraud control position or department:
      • Elevate fraud detection and prevention to the highest priority.
      • Develop day-to-day objectives that promote profitability, such as:
        • Minimizing the percentage of fraudulent transactions.
        • Minimizing the affect of fraud-prevention efforts on legitimate sales.
        • Minimizing fraud-related chargebacks.
      • Clearly define responsibilities for detecting and reviewing fraudulent transactions.
      • If yours is a larger organization and you have a separate group that deals with chargebacks, you should encourage a close cooperation between the fraud-prevention and chargeback-monitoring groups, as one of the most common causes for chargebacks is fraud.
    • Monitor fraud-control performance. Your fraud-prevention efforts will become more effective if you track areas like:
      • Overall fraud as a percentage of your total sales.
      • Fraud recoveries as a percentage of your total fraud.
      • Speed of reviewing and making decisions on suspicious transactions.
      • Number of complaints from customers regarding legitimate sales.
  • Internal negative file. Establishing and maintaining an internal negative file is an invaluable tool that eCommerce merchants have at their disposal for fighting fraudulent transactions. It will ensure that you will not fall victim multiple times to the same fraudulent account. When building and maintaining an internal negative file, you should make certain to implement procedures to ensure that only details from fraudulent transactions are stored and recorded. Information that relates to customer disputes or chargebacks should be left out of the negative file. The following suggestions will help you build and manage the file.
    • Building and maintaining of an internal negative file. You should begin with a review of your own history of fraudulent transactions. Record the details of the fraudulently used accounts to protect your organization from possible future fraud committed by the same person. Follow these steps:
      • Record all key elements of fraudulent transactions. Your file should include names, email addresses, shipping addresses, customer identification numbers, passwords, phone numbers and card account numbers. Remember that it is not allowed to store the 3- or 4-digit card security codes.
      • Set up a process to remove from the negative file information about legitimate customers whose card accounts have been compromised. Their information may have been used by criminals.
    • Using the internal negative file to screen transactions. If a transaction data matches data stored in your negative file, you should decline the transaction or, at the very least, initiate a thorough review.

No comments:

Post a Comment