Payment Acceptance, Processes & Security
What is an Acquiring Bank?
Acquiring Banks are registered members of the card schemes, Mastercard & Visa, and accept (or acquire) transactions on these debit and credit card networks on behalf of a merchant. The card schemes connect acquiring banks to issuing banks (banks that issue credit cards), so that a customer transaction can be verified.
What is 3D Secure?
3D Secure is a tool developed by Visa (Verified by Visa) and Mastercard (ID Check) to provide ecommerce merchants with greater security for their payment card transactions when the cardholder is not present in person. With 3D Secure, the card issuer authenticates the cardholder online and thus protects Internet retailers against fraud-related chargebacks. Where fraud occurs, if an Internet shop is registered for 3D Secure at the time of the transaction, the card issuer is liable for the fraud and not the merchant.
3D Secure is launched through your website and interacts with both the cardholder and their card issuer. When your customers are checking out, a window appears asking them to enter a unique, personal code that has been registered with their bank or card issuer. The bank then authenticates the cardholder and provides the shop with evidence of the online purchase.
How is 3D Secure verified?
3D Secure is verified by Visa as 'Verified by Visa™' and Mastercard as 'Mastercard ID Check™'.
When a payment request arrives at the merchant or payment gateway, the Merchant Plug-in (MPI) component is activated. The MPI talks to Visa or Mastercard to check whether the card is enrolled for 3D Secure. If the card is not enrolled, either the bank that issued the card does not yet support 3D Secure or the cardholder has not yet been registered for the service.
If the card is enrolled, the MPI redirects the cardholder to the issuing bank's 3D Secure authentication web page, where the cardholder identifies themselves. The MPI evaluates the reply from the bank and, if authentication succeeded, allows the transaction to proceed for authorization. The transaction could still fail for lack of funds or other reasons but is more likely to be approved because of the authentication.
What does 3D Secure stand for?
3D Secure stands for 'Three Domain Model'. The three main domains are:
- Acquirer Domain (the merchant and the bank to which money is being paid).
- Issuer Domain (the bank which issued the card being used).
- Interoperability Domain (the infrastructure provided by the card scheme to support the 3-D Secure protocol). The Interoperability Domain includes the Internet, Access Control Servers, Merchant Plug-in providers and other software providers.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of standards for the payment card industry that is designed to protect cardholder data.
Which entity does PCI DSS apply to?
It applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
Questions about Chargebacks
What is a Chargeback?
A chargeback occurs when a credit cardholder contacts their credit card-issuing bank to initiate a refund for a purchase made on their credit card. Chargebacks arise for a variety of reasons but generally they are the result of a cardholder changing their mind, being dissatisfied with their purchase or a case of fraud. The fraud can result from the unauthorised use of their credit card (stolen card) or the cardholder purposely seeking to dispute a legitimate purchase they made ("friendly fraud").
Why are chargebacks bad?
Visa and Mastercard have strict guidelines for the acceptable number of chargebacks a merchant can receive. If an account is not properly monitored and chargebacks exceed the schemes' predetermined threshold(s), the consequences and penalties can be severe.
If the chargeback rate continues to breach these thresholds, you run the risk of having your merchant agreement terminated and being placed on a Terminated Merchant File with the card schemes. This can hamper your ability to secure the services of another Acquirer.
Can I prevent Chargebacks?
Understanding the reasons why your customer is disputing a transaction can help identify the main cause and provide you with valuable information on where you need to make changes or consider adopting a new approach within your business. Possible reasons for chargebacks include:
- Customer did not receive a product or service
- Customer does not recognise the charge or business name on their card statement
- Customer believes the product or service was defective, damaged or not as it was described
- Customer was a victim of fraud; card was stolen or used without consent
- Customer refund was not processed in a timely manner
What is the Chargeback Process?
- The chargeback process involves many parties: the customer, the issuing bank, the payment network (for example, Visa or Mastercard), the acquirer/processor (such as eCOMM Merchant Solutions) and you, the merchant.
- If a customer disputes a transaction, the issuing bank will credit their customer for the amount in dispute and the chargeback process begins. The disputed amount is debited from your merchant account as part of the process.
- If you provide documentary evidence and successfully challenge the chargeback in the necessary timeframe, the funds will be returned to you. If you do not submit documentation in time, or you are unsuccessful in challenging the chargeback, the funds will not be returned to you.
Why do customers dispute transactions?
One of the main reasons behind a chargeback is poor customer service. If a customer purchased a product from you and for some reason decides they want a refund, they might request a chargeback. If a customer cannot directly contact a Merchant, they will normally file a chargeback, for example if you do not process refunds in a timely manner.
How does Fraud affect Chargebacks?
Fraud is one of the most common reasons for chargebacks. This is typically where the customer's financial data has been stolen and this information is used to make a purchase. The customer did not authorise this purchase and disputes the transaction by claiming fraud has occurred.
See eCOMM's Tips on Fraud Prevention.
What is friendly fraud?
This is where the actual cardholder has authorised the transaction but, after receiving the goods or services, tries to get his or her money back by calling the credit card issuer to claim that the transactions were not authorised, or that the products were never received. Just like in the other fraud scenarios described above, if you, as a merchant, cannot prove that the cardholder received the goods or services, then you will likely lose the dispute and end up paying for the chargeback.
How can you detect fraudulent transactions?
The Card Schemes have a list of tips published on their websites to help merchants identify potentially fraudulent transactions and reduce the risk of becoming a fraud target. According to the list, there are 12 fraud indicators that you should keep your eyes open for. If more than one of the following indicators is present, fraud may be involved:
- First-time shopper: Criminals are always looking for new merchants to defraud.
- Larger-than-normal orders: Because stolen cards or account numbers have a limited life span, criminals need to maximize the size of their purchase.
- Orders that include several varieties of the same item: Having multiples of the same item increases a criminal's profits.
- Orders made up of "big-ticket" items: These items have maximum profit potential.
- "Rush" or "overnight" shipping: Criminals want their fraudulently obtained items as soon as possible for the quickest possible resale, and aren't concerned about extra delivery charges.
- Shipping to an international address: A significant number of fraudulent transactions are shipped to fraudulent cardholders outside of Canada/U.S.
- Transactions made with similar account numbers: May indicate the account numbers used have been generated using software available on the Internet.
- Shipping to a single address, but transactions placed on multiple cards: Could involve an account number generated using special software, or even a batch of stolen cards.
- Multiple transactions on one card over a very short period of time: Could be an attempt to "run a card" until the account is closed.
- Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses: Could represent organized activity, rather than one individual at work.
- In online transactions, multiple cards used from a single IP address: More than one or two cards could indicate a fraud scheme.
- Orders from Internet addresses that make use of free e-mail services: These e-mail services involve no billing relationships, and often neither an audit trail nor verification that a legitimate cardholder has opened the account.
These are good indicators of fraud with the exception of number 12 (free e-mail services). Free email addresses from sites such as Gmail, Hotmail, Yahoo, Live, etc. are now extremely common, as many people do not want to be tied to the email address supplied by their ISP. For that reason, merchants should not worry about a transaction where the customer uses a 'free' email address.
Another common fraud indicator to add to the list is when the customer has input information that is incomplete, uses fictitious or famous names, types in capital letters, or uses "C/O" or "PO Box" addresses on the order form. This often coincides with a shopper IP address that does not match the country where the credit card was issued.
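The sketch below is an added example, not code from the card schemes or from eCOMM. It scores a batch of orders against several of the indicators above and flags an order only when more than one indicator is present, leaving free e-mail addresses unscored as recommended. The field names, the 10-minute window, the three-use velocity threshold and all sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: "a very short period of time"
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|c/o)\b", re.I)

def order(oid, card, ip, ip_cc, card_cc, ship_to, rush, first_time, time):
    return dict(id=oid, card=card, ip=ip, ip_cc=ip_cc, card_cc=card_cc, ship_to=ship_to,
                rush=rush, first_time=first_time, time=datetime.fromisoformat(time))

def indicators(orders):
    """Map order id -> set of indicator names. Free e-mail is deliberately not scored."""
    by_ip, by_addr, by_card = defaultdict(set), defaultdict(set), defaultdict(list)
    for o in orders:
        by_ip[o["ip"]].add(o["card"])
        by_addr[o["ship_to"].lower()].add(o["card"])
        by_card[o["card"]].append(o["time"])
    result = {}
    for o in orders:
        nearby = [t for t in by_card[o["card"]] if abs(t - o["time"]) <= WINDOW]
        checks = {
            "first_time_shopper": o["first_time"],
            "rush_shipping": o["rush"],
            "po_box_or_care_of": bool(PO_BOX.search(o["ship_to"])),
            "ip_country_mismatch": o["ip_cc"] != o["card_cc"],
            "many_cards_one_ip": len(by_ip[o["ip"]]) > 2,  # "more than one or two cards"
            "many_cards_one_address": len(by_addr[o["ship_to"].lower()]) > 1,
            "card_velocity": len(nearby) >= 3,  # assumption: 3+ uses inside WINDOW
        }
        result[o["id"]] = {name for name, hit in checks.items() if hit}
    return result

def flagged(orders):
    """Orders with more than one indicator present."""
    return {oid: found for oid, found in indicators(orders).items() if len(found) > 1}

# Constructed sample data; "card" is a processor token, never the card number itself
SAMPLE = [
    order("A1", "tok_1", "203.0.113.7", "RO", "US", "PO Box 44, Springfield", True, True, "2024-05-01T10:00:00"),
    order("A2", "tok_2", "203.0.113.7", "RO", "US", "PO Box 44, Springfield", False, True, "2024-05-01T10:02:00"),
    order("A3", "tok_3", "203.0.113.7", "RO", "US", "PO Box 44, Springfield", False, True, "2024-05-01T10:05:00"),
    order("B1", "tok_9", "198.51.100.20", "US", "US", "12 Elm Street, Portland", False, True, "2024-05-01T11:00:00"),
    order("C1", "tok_5", "192.0.2.4", "US", "US", "8 Oak Avenue, Austin", False, False, "2024-05-01T12:00:00"),
    order("C2", "tok_5", "192.0.2.4", "US", "US", "8 Oak Avenue, Austin", False, False, "2024-05-01T12:03:00"),
    order("C3", "tok_5", "192.0.2.4", "US", "US", "8 Oak Avenue, Austin", True, False, "2024-05-01T12:06:00"),
]
if __name__ == "__main__":
    print({oid: sorted(found) for oid, found in flagged(SAMPLE).items()})
```

Orders B1, C1 and C2 each trip a single indicator and are not flagged, which is the point of requiring more than one: a first-time shopper or a quick repeat purchase on its own is normal behaviour.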