Chargeback & Fraud Guide 2015
Introduction
What Does It All Mean?
Understanding the Process
Chargebacks
  Requests for Information (RFI) and Chargebacks
  Further chargeback stages: 2nd Chargebacks and Pre-arbitration
  Timescales
  Responding to chargebacks
  Cancellation of Continuous Authority
How can a chargeback be avoided?
What are PayPoint doing to help me?
  3D Secure
  Card Verification Value (CV2)
  Address Verification Service (AVS)
  Cashier
  CardLock
  FraudGuard
Visa and MasterCard Fraud and Risk Programs
Glossary & Appendix
Introduction

Here at PayPoint Online and Mobile we recognise that fraud and chargebacks are becoming an ever increasing problem for many of our merchants. With the online market growing at an increasing pace year on year, fraud and chargebacks are becoming two of the most common threats. In their simplest form, these related issues can reduce profit margins. At their most destructive, spiraling fraud and chargebacks can cripple a business, jeopardize your merchant status, and cause your acquiring facilities to be removed entirely. Fraud is widely considered the biggest contributing factor causing concern for merchants and payment service providers today, particularly in card not present (CNP) transactions. It is estimated that CNP fraud accounted for 63% of all card fraud in 2013.

We would usually expect to see chargebacks as a direct result of fraud; however, many other factors can result in a chargeback being raised, including misrepresentation, disputed services and unauthorized activity. At PayPoint, protecting our merchants from these risks is something we take seriously. This is evidenced by the array of fraud prevention tools and chargeback management procedures offered once integrated with our platforms. These tools have been developed to give merchants every possible opportunity to tackle fraud and chargebacks by using both proactive and reactive measures.
What Does It All Mean?

Losses associated with remote card purchases (those made online, over the telephone or by mail order) rose to £174.5 million in the first six months of 2014, up 23% from £142 million during the same period in 2013. Within this figure, the total e-commerce fraud loss is estimated to be as high as £110 million, an increase of 23% on the estimated £89.5 million throughout the first half of 2013 (UK Card Association).

A badly managed fraud and chargeback process can have negative reputational and financial implications for any business. Certain levels of protection can be provided by card schemes (Visa and MasterCard for example) and card issuers, but ultimately it is the merchant who will be liable for the costs incurred. For any chargeback unsuccessfully defended, a business will lose not only the deposited amount and the goods or services provided, but additional fees will be added.

However, this is not the full extent of the issue. Excessive chargebacks, whether or not they are received due to fraudulent activity, will place a merchant’s account in jeopardy. Fraud and chargeback levels are monitored by the card schemes, and merchants exceeding the schemes’ threshold levels can have their account terminated and, in extreme cases, receive high value fines. PayPoint offer a range of tools that assist in monitoring and combatting these potential risks. Recent trends are showing that the year on year percentage of e-commerce fraud is slowly increasing, but with effective solutions at your disposal, PayPoint merchants can manage risk and trade with confidence.
Understanding the Process

Most merchants running an online business will need to accept card payments of some description. Whether this is arranged through your bank, an online payment processor or by using popular payment schemes such as PayPal, this is typically a first priority. In order to accept payments online you will need two things:

1. An Internet Merchant Account (not to be confused with a “normal” business bank account)
2. A Payment Gateway

An Internet Merchant Account (IMA, sometimes also referred to as a Merchant Account or MID) enables your business to process card transactions online and capture funds when used in conjunction with a Payment Gateway. An IMA can be obtained directly via an acquiring bank or through a payment provider such as PayPoint.

The role of a payment gateway is to facilitate and co-ordinate the communication of a payment transaction between various backend payment networks or banks. This enables the real-time online processing of credit cards and other payment types. The payment gateway provides an immediate response to your requests by either authorising or declining the transaction. The purpose of this one component in isolation can become hard to identify. To better understand the payment gateway process, please see the diagram below that illustrates the journey of a transaction before being accepted or declined.

[Diagram: the journey of a transaction between the Customer, Payment Gateway, Acquiring Bank, Card Schemes and Card Issuer]

The transaction process:

1. A customer enters their credit card details on the website and clicks to confirm their payment.
2. The transaction makes a call to the payment gateway (the online payment system integrated with the retailer’s site).
3. The payment gateway is the secure link that the transaction passes through for authorisation.
4. The payment processor (that is integrated into the internet merchant account) then receives the payment and passes it through to the card issuer.
5. The cardholder’s issuing bank receives the transaction and puts it through a number of checks and places a call back to the payment processor with an authorisation request.
6. They then pass the authorisation request back through the secure gateway and forward it back to the merchant’s website with an authorisation confirmation.
7. This should all happen in real-time.
Requests for Information (RFI) and Chargebacks

In certain circumstances a card holder may wish to dispute a transaction. This can happen for a number of reasons but typically cardholder disputes fall into 3 categories:

• They claim not to have made the transaction
• Genuine processing errors, such as order not arrived/incorrect order arrived
• Dissatisfied with the goods or level of service provided
When a transaction is disputed, the card issuer and the acquiring bank operate according to clearly defined and well-established procedures to resolve the dispute. These procedures are designed to establish whether the merchant should receive (or retain) the disputed payment or whether the funds should be returned to the card holder. The process of returning the funds to the card holder
is known as a chargeback. To reduce the number of chargebacks it is essential that merchants and acquiring banks carefully monitor disputed transactions and respond promptly to retrieval requests. A retrieval request is also known as a “first request”, a “Photocopy Request (PCR)” or a “request for information” (RFI). A retrieval request is made when a copy of the sales receipt is needed by the card issuer for a particular transaction, typically when a card holder does not recognise a specific transaction on their credit card statement. If a merchant is receiving a large percentage of disputed transactions they are required to take corrective action to prevent further disputes from arising, or they may face fee assessments from the card schemes. These are explained further in the section titled ‘Visa and MasterCard Fraud and Risk Programs’.
How the chargebacks/retrieval request process works

1. The card holder queries the transaction debited to their account.
2. The card issuer requests information about the card holder’s transaction from the acquiring bank; this is known as a retrieval request. When raising a request, issuing banks do not state the reason for the request and they are not required to confirm whether the information provided is sufficient for the card holder. A chargeback may or may not subsequently be raised.
3. The RFI is communicated to the merchant either via email notification or through the acquirer’s online portal. The exact process is dependent on which individual acquiring partner the merchant is contracting with.
4. The merchant is required to respond to the retrieval request by sending all necessary information relating to the transaction back to PayPoint or directly to the acquirer, depending on your agreement. If the issuing bank does not receive a copy of the transaction receipt within the required time scale, they have the right to charge the transaction back due to non-receipt of documentation.
5. The acquirer sends defences to the card issuer. The card issuer examines the case and determines whether the information was returned in the correct time frame and whether it satisfies the card holder’s query. If the transaction is no longer disputed, the process stops here.
6. If the transaction information does not satisfy the cardholder’s query in accordance with the rules, or the supporting documentation fails to arrive in the specified time frame, the card issuer will raise a chargeback on behalf of the card holder. The details of the chargeback will then be sent to the acquirer and, where applicable, on to PayPoint.

Please note this is a basic guide to the RFI/chargeback process and the communication steps between all those involved. The way in which chargebacks are communicated will vary depending on the acquirer. This process can be provided separately.
Further chargeback stages: 2nd Chargebacks and Pre-arbitration

Should the first stage of representment against the first chargeback not be accepted by the issuing bank, and the bank still wish to uphold the chargeback, then further stages come into play. The necessary actions to take will be determined by each card type:

Visa: In cases whereby the cardholder or Visa feels that there is not enough proof to validate the transaction, a Pre-Arbitration is created. This means there is a second opportunity to provide details that the transaction is, beyond any doubt, genuine. Additional documents would be required, further to those provided the first time round. These documents should be strong enough to prove that the cardholder received the goods or services. It is important to note that Arbitration carries a significant fee to be paid by the losing party. Visa Operating Regulations override all other Terms & Conditions and, should the acquirer lose the case with Visa using the evidence provided by the merchant, then the merchant will be obliged to remunerate the cardholder as well as being charged a fee for each case by Visa. Alternatively both the chargeback and the Pre-Arbitration can be accepted and, in this instance, only the chargebacks will be debited.

MasterCard: Where the first defence fails and is not accepted, a second chargeback can be raised; doing so will result in a second chargeback fee being applied. A second defence can be sent and in this instance, it is the acquirer that would raise a Pre-Arbitration (contrary to the issuer in the Visa example). Should the merchant lose the case, they will be obliged to pay the cardholder as well as being charged a substantial fee by MasterCard. Alternatively the chargeback can be accepted and only the amounts of the chargebacks will be debited.

In both cases (Visa and MasterCard), unless there is proof that the transaction is valid, it is suggested that the chargeback should be accepted after the first failed defence due to the possible fees incurred.
NOTE: Given the risk of the fees involved, not all acquirers will offer the opportunity to go to Arbitration and so these will be automatically accepted. This does not mean that it is not possible to raise a concern when a defence has failed. This will be dealt with on a case by case basis.
Timescales

Type: RFI
Description: Calculated from one of two dates: 1. The date the transaction is processed by the card scheme, 2. The date of expected receipt of services (e.g., for travel services, the expected date of travel).
Who: The Cardholder/Issuing bank
Timescale: The issuing bank typically has up to 120 days from this day to raise the chargeback

Type: Defence/RFI response
Description: The information sent by the merchant in order to defend a potential chargeback
Who: The Merchant/Acquiring Bank
Timescale: The acquirer has 45 days to provide the information/merchant defense back to the issuer. Different acquirers will give merchants different time scales to respond so that they can work on the defense before submitting. Typically 15 or 21 days.

Type: Pre-arbitration or 2nd Chargeback
Description: Timescale in which the issuer can raise a Pre-Arbitration or 2nd chargeback (depending on scheme)
Who: The Issuing Bank
Timescale: 30 days (Visa) for the issuer to raise Pre-Arbitration. 45 days (MasterCard) for the issuer to raise 2nd chargeback or for the Acquirer to raise a Pre-Arbitration following the 2nd Chargeback.
How could a chargeback affect my business?

Having the revenue from a completed transaction reversed from your merchant account and returned to the cardholder is an unwelcome penalty, particularly if tangible goods or quantifiable services have been provided for that purchase. In many cases an administration fee will also be added to these charges in order to cover the costs of all parties involved in the process. This will result in you incurring a net loss on any transaction that is subject to chargeback.

In addition to reducing your profit margin, there are more serious long term consequences should the level of chargebacks on your merchant account alert either MasterCard or Visa. Typically, any business receiving in excess of 100 chargebacks in any one month will cause each respective card company to review your trading activity. If in that month you exceed the accepted maximum chargeback rate* of 1% there is a strong possibility that your payment processing services will also be discontinued and your merchant account suspended, preventing any further trading. This is covered in more detail in the section covering scheme chargeback programmes. It is also likely that the respective schemes will apply significant fines for the breach.
*Chargeback rate in a given period is number of chargebacks divided by number of transactions submitted
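An added example (not PayPoint or card scheme code) that applies the two thresholds above to monthly counts, so a merchant can see a month approaching review before the schemes do. Counting chargebacks in the month they are received and the extra "watch" status (rate above 1% but 100 chargebacks or fewer) are assumptions of this sketch; the sample figures are constructed.

```python
from collections import Counter
from datetime import date

# Thresholds quoted in this guide; scheme programmes may set different ones.
MAX_MONTHLY_CHARGEBACKS = 100   # "in excess of 100 chargebacks in any one month"
MAX_RATE_PERCENT = 1            # "accepted maximum chargeback rate of 1%"


def month_key(d):
    """Calendar month of a date as 'YYYY-MM'."""
    return d.strftime("%Y-%m")


def monthly_chargeback_report(transaction_dates, chargeback_dates):
    """Return {month: counts, rate and status} for every month seen in either list."""
    tx_per_month = Counter(month_key(d) for d in transaction_dates)
    cb_per_month = Counter(month_key(d) for d in chargeback_dates)
    report = {}
    for month in sorted(set(tx_per_month) | set(cb_per_month)):
        n_tx, n_cb = tx_per_month[month], cb_per_month[month]
        over_count = n_cb > MAX_MONTHLY_CHARGEBACKS
        # Integer comparison avoids float rounding exactly at the 1% boundary and
        # also flags a month with chargebacks but no submitted transactions.
        over_rate = n_cb * 100 > MAX_RATE_PERCENT * n_tx
        if over_count and over_rate:
            status = "breach"    # both thresholds exceeded: account at risk
        elif over_count:
            status = "review"    # volume alone triggers a scheme review
        elif over_rate:
            status = "watch"     # assumption: early warning for low-volume merchants
        else:
            status = "ok"
        report[month] = {
            "transactions": n_tx,
            "chargebacks": n_cb,
            "rate_percent": round(100 * n_cb / n_tx, 2) if n_tx else None,
            "status": status,
        }
    return report


def constructed_sample():
    """Constructed figures: (transactions, chargebacks) per month of 2015."""
    months = {1: (20000, 90), 2: (9000, 120), 3: (30000, 150), 4: (1000, 30)}
    transactions, chargebacks = [], []
    for month, (n_tx, n_cb) in months.items():
        transactions += [date(2015, month, 15)] * n_tx
        chargebacks += [date(2015, month, 20)] * n_cb
    return transactions, chargebacks


if __name__ == "__main__":
    for month, row in monthly_chargeback_report(*constructed_sample()).items():
        print(month, row)
```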
Chargeback Reason Codes

There are many reasons a cardholder may wish to raise a chargeback and Visa and MasterCard classify these differently. You must be aware that each card scheme uses a different “reason code” to charge a transaction back. For a full list of reason codes split between schemes, see appendix A.
Responding to chargebacks

Some chargebacks can be resolved easily without the merchant having to lose the sale. This can be done by simply providing additional information about the transaction or about specific actions taken during the transaction. The key here is to always supply as much information as possible to us or direct to your acquirer in order to help them remedy the chargeback. Consider these guidelines to ensure you have a system in place.

• Know your representment rights to avoid unnecessary losses for your business.
• Act promptly when customers with valid disputes deserve credits.
• When cardholders contact you directly to resolve a dispute, issue the credit on a timely basis to avoid unnecessary disputes and associated chargeback processing costs.
• Immediately inform cardholders of the impending credit.
• Respond to a chargeback as quickly as possible.
• Address all of the cardholder’s pertinent claims.
• Be sure to supply “compelling” information to prove an authorised cardholder participated in the transaction, received the goods or services, and benefited from the transaction.
Compelling Evidence

As of 20th April 2013, Visa Europe and Visa Inc extended the use of compelling evidence as an opportunity for acquirers to rebut a dispute resolution case. Compelling evidence will allow merchants to provide additional types of evidence to try and prove the cardholder participated in the transaction, received the goods or services, or benefited from the transaction. Effective for representments processed on, or after 20 April 2013, merchants will have a representment right to provide compelling evidence for the following chargeback reason codes:

Reason Code 30: Services Not Provided or Merchandise Not Received
Reason Code 53: Not as Described or Defective Merchandise
Reason Code 81: Fraud – Card-Present Environment
Compelling evidence includes information and/or documentation that attempts to prove that the cardholder participated in a transaction and received goods or services. If such evidence is provided, issuers are expected to review and address the supplied information and documentation with the cardholder. For a full list of compelling evidence that can be used, please see appendix B.

The introduction of new compelling evidence representment rights for merchants requires that issuers provide this information to their cardholders. For representments processed on or after 20 April 2013, should the compelling evidence be provided by the acquirer with the representment, issuers should pass on the new information to their cardholders. Issuers will be required to provide proof that they attempted to contact the cardholder to review the compelling evidence using the Electronic Documentation Transfer Method. It is however suggested that, should you have compelling evidence, it is submitted with your defence marked clearly as ‘compelling evidence’.

Should the issuer refute the compelling evidence provided with the acquirer’s representment (effective on or after 20 April 2013), the issuer must initiate a pre-arbitration case prior to filing arbitration with Visa. If the issuer files an arbitration case with Visa without initiating a pre-arbitration first, the issuer will receive an unfavorable arbitration ruling.

In all cases only documents written in English and printed in black and white are accepted. Documents must contain no web pages or photos, unless these are being used as identity evidence.

Please note that the above does not indicate that there is any change in the liability shifts for transactions taken that are not 3D Secure.
Benefits of representing with compelling evidence

• It gives more scope to acquirers and merchants to demonstrate cardholder participation in a disputed transaction.
• Issuers and cardholders: a dispute could be resolved with information provided by the merchant.
What should I do if I don’t have supporting documentation?

You should still provide whatever information you have and ensure that you do not ignore the request. If a refund was made before the chargeback is debited then you should still provide details of this to ensure no further debits are made if the refund is missed. In addition, you may also choose to contact your customer directly to address the issue. To help us respond effectively on your behalf, we would recommend sending us all supporting documentation you have relating to the transaction, which may include one or more of the following:

• Proof of delivery signed by the cardholder
• An invoice showing a detailed description of the goods or services supplied, including the cardholder’s billing address
• Proof of the cardholder’s identity
• Customer transaction history
• Proof of refund
• Last login date and activity (Cancellation of continuous authority)
• A copy of the terms and conditions (if applicable and relative to the chargeback reason)
• Any customer correspondence to show they confirm using the service, the chargeback raised was an error or any other discussion that may be relevant.
Do all chargebacks start with a retrieval request?

No. Issuing banks are not required to submit retrieval requests for most chargeback reasons.

What is an auto-representment?

Some chargebacks may be automatically represented as they may be deemed disputable. For example, if a transaction had previously been refunded.
This chargeback process may differ slightly depending on the acquiring partner that you are contracted with. All acquirers will follow the same chargeback rules set out by the schemes, but the reporting of chargebacks and the process of defending will change. This will be communicated separately.
Cancellation of Continuous Authority

Following an FCA review carried out in 2012, assessing how difficult it was for customers to cancel Continuous Payment Authorities (CPAs), a new scheme rule was implemented to try to make it easier for consumers to cancel these recurring payments. This essentially means that the card holder can now cancel these repeat payments direct with their bank. This should be a familiar practice for a customer who, if they cannot or do not wish to cancel directly with the merchant, will contact their bank to cancel. This has affected many merchants and we have seen a large increase in the number of chargebacks raised for this reason code, 4841/41.

This chargeback reason is very difficult to defend. Firstly, we would recommend that merchants have a process in place that allows the customer to easily cancel the service that you are offering. This should help decrease the chances of receiving a chargeback for this reason code. It is advisable to keep the timescales on cancellations short to ensure the repeat instruction does not get debited again.

A CPA may be defendable if it can be shown that the cardholder used the service after the time the cancellation was made. If, for example, the cardholder goes direct to the bank to cancel the authority while the merchant is not aware, they may continue to use the service until their account is closed. This activity can be used as evidence to defend the chargeback. In all cases the best form of defence would be to contact the cardholder and discuss the cancellation with them. They may either withdraw the chargeback or claim that they did not make the request. This communication can also be provided as evidence in an attempt to avoid the chargeback.

REMEMBER: the card holder has the right to cancel continuous authority payments direct with the card issuer and is not required to inform the company, even though they are recommended to do so. This overrides what is stated in your terms and conditions, which subsequently will not be an acceptable defence regardless of what the customer agreed to on sign up.
How can a chargeback be avoided?

To mitigate your risk there are two main objectives:

1. To ensure, with our help, that you do not process orders for any fraudulent transactions.
2. To ensure that genuine orders are handled in such a way that the cardholder will not have any grounds to dispute the transaction.
PayPoint provide a range of tools designed to detect and prevent fraud. These are there to help you reduce the risk of chargebacks against your account. However, it is the merchant that must take the ultimate responsibility for transactions placed with their business. For this reason, a transparent, robust order and fulfilment process, backed up by visible and timely customer services are vital to reducing chargeback risk. As part of the compliancy process undertaken during the issue of a merchant account, we may contact you to advise of necessary and suggested changes to your website, in order to achieve these aims. Ongoing steps which can be taken in order to protect against chargebacks include the following:
AVOIDING FRAUD
• Regularly monitor your transactions and look out for any unusual purchasing patterns or cardholder details.
• If a transaction appears fraudulent, refund the purchase before it can turn into a chargeback.
• Operate sensible fulfilment and do not ship to unconfirmed addresses that differ from billing address.

COMMON SENSE COMMERCE
• Ensure a consumer is clear on the final cost and the content of their order before processing.
• Ensure a consumer is clear on any relevant fulfilment times and aim, where possible, to meet this.
• Where any fulfilment is affected or delayed, communicate clearly to the consumer and offer alternatives.

WEBSITE BEST PRACTICE
• Regularly review your full order process and integration with our payment services.
• Provide visible and accessible contact details for customer services and other relevant departments.
• Provide visible and accessible terms & conditions, return and cancellation policies.

OUTSTANDING CUSTOMER SERVICE
• Monitor all customer service queries and respond promptly, typically within a maximum of 48 hours.
• Aim to resolve any issue directly with the customer – never give them reason to initiate a chargeback.
• Regularly review customer service queries and identify any issues which may require improvement.

Preventing the risk of chargeback should be prioritised in order to operate your business successfully.
What are PayPoint doing to help me?

PayPoint provide one of the most comprehensive and powerful fraud prevention toolkits on the market. Here is a list of the services available, designed to minimise merchants’ exposure to fraud:

• Fraud Guard – scores, highlights and blocks transactions based on a range of fraud metrics
• Pre Authorisation – allowing you to authorise a card without billing, free from risk of chargeback
• Country Blocking – allowing you to prevent or allow consumers from a range of countries
• Full Banking Links – all authorisations are carried out direct with the bank using CV2*** security code checks
• Card Blacklisting – allowing you to block a cardholder that is a chargeback nuisance
• IP Address Blacklisting – allowing you to block specific computer locations from transacting
• BIN* & Luhn** checks – preliminary verification methods that ensure the card details supplied are both genuine and accurate
• Dedicated Account Management – reviewing your transactions and warning of potential dangers
• 3D Secure – optional support for ‘Verified by Visa’ and ‘Mastercard Securecode’ protection

Further details of some of these services are detailed in the following pages. PayPoint are also committed to ongoing negotiation with banking institutions in order to encourage increased support for merchants in the chargeback process, and more consideration from card issuers in closing such disputes.

* BIN – Bank Identification Number, the first six digits of any card number – determines card type and card issuer
** Luhn – named after Hans Peter Luhn (1896-1964), an algorithm to validate the accuracy of a credit card number
*** CV2 – Card Verification Value number, a security code from the reverse of a card which can never be recorded
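An added example (not PayPoint's implementation) of the BIN and Luhn pre-checks described in the footnotes above, run before any authorisation is attempted. The function names, the result fields and the masking step for logs are assumptions of this sketch; the leading-digit ranges are the public Visa and MasterCard ranges, and the card numbers are widely published test numbers.

```python
import re


def normalise_pan(raw):
    """Remove spaces and hyphens; return the digit string, or None if malformed."""
    digits = re.sub(r"[ -]", "", raw)
    return digits if re.fullmatch(r"[0-9]{12,19}", digits) else None


def luhn_valid(digits):
    """Luhn check: from the right, double every second digit and sum mod 10."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9      # same as adding the two digits of the product
        total += value
    return total % 10 == 0


def scheme_from_bin(bin6):
    """Card scheme from the first six digits (only Visa and MasterCard here)."""
    if bin6.startswith("4"):
        return "visa"
    if 51 <= int(bin6[:2]) <= 55 or 222100 <= int(bin6) <= 272099:
        return "mastercard"
    return "unknown"


def mask_pan(digits):
    """First six and last four digits only, so logs never hold the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pre_check(raw):
    """Run the preliminary checks and return a result that is safe to log."""
    digits = normalise_pan(raw)
    if digits is None:
        return {"ok": False, "reason": "malformed", "bin": None,
                "scheme": None, "masked": None}
    result = {"bin": digits[:6], "scheme": scheme_from_bin(digits[:6]),
              "masked": mask_pan(digits)}
    if not luhn_valid(digits):
        return {"ok": False, "reason": "luhn_failed", **result}
    return {"ok": True, "reason": None, **result}


if __name__ == "__main__":
    samples = [
        "4111 1111 1111 1111",   # published Visa test number
        "5555-5555-5555-4444",   # published MasterCard test number
        "4111 1111 1111 1112",   # constructed: last digit mistyped
        "1411111111111111",      # constructed: first two digits transposed
        "4111 1111 1111 111x",   # constructed: non-digit character
    ]
    for sample in samples:
        print(pre_check(sample))
```

A number that passes is only well-formed; whether the account exists and has funds is still decided at authorisation.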
Authentication & Verification PayPoint currently provides various services for authenticating credit and debit cards:
3D Secure (Verified by Visa & MasterCard SecureCode)
Card Verification Value 2 (CVV2)
Address Verification Service (AVS)
3D Secure 3D Secure is the encompassing term used to cover two scheme authentication services provided: Verified by Visa (Visa) SecureCode™ (MasterCard and Maestro) Online e-commerce transactions have historically involved higher risks than standard high-street payments. This is mainly due to the merchant being unable to positively identify both the card and cardholder at the time of the transaction taking place. In the event of the transaction being disputed by the cardholder, the card issuing bank will charge the transaction back to the acquiring bank. If a chargeback is received by the acquiring bank, evidence will be requested in order to defend the dispute that has been raised. Under these circumstances, it is typical for a merchant to be able to prove that the transaction took place, but not that the genuine cardholder was present at the time of payment. If this is the case, the card issuing bank will charge the transaction back to you, resulting in a loss of service, the transaction amount being recalled and a handling fee from the acquiring bank being charged. With the introduction of the card scheme authentication services, you now have the ability to prove that it was the genuine cardholder initiating the transaction. These authentication services help shift the liability back to the card issuer. Within the two schemes, you will find three types of authentication, these are as follows:
Full authentication: This is when the cardholder successfully enters their personal 3D Secure password within the pop-up box provided by the card issuer at the time of the transaction.

Cardholder/issuing bank not enrolled for authentication: In this example, you would be fully prepared for 3D Secured cards; however, either the cardholder is not yet enrolled on the scheme, or the card issuing bank has not yet provided the option to the customer.

Cardholder authentication not available: Authentication services were not available at the time of the transaction being processed. The level of protection for this transaction response varies depending on the card scheme.

Whether you will be provided with a liability shift depends on varying factors such as where the card was issued and the level at which authentication was gained (above). Any liability shift is subject to strict adherence to the 3D Secure protocol. The information overleaf provides a summary.

• Full global cover (Intra and Inter Regional) for fully authenticated and successfully attempted authentication.
• European Region cover for both full and successfully attempted authentication
• Global cover for both full and successfully attempted authentication
• Global cover for full authentication
• Successfully attempted authentication for UK domestic transactions if both the card issuer and the merchant are situated in the UK
In order to use this service, you must have a valid Merchant ID Number (MID), registered on the scheme. This is why it’s always best to request this service at the time of your application being made. With regards to integration, there are currently two methods available depending on the account type selected with us: Hosted Payment Page: All integration will be dealt with by PayPoint once the request has been made and the account has been setup. Freedom Payment Page: A small amount of integration will be required by your website developers within the code of your URL in order to make 3D Secure available on your payment page. Our integration guide for this can be found here.
The benefits of 3D Secure

For the merchants
• Reduced fraudulent transactions, resulting in fewer chargebacks
• May increase profitability as a direct result of reduced costs, fewer disputes
• An increase in cardholder confidence may lead to an increased sales volume
• Minimal impact on existing checkout process
• Can be readily integrated into existing e-commerce systems
• Provides a better payment guarantee for authenticated transactions

For the customer
• Greater protection against unauthorised use of their cards for online purchases
• Increased confidence and trust when shopping online
• Comfortable online shopping – the 3D Secure facility fits neatly into the familiar online buying process
• Easy to use – no special software required for PCs or browsers
• The ability to quickly identify merchants who are 3D Secure participants
Card Verification Value (CV2) A card verification value is a three-digit code printed on the signature panel of bank cards. The CV2 code helps assure both banks and merchants that the cardholder is making a purchase with a genuine card that is linked to a legitimate account. All cards must contain a CV2 code. Studies by Visa have indicated that CV2 is an effective deterrent to fraud in the ‘cardholder not present’ environment and can reduce fraud in some environments by more than 60%.
Address Verification Service (AVS) The Address Verification Service (AVS) helps merchants validate elements of the cardholder’s billing address with the card issuer. It is a significant service that can help you when determining whether a transaction is valid In the countries that it is used, it has proven to be an effective inhibitor to fraud, especially in the ‘card not present‘ environment.
CVV2 Approved: Yes
AVS Approved: Postcode matched, address matched
Used in combination, CV2 and AVS can help merchants reduce fraudulent transactions. The UK is the only European country currently using AVS.
Hosted Cashier
Hosted Cashier is a fully hosted payment solution that offers hassle free, no compromise next generation functionality. Hosted Cashier also eliminates many of the burdens that come with PCI compliance whilst integrating seamlessly with your brand. If you would like to find out more about our Hosted Cashier, please click here.
Cashier API
Our Cashier API solution is a fully flexible payment solution that gives you ultimate control of your payment experience. The platform is completely secure and, best of all, can be made fully PCI compliant using our CardLock plug-in. If you would like to find out more about our Cashier API solution, please click here.
CardLock
CardLock is an easily integrated solution that helps those using an API payment solution reduce their PCI responsibilities by up to 66%. Achieved by a process of tokenisation, merchants can increase their payment conversions by fast card storage, minimise costs associated with PCI and remove the risk of online security breaches and reputational damage. If you would like to find out more about our CardLock solution, please click here.
FraudGuard
Providing merchants with every opportunity to combat fraud is something PayPoint takes seriously. It is for this reason that we created the FraudGuard system. This is a comprehensive fraud prevention tool integrating many facilities into one easy to use system. This service is effective in real time, before a transaction has processed, allowing our merchants full control over their payment processing activity.
FRAUDGUARD 4.0
• Fraud Scoring: Detailed analysis of data to produce a customer profile, risk score and assessment.
• FraudGuard Screening: Instant controls to manage acceptable risk levels and automate declines / reviews
• Territory Management: Ability to build global acceptance business rules interactively on a world map
• Rules Engine: Point-and-click rules engine to profile specific customer groups and set targeted controls
• Blacklist and Whitelist: Ability to block or fast-track transactions from certain cards, IPs, emails and billing addresses
• FraudGuard Reporting: Colourful, visual risk analysis reporting and interactive review queue management
FraudGuard’s proven real-time risk management tools offer best-in-class usability – including controls for scoring, screening, territory management and custom rules.
Key Features
• Point & Click Real Time U.I
• Transaction Scoring
• Territory Management
• Automated Screening
• Automated Quarantine
• Automated Settlement
• Black/White Listing
• Flexible Rules Builder
• Tailored Reports/Queues
• Run Standalone or Inline
Key Metrics
• IP Geo-location
• BIN & Issuer Data
• Card & ID Velocity
• 4D Profile Morphing
• ID Keying Analysis
• Open/Anonymous Proxies
• Operator Data Sharing
• New/Existing Customer
• Chargeback Data
• 3D Secure (where inline)
Introducing FraudGuard 5.0
We have recently worked with an innovative risk and data analytics company to achieve new levels of real-time data processing that performs complex, multi-dimensional analysis to detect potential fraud.
FRAUDGUARD 5.0
• Morphing Anomalies: Analysing the level of morphing in customer data points in order to uncover unusual or suspicious buyer behaviour
• Velocity Variance: Measures velocity by data point across a set of time ranges and shows unusual spikes
• Customer Familiarity: Highlights ‘previously seen’ customer data in both merchant and PayPoint history
• Morphing Detection: Rules to control against the level of morphing and permitted changes to known user profile
• FraudGuard API Data: Providing all data and online analysis, via an API for use in merchants’ systems and processes
The latest iteration of our proven risk management solution runs on big data:
• FraudGuard 4.0 already provided clear real-time measures and controls for velocity. 5.0 can now control morphing – how often a profile changes as it cycles through cards, IPs, addresses etc.
• Like 4.0 before it, FraudGuard 5.0 aims to automate as many processes as possible. However, if you do have to review a payment, FraudGuard proves that speed and clarity of insight are vital.
• Our new velocity curve enhances risk reports with clear visual comparisons on the frequency of each customer identifier against rolling client averages – highlighting unusual spikes or user dormancy.
Features include:
• Use of larger data sources helps to identify merchant-wide and market-wide trends
• Clear anomaly detection to highlight statistically unusual consumer behaviours
• Complex velocity and identity morphing analysis and automated threat detection
• Customer linking to show known data associations, merchant and market-wide
• Comprehensive fraud data output via API, for integration with in-house systems
VISA AND MASTERCARD FRAUD AND RISK PROGRAMS
This section will outline:
• The rules that govern both the MasterCard and Visa fraud and chargeback programs;
• The practicalities of the MasterCard and Visa fraud and chargeback programs;
• The potential fines that can be levied if fraud and chargeback problems are not rectified in a timely manner.
It should be noted that PayPoint does not work directly with MasterCard or Visa in relation to the fraud and chargeback programs. In most cases PayPoint works with its Acquiring partners who then deal with MasterCard and Visa directly. We are providing this information to ensure you have sufficient knowledge to avoid issues and additional costs related to these fraud and chargeback programs. There are five different scheme programs related to fraud and/or chargebacks:
PROGRAM: MasterCard Excessive Chargeback Program
MINIMUM THRESHOLDS:
• CTR* in excess of 1%; and
• at least 100 chargebacks in 1 calendar month.
POTENTIAL FINES:
• $25 per chargeback above the allowable threshold; and
• A large Violation element based upon the Issuer recovery element and basis point score above the accepted thresholds for that month.

PROGRAM: MasterCard Global Merchant Audit Program
MINIMUM THRESHOLDS:
• 3 fraudulent transactions; and
• At least $3,000 in fraudulent transactions; and
• A fraud to sales dollar volume ratio minimum of 3% and not exceeding 4.9%
POTENTIAL FINES:
• $25,000 for not submitting a special merchant audit questionnaire.

PROGRAM: Visa Global Merchant Chargeback Monitoring Program (GMCMP)
MINIMUM THRESHOLDS:
• The number of international chargebacks in a single month is more than 200; and
• the ratio of these chargebacks to the merchant’s international transactions in the same month is more than 2%.
POTENTIAL FINES:
• $100 per chargeback
• $200 per chargeback if the merchant has not implemented procedures to reduce chargebacks (after month 4)

PROGRAM: Visa Global Merchant Fraud Program
MINIMUM THRESHOLDS:
• $25,000 of reported fraud; and
• 25 fraud transactions; and
• 2.5% fraud-to-sales ratio
POTENTIAL FINES:
• 1st: $5,000
• Another $5,000 added for every month on or above the performance thresholds

PROGRAM: Visa Regional Merchant Fraud Program
MINIMUM THRESHOLDS:
• $15,000; and
• 15 fraud transactions; and
• 7.5% fraud to dollar sales ratio
POTENTIAL FINES:
• No financial penalty only chargeback window

* CTR = Chargeback to transaction ratio
Each of the above programs is broken down and further explained in the following section.
MasterCard Excessive Chargeback Program
Chargeback ratios are closely monitored by the schemes. Every month, both PayPoint and their acquiring partners track every merchant’s MasterCard chargeback to transaction ratio (CTR). The chargeback ratio is calculated by MasterCard as the number of MasterCard chargebacks received for a merchant in a calendar month divided by the number of the merchant’s MasterCard sales transactions in the preceding month. Here is an example if we were calculating the CTR for February:
CHARGEBACK MONTH: FEBRUARY
# of February chargebacks: 1000
# of January settled transactions: 50000
February CTR (1000/50,000): 2.00%
MasterCard monitors two types of merchants as set out below:
PROGRAM: Chargeback Monitored Merchant (CMM)
THRESHOLDS:
• CTR in excess of 1%; and
• at least 100 chargebacks in 1 calendar month.
PROGRAM: Excessive Chargeback Merchant (ECM)
THRESHOLDS:
• two consecutive calendar months (the “trigger months”) the merchant has a minimum CTR of 1.5%; and
• at least 100 chargebacks in each month; and
• this designation is maintained until the merchant’s CTR is below 1.5% for two consecutive months
Chargeback Monitored Merchant Reporting Requirements:
Each calendar month, a separate CMM report must be submitted to MasterCard in case the merchant qualified as a CMM for the previous calendar month. The report must be submitted no later than 40 days from the end of the calendar month.
Each CMM report submitted carries a fee levied by MasterCard to the acquirer for $50. The CMM reporting must continue until the merchant is no longer identified as a CMM for two consecutive months.
Excessive Chargeback Merchant Reporting Requirement:
Within 30 days of the end of the second trigger month, and on a monthly basis thereafter, the acquirer must submit a separate ECM report if their CTR is below 150 basis points for two consecutive months.
Each ECM report submitted carries a fee levied by MasterCard to the acquirer for $100. A monthly report must be submitted until the merchant is no longer identified as an ECM for two consecutive months. If the merchant is identified in the CMM report during those months, then the following CMM reporting requirements will apply.
Potential Fines
An Excessive Chargeback Merchant could face other potential MasterCard fines which are calculated taking into consideration two components:
1. An Issuer Recovery element ($25 per chargeback); and
2. A Violation element, calculated after taking into account the Issuer recovery element and the basis point score.
MasterCard has established a tiered structure for merchants identified as ECMs:
1. Tier 1 ECM: This is where a merchant is identified as an ECM for the first month and up to six months. This does not have to be consecutive months.
2. Tier 2 ECM: This is where a merchant continues to be an ECM for seven months through to twelve months.
Additional Tier 2 ECM Requirements
After a merchant has been an ECM for twelve months, whether this is consecutive or nonconsecutive, the acquirer may be deemed to be in violation of MasterCard rule 5.11.7. This may mean the acquirer must undergo a Fraud Management Program (FMP) Level 3 Customer review or an audit by a third party, both at their own expense. In addition to the standard ECM issuer reimbursement and violation assessments, the acquirer may be subject to a noncompliance assessment of up to $50,000 per month for each month after the twelfth month that the merchant remains an ECM.
Due to the cost of potential fines and exposure to the Acquirer if a merchant is identified as an ECM, it is likely that a merchant would face termination after three months if they remain in the Mastercard Excessive Chargeback Programme, either as a CMM or ECM.
MasterCard Global Merchant Audit Program
The Global Merchant Audit Program is based on a tiered structure which is dependent on a number of variables as laid out below. A rolling six months of data is used to identify merchants that in any calendar month meet the criteria as set out.
Note: The fraud figures are related to when the transaction occurred, not when the fraudulent transaction was reported.
A MERCHANT LOCATION IS CLASSIFIED IN THE FOLLOWING GMAP TIER IF IN ANY CALENDAR MONTH, THE MERCHANT LOCATION MEETS THE FOLLOWING FRAUD CRITERIA:
Tier 1 – Information Fraud alert
• 3 fraudulent transactions; and
• At least $3,000 in fraudulent transactions; and
• A fraud to sales dollar volume ratio minimum of 3% and not exceeding 4.99%
Tier 2 – Suggested Training alert
• 4 fraudulent transactions; and
• At least $4,000 in fraudulent transactions; and
• A fraud to sales dollar volume ratio minimum of 5% and not exceeding 7.99%
Tier 3 - High Fraud alert
• 5 fraudulent transactions; and
• At least $5,000 in fraudulent transactions; and
• A fraud to sales dollar volume ratio minimum of 8%.
PayPoint will work together with their merchants to determine whether sufficient fraud rules and processes are in place. Should a merchant fall into tier 3, MasterCard would typically issue an audit of the merchant which means that a questionnaire will need to be completed outlining what steps are being taken to stop the fraud problem. If the response is not deemed sufficient by MasterCard then they will require the merchant to create and implement a fraud control action plan within 90 days of being placed in the Global Merchant Audit Program. MasterCard may revoke the right for the merchant to accept MasterCard payments if the fraud issues are not resolved by the action plan put in place.
Ecommerce is BOOMING but so is online fraud.
Visa Global Merchant Chargeback Monitoring Program
Visa separately monitors international and country-to-country chargebacks. An example of an international transaction would be when a UK based merchant sells goods to a shopper with a Spanish issued credit card. A country-to-country chargeback is when a UK merchant receives a chargeback from a shopper with a UK issued card. Visa measures the chargebacks received in a single month against the number of transactions received in the same month. Here is an example if we were calculating the CTR for March:
CHARGEBACK MONTH: MARCH
# of March chargebacks: 250
# of March settled transactions: 7500
March CTR (250/7500 x 100): 3.33%
A merchant will fall into a Visa Excessive Chargeback Program if:
• The number of chargebacks, which are international or country-to-country, reaches more than 200 in a single month; and
• The CTR is more than 2% in the same month.
Merchants that have been placed in this program will be granted a three-month remediation period to reduce excessive Chargebacks. If placed in a Visa program a merchant will be looking at potential fines of between $100 and $200 per chargeback. This will be at Visa’s discretion. Fines could increase should a merchant stay in the program for excessive time periods. A termination of the merchant agreement is also at risk if the time period exceeds three months.
Important Notes to also consider:
1. For the purposes of administering Merchant compliance under the Global Merchant Chargeback Monitoring Program, if a merchant submits transactions for a single Merchant location using multiple names, Visa Europe may group the Merchant activity performed under the multiple names.
2. If Visa Europe determines that an Acquirer or its Merchant modified the Merchant name or Merchant data in any way to circumvent the Global Merchant Chargeback Monitoring Program, Visa Europe may:
• Initiate fines up to $10,000 per Merchant, per month, to the Acquirer;
• Permanently disqualify the Merchant and its principals from participating in the Visa program.
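A merchant-side monitor for the two chargeback ratio calculations described in this section (the MasterCard CMM/ECM designations and the Visa Global Merchant Chargeback Monitoring Program), given here as an added example that is not PayPoint's or the schemes' own code. The function names, the monthly input layout and the sample history (apart from the January/February and March figures taken from the worked examples) are assumptions, and ending the ECM designation in the second month below 1.5% is one reading of the rule.

```python
from dataclasses import dataclass

# Thresholds as stated in this guide.
CMM_CTR = 0.01              # CMM: CTR "in excess of 1%"
ECM_CTR = 0.015             # ECM: "minimum CTR of 1.5%"
MC_MIN_CHARGEBACKS = 100    # MasterCard: "at least 100 chargebacks"
VISA_CTR = 0.02             # Visa: CTR "more than 2%"
VISA_MIN_CHARGEBACKS = 200  # Visa: "more than 200" chargebacks in the month


@dataclass
class MonthStatus:
    month: str
    ctr: float
    cmm: bool
    ecm: bool


def ratio(chargebacks, transactions):
    """Chargeback to transaction ratio; refuses an empty denominator."""
    if transactions <= 0:
        raise ValueError("no transactions in the denominator month")
    return chargebacks / transactions


def mastercard_status(history):
    """Classify each month from a chronological list of
    (month, sales_transactions, chargebacks) tuples.

    MasterCard divides a month's chargebacks by the PRECEDING month's sales
    transactions, so the first entry only supplies a denominator.
    """
    statuses = []
    ecm = False
    trigger_run = 0  # consecutive months meeting the ECM trigger
    below_run = 0    # consecutive months under 1.5% while designated ECM
    for (_, prev_sales, _), (month, _, cbs) in zip(history, history[1:]):
        ctr = ratio(cbs, prev_sales)
        enough = cbs >= MC_MIN_CHARGEBACKS
        cmm = enough and ctr > CMM_CTR
        trigger_run = trigger_run + 1 if (enough and ctr >= ECM_CTR) else 0
        if ecm:
            below_run = below_run + 1 if ctr < ECM_CTR else 0
            if below_run >= 2:  # assumption: designation ends in this month
                ecm = False
        elif trigger_run >= 2:
            ecm, below_run = True, 0
        statuses.append(MonthStatus(month, ctr, cmm, ecm))
    return statuses


def visa_gmcmp_breach(chargebacks, same_month_transactions):
    """Visa compares chargebacks with transactions from the SAME month."""
    ctr = ratio(chargebacks, same_month_transactions)
    return chargebacks > VISA_MIN_CHARGEBACKS and ctr > VISA_CTR


# Constructed sample history; January/February reproduce the guide's example
# (1000 February chargebacks against 50,000 January settled transactions).
SAMPLE_HISTORY = [
    ("2015-01", 50000, 400),
    ("2015-02", 52000, 1000),
    ("2015-03", 48000, 900),
    ("2015-04", 50000, 600),
    ("2015-05", 51000, 450),
    ("2015-06", 50000, 90),
]

if __name__ == "__main__":
    for s in mastercard_status(SAMPLE_HISTORY):
        print(f"{s.month}  CTR {s.ctr:.2%}  CMM={s.cmm}  ECM={s.ecm}")
    # The guide's March example: 250 chargebacks on 7500 transactions.
    print("Visa March example breach:", visa_gmcmp_breach(250, 7500))
```

Running the monitor each month against settled-transaction and chargeback counts shows how close a merchant is to a threshold before the acquirer's own report arrives.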
Visa Global Merchant Fraud Performance Program
This program applies if the card is issued in another region to where the merchant is located. An example of this would be if a merchant was based in Europe and the card was issued in Africa. There are two categories in this program:
PROGRAM: Minimum Fraud Performance
THRESHOLDS:
• $25,000 of reported fraud; and
• 25 fraud transactions; and
• 2.5% fraud to sales ratio
PROGRAM: Excessive Fraud Performance
THRESHOLDS:
• $250,000 of reported fraud; and
• 2.5% fraud to sales ratio
For those merchants who fall into the minimum fraud performance thresholds remediation consists of:
1. Workout period: There is a three month workout period to remedy the fraud problem. PayPoint will work with the merchant during this time. No financial penalties will be imposed at this time.
2. Enforcement Period: If the merchant does not reduce fraud to below the accepted thresholds, they can become liable for chargeback liability and fines following the workout period. Continued noncompliance can lead to the revoking of the merchant’s right to accept Visa payments.
For those merchants who fall into the excessive fraud performance thresholds remediation consists of:
An enforcement period only as there is no workout period. The merchant will be subject to chargeback liability for fraudulent transactions. In the beginning of month three, fines are applied in addition to chargeback liability. Continued noncompliance can lead to the revocation of the right to accept Visa payments.
Visa Regional Merchant Fraud Performance Program
The Visa Regional Merchant Fraud Performance applies to transactions where the Card was issued in the same region as the merchant is located, i.e. European Issued card with a European located merchant. The Program parameters are set out below:
PROGRAM: Workout Parameters
THRESHOLDS:
• $15,000.00
• 15 fraud transactions; and
• 7.5% fraud to sales ratio
PROGRAM: High Risk Parameters
THRESHOLDS:
• $40,000.00
• 20 fraud transactions; and
• 20% fraud to sales ratio
For those merchants who fall into the regional fraud performance thresholds remediation consists of:
1. Workout period: There is a three month workout period to remedy the fraud problem. PayPoint will work with the merchant during this time. No financial penalties will be imposed at this time.
2. High Risk Period: If the merchant does not reduce fraud to below the accepted thresholds, they can become liable for chargeback liability and fines following the workout period. Continued noncompliance can lead to the revoking of the merchant’s right to accept Visa payments.
EXCESSIVE AUTHORISATIONS
Visa Excessive Authorisations
Each month Visa Europe monitors authorisation levels to identify any merchants that are generating excessive levels of authorisation requests through the Visa Europe system. This program is defined in the Visa Europe Operating Regulations Volume 1, section 4.9.B.11.
The monthly program thresholds apply to all Visa Europe acquired merchants and are defined as:
• Minimum authorisation request volume: 20,000; and
• Authorisation request volume is greater than 8 times the approval volume
The following example has been put together to illustrate how the program will identify merchants who are in breach of the program thresholds.
Last month, Merchant ABC submitted 100,000 authorisation requests via its acquirer to Visa Europe. Of the 100,000 authorisation requests, only 10,000 were approved. Using the threshold above, this merchant has qualified for the first part of the threshold (i.e. 100,000 authorisation requests exceeds the threshold of 20,000). The second part of the threshold also requires that the merchant’s total authorisation request volume (100,000) is more than 8 times the approval volume (8 x 10,000 = 80,000). Since 100,000 exceeds 80,000, the second part of the threshold is also satisfied.
Should a merchant breach these thresholds, after an initial warning letter, there are some steep fines applied.
Full details of the Visa fines can be found in Appendix C.
MasterCard Customer Performance Enhancement Program (CPEP)
MasterCard also have standards in place to prevent excessive authorisations on a card. MasterCard has become aware of instances in which merchants, upon receiving a decline response to a card-not-present transaction authorisation request, repeatedly resubmit the request until an approval is received. This practice is considered abusive and not operating within the spirit of the authorisation process. Effective 1 October 2013, MasterCard modified the rules applicable to U.K. domestic MasterCard®, Debit MasterCard®, and Maestro® transactions to specify that a merchant is allowed four card-not-present declined authorisation requests on the same PAN in any calendar day. The fifth attempt and any subsequent attempts in the same calendar day will qualify the merchant as noncompliant. All authorisation attempts on the PAN, regardless of amount, will count toward the maximum.
Multiple declined authorisation levels will be managed by the CPEP, which will identify, monitor, and report on declined authorisation levels on a regular basis and contact those acquirers that have unacceptably high rates.
• A €2,500 charge will be applied per noncompliant merchant per acquirer entity.
• A follow up review will be conducted three months after the initial date to determine the effectiveness of the rule and identify those merchants who continue to be noncompliant. Details will be confirmed before the effective date.
• The most severe sanction would be to consider denying noncompliant merchants access to the MasterCard global network.
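A check a merchant could run over its own authorisation log to spot both conditions described in this section, the Visa monthly volume threshold and the MasterCard limit on declined card-not-present requests per PAN per calendar day. This is an added example, not PayPoint's or the schemes' code: the record layout, the `pan_token` field (a tokenised stand-in for the PAN), the function names and the sample records are assumptions, and timestamps are assumed to be already in the timezone used for the calendar day.

```python
from collections import defaultdict
from datetime import datetime

VISA_MIN_REQUESTS = 20_000  # minimum monthly authorisation request volume
VISA_RATIO = 8              # requests must exceed 8 x the approval volume
MC_MAX_DECLINES = 4         # declined CNP requests allowed per PAN per day


def visa_excessive_authorisations(requests, approvals):
    """True when a month's volumes meet both parts of the Visa threshold."""
    return requests >= VISA_MIN_REQUESTS and requests > VISA_RATIO * approvals


def cpep_noncompliant_attempts(records):
    """Return the card-not-present attempts made after a PAN has already had
    four declines in the same calendar day (the fifth and later attempts).

    Each record is a dict with keys ts (ISO 8601), pan_token, cnp, approved
    and amount. Amount is deliberately ignored: every attempt on the PAN
    counts toward the maximum, whatever its value.
    """
    parsed = sorted(
        ((datetime.fromisoformat(r["ts"]), r) for r in records),
        key=lambda pair: pair[0],
    )
    declines = defaultdict(int)  # (pan_token, calendar day) -> declines so far
    flagged = []
    for when, rec in parsed:
        if not rec["cnp"]:
            continue  # the rule covers card-not-present requests only
        key = (rec["pan_token"], when.date())
        if declines[key] >= MC_MAX_DECLINES:
            flagged.append(rec)
        if not rec["approved"]:
            declines[key] += 1
    return flagged


def _rec(ts, token, approved, cnp=True, amount=10.0):
    return {"ts": ts, "pan_token": token, "cnp": cnp,
            "approved": approved, "amount": amount}


# Constructed sample log. tok_A is retried with falling amounts after declines.
SAMPLE_RECORDS = [
    _rec("2015-03-02T09:00:00", "tok_A", False, amount=49.99),
    _rec("2015-03-02T09:01:00", "tok_A", False, amount=39.99),
    _rec("2015-03-02T09:02:00", "tok_A", False, amount=29.99),
    _rec("2015-03-02T09:03:00", "tok_A", False, amount=19.99),
    _rec("2015-03-02T09:04:00", "tok_A", False, amount=9.99),  # fifth attempt
    _rec("2015-03-02T09:05:00", "tok_A", True, amount=1.00),   # sixth attempt
    _rec("2015-03-03T08:00:00", "tok_A", False),  # new day, count restarts
    _rec("2015-03-02T10:00:00", "tok_B", False),
    _rec("2015-03-02T10:01:00", "tok_B", False),
    _rec("2015-03-02T10:02:00", "tok_B", False),
    _rec("2015-03-02T10:03:00", "tok_B", True),   # approved within the limit
] + [
    # Card-present declines are outside the rule and must not be flagged.
    _rec(f"2015-03-02T11:0{i}:00", "tok_C", False, cnp=False) for i in range(6)
]

if __name__ == "__main__":
    for rec in cpep_noncompliant_attempts(SAMPLE_RECORDS):
        print("noncompliant attempt:", rec["ts"], rec["pan_token"])
    # Merchant ABC from the guide: 100,000 requests, 10,000 approved.
    print("Visa threshold met:", visa_excessive_authorisations(100_000, 10_000))
```

The same per-day decline counter can sit in front of the payment call so that a fifth request on a declined card is never sent.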
GLOSSARY & APPENDIX
Glossary of Key Terms
Card
A payment card, device or any other electronic or virtual product or account, which is capable of completing a payment transaction and is issued by a Member or a Customer for use in connection with the Visa Enterprise and bears a Licensed Mark.
Cardholder
The consumer who purchases goods or services from you.
Continuous Payment Authority
The ability for merchants to repeat bill on customers’ cards.
Card issuer
The bank with whom the cardholder has his account, i.e. Barclaycard, MBNA etc.
Card-Absent Environment
An environment where a transaction is completed under both of the following conditions:
• Cardholder is not present; and
• Card is not present.
The Acquiring Bank
The bank that transacts the process and collects funds on our behalf.
Merchant
You as the business with whom the cardholder is transacting.
Card scheme
A card brand that sets the rules for chargeback procedures, i.e. Visa, Mastercard etc.
Disputed transaction
This is the original transaction that the cardholder has now queried.
Chargeback
A transaction where funds are withdrawn from your account and repaid to the consumer.
RFI (Request for Information)
This is an email which outlines the transaction detail and the reason for the dispute. It is a request for information that may help defend the dispute and prevent a chargeback and your associated loss of funds.
3-D Secure
The Authentication Method that is the global authentication standard for Electronic Commerce Transactions.
Card Verification Value (CVV)
A unique check value that is calculated from the data encoded on the Magnetic Stripe using a secure cryptographic process and is used to validate Card information during the process of obtaining Authorization.
Card Verification Value 2 (CVV2)
A unique check value printed on the back of a Card, which is generated using a secure cryptographic process.
Transaction
The act between a Cardholder and a Merchant or an Acquirer that results in a Transaction Receipt.
Recurring Transaction
Multiple Transactions processed pursuant to a Recurring Transaction Agreement.
Appendix A
VISA
REASON CODE  DESCRIPTION
30  Services/Merchandise Not Received
41  Cancelled Recurring Transaction
53  Not as Described or Defective
57  Fraudulent Multiple Drafts
60  Copy Illegible
62  Counterfeit Transaction
70  No Verification/Exception File
71  Declined Authorisation
72  No Authorisation
73  Expired Card
74  Late Presentment
75  Cardholder Does Not Recognise
76  Incorrect Transaction Code or Incorrect Currency Code or Domestic
77  Non Matching Account Number
78  Service Code Violation
80  Processing Error: Incorrect Amount or Account
81  Fraudulent Transaction - Card Present Environment
82  Duplicate Processing
83  Fraudulent Transaction - Card Absent Environment
85  Credit Not Processed
86  Altered Amount/ Paid by Other Means
90  Non-Receipt of Cash or Merchandise
93  Merchant Fraud Performance Program
96  Transaction Exceeds Limited Amount Terminal
MASTERCARD
REASON CODE  DESCRIPTION
4801  Requested Data Transaction Not Received
4802  Requested/Required information Illegible or Missing
4807  Warning Bulletin File
4808  Requested/Required Authorisation Not Obtained
4812  Account Number Not on File
4831  Transaction Amount Differs
4834  Duplicate Processing
4835  Card Not Valid or Expired
4837  No Cardholder Authorisation
4840  Fraudulent Processing of Transactions
4841  Cancelled Recurring Transaction
4842  Late Presentment
4846  Correct Transaction Currency Code Not Provided
4847  Requested/Required Authorisation Not Obtained and Fraudulent Transaction
4849  Questionable Merchant Activity
4850  Credit Posted as a Purchase
4853  Cardholder Dispute - Defective/Not as Described
4854  Cardholder Dispute - Not Elsewhere Classified (U.S. Region Only)
4855  Non-receipt of Merchandise
4857  Card-Activated Telephone Transaction
4859  Services Not Rendered
4860  Credit Not Processed
4862  Counterfeit Transaction Magnetic Stripe POS Fraud
4863  Cardholder Does Not Recognise-Potential Fraud
Appendix B
APPLICABLE CHARGEBACK REASON CODES: 30, 53, 81, 83
PERMITTED COMPELLING EVIDENCE: Documentation to prove a link between the person receiving the merchandise and the Cardholder or to prove that the Cardholder disputing the Transaction is in possession of the merchandise.

APPLICABLE CHARGEBACK REASON CODES: 30, 81, 83
PERMITTED COMPELLING EVIDENCE: For a Transaction in a Card-Absent Environment in which the merchandise is collected from the merchant’s location, any of the following:
• Cardholder signature on the pick-up form.
• Copy of identification presented by the Cardholder.
• Details of identification presented by the Cardholder

APPLICABLE CHARGEBACK REASON CODES: 30, 81, 83
PERMITTED COMPELLING EVIDENCE: For a Transaction in a Card-Absent Environment in which the merchandise is delivered to a cardholder, documentation (evidence of delivery and time delivered) that the item was delivered to the same physical address for which the merchant received an Address Verification Service (AVS) match of “Y” or “M” (if applicable). A signature is not required as evidence of delivery.

APPLICABLE CHARGEBACK REASON CODES: 30, 81, 83
PERMITTED COMPELLING EVIDENCE: For an Electronic Commerce Transaction representing the sale of digital goods downloaded from a website, one or more of the following:
• Purchaser’s IP address.
• Purchaser’s e-mail address.
• Description of the goods downloaded.
• Date and time goods were downloaded.
• Proof that the Merchant’s Website was accessed for services after the Transaction Date

APPLICABLE CHARGEBACK REASON CODES: 30, 81, 83
PERMITTED COMPELLING EVIDENCE: For a Transaction in which merchandise was delivered to a business address, documentation to show that the merchandise was delivered and that, at the time of delivery, the Cardholder was working for the company at that business address. A signature is not required as evidence of delivery.

APPLICABLE CHARGEBACK REASON CODES: 30, 81, 83
PERMITTED COMPELLING EVIDENCE: For a Mail/Phone Order Transaction, a signed order form

APPLICABLE CHARGEBACK REASON CODES: 30, 81, 83
PERMITTED COMPELLING EVIDENCE: For a Transaction at a passenger transport merchant, any of the following:
• Proof that the ticket was received at the Cardholder’s billing address.
• Documentation to show that the ticket or boarding pass was scanned at the gate.
• Details of frequent flyer miles claimed, including address and telephone number that establish a link to the Cardholder.
• Documentation of the following additional Transactions related to the original Transaction: purchase of seat upgrades, payments for extra baggage, or purchases made on board the passenger transport.

APPLICABLE CHARGEBACK REASON CODES: 81, 83
PERMITTED COMPELLING EVIDENCE: For a Transaction in a Card-Absent Environment, documentation to show that the Transaction uses an IP address, e-mail address or address and telephone number, that have been used in a previous, undisputed Transaction.

APPLICABLE CHARGEBACK REASON CODES: 81, 83
PERMITTED COMPELLING EVIDENCE: Evidence that the Transaction was completed by a member of the Cardholder’s household or family.
Appendix C
VISA GLOBAL MERCHANT PERFORMANCE PROGRAMME
• First violation of rule: Warning letter with specific date for correction and US $500 fine
• Second violation of same rule in a 12-month period after date of correction specified in the notification of first violation: US $5000 fine
• Third violation of same rule in a 12-month period after date of correction specified in the notification of first violation: US $10000 fine
• Fourth violation of same rule in a 12-month period after date of correction specified in the notification of first violation: US $25000 fine
• Five or more violations of same rule in a 12-month period after date of correction specified in the notification of first violation: At Visa Europe’s discretion
• If the 12-month period is not violation-free and the fines total US $25000 or more: Additional fine equal to all fines levied during that 12-month period
Summary
PayPoint will always work with its merchants to decrease their fraud and chargeback levels; however, it is important that merchants have their own monitoring processes to ensure they are on top of fraud and chargeback levels. The fraud settings and business practices should be adapted accordingly to ensure levels are kept to a minimum, and PayPoint are happy to assist in any rule settings, advice or guidance in regards to any topic covered in this guide. For further information on anything you have read in this guide please contact risk@paypoint.com or completesupport@paypoint.com