A guide to chargebacks - Part III of III

Posted on Tuesday, September 25, 2007 by Bryan Johnson

III. Second Chargeback and Second Reversal Phase (MasterCard only): Once a Reversal (and the subsequent debit) is received back at the Issuing Bank, the Issuing Bank forwards the "Merchant's Letter" to its Cardholder for a response. If the Cardholder wishes to pursue the dispute further, they send a "Rebuttal Letter" back to the Issuing Bank and, if the Issuing Bank feels that the response is valid, it will submit a Second Chargeback.

A Second Chargeback functions just like a First Chargeback, except a Chargeback fee is not assessed and the disputed amount is immediately debited out of the Merchant's business checking account. The Merchant is sent another letter explaining what, if any, documentation is required to pursue this dispute further.

This "Second Chargeback" phase of the dispute is then considered "Resolved to the Merchant" and will remain closed until the Merchant responds back to the letter sent to them. If the Merchant does indeed respond to the letter sent to them, a "Second Reversal" phase of the dispute is opened. An Acquirer Chargeback Analyst will then review the letter and one of two scenarios will occur:

  1. If the Chargeback Analyst deems the Merchant's response as invalid, they will close out this phase as "Request Denied" and will mail a letter to the Merchant explaining why the Chargeback cannot be pursued further at that time.
  2. If the Chargeback Analyst deems the Merchant's response as valid, they will submit a "Pre-Arbitration" letter directly to the Issuing Bank advising that the Acquirer believes the Merchant's claim is valid and that the Acquirer will request MasterCard to make an Arbitration ruling on the dispute if the Issuer disagrees with the Merchant's claim.
     a. If the Issuing Bank agrees with the Merchant's claim, they will simply forward the funds back to the Acquirer and the Acquirer will then credit the Merchant's business checking account accordingly. The dispute at this point is considered "Successful" and cannot be re-opened.
     b. If the Issuing Bank disagrees with the Merchant's claim, they will send a letter back to the Acquirer advising of such. The Acquirer will then send a form to the Merchant requesting that they sign the form which makes the Merchant liable for Arbitration filing fees. (When MasterCard makes an Arbitration ruling, it assesses a $400.00 filing fee to the loser of the dispute.) If the Merchant does not agree to the fees, the Acquirer simply closes out the Second Reversal phase of the case as "Unsuccessful". If the Merchant does indeed agree to the fees and submits the signed form, the Acquirer then submits an Arbitration Request to MasterCard directly.
        i. If MasterCard rules in the Merchant's favor, the Issuer is immediately debited and the Acquirer is credited for the amount in dispute and forwards the credit to the Merchant's business checking account. The Issuing Bank is also assessed the $400.00 in filing fees and the Acquirer closes this phase of the dispute as "Successful".
        ii. If MasterCard rules in the Merchant's favor, the Issuer is immediately debited and the Acquirer is credited for the amount in dispute and forwards the credit to the Merchant's business checking account. The Issuing Bank is also assessed the $400.00 in filing fees and the Acquirer closes this phase of the dispute as "Successful".

A guide to chargebacks - Part II of III

Posted on Tuesday, September 25, 2007 by Bryan Johnson

II. First Reversal Phase:

If the merchant does indeed respond with a “Merchant Letter” back to the Acquirer, a “Reversal Phase” of the dispute is opened and a Chargebacks Analyst will review the Merchant Letter and will see if the merchant’s response and the overall dispute qualify to be “Reversed” back to the Issuing Bank. At this point, one of two scenarios will occur:
  1. If the Chargebacks Analyst deems the Merchant’s response as invalid, they will close out this phase as “Request Denied” and will mail a letter to the Merchant explaining why the Chargeback cannot be reversed back to the Issuing Bank at that time.
  2. If the Chargeback Analyst deems the Merchant’s response as valid, the Acquirer “Reverses” the Chargeback back through the Association and eventually back to the Issuing Bank along with a debit for the disputed amount. The Acquirer is then credited for the amount in dispute and in turn credits the Merchant’s business checking account. The Chargeback fee remains on the Merchant’s account as this is a fee charged by the Associations as a cost for processing the Chargeback. This “First Reversal” phase of the dispute is then considered “Resolved To the Issuing Bank” and will remain closed unless the Issuing Bank initiates a “Pre-Arbitration” notification (Visa) or a Second Chargeback (MasterCard).

A guide to chargebacks - Part I of III

Posted on Tuesday, September 25, 2007 by Bryan Johnson

Most everyone who has a merchant account understands that a chargeback results when a customer successfully disputes a sale that has been paid by credit card. A customer can initiate a chargeback with their issuing bank based upon a wide variety of things. There are about 35 reasons why a chargeback can be initiated by a consumer. Examples include improper or broken goods, product not received, services not as described, cardholder did not authorize transaction, error in amount, and incorrect transaction date.

What most merchants don't understand is how exactly the chargeback process works. In a three part post, I'll include the details of how a chargeback is handled by the issuing bank, Acquirer, and Association (Visa & MasterCard) from start to finish.

I. First Chargeback Phase: A Cardholder writes a letter or fills out a "Dispute Resolution Form" and submits it to their Credit Card Issuing Bank. The Issuing Bank then processes a chargeback along with the "Chargeback Documentation" (i.e. Cardholder letter) through the corresponding Association (Visa or MasterCard) and is then credited the disputed transaction amount. The Acquirer or "Merchant Bank" then receives notification of the Chargeback upon receipt of the "Chargeback Documentation" and is subsequently debited for the disputed transaction amount. At this point the Acquirer's internal database assesses the Merchant a "Chargeback fee". Acquirer's systems then run the Chargeback through a series of simple filters to check to see if the Merchant issued credit and for certain technical errors. At this point one of two scenarios occurs:

1. If, via the filters, the Chargeback is deemed invalid, Acquirer "Reverses" the Chargeback back through the Association and eventually back to the Issuing Bank along with a debit for the disputed amount. The Acquirer is then credited for the amount in dispute. The Chargeback fee remains on the Merchant's account as this is a fee charged by the Associations as a cost for processing the Chargeback. This "First Chargeback" phase of the dispute is then considered "Resolved To the Issuing Bank" and will remain closed unless the Issuing Bank initiates a "Pre-Arbitration" notification (Visa) or a Second Chargeback (MasterCard).
2. If, via the filters, the Chargeback is deemed valid, the Merchant's business checking account is immediately debited for the amount in dispute and a letter is sent to the Merchant the same day advising of the debit and explaining what, if any, documentation is required to "Reverse" this Chargeback. This "First Chargeback" phase of the dispute is then considered "Resolved to the Merchant" and will remain closed until the Merchant responds back to the letter sent to them.

HBR Case Study: How to deal with a credit card security breach

Posted on Monday, September 17, 2007 by Bryan Johnson

In the September 2007 issue of the Harvard Business Review, Eric McNulty writes an article, "Boss, I Think Someone Stole Our Customer Data". This is a must-read for any executive or business owner whose company accepts credit cards. Mr. McNulty does a great job of clearly framing PCI Compliance, data security, and the potential responses to and ramifications of a security breach. The author included in the article four expert opinions regarding the case study. They come from James Lee, SVP of ChoicePoint; Bill Boni, Corporate Information Security Officer at Motorola; John Coghlan, former President and CEO of Visa USA; and Jay Foley, Executive Director for Identity Theft Resource Center. All offer valuable insights.


TJX cost of security breach: $150MM

Posted on Friday, September 14, 2007 by Bryan Johnson

I wrote about this breach a few months ago and wanted to follow up with fallout. I got this update from Computer World. The key take away: in storing credit card and other sensitive customer data, it's cheaper to protect than it is to clean up.

The company in January acknowledged that 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc., making the TJX compromise the worst ever involving the loss of personal data. The Framingham, Mass.-based discount retailer Tuesday reported after-tax charges of $118 million in its second quarter ended July 28 to cover potential losses because of the data breach. The charge includes $11 million in costs incurred during the quarter and a reserve of $107 million to cover potential future losses related to the breach. The reserves reflect the company's best estimation of probable future costs stemming from litigation, cash liabilities, investigations and other claims, the company said. Deven Bhatt, director of corporate security at Airline Reporting Corp., said the rising costs related to the TJX breach should help him convince management of the importance of heavy security investments.

While this breach has dominated the headlines, there are other recent breaches that were also pretty significant. The Card Associations like Visa and MasterCard have really been pushing hard on processors and merchants to comply. They are worried that if the industry can't successfully tame this, someone like Big Brother may want to get more closely involved.

The fundamental problem I see is that even when a company becomes PCI compliant, it doesn't necessarily mean that they are secure. They are two different things. PCI efforts will certainly make breaches more difficult, but they won't prevent them. It's a stepped process and perhaps both will come in the same package down the road.


10 simple ways to reduce credit card fraud

Posted on Thursday, September 06, 2007 by Bryan Johnson

Managing Credit Card Fraud is a growing concern for most merchants. Here are some helpful hints on how you can reduce the number of fraudulent transactions in your business. These suggestions are geared more towards smaller businesses that don't have more robust fraud and risk solutions. Larger companies implement much more sophisticated rule-based fraud and risk management tools that automate a lot of this and detect suspicious activity in many more ways.

  1. Train operators to pay particular attention to anything suspicious in the way the caller speaks or responds to questions. One simple tip-off is a long pause or a hesitant answer. Make it a policy to request the name of the credit card issuing bank for any sale over a pre-set amount. If the caller doesn't know the bank's name, chances are he or she is using a stolen credit card number.
  2. Always ask for the cardholder's billing address. Ask for the cardholder's day and evening telephone numbers "in case there's a question." Orders with a "ship to" address that is different from the cardholder's billing address can be a danger sign. If you are suspicious, attempt to contact the cardholder on a second phone to verify the order. If your system lets you, compare the "ship to" and "bill to" addresses with the catalog's "mail to" address.
  3. Develop and maintain a "negative file" of fraudulent names, addresses, zip codes, credit card numbers and companies you come across. Compile a zip code listing that spotlights areas in which you've experienced high fraud. An ongoing good rule of thumb is to decline "ship to" to prisons.
  4. If the address is a P.O. box in a large city, further checking is suggested, especially if the order is from a new customer. Mail delivery services require a street address and will not ship to P.O. boxes.
  5. Carefully examine a "rush" order request from a new customer. Be especially alert when the caller appears ready to order whatever merchandise is in stock, regardless of size or style.
  6. Carefully examine any order with an unusually high dollar amount or which involves an out-of-the-ordinary situation.
  7. For American Express and Optima customers, ask for the 4-digit, non-embossed CID number printed on the front of the card (on the right border of all American Express Cards; on the left border of Optima Cards).
  8. For Discover Card customers, ask the name of the bank on the back of the card. It should always be Greenwood Trust Company. If the customer can't identify the bank, chances are the customer is attempting a fraudulent purchase.
  9. For Visa cards, ask for the non-embossed number which appears above the first 4 digits. It should match the first 4 digits of the credit card number. Ask the caller to describe the embossed symbol (CV on Visa Classic, BV on Visa Business and PV on Visa Gold cards) to the right of the expiration date. Also, ask about the repetitive pattern of the Visa wordmark throughout the signature panel.
  10. For MasterCard, ask for a non-embossed 3-digit code on the back of the card following the card number. It should match the card validation code (CVC2). Also, ask for a description of the security character -- a stylized MC embossed on the line next to the valid dates on the face of the card.
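
Several of the checks in the list above (tips 2, 3, 4, 5, 6 and 9) can be applied automatically before an operator ever looks at an order. The following is an added example, not code from the original post; the field names, the review threshold, the negative-file entries and the sample orders are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data; a merchant would load these from its own records.
NEGATIVE_CARDS = {"4111111111111111"}   # tip 3: card numbers seen in past fraud
HIGH_FRAUD_ZIPS = {"99999"}             # tip 3: zip codes with a fraud history
REVIEW_AMOUNT = 500.00                  # tip 6: assumed "unusually high" threshold

PO_BOX = re.compile(r"\b(P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\b", re.IGNORECASE)


def normalize(address: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace so addresses compare reliably."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", address.lower()).split())


@dataclass
class Order:
    card_number: str
    amount: float
    bill_to: str
    ship_to: str
    ship_zip: str
    new_customer: bool = False
    rush: bool = False
    printed_prefix: Optional[str] = None  # tip 9: 4 digits read from a Visa card


def screen(order: Order) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'accept', 'review' or 'decline'."""
    card = re.sub(r"\D", "", order.card_number)  # strip spaces and dashes
    if card in NEGATIVE_CARDS:
        return "decline", ["negative-file match"]

    reasons = []
    if normalize(order.ship_to) != normalize(order.bill_to):
        reasons.append("ship-to differs from bill-to")          # tip 2
    if order.ship_zip in HIGH_FRAUD_ZIPS:
        reasons.append("high-fraud zip code")                   # tip 3
    if PO_BOX.search(order.ship_to):
        reasons.append("P.O. box ship-to")                      # tip 4
    if order.rush and order.new_customer:
        reasons.append("rush order from new customer")          # tip 5
    if order.amount >= REVIEW_AMOUNT:
        reasons.append("high dollar amount")                    # tip 6
    if (card.startswith("4") and order.printed_prefix is not None
            and order.printed_prefix != card[:4]):
        reasons.append("printed prefix does not match card")    # tip 9
    return ("review" if reasons else "accept"), reasons


# Constructed sample orders (card numbers are well-known test values).
ORDERS = {
    "repeat": Order("4012 8888 8888 1881", 42.50, "9 Elm Rd, Dayton",
                    "9 Elm Rd., Dayton", "45402", printed_prefix="4012"),
    "risky": Order("4012888888881881", 900.00, "9 Elm Rd, Dayton",
                   "P.O. Box 77, Chicago", "60601", new_customer=True,
                   rush=True, printed_prefix="4021"),
    "known_bad": Order("4111-1111-1111-1111", 20.00, "1 A St", "1 A St", "10001"),
}

if __name__ == "__main__":
    for name, order in ORDERS.items():
        print(name, screen(order))
```

Orders that come back as "review" still go to a person; the rules only decide which orders need the manual questions from the list.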

California's State Assembly looking to make retailers liable for security breaches

Posted on Friday, August 31, 2007 by Bryan Johnson

California’s State Assembly’s Committee on Appropriations voted 12 to 3 today on bill AB 779 which would make California the second state to codify PCI Security Standards AND make retailers liable for losses incurred from a data breach. The bill now moves forward to be reviewed by the full Assembly which will vote by June 8th.

The legislation would also require retailers to notify consumers if a data breach occurs and shifts the responsibility of sending out notices and card reissuance campaigns from financial institutions to merchants.


Online data security for ecommerce

Posted on Friday, August 31, 2007 by Bryan Johnson

I read a great article today written by Steve Mott of Better By Design that was published in Digital Transactions about online security for ecommerce merchants. It provides a nice historical overview of online security and outlines the debate that is currently going on between issuing banks, credit card processors, and merchants. It also provides some needed context to my previous post Verified by Visa is not working.

Go back to 1995, when buying on the Web really got under way, to see how logic got stood on its head. That's when the bank card associations worked closely with the key Internet infrastructure providers and an assortment of security firms to come up with a protocol that would provide substantive digital identification and verification of all parties to an online credit card transaction. The result was the much ballyhooed but quickly jettisoned Secure Electronic Transaction (SET) protocol. SET proved to be overkill-too slow and expensive for most consumers to use. So the first generation of e-commerce went on its merry way without it.
The bank card associations didn't give up, however. Several years later, a stripped-down version of SET emerged, called 3-D Secure. 3-D means "three domains," that is, the card-issuing bank, the acquiring processor, and the merchant all required extra digital security, but the consumer did not. All the consumer had to do was register the card and validate himself with an additional log-on each time it was used to make a purchase online.
Most didn't bother. So the bank card industry decided to pre-register millions of their cards to nudge them along. When those consumers went online, they were forced to confirm the pre-registration process before they could use their cards. Not surprisingly, consumers abandoned those transactions in droves, and early-adopting e-commerce retailers quickly unhooked the troublesome 3-D Secure deployments.
Meanwhile, bank card marketers touted "zero liability," letting even the most negligent or irresponsible consumers off the hook for any fraud or mishaps, whether real or intended. As many bank card veterans will attest, the vast proportion of chargebacks and so-called friendly fraud is done by a relative handful of recidivists. A zero-liability policy lays out a welcome mat for them. And it teaches the vast body of responsible consumers not to care.
Today's online merchants use a combination of old techniques (e.g., manual review of transactions, cardholder verification numbers, etc.) and new (e.g., IP address screening, geo-locator services, etc.) to pull this off. And guess what? Responsible consumers go along!
Then came the FFIEC-an acronym that rolls off tongues in the data security industry these days as easily as, say, NBA, or MLB, or NFL. The Federal Financial Institution Examination Council, a collection of bank regulatory agencies, mandated that banks have a plan in place for a second authentication factor for online banking sessions by the end of 2006. While by some accounts as many as one-third of regulated banks did not quite meet this admittedly modest first step in online authentication, and those who did struggled a bit with somewhat clumsy deployments, it was a decidedly good start. Indications of consumer resistance were few and far between.
Good, Isn't it time for the bank card industry to finally rid itself of the one-size-fits-all mentality that ensures that merchants treat a new 16-digit BIN number and expiration date coming in from a Latvian IP address the same way they do credit card transactions from consumers who have done hundreds of transactions with them over the years? Isn't it time to quit holding the industry hostage to its relatively few bad actors-whether they be bad consumers or bad merchants?
The evidence is steadily mounting that moving to a known-customer paradigm where good consumers and good merchants can identify (and protect) each other online (and via mobile devices) is the only way for e-commerce to go-even if it has to leave the bank card industry behind to get there.

Verified by Visa is not working

Posted on Thursday, August 30, 2007 by Bryan Johnson

Verified by Visa is a payer authentication program that allows cardholders to sign up at their issuing bank's website and create a password to be used for online transactions. Once enrolled, when buying items online, buyers will be prompted to enter their password prior to completing the transaction. The merchant also has to be participating in the program; otherwise you won't be prompted for your password. It's designed to be a consumer's digital signature and help curb credit fraud losses.

I've always found this program interesting because in the first place, since 2002, Visa card holders get automatic fraud protection. From Visa's site: "Use your Visa card to shop online, in a store, or anywhere, and you're protected from unauthorized use of your card or account information. With Visa's Zero Liability policy, your liability for unauthorized transactions is $0-you pay nothing." So without any downside, why sign up? Visa's effort to get both merchants and consumers to sign up hasn't been very successful to date despite trying to offer fraud protection incentives to merchants who use it and marketing it to consumers. Online merchants have been reluctant to add any more steps to the checkout process and jeopardize a sale. Visa has been trying to tweak the rules and incentives to generate interest but I wouldn't hold my breath. Buyer authentication is a hot area right now and there are a lot of promising technologies. I just don't think that password authentication is going to cut it.


Alternative payment providers see opportunity

Posted on Tuesday, August 28, 2007 by Bryan Johnson

Capitalism is alive and well in the payment processing industry. Since 1949 when Diners Club issued the first credit card, the credit card issuing world has been highly lucrative. It's become even more lucrative considering that in the past six years the fees that issuing financial institutions charge on every credit card transaction, known as Interchange, have increased an amazing 117%. That increase of profits has come directly out of the bottom line of every merchant who accepts credit cards as a form of payment.

Those profits have also lured in quite a few players who want a piece of the action. Companies like PayPal, Google Checkout, Amazon, Tempo, Bill me Later, and Gratis Card are just a few who are trying to capture a small part of the pie. Others like Dream Play Ventures have been trying to squeeze themselves into the value equation by offering value-added services on top of processing, like targeted advertising.

The opportunity for these companies is that Visa and MasterCard, which collectively account for something like 70% of all processing volume, represent over 20,000 financial institutions that are fat and happy making a lot of money with their current revenue model. They've unilaterally been able to raise their fees and dictate their terms for years now. They've created a lot of animosity in the process and left the door wide open for new entrants.

Each of the alternative payment providers has a different value proposition for merchants. Companies like Gratis Card and Tempo are making a play for lower cost interchange which offers merchants a reprieve in their credit card processing fees. Their focus is also primarily on swiped merchants like restaurants and retailers. Other providers, who are focused on ecommerce, like Bill Me Later, PayPal, Google Checkout have created value propositions that include higher conversion rates, customer convenience and accommodating buyer security fears and preferences.

There is certainly a land grab going on right now as all of these providers are working both sides of the demand and supply equation. They need consumers to demand the service from merchants and merchants need the demand to justify the option. PayPal and Google obviously see this and have been trying to buy market share to secure a top 1, 2 or 3 position. There are many more entrants than what I've listed and they're not all going to make it. Unlike the current boom in social networking where new entrants can be successful by carving out a vertical, payment providers including alternative payment types will have to achieve some level of critical mass to remain viable. If they don't, they'll end up like Peppercoin, a micro payments provider, who raised over $10MM and then got swept up for something probably substantially less than that.
