Information on Merchant Accounts,
Ecommerce and Credit Card Processing

March 16th, 2016 by MSI Newsletters

What do you get for your Statement Fee?

Filed in: Monthly Newsletters

You have probably noticed one to two little fees on your merchant account statement that range anywhere from $5.00 to $30.00. This little monthly fee has many names, such as account fee, account on file, mailing, processing, statement, internet, access and even just plain monthly fee. All of these pretty much pertain to the same charge, which is generated by the processing company and can be lumped together as a statement fee. The charge began when merchant accounts first came out back in the 70’s and covered the bank’s cost of mailing statements and overhead, pretty much like the monthly fee for a checking account. Over time this monthly fee still covers the mailing of the statements and has become a profit source for some processors. Most processors charge a statement fee even if the statement is online or emailed to the merchant, and some even charge a second fee for the privilege of an online statement.

For most merchants they will get something that looks like this for their money:

This statement will have your basic information from the previous months. Very much like a bank statement, it will have your monthly volume, broken down by card type, and your daily deposits from your credit card processing. Your statement will also have the fees you paid for your credit card processing from the previous month. Hopefully your processor is breaking your fees down to your discount rate, transaction fee, and any monthly fees associated with your merchant account. So basically this statement is a receipt for the fees that you have paid for processing credit cards.

At The Merchant Store, our statement fee covers a lot more than just the mailing of a standard statement. Our fee covers an online service called Access One. This is an online portal that is included with your merchant account to give you abilities that up to now were only available for an additional fee or for very large companies and nationwide chains.

First, when you log in you will have a dashboard that gives you a snapshot of the current batch, month to date and year to date processing. The dashboard gives you a 13 month rolling history of your processing. This information is broken down by card type, gross sales, returns, and net sales after any returns or chargebacks.

Not only do you have access to your current statement but you will have every statement you have ever had available to you any time that you need it.

Access One gives our merchants access to the following information and reports:

With this system you will be able to see your batches, deposits and all voids/declines or returns. This is a way to double check your returns on a daily basis and make sure they are all approved.

A very cool feature is the transaction search feature where you can find any transaction that ran through your system:

Our Access One system goes way beyond a statement receipt for our merchants. This is a tool you can use to keep abreast of your current processing as well as the past history of your statements, transactions, batches and deposits. Access One also enables you to open customer service questions while you are in the system that will be answered in an expedited way.

Make sure you have a system working for you, get the Access One system included with your merchant account.


February 16th, 2016 by MSI Newsletters

Who is PCI and why is he charging me every month???

Filed in: Monthly Newsletters

If you are like a lot of merchants when you take a close look at your credit card processing statement you will see a $20 to $35 monthly fee for PCI non-compliance. PCI or actually “PCI DSS” stands for Payment Card Industry Data Security Standards and is a list of requirements for all companies that process, store, or transmit credit card information. These standards were created in 2004 to focus on improving payment security. Then in 2006 PCI DSS 1.0 was released and businesses accepting credit card payments were required to be compliant. Version 1.0 was the first time all of the card brands supported one security standard for card payments. Unfortunately, less than 25% of small businesses have become compliant, and processors charge the rest a “non-compliance” fee until they go through the procedures to become certified.

In this article we will go over some details about PCI and shed light on a topic that many merchants feel is unnecessary, to the point that many never go through the certification process.

Most small business owners see PCI as an added expense both in time and money, but the truth is the costs are quite low when compared to the potential risks. Many small business owners think they are too small for an attacker to spend time going after them, or that since they don’t process online transactions they are safe from data breaches. That being said, as a business owner you may be more vulnerable than you think. Small businesses are far more likely to have unresolved system vulnerabilities, making them much easier targets. In fact, it could take an attacker weeks or months to breach a large target, but many small businesses can be breached in a matter of minutes. We are not just talking about e-commerce businesses either: in Verizon’s 2015 Data Breach Investigations Report, one of the most affected industries for POS intrusion was retail. The PCI requirements are designed to teach you about data security and help you secure your business. Below are some key points pertaining to compliance and your business.

Self-Assessment Questionnaire:

We get many complaints from merchants that say the self-assessment questionnaire (SAQ) defeats the entire purpose. They say things like “what keeps people from just filling it out in a way that says they are compliant”, and I get their point; however, I think this is the wrong way to look at it. The SAQ isn’t about a business saying they are secure; it’s about becoming more secure. On a conference call a couple years ago, a leading PCI security vendor made a good point. He said every business should treat the PCI requirements as a way to learn about securing their business and they should use it as a tool to make incremental changes each year. The card brands and PCI Security Council know credit cards are not going to be 100% secure no matter what they do; however, continually putting the security standards in front of businesses helps to teach people how to best secure card data. Having worked on many of our own SAQs we know how frustrating it can be; however, it is important. Start it early and do a little bit each day, comparing the questions to your business, and be prepared to make changes to operations to better protect yourself and your customers.

Vulnerability Scans:

As I said before, the card brands know they can’t make sure every transaction is handled securely, but vulnerability scans are a good way to at least alert a business to a known issue with their network. While this additional step is not required for every business, it’s an important step to securing many businesses. For small businesses that don’t have a team of IT people, this might be the only amount of system security verification that occurs. Most small businesses are connected to the Internet, and many of those are using household grade network appliances that are using out of the box configurations and don’t get normal security updates. According to Verizon’s figures in the 2015 Data Breach Investigations Report, 99.9% of exploited system vulnerabilities were compromised more than a year after they were published. What that means is most, if not all, of those breaches could have been prevented just by doing regular security updates. A vulnerability scan should catch most of those vulnerabilities and alert the business owner of the potential risks. Keep in mind the vulnerability scan from the PCI security vendor is only going to be able to scan the side of your network that touches the Internet. It is not able to test your internal computer systems so it’s good practice to make sure those are updated and properly maintained as well.

PCI Costs:

PCI fees vary from processor to processor but it’s pretty standard to be charged $90 to $150 per year for PCI Services. Some processors will charge this as an annual fee and some will charge it on a monthly basis. In addition to this service fee you may also see PCI non-compliance fees which normally run about $20 per month. The non-compliance fee is easily removed from your account by proving that you meet the PCI requirements. If you are using your processor’s PCI compliance service, the fee is usually automatically removed once you are shown to be in compliance. If you are using a third party you will be required to send them proof of compliance, normally in the form of a certificate which is obtained from your PCI vendor.

I suggest staying away from processor-provided PCI insurance, unless it’s included at no additional cost. Hypothetically it’s “insurance” that covers your costs if you do have a breach; in reality it may or may not help. If you have some sort of fee for PCI insurance it would be a good idea to contact your processor and ask for the policy details, and maybe even how to remove the fee altogether, as you may be paying for something that would not help at all. I am sure some processors have legitimate insurance they are providing; however, you need to know what is covered and in what circumstances those things are covered. It’s likely there are many scenarios where the processor’s one-size-fits-all insurance isn’t giving your business any real coverage.

Breach Costs:

If you are unfortunate enough to experience a data breach, the costs of both time and money add up very quickly. The PCI DSS requires that if a merchant even believes they have been breached they are to have a third party conduct a forensic examination to determine if a breach has occurred. This can last weeks or months, and during this time they require your point of sale be shut down. It’s estimated that a small business examination costs between $20,000 and $50,000.

Then there are those potential fines which start at $5,000 and can exceed $50,000. It’s true that many small businesses are not assessed a fine for their first breach, however the ongoing PCI requirements for those merchants become much greater and fines can and have been assessed to those businesses that failed to become and maintain compliance.

Other Potential Breach Costs:

Notification of Customers: This cost can vary; however, it’s going to require you to send letters to anyone who did business with you around the time of the breach. You’re going to have to be sending multiple communications so you’re probably looking at a cost of at least $2.50 per customer.

Card Replacement Costs: You could be required to pay back the card issuers for having to reissue new credit cards to their customers. These fees can range from $3 to $10 per card.

Credit Monitoring: You may be required to provide each customer affected by your data breach with credit monitoring services for a year.

Liability for fraud charges: Your business may be held liable for any fraudulent charges on any card associated with your breach. For large breaches, the liability in this situation is practically unlimited.

Non-Monetary Costs: Your business may be required to contact past customers and explain that you breached their credit card data. You may end up with a spot on the evening news. These things add up to much more than just lost sales and time. It also puts you at risk of not being able to accept card payments any more, as the card association may choose to no longer allow you to accept their cards.

Conclusion:

The costs to be PCI compliant are negligible compared to the costs of even a potential breach. Becoming PCI compliant helps you better protect yourself and your customers, and if there ever is a breach, your penalties are likely to be significantly less than had you not been compliant. The next time you see that your PCI compliance certification is due, look at it as a way to secure your business and customers against fraud.


January 16th, 2016 by MSI Newsletters

IRS and Taxes

Filed in: Monthly Newsletters

Happy new year!

In this edition, we wanted to give a quick reminder about processing fees and how they affect a business’s taxes, have a few quick fraud tips for online merchants, and are introducing a limited time new year special. This month we are featuring the Salon Scheduler Clover POS application for salons and other businesses who have to manage customer appointments.

Happy new year and many more,
from all the staff at The Merchant Store

IRS and Taxes

Processing fees and costs are business expenses and are often overlooked by business owners filing their taxes. Make sure to, or have your accountant, deduct applicable processing fees when you file your taxes this year.

1099K / TIN Reporting

In 2008, buried in the middle of the Housing and Economic Recovery Act was a provision that had nothing to do with housing but was a new requirement that banks and credit processors must now report payments to the IRS. The rule, which took effect in 2012, was meant to “improve voluntary tax compliance” by business taxpayers to help the IRS determine whether their tax returns are correct and complete. This is where the 1099-K was born.

Merchants are now required to complete a W9 form for their credit card processor, if in the prior calendar year, they received payments:

  • from payment card transactions (e.g., debit, credit or stored-value cards), and/or
  • in settlement of third-party payment network transactions above the minimum reporting thresholds of –
    • gross payments that exceed $20,000 AND
    • more than 200 such transactions

Merchants now receive a 1099K statement from their processor detailing the gross sales that they accepted during the previous calendar year. Keep this statement for your tax records.

The amount being reported on the 1099K is very likely to be different than the actual net amount that a merchant processes throughout the year. This is due to the complexities in how the money is reported and that processors generally do not account for voided or canceled transactions, tips, refunds, and other non-sale transactions. We strongly suggest not using the amount directly from the 1099K for reporting actual revenue to the IRS, unless it matches a merchant’s actual sales amount. Instead, use processing receipts or the actual income recorded by your accounting procedures.

Important tips

For legal advice involving reporting your sales on your tax return, we strongly suggest speaking with a qualified CPA or tax attorney.

Merchants who do not file a W9, or whose submitted information the processor is unable to match with what the IRS has on file, may be subject to 28% withholdings by the IRS. The 28% withholding is on gross sales, and occurs when the processor receives a withholding notice from the IRS.

If money is held at any point during the year, the only way to recover it is on the following year’s tax return. If you do have money held by the IRS, keep track of any applicable documentation, and make sure to report the money being held on your tax return. If a business owes taxes at the end of the year, the withheld money is normally applied against the amount owed to the IRS.

If you change your business structure, business name, EIN, or other information required to file your taxes, make sure to notify your processor so they can file the proper paperwork with the IRS. At any time, if the IRS deems that the information your processor has on file is not matching the IRS database, it is possible to be flagged for backup withholding.


December 16th, 2015 by MSI Newsletters

Chargebacks

Filed in: Monthly Newsletters

Chargebacks are something that almost all merchants who accept credit cards will have to deal with at one time or another. In our experience, there is often a lot of bad information about how the chargeback system works and what parties are involved in the chargeback process. We want to briefly overview how the chargeback system works and how this can affect merchants who receive a chargeback from a customer.

Chargebacks can be a costly surprise for the unsuspecting business owner and even more so for merchants in certain higher risk industries, where chargebacks are often a constant burden. Some consumers even know how to use the chargeback system so well, they commit a type of fraud called friendly fraud using the chargeback system.

What is a chargeback?

To begin, a chargeback is essentially a dispute made by a customer or the bank that issued the credit card to the customer. This dispute could be for a number of reasons, but essentially they are disputing the validity of a transaction between their credit card and a merchant who accepted it. The terms may vary by the type of card and how a transaction is processed, but the ability to request a chargeback is a fundamental protection that comes with all credit and debit cards. Once a chargeback is initiated, it is important for merchants to quickly respond to the chargeback claim, as they will lose the money they had previously received for the transaction if they do not respond.

The chargeback process

A chargeback is initiated when a card holder or their bank feels that a transaction was not valid, for the amount, service, quality of goods that a merchant sold, or a number of other reasons. One of the most common types of chargebacks is simply when a card holder’s credit card number is stolen and used by a thief. Some other common reasons for chargebacks are: defective goods or goods not as described, non-authorized sale, key data points missing from the point of sale system, delay in batching a transaction, duplicate transaction or credit not issued, and non-delivery of the sale item. Unfortunately many of these chargeback reason codes, such as defective goods or goods not as described, can be very subjective, and the issuing bank tends to rule heavily in favor of their customer. Also, issuing banks will sometimes initiate a chargeback if the transaction is outside of the normal behavior pattern of the customer, and we’ve seen these types of chargebacks actually happen 3 to 4 months later. If you receive one of these issuing bank chargebacks, it’s a good idea to check with your processor because we have found that in rare cases you’re better off not responding. But this is only in rare situations, so make sure your processor has given you this advice; otherwise, you’re guaranteed to lose the chargeback.

When a chargeback is requested, the card issuer files a chargeback request with the merchant’s processor. That processor immediately withdraws the funds for the transaction from the merchant. These are held in a reserve account pending the outcome of the chargeback investigation.

The merchant is then notified by their processor that they have received a chargeback and asked to provide proof that the transaction accepted by the merchant was legitimate. The merchant has 14 days to respond to this request or the issuer will automatically rule against them. Proof for a retail merchant is often a signed receipt and evidence that the card was swiped through a terminal or POS system. Now with the advent of EMV terminals we are seeing more and more chargebacks initiated by card issuers for non-EMV terminals. For Online and other non-retail merchants, proof is often showing tracking numbers and a delivery signature, but in any case it is much more difficult to prove the legitimacy of a transaction where the customer’s card was not electronically captured. Even if a merchant has a signed receipt or invoice, this is not proof of delivery for a non-swipe environment such as a phone or Internet order.

The processor then sends whatever information it received from the merchant to the card issuer.

The card issuer then makes a decision on the validity of the transaction, and either returns the collected money back to the merchant, or releases it to the cardholder, depending on which side they rule in favor of.

If the issuer rules in favor of the cardholder, the merchant may still have an opportunity for arbitration over the validity of the transaction, but there is significant, and irrecoverable, cost to the merchant if they wish to go to arbitration. The cost is $500 to take the case to arbitration, and most processors won’t take the case to arbitration unless the merchant has paid the $500 and they feel the merchant has a very good chance of success. The arbitration process then takes another 45 days to complete.

Important points

  • Chargebacks can generally be made for 120 – 180 days after a transaction is considered settled. This is important because in the event of custom, recurring, or prepaid products or services, the liability for a chargeback is often considered to begin on the date the transaction and service are considered complete, which may not be the initial date of the sale itself, but the date of the final payment. If the transaction is for future deliverables, the time frame for a chargeback can go up to 540 days.
  • Here is a brief description of chargeback time limits:
    • In cases that involve delayed delivery or performance of goods and services, the period is 120 days from the date the goods and services were supposed to be provided.
    • In cases that involve interrupted services that were immediately available, then the 120 days begins when the services cease and the chargeback cannot exceed 540 days from when the services started.
  • If you do receive a chargeback, make sure not to refund the transaction! The money from the original transaction is already going to be reversed from your account. Refunding after a chargeback has been initiated can result in losing the recaptured chargeback funds and not being able to recover the refund you just made. If a chargeback is in process, let the process play out even if the customer is requesting a refund directly.
  • It’s important to understand that the card issuer is the one making the decision on whether a transaction was valid or not. The processor acts as an intermediary between the card issuer and the merchant, but they do not have any say in how the issuer rules. They will however help the merchant if there is specific technical information requested by the issuer, such as proof that a transaction was swiped, as well as offering customer support through the chargeback process.
  • It may not be obvious as to the processor’s entire role in the payment process, but because of the risk of chargebacks, processors are actually acting as a guarantor and lender to a merchant accepting credit card transactions. The processor is completely liable for the cost of a chargeback if the merchant is unable to repay it. So in essence, a processor is issuing a loan to a merchant every time they accept a card from a customer. It is only after a period of months, when the risk of a chargeback goes to zero, that the money is actually guaranteed to the merchant.
  • Merchants who receive excessive chargebacks can be terminated by card associations, and in some cases are prohibited from accepting cards again in the future, both personally and the business that received the chargebacks. Card associations will levy hefty fines for merchants who continually exceed allowable chargeback levels. Most processors have their own limits, but MasterCard will start fining a merchant if they have chargebacks and refunds over 2% or a total of 150 chargebacks in a one-month period.

Friendly Chargebacks

A type of fraud that has become increasingly common over the past 10 or so years is called friendly fraud. Friendly fraud is where a legitimate customer requests a chargeback to avoid paying for a good or service while at the same time having no plan to return the product to the merchant. Because of certain chargeback protections that favor the consumer, this is still something that many businesses experience. In the case of friendly fraud, if a merchant loses the chargeback, they can use the legal system, either by filing a police report or by using the small claims or regular court system in an effort to try and recover either the payment or the goods that were provided. This can be costly in itself, so it’s a good idea to be 100% sure that friendly fraud has occurred and the cost of goods is worth the time and effort to try and recover.

Retrieval Requests

Before initiating certain chargebacks, the issuer may require a copy of the electronic data or copy of the draft associated with a transaction to substantiate a chargeback. If proper documentation is not given to the issuer, the retrieval request will then move into a chargeback status, and depending on the reasoning behind the retrieval request, the merchant may not be able to win if they didn’t reply to the initial request. Treat retrieval requests like chargebacks if you ever receive one.

LINK TO TIPS ON FIGHTING CHARGEBACKS

http://www.nasdaq.com/article/8-steps-to-fighting-chargeback-fraud-cm478603

http://www.merchantequip.com/information-center/articles/prevent-chargebacks-10-tips/


November 17th, 2015 by Jamie Estep

Credit Card Terminal Videos: Update Date and Time on Verifone VX520’s

Filed in: Credit Card Equipment, Videos

We’re going to start publishing a series of videos on how to accomplish routine functions on credit card terminals, payment gateways, and other processing equipment. The first video in our series is simple but often requested: How to update the date and time on Verifone VX520 Credit Card Terminals. Additionally, this should work on most other VX model credit card terminals by Verifone.


September 11th, 2015 by Jamie Estep

PIN debit ≠ EMV

Filed in: Merchant Accounts

We’ve been receiving a substantial number of enquiries to add PIN debit to existing merchant accounts. We wanted to clear up what is looking to be a new misconception about different types of cards and acceptance methods.

PIN debit is not EMV!

To briefly summarize, being able to accept PIN debit transactions has absolutely nothing to do with accepting EMV transactions.

We are unsure how this concept is getting traction, but suspect it has something to do with EMV being referred to as Chip and PIN in non-US countries. It also may be due to an older pricing scenario where PIN debit was cheaper to accept than debit run as a credit transaction.

Disregarding the cost of obtaining and encrypting a PINpad, which typically runs from about $100 – $500 depending on the equipment, PIN debit and signature debit were regulated by Congress several years ago and now carry the same cost to accept, no matter how the debit card is processed. Additionally, when Congress regulated the debit industry, they also allowed debit networks, such as Star or Pulse, and others, to charge monthly fees for processing a transaction over their network. What this means is that unbeknown to a merchant, they may end up with a monthly fee for accepting a PIN debit transaction if it is processed over one of these networks, which the merchant has zero control over. In short, it is likely more expensive to accept PIN debit now than prior to the congressional regulation. PIN debit still does carry the benefit of substantially reduced risk of receiving a chargeback, but most retail merchants rarely see chargebacks on debit transactions, so for most this benefit will be negligible.

If you want to accept PIN debit transactions, by all means accept them. Just know that accepting PIN debit is not going to satisfy any requirement relating to EMV migration and there’s a very good chance that PIN debit will cost slightly more in the form of monthly fees from debit networks.


September 10th, 2015 by Jamie Estep

Fraud Prevention Tips

Filed in: Chargeback Tips, Fraud, Merchant Accounts

Previously we talked about a few of the lesser known fraud types that many small businesses encounter.

Part 2 of our series on fraud covers some tips to help identify and prevent the damages from fraud. Many forms of fraud can be prevented by proactive policies and often with common sense. While some schemes are so well planned that even seasoned professionals have a hard time identifying them, many types of fraud follow recognizable trends and can often be prevented. Here are some tips to help identify, prevent, and mitigate fraud.

General (applies to all business types)

  • Create a payment acceptance guide / poster for all employees and keep it readily available. This should be a short, easy to read list of how payments should be accepted. Anything that is outside of these guidelines should be considered against company policy without approval from a knowledgeable supervisor. Keep this as short and concise as possible; it should be something an employee can review in 20 seconds or less. Most fraud will require an employee to deviate from the normal method of accepting a transaction, and this is meant to immediately prevent the lowest hanging types of fraud.
  • Talk to your employees about fraud and encourage them to notify you or a supervisor of anything suspicious or simply out of the ordinary with regard to accepting payments. This will keep everyone on the same page, and can help you and your employees develop better practices and a higher understanding of potential threats.
  • Do not ever accept an authorization number from a customer or their bank. Only accept authorization numbers generated when you process a transaction or if you manually call into your credit card processor’s authorization line.
  • Don’t allow issuing cash refunds on any credit or debit transaction that was processed as a credit card, and do not allow issuing a refund to any card other than the one used to make a payment. Basically, unless the customer entered a PIN number on a PINpad, only credit back to the original card used to make a purchase.
  • Be especially vigilant of customers requesting refunds, credits, or abnormal transactions involving prepaid gift cards. Prepaid gift cards work differently from normal credit and debit cards and some issuers have been known to have large security and functional holes in their authorization and funding systems.

Card Present

  • If available at your processor, use a terminal that supports EMV (chipped) cards. EMV eliminates fraud occurring from cards that have been electronically stolen and copied to another card. Businesses with unattended card readers such as gas stations will see the greatest benefit from EMV.
  • Make sure a supervisor is required for any returns or credits to a credit or debit card. A very large portion of fraud is committed by employees and customers in the form of issuing credits. The money issued during a credit can be difficult to impossible to account for without vigilant bookkeeping practices. Credits should always be strictly controlled.
  • When the card is present, always check the back of the credit card for a signature, before asking for ID. If no signature is present ask the card holder to sign the back of the card, then ask for their ID and see if the name and signatures match.
  • Although card brands do not permit requiring an ID as condition of accepting a payment, you can still always ask for one to verify the purchaser is the person standing in front of you and whose name is on the card.
  • Be especially vigilant of cards that appear to be damaged, potentially altered, or cards where the beginning numbers don’t match the type of card being offered (Generally beginning with 4 for Visa, 5 for MasterCard, 3 for American Express, and 6 for Discover). After printing a receipt, you can also verify the printed card numbers on the receipt match the numbers on the actual card. When thieves make copies of stolen cards, they often encode them onto cards with a completely different number or an entirely different type of card than the one the numbers were stolen from.
  • Be critical of situations where a customer’s payment isn’t typical, such as trying to pay with a series of cards that keep declining, refusing to show an ID, refusing to sign their card, etc.

Card Not Present

  • Requesting the CVV code helps ensure that the buyer physically has the card in hand, or at least had it in their hand at one point. Electronically copied cards will not have the CVV number. While not a guaranteed method, it’s a good step to help protect your business.
  • Always use the Address Verification System (AVS). AVS verifies that the billing information matches what the card issuer has on file by matching both the street number and the zip code. However, AVS does not work with most international cards, so this may not be as useful to merchants who have a large percentage of customers paying with non-US issued cards.
  • Any shipments to the customer should be shipped to the billing address when possible, and shipments with a high dollar value should require a human signature with the carrier. While this can sometimes cause convenience problems, it is the best way to protect your business and guarantee that at least a human was there to receive your shipment.
  • Only use shipping services, such as UPS or FedEx, that allow you to cancel or reroute an item after it has been picked up. The only thing worse than taking a loss on fraud is identifying a transaction as fraudulent and not being able to prevent the package from being delivered after it has been shipped.
  • Orders requesting expedited or overnight delivery should be scrutinized more than orders requesting ground or other economy shipping. It is common for customers to want their items quickly, but thieves also want to get products in their hands as quickly as possible, and will almost always pay for the fastest possible shipping method no matter the cost. Anecdotally, in more than 15 years of operating ecommerce sites, we’ve never seen a confirmed fraudulent order shipped by anything less than 2nd day air; the vast majority are shipped by the fastest and most costly method possible, which is typically Next Day AM or equivalent.
  • Searching the shipping address of an order in a search engine can often reveal if the order is being shipped to a forwarding address, an empty or for-sale property, or sometimes even just a vacant lot. All of these situations are a major red flag for potential fraud, and should require further review before fulfilling an order.
  • Be especially cautious of orders where the buyer changes the shipping address after ordering. This is a common method used to circumvent AVS and other address based screening methods of identifying fraud.
  • Online or phone orders where the buyer is indiscriminate about the cost of shipping or cost of the products being ordered should be considered highly probable for fraud.
  • Additionally, any customer asking for a catalog and price list when you have everything on a website should be considered suspect as well. Unsolicited requests for prices, product lists, and what payment methods a business accepts, are often nothing more than electronically generated emails from scammers scraping emails off ecommerce sites.
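
The card-not-present checks above can be run over each order before fulfilment. The following Python is an added example, not code from the original newsletter; the order fields, service codes, dollar threshold and hold policy are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed for this example: service codes and the dollar threshold are
# constructed; substitute your carrier's codes and your own limit.
EXPEDITED_SERVICES = {"next_day_am", "next_day", "2nd_day_air"}
HIGH_VALUE_USD = 500.00


@dataclass
class Order:
    """Hypothetical order record; field names are not from any real gateway."""
    amount: float
    billing_street: str
    billing_zip: str
    shipping_street: str
    shipping_zip: str
    shipping_service: str = "ground"
    card_country: str = "US"
    cvv_matched: bool = True
    avs_street_matched: bool = True
    avs_zip_matched: bool = True
    signature_required: bool = False
    ship_to_changed_after_order: bool = False


def address_key(street, zip_code):
    """Reduce an address to (street number, 5-digit ZIP), the two values
    the article says AVS compares, so formatting differences do not matter."""
    match = re.match(r"\s*(\d+)", street)
    number = match.group(1) if match else ""
    return number, re.sub(r"\D", "", zip_code)[:5]


def screen_order(order):
    """Return the red flags raised by an order and the resulting action."""
    flags, notes = [], []
    if not order.cvv_matched:
        flags.append("cvv_not_matched")
    if order.card_country == "US":
        if not (order.avs_street_matched and order.avs_zip_matched):
            flags.append("avs_mismatch")
    else:
        # AVS does not work with most non-US cards: record it, do not score it.
        notes.append("avs_not_usable_for_non_us_card")
    billing = address_key(order.billing_street, order.billing_zip)
    shipping = address_key(order.shipping_street, order.shipping_zip)
    if shipping != billing:
        flags.append("ship_to_differs_from_billing")
    if order.ship_to_changed_after_order:
        flags.append("ship_to_changed_after_order")
    if order.shipping_service in EXPEDITED_SERVICES:
        flags.append("expedited_shipping")
    if order.amount >= HIGH_VALUE_USD and not order.signature_required:
        flags.append("high_value_without_signature")
    # Assumed policy: an address change after ordering, or any two flags
    # together, sends the order to a person before it ships.
    hold = "ship_to_changed_after_order" in flags or len(flags) >= 2
    return {"action": "hold_for_review" if hold else "ship",
            "flags": flags, "notes": notes}


# Constructed sample orders (not real customer data).
ROUTINE = Order(80.00, "742 Evergreen Ter", "97403-1234",
                "742 evergreen terrace", "97403")
RUSH_GIFT = Order(120.00, "15 Oak St", "60614", "15 Oak St", "60614",
                  shipping_service="next_day")
REDIRECTED = Order(1200.00, "15 Oak St", "60614", "9 Dock Rd Unit 4", "33101",
                   shipping_service="next_day_am",
                   ship_to_changed_after_order=True)

if __name__ == "__main__":
    for name, order in [("routine", ROUTINE), ("rush gift", RUSH_GIFT),
                        ("redirected", REDIRECTED)]:
        result = screen_order(order)
        print(f"{name:10} {result['action']:16} {result['flags']}")
```

Matching on street number and ZIP alone mirrors what AVS compares, so two different streets with the same number and ZIP are treated as equal. The flags are prompts for a person to review the order, not verdicts.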

Additionally, take a look at our 30 second fraud checklist for ecommerce merchants.

The information above is to give you a better idea of what you can do to help protect your business from fraud. Training yourself and your staff can go a long way to protecting your business, especially if you continue to keep that training up to date as your business moves forward. New technologies may help businesses limit their risk in some ways while opening the door to other possible threats, so it is important that you keep up with, and understand, the relevant practices of fraudsters. Make sure you implement standard operating procedures within your organization so that you have a baseline to judge potential threats against. Fraudsters are not in the business of getting caught, so if they see a business operating in a manner that is not conducive to their success they will often move to another target.


August 18th, 2015 by MSI Newsletters

Fraud Prevention Tips

Filed in: Monthly Newsletters |

Previously we talked about a few of the lesser known fraud types that many small businesses encounter.

Part 2 of our series on fraud covers some tips to help identify and prevent the damages from fraud. Many forms of fraud can be prevented by proactive policies and often with common sense. While some schemes are so well planned that even seasoned professionals have a hard time identifying them, many types of fraud follow recognizable trends and can often be prevented. Here are some tips to help identify, prevent, and mitigate fraud.

General (applies to all business types)

  • Create a payment acceptance guide / poster for all employees and keep it readily available. This should be a short, easy to read list of how payments should be accepted. Anything that is outside of these guidelines should be considered against company policy without approval from a knowledgeable supervisor. Keep this as short and concise as possible; it should be something an employee can review in 20 seconds or less. Most fraud will require an employee to deviate from the normal method of accepting a transaction, and this is meant to immediately prevent the lowest hanging types of fraud.
  • Talk to your employees about fraud and encourage them to notify you or a supervisor of anything suspicious or simply out of the ordinary with regard to accepting payments. This will keep everyone on the same page, and can help you and your employees develop better practices and a higher understanding of potential threats.
  • Do not ever accept an authorization number from a customer or their bank. Only accept authorization numbers generated when you process a transaction or if you manually call into your credit card processor’s authorization line.
  • Don’t allow issuing cash refunds on any credit or debit transaction that was processed as a credit card, and do not allow issuing a refund to any card other than the one used to make a payment. Basically, unless the customer entered a PIN number on a PINpad, only credit back to the original card used to make a purchase.
  • Be especially vigilant of customers requesting refunds, credits, or abnormal transactions involving prepaid gift cards. Prepaid gift cards work differently from normal credit and debit cards and some issuers have been known to have large security and functional holes in their authorization and funding systems.

Card Present

  • If available at your processor, use a terminal that supports EMV (chipped) cards. EMV eliminates fraud occurring from cards that have been electronically stolen and copied to another card. Businesses with unattended card readers such as gas stations will see the greatest benefit from EMV.
  • Make sure a supervisor is required for any returns or credits to a credit or debit card. A very large portion of fraud is committed by employees and customers in the form of issuing credits. The money issued during a credit can be difficult to impossible to account for without vigilant bookkeeping practices. Credits should always be strictly controlled.
  • When the card is present, always check the back of the credit card for a signature, before asking for ID. If no signature is present ask the card holder to sign the back of the card, then ask for their ID and see if the name and signatures match.
  • Although card brands do not permit requiring an ID as a condition of accepting a payment, you can still always ask for one to verify the purchaser is the person standing in front of you and whose name is on the card.
  • Be especially vigilant of cards that appear to be damaged, potentially altered, or cards where the beginning numbers don’t match the type of card being offered (Generally beginning with 4 for Visa, 5 for MasterCard, 3 for American Express, and 6 for Discover). After printing a receipt, you can also verify the printed card numbers on the receipt match the numbers on the actual card. When thieves make copies of stolen cards, they often encode them onto cards with a completely different number or an entirely different type of card than the one the numbers were stolen from.
  • Be critical of situations where a customer’s payment isn’t typical, such as trying to pay with a series of cards that keep declining, refusing to show an ID, refusing to sign their card, etc.

Card Not Present

  • Requesting the CVV code helps ensure that the buyer physically has the card in hand, or at least had it in their hand at one point. Electronically copied cards will not have the CVV number. While not a guaranteed method, it’s a good step to help protect your business.
  • Always use the Address Verification System (AVS). AVS verifies that the billing information matches what the card issuer has on file by matching both the street number and the zip code. However, AVS does not work with most international cards, so this may not be as useful to merchants who have a large percentage of customers paying with non-US issued cards.
  • Any shipments to the customer should be shipped to the billing address when possible, and shipments with a high dollar value should require a human signature with the carrier. While this can sometimes cause convenience problems, it is the best way to protect your business and guarantee that at least a human was there to receive your shipment.
  • Only use shipping services, such as UPS or FedEx, that allow you to cancel or reroute an item after it has been picked up. The only thing worse than taking a loss on fraud is identifying a transaction as fraudulent and not being able to prevent the package from being delivered after it has been shipped.
  • Orders requesting expedited or overnight delivery should be scrutinized more than orders requesting ground or other economy shipping. It is common for customers to want their items quickly, but thieves also want to get products in their hands as quickly as possible, and will almost always pay for the fastest possible shipping method no matter the cost. Anecdotally, in more than 15 years of operating ecommerce sites, we’ve never seen a confirmed fraudulent order shipped by anything less than 2nd day air; the vast majority are shipped by the fastest and most costly method possible, which is typically Next Day AM or equivalent.
  • Searching the shipping address of an order in a search engine can often reveal if the order is being shipped to a forwarding address, an empty or for-sale property, or sometimes even just a vacant lot. All of these situations are a major red flag for potential fraud, and should require further review before fulfilling an order.
  • Be especially cautious of orders where the buyer changes the shipping address after ordering. This is a common method used to circumvent AVS and other address based screening methods of identifying fraud.
  • Online or phone orders where the buyer is indiscriminate about the cost of shipping or cost of the products being ordered should be considered highly probable for fraud.
  • Additionally, any customer asking for a catalog and price list when you have everything on a website should be considered suspect as well. Unsolicited requests for prices, product lists, and what payment methods a business accepts, are often nothing more than electronically generated emails from scammers scraping emails off ecommerce sites.

The information above is to give you a better idea of what you can do to help protect your business from fraud. Training yourself and your staff can go a long way to protecting your business, especially if you continue to keep that training up to date as your business moves forward. New technologies may help businesses limit their risk in some ways while opening the door to other possible threats, so it is important that you keep up with, and understand, the relevant practices of fraudsters. Make sure you implement standard operating procedures within your organization so that you have a baseline to judge potential threats against. Fraudsters are not in the business of getting caught, so if they see a business operating in a manner that is not conducive to their success they will often move to another target.


August 18th, 2015 by Jamie Estep

Credit Card Fraud, Now Serving Small Business

Filed in: Fraud, Merchant Accounts |

This is the first of a 2 part series on common but under-reported and often unknown types of fraud that many merchants experience. Part 1 will consist of specific example scenarios and types of fraud that merchants experience often without knowing it. Part 2 will consist of ways to prevent, minimize, and identify types of fraud that may be occurring.

Credit card fraud gets talked about a lot, but most of the time the focus moves to card holder protection or a large data breach. We hear little about the credit card scams that fraudsters use against the small business owner because it’s hard to sensationalize one business that had a little bit of fraud. In this article we are going to go over some common approaches fraudsters use to go after businesses and ways your company can protect itself.

Pre-authorized transactions

If I hear about a card holder telling a merchant that they called their bank and got prior approval for a large transaction, it immediately sets off my internal fraud alarm. For many people, this statement makes sense: we have all had one of our cards turned down for a completely legitimate transaction, so why wouldn’t a card holder call their issuer if they know they are about to process an abnormally large transaction? Also, as a small business owner, a large sale can be a great thing, so it’s easy to get enticed by the sale and want to comply with the customer to make sure it happens.

Whatever you do, don’t take an authorization code from anyone other than your processor.  EVER!!!

I can’t stress this enough, EVER!  You need to control how the authorization code is obtained. Normally your point of sale (POS) transparently takes care of this for you during the transaction process, and rarely, you may need to contact your processor’s voice authorization system for approval. In both of these scenarios there is an electronic trail from your merchant account, through your processor, to the card issuer and back again.  An authorization code will not be valid unless there is a trail connecting your sale to the authorization code.  I also want to highlight that if you call the number on the back of the credit card they should not ever issue approval codes to you. The only authorization code you should ever trust is one obtained through your credit card terminal or POS system or if you call into “your” processor and obtain one over the phone.

So what do you do when presented with this scenario?

Taking any form of payment at this point is a likely business risk. I strongly advise you only accept cash from that customer if anything at all. You can simply tell the customer that your store policy states all authorizations have to come electronically from the terminal/POS (this should be your policy anyway). If you do decide to accept a credit card for the transaction and process it in a normal manner, there is still a measurable chance that the customer is still trying to defraud you. Know that there will be a substantially increased chance of receiving a chargeback. At the very least, make absolutely sure that the customer is the person whose name is on the card and make sure to swipe the card through your terminal, get a signed receipt, and make sure it matches the signature on their card if there is a legible one. This is such a red flag for a deliberate fraud attempt, it would usually be appropriate to simply turn your customer out the door. The chances are better than not they are attempting to defraud you.

I need to return this

How often do you have a customer who wants to do a return for a refund? If the original purchase was made on a credit or debit card, without using a PIN number, then you should only refund to the card that was used to make the purchase. I hear from merchants quite regularly about someone coming to do a return but wanting cash instead of a credit to their card. Many times the customer says they just don’t have the card on them, or that it was a gift and if it gets refunded to the card, then the cardholder will know their gift was returned. The unfortunate truth is that sometimes when you get this request, it’s coming from a fraudster.

It’s a simple scam: the merchant takes back the product, gives the customer their cash refund, and the customer then calls their card issuer and disputes the charge saying the business refused to give them a refund. Of course the business will receive the chargeback notice, and respond that they gave a full cash refund, but there won’t be any electronic proof for that refund. The card issuer is basically forced to side with the card holder and the merchant will usually lose. It will then be on the merchant to take legal action against the fraudster. To make matters worse, the merchant’s loss is essentially twice the sale amount. They lose the chargeback, and they lose the money they gave for the refund.

This scenario only applies to credit based transactions. When you run a PIN debit transaction things are a little different. Some processors will allow you to do a debit return; however, you are going to have to swipe the original card, and the customer will need to re-enter their PIN number to complete the transaction. Alternatively, as long as the card has a Visa, MasterCard, Discover, or Amex logo you can do a normal credit return, without needing the card or the cardholder present. If the card does not have a major card brand logo on it, your only remaining option is a cash refund. Keep in mind that card holders can still dispute a PIN debit transaction; however, it’s much more difficult.

To hedge your risk, you can offer an in-store credit to the customer. This allows the business to retain the money from the original purchase so if there is a dispute you are not losing a return and chargeback.  If the card holder has not used their in-store credit you can revoke it or any remaining portion.  Unfortunately if they used all of their remaining credit you will have lost the chargeback and a product, however your hard cost on that product will hopefully be less than having issued them a refund and paying for a chargeback.

A really large order

Let’s say you have a small hardware store, and you have a customer walk in and say, “I need 5,000 chainsaws.” Your first thought might be something along the lines of “Cha Ching!”, and sometimes the idea of such a large sale clouds your vision as you have a quick dream of the vacation you will finally take when all that money comes in. Well, come back down to earth and get your guard up, as this should be the Chernobyl of red flags.
You need to start asking yourself some questions like the following, and try to look at them as an unbiased third party.  Here are just a few quick examples.

  • Why does this guy need 5,000 chainsaws?  This is an abnormal purchase for just about anyone.
  • In your experience does anything feel off about this customer?  Let your gut feel be your guide.
  • Do they seem to care about price?  When people buy in bulk they expect the price to drop, if they don’t, something probably is not right.  If they don’t even ask about price, or are willing to pay a premium, it’s even more of a red flag.
  • Why is he/she wanting to buy them from me?  This can be a hard question to not show your bias.
  • Are there more obvious, easier, cheaper, etc. ways for this customer to obtain what they want? This is more of an extension of the previous question.
  • Can my business survive if this sale turns out to be fraud? Make sure you don’t take on more risk than your business can handle.
  • Are they asking for the quickest shipping method possible?
  • Are they shipping to a forwarding or foreign address?
  • If I were going to legitimately purchase 5,000 chainsaws as a consumer, is this the way I would do it?

Admittedly this example sounds to be on the ridiculous side of things, but this actually happened to a small hardware store. Things that sound too good to be true usually are. These questions will help keep a realistic view of the situation, and will give ideas as to what questions you want the customer to answer. If you are not comfortable with the situation you should probably not continue with the sale, or if you do, make sure you only accept cash or an equivalent method that protects you from later disputes. I have seen businesses that refused to take this advice, and accepted credit card payment even after being specifically told by their processor not to. Sometimes the loss to the business is so bad, they had to close their doors after their transactions charged back.

Stay tuned for the next edition where we further discuss how to identify, prevent, and minimize the losses from certain types of retail fraud.


August 16th, 2015 by MSI Newsletters

Credit Card Fraud, Now Serving Small Business

Filed in: Monthly Newsletters |
