VISA FRAUD DISPUTE RULES CHANGES IMPACT CARD NOT PRESENT

April 5, 2017—This alert contains critical information regarding new and revised Visa card acceptance rules effective now and coming in the future for merchants. Business to business companies may be at higher risk of associated chargeback losses or declines due to the average size of order. Effective April 22, 2017, Revisions have been made to split the “Other Fraud” Dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes.

Christine’s Analysis: Merchants need to support both EMV chip for Card-Present and Verified by Visa for card not present. Verified by Visa is their brand for 3-D Secure, a global security protocol for cardholder authentication across all card brands. For example, a  cardholder might be asked to enter a PIN number or answer some other type of authentication question. Cardholder authentication for Card-Absent Transactions shifts liability for “it wasn’t me” disputes to the issuer. The card-absent cardholder authentication process requires cardholders self-initiate payments, eliminating collecting card numbers via phone or paper credit card authorization forms. Merchants are rewarded for using cardholder authentication with reduced interchange rates and increased approvals.

Christine’s TIP: Per Visa rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Replace paper forms with digital, PCI Compliant forms and online payment solutions with cardholder authentication ASAP.

Online payment solutions include a hosted pay page like the one shown below.

hosted paypage online payments

A hosted pay page empowers customers to make secure payments online using a 3rd party provider (Payment Gateway also known as a Payment Facilitator.)

Other solutions include pushing out payment requests, such as via a text or email. electronic invoice presentment and payment eippWith new and revised rules impacting the entire payment ecosystem including issuer, acquirer, gateway, merchant, and potentially other software like ERP’s and ecommerce shopping carts, merchants should verify all parts their payment ecosystem supports them. Desktop terminals are not capable of supporting all the rules for card absent needs; a cloud-based payment gateway is required whether non-integrated, or integrated ecommerce shopping cart, ERP or other software.

Does your online payment solution support Verified by Visa, or do you need a solution? Contact Christine Speedy at 954-942-0483 for a fast and easy solution, compatible with your existing credit card processor.

What is Auth Code 14, declined?

A credit card processing response of Auth Code 14, is a decline for Processor Declined, Fraud Suspected. Why does this happens for recurring billing, including unscheduled recurring billing using a stored credential, also known as a token on file? The method used to store the first transaction, and process subsequent transactions can impact authorization approvals.

For example, a merchant has successfully processed unscheduled transactions using a token on file since 2016. However, in 2017, declined for Auth Code 14 appeared.

auth code decline 14

Why would a previously stored and working card decline now? Look at the AVS,  ZIP, and CVV response above. Compare to the example below.

token billing

For the second receipt, AVS match Y= address and 5 digit zip match, Zip match Y=Address and 5 digit zip match, CVV = match X, cannot verify CVV. Because CVV was verified a match on the initial zero dollar authorization it’s not required to be presented on subsequent transactions.

The first example is returning that information does not match, thus the reason for suspected fraud. Without looking at the very first authorization when token was created, several possibilities exist, including  cardholder issued a new chip card with same number but other changes occurred in the interim; cardholder address changed or was never validated.

Merchants are at risk of issuer initiated chargeback if authorization rules are not followed. Refer to  Visa Product and Service Rules, Table 5-21: Requirements for Prepayments and Transactions Using Stored Credentials for more information. With recent rules changes, and more coming October 2017, merchants need a cloud based solution that can automate compliance. Not all of them have that intelligence. For example, some cloud based payment gateways enable merchants to perform prohibited transaction requests that put the authorization at risk of chargeback for non-compliance.

Due to many recent and upcoming changes for card absent and recurring billing with stored credentials, merchants are advised to review processes to include empowering customers to self-manage adding cards on file, and using cardholder authentication. Visa requires Verified by Visa for cardholder authentication in a card not present environment; without it, expect increasing declines.

Disclaimer: The rules of card acceptance are very complex and change typically twice a year, sometimes with interim bulletins regarding more changes. Merchants should read the manual for complete details regarding card acceptance for your business type.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions, including cardholder authentication, to maximize merchant profits and mitigate risk across multiple sales channels. Contact Christine at 954-942-0483. 

4 Credit Card Processing Tips for Consultants & Accountants

profits Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

  1. EMV liability shift October 2015, shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
  2. EMV terminal selection. Retail Distributors fall into two categories: Those who use countertop terminals, and those who use anything else, including mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which makes up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk.  The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins. 
  3. PCI Compliance. Internal and external data breaches are a serious growing problem (Lowes and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
  4. Quickbooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.

CHRISTINE’S RECOMMENDATIONS FOR CLIENT ADVICE TO DISTRIBUTORS:

  • Implement EMV ASAP to avoid penalties and fraud losses.
  • Only implement an EMV solution certified for level 3 processing to maximize profit margins.
  • Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach- Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
  • Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.

Debit Fraud Surges in 2015 – Cost of Fraud Study for Merchants

2015 LexisNexis® Risk Solutions True Cost of Fraud Study: Merchants Contend with Increasing Fraud Losses as Remote Channels Prove Especially Challenging

September, 2015 report examines the cost of retail, mcommerce, ecommerce fraud, and offers recommendations for risk mitigation across all sales channels. Good report for merchants and those studying trends.

Key fraud trends for merchants:

  • They lost an average of 1.32% of revenue to fraud and fraud related costs, an increase of 94% over 2014
  • In-person fraud is trending up, with increased number of fraudulent transactions, at the same time more transactions were prevented
  • While merchants prevented more MOTO and online fraud, they found it 7x harder to prevent compared to retail
  • Buy online, pick up in-store, contributed heavily to shrink
  • Mcommerce and international merchants consistently take greatest hit from fraud
  • The average value of successful fraudulent transactions is about the same, while unsuccessful value increased
  • Debit card fraud nearly doubled to 30%
  • Alternative payment fraud (Paypal, Google Checkout, Bill me Later) grew about 70%

Click here to get the full 2015 fraud report from Lexis Nexis.