Credit Card Testing Explosion Hurts Merchants Profits

Posted on May 5, 2017 by Christine Speedy

If you accept payments online, have you hardened security to protect from card testing? Card testing is a big criminal business. They’re sophisticated and use hardware and software that can send thousands of stolen credit card data in less than an hour to your payment portal or ecommerce shopping cart before you even know you’ve been hit.

Brute-force authorization attacks can be very expensive for merchants. For every attempted authorization, merchants pay a payment gateway fee, plus a fee to the merchant services processor (acquirer).

Example:

$.30 per transaction gateway
$.10 per transaction processor
20,000 cards tested @$.40= $8,000

There’s no getting back the $8,000. The gateway and processor passed the data you gave them. In the event orders are approved, there’s the additional cost of lost product shipped and the associated chargeback fee. Then there’s the cost of damaged brand reputation from cardholders who voice on social media, where it lives on forever, how their card was used unauthorized.

How can merchants protect online payments from card testers? Google reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA can prevent bots from submitting a transaction that you’ll pay for. For most shopping carts, it’s the payment gateway that must support reCAPTCHA. If the integration does not include reCAPTCHA or similar service, merchants might want to review if their gateway is compliant with current rules acceptance in general.

Protecting against both bots and fraudulent transactions is tricky.

Fifteen percent of all cardholders have had at least one transaction unnecessarily declined in the previous 12 months, according to a 2015 study by Javelin.

Unnecessary declines are also called False Positives. Cardholder authentication is a layer of security to protect against fraudulent purchasing, increasing approvals and reducing False Positives. 3-D Secure is a global XML protocol for Cardholder Authentication; The card brands each has their own name- Verified by Visa, Amex Safekey, MasterCard SecureCode. Benefits of 3-D Secure include automation, shifting liability to card issuers without manual review of orders, increased approvals, and sometimes reduced Visa and MasterCard interchange fees.

Which payment gateways support recaptcha and Cardholder authentication?

reCAPTCHA is easy to implement, just check with your payment gateway provider or web developer. 3-D Secure is quick, easy and requires a few steps:

Confirm your payment gateway is 3-D Secure certified for your credit card processor (merchant services provider or acquirer). Ask which are certified: Verified by Visa, Amex Safekey, MasterCard SecureCode. Some have certifications, some don’t.
If there’s an application such as a shopping cart or e-invoicing, confirm the payment gateway integration will support 3-D Secure.
Contact your acquirer and ask them to register your merchant account for 3-D Secure. Some can, some can’t. It’s usually done in a day.
Turn on 3-D Secure in the payment gateway.

FAQ

Is there a cost for reCAPTCHA? No, it’s free from Google. If your payment gateway supports reCAPTCHA, it may just need to be activated on your account, no programming needed. Contact your payment gateway support or check their FAQ to find out.

Is there a cost to register for 3-D Secure? That’s up to the individual company doing the registration. Costs start at $0.

Is there an ongoing cost to use 3-D Secure? Yes, and it’s up to the individual company offering the service. Costs typically range from $.075 to $.30 per attempted authorization.

If hit by a card tester, can I negotiate to reduce fees? It’s unlikely because services were delivered as per your agreements.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions, including reCAPTCHA and 3-D Secure cardholder authentication, to maximize merchant profits and mitigate risk across multiple sales channels. Contact Christine at 954-942-0483.

Stolen Credit Card Number Testing Increases 200 Percent in 2017 Proving eCommerce Fraud is set to Explode

Posted on May 1, 2017 by Christine Speedy

Alarming new data from Radial warns retailers of the urgency to manage fraud without compromising revenue or customer loyalty.

01 May, 2017, 09:00 ET

KING OF PRUSSIA, Pa., May 1, 2017 /PRNewswire/ — Just released data from Radial’s leading eCommerce Fraud Technology Lab adds another alarming statistic for retailers to contend with when delivering a seamless customer experience. To date in 2017, data shows a 200-percent increase in credit card testing, a tactic used by fraudsters to test stolen credit card numbers with small incremental purchases before making large-dollar purchases on the card, compared to the same quarter in 2016. Fraud also is up 30 percent year over year, proving to already struggling retailers that this is just the beginning of online fraud in the post-EMV world.

Managing fraud continues to be a double-edged sword for retailers. Many either apply tools that over-reject orders, but in the process decrease their customer transaction approvals and lose valuable revenue in return. Or, retailers build their fraud teams in-house, which often lack the historical data and rules to catch subtle card testing tactics like the ones identified by Radial. Card testing leads to more eCommerce fraud as it’s easily identifiable when a retailer is allowing these types of fraudulent transactions through.

“Our data adds another alarming statistic for retailers who may be unprepared to manage fraud activity in eCommerce. We know fraudsters won’t stop looking for opportunities to monetize their stolen data and will even automate this process once they have a card that appears to be working,” said Stefan Weitz, chief product and strategy officer at Radial. “This results in quick, large volume purchases that leave retailers vulnerable. When retailers miss card testing, they’re contributing to future card attacks. Fighting card testing is complicated, but can stop millions of unanticipated fraud attacks if tracked and managed efficiently.”

The fraud landscape is rapidly changing and presents pervasive and growing threats for eCommerce merchants. Radial’s Fraud Technology Lab and a team of data scientists use their robust fraud platform to uncover how trends in fraud can drive down retailers’ bottom lines and increase their risk. According to Radial’s analyses, since August 2016, the market segments of electronics, entertainment, jewelry, and sporting goods experienced the highest increases in online fraud during the 2016 peak season.

“Increasing revenue has never been more important for retailers. They cannot afford to be slammed with fees that stem from missing fraud activity and must count on each good order getting approved,” said Weitz. “More retailers claim they are combatting fraud, but underestimate the other areas they’re endangering – like revenue and customer loyalty – when they don’t use the types of data sets Radial has to increase transaction approval and take on full liability of combatting fraud.”

About Radial

Radial is the leader in omnichannel commerce technology and operations, enabling brands and retailers to profitably exceed retail customer expectations. Radial’s technical, powerful omnichannel solutions connect supply and demand through efficient fulfillment and transportation options, intelligent fraud detection, payments, and tax systems, and personalized customer care services.

Hundreds of retailers and brands confidently partner with Radial to simplify their post-click commerce and improve their customer experiences. Radial brings flexibility and scalability to their supply chains and optimizes how, when and where orders go from desire to delivery. Learn how we work with you at www.radial.com.

VISA FRAUD DISPUTE RULES CHANGES IMPACT CARD NOT PRESENT

Posted on April 21, 2017 by Christine Speedy

April 5, 2017—This alert contains critical information regarding new and revised Visa card acceptance rules effective now and coming in the future for merchants. Business to business companies may be at higher risk of associated chargeback losses or declines due to the average size of order. Effective April 22, 2017, Revisions have been made to split the “Other Fraud” Dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes.

Christine’s Analysis: Merchants need to support both EMV chip for Card-Present and Verified by Visa for card not present. Verified by Visa is their brand for 3-D Secure, a global security protocol for cardholder authentication across all card brands. For example, a cardholder might be asked to enter a PIN number or answer some other type of authentication question. Cardholder authentication for Card-Absent Transactions shifts liability for “it wasn’t me” disputes to the issuer. This card-absent cardholder authentication process requires cardholders self-initiate payments, eliminating collecting card numbers via phone or paper credit card authorization forms. Merchants are rewarded for using cardholder authentication with reduced interchange rates and increased approvals.

Christine’s TIP: Per Visa rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Replace paper forms with digital, PCI Compliant forms and online payment solutions with cardholder authentication ASAP.

Online payment solutions include a hosted pay page like the one shown below.

A hosted pay page empowers customers to make secure payments online using a 3rd party provider (Payment Gateway also known as a Payment Facilitator.)

Other solutions include pushing out payment requests, such as via a text or email. With new and revised rules impacting the entire payment ecosystem including issuer, acquirer, gateway, merchant, and potentially other software like ERP’s and ecommerce shopping carts, merchants should verify all parts their payment ecosystem supports them. Desktop terminals are not capable of supporting all the rules for card absent needs; a cloud-based payment gateway is required whether non-integrated, or integrated ecommerce shopping cart, ERP or other software.

Does your online payment solution support Verified by Visa, or do you need a solution? Contact Christine Speedy at 954-942-0483 for a fast and easy solution, compatible with your existing credit card processor.

What is Auth Code 14, declined?

Posted on April 19, 2017 by Christine Speedy

A credit card processing response of Auth Code 14, is a decline for Processor Declined, Fraud Suspected. Why does this happens for recurring billing, including unscheduled recurring billing using a stored credential, also known as a token on file? The method used to store the first transaction, and process subsequent transactions can impact authorization approvals.

For example, a merchant has successfully processed unscheduled transactions using a token on file since 2016. However, in 2017, declined for Auth Code 14 appeared.

Why would a previously stored and working card decline now? Look at the AVS, ZIP, and CVV response above. Compare to the example below.

For the second receipt, AVS match Y= address and 5 digit zip match, Zip match Y=Address and 5 digit zip match, CVV = match X, cannot verify CVV. Because CVV was verified a match on the initial zero dollar authorization it’s not required to be presented on subsequent transactions.

The first example is returning that information does not match, thus the reason for suspected fraud. Without looking at the very first authorization when token was created, several possibilities exist, including cardholder issued a new chip card with same number but other changes occurred in the interim; cardholder address changed or was never validated.

Merchants are at risk of issuer initiated chargeback if authorization rules are not followed. Refer to Visa Product and Service Rules, Table 5-21: Requirements for Prepayments and Transactions Using Stored Credentials for more information. With recent rules changes, and more coming October 2017, merchants need a cloud based solution that can automate compliance. Not all of them have that intelligence. For example, some cloud based payment gateways enable merchants to perform prohibited transaction requests that put the authorization at risk of chargeback for non-compliance.

Due to many recent and upcoming changes for card absent and recurring billing with stored credentials, merchants are advised to review processes to include empowering customers to self-manage adding cards on file, and using cardholder authentication. Visa requires Verified by Visa for cardholder authentication in a card not present environment; without it, expect increasing declines.

Disclaimer: The rules of card acceptance are very complex and change typically twice a year, sometimes with interim bulletins regarding more changes. Merchants should read the manual for complete details regarding card acceptance for your business type.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions, including cardholder authentication, to maximize merchant profits and mitigate risk across multiple sales channels. Contact Christine at 954-942-0483.

What is CAVV Authentication Verification Value?

Posted on November 8, 2016 by Christine Speedy

Cardholder Authentication Verification Value, or CAVV, are potential responses for customer initiated Visa debit and credit card transactions where the Verified by Visa, or Vbyv, authentication method is used. E-commerce, online payments, and Electronic Invoice Presentment & Payment (EIPP or EBPP) are all solutions in which a customer can participate in self-authentication.

How does CAVV impact interchange rates, the bulk of credit card processing fees?

To qualify for CAVV interchange rates, merchants must register for Verified by Visa through their merchant services provider, and must use a payment gateway that supports the service as part of the transaction process. In addition, other rules apply such as settlement time and more; the latter part can be managed automatically with an intelligent payment gateway.

The best Visa Card Not Present Key entered transaction credit rate is 1.80%.
The same Visa transaction as above, but with a valid CAVV response is 1.70%.

How does CAVV impact fraud risk?

If a passed validation response is returned, then fraud risk shifts to the card issuer. Responses other than ‘fail’ may warrant additional scrutiny as part of a layered approach to mitigate fraud risk.

CAVV Transaction Response Code Values:

“ ” – Blank CAVV or AEVV Not Present
0 – CAVV or AEVV Not Validated due to erroneous data submitted
1 – CAVV or AEVV Failed Validation – Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV.
2 – CAVV or AEVV Passed Validation – Authentication Transaction
3 – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (Determined that the Issuer ACS generated this value from the use of the Issuer’s CAVV/AEVV key[s]).
4 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (Determined that Visa generated this value from the use of CAVV/AEVV key[s]).
5 – Reserved for future use – NOT USED
6 – CAVV or AEVV Not Validated – Issuer not participating in CAVV/AEVV validation. This value is generated when an Issuer requests the “do not verify” flag to be established for its BINs. This parameter enables an Issuer to temporarily stop CAVV/AEVV verification while resolving CAVV/AEVV key issues. VisaNet processes this value as a valid CAVV/AEVV.
7 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (CAVV/AEVV generated with Visa Key)
8 – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (CAVV/AEVV generated with Visa Key)
9 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV (CAVV/AEVV generated with Visa Key – Issuer ACS unavailable)
A – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (CAVV/AEVV generated with Visa Key – Issuer ACS unavailable)
B – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (CAVV/AEVV generated with Visa Key)
C – CAVV or AEVV Not Validated – Attempted Authentication Transaction. Issuer did not return a CAVV/AEVV results code in the authorization response. VisaNet will treat this as valid CAVV/AEVV if the Issuer approves the authorization.
D – CAVV or AEVV Not Validated – Authentication – Issuer did not return a CAVV/AEVV results code in the authorization response. VisaNet will treat this as valid CAVV/AEVV if the Issuer approves the authorization.
I – Invalid Security Data
U – Issuer does not participate or 3-D Secure data not utilized.
Default space filled

Note, other card brand authentication terms are AEVV, American Express Verification Value and MasterCard Universal Cardholder Authentication Field (UCAF^™). All of these, including VbyV, use the global standardized 3-D Secure XML security protocol. Payment gateways can implement 3-D Secure in different ways, which can potentially impact profits and risk.

For CenPOS solutions to enable customer cardholder authentication, including payment gateway, contact Christine Speedy today. Not all solutions work alike, contact an expert.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: fraud protection