Part 5: Preventing Chargebacks with Security and Verification
In part 4, it was stated that chargeback management isn’t all about security codes and PCI compliance. While that is true, they remain a pivotal piece of the chargeback management puzzle. The tips in the last post were designed to reduce chargebacks arising from customer complaints; the tips below target fraud-related chargebacks. This post covers security and verification best practices that help keep your systems secure and your customers’ information safe.
The best way to prevent fraud-related chargebacks is to confirm that the person making the purchase is using a payment method that actually belongs to them. This can be done in a number of ways, each demanding a different amount of effort from the customer.
The first, and most widely used, is requiring the card security code: the 3-digit code on the back of Visa (CVV2), MasterCard (CVC2) and Discover (CID) cards, and the 4-digit number printed on the front of American Express cards (CID). The code is not embossed and is not encoded on the magnetic stripe, so a fraudster who obtained a card number from a skimmer or a data breach frequently does not have it. Requiring the code, and voiding any transaction whose code the issuer reports as a mismatch, stops many of these attempts before they become chargebacks. One caveat: the security code is sensitive authentication data under PCI DSS and may never be stored after authorization, not even encrypted. It is used once to authorize and then discarded.
Another verification technique that offers more protection against the fraudulent transactions that lead to chargebacks is the Address Verification Service (AVS). With AVS active, the billing address your customer enters is compared with the address the issuing bank has on file, and the authorization response carries a result code indicating a full match, a partial match (street number or postal code only), no match, or that AVS was not available. Depending on how your gateway is configured, a mismatch either causes the gateway to decline the transaction automatically or comes back to you as a result code to act on; in both cases the issuer has usually already approved the authorization, so declining on AVS grounds means voiding that authorization. AVS compares only the numeric part of the street address and the postal code, and is supported mainly for cards issued in the US, Canada and the UK, so an “unavailable” result on an international card should not by itself be treated as fraud. AVS is offered free by many processors and gateways, including those partnered with CBOSS.
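As an added example (not from the original post and not CBOSS’s software), here is how a merchant’s order pipeline can act on the security-code and AVS results discussed in the two paragraphs above. The response dictionaries are constructed, the result letters are the commonly used Visa-style code set, and the review threshold and decision rules are assumptions to adapt to your own risk tolerance and to the codes your gateway documents.

```python
"""Screen an approved card-not-present authorization on its CVV and AVS results.

Constructed example: the response dicts are made up, and the result letters are
the widely used Visa-style code set. Map your own gateway's codes onto the same
categories using its documentation.
"""

# AVS result code -> category (assumed mapping; check your gateway's docs)
AVS_CATEGORY = {
    "Y": "full_match",      # street address and postal code both match
    "A": "partial_match",   # street matches, postal code does not
    "Z": "partial_match",   # postal code matches, street does not
    "N": "no_match",        # neither matches
    "U": "unavailable",     # issuer does not support AVS (common for non-US cards)
    "R": "unavailable",     # issuer system unavailable, retry later
    "S": "unavailable",     # service not supported by the issuer
    "G": "unavailable",     # non-US issuer, AVS not performed
}

# CVV2/CVC2/CID result code -> category
CVV_CATEGORY = {
    "M": "match",
    "N": "no_match",
    "P": "not_processed",
    "S": "missing",         # the card has a code but none was supplied
    "U": "unavailable",     # issuer not certified for security-code checking
}


def screen_authorization(response: dict, amount: float,
                         review_threshold: float = 250.0) -> str:
    """Return 'capture', 'review', 'void' or 'declined' for one authorization.

    Anything that reaches the void/review/capture branches was approved by the
    issuer; 'void' means the merchant reverses that approval before settlement.
    The threshold is an assumed number, not a recommendation.
    """
    if not response.get("approved", False):
        return "declined"

    cvv = CVV_CATEGORY.get(response.get("cvv_result", ""), "unavailable")
    avs = AVS_CATEGORY.get(response.get("avs_result", ""), "unavailable")

    # A wrong security code is the strongest single signal: the buyer has the
    # card number but not the card. Never capture these.
    if cvv == "no_match":
        return "void"

    # Neither street number nor postal code matches the issuer's records.
    if avs == "no_match":
        return "void"

    # Partial matches happen legitimately (apartment numbers, recent moves) and
    # 'unavailable' is normal for international cards, so gate these on the
    # amount instead of declining outright.
    if avs in ("partial_match", "unavailable") or cvv != "match":
        return "review" if amount >= review_threshold else "capture"

    # Full address match and matching security code.
    return "capture"


# Constructed sample responses, one per interesting case.
SAMPLE_ORDERS = [
    ({"approved": True, "avs_result": "Y", "cvv_result": "M"}, 40.00),
    ({"approved": True, "avs_result": "Y", "cvv_result": "N"}, 40.00),
    ({"approved": True, "avs_result": "N", "cvv_result": "M"}, 40.00),
    ({"approved": True, "avs_result": "Z", "cvv_result": "M"}, 500.00),
    ({"approved": True, "avs_result": "U", "cvv_result": "M"}, 20.00),
    ({"approved": False, "avs_result": "", "cvv_result": ""}, 99.00),
]


def screen_batch(orders=SAMPLE_ORDERS) -> list:
    """Run the screen over a batch and return the decisions in order."""
    return [screen_authorization(resp, amount) for resp, amount in orders]


if __name__ == "__main__":
    for (resp, amount), decision in zip(SAMPLE_ORDERS, screen_batch()):
        print(f"AVS={resp['avs_result'] or '-'} CVV={resp['cvv_result'] or '-'} "
              f"amount={amount:8.2f} -> {decision}")
```

The ordering matters: the security-code check runs first because a wrong code is a stronger signal than any address result, and the “unavailable” categories are routed to review rather than void so that legitimate international customers are not turned away.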
3D Secure is a relatively underutilized fraud prevention tool offered by all the major card brands under their own names (Verified by Visa, MasterCard SecureCode, Discover ProtectBuy and American Express SafeKey). It adds an extra step to an online transaction: the cardholder is passed to their issuing bank to authenticate, originally with a password registered with the bank at enrolment, and at many issuers now with a one-time code sent to the cardholder’s phone. What makes 3D Secure arguably the strongest form of fraud prevention is not only the authentication step but the liability shift that comes with it: when a transaction has been authenticated through 3D Secure, liability for a later fraud chargeback on that transaction moves from the merchant to the issuer. Many merchants still do not use it because they worry customers will see the extra step as an unnecessary hassle and abandon the checkout. That cost is real, but so is the reduction in fraudulent transactions and in the chargebacks that follow them.
Protecting cardholder data is key to staying in good standing with the card brands, giving your customers confidence, and preventing fraud and chargebacks for everyone. This is why there are minimum data security standards that must be met to accept card payments, and there are further steps beyond what is required that protect customer data more fully.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to protect payment data and ensure consistent security controls wherever card data is handled. Compliance can be costly and time consuming, and the standard is revised periodically to keep up with current threats. The most effective way to reduce both the risk and the scope of your compliance effort is to keep card data out of your own systems: let a PCI compliant payment gateway (such as CBOSS) collect the card details directly, so that your servers never see a full card number. Selecting a secure gateway is only one piece of the puzzle, however. Your business is still required to complete the Self-Assessment Questionnaire (SAQ) that matches how you accept payments every year (the shortest form, SAQ A, applies when every cardholder data function is outsourced to the gateway) and to follow the PCI DSS requirements that apply to accepting card payments.
EMV stands for Europay, MasterCard and Visa, the organizations responsible for creating the technology. EMV cards are credit and debit cards containing a small chip that looks like a phone’s SIM card. Their purpose is to defeat counterfeit cards. For every transaction the chip computes a cryptogram over the transaction details using a secret key that never leaves the chip, and the issuer, which holds the matching key, verifies it. Because the cryptogram is unique to that one transaction, anything a skimmer captures cannot be replayed, and a fraudster who has stolen your card number cannot manufacture a working chip card to use in a POS device. EMV does nothing for online (card-not-present) transactions, which is why the verification tools above remain necessary. EMV devices are also important for disputing chargebacks. Under the EMV liability shift, which the card brands are still phasing in, liability for counterfeit-card fraud at the point of sale rests with the merchant if the store is not using EMV capable devices, and such chargebacks cannot be disputed successfully.
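To make the “unique code that cannot be copied” concrete, here is an added, simplified model (not EMV itself and not from the original post) of how a transaction cryptogram defeats replay and counterfeiting. Real EMV derives per-card keys from an issuer master key and computes the ARQC with a 3DES or AES MAC over a defined list of transaction data; the assumptions here are a random per-card key, HMAC-SHA256 as the MAC, a data list of just PAN, amount, terminal nonce and counter, and a constructed test card number. The security argument is the same: a key that never leaves the chip, a counter that only moves forward, and a MAC bound to the transaction.

```python
"""Simplified model of an EMV-style transaction cryptogram (added example, not EMV).

Assumptions: random per-card key instead of issuer-master-key derivation,
HMAC-SHA256 instead of the 3DES/AES MAC, and a minimal data list.
"""
import hashlib
import hmac
import secrets


class ChipCard:
    """The chip: holds a secret key and an Application Transaction Counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key      # personalized into the chip; not readable from outside
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce the authorization request the terminal forwards to the issuer."""
        self.atc += 1        # the counter never repeats for this card
        data = f"{self.pan}|{amount_cents}|{terminal_nonce.hex()}|{self.atc}".encode()
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount_cents": amount_cents,
                "nonce": terminal_nonce.hex(), "atc": self.atc, "arqc": mac.hex()}


class Issuer:
    """The issuing bank: holds each card's key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, request: dict) -> str:
        key = self._keys.get(request["pan"])
        if key is None:
            return "declined: unknown card"
        data = (f"{request['pan']}|{request['amount_cents']}|"
                f"{request['nonce']}|{request['atc']}").encode()
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8].hex()
        if not hmac.compare_digest(expected, request["arqc"]):
            return "declined: bad cryptogram"     # forged card or altered transaction
        if request["atc"] <= self._last_atc[request["pan"]]:
            return "declined: replayed counter"   # captured transaction played back
        self._last_atc[request["pan"]] = request["atc"]
        return "approved"


def run_demo() -> dict:
    """Genuine purchase, then three attacks, returning the issuer's verdict on each."""
    issuer = Issuer()
    card = issuer.issue_card("4242424242424242")    # constructed test card number
    terminal_nonce = secrets.token_bytes(4)          # EMV's "unpredictable number"

    genuine = card.generate_cryptogram(1999, terminal_nonce)
    results = {"genuine": issuer.authorize(genuine)}

    # A skimmer captured the whole message; playing it back fails on the counter.
    results["replay"] = issuer.authorize(dict(genuine))

    # Changing any field (here the amount) invalidates the MAC.
    results["tampered"] = issuer.authorize(dict(genuine, amount_cents=199999))

    # A counterfeit card knows the PAN and can count, but has no key.
    forged = {"pan": card.pan, "amount_cents": 1999, "nonce": terminal_nonce.hex(),
              "atc": genuine["atc"] + 1, "arqc": secrets.token_bytes(8).hex()}
    results["counterfeit"] = issuer.authorize(forged)

    # The real card keeps working after the attacks.
    results["next_genuine"] = issuer.authorize(
        card.generate_cryptogram(500, secrets.token_bytes(4)))
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:13s} -> {verdict}")
```

The MAC is checked before the counter so that a forged message can never advance the issuer’s counter; the counter check then catches an otherwise valid message being submitted twice.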
Point-to-Point Encryption (P2PE) encrypts the card data immediately, inside the payment terminal, before it ever reaches the POS software. This means malware running in the POS system cannot read the card data, whether the card was swiped, dipped (EMV) or tapped (NFC, including phone wallets such as Apple Pay). The idea behind P2PE is to encrypt sensitive payment information as early as possible so that it stays protected all the way to the processor’s decryption environment, which holds the only keys; neither the POS nor the merchant’s network can decrypt it. P2PE card readers are generally EMV capable and are becoming the standard for retail applications. Although they are not required for PCI compliance, they are highly recommended: a validated P2PE solution both protects your customers’ data and reduces the PCI scope of the POS environment.
Tokenization addresses the other end of the payment flow: card data that must come back to, and be stored in, the merchant’s system after the transaction has completed. In short, the processor or gateway replaces the customer’s real card number with a non-sensitive surrogate value (a token) that the merchant stores and uses for refunds, voids, recurring payments and so on. When the merchant submits one of these requests with the token, the processor or gateway looks up the real card number in its own vault. A properly generated token is random and has no mathematical relationship to the card number, so a stolen token cannot be turned back into one; a hash of the card number, by contrast, is not a token, because the card number’s fixed structure leaves too few possibilities to guess. Tokenization lets merchants and portals keep card-on-file functionality without actually storing card data.
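As an added example (not from the original post and not CBOSS’s implementation), here is a gateway-side token vault beside a merchant that stores only tokens, plus a demonstration of why hashing the card number is not tokenization. The assumptions are that the vault keeps card numbers in a dictionary (a real vault encrypts them under HSM-managed keys inside the gateway’s PCI environment), that tokens keep the last four digits for display and are built so they fail the Luhn check and so can never be mistaken for a real card number, and that the card numbers are constructed test values.

```python
"""Token vault at the gateway, token-only storage at the merchant, and a hash-is-not-a-token demo.

Added example with constructed test card numbers; the vault stores PANs in a dict
only for illustration.
"""
import hashlib
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """The Luhn checksum every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Lives at the gateway or processor; the merchant never hosts this."""

    def __init__(self):
        self._pan_by_token = {}             # a real vault encrypts these under HSM keys

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random digits, so the token carries no information about the PAN;
            # only the last four survive so receipts can show "ending in 4242".
            token = "".join(secrets.choice("0123456789")
                            for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject tokens that happen to pass Luhn: a token must never look like a PAN.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


class Merchant:
    """Stores tokens only and reaches the vault through the gateway."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.cards_on_file = {}             # customer_id -> token

    def first_charge(self, customer_id: str, pan: str) -> str:
        # In practice the PAN goes from the checkout page straight to the gateway
        # and only the token comes back; the direct call stands in for that here.
        token = self._vault.tokenize(pan)
        self.cards_on_file[customer_id] = token
        return token

    def refund_request(self, customer_id: str, amount_cents: int) -> dict:
        # Refunds are issued by token; the merchant never needs the PAN back.
        return {"token": self.cards_on_file[customer_id], "amount_cents": amount_cents}


def naive_hash(pan: str) -> str:
    """What a tempted developer might store instead of a token."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, bin6: str, last4: str) -> Optional[str]:
    """Why a hash is not a token: with the 6-digit BIN (public) and the last four
    (printed on every receipt) only six digits are unknown, so the hash falls to
    at most a million guesses; filtering on Luhn would cut that to 100,000."""
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault, pan = TokenVault(), "4242424242424242"
    merchant = Merchant(vault)
    token = merchant.first_charge("customer-1", pan)
    print("merchant stores:", merchant.cards_on_file)
    print("refund request:", merchant.refund_request("customer-1", 500))
    print("vault resolves token to:", vault.detokenize(token))
    print("hashed PAN recovered as:", recover_pan_from_hash(naive_hash(pan), pan[:6], pan[-4:]))
```

A dump of the merchant’s database yields only tokens that resolve to nothing outside the vault, whereas the hashed card number is recovered in well under a second from information an attacker already has.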
To prevent chargebacks from fraudulent transactions, a holistic approach, solid internal practices combined with an external service, is the best method and offers the most protection.
There are several steps your organization can take to help minimize acceptance of fraudulent transactions.
Merchants operating in high-risk markets, or who already have chargeback problems, may want to consider a chargeback prevention service. These services screen your organization’s transactions against large databases of known fraud indicators and flag transactions that most businesses could never pick out on their own. They generally include a transaction warranty that transfers the financial liability for fraud-related chargebacks to the service provider. While these services can be costly, and are certainly not necessary for everyone, they can be vital to high-risk businesses that cannot otherwise keep up, and to high-volume businesses with too many transactions to review manually.
This post and its predecessor have offered a lot of advice on preventing chargebacks in your organization, but what happens when you receive one anyway? The next post will address that, helping merchants navigate the arduous process of disputing a chargeback and re-presentment.