A practical guide of chargeback and fraud management for e-commerce merchants
Each merchant accepting credit or debit cards, as a method of payment, needs to follow various rules imposed upon them by card associations. The two biggest associations (i.e. Visa and Mastercard) have a comprehensive set of rules for whichever situation involving either card present or card absent transactions. In this post, I will review chargeback and fraud monitoring programs, established by Visa and Mastercard. These monitoring programs are aimed at the elimination of fraud and controlling disputed transactions (also called chargebacks). Card schemes have established certain thresholds upon exceeding which, merchants will be obliged to pay additional fees and penalties. The penalties in question are monthly fines and additional fees, which must be paid until chargebacks and/or fraud levels are reduced below thresholds.
Visa monitoring programs
For the past couple of years, Visa was continuously lowering the thresholds for an acceptable number of chargebacks and fraudulent transactions. In Europe, Visa has two separate monitoring programs: Visa Fraud Monitoring Program (VFMP) and Visa Chargeback Monitoring Program (VCMP) which apply to both e-commerce and traditional merchants. In their core, they are similar as they are pursuing the same aim – the reduction of unwarranted transactions. However, the programs impose different thresholds upon exceeding which, merchants become responsible to pay up. For merchants, based in the US, EU, Canada, Australia, and Brazil, the monthly totals for transactions are calculated on the aggregation of the average of domestic transactions. For merchants outside of these territories, calculus additionally takes into account cross-border transactions.
While evaluating whether a specific merchant has to be placed on either of these programs Visa takes into consideration two criteria, both of which must be met or exceeded:
- The total number of payments that have been disputed (Dispute Count for VCMP) / the value of the amount of the disputed payments (Dispute Amount for VFMP); and
- The ratio of disputed payments counts to the total number of payments for the same month (Dispute Rate).
Prior to placing a merchant on the monitoring program, Visa will inform the merchant regarding the risk of such an occurrence. It does so to allow pre-emptively to resolve the issues and to help merchant continuing with the business as usual, without the imposition of any additional costs. At this point, it is worth noting that all communication with the merchant is not done by Visa itself, rather it is carried out through the acquirer, which opened a merchant account. The acquirer in this sense is acting as an intermediary supervising the merchant and helping to resolve issues of the rising number of chargebacks or fraud.
Currently, Visa has three thresholds (1) early notification, (2) standard, (3) excessive. Whenever merchant reaches any of the established thresholds during a given month, it is responsible to pay up fines and follow up with the reduction in accordance to the plan, which we will outline further in more detail. In this regard, it is worth noting, that a merchant in a high-risk category (i.e. merchant category codes: 5962, 5966, 5967, 7995, 5912, 5122) after reaching even a standard chargeback/fraud threshold will be deemed to have reached the excessive threshold.
Prior to January 2016 merchants were placed on standard monitoring program upon incurring Dispute Rate equalling or exceeding 2% and Dispute Count of 200. From January 2016 the threshold was lowered to Dispute Rate of 1% and Dispute Count of 100. Visa also implemented early notification policy per which acquirers being informed by Visa regarding the merchant approaching the threshold whenever merchant reached Dispute Rate of 0.75% and Dispute Count of 75. Excessive chargeback threshold was placed at Dispute Rate of 2% and Dispute Count of 500.
In February 2019 Visa issued a statement contemplating lowering these thresholds even further starting from October 2019. According to these new thresholds, the merchant will be placed on the standard monitoring program and seen as exceeding allowed limits upon equalling or exceeding Dispute Rate of 0.9% and Dispute Count of 100. The early warnings for merchants will be lowered as well to Dispute Rate of 0.65% and Dispute Count of 75 during an accessed month. Under new changes, excessive chargeback threshold will be set at Dispute Rate of 1.8% and Dispute Count of 1000.
From January 2016 merchants, equalling or exceeding Dispute Rate of 1% and Dispute Amount of 75,000 USD were placed on the standard monitoring program. Merchants were receiving an early warning upon reaching the threshold of Dispute Rate of 0.75% and Dispute Amount of 50,000 USD. Merchants which were reaching Dispute Rate of 2% and Dispute Amount of 250,000 USD were placed on excessive merchant program.
As of October 2019, a merchant will be placed on the standard monitoring program upon reaching Dispute Rate of 0.9% and Dispute Amount of 75,000 USD. The early warning will be issued upon merchant reaching Dispute Rate of 0.65% and Dispute Amount of 50,000 USD. The excessive threshold will be established at Dispute Rate of 1.8% and Dispute Amount of 250,000 USD.
The following table illustrates differences between the thresholds prior to and after 1st of October 2019 for both programs:
What are practical implications for merchants exceeding thresholds?
Merchants exceeding outlined thresholds are triggering notification period during which they may redeem themselves by lowering the disputed transaction. If they fail they will face a Non-Compliance Assessment, which is, in fact, a fine. Whenever a merchant reaches the early warning threshold, notification is sent to both acquirer and merchant. It is done in order to prevent further escalation and allow identifying the root cause before there is a breach. During 4 months after notification merchant must correct itself and force chargeback/fraud below acceptable thresholds. At this time, no penalty imposed upon the merchant.
After the merchant exceeds the standard threshold, it will have four months to lower the chargeback/fraud levels. If during these four months merchant fails to make progress and continues to exceed the thresholds it will enter the enforcement stage during which fines and additional fees will be applicable.
VCMP standard enforcement period (starting from 5th and ending on 12th months) triggers higher fees for each chargeback for a merchant. This period can be split into three different sub-periods, first starting on 5th month and ending on 7th, second starting on 8th and ending on 9th, third starting on 10th and ending on 12th. During first sub-period merchant must pay 50 USD for each chargeback, during second and third it must pay 100 USD. Additionally, during third-period merchant is liable to pay a one-off 25,000 USD review fee.
VCMP Standard timeline:
Whenever merchant exceeds VCMP excessive threshold or is a high-risk merchant exceeding the standard threshold, it is immediately subject to the Non-Compliance Assessment. Under excessive threshold there are two periods of enforcement for the first 6 months and for the remaining 6; during whole this period merchant is obliged to pay 100 USD per chargeback. In the second period (i.e. after the initial 6 months) merchant must also pay a one off 25,000 USD review fee.
VCMP Excessive timeline:
After exceeding VFMP standard threshold and entering enforcement period (i.e. from 5th month) during which it has no possibility of rebutting a chargeback with the reason code 93 fraud, regardless of the circumstances of the case. Therefore, any fraud related chargebacks must be automatically accepted and settled.
VFMP Standard timeline:
Whenever low-risk or medium-risk merchant reaches VFMP Excessive threshold or when high-risk merchant reaches standard threshold it instantly becomes subject to enforcement, from the first month of the program. The enforcement is total of 12 months which can be divided into four smaller periods each lasting three months: first ranging from 1st to 3rd month, second ranging from 4th to 6th month, third ranging from 7th to 9th month and fourth ranging from 10th to 12th month. During whole 12 months, the merchant cannot dispute any fraudulent transactions with code 93 and must automatically accept all such chargebacks. Apart from it, merchant incurs substantial fines: first period 10,000 USD, second period 25,000 USD, third period 50,000 USD, and fourth period 75,000 USD.
VFMP Excessive timeline:
If a merchant which was placed on whichever of these programs fails to reduce the Dispute Amount or Dispute Count and Dispute Rate it will be eligible for disqualification (i.e. no longer will have possibility to accept Visa cards) and may incur a fine (25,000 USD in case of the VCMP and 75,000 USD in case of the VFMP). Therefore, it is of due importance for whichever merchant not to become subject to the enforcement period and even more important not to exceed them in both of these programs.
Redress comes whenever merchant, who was placed on one of the programs, has lowered its level of fraudulent transactions or chargebacks below the standard threshold within the period of three consecutive months. Meaning that merchant under monitoring cannot exceed thresholds even once. If during this period the threshold is exceeded, the program will be initiated from the month of the breach. In this regard, it should be noted that merchant which reached excessive threshold will be in it until it lowers its Dispute Rate and Dispute Count/Dispute Amount. After merchant manages to stay below the standard threshold for three months the requirement to pay any penalties disappears.
Mastercard monitoring programs
Mastercard has developed Excessive Chargeback Program (ECP) for monitoring merchants having a high number of chargebacks. There are a total of three thresholds which are differentiated by applicable penalties and remediation timelines. As well, Mastercard distinguishes by the type of merchant which is placed on one of the programs; the first type is Chargeback-Monitored Merchants (CMM) and the second is Excessive Chargeback Merchant (ECM). Merchants falling under the definition of CMM are receiving early notifications, whereas merchants classified as ECM are subject to enforcement. Like VISA, Mastercard considers chargeback count and chargeback ratio, albeit calculation method is different. In its calculus, Mastercard considers the number of chargebacks for a given month and the number of transactions from the previous month. Interestingly, Mastercard converts ratio into chargeback basis points, which are further used while calculating fees which are due from a merchant. These points are represented in the following manner: 100 points equal to 1% ratio; 150 points equal to 1.5% ratio and so on. Overall, while evaluating whether merchant must be placed on a monitoring program Mastercard takes into account:
- The total number of payments that have been disputed (Dispute Count); and
- The ratio of disputed payments to all payments from the previous month (Dispute Rate).
For monitoring of fraudulent transactions, Mastercard has only one program – Mastercard Global Merchant Audit Program (GMAP) applicable to merchants exceeding thresholds for fraudulent transactions. Differently, from CFMP, GMAP takes into account three conditions for a merchant to be placed on a monitoring program:
- The number of payments that are identified as fraudulent (Dispute Count);
- The total fraud amount more than the established threshold (Dispute Amount); and
- Fraudulent transactions to sales ratio (Dispute Ratio).
Now let’s look closer into these programs in order to outline from what merchants must refrain from in order not to be placed and how they can exit whenever placed on one.
Chargeback-Monitored Merchants (CMM)
Merchant classified as CMM is notified as soon as it has chargeback to transaction ratio of more than 1% and chargeback count of more than 100 during a given month. After such notification merchant is closely supervised and has the responsibility to submit monthly reports regarding occurred chargebacks. Differently, from early notice under VCMP, there is no timeline during which merchant must become compliant, it simply must stay below the ECP enforcement threshold. Notably, under CMM program there is no issuer reimbursement, no violation, nor reporting penalties. There is only one additional fee of 5,000 USD for each month that a specific CMM report is overdue, the report must be submitted within 45 days from the end of the month. If a merchant fails to submit one report for 2 months, it will need to pay a penalty for such failure equal to 10,000 USD. The table below illustrates the payments which may be due from a merchant under such circumstances:
Excessive Chargeback Program (ECP)
Under ECP merchant is classified as tier 1 ECM whenever it exceeds 1.5% Dispute Rate and has more than 100 Dispute Count for a period of two consecutive calendar months in a row (also called “trigger months”). Within 30 days from the end of the second trigger month, the merchant must submit, and on a monthly basis thereafter, an ECM report instead of CMM report. As well, the price equal to 100 USD must be paid to Mastercard for review of each such report.
Mastercard calculates the issuer reimbursement fees in the following steps 1, 2, and 3 while calculates the violation assessment in step 4.
- Calculate the chargeback ratio for each calendar month that the ECM exceeded the ratio of 150 basis points (1.5% or 0.015).
- From the total number of chargebacks in the above chargeback ratio calculation, subtract the number of chargebacks that account for the first 150 basis points of the ratio. This amount is equivalent to 1.5% of the number of monthly sales transactions used to calculate the ratio. The result is the number of chargebacks above the threshold of 150 basis points.
- Multiply the result from step 2 by 25 USD. Here ends the calculation of issuers reimbursement.
- Adjust the result in step 3 to reflect the extent that the acquirer has exceeded the 150 basis points threshold by multiplying the value in step 3 by the ratio in equivalent basis points. Divide this result by 100. This amount is the violation assessment.
Repeat steps 1–4 for each calendar month (other than the first trigger month) that the ECM exceeded a chargeback ratio of 150 basis points or 1.5%.
Example: The acquirer for merchant ABC acquired Mastercard sales transactions and chargebacks over a six-month period as follows:
February and March are the trigger months, as these are two consecutive months where the chargeback ratio exceeded 150 basis points. At the end of July, Merchant ABC was no longer an ECM as its ratio was below 150 basis points for two consecutive months. Mastercard calculates assessments and issuer reimbursements for each of the months March through July. For example, the assessment for April (using March sales transactions and April chargeback volumes) is calculated as follows:
- The chargeback ratio = April chargebacks/March sales transactions = 1,556/95,561 = 0.01628 or 163 basis points (rounded)
- The number of chargebacks in excess of the 150 basis points is determined by subtracting 1.5% of the March sales transactions from the number of April chargebacks. 1.5 percent of the March sales transactions (95,561 x 0.015) is 1,433. 1,556 – 1,433 = 123 chargebacks
- The issuer reimbursement for April is 123 x USD 25 = USD 3,075
- The violation assessment is (USD 3,075 x 163)/100 or 501,225/100 = USD 5,012.25 Using this methodology, the issuer reimbursement fees and assessments for the acquirer for merchant ABC are as follows, in the table below.
In the above scenario merchant successfully has exited ECP and did not become tier 2 ECM.
After merchant was classified as a tier 1 ECM for longer than 6 months (consecutive or not), it becomes classified as a tier 2 ECM under the ECP. With respect to tier 2 ECM, Mastercard may:
- Advise the acquirer to complete ECP- Action Plan and on other measures which acquirer should take to reduce the chargebacks;
- Require the merchant to undergo Global Risk Management Program Customer Risk Review (it is a program by which Mastercard identifies, analyses, evaluates, responds to, and monitors risks to which customers and service providers may be exposed on an ongoing basis).
After 12 months of the merchant being classified as ECM (consecutive or not) merchant, in addition to the fees described prior, is subject to noncompliance assessments of up to USD 50,000 per month after the twelfth month that the merchant remains an ECM. As well, if the assessment is carried out while the merchant is in tier 2, he may be terminated in accordance to instructions received from Mastercard and may be put on Member Alert to Control High-Risk Merchants (MATCH) list, which in fact is a blacklist among acquirers.
The GMAP is a compliance program that establishes whether a merchant reaches or exceeds an established level of fraud in any single month based on program criteria using a rolling period of six months’ fraud data. Important to note that if the merchant has more than one location (or outlet), the program criteria apply to each location independently. There is a total of three different thresholds under GMAP as is outlined in the table below:
Mastercard will notify the acquirer whenever merchant is classified as tier 1, tier 2 or tier 3 through Merchant Online Status Tracking (MOST) tool. GMAP classifications are provided for information purposes only when it concerns tier 1 and tier 2 and do not require any action. The response is required only in cases when the merchant is identified as tier 3 after what Mastercard initiates a tier 3 special merchant audit.
During tier 3 special merchant audit acquirer may decide to either terminate the merchant and add it to MATCH list or supply compelling reasons to Mastercard to the contrary by outlining exemptional circumstances and fraud control measures in place. In case of acquirer deciding not to terminate the merchant, Mastercard at its sole discretion may decide to:
- Grant exclusion for merchant identification;
- Provide the opportunity to implement additional fraud control measures (“the fraud control action plan”), as directed by Mastercard;
- Assign chargeback responsibility to the merchant without the right to dispute, for a period of at least six months and a maximum of twelve months.
Tier 3 Special Merchant Audit Sample Timeline:
Normally, tier 3 special merchant audit lasts 6 months as outlined above, albeit this timeline may be increased to 12 months. Mastercard does not supply details of specific fines however a continued violation will fall under what Mastercard describes as “Category A noncompliance”. Category A noncompliance occurs when a merchant affects payment system integrity. Mastercard has the authority to impose monetary noncompliance assessments for Category A noncompliance, again at its sole and absolute discretion. Therefore, it is of due importance for each merchant not to fall under the review of Mastercard as it may lead to substantial fines.
Why is it important to consider programs established by more than one card association?
Even in cases where the merchant does not exceed the applicable thresholds in overall calculations, it can exceed such threshold for a specific association. Neither Visa, nor Mastercard when looking at the number of chargebacks take into account transactions processed by other networks, they don’t even have access to such information. Therefore, whenever establishing whether the merchant is violating rules imposed upon them and exceeding the limits all associations will look only at transactions processed by the cards which were issued under their brand.
We can illustrate it by looking at the chargeback ratio. As its name implies, a chargeback ratio compares the number of chargebacks filed against the merchant in a given month against a total number of transactions in the same period. That seems simple at first glance, but it is tricky when looking at how those figures are calculated.
For the sake of simplicity let’s take a standard ratio for total transaction volume equal to 1 % for both Visa and Mastercard (as it stands prior to 1st October 2019). Even though it is the same threshold, the merchant does not have just one chargeback ratio. Instead, the merchant has a different figure for each individual card association. It’s possible to be under the threshold for one, while breaching your threshold on another.
Why staying just under the thresholds is not an option?
Even if the merchant has a transaction ratio just below the thresholds established by the card associations, it still can incur troubles from the acquirer, which opened a merchant account. The reason for it lies in the fact that merchants are not paying penalties themselves to cards associations, rather the acquirers pass them through. Therefore, acquirers are strongly incentivised for all their merchants to always stay below the established limits. Acquirers are allowed and some of them are imposing even lower thresholds than those of card associations. Such acquirers may decide to cease working with the merchants, which are constantly near the breaching point if they are causing more trouble than derived revenue is worth. In such cases, acquirers may terminate the account of the merchant and even place him/her on a MATCH list.
What merchants can do to avoid being placed on the monitoring programs?
As outlined above, merchants can incur substantial expenses and disruption to the business if not staying below thresholds established by card associations. Apart from it, each chargeback accompanies a variety of fees which range somewhere around 20 USD- 100 USD. Therefore, it is in the interests of each merchant, accepting card payments, to reduce the number of disputed transactions. Further, I will outline the best practices which can help pre-emptively reduce the number of chargebacks:
Better customer engagement (customer service/ more information)
When considering the reduction of chargebacks and fraudulent transactions merchant’s top priority is the provision of correct information to the customers and good customer service. It is the cornerstone for any type of business as it helps to minimise returns or questions around the goods and services the merchant has provided. A detailed explanation is crucial as it provides certainty for the customers and establishes a higher level of satisfaction with supplied services and products.
Such information should be provided not only on the webpage or in the store, but also through easily accessible customer support, which would answer relevant questions. So, it is important to establish a dedicated person or team in place to deal with purchase queries and returns. This way, instead of initiating a chargeback immediately, the customer can contact a merchant first to resolve any issues before a chargeback procedure is initiated.
Risk management tools
Reduction of chargebacks can be achieved through the establishment of secure identification of the person performing a transaction and secure authorisation. It can be achieved through the employment of transaction acceptance tools and risk screening filters. The key components of risk management are as follows:
- Address Verification System (AVS) – AVS requires a customer to enter their billing details along with the card information when executing a transaction. The address is when compared to bank records and gets assigned a code based on how close the address entered matched with the bank record. Merchant then can decide whether to proceed with the transaction or not, based on the varying degree of similarity.
- Card Verification Code (CVC/CVV2)- Card Verification Code is a three-digit security code which is listed on the back of the card. In order for whichever transaction to come forward, it must be entered exactly as is imprinted on a card.
Apart from these two standard tools, it is advisable to employ additional checks for the execution of whichever transaction. Such fraud prevention filters should specifically consider: High-risk IP address checks, Email scanning, Post-query analysis, GeoIP address location checks, Third party risk monitoring such as MaxMind or Ethoca Any combination of risk filters such as block BINs, BIN countries, PANs, IP addresses, velocity filters, and so on and so forth.
Designated transactions confirmed with 3D secure
Merchants which are selling goods/services with a higher price, let’s say more than 100 USD, should implement a 3D Secure confirmation for the execution of transactions above such threshold. 3D Secure stands for 3rd Domain Server, there are third parties adding additional security – in this case, issuing banks that are involved confirming the identity of the cardholder and the transaction. The scheme is a collective of Verified by VISA (VBV) and MasterCard Secure Code (MSC). It is one of the most effective fraud prevention initiatives that are available at the moment.
On the checkout page, the cardholder has to enter card details, acquirer triggers an inquiry to the issuing bank, which initiates confirmation of the transaction by the cardholder by entering a passcode tied to the card in question. This feature allows acquirers to confirm with the issuing bank the identity of the cardholder while buying goods and services. Whenever validating transactions with the 3D Secure, customer needs to additionally enter an authorisation code, sent to him/her by the issuing bank. Such a solution is adding an extra layer of security and subsequently certainty that transaction indeed was authorised by the cardholder.
Unambiguous name and properly formatted statements
A higher number of chargebacks arises in cases of incorrect descriptors (merchant name setup in Visa/Mastercard systems). Very often cardholder does not recognise the executed transaction due to the discrepancy between a brand/trade name and legal name of the merchant’s company.
Particularly vulnerable to such issue are e-commerce merchants, which often operate under the online store domain name, which is different from the legal entity in whose name merchant and bank accounts are opened. In such an instance, the customer may simply not recognise the transaction and request the refund. Therefore, it is advisable for each merchant to have a consistent brand name across all sales channels.
In addition to the above-outlined solution, the merchant should be notifying customer on how the charge will appear on the card statement. It can be realised through providing a statement of the executed transaction after checkout, or by sending a confirmation email with the details of the transaction. As well, it is advisable for such statement to use a dynamic descriptor, which will automatically add the number of the order to the main descriptor of the merchant.
Use shipping tracking numbers
For merchants, selling physical goods, it is crucial that shipment tracking numbers are provided. Clients should not only receive the confirmation of the acceptance of the order but should receive a tracking number allowing to monitor the entire journey of the package. The level of tracking, such as requiring signature confirmation, is largely up to the merchant’s discretion. However, if implemented, the customer should as well be notified whether the package was successfully delivered as to avoid any further claims for not receiving the goods.
Cross-reference shipment and billing address
The higher probability of chargebacks arises in cases where goods are ordered to a different address than was the billing address. Therefore, it is advisable to compare the address to which goods were ordered against that one which is entered as a billing address. In case of a huge discrepancy between the two (e.g. different countries), merchants should cancel the transaction. It allows to avoid frauds with the stolen cards and minimise chargeback arising from such practices.
Offer easy refunds
The refund policy should be comprehensive and each client wishing to perform such should have a precise understanding of steps, which are required to be undertaken. Customers should not incur more hardship whilst filing a request for a refund than while making a purchase, it should be even easier. Request for a refund should be processed in a reasonable time and customer should be clearly informed when to expect money on their card. Additionally, it is important that refund would be issued to the same card that made the transaction, as to avoid any disputes on receipt of funds.
Originally published at https://www.dmitrijusapockinas.com/2019/02/trends-in-electronic-commerce-that_47.html on 12th of March 2019