10 Best practices for card-not-present transactions
With CNP transactions on the rise, follow these 10 best practices to securely process payments via phone, internet or mobile.
A card-not-present (CNP) transaction is one that is conducted via telephone, internet, mail, or mobile device, whereby the physical card is not presented to the merchant. The following is a robust overview of 10 useful practices for CNP transactions.
- General payment practices
- Avoiding chargebacks
- Interchange, assessments, and fee structures
- Address Verification Service
- Card security checks
- Recurring payments, installment billing, and soft billing descriptors
- PCI Data Security Standard
- Advanced authorization services
- Tokenization
- Negative option marketing
#1 General best practices
In payment processing, most practices are built on the following three principles:
- Presenting information
- Gathering and protecting cardholder data
- Minimizing chargebacks and interchange fees
These three general approaches apply to both card present and card-not-present transactions, to help merchants save money, reduce risk, and improve operational efficiency when processing digital and direct payments.
Presenting information
Contact information: Clearly display your business’ contact information on every page of a catalog, website, on shipping materials, and on all correspondences. If customers can’t reach you about a dispute, they will call their card issuer, which might lead to a chargeback (see #2). Contact information should include a toll-free phone number (digits, no letters) and an email address.
Billing descriptor: This identifies you on the customer’s credit card statement. For example: LNC*EXECUTIVEGADGETS 800-5551212 MA
Use a company name or brand the customer will recognize and include a toll-free telephone number. If your customer doesn’t remember the purchase, they will generally call the number in the descriptor before contacting the card issuer.
Billing descriptors can be truncated by processing systems, causing incomplete phone numbers. Avoid this by confirming your descriptors monthly, making test purchases with various credit cards, and reviewing the descriptions online and on your statement. For detailed information on billing descriptors, see #6.
Email confirmations: Send an immediate email confirmation whenever an order or refund is processed. Always indicate that the card issuer may require a full billing cycle to apply a refund and that the refund may not immediately appear on an online statement.
Policies: Post clear policies for billing, returns, shipping, back orders, and privacy. This will provide your credit card processor with additional evidence to fight chargebacks and win representments. Order confirmation emails should include this information in the content or via a web page link.
Gathering cardholder data
Customer information: Obtain the customer’s evening and daytime phone numbers, and email address. This is particularly important if the shipping and billing addresses are different and with high value orders.
Card information: Ask for the name as it appears on the card, the account number, the card type, and the expiration date (make sure it is a future date). Also ask for the CVV/CVC/CID numbers on the back of the credit card to establish the customer’s physical possession of the card. See #5.
Added protection: Online merchants should consider using Verified by Visa or Mastercard’s SecureCode. Ask your processor if these enhanced anti-fraud programs are right for you.
Protecting cardholder data
Credit card fraud remains a major problem that costs merchants, consumers, and financial institutions billions of dollars every year. Many factors are involved in protecting cardholder data, and the risks are different for card present and card-not-present transactions.
While chip-enabled EMV cards have largely delivered on their security promises for card present fraud, chip cards don’t have the same effect on fraud that occurs on card not present transactions. So it’s important to implement other security measures, outlined in the following sections of this article.
The Payment Card Industry Data Security Standard, more commonly known as PCI, provides a good overview for protecting cardholder data (see #7 for detailed information on PCI). PCI suggestions include:
- Make sure your company is PCI certified.
- Make sure your payment processor is PCI certified.
- Protect stored data. All merchants must use strong encryption to protect cardholder information stored internally or eliminate storage of actual card data through services such as tokenization (see #9). Web merchants must not store cardholder information on web servers or computers outside of a firewall.
- Encrypt data sent across public networks. Cardholder data sent across public networks must be encrypted. This includes email, FTP, data streams, and phone lines. The most common violation of this practice is cardholder information sent via email. There are hundreds of encryption products available, many of them free.
- Restrict access to data by "need to know." Your call center and chargeback departments will likely need to see cardholder data. Other departments do not. Merchants should work with processors that have online hierarchical role-based access to payments data. Store hard-copy cardholder information (e.g., paper reports from your processor, chargeback mail, and faxes) in a locked room with limited access.
- Partners handling your data must protect your data. If your business partners have access to your customers’ credit card information, it is your responsibility to make sure that they employ adequate protection methods. Partners that typically handle credit card information include fulfillment houses, call centers, and marketing affiliates.
Processing orders
Observing these guidelines can reduce your exposure to chargebacks and can result in lower interchange fees:
- Always conduct an Address Verification System (AVS) check and contact customers for order confirmation on AVS failures. See #4.
- To test card validity prior to deposit, use a "Zero Dollar Verification" (ZDF), also known as an "AVS-only" authorization. Avoid "$1.00 Authorizations", as these may appear in online statements and confuse customers.
- Each deposit should reference one and only one valid authorization. Do not submit deposits without valid authorizations ("forced deposits").
- Ship within seven (7) days of the authorization or obtain a new authorization.
- Submit your deposits to your processor within two (2) days of shipment.
- If supported by your processor, submit your authorization Transaction ID with all deposits and refunds. This prohibits forced deposits and can reduce fraud.
- Use voice authorizations as a last resort. These bypass processors’ systems and cannot be used to refute chargebacks.
#2 Avoiding chargebacks
Chargebacks occur when a customer disputes a charge on a card. The customer contacts his/her card issuer and initiates the process through your payment processor. Your processor will likely charge you a fee for each chargeback you receive. You often have the right to fight the dispute in a process called representment, where you must substantiate the charge by providing verification of the sale. Generally, if you cannot substantiate the sale, you will have to reimburse the customer.
Chargebacks can be costly, time consuming, and can threaten your merchant account. Depending on the card type, chargeback rates exceeding 0.5% or 1.0% (by sale count) can result in substantial fines and excessive rates can cause your merchant account to be terminated with the possibility of card brand banishment. Even a small number of chargebacks demonstrates that you have some unhappy customers.
Three common reasons for chargebacks
Three common chargeback reasons for merchants that accept card not present transactions are:
- "Unauthorized Use" chargebacks occur when consumers claim their cards were used without their knowledge or permission. In some cases, this will reflect actual fraud and may require the issuing bank to close the account. Asking the consumer for additional card information like the CVV/CVC/CID code (see #5) at the time of purchase can greatly reduce this form of chargeback.
- "Authorization Not Obtained" chargebacks occur when the card issuer believes that a valid authorization was not obtained for a deposit. The merchant may have attempted a forced deposit, used an invalid authorization, or obtained a voice authorization. This type of chargeback often occurs when multiple partial deposits are made against single authorizations. A combination of sound procedures and proper exception handling by your processor can eliminate these chargebacks.
- "Recurring Transactions" chargebacks occur when a consumer believes they have been billed after cancelling a subscription, membership, or multi-payment billing series (e.g., continuity program or installment payments). Using clear and explicit billing descriptors will help you avoid these types of chargebacks for card not present transactions (see #6). Be certain to quickly acknowledge and record any correspondences with customers regarding changes or cancellations. This should include keeping records of all phone calls.
Suggested actions to avoid these common chargeback reasons | Unauthorized Use (Products) | Unauthorized Use (Services) | Authorization Not Obtained | Cancelled Recurring Transaction |
---|---|---|---|---|
Always conduct an AVS check. Only process orders with a valid AVS response. | ●● | ●● | | |
Obtain evidence of receipt of goods (i.e., signed shipping receipt). | ●●● | | | |
Web sales: Consider using Verified By Visa or Mastercard's SecureCode. This provides card ownership and enhances the merchant's position on chargeback representment. | ●● | ●● | | |
Require card identification numbers like CVV (Visa), CVC (MC), and CID (AX). See approach #5. | ●● | ●● | | |
Process refunds as quickly as possible. | ●● | ●● | ●● | ●● |
Notify consumers in writing by email and/or mail when a refund has been issued or a membership cancelled. Provide them with the date the transaction was submitted and a reference number. | ●● | ●● | ●● | |
Always provide a clear billing descriptor with a phone number so the consumer can contact you directly rather than calling their bank to discuss any dispute. | ●● | ●● | ●● | |
Always provide a contact phone number and an email address on your website so consumers can contact you directly. | ●● | ●● | ●● | |
State the terms and conditions of the sale or service clearly and in plain view. All correspondences should include this information in the message or via a link to a web page. | ●● | ●● | ●● | |
Use email to notify consumers of the details of sales and to indicate that their cards will be charged. | ●● | ●● | | |
Obtain written or electronic signatures from cardholders giving you permission to charge their cards on a regular basis for monthly fees or recurring payments. See approach #6. | ●● | ●● | | |
Make it very easy for members or subscribers to cancel - have a "no-questions-asked" policy. | ●● | ●● | | |
Authorizations must always be done for every deposit. | ●● | ●● | | |
Deposits must not exceed the amount you have authorized. | ●● | ●● | | |
Authorizations must be "positive." | ●● | ●● | | |
Avoid using voice authorizations. | ●● | ●● | ●● | |
If you are settling a transaction with an authorization more than 7 days old, you must reauthorize the transaction. While the authorization might still be valid, you will likely receive a better interchange rate. See approach #3. | ●● | ●● | | |
#3 Interchange, assessments, and fee structures
Interchange
Interchange is a fee mandated by Visa and Mastercard that the merchant’s acquiring bank (often represented by a payment processor) pays to the card issuing bank on each sales transaction. Acquirers or their processors pass this fee along in some form to the merchant. Interchange was developed as an income incentive for banks to issue Mastercard and Visa cards. Today, there are hundreds of distinct rates based on transaction and industry type. Interchange also typically represents the largest portion of a merchant’s total fees.
Assessments
While interchange is paid to the card issuers, assessments are paid directly to Visa and Mastercard and typically offset the brands’ costs to operate and regulate the networks. These fees are also passed along in some form to the merchant and generally represent the smallest portion of a merchant’s total fees.
A processing fee example
The following chart depicts the typical fees a merchant might incur for a given card-not-present transaction. It introduces another fee, which is the fee your payment processor charges for sponsoring you into the Visa and Mastercard networks. This example is based on a $100 purchase from an online merchant and uses the Visa "CPS/Card-Not-Present" interchange rate.
Fee | Interchange (I) | Assessments (A) | Processor Fee (P) | Total (D) |
---|---|---|---|---|
Published | 1.80% + $0.10 | 0.11% | $0.25 | 1.91% + $0.35 |
Expressed as $ | $1.90 | $0.11 | $0.25 | $2.26 |
Expressed as % | 1.90% | 0.11% | 0.25% | 2.26% |
Generally, interchange rates are charged as a percentage of the sale, plus a fixed fee. This structure allows the card brands to protect themselves with respect to very large and very small transaction values. Assessments are mostly expressed as a small percentage only. Payment processors may structure their fees at their discretion and can vary widely. In this example, we use a fixed per-transaction charge.
Fee structures
Many payment processors use a bundled "discount" rate. That is, they present the merchant with a flat percentage rate that blends all of the fees described above. This idea can be expressed in a formula using the abbreviations in the chart: D = I + A + P. In this case, the payment processor would charge the merchant 2.26% for each qualifying transaction.
While simple to understand, this type of pricing can hide the true cost of doing business from the merchant. The processor will normally present the merchant with a tiered discount structure consisting of "qualified," "mid-qualified," and "non-qualified" discounts. The latter two rates are typically higher than the quoted rate and represent downgrades. Bundled rates can become even more complicated as many processors will add a fixed, per transaction fee on top of the flat percentage rate.
Some processors offer a "pass-through" model. Also known as the "Cost Plus" model, the processor reports on all of the constituent components, "I," "A," and "P" as separate fee areas. While more complex, this style of billing is transparent and can help reduce downgrades and optimize interchange.
Downgrades and interchange optimization
To obtain the best interchange rate, a sale transaction must conform to certain rules established by the card brands. The following example depicts three Visa rates applicable to card-not-present transactions:
Visa rate | Interchange |
---|---|
CPS/Card-Not-Present | 1.80% + $0.10 |
Electronic Interchange Reimbursement Fee (EIRF) | 2.30% + $0.10 |
Standard Interchange Reimbursement Fee | 2.30% + $0.10 |
The second and third rates are undesirable downgrades. You can likely get the best interchange rate (1.8% + $0.10) for card not present transactions by:
- Conducting an Address Verification System (AVS) check
- Shipping product within 7 days of the authorization
- Including the original authorization ID from your authorization in your settlement transaction
- Providing an order number in the settlement transaction
- Settling the transaction no longer than 7 days after the authorization date
- Settling the transaction no longer than 3 days after the completion of the sale
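As an added worked example (not from the original guide), the fee table in "A processing fee example" and the six CPS/Card-Not-Present qualification rules above combined in Python: a settlement is checked against each rule, the applicable Visa rate is chosen, and the I, A, P and D components are computed. The dates, order numbers, authorization IDs and the flat $0.25 processor fee are assumed sample values, and EIRF stands in for the downgrade rate.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional, Tuple

# Visa card-not-present rates as quoted on the page: (name, percentage, fixed fee per item).
Rate = Tuple[str, Decimal, Decimal]
CPS_CNP: Rate = ("CPS/Card-Not-Present", Decimal("0.0180"), Decimal("0.10"))
EIRF: Rate = ("EIRF (downgrade)", Decimal("0.0230"), Decimal("0.10"))
ASSESSMENT_PCT = Decimal("0.0011")   # assessments: 0.11% of the sale
PROCESSOR_FIXED = Decimal("0.25")    # assumed flat per-transaction processor fee, as in the page's example
CENTS = Decimal("0.01")


@dataclass
class Settlement:
    amount: Decimal
    auth_date: date
    ship_date: Optional[date]      # completion of the sale; None if not yet shipped
    settle_date: date
    avs_checked: bool              # an AVS check was submitted with the authorization
    auth_id: Optional[str]         # authorization (transaction) ID carried into the settlement
    order_number: Optional[str]


def qualification_failures(s: Settlement) -> List[str]:
    """Return every CPS/Card-Not-Present rule from the page that this settlement breaks."""
    failures = []
    if not s.avs_checked:
        failures.append("no AVS check")
    if not s.auth_id:
        failures.append("authorization ID not included in settlement")
    if not s.order_number:
        failures.append("order number not included in settlement")
    if s.ship_date is None or (s.ship_date - s.auth_date).days > 7:
        failures.append("not shipped within 7 days of authorization")
    if (s.settle_date - s.auth_date).days > 7:
        failures.append("settled more than 7 days after authorization")
    if s.ship_date is not None and (s.settle_date - s.ship_date).days > 3:
        failures.append("settled more than 3 days after completion of the sale")
    return failures


def applicable_rate(s: Settlement) -> Rate:
    """The best rate applies only when every rule holds; otherwise the transaction downgrades."""
    return CPS_CNP if not qualification_failures(s) else EIRF


def fee_breakdown(amount: Decimal, rate: Rate) -> dict:
    """Compute I, A, P and D = I + A + P for one sale, rounded to cents."""
    name, pct, fixed = rate
    interchange = (amount * pct + fixed).quantize(CENTS, rounding=ROUND_HALF_UP)
    assessments = (amount * ASSESSMENT_PCT).quantize(CENTS, rounding=ROUND_HALF_UP)
    processor = PROCESSOR_FIXED
    total = interchange + assessments + processor
    return {
        "rate": name,
        "I": interchange,
        "A": assessments,
        "P": processor,
        "D": total,
        # The fixed fees make the effective percentage climb sharply on small tickets.
        "effective_pct": (total / amount * 100).quantize(CENTS, rounding=ROUND_HALF_UP),
    }


def demo() -> dict:
    """Constructed settlements: one fully qualified, one settled late, one small ticket."""
    auth = date(2024, 3, 1)
    good = Settlement(Decimal("100.00"), auth, date(2024, 3, 3), date(2024, 3, 5), True, "AUTH-1", "ORD-1")
    late = Settlement(Decimal("100.00"), auth, date(2024, 3, 3), date(2024, 3, 12), True, "AUTH-1", "ORD-1")
    small = Settlement(Decimal("10.00"), auth, date(2024, 3, 3), date(2024, 3, 5), True, "AUTH-2", "ORD-2")
    return {
        "qualified": fee_breakdown(good.amount, applicable_rate(good)),
        "downgraded": fee_breakdown(late.amount, applicable_rate(late)),
        "downgrade_reasons": qualification_failures(late),
        "small_ticket": fee_breakdown(small.amount, applicable_rate(small)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```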
In today’s interchange landscape, some downgrades are unavoidable. Merchants have been particularly hard hit, for example, by higher rates associated with rewards cards. These higher rates help pay for the cardholders’ points and perks.
Interchange rates are usually updated twice a year, so it’s important to work closely with your processor to avoid downgrades and optimize your overall interchange exposure. You should also select a processing platform with reporting capabilities that let you review interchange qualification regularly. Rate reviews and optimization strategies should occur at least quarterly.
For more information, please refer to the published rates on Visa and Mastercard’s websites.
Avoiding the refund trap
What happens to interchange when you process a refund? According to Visa and Mastercard regulations, the card issuer should return the interchange to the merchant. In practice, the issuer returns the interchange back to the payment processor, and in some cases the payment processor keeps the returned interchange.
If your refunds average more than 5% of sales, the missing rebates can add up. If your processor charges a 2.3% discount rate and is not rebating interchange on returns, that 2.3% can become an effective rate of 3% or higher. Of course, average ticket price must be considered in the calculation, but you can see the potential for this hidden cost.
Ways to help avoid hidden fees
- Negotiate a pass-through fee arrangement with your processor
- Establish benchmarks and work with your processor to develop interchange reduction programs
- Understand published interchange rates and how they apply to you
- Develop the mathematical foundation for analysis, auditing, and oversight of your payment processing costs
#4 Address Verification Service
Address Verification Service (AVS) is an automated fraud prevention service designed to reduce the risk associated with card not present transactions.
AVS helps minimize fraudulent transactions by verifying the cardholder’s billing address with the card issuer. The merchant must initiate the AVS check by providing the proper data in each transaction. Verification results help the merchant decide whether to accept a particular order or take follow-up action.
AVS uses two pieces of extra information in the authorization request you send to your payment processor: the numeric portion of the cardholder’s address and the ZIP code. Your payment processor compares this information against information at the cardholder’s issuing bank, along with other factors (card number, expiration date, etc.) and issues an AVS Response Code.
How to use AVS
Address Verification Service is transparent to your customer and applies to payments using Visa, Mastercard, American Express, and Discover cards.
To use AVS for card-not-present transactions, a merchant should:
- Ask the customer for the billing address as it appears on their monthly statement
- Submit the required alpha/numeric portions of the address with the authorization request
- Research all AVS partial matches; a "partial match" indicates that the billing address being compared has the same ZIP code or the same numeric values in the street address, but not both. A "no match" response indicates that neither part of the billing address matches your data
- Evaluate AVS "no match" responses carefully, as they are typically a strong indicator of fraud. Not every "no match" response indicates fraud, but it is a signal that the merchant must take further steps to authenticate the order
- A "no match" response does not automatically result in the authorization being declined
Examples of AVS response codes*
AVS Result Code | Description |
---|---|
00 | 5-Digit ZIP and address match |
01 | 9-Digit ZIP and address match |
10 | 5-Digit ZIP matches, address does not match |
11 | 9-Digit ZIP matches, address does not match |
12 | ZIP does not match, address matches |
20 | Neither ZIP nor address match |
30 | AVS service not supported by issuer |
31 | AVS system not available |
32 | Address unavailable |
33 | General error |
34 | AVS not performed |
* The AVS codes listed above are numeric; processors may use alpha or numeric characters.
How to handle most common results
"ZIP does not match, address matches" or "ZIP code (5 or 9 digit) matches, address does not match": Establish a dollar threshold that puts these orders in an AVS Hold report for special processing. Look for these suspicious attributes:
- Larger than normal orders
- Several units of the same item
- Overnight shipping
- Orders shipped to an address other than the billing address
"Neither ZIP nor address match"
This is a strong indicator of fraud, but an AVS failure may be legitimate. Example: A customer has recently moved but has not notified their bank. Follow up by:
- Calling the customer to verify the telephone number, billing address, and home address
- Contacting the cardholder’s issuer to determine whether the name, address, and telephone number match those in the issuer’s file
- Using directory assistance or internet search tools to contact the individual at the billing address and confirm that he or she initiated the transaction
"AVS Service not supported by issuer"
This is a typical response to an international order which AVS does not support. One solution is to fax a credit card slip to the customer, requesting a faxed signature to verify the order. This may not be the most cost-effective means for all international orders, so a dollar threshold should be established to determine which orders must be validated.
Why is AVS important?
- A positive AVS response is one way to remedy many "Unauthorized Use" and "Non-Receipt of Merchandise" chargebacks; without a positive AVS response, merchants that process card not present transactions have no dispute rights
- Visa transactions using AVS are given a better interchange rate than those that do not, even if the AVS fails; AVS is not foolproof and should be combined with your internal and external fraud detection tools such as CVV, CVC, CID (see #5), Verified by Visa, and SecureCode
#5 Card security checks
To help reduce fraud for card-not-present transactions, the major credit card companies implemented authentication systems to ascertain if the credit card used in a transaction is actually in the possession of the owner. Knowledge of the card security value, known as CVV/CVC (Card Verification Value/Code), CMID (Card Member ID), and CID (Card Identification Number) by Visa, Mastercard, Discover, and American Express respectively, proves that the purchaser has seen the card, or has seen a record made by somebody who saw the card. In many countries it is now mandatory to provide this code when the cardholder is not present during the transaction.
What are CVV, CVC, CMID, and CID?
The diagram below shows the location and number of digits used by each major card brand. Visa, Mastercard, and Discover use a three-digit code in the signature strip, while American Express uses a four-digit code on the front of the card. When collected, submitted, and substantiated during the authorization process, the security value significantly increases the probability that the person placing the order is in possession of the credit card. In combination with an AVS check (see #4), the card security value is a useful tool to minimize fraud from stolen card numbers and counterfeit cards.
How CVV, CVC, CMID, and CID work
- A merchant asks the customer for the card security code and sends it to its processor as part of the authorization request
- The merchant’s processor – working through the card brands – checks the code against the card issuer’s database to determine its validity and then sends a Response Code back to the merchant along with the authorization
- The merchant evaluates the Response Code, taking into account the authorization decision and any other relevant or questionable data, like the AVS response
Common response codes
Result | What it Means | Suggested Action |
---|---|---|
M - Match | The cardholder's number matches the number stored at the issuing bank. | Complete the transaction (using anti-fraud tools such as AVS to supplement the decision to approve). |
N - No Match | The number the cardholder submitted did not match the number at the issuing bank. | View the "No Match" as a sign of potential fraud. Examine the authorization response. |
P - Request Not Processed | Processor is unavailable. | Resubmit the authorization request. |
U - Issuer Does Not Support Feature | The issuing bank is not registered with the credit card company to use this secured feature. | Use other anti-fraud tools to determine whether to process the transaction or investigate further. |
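An added example (not from the original guide) that turns the AVS handling rules from #4 and the card security response table above into one screening routine for an approved card-not-present order. The dollar thresholds, the "several units" cutoff, the action names and the sample orders are constructed assumptions; in practice the thresholds come from the merchant's own AVS Hold policy.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

# AVS result codes as listed on the page (numeric; some processors use letters instead).
AVS_FULL_MATCH = {"00", "01"}           # ZIP and street number both match
AVS_PARTIAL_MATCH = {"10", "11", "12"}  # ZIP or street number matches, not both
AVS_NO_MATCH = {"20"}                   # neither matches
AVS_UNSUPPORTED = {"30"}                # issuer does not support AVS (typical for international cards)
AVS_NOT_PERFORMED = {"31", "32", "33", "34"}

# Assumed merchant thresholds: the page says to set them, the values here are constructed.
AVS_HOLD_THRESHOLD = Decimal("250.00")     # partial matches at or above this go to the AVS Hold report
INTL_VERIFY_THRESHOLD = Decimal("500.00")  # unsupported-AVS international orders above this need a signed slip
SEVERAL_UNITS = 3                          # "several units of the same item"


@dataclass
class Order:
    amount: Decimal
    max_units_of_one_item: int
    overnight_shipping: bool
    ship_to_differs_from_billing: bool
    international: bool
    approved: bool   # issuer's authorization decision
    avs_code: str    # AVS response code returned by the processor
    cvv_code: str    # card security check response: M, N, P or U
    # The security value itself is deliberately not a field: it must not be stored after authorization.


def suspicious_attributes(o: Order) -> List[str]:
    """Attributes the page says to look for on AVS partial-match orders."""
    flags = []
    if o.amount >= AVS_HOLD_THRESHOLD:
        flags.append("larger than normal order")
    if o.max_units_of_one_item >= SEVERAL_UNITS:
        flags.append("several units of the same item")
    if o.overnight_shipping:
        flags.append("overnight shipping")
    if o.ship_to_differs_from_billing:
        flags.append("ship-to differs from billing address")
    return flags


def screen(o: Order) -> Tuple[str, List[str]]:
    """Map the authorization, AVS and card security responses to a follow-up action."""
    if not o.approved:
        return "decline", ["issuer declined the authorization"]
    if o.cvv_code == "P":
        return "resubmit", ["card security check not processed; resubmit the authorization"]
    reasons = []
    if o.cvv_code == "N":
        reasons.append("card security code does not match: potential fraud")
    if o.cvv_code == "U":
        reasons.append("issuer does not support the card security check; rely on AVS and other tools")
    if o.avs_code in AVS_NO_MATCH:
        # Never an automatic decline: call the customer and/or contact the issuer first.
        reasons.append("AVS: neither ZIP nor address match; verify with the customer and the issuer")
        return "manual_review", reasons
    if o.cvv_code == "N":
        return "manual_review", reasons
    if o.avs_code in AVS_PARTIAL_MATCH:
        flags = suspicious_attributes(o)
        if flags:
            return "avs_hold", reasons + ["AVS partial match"] + flags
        reasons.append("AVS partial match below hold threshold with no suspicious attributes")
    elif o.avs_code in AVS_UNSUPPORTED and o.international:
        if o.amount >= INTL_VERIFY_THRESHOLD:
            return "verify_signature", reasons + ["AVS unsupported by issuer; request a signed card slip"]
        reasons.append("AVS unsupported by issuer; below the international verification threshold")
    elif o.avs_code in AVS_UNSUPPORTED | AVS_NOT_PERFORMED:
        reasons.append("no AVS result; decision rests on the card security check and other tools")
    elif o.avs_code not in AVS_FULL_MATCH:
        return "manual_review", reasons + [f"unrecognised AVS code {o.avs_code!r}"]
    return "accept", reasons


def _order(**overrides) -> Order:
    base = dict(amount=Decimal("40.00"), max_units_of_one_item=1, overnight_shipping=False,
                ship_to_differs_from_billing=False, international=False, approved=True,
                avs_code="00", cvv_code="M")
    base.update(overrides)
    return Order(**base)


SAMPLE_ORDERS = {  # constructed sample orders, not real transactions
    "clean": _order(),
    "partial_large": _order(avs_code="12", amount=Decimal("300.00")),
    "partial_small": _order(avs_code="10"),
    "partial_flagged": _order(avs_code="11", overnight_shipping=True, ship_to_differs_from_billing=True),
    "no_match": _order(avs_code="20"),
    "cvv_no_match": _order(cvv_code="N"),
    "intl_large": _order(avs_code="30", international=True, amount=Decimal("900.00")),
    "declined": _order(approved=False),
    "cvv_unprocessed": _order(cvv_code="P"),
}


def screen_samples() -> dict:
    """Action chosen for each constructed sample order."""
    return {name: screen(o)[0] for name, o in SAMPLE_ORDERS.items()}


if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        print(name, screen(order))
```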
Things to know
- Merchants should always obtain and include the card security value in the authorization. Some card issuers do not support the code and by regulation automatically lose chargeback rights for card not present transactions.
- Merchants cannot store CVV, CVC, CMID, or CID codes in their customer databases or record once an authorization transaction has been completed. Codes must be requested for each unique transaction. Unless the customer is contacted each time, the codes should not be used for recurring transactions. Storing codes improperly could result in fines to the merchant.
- Merchants must register with American Express to use CID. American Express will automatically decline authorization requests with a CID failure (no letter result code is returned).
- Card security values can only be found on the card. They are not contained in the magnetic stripe data, nor do they appear on sales receipts or statements.
- Although widely implemented, not all payment processors support these codes. You must check with your processor to see if this service is available.
Why are CVV, CVC, CMID, and CID important?
Better fraud protection
CVV, CVC, CMID, and CID can help merchants differentiate between good customers and criminals. For example, these security codes can prevent fraud from cards obtained via "trash diving" or "skimming" techniques. CVV, CVC, CMID, and CID enable the merchant to make a more informed decision before completing a CNP transaction.
Reduced chargebacks
Using card security values potentially reduces fraud-related chargeback volume, particularly for card not present transactions. While it does not eliminate the risk of fraud, this additional security feature is designed to protect merchants by verifying that the card is present during the purchase. Reduced fraud chargebacks translate into retained revenue.
#6 Recurring payments, installment billing, and soft billing descriptors
Annual consumer spending through recurring payments is consistently growing. Merchants too have embraced recurring payment models because they make products more affordable and can generate larger, more predictable cash flows.
Recurring payments and installment billing
Recurring payments
Recurring payments are used when a consumer agrees to pay for a product or a service at specific intervals over a certain period of time. For example, health club memberships, insurance premiums, utility bills, and subscription fees occur predictably over time. The recurrence may be fixed with pre-determined renewal periods (e.g., magazine subscription) or perpetual (e.g., telephone bills) and can occur monthly, quarterly, or annually. The periodic payments may be equal or may vary based on the characteristics of the sale. Recurring payments can increase payment timeliness, reduce processing costs, and lower the risk of error due to manual entry.
Installment billing
Payments made on installment billing plans are popular. On these plans, the period is fixed and the payments are typically identical. Payments are generally made monthly, with between 3 and 10 installments. The direct response television (DRTV) industry is a good example of where installment billing is used routinely, e.g., "three easy payments." Because the payments are smaller, merchants can sell more product with fewer chargebacks.
Important tips for using and processing recurring payments
- On the first billing transaction, ask the cardholder for their billing address as it appears on their statement. Obtain the "ship to" address if it is different from the billing address.
- Provide cardholders with a toll-free phone number to cancel services. Disclose all terms, conditions, and fees at the time of sale and on all correspondences.
- Process credits promptly. State clearly that credit posting dates depend on the card issuer.
- For internet transactions, require cardholders to click an "Accept" button on the disclosure statement to confirm that they have read your terms and conditions. Consider asking for an electronic signature acceptable under the E-SIGN act.
- On the first transaction, use fraud protection tools including AVS, CVC, CVV, and CID. Never store this data after obtaining the initial authorization.
- Use soft billing descriptors to help cardholders identify charges on their statements. A full treatment of soft billing descriptors follows below.
Billing descriptors
Static billing descriptors
Billing descriptors are line items that appear on cardholder statements describing their purchases. Billing descriptors are typically static by default. They remain the same for different products sold by the same entity.
To obtain better interchange rates, most card companies require that card-not-present transactions use billing descriptors with a company’s name and customer service phone number. Static billing descriptors, such as the one below, are generally sufficient for companies offering a limited number of products:
Acme Industries 888-555-1234 . . . . . . . . . . . . . . . . . . . $14.95
Soft billing descriptors
Soft billing descriptors allow the merchant descriptor information to be modified on a per transaction basis (sometimes referred to as a "dynamic billing descriptor"). Certain direct marketing merchants (MCCs 5966, 5968, 5967, 5969, and 5962) are required to represent their company name with a three-letter prefix followed by a more detailed description of the product or service. Note that this field is typically limited to 25 characters (excluding the phone number). Not all processors support this feature, so be sure to choose a processor with this capability in case you need it in the future.
ACM* Great TV Hits 1 of 9 800-555-1234 . . . . . . . . . . $14.95
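An added example, not from the original guide, that builds a soft billing descriptor of the form shown above and checks a descriptor copied from a test-purchase statement for the truncation problem noted in #1. The 25-character limit and the three-letter prefix come from the text; the phone layout, the shortening rule (cut the product name, never the installment count or the phone number) and the sample inputs are assumptions.

```python
import re
from typing import List, Optional

DESCRIPTOR_MAX = 25   # merchant descriptor field limit stated on the page, phone number excluded
PREFIX_RE = re.compile(r"^[A-Z]{3}$")
# Assumed phone layout: digits only (the page says no letters), with or without dashes.
PHONE_RE = re.compile(r"^\d{3}-?\d{3}-?\d{4}$")
# Assumed statement layout: PFX*description [N of M] phone [ST]
STATEMENT_RE = re.compile(
    r"^([A-Z]{3})\*(.+?)(?: (\d+) of (\d+))? (\d{3}-?\d{3}-?\d{4})(?: [A-Z]{2})?$"
)


def build_soft_descriptor(prefix: str, product: str, phone: str,
                          installment: Optional[int] = None,
                          total: Optional[int] = None) -> str:
    """Build 'PFX*product N of M phone', keeping the descriptor field within 25 characters.

    A product name that is too long is shortened; the installment progress and the phone
    number are never cut, because those are what lets the cardholder recognise the charge
    and call the merchant instead of the issuer.
    """
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix must be exactly three uppercase letters")
    if not PHONE_RE.match(phone):
        raise ValueError("phone must be digits only, e.g. 800-555-1234")
    suffix = ""
    if installment is not None:
        if total is None or not 1 <= installment <= total:
            raise ValueError("installment must be between 1 and total")
        suffix = f" {installment} of {total}"
    head = f"{prefix}*"
    room = DESCRIPTOR_MAX - len(head) - len(suffix)
    if room < 1:
        raise ValueError("no room left for a product description")
    description = re.sub(r"\s+", " ", product).strip()
    if len(description) > room:
        description = description[:room].rstrip()   # shorten the product, never the phone
    field = f"{head}{description}{suffix}"
    return f"{field} {phone}"


def check_statement_line(line: str) -> List[str]:
    """Problems found in a descriptor copied from a test-purchase statement (empty list = OK)."""
    if STATEMENT_RE.match(line):
        return []
    problems = []
    if not re.match(r"^[A-Z]{3}\*", line):
        problems.append("missing three-letter prefix")
    if not re.search(r"\d{3}-?\d{3}-?\d{4}(?: [A-Z]{2})?$", line):
        problems.append("phone number missing or truncated")
    return problems or ["unrecognised descriptor layout"]


if __name__ == "__main__":
    line = build_soft_descriptor("ACM", "Great TV Hits", "800-555-1234", 1, 9)
    print(line, check_statement_line(line))
    print(check_statement_line("ACM*Great TV Hits 1 of 9 800-555-12"))   # a processor cut the phone
```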
Why use soft billing descriptors?
Soft billing descriptors are powerful tools. They enable merchants to more clearly identify transactions on cardholder statements. They are especially useful for installment billing where a cardholder’s payment progress can be noted in each statement. Dynamic billing descriptors are especially beneficial to merchants who sell multiple products or services through multiple companies or affiliates. Soft billing descriptors have been proven to enable customers to keep more accurate buying records, reduce chargebacks, and improve customer satisfaction.
#7 PCI Data Security Standard
The Payment Card Industry Data Security Standard, commonly known as "PCI-DSS" or "PCI" for short, is a standard across the major global card brands Visa, Mastercard, American Express, Discover, and JCB to address cardholder account security. PCI was developed to safeguard the personal information of cardholders while in the possession or use of merchants, payment processors, and other entities that store, process, or transmit payment card information.
Understanding the basics of PCI, defining your merchant level, and understanding your validation requirements are critical. Failure to adhere to these requirements may result in significant fines for merchants and potential cancellation of their merchant accounts by the payment brands.
The basics of PCI
PCI is a series of security requirements for all companies that handle cardholder information. The following is a high-level list of the current PCI "Control Objectives."
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software on systems subject to attack
- Develop and maintain secure systems and applications
- Restrict access to data on a need-to-know basis
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Fines for non-compliance
Merchants may be subject to potential fines from the card brands of up to $500,000 per incident if the merchant is compromised and not PCI compliant at the time of the breach. Additionally, the merchant may also be responsible for other systemic costs or losses such as:
- Fraudulent use of the compromised account numbers from the date of compromise forward
- The cost of any additional fraud prevention/detection activities required by the card brand associations (e.g., a forensic audit)
- The costs incurred by credit card issuers associated with the compromise (e.g., additional monitoring of systems for fraudulent activity)
- Reimbursing all card-issuing banks for the cost of reissuing any compromised cards
Merchant level definitions for PCI validation
Some aspects of PCI, including merchant classification, differ between card brands. The following chart illustrates how Visa, Mastercard, Discover, and American Express classify their merchants.
| | Visa | Mastercard and Discover | American Express |
|---|---|---|---|
| Merchant Level 1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region; compromised entities may be escalated at regional discretion | More than 6 million Mastercard and Maestro transactions, or Discover transactions, annually; any merchant suffering an attack resulting in an account data compromise; any merchant meeting the Level 1 criteria of another payment brand; any merchant Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system | 2.5 million transactions or more per year, or any merchant American Express otherwise deems a Level 1 merchant |
| Merchant Level 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Merchants processing 1 million or more but fewer than 6 million Mastercard and Maestro, or Discover, transactions annually; any merchant meeting the Level 3 criteria of Visa | 50,000 to 2.5 million transactions per year |
| Merchant Level 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Merchants processing 20,000 or more but fewer than 1 million Mastercard and Maestro, or Discover, e-commerce transactions annually; any merchant meeting the Level 3 criteria of another payment brand | Fewer than 50,000 transactions per year |
| Merchant Level 4 | Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | All other merchants | N/A |
PCI validation requirements by merchant level
| | Annual on-site review | Annual self-assessment | Quarterly security scans |
|---|---|---|---|
| Merchant Level 1 | Required, by a Qualified Security Assessor | N/A | Required: Approved Scanning Vendor scans of external IP addresses* |
| Merchant Level 2 | N/A (MasterCard: at merchant's discretion) | Required annually** | Required: Approved Scanning Vendor scans of external IP addresses* |
| Merchant Level 3 | N/A | Required annually | Required: Approved Scanning Vendor scans of external IP addresses* |
| Merchant Level 4 | N/A | Required annually (compliance validation at acquirer discretion) | Required: Approved Scanning Vendor scans of external IP addresses* (compliance validation at acquirer discretion) |
#8 Advanced authorization services
Over the last decade, the major card brands have introduced many new products targeting specific population demographics. Well-known examples include rewards cards, prepaid cards, gift cards, and electronic benefit transfer (EBT) cards. These product lines have introduced significantly more data elements into the payment stream.
The flood of new data creates challenges and opportunities in managing authorizations for sustained and growing profitability. Now is an important time to have a payment processor with the technology to capitalize on the opportunities and mitigate the challenges.
New data and its role in modern payments
To support these new cardholder data streams, the major card brands developed robust and descriptive data sets that better describe cards, cardholders, and purchases. The card brands pass some of this information along to payment processors in the purchase authorization response, although not all processing platforms are able to capture and report the data. As data (payments intelligence, specifically) becomes an important differentiator in how some businesses sustain and build customer relationships, smart businesses see payments data as key to their success.
Payment processing platforms that are capable of passing the data in the authorization response often enable their merchants to implement better merchandising strategies, prevent customer churn, and increase revenue. There are three specific data sets that can have an immediate impact on merchants:
- Affluence indicators
- Prepaid indicators
- Account updater services
Affluence indicators and their role in merchandising
Credit card companies target affluent households with premier card programs such as Visa Signature cards and Mastercard World cards. When these types of cards are used, both Visa and Mastercard provide payment processors with an "Affluence Indicator" in authorization responses. The indicators denote two levels of affluence:
- Mass Affluent – Cardholders with an income greater than $100K
- Affluent – Cardholders with an income greater than $100K, who also spend more than $40K per year on the card
Merchants who have this information at the time of authorization can adjust their sales approach to the needs and spending patterns of the consumer, potentially generating additional sales. By storing and analyzing this data, merchants can plan future targeted marketing campaigns to this valuable cardholder demographic, which typically spends more often and tends to purchase more expensive items. These cardholders are also more likely to have higher or unlimited spending limits, providing higher authorization rates.
Increasing authorization rates using prepaid indicators
Card-branded prepaid cards represent one of the fastest growing card segments. These include non-reloadable cards like gift cards, rebate cards, and employee incentive cards, as well as reloadable cards like payroll cards, government EBT cards, and teen cards. Authorization responses on prepaid cards can also provide valuable data including:
- Visa, Mastercard, Discover, and American Express all return an indicator that identifies the card as prepaid.
- Non-reloadable Visa and Mastercard prepaid cards also return the available balance.
- Some Visa and Mastercard issuers provide balance information for reloadable cards.
Many merchants process card-not-present transactions with prepaid cards the same way they process credit and debit card payments. For merchants who use recurring payments or installment billing this presents obvious problems, as prepaid cards are more likely to become balance-depleted at some point during the billing series. Since prepaid cards can represent anywhere from 10-40% of authorization volume for many CNP merchants, a predefined strategy for managing prepaid cards is advised.
In contrast, if a merchant knows that a card is prepaid and can determine the remaining balance, it creates opportunities to accept payments or make other adjustments. For example:
- Instead of offering recurring or installment billing, merchants can offer the product or service on a fixed-term basis with an attractive one-time payment
- Merchants processing prepaid card sales originating from affiliates can adjust the way they pay commissions based on the authorization response
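As an added example (not code from the article or from any processor), here is one way a merchant's billing logic could act on the prepaid indicator and available balance described above before committing a customer to an installment series. The `AuthResponse` fields are a hypothetical, processor-neutral view of the data; real authorization responses use processor-specific field names and formats. The strategy names, the one-time "fixed-term" price, and the affiliate-commission policy are assumptions made for the example, not rules the text prescribes.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Union

Money = Union[Decimal, str, int]   # accepted as input; normalised to Decimal


def _money(value: Money) -> Decimal:
    """Coerce to Decimal via str() so floats and strings are handled exactly."""
    return Decimal(str(value))


@dataclass(frozen=True)
class AuthResponse:
    """Hypothetical normalised view of what a processor surfaces (assumed field names)."""
    approved: bool
    prepaid: bool                                 # brand prepaid indicator
    reloadable: Optional[bool] = None             # None when not reported
    available_balance: Optional[Money] = None     # None when the issuer did not return it


@dataclass(frozen=True)
class Recommendation:
    strategy: str          # one of the values documented in installment_plan()
    max_installments: int  # installments the known balance could fund (0 if unknown)


def installment_plan(resp: AuthResponse, installment_amount: Money,
                     installments: int, one_time_price: Money) -> Recommendation:
    """Decide how to bill a customer given what the authorization response revealed.

    Strategies returned:
      declined         authorization failed; nothing to plan
      recurring        not a prepaid card; bill the series as usual
      unknown_balance  prepaid, but no balance returned (common for reloadable
                       cards); flag the higher depletion risk the text describes
      recurring_ok     prepaid and the known balance funds the whole series
      offer_one_time   balance cannot fund the series but covers the fixed-term price
      insufficient     balance covers neither option
    """
    if not resp.approved:
        return Recommendation("declined", 0)
    if not resp.prepaid:
        return Recommendation("recurring", installments)
    if resp.available_balance is None:
        return Recommendation("unknown_balance", 0)
    balance = _money(resp.available_balance)
    amount = _money(installment_amount)
    fundable = min(int(balance // amount), installments)
    if fundable >= installments:
        return Recommendation("recurring_ok", installments)
    if balance >= _money(one_time_price):
        return Recommendation("offer_one_time", fundable)
    return Recommendation("insufficient", fundable)


def affiliate_commission_basis(resp: AuthResponse, rec: Recommendation) -> str:
    """One possible commission policy for affiliate-originated prepaid sales
    (an assumption for this example): pay on the sale for ordinary cards or a
    fully funded series, but only on collected funds when a prepaid balance is
    unknown or cannot cover the series."""
    if resp.prepaid and rec.strategy != "recurring_ok":
        return "pay_on_collection"
    return "pay_on_sale"
```

With a constructed response for a non-reloadable card holding 60.00 and a 9 x 14.95 series, the balance funds only four installments, so the logic steers the customer to a one-time 49.95 offer instead of starting a series that would fail partway through.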
Increasing revenue with account updating advances
Businesses that bill on a recurring or installment basis know that card changes — the result of data breaches, issuing bank portfolio swaps, card upgrades, or expiration date changes (among other reasons) — can interrupt the billing series and potentially sever the customer relationship forever.
Over the past decade, the major card brands have introduced account updater services that allow merchants, via their processors, to submit card data on file to the networks for updating and correcting stale information.
These services have been well received by all parties involved: merchants retain more customers; customers enjoy uninterrupted service; the networks maintain sales volume; and card issuers see increased account balances. However, traditional updater systems can have some shortcomings:
- Merchants are required to build and maintain an IT infrastructure to support the system
- Added processes intrinsically introduce inefficiencies to the merchant’s operations
- Transmission of credit card data presents the merchant with additional risk it may wish to avoid
A second generation of account updater has emerged that removes these burdens from the merchant. Payment platforms supporting this option effectively offer account updating as an automated, managed service. Benefits of this approach may include:
- No need to invest in IT infrastructure, coding, or data transmission
- Elimination of the file-based update process, resulting in faster, more secure, and more efficient processing
- Refreshed card information is stored in the cloud for future use
Some merchants may still want to maintain the updated credit card information in their systems. If so, they should make sure their processor offers the option to return updates in the authorization response. Additionally, as merchants consider the significant security benefits offered by an automatic account updater service, they should ensure that the solution they select is fully integrated with available data security solutions such as tokenization (see #9).
#9 Tokenization
Data breaches are occurring more frequently than ever. Data thieves don’t discriminate — both merchants and processors, regardless of size, are victims. Many breaches are particularly insidious because they go undetected for months, or longer, after an initial incursion. Some victims are PCI compliant, proving that such compliance doesn’t provide guarantees. New technologies are emerging that, when combined with other PCI approaches and standards, significantly bolster data security while lowering costs.
The cost of protecting yourself
Protecting yourself against a data breach can be an expensive endeavor. Merchants encounter direct expenses for both compliance and liability. Insurance can mitigate any financial costs associated with a breach, but it often does nothing to protect the company’s reputation and valuable customer base. Using emerging technologies that lessen the likelihood of a data breach can lower the costs associated with compliance, liability, and brand damage.
PCI, E2EE, and tokenization
PCI
PCI (see #7) has been promoted by the card brands and industry as the leading defense against card data breaches. Compliance is mandated for any merchant that accepts payment cards. In addition to complying with PCI, merchants are advised to augment their protection. Two technologies have emerged to combat the problem: end-to-end encryption and tokenization.
End-to-end encryption
End-to-end encryption is a methodology that addresses security when the card data is in transit or at rest. PCI-compliant companies already employ some level of encryption, since they are required to encrypt the data during transmission and protect it when it is stored, and that protection is most often encryption. In this scenario, the data has to be decrypted for processing and re-encrypted before being stored or transmitted. End-to-end encryption therefore provides point-to-point security but leaves a window of exposure while the data is decrypted for processing.
Tokenization
Tokenization is a methodology that addresses security when the card data is in transit, at rest, and while in use. Tokenization replaces card account information with "tokens" generated by a third-party service provider. In this manner, the merchant is not required to store any card data. These tokens are designed so they can be used in place of card numbers by all of the merchant’s systems. The additional security afforded during token usage usually means that tokenization is a more secure solution for merchants. Tokenization reduces the costs associated with having to encrypt, decrypt, and re-encrypt data each time access to credit card information is required.
A closer look at tokenization
In a tokenized environment, cardholder data is transmitted a single time and is stored by a third-party data vault, not locally by the merchant. Upon registering a card-based account number, a token is returned and used in all subsequent transactions. A merchant may store a token locally, but its card equivalent is stored by the third-party vault provider.
Tokenization is increasingly popular and is now available through more payment processors and other third parties. Every implementation is different, so it is important to choose a vendor with features that provide the most security and require the least amount of IT investment. Some features and things to consider:
- Tokens should take on the general format of credit cards so they can flow through the merchant’s systems like ordinary card numbers without significant programming changes.
- Tokens should only be valid for the merchant to whom they are registered. This renders them totally useless to unauthorized parties.
- Tokens should be usable by any authorized individual in your organization.
- It should be possible to use tokens in place of card numbers for all successive payment transactions including authorizations, deposits, refunds, and chargebacks.
- Select a vendor that allows you to retain absolute ownership of the tokenized data in case you wish to move to a different solution or processing platform at a later date.
Another consideration
With basic tokenization, there is a small window of vulnerability. That window is when the customer first enters his or her card data at the merchant’s site and the data is transmitted through the merchant’s systems to the processor for tokenization. Robust tokenization solutions offer a web service that allows point-to-point security during this stage. The vendor provides embeddable "payment page" code that interacts with the processor for tokenization. When the consumer enters payment card information, it is replaced with a registration key. Upon completion of check-out, the merchant uses this key to obtain a token representing card data already stored at the processor.
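To make the vault, merchant-bound tokens, and registration-key exchange above concrete, here is an added example (not code from the article or from any vault vendor) of a toy in-memory token vault. It keeps PANs unencrypted in a dictionary purely for illustration; a real vault encrypts and strictly controls access to stored card data. The class and method names, the choice to preserve the last four digits while making tokens deliberately fail the Luhn check, the single-use registration key, and the test card number `4111111111111111` (a standard test PAN, not a real account) are all assumptions made for the example.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: live card numbers pass it; our tokens never do."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy model of a third-party token vault (in memory, unencrypted, for
    illustration only; a real vault encrypts and controls access to PANs)."""

    def __init__(self):
        self._pan_by_token = {}   # (merchant_id, token) -> PAN
        self._token_by_pan = {}   # (merchant_id, PAN) -> token: one token per card per merchant
        self._reg_keys = {}       # one-time registration key -> (merchant_id, token)

    def _mint_token(self, merchant_id, pan):
        # Card-like format: same length, digits only, last four preserved so the
        # merchant can still display "card ending 1111". Deliberately never
        # Luhn-valid and never equal to the PAN, so a token cannot be mistaken
        # for (or submitted as) a live card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if (token != pan and not luhn_valid(token)
                    and (merchant_id, token) not in self._pan_by_token):
                return token

    def register_card(self, merchant_id, pan):
        """Vault side: the one place card data is received. Returns the token."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        key = (merchant_id, pan)
        if key not in self._token_by_pan:
            token = self._mint_token(merchant_id, pan)
            self._token_by_pan[key] = token
            self._pan_by_token[(merchant_id, token)] = pan
        return self._token_by_pan[key]

    def detokenize(self, merchant_id, token):
        """Processor side, at authorization/refund time. Tokens are bound to the
        merchant that registered them, so any other merchant gets nothing back."""
        pan = self._pan_by_token.get((merchant_id, token))
        if pan is None:
            raise PermissionError("token is not registered to this merchant")
        return pan

    # Hosted payment-page flow described under "Another consideration".
    def capture_from_payment_page(self, merchant_id, pan):
        """Called by the vendor's embedded payment-page code straight from the
        shopper's browser, so the PAN never crosses the merchant's servers.
        The browser receives a one-time registration key instead."""
        token = self.register_card(merchant_id, pan)
        reg_key = secrets.token_urlsafe(16)
        self._reg_keys[reg_key] = (merchant_id, token)
        return reg_key

    def redeem_registration_key(self, merchant_id, reg_key):
        """Merchant side, after check-out: swap the key for the token and keep
        only the token on file. The key is single-use."""
        entry = self._reg_keys.pop(reg_key, None)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("unknown or foreign registration key")
        return entry[1]


def hosted_checkout(vault, merchant_id, pan_entered_by_shopper):
    """Walk-through of the flow: browser -> vault -> key -> merchant -> token.
    Returns (token, masked display string) for the merchant to store and show."""
    reg_key = vault.capture_from_payment_page(merchant_id, pan_entered_by_shopper)
    token = vault.redeem_registration_key(merchant_id, reg_key)
    return token, "**** **** **** " + token[-4:]
```

Two properties worth noting: the same card registered twice by one merchant yields the same token (so refunds and chargebacks can reference the original sale), while the same card registered by a different merchant yields an unrelated token that the first merchant cannot detokenize.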
While tokenization itself will not completely eliminate the need for PCI compliance and liability insurance, it can significantly reduce costs, better protecting your brand.
Complete documentation on tokenization can be obtained from the PCI Security Standards Council via this URL: www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf
#10 Negative option marketing
Do your customers consent in advance to purchase recurring products and/or services until they cancel? If you use this type of marketing, known as negative option or continuity marketing, especially via e-commerce, you are continually on the radar of lawmakers and government regulators, both at the state and federal level.
We’ve developed the following practical approaches for using negative option marketing, which include regulatory considerations as well as those by the major card brands.
Advertising
Merchants should be able to substantiate any performance claims shown on their websites. Performance claims include, but are not limited to, guaranteed results, false cures, weight loss promises, etc.
- Media logos are prohibited without written consent from the media outlets (MSN, CNN, etc.)
- Images and endorsements of celebrities are prohibited without their express written consent
- Merchants should be able to substantiate testimonials shown on the website
- Websites cannot create a false sense of urgency for purchase (e.g. countdown clock, limited time only, offer expires today, check availability, etc.)
- If clinical trial information is displayed, the entity conducting the trial should be identifiable and unrelated to the organization selling the product or service
- Use of "Free Trial" or "Risk-Free Trial" is prohibited if at the conclusion of the trial the consumer is charged full price for the initial trial
If there are qualifications for the trial, they should follow preset logic. Consumers who don’t meet the qualifications should be disqualified and not allowed to receive the trial. Qualifications include, but are not limited to, age, sex, race, weight, height, etc.
Terms and conditions should:
- Be in at least 12-point type (or the same size as all other text on the payment page), with no confusing color contrast
- Be clearly disclosed on the payment page, either adjacent to the submit button or directly above the submit button
- Include details regarding the trial period, the renewal period, trial start/end period, and the cost for trial and renewals
- Have a billing period per cardholder equal to once a month (30 days)
- Include an "I agree to the terms" checkbox on the payment page
- Prohibit the use of pre-checked boxes
- Disclose the cancellation policy directly on the payment page
Customer service suggestions:
- There should be a "Contact Us" link on the website
- "Contact Us" should include a toll-free phone number, email address, and hours of operation
- Average hold time should not be more than 2 minutes
- Customer service hours of operation should be reasonable for the region in which the product is sold. Example: for a target market of the USA, customer service hours of 8:00am ET to midnight ET should be the minimum
- A purchase confirmation should be sent to the consumer by email. The email should restate the terms, including the length of trial periods, renewal terms, information on how to cancel, and customer service contact information.
- Ensure billing descriptors are consistent with website name, marketing materials, and confirmations sent to the consumer
Billing tips
- CVV should be implemented — the merchant should collect and decline all transactions when CVV is "No Match"
- AVS should be implemented — the merchant should perform an AVS check and decline all transactions where AVS response is "ZIP Code Does Not Match"
- If shipping insurance is offered, it should not be pre-checked. The consumer is required to opt into any additional insurance.
- Shipping and handling charges cannot be billed separately from monthly recurring charges
- Shipping and handling charges associated with the trial should be charged as one transaction
- When a customer is issued a refund, the merchant should cancel all future billing events
- Full refunds should be given on all merchandise including shipping and handling for consumer satisfaction
- Mandatory up-sells are prohibited; the consumer should opt in to all up-sells
- Product up-sells should be owned by the company that owns the website. The consumer’s credit card data cannot be shared or passed to a third party. All up-sells should be for a single charge, as recurring up-sells, even with the consumer’s acceptance, are prohibited.
- The terms and conditions of the up-sell should be clearly displayed either adjacent to or above the "I Enroll", "Upgrade My Order" or similar button
Distribution
- Merchant cannot capture the deposit transaction until the product has actually shipped
- Shipping should occur within 48 hours of purchase, or be clearly stated if the timeframe is going to be longer than 48 hours
- Tracking information should be sent to the consumer via email
Have questions about card not present transactions? We can help. Contact Worldpay today for information on card not present transactions.
Notes to the PCI validation requirements table:
* Internet-accessible.
** Effective June 30, 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered training programs (currently Internal Security Assessor [ISA] training) and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternately, Level 2 merchants may, at their own discretion, complete an annual on-site assessment conducted by a PCI SSC-approved QSA rather than complete an annual self-assessment questionnaire.