Posts Tagged ‘credit card fraud’

If I have a faxed approval form why do I lose chargebacks?

Wednesday, May 25th, 2011

Do you take orders over the phone? How can you defend against chargebacks? You’re not going to like the answer I outline below because the burden on merchants is nearly insurmountable.

RULE NUMBER ONE. You must have a MOTO* merchant account. If you run a card-absent transaction on a RETAIL account, you will automatically lose because you won’t be presenting the transaction according to the rules of the merchant account, which require an in-person signature or PIN entry AND a card swipe or manual imprint. * MOTO is an abbreviation for mail order / telephone order; faxed orders fall under this rule as well.

RULE NUMBER TWO: If the payment was made via a web page or ecommerce shopping site, the merchant must have an ECOMMERCE merchant account.

What if you accept credit cards via the internet and MOTO? Ecommerce presentment rules generally include MOTO requirements, but MOTO presentment rules do not include all Ecommerce presentment requirements. You should read the rules carefully as they apply to your particular situation and NOT rely on this article.

Below are excerpts of the relevant rule from Visa and the condition I most often see cited on merchant chargeback forms. (Other cards have similar language.) Please note the Visa International Operations Guidelines book is over 1100 pages, so to keep this brief, this is a very narrow look, with text beginning from page 836. Excerpts may be taken out of context to provide insights and should not be relied upon.

Reason Code 83 Fraud—Card-Absent Environment
Overview: Time Limit: 120 calendar days
Cardholder did not authorize or participate in a Card-Absent Transaction or Transaction was processed with a Fictitious Account Number or no valid Card was outstanding bearing the Account Number on the Transaction Receipt.

Chargeback Conditions – Reason Code 83
1. Cardholder did not authorize or participate in a Card-Absent Environment Transaction.

Representment Processing Requirements – Reason Code 83
b. Evidence of Imprint and signature or PIN  (Yes, it really says this under card not present!)
d. For Chargeback Condition 1, compelling evidence that the Cardholder participated in the Transaction, excluding U.S. Domestic Transactions.

Further,

8. Mail/Phone Order or Electronic Commerce Transactions, if both: This provision applies to U.S. Domestic Transactions (This only applies in the U.S. Region.)
a. Merchandise was shipped or delivered, or services were purchased (This only applies in the U.S. Region.)
b. Issuer was not a participant in the Address Verification Service on the Transaction Date and Acquirer received an Address Verification Service response code “U” (This only applies in the U.S. Region.)

Additional Information – Reason Code 83
1. “Signature on file” notation is not an acceptable signature.
2. Pencil rubbing of the Card or a photocopy of the Card is not considered proof of a valid Imprint.

CARD ABSENT CHARGEBACK PREVENTION TIPS:

  • When a merchant account is opened, merchants are issued a metal plate with their required merchant account identifying information to use with imprinting forms. Don’t toss it into a drawer. Buy an imprinter (about $25 from most office supply stores) and some voucher forms, put your plate in and keep it secured but handy in case you need it. If you don’t know where your plate is, call your processor and ask for a new one. To mitigate risk, run the form through your imprinter, fill in all the information and then send the form to your customer. They must a) rub a pen across it to simulate the imprint mechanism running across it, and b) sign the form. This creates additional burdens for the merchant for PCI Compliance, since the imprint would have to be stored for 180 days, the current allowable chargeback time. But think of the burden-of-proof trail you’ll be able to produce: the form is sent to the customer address, the card must pass AVS verification (address on card matches address mailed to), and you have a signature.
  • To save time, merchants frequently only partially fill in the form, but this is not sufficient. All fields must be completed and the customer must sign.
  • Ship merchandise with signature required, only to addressee.
  • Shipping address and billing address must match. (You will lose automatically if they don’t, unless you have a special supporting document signed by the customer stating their desire to have the order shipped to a 3rd party address.)

Editor’s note: This article primarily addresses card absent, not ecommerce. A merchant solution to help mitigate risk is CenPOS. Here are a few ways you can use CenPOS tools:

  • Restrict user permissions for transactions.
  • Set additional requirements to pass a transaction over merchant defined thresholds.
  • Set up email alerts for notification of transactions over thresholds.
  • Restrict types of cards accepted and rules for acceptance.

Is a pencil rubbing of the credit card or a photocopy of the credit card OK to defend against chargebacks? Yes, but only if the merchant has an imprint of the card on a credit card voucher form that is fully completed and signed by the customer.

Is a faxed approval form for the charge amount OK to defend against chargebacks? No. The merchant must have an imprint of the card on a credit card voucher form that is fully completed and signed by the customer.

 

Security is everyone’s business: retail credit card processing

Tuesday, April 19th, 2011

A brief security note for customers using one of our retail solutions.

Do not store passwords and login information on your desk or in any unlocked area.

What if the machine does not recognize the magnetic strip? If the machine says “re-swipe”, then:

  • Check to make sure the terminal is swiping properly (test any card by swiping without charging).
  • Try swiping at a different rate of speed.
  • Check for valid card security features (hologram, imprinted security code, etc.).
  • If the card appears to be OK, and you have permission to key enter, enter the transaction information and then have the customer sign the printed receipt as usual.
  • Verify the signature and card data on the receipt match the actual card.

Note: if the 4 digits do not match, it is ALWAYS a fraudulent card.

If suspicious, hold onto the card, call your Voice Auth phone number and say, “I have a code 10 authorization request.” Cash rewards up to $1000 are available to merchants and employees for recovered cards, including $100 from Visa for a last 4 digit mismatch, if this procedure is followed.

Do not store card data outside the system for any reason. Use the Repeat Sale button if you need to securely store card data to re-bill at a later date. The encrypted card data is stored on PCI Compliant servers, never at the merchant location, and you can charge the account again with the token that will be issued.

How can a merchant block cloned credit cards?

Wednesday, February 23rd, 2011

What can a merchant do to prevent losses resulting from the booming black market of identity theft rings buying and selling personal credit card information? The retail card present and ecommerce or MOTO transactions require different preventative measures to block cloned cards.

In the retail environment, the top method is for the cashier to re-enter the last 4 digits. This is a check to make sure the magnetic strip data matches the imprint on the front of the card. Scammers don’t make thousands of unique cards each with matching customer data. They typically are programming the magnetic strip data only.

A skilled con artist may try to get a cashier to key enter the transaction with some story about a problem with the mag strip, before the cashier even swipes the card. Don’t be fooled. Cashiers should never take the customer’s word for it. They should always swipe first. If the strip is bad, the machine will prompt to re-swipe. This is a critical decision point! If the strip really is bad, what preventative measures do you have in place to protect your company?

  • This is a key entered face to face transaction. The signed receipt must be presented to prevent a future chargeback. Can you find them when you need them?
  • Do you allow all cashiers to key enter any transactions? How would you know if someone key entered a $5000 transaction? Are you comfortable with that?

In the card not present environment, the top method is to verify the CVV, also known as the security code. Cloned cards do not have matching security codes because that is not data they can obtain. Address verification may be required to prevent chargebacks. MOTO and ecommerce requirements do have some variances.

Do you want an alert if a transaction over a certain dollar amount, say $500, is key entered? Do you want to check for address, but only require it for transactions over a certain amount? With our universal hosted payment processing solution, there are hundreds of ways for merchants to manage risk parameters, including setting automated alerts.

A critical difference in our system for retailers is LOGICAL INTELLIGENCE. If the cashier has been given privileges to key enter transactions, then the system will automatically switch from prompting for the last 4 digits to prompting for the zip code. The merchant can control the maximum amount the cashier is allowed to key enter, and whether they want email alerts sent to management. If signature capture terminals are in place, the customer is prompted for the signature, which can be readily retrieved in the event of a chargeback dispute. (Note: all these parameters are controlled by the merchant. For example, if you don’t want to prompt for the last 4 digits, you don’t have to.)
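The retail checks described in this post (last-4 comparison on a swipe, a zip prompt plus an amount cap and a management alert on key entry) can be sketched as follows. This is an added example, not CenPOS code: the class, field and function names, the $250 cap and the sample card number are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class CashierPolicy:
    """Merchant-controlled settings (hypothetical names, not CenPOS's)."""
    may_key_enter: bool = False
    key_enter_limit: Decimal = Decimal("0")
    alert_over: Decimal = Decimal("500")   # the "$500" alert example above

@dataclass
class Decision:
    send_for_auth: bool
    prompt: str                      # what the terminal asks the cashier for
    reasons: list = field(default_factory=list)
    alert_management: bool = False

def pre_auth_check(policy, amount, entry_mode, stripe_pan=None, last4=None):
    """Run the retail checks before the transaction goes out for authorization."""
    amount = Decimal(str(amount))
    if entry_mode == "swiped":
        d = Decision(True, prompt="last4")
        # The cashier types the last 4 digits printed on the card face;
        # a re-encoded stripe usually carries a different account number.
        if not last4 or not stripe_pan or stripe_pan[-4:] != last4:
            d.send_for_auth = False
            d.alert_management = True
            d.reasons.append("last-4 mismatch: hold card, call Voice Auth (Code 10)")
        return d
    if entry_mode == "keyed":
        d = Decision(True, prompt="zip")  # key entry switches the prompt to zip
        if not policy.may_key_enter:
            d.send_for_auth = False
            d.reasons.append("cashier is not permitted to key enter")
        elif amount > policy.key_enter_limit:
            d.send_for_auth = False
            d.reasons.append("amount exceeds cashier key-entry limit")
        if amount > policy.alert_over:
            d.alert_management = True     # notify management either way
        return d
    raise ValueError(f"unknown entry mode: {entry_mode!r}")

# Constructed sample data: a well-known test card number, not a real account.
STRIPE_PAN = "4111111111111111"
cashier = CashierPolicy(may_key_enter=True, key_enter_limit=Decimal("250"))

if __name__ == "__main__":
    for args in [("20.00", "swiped", STRIPE_PAN, "1111"),
                 ("20.00", "swiped", STRIPE_PAN, "4242"),
                 ("5000", "keyed"), ("100", "keyed")]:
        print(args[:2], pre_auth_check(cashier, *args))
```
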

Want to find out more? Read the CenPOS overview and request information.

Visa new web site for credit card security fraud protection

Tuesday, November 23rd, 2010

Visa Marks National Cyber Security Awareness Month with Launch of New Website to Help Consumers Fight Payment Card Fraud

San Francisco, October 4, 2010

Visa Inc. (NYSE: V) marks National Cyber Security Awareness Month with the launch of a new website to help cardholders and small businesses protect payment card account information, avoid payment card scams and resolve unauthorized use of their cards.

Visa is providing cardholders tips with practical know-how for protecting account information, avoiding payment card scams, and resolving unauthorized card use. Visa’s new website, at www.visasecuritysense.com, is available in English and Spanish. Visa also joins the National Cyber Security Alliance’s “Stop. Think. Connect.” campaign to educate consumers about protecting themselves and their personal information online.

“While cardholders using Visa debit and credit cards are protected by Visa’s zero liability policy(1), many consumers believe that security is a shared responsibility and want to take an active role in managing and protecting their Visa accounts,” said Jennifer Fischer, head of U.S. Payment System Risk, Visa Inc. “Visa’s site is intended to empower cardholders with information to prevent fraud, avoid deceptive marketing practices and learn about important protections and resources available to them.”

A study by Javelin Strategy & Research found more than half of consumers view the responsibility for protecting financial accounts from fraud as shared between themselves and their financial institution(2).

Consumer Tips on How to Stay Safe Online

While the vast majority of Internet shopping purchases go through safely, consumers face hazards ranging from spyware to deceptive marketing practices. Consumers can learn basic tips about navigating the internet safely by visiting the National Cyber Security Alliance’s website at http://www.staysafeonline.org. When it comes to protecting financial information online, Visa offers a few additional tips. More information is available at http://www.visasecuritysense.com.

* Keep current with anti-virus and anti-spyware software, download only from trusted sites, and don’t click pop-up windows or suspicious links in emails, even from people you know. These can all be tricks to install spyware and steal financial information.
* When using a website’s checkout, look for the safety symbols such as the padlock icon in the browser’s status bar and “s” after “http” in the URL, or the words “Secure Sockets Layer (SSL).” These are signs that the merchant is using a secure page for transmitting personal information.
* Activate Verified by Visa to add an extra layer of password protection during online checkout.
* Remember that Visa never calls or writes cardholders for personal account information.
* Do not provide sensitive information unless you initiated the communication. Report requests for personal information to your card issuer by calling the number on the back of your card.
* Be wary of “free trial” offers. Take time to read and understand all terms and conditions. Pay particular attention to any pre-checked boxes before you submit your payment card information for an order. Failing to un-check the boxes may bind you to terms and conditions you’re not interested in.
* Finally, monitor card statements or account activity regularly and report any suspicious or unauthorized charges to the financial institution that issued the card. When fraud does occur, Visa cardholders are protected from unauthorized purchases with a “zero liability” policy.

In addition to educational resources for consumers, Visa makes its transaction alerts and notification service available through participating financial institutions. Alerts are sent on behalf of issuers to cardholders directly from Visa’s global processing network, typically within seconds of a transaction occurring. Alerts are triggered when the transaction meets certain criteria the account holder has selected and are delivered directly to the account holder via email or SMS text message. Visa’s transaction alerts let consumers monitor their accounts for unusual activity and take immediate action if they believe a potentially fraudulent transaction is taking place.

“Criminals can be quite resourceful in their attempts to steal cardholder information, but equipped with the right information and tools, consumers can be very effective in preventing fraud,” Fischer concluded.

For more information, visit www.visasecuritysense.com.

(1)Visa’s Zero Liability policy covers U.S.-issued cards only and does not apply to ATM transactions, PIN transactions not processed by Visa, or certain commercial card transactions. Cardholder must notify issuer promptly of any unauthorized use. Consult issuer for additional details.
(2)Javelin Strategy & Research, Gen Y Security Backlash, “Figure 2: Primary Responsibility for Security – by Generation,” April 2009.

3D Merchant newsletters

Wednesday, June 2nd, 2010

Merchant Account and Payment Processing Newsletters, events, and marketing collateral. 3D Merchant shares insights with you. Not all newsletters are posted for public viewing.

3D Merchant news ISSUE 5, 2010: Red Flags Rule, American Express merchant fees, Identity theft risk. (PDF download 2.8 MB)

3D Merchant news ISSUE 4, 2010: PCI DSS Compliance, Tokenization & recurring billing, Preventing Credit Card Fraud. (PDF download 2.8 MB)

3D Merchant news ISSUE 3, 2010: May Madness follows April price increases, Data Security, PCI Compliance, Internal Fraud Prevention, PCI Compliance fees. (PDF download 2 MB)

Can merchant refund a credit card after they cancel the card?

Thursday, October 8th, 2009

When a credit card is canceled due to fraud a merchant cannot refund prior transactions back to the same card. What should a merchant do?

Here’s the scenario. A merchant has an online store, auction, or donor site that accepts cards for a digital transaction. No hard goods are delivered. A consumer gets a statement that has a charge they don’t recognize. The consumer doesn’t call the merchant using the information that is on the statement with the transaction. The consumer calls their credit card company, says there is a fraudulent charge and cancels the card.

The merchant gets a chargeback notice with a detailed description of a fraudulent transaction complaint. The merchant didn’t know the charge was fraudulent and wants to refund the charge back to the consumer card. This is not possible because the account is closed.

The merchant should respond to the chargeback with all the relevant information, including whether the transaction passed address verification and/or CVV code verification. The merchant should tell the processor their policy is to refund a disputed charge and they would like the consumer account credited. The processor will credit the account opened to replace the closed account; the merchant will not be given the credit card information and will get a confirmation that the case is closed.

Credit card fraud rising: protect your business

Wednesday, May 21st, 2008

We’re hearing about credit card fraud increasing everywhere, especially at restaurants, auto repair shops, auto dealers, and wholesale distributors.

What can your business do to protect itself from getting burned by credit card fraud?

Make sure your POS system or terminal is programmed correctly for prompts and that clerks know how to process correctly.

  • SWIPED transactions: the clerk must manually re-enter the last 4 digits of the credit card number.
  • MOTO (mail order/telephone order): address verification system (also called AVS). AVS compares the numeric portion of the street address and the zip code.
  • ORBITAL and other proprietary virtual terminal systems: full address match.

What happens if you do not perform these minimums? If there is fraud, your business is out the money.
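What "the numeric portion of the street address and the zip code" means in practice, and why a passing AVS check says nothing about the street name, is shown in this added example (not code from any processor). It assumes the numeric portion is the first run of digits in the street line and that only the 5-digit zip is compared; the result labels are descriptive, not card-network response codes, and all addresses are constructed.

```python
import re

def avs_key(street, postal_code):
    """Reduce an address to the two values an AVS-style check compares.

    Assumptions for this sketch: the street number is the first run of
    digits in the street line, and only the 5-digit zip is used.
    """
    number = re.search(r"\d+", street or "")
    zip5 = re.search(r"\d{5}", postal_code or "")
    return (number.group() if number else None,
            zip5.group() if zip5 else None)

def avs_compare(on_file, supplied):
    """Compare (street, zip) pairs; return 'full', 'street_only',
    'zip_only' or 'none' (descriptive labels, not network codes)."""
    num_a, zip_a = avs_key(*on_file)
    num_b, zip_b = avs_key(*supplied)
    street_ok = num_a is not None and num_a == num_b
    zip_ok = zip_a is not None and zip_a == zip_b
    if street_ok and zip_ok:
        return "full"
    if street_ok:
        return "street_only"
    if zip_ok:
        return "zip_only"
    return "none"

# Constructed billing address on file with the issuer.
ON_FILE = ("123 Main St Apt 4", "92101-1234")

if __name__ == "__main__":
    samples = [
        ("123 MAIN STREET", "92101"),   # formatting differences do not matter
        ("123 Oak Ave", "92101"),       # wrong street name still matches
        ("77 Main St", "92101"),        # wrong street number
        ("123 Main St", "10001"),       # wrong zip
    ]
    for addr in samples:
        print(addr, "->", avs_compare(ON_FILE, addr))
```

A numeric-only match is the minimum named for MOTO above; the full address match listed for virtual terminal systems is the stricter check.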