Fighting Friendly Fraud
One of the biggest challenges facing ecommerce and card not present merchants in today’s credit card processing environment is the steady rise of “Friendly Fraud.”, also known as the “I didn’t do it” or “It wasn’t me” chargeback. Friendly fraud occurs when a cardholder makes a legitimate purchase either online or over the phone, receives the goods or services, and then decides to chargeback the sale claiming that they did not authorize the transaction. Cardholders do this for a variety of reasons: to get something for nothing, to reduce their account balance, or because they can’t make the minimum payment on the credit card at the end of the month. Over time, issuing banks have made the chargeback process easier and easier for their cardholders, leading to greater and greater instances of friendly fraud.
Friendly fraud is a huge problem for merchants because the transactions in question are in fact authorized and legitimate. It is very difficult for the merchant to prove that the cardholder is being untruthful about authorizing the transaction. In many cases, it boils down to the cardholder’s word against the merchant’s and in most cases the issuing banks side with the cardholder and the merchant is stuck footing the bill for chargeback fees, time and effort to dispute the chargeback, cost of the goods or services, and the cost of acquiring the sale/lead/customer in the first place.
In the ecommerce environment, Payer Authentication programs, like Verified by Visa and MasterCard SecureCode can help merchants to reduce chargebacks and losses due to friendly fraud. Participating in these programs can create a chargeback liability shift from the merchant and the acquiring bank to the cardholder’s issuing bank. The cardholder can still commit friendly fraud, but it is no longer the merchant’s problem: the issuing bank is responsible for the chargeback.
When using Payer Authentication there are three possible scenarios for every transaction:
1. The issuing bank is participating in the program and the cardholder is enrolled in the program. In this scenario, the cardholder is prompted to enter a password to authenticate the sale. An ECI flag is attached to the transaction string which gives creates chargeback liability shift to the issuing bank. When the cardholder charges back as unauthorized, the ECI sends the chargeback to the issuing bank, not the merchant’s acquiring bank. In effect, the issuing bank is guaranteeing that the transaction is authorized.
2. The issuing bank is participating in the program and the cardholder is not enrolled in the program. This scenario can have two outcomes. The issuing bank can force enroll the cardholder in order to complete the sale or the issuing bank can do nothing. If the issuing bank does nothing, there is no request for a password, but merchant still gets liability shift on chargebacks even though the cardholder did not enter a password. Basically, the merchant has done their part by requesting authentication, if the issuing bank doesn’t want to make their cardholder authenticate, then they carry the chargeback liability.
3. The issuing bank is not participating in the program. In this scenario, there is no password request and no liability shift and the transaction occurs as a regular ecommerce sale.
Using Payer Authentication can result in a loss of conversions because in scenario 2 the cardholder might drop out of the sale rather than be force enrolled, but this is usually more than counterbalanced by the merchant’s overall processing costs being lower due to the reduction in chargebacks and their associated fees, costs, employee time and effort, etc.
Some processors maintain negative databases of card numbers that have been associated with friendly fraud. BIN blocking identifies these cards via the Bank Identification Number or Issuer ID contained within the credit card number and blocks the transaction.
Shipping Physical Product
Physical product should only be shipped to the billing address of the credit card. Always use the Address Verification System (AVS) to confirm that the billing address provided matches the address on file with the cardholder's issuing bank. Use a delivery service or courier that requires signature on delivery and provides order tracking and delivery confirmation. Always require the signature of the cardholder only upon delivery. Getting the cardholder’s signature on delivery at the billing address of the credit card can reduce the cardholder’s ability to dispute on a claim of an unauthorized transaction.
CVV2 is a credit card security measure consisting of 3 or 4 digit number appearing on the back of the card or on the front of the card after the card number. It is used in Card Not Present transactions to validate that the actual credit card is present and not just the credit card number. Valid CVV2 checks can help card-not-present merchants to win friendly fraud chargeback disputes.