Sunday, July 15, 2012

Non-US Merchant Services for American Merchants

In order to provide small business merchant accounts to American businesses, credit card processing companies must be registered as Independent Sales Organizations (ISO) and Member Service Providers (MSP). The former designation is provided by Visa USA and the latter by MasterCard. Both authorizations are given solely to US-based businesses, after the applicants have been thoroughly evaluated and have paid the registration fees.

Similarly, a US-based credit card merchant processor cannot provide merchant account processing services to non-US organizations. All applicants must have their businesses based in the US, maintain an American office and have a checking account with a US bank.

It is very easy to check if a credit card processing account provider is based in the US. The Credit Card Associations have mandated that ISOs and MSPs display the name of their sponsoring bank on each page of their website and on all marketing and promotional materials. A sponsor bank is a bank that is a member of the American branches of Visa and MasterCard and can, therefore, operate as an acquiring bank in the US. Acquirers, also called merchant banks, authorize, clear and settle merchants' card payment processing transactions. Usually acquiring banks are credit card issuing banks as well.

Sunday, July 8, 2012

Merchant Account Processing Minimum

Your merchant account contract may include a provision that will allow your credit card merchant processor to charge you a minimum processing fee if you do not reach a predetermined processing level. What this means is that if your credit card processing provider does not get a certain minimum of processing fees from you in any given month, they will just charge you the minimum fee instead. If your payment processing fees exceed the minimum, it becomes irrelevant, as your merchant account processor simply gets what has been charged already and there is no need to charge anything in addition.

Although some credit card processing companies still charge a minimum processing fee, specifically to small business merchant accounts users, it has become an increasingly rare occurrence. You should carefully review every proposal that includes such a charge and compare it to other proposals you have received. Although the overall credit card processing costs are composed of several charges and all of them should be taken into account, chances are that, if a credit card processing company wants to charge you a minimum fee, they will want to charge you other unnecessary charges and will probably not be your best option to choose.

Sunday, July 1, 2012

Address Verification Service (AVS)

The Address Verification Service (AVS) is a risk management tool for merchants accepting credit and debit cards when neither the card nor the cardholder is present, or when the card is present but its magnetic stripe cannot be read by a terminal at the point of sale. Provided by the major card associations, AVS helps reduce the risk of fraudulent transactions by verifying the cardholder’s billing address on file at the card issuer. Merchants submit the AVS request through their credit card merchant processor directly to the specific credit card association for address comparison.

As you can see, AVS mostly benefits eCommerce merchant account users. It was developed to bridge the security gap that existed between face-to-face and card-not-present credit card payment processing environments. All major credit card processing companies support and encourage using it.

To request address verification in a card-not-present merchant account processing set up, follow these steps:
  • Enter the billing address as it appears on the monthly statement.

  • Follow your terminal or computer instructions to enter and send this information.

  • Research the returned AVS result codes.
Your small business merchant accounts provider will return one of the following result codes:
  • Exact Match. Generally speaking, you will want to proceed with transactions for which you have received an authorization approval and an "exact match."

  • Partial Match. Street address matches, ZIP code does not, or vice versa. You may want to follow up before shipping the merchandise or providing the service. Things to look for in these orders: larger than normal orders; orders containing several units of the same item; orders shipped overnight; orders shipped to an address other than the billing address.

  • No Match. Neither the street address nor the ZIP code matches. Typically a strong indicator of fraud; however, the cardholder may have moved recently and not yet notified the issuer, or the cardholder may have given you the shipping address instead of the billing address. Actions you should take include: call the customer to verify the phone number, the address and whether the cardholder has recently moved; call the card issuer to determine whether the name, address and telephone number match the information on file; use directory assistance or internet search to contact the individual at the billing address and confirm that he or she initiated the transaction.

  • Unavailable. Address information is unavailable for that account number, or the card issuer does not support AVS. Since you now have no way to verify the address, you must decide whether to investigate further, proceed, or cancel the transaction. One solution is to fax a credit card slip to the consumer, requesting that a signature be faxed back to actually verify the order.

  • Global. Address information is not verified for international transactions. Follow suggestions for "Unavailable."

  • Retry. Issuer authorization system is unavailable, retry later.
Declines can be handled politely by displaying a message that states "We are unable to process your order at this time, if you wish to continue your purchase, please call our toll-free number..." At that time the merchant may be able to obtain more information from the customer to verify why the address did not match, such as a recent move. Always ask your merchant account processor for assistance when you are not sure how to proceed.
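The result codes above can be turned into an order-triage routine for a card-not-present checkout. The following is an added example, not code from this blog or from any processor: the `Order` fields, the action names, the thresholds in `warning_signs`, and the policy of letting partial, unavailable and global results through when no warning sign is present are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Avs(Enum):
    """AVS result categories as named in the list above."""
    EXACT = "Exact Match"
    PARTIAL = "Partial Match"
    NO_MATCH = "No Match"
    UNAVAILABLE = "Unavailable"
    GLOBAL = "Global"
    RETRY = "Retry"


@dataclass
class Order:
    """Hypothetical order record; field names are assumptions."""
    amount: float
    typical_amount: float          # the merchant's normal order size
    max_units_of_one_item: int
    overnight_shipping: bool
    ship_to_differs_from_billing: bool


def warning_signs(order, size_factor=3.0, unit_limit=3):
    """Return the 'things to look for' from the Partial Match item.

    size_factor and unit_limit are assumed thresholds; tune them to
    what is normal for your own business.
    """
    signs = []
    if order.amount > size_factor * order.typical_amount:
        signs.append("larger than normal order")
    if order.max_units_of_one_item >= unit_limit:
        signs.append("several units of the same item")
    if order.overnight_shipping:
        signs.append("shipped overnight")
    if order.ship_to_differs_from_billing:
        signs.append("shipping address differs from billing address")
    return signs


def triage(approved, avs, order):
    """Map an authorization response and AVS result to (action, reasons)."""
    if avs is Avs.RETRY:
        return "retry_later", ["issuer authorization system unavailable"]
    if not approved:
        return "decline", ["no authorization approval"]
    if avs is Avs.EXACT:
        return "proceed", []
    if avs is Avs.NO_MATCH:
        # Always contact the customer and/or issuer before shipping.
        return "verify_cardholder", ["neither street address nor ZIP code matches"]
    # PARTIAL, UNAVAILABLE and GLOBAL: the address is not fully verified,
    # so hold the order when any warning sign is present (assumed policy).
    signs = warning_signs(order)
    if signs:
        return "follow_up", signs
    return "proceed", []


# Constructed sample orders, for illustration only.
ROUTINE = Order(40.0, 50.0, 1, False, False)
RISKY = Order(900.0, 50.0, 6, True, True)

if __name__ == "__main__":
    for approved, avs, order in [
        (True, Avs.EXACT, ROUTINE),
        (True, Avs.PARTIAL, ROUTINE),
        (True, Avs.PARTIAL, RISKY),
        (True, Avs.NO_MATCH, ROUTINE),
        (True, Avs.UNAVAILABLE, RISKY),
        (False, Avs.RETRY, ROUTINE),
    ]:
        action, reasons = triage(approved, avs, order)
        print(f"{avs.value:14} -> {action:18} {'; '.join(reasons)}")
```

Orders that come back as `follow_up` or `verify_cardholder` should be held from shipping until someone has completed the checks listed under the corresponding result code.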

Sunday, June 24, 2012

What to Look for in a Merchant Account

All credit card processing companies offer the same service. They provide merchant account services that enable merchants to accept credit cards, debit cards, a variety of other charge cards, electronic checks, etc. The vast majority of US small business merchant accounts providers use a handful of banks to acquire their merchants' transactions. So the major difference between them is to be found in the cost of accepting payments.

A sophisticated merchant needs to be able to look beyond the advertisements, in order to get the whole picture. What you most often see on a credit card merchant processor's website are numbers like 1.59% + $0.20 or something like it, usually embedded into a brilliantly colored button, asking that you click on it and proceed to the application form. Unfortunately, this does not tell you much. The credit card transaction processing cost is comprised of a number of different components and the rate is just one of them. You need to know what all of them are and calculate the total credit card payment processing cost for your business. There are tools available which will help you with that, but you can also request that every credit card processing provider that you contact give you a cost estimate, based on the sales volumes and average ticket amount that you expect to have.

Elsewhere in this blog we have written about the various components of the credit card processing account cost and have offered our view on what should be considered as acceptable for each of them.

Thursday, June 21, 2012

E-Commerce Payment Gateway Basics

An eCommerce payment gateway is a service that enables PC based credit card processing merchants to securely transmit their payment information to a processor over the internet (see our offering here). It is a part of every eCommerce merchant account and it integrates with the website's shopping cart. Typically, it is a third-party solution but there are credit card processing companies that offer the service directly to their merchants.

An eCommerce gateway will provide a browser-accessible interface that will allow merchants to review batches and manage their small business merchant accounts from anywhere an internet connection is available.

It is important to understand that a payment gateway does not support a "card swipe" transaction acceptance method. It is a virtual service and, as such, will accept key-entered transactions, either by a cardholder on the merchant's website or, through a virtual terminal, by the merchant itself. It supports all features found in a physical terminal, including authorization, capture, refunds and voids.

Every major gateway provides fraud protection services, most notably AVS and CVV2 verification services.

It is important to know that internet credit card payment processing services are more expensive than their physical counterparts and one of the reasons is the cost of using a gateway. In addition to the other merchant account service costs, there are gateway transaction and monthly fees. These fees vary by credit card merchant processor but your monthly fee should not exceed $15 and your transaction cost should not be greater than $0.12.

Sunday, June 17, 2012

How to Respond to a Chargeback

I will give a short outline of the chargeback process so you can get an idea of what it is and what you can do in regard to a disputed transaction. It is the process we follow at UniBul, but it is fairly standard for the industry as well.

A chargeback begins with the cardholder contacting his card issuer, notifying them that he is disputing a transaction. Most issuers will request that their cardholder signs a written statement, in which he describes, in detail, the circumstances of the transaction at issue. In most cases, before a chargeback is initiated, the card issuer requests a copy of the sales record as well. If there is sufficient evidence to support the cardholder’s request, the card issuer sends the transaction back to the credit card merchant processor (your processing bank), who, if not able to resolve the issue, may contact you for additional information. What that means is that you should deal directly with your payment processor. Tell them what happened and provide supporting evidence.

If you provide sufficient evidence to warrant a reversal of the chargeback, your credit card processing company will forward the representation to the issuer through the Credit Card Association (Visa or MasterCard). In essence, the transaction will be reinstated and you will get your money back.

Merchants should make every effort to avoid chargebacks altogether. Even if the dispute is resolved in your favor, the mere fact that a chargeback was initiated is held against you. Visa and MasterCard hold the credit card payment processing companies responsible for their merchants' chargeback levels. If you generate chargebacks in excess of 1% of your total transactions, your processor is assessed a fine. If you don't reduce that rate, you will lose your small business merchant account.

No business is immune to chargebacks; even manual credit card processing merchants can have one every now and again. Yet the most vulnerable are businesses that operate in a card-not-present environment. Direct marketing and PC based credit card processing merchants need to familiarize themselves with the chargeback methodology and implement in their sales process a set of best practices to help minimize the potential of customer disputes. That way they will ensure that their processing rates are the lowest possible and will not have to worry about the status of their merchant account.

Friday, June 15, 2012

E-Commerce Merchant Account Pricing Considerations

In order to set up an eCommerce merchant account, you need the following:
  • A functioning website with a valid SSL certificate.

  • A shopping cart - to allow your customers to enter their payment information.

  • Online payment gateway - the online equivalent of the point of sale (POS) terminal, which facilitates the transfer of information between your website and your processor or acquiring bank, quickly and securely.
The first two should be provided by your website developer. The eCommerce payment gateway service will be provided and set up for you by the credit card merchant processor (e.g. UniBul) that you will choose to work with. You should not be paying any application or set up fees. There will be a monthly gateway service fee and it should not exceed $15 per month. There is another monthly fee that you will be charged and it is a bank fee. Different merchant services credit card processing providers may call it differently but, in essence, it is a processing statement fee. It should not cost you more than $15.

So you should not have to pay anything until you actually start using your PC based credit card processing service. Your biggest concern, however, as far as costs are concerned, should be your credit card processing rates. You should carefully study your pricing proposals before making the decision which credit card processing service provider to select. I would recommend that you contact at least ten credit card processing companies and request a detailed proposal from each one of them. The payment processing cost consists of several components and you need to know exactly how much you will be paying for each one of them. Following is a breakdown of the most common fees and charges associated with an internet credit card processing account:
  • Discount rate - the amount a merchant is charged by his acquirer for processing the merchant’s transactions. It consists of a percentage fee (e.g. 2.25%) and a fixed, per transaction, charge (e.g. $0.25). For an internet or direct marketing account it should be no more than 2.20% + $0.25 per transaction.

  • Authorization fee - another "per-transaction" fee. You should not pay more than $0.12 for any type of account.

  • Application and set up fee - one-time fees to apply for and set up your credit card processing service. You should not pay any set up or application fees!

  • Monthly statement fee - as the name suggests, it is charged monthly to keep your account on file. You should not be paying more than $15.

  • Support fee - another monthly charge for customer service. You should not pay any such fees.

  • Payment gateway fee - specific to the eCommerce industry. It should not cost you more than $15 per month.
If you see any other charges for your credit card transaction processing account, you will be well advised to look elsewhere. Also, when evaluating a new proposal, your prospective processors should provide you with comparison tables to make your choice a better informed one.

Wednesday, June 13, 2012

Merchant Account Cost

There should be no application or set up fee for opening up a small business merchant account (we certainly don't charge one). Depending on the type of credit card processing service that you need, you may have to incur some expenses before you start accepting payments.
  • Retail merchants - you will need a processing terminal for your customers to swipe their cards through. You should be able to get it from your credit card payment processing provider for less than $200 or lease it for a small monthly payment.
  • Internet merchants - you will need an eCommerce payment gateway to connect your shopping cart with your processing bank and relay the transaction information. Your credit card processing company should set one up for you for free and they will charge you a monthly gateway fee for the service. That fee should not exceed $15.
  • MO/TO merchants - unless you need web-based payment acceptance capabilities, you should be able to get a virtual terminal for free. A virtual terminal is the web-based service that allows you to key in your customers' payment details as you are taking their orders over the phone or entering the payment information that you received in the mail. You will need a payment processing gateway only if you will support an eCommerce website.

Tuesday, June 12, 2012

What Card Issuers Should Do when Card Data Is Compromised

When a card issuer becomes aware that an account data compromise event may have occurred at the site of the card issuer or an MSP, DSE, or other person handling account data on behalf of the card issuer, within 24 hours the card issuer must take the following actions:
  • Notify the MasterCard Compromised Account Team via e-mail at
  • Provide a written statement detailing what is known about the account data compromise event (including the contributing circumstances) via email at
  • Provide the Merchant Fraud Control Department with the complete lists of all known at-risk and confirmed compromised account numbers.
MasterCard will not distribute the provided account numbers to acquiring banks. When a card issuer becomes aware that the account data has been lost, stolen, misplaced, or the like, by any person (for example, a tape of account data lost during transit to a storage site), the card issuer must report the occurrence as described above. MasterCard will determine whether or not it considers such occurrence to be an account data compromise event.

Read an account of a real-life data compromise.

Saturday, June 9, 2012

What is the difference between credit card processing companies and sales agents?

Merchants need to know who they are dealing with when they select a merchant services credit card processing provider. It is more than simply selecting a vendor for another service that you need in order to operate your business. A good processor will help you optimize your sales cycle so that the costs associated with card acceptance are as low as they can possibly be. By optimizing I mean implementing a set of best practices that will ensure compliance with Visa and MasterCard regulations. These regulations were put in place to ensure that payments are processed securely and that consumers have a positive transaction experience.

Credit card processing companies are directly registered with the Associations (Visa and MasterCard) and have gone through an extensive selection process. They are allowed to sign up sales agents to represent them. Keep in mind that agents cannot advertise themselves as providers of credit card processing service, only entities authorized by the Associations can. Usually sales agents offer credit card payment processing as a complementary service to their main offering and are not very familiar with the service.

With that in mind, if you are looking for a large or small business merchant accounts provider, be sure to thoroughly examine each prospect's credentials. If they are a direct credit card processing service provider, they will have the name of their processing bank listed in the footer of every one of their web pages. You will find an example on our website; it reads as follows:

© 2008, UniBul Merchant Services LLC.
UniBul Merchant Services LLC is a registered ISO/MSP of JP Morgan Chase Bank, N.A.

I would recommend that you confine your search to registered processors. They are in the best position to provide the expertise that you will need to get the most out of your credit card processing account. Whether it is a virtual solution, a physical terminal or an old-fashioned manual credit card processing service, you will need your processing partner's help with risk and chargeback management, online reporting, additional products, such as gift cards, cash advance programs and a lot more. So, once you compose the list of prospects and after you receive their pricing proposals, it would be a good idea to call the ones who offered the lowest rates and evaluate first hand how their customer service handles inquiries and what their level of expertise is.

Tuesday, June 5, 2012

Face-to-Face Card Payment Acceptance

Card-present transactions (also called face-to-face transactions) occur when both the card and the cardholder are present throughout the payment processing. Face-to-face payment processing settings reduce the risk of fraudulent transactions. The cardholder has the card in his physical possession and the payment information is read from the card's magnetic stripe as it is swiped through the terminal. The merchant has a responsibility to make sure that the transaction is legitimate and should physically examine the card and compare the cardholder's signature on the back panel to the one the customer provided on the sales receipt. Because of the lower processing risk associated with card-present transactions, Visa and MasterCard have set lower interchange rates for them. The processing rate, at which a transaction is processed, is the sum of the interchange fees for this particular card type and the processing cost incurred by the acquiring bank. Besides processing rates there are other fees and charges that merchants pay for using their processing accounts. Following is a breakdown of card-present merchant account processing rates and fees and our suggestions as to what they should be.
  • Discount rate. Discount rate is a percentage of the transaction amount. You should pay no more than 1.69% for credit cards and 1.40% for debit cards. These are the rates for consumer cards which are the most widely used. Various business-to-business, commercial, rewards and other types of cards typically get charged at a higher interchange rate (the base processing rates set by Visa and MasterCard). You need to ask your merchant services provider what pricing structure they are using. The best choice for you will most likely be the interchange-plus pricing which will ensure that the payment processing costs they add to the interchange fees are the same for all types of cards and you will not get overcharged.
  • Transaction fee. Transaction fee is a fixed dollar amount that you pay for each transaction. You should not accept anything higher than $0.20 (it will most likely be the same for debit and credit cards).
  • Set up fee. You should not be paying any set up or application fees, even if your merchant account provider attempts to convince you otherwise!
  • Monthly maintenance fee. Every merchant account provider will charge you such a monthly fee, although they might have different names for it. You should not be paying more than $10.
  • Support fee. Another monthly fee that you should not agree to pay.
In order to accept cards, you will need a payment processing terminal and your merchant account provider will provide you with one and configure it to work with their system. You can purchase the terminal from a third-party vendor as well. You should carefully review the whole merchant processing agreement for charges that may make it more expensive than it seems. All agreements will include provisions for chargebacks, bounced checks, representations, etc.

Card-Present Transactions Processing without using a Terminal

Often in card-present processing environments merchants will find themselves unable to read the card's account information with the use of their terminal or they may not be able to obtain an authorization for the transaction. The issue may be caused by one of three things:
  • The terminal's magnetic stripe reader is not working properly.
  • The card is not being swiped through the reader correctly.
  • The card's magnetic stripe has been damaged or demagnetized. Be advised that damage to the card may happen by accident, but it may also be a sign that the card is counterfeit or has been altered.
When the terminal is not reading the card's information, the terminal operator should:
  • Check the terminal to make sure that it is working properly and that the cardholder is swiping the card correctly.
  • If the terminal proves to be in order, the point-of-sale staff should examine the card to make certain that it has not been tampered with and it is valid.
  • If the examination of the card discovers that the problem is caused by the magnetic stripe, the point-of-sale person should follow store procedures. One option would be to override the swiping procedure and to key-enter the transaction data, or a call to the merchant services provider's authorization center may be required.
  • For both key-entered and voice authorized transactions the merchant should take a manual imprint of the front of the card to prove that the card was present. The imprint should be made on the sales receipt or on a separate sales receipt signed by the customer. The card imprint protects the merchant from chargebacks in a case of fraud.
Although keyed card payment processing transactions are fully acceptable, the merchant should keep in mind that they are associated with higher levels of fraud and chargebacks. A significant disadvantage proves to be the fact that certain security features, such as expiration date and Card Security Codes, are unavailable.

Card-Present Processing

Processing card transactions in a card-present environment offers the advantage of having the card available for inspection and the cardholder is present so he or she can be asked to provide additional information, if needed. To benefit from this advantage and to ensure that transactions are processed the right way, merchants need to follow a few simple procedures at the point of sale. Incorporating these suggestions into your card payment processing practices will significantly lower the levels of fraudulent transactions at your establishment. Consequently, customer disputes and chargeback levels will also decrease and your payment processing costs will be the lowest possible.
  • Swiping the card. The first step in the card payment acceptance process is swiping the card. Place the card's magnetic stripe against the card reader and hold it through the entire transaction. This procedure can be performed, and usually is, by the cardholder.
  • Checking the card's security features. While waiting for the authorization response, check the card's security features to make certain it is authentic. Make sure that the card account and verification numbers have not been tampered with and that the back of the card is signed.
  • Obtaining your customer's signature on the sales receipt. If the authorization response is positive, you should obtain the cardholder's signature on the sales receipt. Without a signed receipt you may lose your representation rights in the case of a chargeback.
  • Comparing the information on the sales receipt to the one on the card. Once you have obtained your customer's signature, compare it to the one on the back of the card. Also, compare the name and account number on the card to the ones printed on the receipt. If everything checks out, return the card to your customer and provide him with the bottom copy of the receipt. You will want to keep the top, white copy of the receipt because it produces better quality copies, in case you need one later.
  • If you suspect a fraud, make a "Code 10" call. If a security feature is missing or it appears as if it has been tampered with, or if the signature that your customer provided on the sales receipt does not match the one on the back of the card, make a "Code 10" call to your authorization center for instructions on how to proceed. You may be asked to decline the transaction and keep the card. You should only keep the card if it is safe to do so. Otherwise, complete the transaction and alert the card issuer after the customer leaves the store.

Card-Present Fraud Signs

There are signs of suspicious behavior that unauthorized card users may display at the point of sale and, if your personnel have received the proper training, they should be able to identify them and act according to your organization's procedures. Identifying fraud before it actually takes place helps to avoid chargebacks against which you have no remedy. Following is a list of suspicious signs at the point of sale that you should look out for:
  • Purchasing large quantities without much attention to details. If a customer is purchasing a sizable amount of merchandise, without much care for size, color, or even price, that might be an indication of fraud.
  • Ignoring free delivery options. If your customer asks no questions or completely ignores a free delivery option, in favor of a quicker but paid one, this could be a warning sign.
  • Rushing the cashier into a quicker processing of the payment. Although your customer may really be in a hurry, such behavior may be intended to force the point-of-sale person to circumvent fraud prevention measures.
  • Making multiple purchases within a short period of time. If a customer completes a purchase, leaves the store and then comes right back in, he or she might be doing it because they believe that making multiple fraudulent transactions, each for a lesser amount, would not attract much scrutiny.
  • Shopping either right after the store opens or before it closes. A fraudster might be shopping early in the morning or late in the evening, in the hope that the point-of-sale personnel will not be as attentive as during other stretches of the day.
Be advised that, although suspicious, a certain behavior might be perfectly well justified and explained in another, completely legitimate way. By themselves, none of the above examples constitutes proof of fraudulent activity. You should always use your observations of customer behavior in the context of the particular setting. Different establishments attract different types of customers and what is considered normal customer behavior at one place might be interpreted as completely irregular at another.

Once the point-of-sale person has accumulated enough observations to conclude that a fraudulent activity is probably taking place, you should contact your merchant bank's authorization center and make a "Code 10" request. You should keep the card in your possession, but only if it is safe to do so. If you feel threatened or uncomfortable, complete the transaction and make the call to your merchant account bank's center right after the customer leaves. Then follow the instructions your merchant bank gives you.

Skimming of Credit Cards

What is skimming. Skimming is a fraudulent activity involving the illegal copying, or "skimming", of the account information, stored in the magnetic stripe of a credit or debit card. Skimming typically takes place after the card has been presented to be used in a legitimate transaction. The copied information is subsequently used to make copies of the payment card to be used in fraudulent transactions or the information itself may be sold to criminals.

The skimming process. Sadly it is way too easy to skim the information off of a credit or debit card. The information theft is usually committed in a card-present setting, for example in a restaurant, a bar or in other similar establishments where the swiping of the payment card takes place out of sight of the cardholder. Once the customer presents his or her card and it is taken to the processing terminal, it is run through a small mobile device which copies the information contained in the magnetic stripe. Then the card is also run through the terminal's slot to complete the legitimate transaction and it is eventually returned to the unsuspecting cardholder.

Preventing skimming. Skimming is illegal and it is every merchant's responsibility to ensure that it is not taking place in his or her establishment. You and your personnel should be on guard against:
  • The use of all electronic devices that are not needed or normally used in your type of business. If you are not sure exactly what a particular device is used for, you should investigate.
  • Any offers to record payment card account information for whatever reason.
If you believe or suspect that skimming might be taking place in your establishment, you should immediately contact your payment processing provider and take the appropriate measures against the employee(s) involved.

Minimizing Key-Entered Transactions

Merchants that accept payments in a face-to-face environment have the advantage of processing transactions at lower rates compared to their counterparts operating in a card-not-present environment. Key-entered transactions, however, are charged at higher rates and should be kept to a minimum.

The first step in the process of minimizing the key-entered card processing transactions is to estimate their share of the total transactions. To do that you should divide the total number of key-entered transactions for a certain period (a month or a quarter) by the total number of sales. If your business is processing mail order and telephone order transactions, you should exclude them from both totals. To represent the result as a percentage, you should multiply it by 100.

If your key-entered transactions exceed one percent per terminal, you should investigate the situation. Following is a list of the most common reasons for high rates of key-entered transactions and possible solutions.
  • Damaged Magnetic Stripe Reader. Check magnetic stripe readers regularly to make sure they are working.
  • Dirty Magnetic Stripe Readers. Clean magnetic stripe reader heads several times a year to ensure continued good use.
  • Magnetic Stripe Reader Obstructions. Remove obstructions near the magnetic stripe reader. Electric cords or other equipment could prevent a card from being swiped straight through the reader in one easy movement.
  • Spilled Food or Drink. Remove any food or beverages near the magnetic stripe reader. Falling crumbs or an unexpected spill could soil or damage the machines.
  • Anti-Theft Devices that Damage Magnetic Stripes. Keep magnetic anti-theft deactivation devices away from any counter area where customers might place their cards. These devices can erase a card’s magnetic stripe.
  • Improper Card Swiping.
    • Swipe the card once in one direction, using a quick, smooth motion.
    • Never swipe a card back and forth.
    • Never swipe a card at an angle; this may cause a faulty reading.

Code 10

Credit card processing companies offer the Code 10 authorization procedure as an additional protection against fraud in a card-present transaction environment. Code 10 is an authorization call that a processing terminal operator can make to his or her payment processing provider's authorization center when he or she suspects that a customer is attempting to commit a fraud at the point of sale. The cause for a suspicion may be that the card looks as if it has been tampered with or altered, or that the customer is behaving in a suspicious manner. If the terminal operator believes that there is enough evidence to suspect that a fraudulent activity is taking place, he or she should make a "Code 10" call and request a voice authorization for the transaction at issue with their payment processing provider.

The process of requesting a "Code 10" transaction authorization is pretty straightforward. It consists of the following steps:
  • Having the card in his or her possession the terminal operator should dial the payment processing provider's voice authorization center.
  • The operator should then state to the representative who picks up the call "I have a Code 10 authorization request." The authorization center's representative will probably ask for some transaction details and then the call will be routed to the card issuer.
  • When speaking with a representative at the card issuer's authorization center, the terminal operator will be asked questions about the transaction at issue which he or she will answer by a simple yes or no. The card issuer's representative will then determine whether or not the transaction is fraudulent and provide instructions on how to proceed.
  • The operator should follow the instructions of the card issuer's representative.
  • If the instruction is for the card to be picked up, it should only be done if it is safe. Otherwise the transaction should be completed and further action should be taken after the customer leaves the store.
Placing a Code 10 call after the customer has left the store is very important. Even though a fraudulent transaction might already have been processed, placing the call at that time will prevent the same fraud from being committed elsewhere or even in the same store in the future.

Credit Card Recovery

Visa and MasterCard regulations demand that in certain circumstances a credit card should be picked up from a customer at the point of sale, but only if it is safe to do so. Typically, if there is sufficient evidence to believe that a credit or debit card is being used fraudulently or if its security features look as if they have been altered, your point-of-sale personnel should attempt to recover the payment card. Any of the following examples would provide a sufficient reason for picking up a payment card:
  • The card's security features are missing or altered. If the 3- or 4-digit card verification security code (CVV2, CVC2 or CID) is missing or has been tampered with, or if the hologram does not appear right, or if the "Good Through" date is altered, that should raise your suspicion.
  • The card number on the sales receipt does not match the account number on the card. If the account number that your terminal has read from the magnetic stripe and printed on the sales receipt does not match the one on the front of the card, this should immediately raise a red flag.
  • The merchant receives a pick-up response. If, upon placing a "Code 10" call with the card issuer, you have been instructed to pick up the card, you should follow the instructions.
When attempting to pick up a card from a customer you should follow these procedures:
  • A card recovery should only be attempted if it is safe to do so. If not, you should complete the transaction and, once the customer leaves, alert the card issuer and the management of your business. Do not try to be a hero: if your customer is threatening you or becomes violent, you should let him or her go.
  • Inform the cardholder that the card issuer has instructed you to recover the card and that, for more information, he or she should contact them.
  • Be polite and courteous with the cardholder. Treat the situation as a business transaction, not as a law-enforcement procedure.
  • Once you have recovered the card, contact your payment processing provider for further instructions.
  • Cut the card in half lengthwise and be sure to not damage the hologram and the account number or the magnetic stripe.
  • Send the recovered card's pieces to your payment processing provider.
Be advised that there are cash rewards that the Credit Card Associations of Visa and MasterCard pay to merchants who have recovered counterfeit cards. Ask your payment processing provider for details.

Zero-Percent Tip Authorizations

Transaction amounts should never be estimated. Following this rule is particularly important for restaurant merchants and it means that card transactions should only be authorized for the known amount of the bill. Merchants should never add on an estimated tip. Consumers today can, and do, check their credit card activity online in almost real time. If they see an amount that they do not recognize, cardholders are likely to ask questions and contact their card issuer.

Policies on Unsigned Cards

One of the merchant's responsibilities at the point of sale is to make certain, using the information that is available, that the card used to make the payment is valid and to compare the signature on its back panel to the one provided by the customer on the sales receipt. But what is to be done when the card is not signed? Well, all unsigned cards are considered invalid and should not be accepted, even if all other security features are valid and there is no other reason to be suspicious. When you are presented with an unsigned card at the point of sale, you should follow these steps:
  • Request that your customer provides a valid ID. A driver's license or a passport would be sufficient. Where the law allows it, the ID's serial number and expiration date should be written on the receipt before the transaction is completed.
  • Request that the customer signs the card. The card should be signed in front of you. Examine the signature and compare it to the one on the ID. If the customer refuses to sign the card, the card remains invalid and you should not accept it. Ask for another payment method.
  • If the provided signature matches the one on the ID, go ahead and complete the transaction.
If your customer refuses to sign the card and you still accept it, you will most likely have no recourse if the transaction is later disputed and will end up with a chargeback.

Card Type, Account Number and Expiration Date

Credit and debit cards bear several identification features that make them unique and help merchants and cardholders prevent their fraudulent use. These features are used during the transaction authorization process as well. Merchants should incorporate the following best practices to ensure that transactions are processed in a safe and secure fashion:
  • Request that customers provide both the account number and the card type and ensure that they match. Consider applying the following procedures:
    • Request that customers select their card's type (Visa, American Express, MasterCard, Discover, etc.) before they enter the card's account number.
    • Verify the validity of the provided information by comparing the selected card type and the first digit of the provided card number. The credit card companies use different account numbering systems. The first digit of every payment card identifies its type. Listed in the table below are the first digits that the major American card brands place in their account numbers.
      Card Type
      First Digit of Account Number
      American Express
    • Display an error message if there is a mismatch between the selected card type and the provided account number and request that the customer re-enters the data.
    • Allow customers to enter card account numbers with or without hyphens, with or without spaces between digits, or clearly identify your preferred format.
  • Request that customers provide their card's expiration date. You can either provide a blank field to be filled in by the customer or a pull-down menu from which the customer can make a selection. If you choose the latter option, make sure that you do not provide a default month and year of the expiration date, to prevent the customer from erroneously selecting it. The default date will most likely be different from the actual one and the transaction will be declined.
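The checks in the list above, as an added example that is not code from the original post: it compares the selected card type with the first digit, accepts hyphens and spaces, and rejects an untouched expiration field. The first-digit values are the publicly documented ones (the page's own table is incomplete); the MasterCard 2221-2720 range and the Luhn checksum go beyond what the page describes, and the function names and messages are assumptions.

```python
import re
from datetime import date

# Leading digit per brand, as publicly documented by the card brands.
FIRST_DIGIT = {
    "American Express": "3",
    "Visa": "4",
    "MasterCard": "5",
    "Discover": "6",
}


def normalize_number(raw):
    """Strip spaces and hyphens; return the digits, or None if anything else remains."""
    digits = re.sub(r"[\s-]", "", raw)
    return digits if re.fullmatch(r"[0-9]{12,19}", digits) else None


def luhn_ok(digits):
    """Luhn checksum: catches most single-digit typos before an authorization is attempted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_matches(card_type, digits):
    """Compare the selected card type with the start of the account number."""
    # MasterCard also issues account numbers in the 2221-2720 range.
    if card_type == "MasterCard" and 2221 <= int(digits[:4]) <= 2720:
        return True
    return FIRST_DIGIT.get(card_type) == digits[0]


def validate_card_entry(card_type, raw_number, exp_month, exp_year, today):
    """Return a list of messages to show the customer; an empty list means the entry is usable.

    exp_month / exp_year are the raw form values; "" is the empty placeholder
    option, so no default date can be submitted by accident.
    """
    errors = []
    digits = normalize_number(raw_number)
    if card_type not in FIRST_DIGIT:
        errors.append("Select a card type.")
    if digits is None:
        errors.append("Enter the card number using digits, spaces or hyphens only.")
    elif card_type in FIRST_DIGIT and not brand_matches(card_type, digits):
        errors.append("Card number does not match the selected card type; re-enter it.")
    elif not luhn_ok(digits):
        errors.append("Card number is mistyped; re-enter it.")

    if not (exp_month.isdigit() and exp_year.isdigit()):
        errors.append("Select the expiration month and year.")
    else:
        month, year = int(exp_month), int(exp_year)
        # A card is good through the last day of its expiration month.
        if not 1 <= month <= 12 or (year, month) < (today.year, today.month):
            errors.append("Expiration date is invalid or in the past.")
    return errors


if __name__ == "__main__":
    # Widely published test card numbers, not real accounts.
    today = date(2025, 1, 15)
    print(validate_card_entry("Visa", "4111-1111-1111-1111", "12", "2030", today))
    print(validate_card_entry("MasterCard", "4111 1111 1111 1111", "", "", today))
```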

eCommerce Card Payment Acceptance

The eCommerce card payment acceptance process goes through several stages:
  • eCommerce Transaction Authentication

    Authentication of an eCommerce transaction is the process through which a merchant verifies the validity of the payment information provided by the customer. The process can include a verification of both the cardholder's identity and the card's authenticity. It is important to understand that eCommerce merchants have the responsibility to select and apply the appropriate transaction authentication services. The proper application of the transaction authentication process reduces the number of customer disputes and chargebacks.

    The most popular card processing transaction authentication tools are:

    • Address Verification Service. Address Verification Service (AVS), as its name suggests, is a service that helps eCommerce merchant account users verify a cardholder's billing address. The verification is done simultaneously with the payment processing transaction authorization. The merchant sends an address verification request to the card issuer who compares the provided data with the information it has on file for its cardholder and sends back a response code indicating the result of the comparison.
    • Card Security Verification. Card Security Verification (CSV) is a 3- or 4-digit number located on the back (Visa, MasterCard and Discover) or the front (American Express) of every payment card. In eCommerce transactions the CSV number is used to verify that the customer is actually in physical possession of the card. Similarly to AVS, the CSV request is routed to the card issuer, who compares the provided value to the one it has on file for its cardholder and responds accordingly.
    • Verified by Visa and MasterCard SecureCode. These services provide cardholders with the option of registering their cards with the respective Association. Upon registration with Verified by Visa (VbV) or MasterCard SecureCode, the cardholder is given a password. When the card is used at a participating eCommerce merchant, the cardholder is asked to enter this password before the transaction can be completed. The provided password is compared to the one the card issuer has on file and, upon confirmation, the cardholder is allowed to complete the transaction.

    Employing the above listed authentication tools will greatly improve your ability to fight fraud in your card payment processing operations and will have a positive effect on your bottom line.

    • Product Description. Online customers are fully reliant on the merchant's product description for any relevant information about the merchandise or service they are interested in. Unlike an old-fashioned brick-and-mortar store, where consumers can go in and physically inspect the product, in the virtual world of eCommerce this is not possible. Moreover, a physical store presents the opportunity of discussing the product's or service's qualities and features with a live sales person - a presence that many consumers find reassuring. Many customers simply feel more comfortable communicating with another human being and do not trust the descriptions that eCommerce merchants make available on their websites for the products and services they sell. Taking this into account, the question becomes "How do we make an eCommerce website a more consumer-friendly place and how do we make an online product and service description better?" There are simple best practices that can be employed to help address these concerns.

      In order to make sure that your website presents an accurate description of the products and services that you sell and to boost your customers' confidence in shopping at your store, you should:

      • Develop clear and comprehensive product descriptions. Be as detailed as you can. Provide a PDF or other type of file with the complete manufacturer product sheet. Also, remember that eCommerce is a global industry and your customers can be anywhere. Unless you limit your sales to a local market, you should include in your product description information that domestic merchants can ignore. For example, if you sell electric goods, you should state the voltage requirement, as it varies around the world. Also, when you provide the product's dimensions you should use both English and metric measures.
      • Use product photos and images, if applicable. An image of a product is a very powerful marketing tool. Many of us will not consider making a purchase unless we see what it is we are buying. You should use high-quality images and provide shots from various angles of the product.
    • Shipping Policy. A web-based store's shipping policy communicates to consumers the terms and conditions for delivering a product or service purchased on the merchant's eCommerce website. It has to be written in a clear and concise manner and to be made available to consumers through a link on the merchant's website, as well as sent to customers in the confirmation emails that they receive after they place an order. In order to avoid misunderstandings and to minimize customer disputes, your shipping policy should include the following information:

      • Details on the shipping options that you offer and the expected delivery time frame for each one of them.
      • A full disclosure for all shipping and handling fees. It is extremely important that your customers know in advance the exact amount of the shipping charge. This is one of the most common causes for disputes and chargebacks.

      Once the product has been shipped and the customer has been informed of the expected delivery time frame, you should monitor the shipping process. If there is a delay, you should immediately inform your customer of the new circumstances and provide him with the updated delivery date. Be advised that if your customer does not receive the product by the expected delivery date, it is very likely that he or she will file a dispute, initiating a chargeback.

      Be advised that criminals have exploited a weak link in the shipping process. When placing an order on an eCommerce merchant website, they will provide the stolen card number with the correct billing address. Once the merchandise has been shipped and they are given a tracking number, they will redirect the shipment to their own address. To protect the integrity of your card processing account and your customers from this type of fraud, you should consider not providing a confirmation number on a selective basis, when selling higher-risk merchandise or shipping to higher-risk addresses.

    • Merchant Account Benefits. Setting up a merchant account is a process that requires that the merchant invests a certain amount of his or her time to first find the right processing provider and then to go through the actual application and set up. Once the service is established, it has a certain monthly maintenance cost, in the form of a statement fee and, in some cases, other fees and charges. Moreover, payment processing contracts are usually for two or three years. So it is a legitimate question to ask what benefits your establishment will get from a merchant account and is it worth the investment of time and effort to set one up.

      For most merchants the answer is that yes, it is worth it and you should consider setting one up as soon as your processing volumes grow large enough to justify it. By that I mean that there is a break-even point, specific for every business, beyond which the lower card processing rates, associated with merchant accounts, fully offset the fixed monthly fees, which are absent with third party solutions. The main benefits of having your very own merchant account service are:

      • A more professional image. All types of merchant accounts are perceived, and justifiably so, as a sign that the business is of a certain size and it is committed to providing a complete shopping service. Actually, taking into account the strict requirements that payment processing companies demand that applicants meet, it is true that a merchant account shows a certain level of commitment on the part of the merchant.
      • A lower card processing cost. The difference in card processing rates, that a direct merchant account provides over a third party processing solution, is significant and cannot be overstated. A comparison between an average eCommerce merchant account and PayPal shows that the difference can be as high as 0.8% + $0.05 per transaction for merchants that process less than $3,000 per month. Now that is substantial!
      • More control over your account. A third party processing solution leaves your processor with a complete control over your card payment processing activity. They can hold on to your money and even freeze your account if a suspicious activity is thought to have occurred. A direct merchant account gives you complete control over your processing activities, provided you follow the rules established in your processing agreement. As far as fraudulent transactions are concerned, the final decision, and responsibility, on whether a payment should be processed or not, is yours and various fraud prevention services are available to help you reach that decision.
    • Avoiding Duplicate eCommerce Transactions. ECommerce merchants need to develop procedures to help them identify and prevent duplicate orders from being processed. Unlike face-to-face transactions, where once the card is swiped, it is pretty easy to determine whether or not the transaction has been processed, orders placed online are susceptible to being duplicated, as sometimes it takes a long time for the customer to receive an authorization response and he or she might do it all over again. Duplicate orders can lead to higher card processing costs, as merchants will pay for every transaction that their merchant account provider processes, regardless of whether it is legitimate or not. Moreover, merchants will have to spend extra time to sort out the duplicate transactions and issue credits to the affected customers, all of which leads to additional expenses as well. Another unwanted side effect from duplicate transactions is the customer dissatisfaction that naturally results from having their credit card accounts billed twice for the same purchase. Customers may, in such cases, call their card issuer directly, instead of contacting the merchant and trying to clear up the issue. They are likely to dispute the transaction, initiating a chargeback.

      As you see there are plenty of reasons why you should establish controls to prevent customers from inadvertently submitting a transaction twice. You can use the following best practices to build your procedures around:

      • Require customers to make positive clicks on order selections, rather than hit the "Enter" key on their keyboard. In other words, have customers click on a "Submit" or a similar button.
      • Once the order has been submitted, display an "Order Being Processed" or a similar message.
      • Regularly check your orders for duplicates.
      • Send email messages to customers to confirm whether or not a duplicate order was intentional.

  • eCommerce Transaction Processing
    • Transaction Settlement. Settlement is a process through which a card issuing bank exchanges funds with an acquiring bank to complete a cleared transaction, where clearing is the exchange of transaction information between the card issuer and the acquirer. Clearing and settlement occur simultaneously. The settlement process may vary slightly from one merchant account service provider to another but it goes through the following stages:

      1. Once the service has been provided or the merchandise shipped, the merchant captures the transaction payment information and submits it, with the daily batch, to its merchant processing services provider for settlement.
      2. The merchant processing bank submits the transaction data to the Credit Card Association (Visa or MasterCard) for settlement.
      3. The Credit Card Association sends the transaction information to the card issuer and then settles it by crediting the merchant processing bank's account and debiting the card issuer's account. The amount, debited from the card issuer's account is equal to the transaction amount, minus interchange. The amount credited to the processor is equal to the transaction amount, minus interchange, minus the association fees.
      4. The merchant processing bank receives its funds, usually within 24 hours of the transaction, and credits the merchant's account, usually within 48 hours of the transaction. The merchant receives an amount that is equal to the amount credited to the merchant bank's account, minus payment processing costs.
      5. The card issuer posts the transaction information on its cardholder's account and sends a monthly statement. The cardholder has the option to pay the full amount or a lesser amount, but no less than a minimum amount, established in the cardholder agreement. If the cardholder chooses to pay an amount, lesser than the full amount, the remaining balance will be charged an interest rate.
    • Transaction Controls. Implementing transaction controls will help eCommerce merchants reduce their risk exposure by identifying high-risk transactions. These controls help determine when a cardholder or transaction should be more thoroughly investigated. When establishing your transaction control policies and procedures, consider implementing the following steps:

      • Setting up transaction controls and velocity limits. The initial process of establishing and implementing your organization's transaction control should adopt the following procedures:
        • Establish review limits on the number and dollar amount of transactions approved for a customer within a specified period of time. Later you should adjust these limits to reflect the customer's purchasing patterns.
        • Establish review limits based on single transaction amount.
        • Make sure that velocity limits are checked for multiple characteristics, including shipping address, telephone number and email address.
        • Track and adjust velocity limits as you accumulate information on your customers' purchasing patterns. The limit should be stricter for new customers and looser for customers with solid purchasing and payment track record.
        • Contact customers that exceed your preset limits to determine whether the activity is legitimate and should be approved.

      • Adjust transaction controls and velocity limits based on transaction risk. Use your risk experience regarding selected products, shipping locations and customer purchasing patterns and modify your transaction controls and velocity limits to reflect it.
      Implementing transaction controls will help prevent fraud, minimize customer disputes and reduce the number of chargebacks.

    • AVS Processing. Address Verification Service may be used with or without an authorization request.

      • AVS with an Authorization Request. MO/TO and eCommerce merchant account users can process AVS requests just as they process authorizations, either in real time or in a batch using a terminal or a PC. Real-time authorization requests are used typically for transactions where the customer waits for a response online. Batch authorizations are used for transactions where there is no immediate need for a response. The process of transaction authorization and address verification goes through the following stages:
        1. A consumer places an order in a card-not-present environment.
        2. The merchant confirms the order information, including the merchandise description, price, card account number, card expiration date and shipping address. The merchant now requests that the customer provides a new piece of information - his or her billing address (the billing address is where the cardholder receives his or her card statements).
        3. The merchant enters the provided billing address information into its authorization request, along with the rest of the transaction information. Both requests are sent to the merchant's payment processing provider who sends them on to Visa or MasterCard.
        4. The Credit Card Association (Visa or MasterCard) then sends the requests on to the card issuer who makes separate decisions on each request. The card issuer compares the provided billing address to the one it has on file for its cardholder. It then returns both the authorization and the address verification responses through the same channel. The address verification response consists of a single-digit code which the merchant's credit card processing provider may change to make it easier to understand.
      • AVS without an Authorization Request. In some cases merchants can send an address verification request without a transaction authorization request. Such situations may arise when:
        • Merchants want to verify a customer's billing address before a transaction authorization is requested.
        • An earlier transaction authorization request has received an approval but an AVS request has received a "Try again later" response.
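The review limits from "Transaction Controls" and the "regularly check your orders for duplicates" step from "Avoiding Duplicate eCommerce Transactions" above, combined in one added example that is not code from the original post. The limits, window lengths, tier names and field names are assumptions to be tuned to your own customers' purchasing patterns, and the orders are constructed sample data; a non-empty result means "contact the customer and review", not "decline".

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values, not taken from the page.
DUPLICATE_WINDOW = timedelta(minutes=10)
VELOCITY_WINDOW = timedelta(hours=24)
LIMITS = {  # tier -> (max orders, max total cents, max single order cents) per window
    "new": (3, 50_000, 30_000),                 # stricter for new customers
    "established": (10, 300_000, 150_000),      # looser with a solid track record
}
# Velocity is checked per characteristic, not only per card.
VELOCITY_KEYS = ("card_ref", "shipping_address", "phone", "email")


@dataclass(frozen=True)
class Order:
    order_id: str
    placed_at: datetime
    card_ref: str          # processor token; the card number itself is never kept here
    shipping_address: str
    phone: str
    email: str
    amount_cents: int
    cart: tuple            # ((sku, quantity), ...)


def _norm(value):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(str(value).lower().split())


class OrderScreen:
    """Keeps the last VELOCITY_WINDOW of orders; expects orders in time order."""

    def __init__(self):
        self.history = deque()

    def review(self, order, tier="new"):
        """Return the reasons this order needs manual review (empty list: none)."""
        max_count, max_total, max_single = LIMITS[tier]
        cutoff = order.placed_at - VELOCITY_WINDOW
        while self.history and self.history[0].placed_at < cutoff:
            self.history.popleft()

        reasons = []
        if order.amount_cents > max_single:
            reasons.append("single-amount")

        # Same card, amount and cart shortly after an earlier order: likely a re-submit.
        for past in self.history:
            recent = order.placed_at - past.placed_at <= DUPLICATE_WINDOW
            if recent and (past.card_ref, past.amount_cents, past.cart) == (
                    order.card_ref, order.amount_cents, order.cart):
                reasons.append(f"possible-duplicate-of:{past.order_id}")
                break

        for key in VELOCITY_KEYS:
            value = _norm(getattr(order, key))
            matched = [p for p in self.history if _norm(getattr(p, key)) == value]
            if len(matched) + 1 > max_count:
                reasons.append(f"velocity-count:{key}")
            if sum(p.amount_cents for p in matched) + order.amount_cents > max_total:
                reasons.append(f"velocity-amount:{key}")

        self.history.append(order)
        return reasons


def run_constructed_sample():
    """Screen five constructed orders and return {order_id: reasons}."""
    t0 = datetime(2012, 7, 1, 12, 0)
    hour = timedelta(hours=1)
    rows = [
        ("A1", t0, "tok_1", "1 Main St", "555-0100", "pat@example.com", 12_000, (("SKU1", 1),), "new"),
        ("A2", t0 + timedelta(minutes=3), "tok_1", "1 Main St", "555-0100", "pat@example.com", 12_000, (("SKU1", 1),), "new"),
        ("A3", t0 + 2 * hour, "tok_2", "1 MAIN ST", "555-0101", "sam@example.com", 15_000, (("SKU2", 1),), "new"),
        ("A4", t0 + 3 * hour, "tok_3", "1 main  st", "555-0102", "lee@example.com", 20_000, (("SKU3", 2),), "new"),
        ("A5", t0 + 30 * hour, "tok_1", "9 Oak Ave", "555-0100", "pat@example.com", 200_000, (("SKU9", 1),), "established"),
    ]
    screen = OrderScreen()
    return {row[0]: screen.review(Order(*row[:8]), tier=row[8]) for row in rows}


if __name__ == "__main__":
    for order_id, reasons in run_constructed_sample().items():
        print(order_id, reasons or "ok")
```

Order A4 is flagged only on the shipping address: three different cards and e-mail addresses were used, which a per-card limit alone would not have caught.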

Processing Recurring Payments

Recurring payments help simplify the process of billing a cardholder for a product or a service that is being provided on a continuous basis. A recurring payment plan exists when multiple transactions are processed at predetermined intervals, as a result of an agreement for the purchase of products or services. A cardholder authorizes a merchant to charge his or her payment card on a regular basis (usually monthly, but it can be at other intervals) for a period of time; however, the interval between any two consecutive transactions cannot exceed one year. The transaction amount can be fixed or it can vary. The recurring payment plan is in effect until canceled by the consumer. A good example is a newspaper subscription where a consumer can be making payments indefinitely, until the subscription is canceled. A recurring plan differs from an installment payment plan in that in the latter you have a fixed amount to be paid and the installments are agreed upon in advance and made until paid in full.

The main benefit that merchants get from a recurring payment plan is that it reduces costs, associated with the processing of a single payment. Recurring payments also help increase customer loyalty, increase efficiency and improve the cash flow by ensuring timely and regular payments.

To ensure managing recurrent billing in an effective manner, merchants should incorporate into their procedures the following practices:
  • Allow customers to choose the billing date. They know best when the money will be available.
  • Inform the cardholder of the name that will be presented. Ensure that the "Doing Business As" name, or some other name, easily recognized by the cardholder, is used when billing or corresponding with the cardholder. Your merchant processing provider will be able to set your billing descriptor to show the desired name.
  • Provide a clear statement of the cancellation policy on the cardholder's agreement and your website. This will help minimize chargebacks.
  • Provide the cardholder with clear information regarding the billing arrangements and all charges related to the delivery of products and services.
  • Ensure that billing is discontinued immediately upon the cardholder fulfilling the cancellation terms - provide the cardholder with cancellation confirmation including when the last billing will occur if this has not already occurred, or if a credit is due when the credit will be processed.
  • Ensure that the cardholder is notified when goods or services cannot be delivered or provided on the agreed upon date.
  • Provide the cardholder with an easily accessible contact number for customer service inquiries, and also the right to terminate the recurring transaction.
  • Ensure an authorization request is made and approval is obtained before a payment is submitted for clearing.
  • Make sure that all transactions reflect the Recurring Payment Indicator.
  • Contact the cardholder to obtain alternative account billing details if the authorization response is a decline.
Provide a Merchant Pre-Billing Notification prior to submitting an authorization request for a recurring transaction and you will see fewer customer disputes and chargebacks.

This type of a payment plan offers many advantages to both the merchant and his customers and these advantages have been discussed previously in this blog. There are, however, certain characteristics, inherent in every recurring payment plan, that make them particularly vulnerable to customer disputes and chargebacks. Implementing the following recommendations will help minimize such problems:
  • First Payments in a Recurring Plan. The first payment of a recurring plan should be processed just as every other eCommerce or MO / TO card processing transaction. You should always use AVS and the Card Security Verification codes. For Visa and MasterCard transactions it is advisable that you also utilize Verified by Visa and MasterCard SecureCode. The sales receipt of the first recurring payment should include the following information:
    • The words "recurring transaction."
    • The frequency of the charges.
    • The period of time that the cardholder has agreed to making payments (if applicable).
  • All Recurring Payments. To best protect themselves against customer disputes and chargebacks, merchants should:
    • Always use the Address Verification Services (AVS). Only process transactions for which you receive a positive match.
    • Keep a file with your customers' card expiration dates and include them in all authorization requests.
    • Identify recurring transactions as such. This identification will typically be handled by your merchant account service provider but you should make sure that it is set up properly.
    • Always notify your customers before each recurring charge. Provide the notice at least ten days in advance. In the notice you should include the amount and date on which it will be charged.
    • Create adequate controls to protect stored cardholder data.
    • Never store Card Security Verification codes - the 3- or 4-digit numbers on the back or front of all credit cards.
    • Check for customer complaints and respond promptly. An adequately addressed complaint will help resolve the issue before it deteriorates into a chargeback.

Policies for eCommerce Merchants

When constructing their websites, merchants doing business over the internet should take into consideration the following policies:
  • Information security policy. Consumers expect that eCommerce merchants protect the personal information they provide during a transaction. They also expect that merchants describe the measures and procedures they have established to keep sensitive account data safe. For a better customer experience, eCommerce merchants should consider implementing the following best practices on information security:
    • Educate customers about your security practices. Create a page that details your website's security practices and controls. Consider including in it the following:
      • Explain in detail how payment information is protected at all stages of the transaction process: during transmission, while on your server and at your physical work site.
      • Make the page available to all visitors to your website. You should consider placing a link to it in your home page. Placing a link in your header or footer will make the page accessible from any page of your website.
    • Include security tips in a FAQ page. Create a FAQ page and include in it questions and answers on how customers can protect themselves while shopping online.
    • Add the logos of fraud prevention services that you are using. Place on your website the logos of all fraud prevention and data protection services that you are using.
    • Warn customers against sending payment information by email. Email is not a secure way to do business, however some customers are not aware of that. To protect their personal information you should highlight your security practices on your website and in your email correspondence. Advise customers that:
      • Email is an insecure method of communication and should never be used for transmitting account data or other sensitive information.
      • Your website's encryption services ensure that personal information is protected from unauthorized access and provide the safest way to shop online.
  • Payment choice selection. Customers should be provided with clear payment choices at the checkout. Unfortunately there are a number of ways in which a customer can get confused when selecting a payment choice. For example options such as "Debit" and "Credit" can be misleading as their meaning may be interpreted differently, depending on the customer's understanding. Providing the option of selecting a payment brand gives the customer a clear payment choice. It is easy to distinguish a Visa card from a MasterCard or an American Express. You should consider placing a menu of radio buttons for each card brand that your payment processing account supports. It is also a good idea to use each brand's logo next to the button.

    Once a customer selects the brand of card that they want to use as payment, you should make sure that their choice is honored. Merchants are allowed to suggest a form of payment or to display their preferred choice but you cannot mislead or confuse the customer or omit important information in the process. The customer has the right to use whatever payment method he or she chooses, provided it is supported by the merchant and once the selection is made, the merchant should facilitate the processing of the transaction.

    Merchants are not allowed to charge customers additional fees for selecting to use credit or debit cards for payment for products or services. It is allowed, however, to offer a discount if a customer selects to pay in cash, for example. Also, if a merchant accepts card payments, cards should be accepted for all amounts. It is not allowed to set limits on transaction amounts for card payments. Merchants can lose their card payment processing accounts if they do not comply with these requirements.

  • Account number verification. The merchant has a responsibility to verify the card account number at the point of sale, during the transaction process. It is also in your own best interest, as every unauthorized or fraudulent transaction will most likely result in a chargeback. Most point-of-sale terminals allow merchants to verify that the account number embossed on the front of the card is the same as the account number encoded in the magnetic stripe of the card. The exact verification procedure will depend on the type of terminal used at your store. Some terminals will display the information contained in the magnetic stripe or will print it on the sales receipt. Others will check the numbers electronically. The latter type of terminals will need the merchant to input the last four digits of the embossed card number and compare the provided information with the one stored in the magnetic stripe.

    If you are using a terminal that displays or prints the account number on the sales receipt, it will usually use the last four digits of the number. If the numbers do not match, you will receive a "No Match" message. In such instances you should make a "Code 10" call.

    The Credit Card Associations now require that point-of-sale terminals truncate card account numbers when printing them on sales receipts. This means that only the last four digits of the account number should be printed on a sales receipt and the expiration date should not be shown at all. This is intended to be an additional preventive measure to protect consumers against card processing fraud.

  • Billing policy. ECommerce merchants should develop a thorough policy regulating the terms and conditions of their billing procedures and should make it available to customers at the time of purchase. Your policy should include the following information:
    • Inform your customers when their cards will be charged.
    • If you are using a third party to do your billing, inform your customers how the transaction will be reflected on their credit card statement (provide the third-party service provider's name and the transaction amount). Providing these details will help customers recognize your transaction and minimize the chance that they will file a dispute with their card issuer, initiating a chargeback.
    • Encourage your customers to retain a copy of the transaction.
    Be advised that it is very important that you do not charge your customer's card before the product has been shipped. Cardholders today can review their transactions in almost real time and, if they see a charge on their accounts without having received the item or at least a delivery notification, they are likely to contact their card issuer and dispute the transaction.

    If your organization provides digital content, your policy should also include the following best practices:

    • You should never charge your customer's account before the service is actually accessed on your website with the applicable password.
    • You should avoid the use of negative renewal options or other marketing techniques that may create the impression that the product is free.
    • You should communicate with your customer all special restrictions before the sale is completed.
    Lastly, be sure to include in your billing policy the transaction currency that will be used to complete the transaction. Remember that eCommerce merchant websites are accessible from all over the world and, unless there are special restrictions, your customers may be located anywhere. Clearly state the currency, especially if it is not unique (a dollar may be Australian, New Zealand, Hong Kong or U.S.). Be advised that merchants cannot convert transaction amounts into different currencies. You may, however, display equivalent amounts in different currencies, but they must be clearly indicated for information purposes only.

  • Customer service access. Providing an easy way for customers to contact you is invaluable in creating customer loyalty and preventing disputes and chargebacks. Customers are likely to have questions or concerns regarding their purchases, and they expect, and have the right to expect, that these concerns are addressed in a timely manner. Consider implementing the following best practices into your customer service procedures:
    • Provide an email inquiry form. You should display email "Contact Us" options on your website and make them easily accessible. Consider providing different email contacts for your support and sales departments as well as for shipping information.
    • Develop an email inquiry response policy. You should implement an auto-response email program to acknowledge receipt of inquiries and provide a time frame for your response. Once you do that, you should make sure that you have sufficient staff available to handle the inquiries within the set time limit.
    • Monitor your customer service to ensure that your organization's inquiry response policies are being implemented adequately.
    • Provide a toll-free number to contact your customer service department and display it prominently on your website. Providing a toll-free contact number is key for ensuring the highest level of customer satisfaction and preventing disputes and chargebacks. Many consumers prefer having their questions and concerns addressed in a conversation with a live person and are uncomfortable or unwilling to use the email response system. Make sure that you have adequate staff to respond to telephone inquiries in a timely manner.
  • Card-not-present fraud prevention guidelines. The ability to accept card payments over the phone, in the mail or online makes possible the existence of mail order, telephone order and eCommerce businesses. It is a very convenient payment method for both consumers and merchants. There are, however, certain challenges that both industries face when it comes to fraud protection, challenges that are very different from the ones a merchant operating in a card-present environment faces. Because payment processing transactions are done in the virtual domain, the merchant never gets to see either the card or the cardholder. The only way to obtain the consumer's account details is to rely on the information provided by the consumer himself. The good news is that there are a number of fraud protection services which, combined with a set of best practices, implemented and followed scrupulously, will help both direct marketing and eCommerce merchants reduce fraud and improve their bottom line.

    Following is a list of guidelines to help merchants operating in the virtual world reduce fraud.

    • Always authorize all transactions. Be advised that the floor limit for all card-not-present transactions is zero which means that you should request an authorization for every single one of them, no matter what the transaction amount. Not obtaining authorization leaves you helpless against both fraud and customer disputes.
    • Always obtain the cards' expiration dates. You should always ask your customer to provide his or her card's "Good Through" date. It is another way to verify that the customer is in physical possession of the card at the time of the transaction.
    • Always obtain the card security verification codes. Card Security Verification is the 3- (for Visa, MasterCard and Discover) or 4-digit (for American Express cards) non-embossed numeric code on the back (for Visa, MasterCard and Discover) or the front of a payment card (for American Express). Obtaining the Card Verification Code in a card-not-present transaction is another, and very powerful, tool to verify that your customer is in actual possession of the card. Be advised that you should never store Card Verification Codes in your system. It is prohibited by the Credit Card Associations and violators may be assessed significant fines.
    • Always use AVS. The Address Verification Service (AVS) allows merchants to verify the authenticity of the billing address that a cardholder has provided at the checkout. It works by routing the provided address, through the Credit Card Associations, to the card issuer. The Issuer then compares the provided address to the one it has on file for its cardholder and responds by issuing a response code which contains the result of its investigation.
    Utilizing the above listed fraud prevention services and implementing the suggested procedures will help eliminate fraud and reduce your chargeback levels. A good payment processing provider should be able to assist you in this process.

  • Visa's CVV2. All major credit card companies have implemented an additional security feature on their credit and debit cards in their continuous efforts to make shopping online and over the phone a safer proposition. Visa's Card Verification Value 2 (CVV2) is a three-digit number printed on the back of every Visa credit or debit card. It is located in the top right corner of the signature panel or immediately to the right of it. It is preceded by the last four digits of the card's account number, printed in the signature panel. CVV2 was introduced to serve as an additional fraud prevention measure, to help eCommerce and MO/TO merchants verify that their customers are in physical possession of their cards. It is a feature that all major eCommerce payment gateways support and your payment processing provider should make it available to you.

    If your organization operates in either the eCommerce or the MO/TO industry, you should follow these procedures when accepting credit and debit cards:

    • Always ask your customers for the last three digits in the signature panel on the back of the card. Do not ask for the CVV2 number as customers will most likely have no idea what this is.
    • Depending on the response the customer gives to your CVV2 request, you should include one of the following indicators in your authorization request, along with the card's expiration date and the account number:
      • "0" - if the CVV2 is not included in the authorization request.
      • "1" - if the CVV2 is included in the authorization request.
      • "2" - if your customer has stated that the CVV2 is illegible.
      • "9" - if your customer has stated that the CVV2 is not on the card.
    • When the card issuer replies with the CVV2 result code, you should take it into consideration, along with all other factors in determining the validity of the transaction. You will receive one of the following result codes:
      • "M" - Match - the CVV2 is valid.
      • "N" - No Match - the CVV2 is not valid, a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVV2 request.
      • "P" - CVV2 request not processed - you should resubmit the request.
      • "S" - the cardholder has stated that the CVV2 is not on the card. The CVV2 code should be printed on all Visa cards. In the case of an "S" response you should verify that the customer is looking for it in the right place.
      • "U" - the card issuer does not support CVV2. In this case you should consider other fraud prevention services.
    Be advised that storing the CVV2 is prohibited. You may store other account information, e.g. cardholder name, account number and expiration date, but not the CVV2. Contact your payment processing provider for additional information on using CVV2. It is not only a very effective fraud prevention measure but also protects against chargebacks.
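The CVV2 steps above, sketched as an added example that is not part of the original post or of any gateway's API: it picks the presence indicator, maps the issuer's result code to a follow-up, and builds the stored record from an allow-list so the CVV2 cannot be persisted. Field names, action names, the `customer_statement` values and the single re-entry on "N" are assumptions.

```python
"""CVV2 handling for a card-not-present authorization (added example)."""

# Presence indicators as listed above.
CVV2_NOT_INCLUDED, CVV2_INCLUDED, CVV2_ILLEGIBLE, CVV2_NOT_ON_CARD = "0", "1", "2", "9"

# Only these fields may be kept after authorization; the CVV2 is never among them.
STORABLE_FIELDS = ("cardholder_name", "account_number", "expiration_date")


def build_authorization_request(cardholder_name, account_number, expiration_date,
                                cvv2=None, customer_statement=None):
    """Assemble the request fields and choose the CVV2 presence indicator.

    customer_statement is "illegible", "not_on_card" or None (hypothetical values).
    """
    request = {
        "cardholder_name": cardholder_name,
        "account_number": account_number,
        "expiration_date": expiration_date,
    }
    if cvv2 is not None:
        if not (cvv2.isascii() and cvv2.isdigit() and len(cvv2) == 3):
            raise ValueError("CVV2 must be the three digits from the signature panel")
        request["cvv2_indicator"] = CVV2_INCLUDED
        request["cvv2"] = cvv2
    elif customer_statement == "illegible":
        request["cvv2_indicator"] = CVV2_ILLEGIBLE
    elif customer_statement == "not_on_card":
        request["cvv2_indicator"] = CVV2_NOT_ON_CARD
    else:
        request["cvv2_indicator"] = CVV2_NOT_INCLUDED
    return request


def next_action(result_code, attempts=1, max_attempts=2):
    """Map the issuer's CVV2 result code to the follow-up described above."""
    if result_code == "M":
        return "weigh_with_other_factors"
    if result_code == "N":
        # A mismatch may be a key-entry error: allow a re-entry (assumed limit),
        # then treat the mismatch as a strong indicator of fraud.
        if attempts < max_attempts:
            return "reenter_and_resubmit"
        return "strong_fraud_indicator"
    if result_code == "P":
        return "resubmit"
    if result_code == "S":
        return "ask_customer_to_check_signature_panel"
    if result_code == "U":
        return "use_other_fraud_prevention"
    raise ValueError(f"unexpected CVV2 result code: {result_code!r}")


def record_for_storage(request):
    """Build the record that may be persisted: an allow-list, so the CVV2
    is dropped even if a new field is later added to the request."""
    return {field: request[field] for field in STORABLE_FIELDS}


if __name__ == "__main__":
    # Constructed sample values; 4111111111111111 is a test number, not a real account.
    req = build_authorization_request("A. Sample", "4111111111111111", "12/14", cvv2="123")
    print(req["cvv2_indicator"], next_action("N", attempts=1), record_for_storage(req))
```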

  • Using cookies and passwords. Web browser cookies are an effective tool to help eCommerce merchants recognize and acknowledge existing customers. They simplify the order process for repeat customers by not requesting that they provide payment details that have already been provided during a previous visit. Consider the following suggestions to improve the effectiveness of the use of browser cookies:
    • Use permanent browser cookies to retain non-sensitive cardholder information and preferences to enable repeat customers to order products and services without having to re-enter this information. This simple procedure will help increase customer loyalty as consumers appreciate not having to submit their payment details every time they visit a website.
    • Use browser cookies to maintain active user sessions, but once the session expires, you should request that the user logs in again, regardless of the computer being used.

    You should establish a procedure for existing customers to safely retrieve their forgotten password while protecting their accounts from fraudsters. Consider implementing the following suggestions:

    • When a customer has trouble signing in or claims that he or she has forgotten a password, you should use customer-provided security data to verify his or her identity. The process should follow these steps:
      • When registering a new account, ask your customer to select a category - such as place of birth, mother's maiden name, favorite sports team - and provide the correct response.
      • If a returning customer has forgotten his or her password, ask the customer for the correct answer to the category that he or she selected at registration.
      • Verify the response and, if correct, prompt the customer to reset their password.
    • Use hints to help customers remember passwords. The process of selecting and implementing hint words should follow these steps:
      • Ask the customer during the registration process to select a hint for his or her password.
      • Display the hint word on your website if the customer enters the wrong password when trying to log into his or her account.

    For a better customer experience you should try to keep the process of resetting a password simple and have a customer service phone number available for customers to contact you if their attempts fail. Be advised that consumers today have many account profiles on various websites and it is more than possible that they forget a password or a hint. If you receive a call from a customer who cannot reset his or her password, you should verify their identity using personal information that you have on file for them.

  • Required transaction data fields. Requiring customers to fill in certain transaction data fields can help eCommerce merchants detect potentially risky situations. To assess the risk of fraud and minimize potential losses, merchants should define the data fields that will help recognize high-risk transactions and require that customers complete them before purchasing products and services. Key risk fields include the following data:
    • Telephone numbers which can be verified using reverse directory services.
    • Email address, particularly when it uses an anonymous service.
    • Cardholder name and billing address which, too, can be verified using reverse directory services.
    • Shipping name and address, if different from the billing data.
    • Card security codes - the 3- and 4-digit numbers on the back or front of credit and debit cards. If there is a mismatch, you should attempt to review the provided code, particularly if the other risk indicators have shown no mismatches. The customer may have simply provided the wrong number.

    Once you have selected the required fields in your transaction forms, you should indicate that they must be completed before the form is submitted. You can use color to highlight them or bold fonts, or asterisks to achieve that. You should also provide an explanatory note to your customers, informing them that the highlighted fields are mandatory.

  • Merchant direct access service. The Merchant Direct Access Service (MDAS) is a fraud prevention system that provides merchants with access to the Address Verification Service (AVS) by telephone. Developed for smaller direct marketing and eCommerce merchants, MDAS provides AVS service on a pay-as-you-go, per-transaction basis.

    The process of using the Merchant Direct Access Service is pretty straightforward: all you need is a telephone and a Merchant Access Code (MAC), which you will get from your merchant account provider. To request an AVS, you will dial a toll-free number and follow the instructions that the automated system will give you. You will need to provide your customer's address and account number and the system will give you the verification results.

    The responses MDAS provides are very similar to the ones AVS provides but do not include response codes. You will receive one of the following Merchant Direct Access Service responses:

    • Exact Match - it means that both the street address and the ZIP code match and you should proceed and complete the transaction.
    • Partial Match - the street address matches but the ZIP code does not. It is a potential fraud. It is up to you whether to investigate further or to complete the transaction.
    • Partial Match - the ZIP code matches but the street address does not. It is a potential fraud. Depending on the transaction amount, you may decide to investigate further or to complete the transaction.
    • No Match - both the street address and the ZIP code do not match. It is a strong indication of fraud and you should take further steps to validate the transaction.
    • Retry Later - it means that the card issuer's system is unavailable at present. You should resubmit your authorization request later.
    • Global - it means that it is an international address and the system cannot verify it.

    Your merchant account provider is best positioned to provide you with additional information on MDAS and to help you get started. Be advised that both the eCommerce and mail order / telephone order payment processing solutions require the implementation of robust fraud prevention solutions and AVS is one of the most powerful among them.

  • Validating card information. Validating the provided card information during an eCommerce transaction is a process to help merchants protect themselves from fraudulent transactions. It is recommended that you consider implementing the following suggestions into your card validation procedures:
    • Implement a "Mod 10" card validation procedure before submitting a transaction for authorization. The Luhn algorithm, also known as "Mod 10" algorithm, is a simple formula used to validate a variety of identification numbers, including credit card numbers. Most credit card companies use the algorithm as a simple method of distinguishing valid numbers from collections of random digits. The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits. In order to take advantage of it, you should follow these steps:
      • Ask your merchant services provider for the Mod 10 algorithm.
      • Use the Mod 10 algorithm to check all online transactions before submitting them for authorization.
      • Inform the cardholder immediately if the card fails to pass the Mod 10 validation check, for example "The card number you provided is not valid. Please try again."
      • Do not request authorization until the account number passes the Mod 10 validation check.
    • Display only the last four digits when showing a number to a repeat customer. The last four digits will provide your customer with enough information to identify the card and decide whether to use it or select another payment mode. At the same time this practice will reduce risk and indicate to your customer that you are handling his or her payment information in a secure manner.
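An added example (not from the original post or from any provider's code) of the Mod 10 check run before authorization and of last-four masking for repeat customers. It also tests the detection claims above: every single-digit error is caught, while an adjacent "09"/"90" swap is the transposition that slips through. The 13 to 19 digit length range and the function names are assumptions.

```python
"""Mod 10 (Luhn) check before authorization, plus last-four masking."""

INVALID_MESSAGE = "The card number you provided is not valid. Please try again."


def _digits(number: str) -> str:
    """Drop the spaces and dashes customers commonly type between digit groups."""
    return number.replace(" ", "").replace("-", "")


def luhn_valid(number: str) -> bool:
    """Return True if the number passes the Mod 10 check."""
    digits = _digits(number)
    # Assumption: accept 13 to 19 ASCII digits; adjust to the brands you accept.
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
        return False
    total = 0
    # Starting from the rightmost digit, double every second digit, subtract 9
    # when the doubled value exceeds 9, and sum the results.
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def pre_authorization_check(number: str):
    """Gate the authorization request: (True, None) or (False, message to show)."""
    if luhn_valid(number):
        return True, None
    return False, INVALID_MESSAGE


def mask_last_four(number: str) -> str:
    """Form shown to a repeat customer: everything but the last four digits masked."""
    digits = _digits(number)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def single_digit_errors_detected(number: str) -> bool:
    """True if every possible one-digit typo in a valid number fails the check."""
    digits = _digits(number)
    for i, original in enumerate(digits):
        for replacement in "0123456789":
            if replacement != original:
                typo = digits[:i] + replacement + digits[i + 1:]
                if luhn_valid(typo):
                    return False
    return True


def undetected_adjacent_swaps(number: str) -> list:
    """Indexes i where swapping digits i and i+1 still passes the check."""
    digits = _digits(number)
    missed = []
    for i in range(len(digits) - 1):
        first, second = digits[i], digits[i + 1]
        if first != second:
            swapped = digits[:i] + second + first + digits[i + 2:]
            if luhn_valid(swapped):
                missed.append(i)
    return missed


if __name__ == "__main__":
    test_number = "4111 1111 1111 1111"   # test number, not a real account
    constructed = "4111111111111095"      # constructed sample containing "09"
    print(pre_authorization_check(test_number), mask_last_four(test_number))
    print(pre_authorization_check("4111111111111112"))
    print(single_digit_errors_detected(test_number))
    print(undetected_adjacent_swaps(constructed))
```

Passing Mod 10 only shows that the number is well formed; the authorization request, AVS and the card security code still decide whether the account is real and in the customer's hands.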
  • Split transactions. Split transactions occur when a merchant divides the cost of a single transaction between two or more sales receipts, using a single cardholder account. A merchant may split transactions in an attempt to circumvent authorization limits imposed on its merchant account agreement. Splitting sales is prohibited.

    When a merchant applies for a card payment processing account, one of the questions he or she is asked to answer in the application form is about the expected average sales amount and overall monthly card processing volume. Merchant account providers need this information to help them estimate the merchant's potential risk exposure. Larger average sales amounts, for example, are riskier because, in the case of a customer dispute or a chargeback, the potential loss is larger, compared to smaller amounts. As a result, the merchant's processing rates are set accordingly. Once the payment processing account is established, the processor will monitor the transactions and, if the merchant exceeds its declared sales amount on a regular basis, its rates may be increased or a processing limit may be imposed, or both. That is the reason why a merchant may try to split sales.

    Split sales may be prohibited but split-tender transactions are accepted. Split-tender transactions occur when a customer presents a card to pay for a purchase plus some other form of payment, such as cash or a check or another card. Merchants should set their own policies on whether or not to accept split-tender transactions.

  • Validating cardholder information. Just as validating the authenticity of a card account number is important in making sure that no false cards are used in eCommerce payment transactions, confirming the provided cardholder information ensures that no authentic cards are used by unauthorized persons. The two validation processes complement each other. They are two sides of the same coin and should both be implemented in every web-based merchant's card acceptance procedures.

    The process of validating a payment card number consists of checking the correctness of the provided customer's telephone number, physical address and email address. The following simple verification steps will help eCommerce merchants identify errors or potential fraudulent activity:

    • Use a telephone area code and prefix table to ensure that the provided area code and prefix are valid for the entered city and state. If mismatches are identified, alert the customer and allow him or her to review the information. Also you should allow re-entering the data as the information initially entered may be valid due to recent additions or changes in telephone area codes.
    • Use a ZIP-code table to verify that the entered ZIP code is valid for the entered city and state. Although changes in ZIP codes are rarer than changes in area codes, you should still allow customers to override alerts as updates do occur or data may be erroneous.
    • Test the validity of the provided email address by sending an order confirmation.
  • Risk management infrastructure. In order to reduce losses resulting from excessive risk exposure, eCommerce merchants must implement internal fraud prevention measures and controls that are tailored to their environment's specifics. A dedicated fraud control department can provide the direction that the organization needs to take to fight fraud. Consider implementing the following measures:
    • Establish an official fraud control function. Consider implementing the following suggestions when setting up a fraud control position or department:
      • Elevate fraud detection and prevention to the highest priority.
      • Develop day-to-day objectives that promote profitability, such as:
        • Minimizing the percentage of fraudulent transactions.
        • Minimizing the effect of fraud-prevention efforts on legitimate sales.
        • Minimizing fraud-related chargebacks.
      • Clearly define responsibilities for detecting and reviewing fraudulent transactions.
      • If yours is a larger organization and you have a separate group that deals with chargebacks, you should encourage a close cooperation between the fraud-prevention and chargeback-monitoring groups, as one of the most common causes for chargebacks is fraud.
    • Monitor fraud-control performance. Your fraud-prevention efforts will become more effective if you track areas like:
      • Overall fraud as a percentage of your total sales.
      • Fraud recoveries as a percentage of your total fraud.
      • Speed of reviewing and making decisions on suspicious transactions.
      • Number of complaints from customers regarding legitimate sales.
  • Internal negative file. Establishing and maintaining an internal negative file is an invaluable tool that eCommerce merchants have at their disposal for fighting fraudulent transactions. It will ensure that you will not fall victim multiple times to the same fraudulent account. When building and maintaining an internal negative file, you should make certain to implement procedures to ensure that only details from fraudulent transactions are stored and recorded. Information that relates to customer disputes or chargebacks should be left out of the negative file. The following suggestions will help you build and manage the file.
    • Building and maintaining an internal negative file. You should begin with a review of your own history of fraudulent transactions. Record the details of the fraudulently used accounts to protect your organization from possible future fraud committed by the same person. Follow these steps:
      • Record all key elements of fraudulent transactions. Your file should include names, email addresses, shipping addresses, customer identification numbers, passwords, phone numbers and card account numbers. Remember that storing the 3- or 4-digit card security codes is not allowed.
      • Set up a process to remove from the negative file information about legitimate customers whose card accounts have been compromised. Their information may have been used by criminals.
    • Using the internal negative file to screen transactions. If transaction data matches data stored in your negative file, you should decline the transaction or, at the very least, initiate a thorough review.
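A minimal negative file along the lines above, as an added example that is not from the original post: it records only confirmed fraud, never records a card security code, removes a legitimate customer's details on request, and screens new orders. Storing keyed hashes (HMAC-SHA-256) instead of raw values is a design assumption made here to protect the stored cardholder data. The field names, the subset of fields screened, the `reason` values and the sample data are constructed.

```python
"""Internal negative file: record confirmed fraud, screen orders, prune victims."""
import hashlib
import hmac

# Transaction fields that are recorded and screened (hypothetical field names).
# Card security codes are deliberately absent, so they can never be stored.
SCREENED_FIELDS = ("email", "phone", "shipping_address", "card_number")


def _normalize(field, value):
    """Canonical form, so formatting differences do not defeat a match."""
    if field in ("phone", "card_number"):
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.lower().split())


class NegativeFile:
    def __init__(self, key):
        self._key = key        # secret key; keep it outside the file's own storage
        self._entries = {}     # token -> set of fraud case ids

    def _token(self, field, value):
        message = f"{field}:{_normalize(field, value)}".encode("utf-8")
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def record(self, case_id, transaction, reason):
        """Record a transaction only when it is confirmed fraud."""
        if reason != "fraud":
            return False       # disputes and chargebacks stay out of the file
        for field in SCREENED_FIELDS:
            value = transaction.get(field)
            if value:
                token = self._token(field, value)
                self._entries.setdefault(token, set()).add(case_id)
        return True

    def remove_legitimate_customer(self, details):
        """Drop entries belonging to a customer whose account was compromised."""
        removed = []
        for field in SCREENED_FIELDS:
            value = details.get(field)
            if value and self._entries.pop(self._token(field, value), None) is not None:
                removed.append(field)
        return removed

    def screen(self, transaction):
        """Return the fields of a new order that match the negative file."""
        return [field for field in SCREENED_FIELDS
                if transaction.get(field)
                and self._token(field, transaction[field]) in self._entries]

    def stored_tokens(self):
        """What is actually persisted: opaque tokens, no raw cardholder data."""
        return sorted(self._entries)


def demo():
    """Run the three operations on constructed data and return the results."""
    negative_file = NegativeFile(key=b"constructed-demo-key")  # placeholder key
    fraud = {"email": "mule@example.test", "phone": "+1 (555) 010-0199",
             "shipping_address": "1 Drop St, Springfield",
             "card_number": "4111 1111 1111 1111", "cvv2": "123"}
    negative_file.record("case-1", fraud, reason="fraud")
    negative_file.record("case-2", {"email": "unhappy@example.test"}, reason="chargeback")
    hits = negative_file.screen({"email": " Mule@Example.test",
                                 "card_number": "4111111111111111"})
    # The phone number belonged to the victim whose card was used: remove it.
    removed = negative_file.remove_legitimate_customer({"phone": "15550100199"})
    return hits, removed, len(negative_file.stored_tokens())


if __name__ == "__main__":
    print(demo())
```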