White Paper: Managing merchant processing risk - Pt. 1 By ETA Risk & Fraud Management Committee
2005 - 2006 ETA Risk & Fraud Management Committee
- Mary Dees Griffith (Chair)
President
Creditranz.com
- Jeffry Beene (Vice Chair)
Executive Vice President/Chief Compliance Officer
Pipeline Data Processing Inc.
- Barrie Berman VanBrackle
Partner
Manatt, Phelps & Phillips LLP
- Mark Cook
Vice President, Risk Management
TransFirst LLC
- Jeffrey D. De Petro
Vice President, Credit, Risk & Chargebacks
EVO Merchant Services
- Stephanie Gibbons
Fraud Manager
Authorize.Net
- Laurie LeBoeuf Novacek
Senior Vice President
Merchants' Choice Card Services
- Eduardo Perez
Vice President, Corporate Risk & Compliance
Visa U.S.A. Inc.
- Steven Peisner
Vice President
Acquiring Solutions International
ETA Staff Liaison
- Rob Drozdowski
Senior Director
Editor's note: ETA published this white paper April 17, 2006. It is reprinted with permission. Because of limited space, we have divided the document into two parts. Look for Part II in a future issue of The Green Sheet. You can also download the white paper at www.electran.org/info/white_papers.asp
1. Executive summary
Acquirers are at financial risk from merchant performance in several ways. While many industry initiatives are focused on fraud and identity theft, a significant percentage of the financial loss associated with credit and debit payments comes from organized fraud, business failures, unfunded chargebacks and inadequate monitoring of merchant accounts.
Acquirers need to focus on the performance and financial strength of their merchants as part of their overall risk strategy.
One of the key areas of focus for any merchant acquiring risk management program should be the subset of accounts that can cause the most harm. The higher-volume processing accounts, low volume/high-ticket retailers, merchants who are prone to chargeback activity and merchants who provide future delivery of products and services can create larger losses if they incur financial difficulties.
Acquirers need to have an effective review of their existing merchants on a regular basis, in addition to a thorough due diligence process for new merchants.
2. Managing merchant processing risk
Developing an effective merchant processing risk program is more art than science, along with a bit of intuition and good luck. There is no one set algorithm or methodology that can be used to manage transaction risk. Discovering transaction fraud may simply be the result of a hunch, and at other times it may be based on years of risk management experience.
Each organization's risk profile is unique, depending on many factors including merchant type, transaction volumes, technological resources and other criteria. Moreover, any effective risk program must be dynamic and adaptable in order to combat the latest criminal tactics.
Many risk management professionals suggest adopting a Sherlock Holmes-attitude when managing risk: the theory of deduction, or common sense. One such informal approach for risk reviews and investigations can be thought of as the 50/50 rule, where 50% of the conclusion is determined by the merchant explanation, transactional data and transaction documentation, while common sense determines the other 50%.
For example, does it make sense that a merchant who sells used computers at a flea market is now contracted with a major cable company to install its entire network? However, when you have a merchant who sells glow-in-the-dark light sticks, and he/she indicates that the company received a government contract to provide this product to the troops overseas, this may seem reasonable.
3. The shape of fraudulent activity
There are many ways in which merchants and consumers attempt to commit credit card fraud. Consumers may attempt to cheat merchants, and merchants may try to cheat consumers and acquirers. In addition to deliberate criminal activity, there are many scenarios in which merchants and acquirers are victimized by consumer activity, such as consumers unable or unwilling to pay their credit card invoice when received, i.e. so-called friendly fraud.
The next few sections outline some common ways in which acquirers might be victimized and some preventive measures that can be used to mitigate fraud risk:
3.1. Bait-and-switch criminal fraud: Criminals may assume the temporary identity of legitimate merchants and enter acquiring relationships for the sole purpose of committing criminal fraud. They bait the acquirer by appearing to operate as trouble-free merchants for the first several months of their relationship, with the intent to fool the acquirer into thinking they are legitimate so that the acquirer will lessen its scrutiny.
After a time, the merchant begins to process all types of fraudulent transactions, including illegally obtained card numbers, and card numbers submitted by friends, employees or collaborators with plans to chargeback the transactions. The merchant will receive the funds and disappear, leaving the acquirer to suffer the loss from chargebacks.
Preventive measures: Prevention of this form of fraud is aided by careful underwriting before an account is approved, including reviewing records of the merchant's previous processing history with other acquirers, obtaining references from the merchant from other vendors and conducting a thorough company background investigation. If the merchant is new, setting proper contingency reserves is an important risk management strategy.
However, payments professionals need to exercise caution, as fraud will often appear before a significant amount of reserved funds have been accrued. In addition to the investigation before signing the merchant, careful ongoing monitoring might detect sudden changes in transaction patterns.
Some examples of potential early indicators of fraud include earlier than normal chargebacks, higher credits, negative daily settlement amounts, or an increased difficulty in reaching the merchant by phone.
3.2. Business format change: Merchants who cannot get approved to sell certain types of high-risk services or merchandise, or who might be denied a merchant account because they operate using a business format that is risky (such as multilevel marketing), often obtain merchant accounts by lying about the nature of their product or their business practices. They are classified by the acquirer as one type of merchant, but then engage in a different business than what they indicated on their application.
Sometimes the difference is subtle, such as a travel agent who begins selling certificate travel programs, or an online newsletter publisher who starts to sell financial service products. Other times, the change is quite stark - from saying that they are selling a newsletter for pool owners to suddenly operating an adult site.
Preventive measures: The fraud could be detected via random customer contacts and "ghost" shopping. Additionally, transaction monitoring techniques that analyze average transaction values, transaction patterns, chargeback reason codes, and chargeback volume/timing are effective at combating this type of fraud.
For example, if a merchant typically sells a variety of merchandise, the value of the tickets should be varied by product price and quantity. If the transactions soon become smaller, say $29.95 and these occur on cardholder records once a month, it may indicate a subscription or time payment has been sold, possibly for an adult Internet site.
Depending on the product they are truly selling, look out for monthly processing that exceeds expected sales or an increase/decrease in returned sales (credits). As in many of these fraud scenarios, one of the most effective means of detection is random interviewing of cardholders and for risk managers to pose as customers to see if the merchant is selling what he said he would (ghost shopping).
3.3. Merchants never ship: Merchants may process transactions and never ship the merchandise, or ship deliberately defective or incomplete products. The merchant may not honor a chargeback request and leave the acquirer to take the loss.
Preventive measures: The most effective means of detection is random interviewing of cardholders to see if they have received the product/service and that they are satisfied with the merchant. Risk managers can also pose as customers to see if the merchant is selling what he said he would. Also, in some cases, it is necessary to ask the merchant randomly for receipts from shipping companies proving delivery.
3.4. Factoring: Merchants sometimes accept transactions from a third-party vendor. They do this because the third-party vendors cannot otherwise obtain a merchant account on their own. Typically, the other vendor offers to compensate the legitimate vendor if he allows his merchant account to be used to process transactions.
The transactions have not been consummated with the original merchant, nor do the cardholders know or realize who the original merchant is, as they are only familiar with the third-party vendor. Either or both the merchant and vendor may be fraudulent.
Preventive measures: This form of fraudulent activity is specifically prohibited by the card company operating rules. Detection is possible by careful underwriting and risk monitoring, which should reveal different ticket amounts than expected and different patterns of purchases. Random customer calls, reviewing cardholder chargeback documentation and ghost shopping are methods that should reveal the fraud.
3.5. Two-card refunds: A merchant sometimes runs a debit on one card, then credits for a dollar amount slightly less than the original amount on another card. This is one method that can be used for laundering money. It also is a method used to defraud acquirers since the merchant would be paid for the processing and then, through the friendly third party's cards, also receive the credits.
Until recently, this practice was most typically associated with credit card transactions; however, today, credit is also being provided through offline debit cards. The third party then withdraws the funds via a bank or ATM, making the reversal/return of the fraudulent credit difficult.
Preventive measures: This can be prevented, in part, by establishing a policy of no credits back to a card other than the card originally debited. In addition, risk managers may be able to detect and monitor accounts for an unusual increase in credit amounts.
3.6. Long-term liabilities: The greatest losses most acquirers experience are from long-term liabilities created by a merchant. For instance, a merchant who provides Internet access for $100 per year and, after only providing three months of service to its customers, disappears. Because the life of the service was for a year, the cardholder can charge back the transaction in the fourth month, since part of the service that they paid for will never be fulfilled. The merchant has received the funds from the sale, leaving the acquirer to take the loss.
Preventive measures: This can be prevented, in part, by establishing a policy that restricts merchants to a maximum 90-day product/service billing cycle (i.e., billing a cardholder $25/quarter instead of $100/year). This strategy also minimizes the exposure due to the reduced transaction size.
3.7. Fraudulent cards: Consumers and/or merchants may attempt to defraud acquirers by knowingly submitting transactions using fraudulent credit cards.
Preventive measures: One way to detect this type of fraud is by monitoring the number of authorization attempts. When an authorization is not obtained for a specific dollar amount, a second attempt will often be made for a dollar amount less than the original amount, and so on until an authorization is obtained.
Additionally, multiple transactions to the same card are an indicator of potential fraud. The time between transactions can also be a potential fraud indicator. For instance, if a sale is processed for a camera at 1:00 p.m., a second sale is made at 1:15 p.m. and then another at 2:00 p.m., this may be an indicator of consumer or merchant fraud.
How are the multiple sales explained? Many fraudulent merchants will say that the consumer left the store and came back to purchase more merchandise. This is suspect behavior that should be investigated by requesting copies of the sales draft.
3.8. Stolen card numbers: Criminals occasionally get a hold of a valid card or card number and use it before it is reported as stolen by the legitimate cardholder. The criminals often first attempt a transaction for a small amount to see if the sale goes through.
Once it does, they will continue to run sales, each for a higher amount than the last until they are unable to obtain an authorization or someone catches on. Additionally, the valid card may be shared among multiple perpetrators, each using it to run transactions.
Preventive measures: This kind of fraud sometimes can be caught during the authorization process, or by comparison of the numeric address (ZIP code and numerals of the address) submitted by the card user against the known address information on file at the card's issuer - i.e. Address Verification Service (AVS).
Also, it may be possible to detect the use of fraudulent cards by noting repeated uses of the same card, sale amount patterns and other pattern recognition techniques.
3.9. Authorized but unissued card numbers: There are millions of card numbers that are assigned to an issuing bank in certain sequences, which have not been issued to a cardholder. If submitted for authorization, these card numbers will appear valid - as they are not listed as lost or stolen - and may receive an authorization through one of the credit card networks unless the card record is submitted for full credit authorization to the issuing bank.
Additionally, there are software programs that use an algorithm to generate numerous authentic card numbers in a sequence. Once obtained, the numbers are attempted until a valid number is accepted. Many times, the criminals will use a computer program to automatically submit card numbers to a merchant until they find numbers that will survive the merchant's authorization process. These card numbers are then used by the criminals themselves, or sold/traded for cash.
Preventive measures: This form of fraud can be difficult to detect and can result in substantial losses unless sophisticated, computerized pattern-recognition algorithms are utilized. Such fraud may also be detected by risk management procedures that examine card number submission patterns, including noting the frequency of submissions from the same geographic area, phone number and other factors.
In some cases, the criminal is careless and submits card numbers with the same BIN numbers repeatedly. Risk managers should also be on the lookout for the use of sequential patterns that can be easily spotted, as the last few numbers will differ only slightly.
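As an added illustration (not part of the ETA white paper), the sketch below screens one merchant's submitted card numbers for the two patterns just described: heavy concentration under one BIN and runs of numbers that differ only in the last few digits. The card numbers, the 999999 placeholder BIN and the `max_gap` and `min_run` thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed submissions for one merchant. These 16-digit strings are made-up
# test values (999999 etc. are placeholder BINs), not real card numbers.
SUBMISSIONS = [
    "9999991234560017", "9999991234560025", "9999991234560033",
    "9999991234560041", "9999991234560058",
    "9999997700451234", "8888885512349876", "7777770098761234",
]


def bin_share(cards, bin_len=6):
    """Share of the distinct submitted cards that falls under each BIN."""
    unique = set(cards)
    counts = Counter(c[:bin_len] for c in unique)
    return {b: n / len(unique) for b, n in counts.items()}


def sequential_runs(cards, bin_len=6, max_gap=20, min_run=4):
    """Longest run per BIN of distinct cards whose numbers sit close together.

    max_gap and min_run are assumed thresholds. A gap larger than 1 is allowed
    because the final check digit keeps generated numbers from being consecutive.
    """
    by_bin = defaultdict(set)
    for c in cards:
        by_bin[c[:bin_len]].add(c)
    runs = {}
    for bin_, members in by_bin.items():
        ordered = sorted(members, key=int)
        run, best = ordered[:1], ordered[:1]
        for prev, cur in zip(ordered, ordered[1:]):
            # Extend the current run while neighbours stay within max_gap.
            run = run + [cur] if int(cur) - int(prev) <= max_gap else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            runs[bin_] = best
    return runs


if __name__ == "__main__":
    print(bin_share(SUBMISSIONS))
    print(sequential_runs(SUBMISSIONS))
```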
3.10. Forced sales: If a merchant cannot receive a valid authorization for a sale of a certain amount, say $500, because the cardholder appears not to have enough credit available, he may attempt to resubmit the sale repeatedly, at ever lower values, until the sale is authorized ... $450, $400, $350 and so forth.
Or, the merchant might wait several days or weeks to resubmit the transaction, hoping that he will find a moment when the credit balance has been restored to the card. The problem with these transactions is that the cardholder did not agree to the sale amount and could dispute the charge when invoiced.
Preventive measures: This form of merchant fraud sometimes is detected by automatically screening transactions for multiple authorization attempts on the same card.
3.11. Resubmitted transactions: If a merchant has transactions that are declined because they are fraudulent or otherwise blocked by fraud screening (for instance, if the AVS does not match), he might attempt repeatedly to resubmit the card over a period of days, weeks or even months, until he finds a moment when the card might slip through the system.
Preventive measures: This form of merchant fraud sometimes is detected by automatically screening transactions for multiple authorization attempts on the same card.
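The automatic screening for multiple authorization attempts described in sections 3.7, 3.8, 3.10 and 3.11 can be sketched as follows. This is an added example, not code from the white paper; the log records, card tokens, flag names and the `MAX_ATTEMPTS` limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authorization log: (timestamp, card token, amount, approved).
# Card tokens are placeholders, not real card numbers.
AUTH_LOG = [
    ("2006-04-03 13:00", "card-A", 500.00, False),
    ("2006-04-03 13:02", "card-A", 450.00, False),
    ("2006-04-03 13:03", "card-A", 400.00, False),
    ("2006-04-03 13:05", "card-A", 350.00, True),
    ("2006-04-03 09:10", "card-B", 42.17, True),
    ("2006-04-01 10:00", "card-C", 120.00, False),
    ("2006-04-09 10:00", "card-C", 120.00, False),
    ("2006-04-20 10:00", "card-C", 120.00, True),
    ("2006-04-03 11:00", "card-D", 1.00, True),
    ("2006-04-03 11:05", "card-D", 60.00, True),
    ("2006-04-03 11:09", "card-D", 240.00, True),
]

MAX_ATTEMPTS = 2  # assumed per-card limit; set per merchant profile


def screen_authorizations(log, max_attempts=MAX_ATTEMPTS):
    """Return {card: [flags]} for every card with more attempts than allowed."""
    by_card = defaultdict(list)
    for ts, card, amount, approved in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_card[card].append((when, amount, approved))

    findings = {}
    for card, attempts in by_card.items():
        if len(attempts) <= max_attempts:
            continue
        attempts.sort()  # chronological order
        amounts = [amount for _, amount, _ in attempts]
        declined = any(not ok for _, _, ok in attempts)
        pairs = list(zip(amounts, amounts[1:]))
        flags = []
        if declined and all(b < a for a, b in pairs):
            flags.append("descending-after-decline")   # sections 3.7, 3.10
        if declined and all(b == a for a, b in pairs):
            flags.append("resubmitted-after-decline")  # section 3.11
        if not declined and all(b > a for a, b in pairs):
            flags.append("escalating-amounts")         # section 3.8
        findings[card] = flags or ["over-attempt-limit"]
    return findings


if __name__ == "__main__":
    for card, flags in sorted(screen_authorizations(AUTH_LOG).items()):
        print(card, flags)
```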
3.12. Other suspicious patterns include:
- Average tickets exceeding the maximum ticket allowed
- Daily/weekly deposit amounts exceeding maximum limit
- Multiple authorizations to a card exceeding maximum
- Number of declined authorization attempts exceeding maximum
- An unusual pattern of duplicated card numbers appearing in batches
- An unusual frequency of same dollar-amounts appearing in batches
- Same card-number appearing over a period of time in both swiped and keyed transactions
- An unusual frequency of even dollar-amounts appearing in batches
- The batch is in an even-numeral dollar-amount
- Credits exceed debits in the batch
- There are an unusual number of voids and credits in batches.
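Several of the batch-level indicators in section 3.12 can be checked mechanically at settlement time. The sketch below is an added example, not part of the white paper; the batch records, flag names and `LIMITS` thresholds are constructed assumptions, "even" is read as a whole-dollar amount, and the swiped/keyed check is applied within one batch rather than over a period of time.

```python
from collections import Counter

# Constructed batch: (card token, amount, kind, entry mode). Tokens are placeholders.
BATCH = [
    ("card-1", 100.00, "sale", "keyed"),
    ("card-1", 100.00, "sale", "swiped"),
    ("card-2", 200.00, "sale", "keyed"),
    ("card-3", 100.00, "sale", "keyed"),
    ("card-4", 450.00, "credit", "keyed"),
    ("card-5", 250.00, "credit", "keyed"),
    ("card-6", 37.42, "void", "keyed"),
]

# Assumed thresholds; the paper leaves "unusual" to the risk manager's judgment.
LIMITS = {"even_share": 0.5, "same_amount_share": 0.4, "reversal_share": 0.3}


def cents(amount):
    return round(amount * 100)  # compare money as integer cents, not floats


def screen_batch(batch, limits=LIMITS):
    """Return the sorted names of the section 3.12 indicators a batch trips."""
    sales = [t for t in batch if t[2] == "sale"]
    credits = [t for t in batch if t[2] == "credit"]
    voids = [t for t in batch if t[2] == "void"]
    flags = set()

    debit_total = sum(cents(t[1]) for t in sales)
    if sum(cents(t[1]) for t in credits) > debit_total:
        flags.add("credits-exceed-debits")
    if batch and (len(credits) + len(voids)) / len(batch) >= limits["reversal_share"]:
        flags.add("many-voids-and-credits")
    if sales:
        if debit_total % 100 == 0:  # whole-dollar batch total
            flags.add("even-batch-total")
        whole = sum(1 for t in sales if cents(t[1]) % 100 == 0)
        if whole / len(sales) >= limits["even_share"]:
            flags.add("even-dollar-amounts")
        top = Counter(cents(t[1]) for t in sales).most_common(1)[0][1]
        if top > 1 and top / len(sales) >= limits["same_amount_share"]:
            flags.add("repeated-amount")
        if Counter(t[0] for t in sales).most_common(1)[0][1] > 1:
            flags.add("duplicate-card")
    modes = {}
    for card, _, _, mode in batch:
        modes.setdefault(card, set()).add(mode)
    if any({"swiped", "keyed"} <= m for m in modes.values()):
        flags.add("card-swiped-and-keyed")
    return sorted(flags)
```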