Page 38 - GS180102
Education
Time to change force-post rules

By Ken Musante
Eureka Payments LLC

The thought of force posts takes me back to my issuing-bank days. Paper warning bulletins were sent weekly to all merchants. If merchants wanted to accept transactions above a specific dollar amount (called the "floor" amount), they had to either electronically authorize or manually check the warning bulletin to ensure the cards being used were not listed; otherwise they would be subject to chargebacks.

Today with electronic authorizations, the floor limit for nearly all merchants is zero, and every transaction is electronically authorized. So I thought it appropriate that Visa is set to change this practice. In the Dec. 14, 2017, issue of Visa Business News, Visa outlines its requirements to minimize merchant access to force-post functionality in an article titled "Acquirer Requirements to Control the Use of Force-Post Transactions."

Most merchants never need to force post an authorization with a sale. Force posts allow merchants to manually enter a previously obtained authorization and then force route the transaction through clearing and settlement. At the time the authorization is posted or forced with the sale, it is not validated. This means that whatever code is entered is accepted, and funds are debited to the issuer and credited to the acquirer.

The system forces the original authorization and capture, and that information is submitted into interchange, regardless of whether it was authorized. Later, if that transaction is disputed, and if the authorization is not valid, the issuer may initiate a chargeback, and the merchant will not have recourse.

Fraudsters can exploit force posts

Through the years, as merchants have migrated to electronic authorizations and shortened delivery time, the need to force post transactions has radically diminished, yet acquirers still set up all merchants with that functionality. Most merchants do not even realize what a force post is, and fraudsters have leveraged that fact. Specifically, they have used the force-post process to perpetrate fraud through the following schemes:

• Gain control of a merchant account and then force post transactions. If the transactions are not noticed, the funds can be accessed from the connected deposit account. This can be from a fraudulently obtained merchant account or one involving a cooperating merchant.
• Deceive merchants by presenting a forged bank letter that authorizes "offline" (force-posted) transactions to pay for large sales orders or by convincing the merchant the fraudsters have an authorization code that must be entered into the system. Some merchants do not question the letter's authenticity and release the goods, as they see the transaction in their terminal.
• Process extremely large force-post transactions with offsetting credits from different card numbers. The batch totals are not out of balance, but the force posts disguise the credits from detection. These schemes are sometimes done over a holiday weekend and from foreign cardholder accounts. Consequently, obtaining verification from the cardholder is impractical and the risk staff might be less attentive.
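
An added example, not taken from the article or from Visa's requirements: a batch review that an acquirer's risk team could run before settlement, covering two points made above (the entered code is not validated when it is posted, and offsetting credits keep batch totals in balance). The record fields, the authorization log and both thresholds are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample settlement batch. Field names are assumptions for this
# example, not any processor's real record layout.
SAMPLE_BATCH = [
    {"kind": "sale", "forced": False, "card": "A",
     "amount": Decimal("42.10"), "auth": "0A1B2C"},
    {"kind": "sale", "forced": True, "card": "B",
     "amount": Decimal("25000.00"), "auth": "999999"},
    {"kind": "credit", "forced": False, "card": "C",
     "amount": Decimal("24950.00"), "auth": None},
    {"kind": "sale", "forced": True, "card": "D",
     "amount": Decimal("18.00"), "auth": "77AA10"},
]
# Constructed authorization log: (card, code) pairs the host actually approved.
SAMPLE_AUTH_LOG = {("A", "0A1B2C"), ("D", "77AA10")}


def review_batch(batch, auth_log, large=Decimal("5000"),
                 offset_ratio=Decimal("0.9")):
    """Return (findings, net). A small net total does not clear a batch."""
    findings = []
    forced = [t for t in batch if t["kind"] == "sale" and t["forced"]]
    credits = [t for t in batch if t["kind"] == "credit"]

    # 1. The code typed in at force-post time is accepted as entered, so
    #    match it against authorizations that were really issued.
    for t in forced:
        if (t["card"], t["auth"]) not in auth_log:
            findings.append(("unmatched_auth", t["card"], t["amount"]))

    # 2. A large force post mostly cancelled out by credits to other card
    #    numbers leaves the batch looking balanced; flag the pairing itself.
    for t in forced:
        if t["amount"] < large:
            continue
        offsetting = sum((c["amount"] for c in credits
                          if c["card"] != t["card"]), Decimal("0"))
        if offsetting >= t["amount"] * offset_ratio:
            findings.append(("offset_by_other_cards", t["card"], offsetting))

    sales = sum((t["amount"] for t in batch if t["kind"] == "sale"),
                Decimal("0"))
    refunds = sum((c["amount"] for c in credits), Decimal("0"))
    return findings, sales - refunds
```

On the constructed batch the net is only 110.10, yet both checks fire on card B, which is the pattern a totals-only review would miss.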