merchant account tips: proven methods for reducing online credit card fraud & risk
DESCRIPTION
Excellent presentation by Chris West, CDGcommerce owner. In this presentation Chris will educate you on how to better protect your business against fraudulent transactions using AVS scrubbing, VbV/MSC and several other tools provided by CDGcommerce. www.cdgcommerce.com
TRANSCRIPT
Produced by Chris West, CDGcommerce
Proven Methods for Reducing Online Fraud & Risk
Increase your sales without increasing your risk!
The Goal of this Presentation
We all want more sales. We all want less fraud.
The question quickly becomes – how do we reach that “optimal” point of maximizing our sales while minimizing the amount of fraud losses that we encounter?
The goal of this presentation is to help you answer exactly that question for your business using an analysis of the tools that can help you and real life examples from our industry.
There are no “perfect solutions” or “silver bullets” – but by intelligently combining a variety of techniques, you can truly get the best of both worlds.
Fraud: How & Why They Do It
Common Methods of Compromise
• Physical Card Skimming – as much as 40% by some estimates
• “Phishing” E-mails & Attacks – we have all seen many of these
• Security Breaches
  – External Attacks (Packet Sniffing, Direct Hacking, etc.)
  – Internal Attacks (“Inside Jobs” from Disgruntled Employees, etc.)
• The “Secondary Market” of Card Sharing Forums/Chats
• Card Testing Attacks – to determine which cards are still valid
Common Motivations Behind Fraud
• Selling them to other Fraudsters for Profit (now a $1B industry)
• Steal Easy-to-Resell Products
• “Steal & Spam” (host hopping for bulk e-mail campaigns)
• “Because I can” (ego motivated)
The Risk Management Toolkit
• AVS
• CVV
• IP/GEO/BIN
• Cardholder Authentication (VbV/MSC)
• Phone Verifications
• Manual Order Reviews
• Chargebacks & Representments
• PCI Compliance & Data Security
AVS - Address Verification Service
How It Works
• Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual Address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be)
Implementation
• Available on any Internet merchant account and virtually any Payment Gateway
• Most gateways provide an AVS configuration area where you can specify whether you want to automatically “decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match
Benefits
• Easy to implement
Limitations
• Works only for U.S., Canadian and U.K. cardholders, so this does not help you scrub most international transactions.
• A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases – will also contain the necessary information to provide a valid AVS match result.
Recommendation
• If you handle a mix of int’l and U.S. sales, you will want to consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not be considered a primary means of verifying the validity of a transaction.
PORTFOLIO METRIC: nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results. However, 50% of our portfolio CB’s still have FULL AVS match results.
CVV – Card Verification Value
How It Works
• A service with many names – CVV2, CVC2, CID – but the premise is the same for all
• Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.
Implementation
• Available on any Internet merchant account and virtually any Payment Gateway
• Most gateways provide a CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do not settle) an authorization that has a CVV non-match or non-entry
Benefits
• Works for virtually ALL cardholder accounts – both U.S. and international
• There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching number for this.
• Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.
Limitations
• CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.
Recommendation
• CVV is a recommended service to utilize for ALL initial transactions processed.
PORTFOLIO METRIC: based on our internal chargeback analysis, merchants can reduce their fraud rates by as much as 70% by simply requiring a matching CVV result.
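The AVS and CVV recommendations above combine into one settlement rule: require a CVV match on every initial transaction, scrub AVS only on cards from countries where AVS exists, and treat AVS as a secondary signal. The following is an added example of that rule, not CDGcommerce or gateway code. It assumes the gateway reports the widely used single-letter result codes (AVS: Y = street and zip match, A = street only, Z = zip only, N = no match, anything else = not checked; CVV: M = match, N = no match, P = not processed); real gateways differ in the exact letters, so map them before calling this.

```python
"""AVS/CVV scrubbing policy from the AVS and CVV sections (added illustration)."""

# AVS only exists for U.S., Canadian and U.K. issued cards (ISO country codes assumed)
AVS_SUPPORTED_COUNTRIES = {"US", "CA", "GB"}
AVS_FULL_MATCH = {"Y"}
AVS_PARTIAL_MATCH = {"A", "Z"}
AVS_NO_MATCH = {"N"}
CVV_MATCH = "M"


def evaluate_authorization(auth, recurring=False):
    """Return (decision, reasons); decision is 'approve', 'review' or 'decline'.

    auth is a dict with 'billing_country', 'avs_code' and 'cvv_code'.
    A matching CVV is required on every initial transaction; AVS is scrubbed
    only where it exists and only as a secondary signal (partial or
    unavailable results go to manual review rather than decline).
    """
    reasons = []
    decision = "approve"

    # CVV may never be stored, so a recurring rebill has nothing to check.
    if not recurring:
        cvv = (auth.get("cvv_code") or "").upper()
        if cvv != CVV_MATCH:
            reasons.append("cvv:" + (cvv or "missing"))
            decision = "decline"

    country = (auth.get("billing_country") or "").upper()
    avs = (auth.get("avs_code") or "").upper()
    if country not in AVS_SUPPORTED_COUNTRIES:
        # International card: an AVS check would always fail, so it is skipped.
        reasons.append("avs:skipped-international")
    elif avs in AVS_NO_MATCH:
        reasons.append("avs:no-match")
        decision = "decline"
    elif avs in AVS_PARTIAL_MATCH:
        reasons.append("avs:partial:" + avs)
        if decision == "approve":
            decision = "review"
    elif avs not in AVS_FULL_MATCH:
        reasons.append("avs:unavailable:" + (avs or "missing"))
        if decision == "approve":
            decision = "review"

    return decision, reasons


if __name__ == "__main__":
    # Constructed sample gateway responses
    samples = [
        {"billing_country": "US", "avs_code": "Y", "cvv_code": "M"},
        {"billing_country": "US", "avs_code": "Z", "cvv_code": "M"},
        {"billing_country": "US", "avs_code": "Y", "cvv_code": "N"},
        {"billing_country": "DE", "avs_code": "N", "cvv_code": "M"},
    ]
    for sample in samples:
        print(sample, "->", evaluate_authorization(sample))
```

The decline path is limited to the two results the slides say are safe to decline on (CVV non-match on an initial transaction, AVS no-match on a U.S./Canadian/U.K. card); everything else is routed to review so that a gateway outage or partial AVS result does not become a false decline.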
IP/GEO/BIN Scrubbing
How It Works
• Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
• Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer is using a US-issued credit card but they are from Europe?)
• Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction
Implementation
• Custom direct integration into a service such as MaxMind.com
• Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart, ASPDotNetStorefront.
• Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.
• Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.
Benefits
• Fast, Cost Effective and Non-Intrusive
• Provides merchants with an excellent “do the pieces fit consistently?” analysis
• Can block up to 89% of all fraud if properly implemented
Limitations
• Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
• Proxy database is always in a real-time process of being updated as new proxies open up
Recommendation
• IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” for more intensive scrubbing vs. being an outright decline.
IP/GEO/BIN Scrubbing
INSIDER INSIGHT:
Since 2002, MaxMind.com has provided geo-location and online fraud detection tools. Over 6,000 e-commerce businesses currently benefit from MaxMind and clients include About.com, AT&T, Dupont, Earthlink, eBay, IBM, Lexis Nexis, Lycos, Match.com, Morgan Stanley, Orbitz, Red Hat, Reed Elsevier, Sony, Walgreens, Wal-Mart, Warner Brothers, WebEx and Yahoo!.
MaxMind’s minFraud service – which has screened over 100,000,000 transactions – combines IP Address Reputation with a Collaboration Network of more than 10,000 merchants to piece together the most relevant risk indicators that are the consistent earmarks of a fraudulent transaction.
IP/GEO/BIN Scrubbing
Examples of what IP Geo-Location can tell you:
YELLOW ALERTS:
Free E-mail Address: is the user ordering from a free e-mail address?
Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
BIN Country Match: does the BIN # from the card match the country the user states they are in?
BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?
RED ALERTS:
Country Match: does the country that the user is ordering from match where they state they are ordering from?
High Risk Country: is the user ordering from one of the designated high risk countries?
Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
Ship Forwarding Address: is the user specifying a known drop shipping address?
Now let’s take a look at some interesting stats on the above…
IP/GEO/BIN Scrubbing
Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an ongoing battle as new ones pop up and may remain undetected for some time.
26% of orders placed from open proxies on the MaxMind minFraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from an open/anonymous proxy.
IP/GEO/BIN Scrubbing
High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specifically Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam.
32% of orders placed through the MaxMind minFraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.
IP/GEO/BIN Scrubbing
Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country.
21% of orders placed with a country mismatch on the MaxMind minFraud service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.
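The yellow/red alert list and the three proxy, high-risk-country and country-mismatch statistics above describe one screening step: compare the IP geolocation, the BIN and the customer-entered data, and route anything with a red earmark to extra verification rather than an outright decline. The following is an added example of that step; it is not MaxMind’s minFraud API or CDGcommerce code. The geo-IP and BIN lookup tables, the proxy-score cut-off, the free-mail domain and the fraud e-mail/drop-address lists are constructed stand-ins for what a real service would return, and the ISO country codes for the slide’s high-risk countries are an assumption.

```python
"""IP/GEO/BIN screening in the yellow/red alert style of the slides (added example)."""

# Countries named as high-risk on the slide, as ISO 3166-1 alpha-2 codes (mapping assumed)
HIGH_RISK_COUNTRIES = {"EG", "GH", "ID", "LB", "MK", "MA", "NG", "PK", "RO", "RS", "ME", "UA", "VN"}
PROXY_SCORE_THRESHOLD = 0.5   # constructed cut-off for "likely anonymous proxy"

# Constructed lookup data; a real deployment queries a geo-IP/BIN service instead.
IP_GEO = {                    # ip -> (geolocated country, proxy score 0..1); TEST-NET addresses
    "203.0.113.7": ("US", 0.02),
    "198.51.100.9": ("RO", 0.10),
    "192.0.2.44": ("US", 0.93),
}
BIN_TABLE = {                 # first six digits -> (issuing country, issuer name)
    "411111": ("US", "EXAMPLE BANK USA"),
    "510000": ("GB", "SAMPLE BANK PLC"),
}
FREE_EMAIL_DOMAINS = {"example-freemail.com"}
KNOWN_FRAUD_EMAILS = {"carder@example-freemail.com"}
KNOWN_DROP_ADDRESSES = {"1 forwarding depot, anytown"}


def screen_order(order):
    """Return yellow/red alerts plus a routing action for one order dict.

    Per the slide's recommendation a red alert routes the order to extra
    verification (phone call, documents, manual review), not to a decline.
    """
    yellow, red = [], []
    billing = order["billing_country"].upper()
    ip_country, proxy_score = IP_GEO.get(order["ip"], (None, None))
    bin_country, bin_bank = BIN_TABLE.get(order["card_number"][:6], (None, None))
    email = order["email"].lower()

    # Yellow alerts: inconsistencies worth a second look
    if email.rsplit("@", 1)[-1] in FREE_EMAIL_DOMAINS:
        yellow.append("free-email")
    if bin_country and bin_country != billing:
        yellow.append("bin-country-mismatch")
    if bin_bank and order.get("bank_name") and order["bank_name"].upper() != bin_bank:
        yellow.append("bin-bank-name-mismatch")

    # Red alerts: the strong earmarks quoted in the statistics above
    if ip_country is None:
        red.append("ip-not-geolocated")
    else:
        if ip_country != billing:
            red.append("country-mismatch")
        if ip_country in HIGH_RISK_COUNTRIES:
            red.append("high-risk-country")
        if proxy_score >= PROXY_SCORE_THRESHOLD:
            red.append("anonymous-proxy")
    if email in KNOWN_FRAUD_EMAILS:
        red.append("carder-email")
    if order.get("ship_address", "").lower() in KNOWN_DROP_ADDRESSES:
        red.append("ship-forwarding-address")

    if red:
        action = "verify"
    elif len(yellow) >= 2:
        action = "review"
    else:
        action = "accept"
    return {"yellow": yellow, "red": red, "action": action}


if __name__ == "__main__":
    # Constructed order: Romanian IP, U.S. billing address, e-mail seen on prior fraud
    print(screen_order({"ip": "198.51.100.9", "billing_country": "US",
                        "card_number": "4111111111111111",
                        "email": "carder@example-freemail.com"}))
```

The "two yellows means review" rule is a constructed tuning knob; the slides quote hit rates per red earmark (21% to 32%) but give no weighting for the yellow ones, so a merchant would set that threshold from their own order history.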
IP/GEO/BIN Scrubbing
Results that speak for themselves:
ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.
MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting at least 60 chargebacks and $6,000 in unnecessary costs.
Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for small and medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.
365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced by over 96% from more than $10,000 per month to less than $500 per month. At this point, most chargebacks are general order disputes as opposed to fraud.
Cardholder Authentication
How It Works
• Verified by Visa (VbV) / MasterCard SecureCode (MSC) is a unique fraud protection tool provided by Visa and MasterCard whereby cardholders can specify a secret password that only their bank knows to use as an added authentication factor.
• VbV & MSC protect both cardholders & merchants against unauthorized use of the card. Liability protection shifts from the acquiring bank (and merchant) to the issuing bank on an authenticated transaction.
• Think of VbV/MSC as an “insurance policy against fraudulent transactions” – it helps out a lot but there are always certain limitations
Implementation
• Utilize a Shopping Cart/Billing System that has a VbV/MSC module already integrated such as X-Cart, LiteCommerce, Cart32, ASPDotNetStorefront, Lagarde, PinnacleCart, Miva Merchant or a solution with available modules such as osCommerce or ZenCart.
• Utilize a Payment Gateway that has built-in support for VbV/MSC such as the Quantum Payment Gateway, Authorize.Net and others
• Custom direct integration into CardinalCommerce.com
• Additional fees apply with most gateways & merchant processors – ranging from FREE to several hundred dollars setup fees, $10-50 per month, $0.15-0.25 per transaction, depending on who the service is acquired through.
Benefits
• Actually blocks chargebacks (and chargeback fees!) for covered Reason Codes from reaching the merchant
• Provides liability protection for both enrolled & non-enrolled cardholders
• Virtually impossible to get a false decline
• Provides a substantially enhanced chargeback representment case even when Chargeback Block coverage does not exist
Limitations
• Certain limitations to coverage exist – please see the Coverage Matrix on the next page
• Chargeback blocking is only available on an initial transaction – not a subsequent Recurring Transaction
Recommendation
• VbV/MSC should be used for ALL initial transactions for merchants with Large Tickets or a High Risk Profile.
• VbV/MSC should be strongly considered for use with all other merchant types as well due to its substantial benefits.
Cardholder Authentication
INSIDER INSIGHT:
Cardinal Commerce is the leading provider of cardholder authentication (Verified by Visa / MasterCard SecureCode) and provides authentication services to more than 30,000 merchants worldwide with more than $100 billion worth of authenticated transactions processed since its inception.
In 2007, VbV/MSC was the most sought after fraud tool by major merchants. VbV/MSC is the only technology sponsored by the Card Associations which truly helps to level the playing field between the Issuing & Acquiring side with E-Commerce transactions.
Cardholder Authentication
When you use VbV/MSC, you are in very good company…
Cardholder Authentication
Results that speak for themselves:
Geeks.com:
Chris Beatty, Customer Service and Order Processing Manager of Geeks.com comments, "We have been able to approve more orders, faster. We spend less time reviewing orders protected by Verified by Visa, but still maintain our confidence in the validity of the order." "Overall, we consider using Verified by Visa and MasterCard SecureCode an eCommerce industry best practice that can decrease chargebacks and increase consumer confidence," comments Chris Herzog, Geeks.com, VP of eCommerce Development.
TigerDirect:
“We now have the ability to reduce our processing rates, make fraud significantly easier to identify and ultimately reduce fraud by utilizing Verified by Visa and MasterCard SecureCode,” said Joe Dunne, Executive Vice President for TigerDirect. “On top of it all, we were able to re-deploy staff and turn eCommerce order reviewers into eCommerce order takers, how much better can it get?”
Crucial Technology:
“Since our implementation of Verified by Visa and MasterCard SecureCode, we have seen significant reduction in chargebacks,” said Shane Baker, Global Credit Manager for Crucial Technology. “We also feel our participation in leading-edge fraud prevention programs acts as a deterrent to potential fraudsters.”
PORTFOLIO METRIC: nearly 60% of the Chargeback Reason Codes from our Internet merchant portfolio are covered by VbV/MSC.
Cardholder Authentication
Why these clients have all used VbV/MSC:
Transaction liability
• Card-not-present, no guarantees
Chargebacks
• Acquirer fines
• Lost merchandise
Extensive Fraud Screening
• Manual Review and 3rd party services
• False negatives – turning away good customers
• False positives – accepting fraud
Low Conversion Rates
• Insulted customers can’t pay the way they want
• Insulted customers turned away as too risky
• Lost ‘repeat business’ compounds impact
International Orders – added risk but also added market opportunity
• Bill To/Ship To does not match
• No AVS available (as mentioned earlier)
Cardholder Authentication
Verified by Visa Benefits Coverage Specifics:
• Fraudulent Chargeback Blocking on all U.S. consumer Visa transactions regardless of cardholder enrollment
• There is NO automatic Chargeback Blocking with international, corporate or prepaid gift cards
• Fraud Liability Shifted to Card Issuer
• Accept International Orders with Protection
  – Programs extend Worldwide
• Dramatically Lower Manual Review
• Current Enrollment – over 380,000,000 cards enrolled in VbV to date
• Increase Conversion
  – Consumers feel safer shopping on your site and in turn, spend more
Cardholder Authentication
MasterCard SecureCode Coverage Specifics:
• Chargeback Blocking on interregional and intraregional transactions (non-U.S.) regardless of cardholder enrollment
• There is NO automatic Chargeback Blocking for U.S. transactions
• MasterCard offers chargeback representment rights for US to US authenticated transactions
  – If a chargeback is issued for reason codes 37, 63 or 49, the merchant may represent the transaction to have it reversed
  – When a consumer enters a PIN at checkout, ECI and CAVV data will be attached to that transaction thus ‘securing’ that order
• Fraud Liability Shifted to Card Issuer
• Accept International Orders with Protection (see next slide)
• Dramatically Lower Manual Review
• Enrollment – MSC is currently enabled on 250,000 web sites and runs on 20% of all e-commerce transactions globally
• Increase Conversion
  – Consumers feel safer shopping on your site and in turn, spend more
Cardholder Authentication
Covered Chargeback Reason Codes:
Verified by Visa
• 23: Invalid T&E
• 83: Fraudulent MOTO/Ecommerce
• 75: Cardholder does not recognize
MasterCard SecureCode
• 37: Non Cardholder Authorization
• 63: Cardholder Does Not Recognize
• 49: Questionable Merchant Activity
Here’s an easy way to know if VbV/MSC would help you – look at the CB Reason Code on the CB’s that you have already received!
Cardholder Authentication
Non-Enrolled Authentication Experience
There is no change in the user checkout process
Cardholder Authentication
Pre-Enrolled Authentication Experience
Presented to cardholders after suggested enrollment advertising from issuer
Enrollment Is Optional
Cardholder Authentication
Enrolled Authentication Experience
Secure inline frame prompt from issuer – for cardholders who already voluntarily enrolled
Phone Verification Calls
How It Works
• Phone verification calls can be done manually by employees OR done through an automated system that provides the online purchaser with a special PIN # or keyword and then calls them up on the phone and asks them to enter the information. The latter can be done 24 x 7 x 365 without any actual employees present.
• By calling up the customer at their specified phone #, it is possible to verify that the number itself is valid and that the customer actually is present. With a stolen card or fraudulent purchase, it is very unlikely that you will ever reach a live human being.
Implementation
• Use an existing 3rd party service such as TeleSign.com, Varilogix.com, DialVerify
• Build your own VOIP system to make automated phone calls to customers
Benefits
• Reliable method for validating “proof of life” on the part of a remote purchaser.
• Automated implementations can save employee time & cost.
• You can use the phone call as a dual “verification plus welcome” call for the customer.
Limitations
• Additional fees apply when using an automated solution – the costs can be a per-minute fee based on destination phone # or a flat monthly fee which includes a specific amount of calls with overage costs for calls above and beyond that.
• For international sales, there can be a language barrier issue and/or telecom connection problems under certain circumstances.
• By using VOIP lines or prepaid wireless, a savvy fraudster can still get past this method of fraud scrubbing although this is still the exception to the rule – most still do not want any phone # that can directly reach them if they can avoid it. (In addition, some systems can determine whether the # being called is a VOIP or pre-paid phone, etc.)
Recommendation
• Phone Verification calls should be implemented on a case by case basis depending on the merchant’s risk profile. For high ticket or higher risk transactions, phone verification calls should be used. The decision to use Manual Calls vs. Automated Calls depends on the frequency of calls, order fulfillment speed needed to be competitive and staff availability.
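The automated variant described above is a small protocol: the purchaser is shown a one-time PIN on the order page, an automated call asks them to key it in, and the order proceeds only if the digits match. The following is an added example of the merchant-side state for that flow; it is not TeleSign, Varilogix or DialVerify code, and the call itself (dialling, collecting the keyed DTMF digits) is the telephony provider’s job, left here as a `place_call` callback. The ten-minute PIN lifetime and three-attempt lockout are constructed values.

```python
"""Merchant-side state for an automated phone verification PIN (added example)."""

import hmac
import secrets
import time

PIN_LENGTH = 6
PIN_TTL_SECONDS = 10 * 60   # constructed: a PIN is good for ten minutes
MAX_ATTEMPTS = 3            # constructed: three wrong entries lock the order


class PhoneVerifier:
    """Tracks one pending PIN per order id."""

    def __init__(self, place_call=None, clock=time.time):
        # place_call(phone_number, order_id) hands the call to the telephony provider
        # (hypothetical hook); clock is injectable so expiry can be tested without waiting.
        self._place_call = place_call or (lambda phone, order_id: None)
        self._clock = clock
        self._pending = {}   # order_id -> [pin, expires_at, attempts_left]

    def issue_pin(self, order_id, phone_number):
        """Generate the PIN to show on the order page and trigger the call."""
        pin = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
        self._pending[order_id] = [pin, self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        self._place_call(phone_number, order_id)
        return pin

    def verify(self, order_id, keyed_digits):
        """Check the digits keyed during the call.

        Returns 'verified', 'retry', 'locked', 'expired' or 'no-pending'.
        """
        record = self._pending.get(order_id)
        if record is None:
            return "no-pending"
        pin, expires_at, _ = record
        if self._clock() > expires_at:
            del self._pending[order_id]
            return "expired"
        # Constant-time comparison so response timing does not leak matching prefixes
        if hmac.compare_digest(pin, keyed_digits):
            del self._pending[order_id]
            return "verified"
        record[2] -= 1
        if record[2] <= 0:
            del self._pending[order_id]
            return "locked"
        return "retry"


if __name__ == "__main__":
    verifier = PhoneVerifier(place_call=lambda phone, oid: print("calling", phone, "for", oid))
    shown_pin = verifier.issue_pin("order-42", "+1-555-0100")   # constructed order and number
    print("purchaser keys", shown_pin, "->", verifier.verify("order-42", shown_pin))
```

A "locked" or "expired" result should feed the manual review queue rather than an automatic decline, which keeps the call consistent with the case-by-case recommendation above.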
Phone Verification Calls
INSIDER INSIGHT:
Ace-Host is a leading Web hosting company that currently serves the needs of more than 40,000 webmasters worldwide. Jerald Darow, one of the founders, was kind enough to share his company’s internal order verification process. Many aspects of this process were developed on a trial & error basis as a result of various fraud losses early on and Jerald’s hope is that other Web hosting companies can benefit from what his organization has learned along the way.
Phone Verification Calls
AceHost Order Review Process:
STEP ONE: INITIAL ORDER SCREENING PROCESS
• Use Varilogix + ModernBill for the initial automated phone verification process
• Use VbV/MSC for Dedicated Server Orders (which are higher tickets by nature)
STEP TWO: COMPLETE ORDER REVIEW & DECISION
• Use custom order review system – which ties into ModernBill – to review the IP/BIN/GEO results as per the screenshot and review to get an overall assessment of how risky the transaction appears
• Pay close attention to the Phone Area Code Checking against User-entered State Address (U.S. only)
• Pay close attention to the Bank BIN-to-IP comparison to ensure that Credit Card is from the same Country.
Manual Order Review
How It Works
• Using the “Mark 1 Eyeball” method, you review the information on an order to make sure that it makes sense and is consistent with previous order patterns. In addition, you can cross-check WHOIS, review a customer’s Web site and take other subjective steps. A manual review also helps to flag situations such as:
  – Nonsensical e-mail, phone or address information (“1234 Test Street”, “123-456-7890”, “1 Gonna Git You Drive”)
  – A large ticket purchase without prior discussion that normally would entail extensive prior negotiation
  – A large ticket transaction that the customer wants rushed to them regardless of the shipping cost
  – Too many risk factors together (high fraud score, AVS non-match, CVV non-match, unable to reach customer, mis-matching IP/GEO/BIN scoring)
Implementation
• This process requires employee time. Employees must be tasked to review every order manually before capture/settlement OR only to review flagged orders that are considered higher risk.
• For additional verification, employees could request supporting documents such as: Copy of Credit Card, Copy of Credit Card Statement, Copy of Government-issued Photo ID, Copy of Utility Bill or Bank Statement. (Keep in mind that some of the above will be objectionable to legitimate purchasers and so there could be a trade-off in the form of lost sales.)
Benefits
• Subjective analysis – the human brain is the best single tool for fighting fraud… as long as the benefits provided by the other tools in the toolkit are used in conjunction with it.
Limitations
• Employee time & cost are the biggest limitation for manual order reviews.
Recommendation
• Manual order review is always recommended for high ticket or high risk transactions. For other scenarios, it is a case by case analysis which is largely dependent on the merchant’s risk profile.
Manual Order Review
INSIDER INSIGHT:
Hostgator is the world’s leading provider of reseller accounts with over 20,000 resellers and 1,000,000 websites on its shared and reseller plans. Hostgator has done an excellent job managing its online order risk throughout its incredible growth as a business and Brent Oxley, the founder & owner was kind enough to share his company’s internal method for manual order review & phone verifications.
Manual Order Review
Hostgator Order Review Process:
STEP ONE: INITIAL ORDER SCREENING PROCESS
• Check IP/GEO fraud score and distance to billing
• Do a WHOIS search (dnsstuff.com, iptools.com)
• If PayPal, verify to make sure the name and e-mail matches info in ModernBill
• Require additional verification on any account with the following words in their domain: proxy bank warez forex torrent paypal lolita hyip
• All accounts with Proxy Score of over 3.00 must verify by sending in supporting docs.
• IRAN: no accounts can be accepted from Iran due to legal/trade restrictions.
• CHINA: payment must be made via Western Union or bank wire transfer.
• NIGERIA/SOUTH AFRICA (ZA): verification via Photo ID + Copy of Credit Card required. If paying by PayPal, the government ID must match with what we have on file
• GREAT BRITAIN: has larger distance scores so try to do a WHOIS and verify details carefully
• ROMANIA: usually has a high fraud score so check WHOIS and verify details carefully
• If in doubt, make a Phone Verification Call – verify the domain, last 4 of CC and address (see STEP TWO)
STEP TWO: CALL EVERY ACCOUNT YOU ARE ABOUT TO MARK AS “FRAUD” BEFORE DECLINING IT:
– If they answer and verify the info – activate the account!
– If they do not answer but name on voicemail matches, leave message and activate
– If they do not answer and voicemail is non-specific, leave a message and pend
– If the number is invalid, mark the account as fraud and cancel the order
– If they do not speak English, mention you will send an e-mail and notate the ticket
Other Fraud Prevention Tools
• IP Velocity Scrubbing – recommended for all merchants to avoid card testing attacks.
• Split Charge with Customer Verification – a great idea but not widely implemented yet.
• Stolen Card Alert Services – an interesting idea; success depends on scale.
• Credit Bureau Identity Verification – an interesting idea but one that has realized mixed success.
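IP velocity scrubbing, the first tool in the list above, counters the card testing attacks mentioned in the compromise methods slide: a tester runs many small authorizations from one address to learn which stolen numbers are still live. The following is an added example of a sliding-window velocity check, not CDGcommerce code. The limits (5 attempts, 3 distinct cards, 10-minute window) and the fingerprint key are constructed; a deployment would size the limits from its own traffic and keep the key in its secret store.

```python
"""Per-IP velocity scrubbing against card testing (added example)."""

import hashlib
import hmac
from collections import defaultdict, deque

# Constructed secret: fingerprints are keyed so stored values cannot be reversed to a PAN
FINGERPRINT_KEY = b"replace-with-a-real-secret-from-your-key-store"


def card_fingerprint(pan):
    """Keyed hash of the card number; the PAN itself is never retained."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


class VelocityScrubber:
    def __init__(self, window_seconds=600, max_attempts=5, max_distinct_cards=3):
        self.window = window_seconds
        self.max_attempts = max_attempts
        self.max_distinct_cards = max_distinct_cards
        self._events = defaultdict(deque)   # ip -> deque of (timestamp, fingerprint)

    def record(self, ip, pan, timestamp):
        """Log one authorization attempt and return 'allow' or 'block'.

        Two limits apply inside the window: total attempts from the IP, and the
        number of distinct cards tried from it (the signature of card testing).
        Blocked attempts are still recorded so a tester who keeps going stays
        blocked instead of earning fresh quota.
        """
        events = self._events[ip]
        events.append((timestamp, card_fingerprint(pan)))
        cutoff = timestamp - self.window
        while events and events[0][0] < cutoff:
            events.popleft()                  # drop attempts that fell out of the window
        distinct_cards = {fp for _, fp in events}
        if len(events) > self.max_attempts or len(distinct_cards) > self.max_distinct_cards:
            return "block"
        return "allow"


if __name__ == "__main__":
    scrubber = VelocityScrubber()
    # Constructed burst: four different cards from one TEST-NET address in 30 seconds
    for i, ts in enumerate((0, 10, 20, 30)):
        print(ts, scrubber.record("203.0.113.7", f"41111111111111{i:02d}", ts))
```

In production the deque would live in a shared store so that all web nodes see the same counts, and a "block" here means "do not send the authorization to the gateway", which also stops the tester from generating authorization fees.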
Chargebacks & Representments
• The Mechanics of a Visa/MasterCard Chargeback
A chargeback takes place when a cardholder disputes a transaction with a merchant. The cardholder must specify a reason which is then translated into one of a large list of possible “Reason Codes.” The Issuing Bank sends through the chargeback and reverses the original transaction with the Acquiring Bank. The Acquiring Bank debits the merchant for the sale amount plus a chargeback fee and notifies the merchant. It is then up to the merchant to submit a “re-presentment” of the original sale along with a rebuttal as to why the chargeback was invalid. If successful, the sales funds are once again debited from the Issuing Bank (and cardholder), transmitted to the Acquirer and deposited back to the Merchant.
• First Chargebacks
The first Chargeback initiated between a Cardholder and a Merchant is considered the “First” chargeback. This does not mean that it is the only Chargeback that can take place; in most cases, however, if a merchant wins the representment/rebuttal, the case is closed. The rules that govern chargeback disputes are very extensive – they literally take up a book that is over 1.5 inches thick just for the Visa rules.
• Second Chargebacks & the Arbitration Process
Under certain circumstances, a 2nd chargeback between the same Cardholder and Merchant can be initiated by the Issuing Bank pertaining to the same transaction. Normally this is submitted under a different Reason Code. If the merchant wishes to dispute this, the process then will go to Arbitration whereby each party will state their case before a panel from Visa or MasterCard. The problem here is that there are filing fees and other costs that will be borne by the merchant if the merchant loses the case. Since these fees are often in excess of $400, the only time the risk of arbitration makes sense is when there is a very large ticket involved AND the merchant’s case is extremely solid. Most of the time, one of these two situations is not the case and so the better course of action is to pursue collection of the payment through the civil/legal side.
Chargebacks & Representments
• Keys to Avoiding Non-Fraud Chargebacks
– Make sure that the Domain and DBA/Merchant Descriptor match closely
– Make sure that your Merchant Phone # is always kept up to date with your merchant processor
– Make sure that any customer inquiries about a transaction are responded to in a very timely manner
– Make sure that instructions for cancellation of service are clearly understood and that it is not difficult to do so
– Make sure to clearly and promptly communicate if there is ever a billing error to avoid a chargeback
– “If in doubt, refund it out” – it just isn’t worth the headache on a small ticket to argue over a TOS or AUP only to get a CB
• Keys for Successful Chargeback Representments
– Respond in a timely manner to any chargeback advisories that you receive
– Clearly notate if there was a positive CVV, AVS or CAVV match on the transaction
– Clearly notate if you have a faxed signature from the cardholder
– If you have correspondence from the customer or proof of delivery, include all of this information
– Remember: you will lose 100% of the chargebacks that you do not even ATTEMPT to combat!
PORTFOLIO METRIC: nearly 42% of the representments attempted by our merchants have been successful
Chargebacks & Representments
• Chargeback Ratios & High Risk Merchant Monitoring Programs
It is up to each individual merchant processor how they want to set their acceptable chargeback thresholds for their merchants. Most merchant processors set a guideline of 1% chargeback volume-to-sales volume. The actual Visa and MasterCard internal thresholds vary from 1-2.5% based on volume-to-volume or # of CBs to # of sales measurements. Under certain circumstances, a larger volume merchant can be placed on the Visa or MasterCard high risk merchant monitoring programs. This is NOT a happy place to be and penalty fees can quickly start to ramp up into the tens of thousands of dollars. This also brings additional and unwanted scrutiny upon the merchant processor with the Associations and in many cases, a merchant processor will politely (or not so politely!) request that a merchant move their processing elsewhere if this begins to happen. The best way to address this is to avoid this situation in the first place using the methods outlined in this presentation.
PORTFOLIO METRIC: the average CB ratio for our Internet merchant portfolio is only 0.003%.
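Two of the questions raised in this deck can be answered from the chargeback records a merchant already holds: the Covered Chargeback Reason Codes slide suggests checking how many past chargebacks carry a VbV/MSC-covered code, and the ratio discussion above names both measurements (volume-to-volume and count-to-count) and the 1% guideline and 1-2.5% association range. The following is an added example that computes both from a list of chargebacks; it is not CDGcommerce code. The covered code sets are taken from the coverage slide; the sample period and its chargebacks are constructed, and the two non-fraud reason codes in the sample are placeholders, not real codes.

```python
"""Chargeback ratio and VbV/MSC coverage report (added example)."""

# Covered reason codes, from the coverage slide
COVERED_REASON_CODES = {
    "visa": {"23", "83", "75"},
    "mastercard": {"37", "63", "49"},
}
PROCESSOR_GUIDELINE = 0.01   # the 1% chargeback-to-sales guideline quoted above
ASSOCIATION_UPPER = 0.025    # upper end of the 1-2.5% association range quoted above


def chargeback_report(sales_count, sales_volume, chargebacks):
    """Summarise one period's chargebacks.

    chargebacks: list of dicts with 'brand', 'reason_code' and 'amount'.
    Both measurements mentioned on the slide are computed and the worse of the
    two drives the status, which is the conservative reading of the thresholds.
    """
    cb_count = len(chargebacks)
    cb_volume = sum(c["amount"] for c in chargebacks)
    count_ratio = cb_count / sales_count if sales_count else 0.0
    volume_ratio = cb_volume / sales_volume if sales_volume else 0.0
    worst = max(count_ratio, volume_ratio)

    if worst >= ASSOCIATION_UPPER:
        status = "monitoring-program-risk"
    elif worst >= PROCESSOR_GUIDELINE:
        status = "above-processor-guideline"
    else:
        status = "ok"

    # Chargebacks VbV/MSC blocking would have covered, had the order been authenticated
    covered = [
        c for c in chargebacks
        if c["reason_code"] in COVERED_REASON_CODES.get(c["brand"].lower(), set())
    ]
    return {
        "cb_count": cb_count,
        "cb_volume": cb_volume,
        "count_ratio": count_ratio,
        "volume_ratio": volume_ratio,
        "status": status,
        "covered_by_vbv_msc": len(covered),
        "covered_share": len(covered) / cb_count if cb_count else 0.0,
    }


# Constructed sample period: 2,000 sales worth $100,000 and five chargebacks
SAMPLE_CHARGEBACKS = [
    {"brand": "visa", "reason_code": "83", "amount": 50.00},
    {"brand": "visa", "reason_code": "XX", "amount": 200.00},        # placeholder non-fraud code
    {"brand": "mastercard", "reason_code": "37", "amount": 75.00},
    {"brand": "mastercard", "reason_code": "YY", "amount": 120.00},  # placeholder non-fraud code
    {"brand": "visa", "reason_code": "75", "amount": 40.00},
]

if __name__ == "__main__":
    print(chargeback_report(2000, 100_000.00, SAMPLE_CHARGEBACKS))
```

Running the report over a real export is the quickest way to test the "look at the CB Reason Code on the CBs you have already received" advice: a high covered share means VbV/MSC would have blocked most of what you are paying for today.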
• Disputes with Other Non-Visa/MasterCard Card Brands
Other card brands (Amex, Discover, JCB) and payment methods like PayPal have their own specific dispute policies.
PCI DSS Compliance & Data Security
• What is PCI DSS and why it is important
PCI DSS is the Payment Card Industry’s Data Security Standard. It exists to provide a common set of security standards that all market participants can agree to adhere to… instead of having to comply with varying guidelines from every different card brand and processor. Due to the amount of reputational risk and financial exposure that exists whenever there is a well publicized security breach and cardholder data is compromised, Visa and MasterCard have embarked on an extensive campaign to ensure that all participants in their networks adhere to these guidelines to minimize the likelihood of future compromises. In turn, this has put pressure on Acquiring Banks to ensure that their Merchants are also PCI compliant. A good reference site to look at for the full PCI standards is at:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• The Recent Myth of “PCI Compliance Fees”
A lot of merchant processors have been using the recent buzz about PCI to leverage additional fees onto their merchant bases under the auspices of it being “required” by Visa and MasterCard. This is simply NOT the case. Most Internet merchants are Level 4 merchants and it is completely up to the Acquiring Bank what they want to require. Under almost all circumstances, a detailed internal review and a Self-Assessment form by itself should be the only necessary action step needed by most merchants. External scanning is certainly encouraged as well and some acquiring banks may mandate this in the future for their Level 4 merchants.
• The Road Towards PCI Compliance
There is no easy or quick way to ensure PCI compliance. The 12-Step process can indeed be an arduous undertaking. There are a few quick pointers that are worth sharing on this, however (THIS IS BY NO MEANS AN EXHAUSTIVE LIST!):
– Avoid direct storage (even if encrypted) of cardholder data if possible and outsource this to a PCI-certified gateway.
– If you must store data, make sure never to store CVV data under any circumstances. This is a major Visa/MC violation.
– If you do store data, ensure that it is encrypted and that the decryption key is not stored on the same server(s) as your data.
– If you do store data, ensure that you have a separate firewall dedicated to that database server which only allows authenticated connections from your Web server or other non-public IP’s.
– Make sure to segregate applications – one application per server. Do not have a Web server that also runs a database or a database server that also handles your e-mail.
– Make sure that your server/network requires 2-factor authentication in order to gain physical access to any equipment.
– Make sure to develop and maintain a compliant security policy manual, use strong passwords and log all activity carefully.
Let’s Fight Fraud Together!
Thank you for reading…
We hope you enjoyed the presentation!
Questions? Feedback? Ideas? Tips?
E-mail: social @ cdgcommerce.com
Chris West
CDGcommerce
www.cdgcommerce.com