The Money Flow - Fraud Library
The Fraud Practice eCommerce Fraud Consulting Services
What do money flow and credit cards have to do with fraud prevention? In a cash society a merchant never cared about who the consumer was. With the introduction of credit cards the merchant took on new responsibilities for authenticating consumers, showing proof of sales and providing service and support after the sale.
For most merchants having to authenticate the consumer before taking their cash, or having to worry about a bank coming back after the sale and taking the money back, was a foreign concept. The concept of fraud went from just physically securing their shops to having to spot fraud in the money flow.
Understanding where the money goes with eCommerce Credit Card Transactions
To understand the money flow you need an understanding of the business processes and steps an order goes through for money and goods to exchange hands. With cash the consumer hands a merchant cash, the merchant performs checks to make sure it is not counterfeit, and calculates the change. With that done the consumer is on their way. If a consumer returns the goods, the merchant simply has to pay the consumer back in cash. There are no third parties in the process — everything occurs between a merchant and consumer.
With credit cards we introduce new complexities into processing an order:
- Do you accept the card? With a cash transaction the merchant can immediately see if the currency the consumer is trying to use is a currency they accept. If you are in the United States and a consumer tries to make a purchase with Euros the merchant will tell them they don’t accept Euros. With credit cards, there are also a lot of different credit card types, and as a merchant you need to know which ones you can process. Your acquiring bank will only support a certain group of these cards, and you need to make sure you can process the card prior to accepting them from the consumer.
- Is the card real? With cash, most people are very familiar with how it looks and feels. There are a number of things a merchant can do to see if the cash is counterfeit, but, in general, everyone knows what a one dollar bill is. For credit cards, there are different brands, different logos, colors, and names on them. To make it even more difficult, banks and associations change these looks often. Likewise the credit card only has a set of numbers across the front of it — how do you know these numbers aren’t just gibberish?
- Does the consumer have money available on the card? When you take cash you know immediately if the consumer has enough money to pay for the purchase. With credit cards, there is no “value remaining” indicator on the card. With credit cards a merchant has to go out and ask if the consumer has money remaining.
- Is this consumer authorized to use this particular credit card? When a credit card is used, there is no magic check occurring on the names authorized to use the credit card. If the credit card says John Smith, how do you know this is really John Smith?
- Have you delivered the goods or services? If not, you cannot ask for your money. This is because with credit cards there are rules about when you can request to have funds paid to you, and how you have to handle customer service complaints. With cash you can have consumers pre-pay for special orders, split shipments and delay shipments, but you cannot do these things with credit cards.
Now instead of a transaction occurring between a merchant and consumer, there can be up to seven entities (merchants, consumers, issuing banks, acquiring banks, payment processors, gateway services, card associations) involved in a transaction. As a merchant you have to rely on third parties to make sure the consumer can pay for the transaction, and to authenticate that the consumer is authorized to make the purchase.
Having so many more entities involved in a transaction means there are more steps a merchant has to go through to collect their money on a transaction.

1. The consumer contacts an issuing bank and opens a credit card account. They are issued a credit card with a unique account number and a credit line (which is how much they are allowed to spend on the account).
2. A consumer goes to a merchant and selects goods or services to be purchased. He or she provides the credit card information to pay for the transaction.
3. The merchant takes the credit card information provided by the consumer and attempts to validate it through tests and checks and sends it to the acquiring bank to find out if the consumer has money available on the credit card to make the purchase. How the information is routed to the acquiring bank depends on the merchant’s decision to use a gateway service or payment processor. Remember a gateway service and payment processor operate as a middleman in the transaction giving value-added services to the merchant. The merchant could be using any of the following methods to get their credit card orders out to the acquiring bank:
a. Directly connect to the acquiring bank
b. Connecting to a payment processor that connects out to an acquiring bank
c. Connecting to a gateway service that connects out to an acquiring bank
d. Connecting to a gateway service that connects out to a payment processor that connects to an acquiring bank
e. Connecting to a payment processor that offers acquiring bank services directly
4. The acquiring bank routes a request through the card association physical network to the issuing bank to see if funds are available on the consumer’s credit card.
5. The issuing bank checks the consumer’s credit line and if funds are available they will set aside the amount of money that the order requires for payment. This money is “reserved” only — it has not changed hands, and is not the merchant’s money yet. At this point a reply is sent back through the card association network to the acquiring bank, then back to the merchant to let them know the status of the request for funds.
All of this has gone on, and all we have done is determine that the card is a valid credit card and that the consumer has enough money available on their credit card to make the purchase. There are seven major steps associated with processing a card-not-present credit card purchase. The previous graphic and example depict only the first two steps in that process. The merchant still hasn’t gotten paid for their goods or services. Additionally the merchant has to worry about the “reserve” on their funds expiring, credits and potential bad transactions, called “charge-backs.”
The remainder of this section will discuss each of these seven steps in more detail, but let’s take a brief look at the seven steps in processing a credit card transaction to get you familiar with the big picture.

In the Step View graphic I highlight two major areas in grey that represent two conceptual phases in the credit card process: pre-payment (1) and post payment (2). The pre-payment phase shows all of the steps that can happen on a consumer’s order before the merchant receives money from their credit card. The post-payment phase shows all of the steps that can happen on a consumer’s order after the merchant has received money.
- Card Authentication – Validate the credit card number the consumer gave you to verify that it’s actually a real credit card number and not just a bunch of random numbers. If the consumer fails this test, no sale. If the consumer passes this test, the order moves to authorization.
- Authorization – Check for and “reserve” funds on the consumer’s credit card for the order.
- Authorization Reversal – Contacting the issuing bank to “un-reserve” funds on a consumer’s credit card if they decide not to make the purchase.
- Settlement – Request for physical payment of funds from the consumer’s credit card.
- Credit – The return of physical payment of funds back to the consumer’s credit card.
- Charge-back – A request from the issuing bank to provide additional documentation on a consumer’s order to prove the consumer made the purchase. These requests can be based on customer service issues or suspected fraud.
- Represent – The presentation of additional documentation to the issuing bank to prove the consumer made the actual purchase.
Remember not all seven steps will occur with every transaction. The Step View graphic provided a quick overview of the seven steps and the major objective of each step. Even with the data you will receive in the remainder of this section, make sure you work with your acquiring bank to get more detailed information on the policies and procedures they have in place for these steps.
Before you can check to see if the consumer has money available, you need to make sure the card number they gave you is a valid credit card number, and you do this by doing a “card authentication.” This is where you check to make sure the card number you were given by a consumer could even possibly be a credit card number and not just a random set of numbers. The card authentication check is not trying to see if the account is real, or what money is available on it — it is just making sure the numbers the consumer gave you fit the normal credit card pattern and range.
Card authentication is typically accomplished by using a test called a MOD 10 check. This check is built into many payment systems, and is typically found on the buy page of a website. This will catch things like too few, or too many, digits or an incorrect arrangement of the digits. If you have made a purchase online, you may have added an extra digit and had an error message asking you to check your credit card number. This is most likely the MOD 10 check. The MOD 10 Check is discussed in detail in the Mod 10 Check Section.
If you think about it, the need to authenticate a credit card number is not unique to the card-not-present space. It is a more pronounced issue for the card-not-present space, but the card-present world also has to do the same check. For example when a consumer comes to a store and hands the merchant a credit card, they really have no idea if it is a valid credit card. Counterfeit cards are a serious problem in the industry, and credit card associations and issuers are constantly looking for new ways to prevent counterfeiting.
The difference between the card-present and card-not-present world is that in a store the consumer gives the merchant a credit card they can swipe through a card reader to perform the card authentication. Assuming the card is not damaged the machine can then check to make sure it is a real card and start the payment process. If it is damaged, or fake in some cases, it may not swipe and the merchant will have to key it in to get the process started.
But think about the card-not-present credit card transaction. You can ask for all kinds of information from the consumer, but you cannot swipe a card for them. They give you a number and say “this is my credit card number.” But how do you know this is a valid credit card number? Valid means it potentially could be a credit card number, not just a random set of numbers they made up. Credit cards today have between 13 and 16 numbers, with 16 being the most used standard. Would your staff still try to process an order if the credit card number they got was 20 digits?
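The card authentication step described above can be sketched as follows. This is an added example, not code from The Fraud Practice; the function names and sample numbers are constructed for illustration, and the 13 to 16 digit range is the one stated in the text.

```python
import re

# Length range taken from the article ("between 13 and 16 numbers").
MIN_LEN, MAX_LEN = 13, 16


def mod10_ok(digits: str) -> bool:
    """MOD 10 (Luhn) check: double every second digit from the right,
    subtract 9 from any result above 9, and require the sum to end in 0."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_authentication(raw: str) -> tuple[bool, str]:
    """Return (passed, reason). Says nothing about whether the account
    exists or has funds; that is what the authorization step is for."""
    pan = re.sub(r"[ -]", "", raw.strip())  # tolerate spaces and dashes
    # ASCII digits only; str.isdigit() would also accept characters like '²'.
    if not re.fullmatch(r"[0-9]+", pan):
        return False, "not numeric"
    if not MIN_LEN <= len(pan) <= MAX_LEN:
        return False, "bad length"
    if not mod10_ok(pan):
        return False, "failed MOD 10"
    return True, "ok"


# Constructed sample input: test-style numbers, not real accounts.
SAMPLES = [
    "4111 1111 1111 1111",   # well-formed 16-digit number
    "4222222222222",         # well-formed 13-digit number
    "4111111111111112",      # last digit mistyped
    "1411111111111111",      # first two digits swapped
    "41111111111111111111",  # 20 digits, the case the article asks about
    "4111-1111-1111-111x",   # stray non-digit
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, card_authentication(sample))
```

A number that passes only proves it is shaped like a card number; the order still has to go on to authorization.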
Assuming the card number passed the card authentication check, now you need to find out from the card issuer if the consumer has enough money available to make the purchase. You do this by requesting an “authorization.” When you do this your request goes through the acquiring bank to the issuing bank, where they are responsible for checking the consumer’s credit card number for authorization.
In the card-not-present transaction when you request an authorization the request goes back to the issuing bank where they will see if the credit card account is an active account, if sufficient funds are available and, if you request it, and provide the address information, they will perform an “address verification.” The address verification check provided in this process compares the billing address provided by the consumer with the billing address on record with the issuing bank. Address verification has a dedicated section for more information.
Some things to keep in mind about authorizations:
- Authorizations commit funds only, no money exchanges hands. With an authorization no money has exchanged hands, it has only been committed. For example, when you check into a hotel and they swipe your card when you arrive they are trying to get an authorization for what they estimate the total bill to be. This will commit that amount of money on the consumer’s credit card to pay the merchant when the merchant processes a settlement transaction. The settlement transaction cannot be processed until the goods or services have been shipped to the consumer.
- Authorizations are cumulative. Every time a merchant requests an authorization on a card you are using up some of the consumer’s credit line. If you make mistakes in your order process and re-run an authorization, you are committing more of the consumer’s credit line. Likewise if you process an authorization for a consumer, and they cancel the order before a settlement is processed or goods are shipped, the authorization you processed does not go away unless you reverse it or it expires. Even though no payment will ever be made on these authorizations, the consumer’s credit line can be gobbled up with these commitments and they will not be able to make any purchases until the authorizations expire or are reversed by the requesting merchant. Merchants that don’t try to clean up these authorizations, or who process multiple authorizations on a consumer, can cause another merchant to get a decline on an order when money is really available. This is a good way to piss off a consumer; no one likes to get declined only to find out a store they went to screwed them up. For example a consumer with a credit line of $5,000.00 going in to purchase a new computer finds the one they like, and starts the checkout process. The clerk runs the authorization for $3,000.00 and gets an approval. Later that same day the consumer finds an even better deal with the same computer and a flat screen monitor from another merchant. The consumer decides they just have to have a new flat screen monitor to go with this new computer. So they call and cancel the original order and place a new order with the second merchant for $3,000. The original merchant hadn’t shipped any goods yet, and simply canceled the order in their system. They don’t process authorization reversals. When the issuing bank gets this request from the second merchant they will still have the other pending authorization for $3,000, and with the new request for $3,000 the consumer is now at $6,000. The consumer looks like they are one grand over their limit, and the issuing bank will decline the authorization.
- Authorizations expire on their own. Authorizations don’t last forever — they expire. The amount of time you have on an authorization may be different from card type to card type. Typically they last a week. If an authorization expires before you process a settlement you may have to process a re-authorization. A re-authorization is where you take an expired authorization and reprocess it to re-commit the funds.
- The authorization must be the amount you expect to settle on. When you request an authorization, by rule from the card associations you are supposed to be requesting an authorization of the amount you expect to settle on. If you get an authorization for $100 you cannot process a settlement of $500 against it. The amounts don’t have to be exact — the association has built-in variances to account for industries like food service in which tips are added after an authorization is requested. These variances are percentage amounts over or under an authorization amount the bank will still process a settlement on.
As you can see, you can get in trouble with authorizations under certain conditions, so a good tool to use is the “Authorization Reversal.” The authorization reversal is what you would process when you are not going to process an order to settlement, in order to free up a consumer’s credit line. Sounds great, right? Well the fact is most merchants don’t use this process, as it can be complicated to integrate into their systems, and the number of times a consumer’s credit line is tapped out by authorizations is generally rare because the authorizations do expire.
If you do implement authorization reversals, be aware that not all payment processing solutions, providers and/or issuers support this process. In short you could have this set up in your system and your payment processor could support this, but the consumer’s issuing bank may not support it. In this case you are out of luck — the only way to get rid of this authorization is to let it expire or call the issuing bank directly.
More than likely you will never have to deal with this, but if you sell high dollar goods or services you better be prepared to deal with it.
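The authorization behaviour described in this section (cumulative holds, expiry, reversal, and settlement against a hold) can be modelled with a small issuer-side ledger. This is an added example, not code from The Fraud Practice: the class and function names are hypothetical, the seven-day expiry is the article's "typically a week", and the settlement variance the article mentions is not modelled.

```python
from dataclasses import dataclass

HOLD_DAYS = 7  # assumption: the article's "typically they last a week"


@dataclass
class Hold:
    merchant: str
    amount: int      # whole dollars
    day_placed: int


class CardAccount:
    """Toy issuer-side view of one card: credit line, settled balance, open holds."""

    def __init__(self, credit_line: int):
        self.credit_line = credit_line
        self.settled = 0
        self.holds: dict[int, Hold] = {}
        self._next_id = 1

    def _drop_expired(self, today: int) -> None:
        self.holds = {i: h for i, h in self.holds.items()
                      if today - h.day_placed < HOLD_DAYS}

    def available(self, today: int) -> int:
        self._drop_expired(today)
        held = sum(h.amount for h in self.holds.values())
        return self.credit_line - self.settled - held

    def authorize(self, merchant: str, amount: int, today: int):
        """Reserve funds; returns an authorization id, or None on decline."""
        if amount > self.available(today):
            return None
        auth_id, self._next_id = self._next_id, self._next_id + 1
        self.holds[auth_id] = Hold(merchant, amount, today)
        return auth_id

    def reverse(self, auth_id: int) -> bool:
        """Authorization reversal: release the hold without moving money."""
        return self.holds.pop(auth_id, None) is not None

    def settle(self, auth_id: int, amount: int, today: int) -> bool:
        """Money changes hands. Fails if the hold expired or was reversed
        (re-authorize first) or if the amount exceeds what was authorized."""
        self._drop_expired(today)
        hold = self.holds.get(auth_id)
        if hold is None or amount > hold.amount:
            return False
        del self.holds[auth_id]
        self.settled += amount
        return True


def second_merchant_approved(first_merchant_action: str) -> bool:
    """Replay the article's example: $5,000 line, two $3,000 authorizations.
    first_merchant_action is 'nothing', 'reverse' or 'wait' (for expiry)."""
    card = CardAccount(5000)
    first = card.authorize("merchant A", 3000, today=0)
    if first_merchant_action == "reverse":
        card.reverse(first)
    day = 8 if first_merchant_action == "wait" else 0
    return card.authorize("merchant B", 3000, today=day) is not None
```

With `'nothing'` the second merchant is declined the same day; with `'reverse'`, or after the hold has expired, the same request is approved.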
So the card is good, and the consumer has money, so how do you ask for your money? You do this by processing a settlement request. A settlement is where money actually changes hands. You request a settlement through your acquiring bank who pulls it from the issuing bank.
You typically cannot submit a settlement request for payment until you have shipped the goods or services to the consumer. So for orders where split shipments, delayed shipments or backorders are in play, you have to wait to settle until you have shipped each of the goods.
Generally speaking if you deliver your goods or services electronically, such as software downloads, subscriptions or content viewing you can immediately request a settlement when you request the authorization. If you have physical products then you have to wait until the product is shipped to the consumer. In some cases, if your inventory is back-ordered or you are awaiting the products yourself, the authorization may expire before you can process the settlement. In these cases you will have to re-authorize the transactions prior to processing a settlement.
So what happens when the consumer returns the goods to you? You had processed an authorization and a settlement and the money has been handed over, and now you have to refund money back to the consumer. This is done by processing a credit. When you do this your acquiring bank will pass money back to the consumer’s credit card.
When a consumer requests a refund, only refund back to the same method of payment they used to pay you originally. An easy scam for fraudsters is to purchase goods with credit cards and request credits in cash.
The final part of the money flow is not a merchant’s favorite, and it has to do with what are called “charge-backs.” Charge-backs are what occur when the consumer goes back through their issuing bank to say that they didn’t place an order or they didn’t get what they were supposed to get.
There are two general categories of charge-backs. The first is fraudulent charge-backs, in which the consumer says they did not place an order, and did not receive goods or services. The second is “customer service charge-backs,” in which the consumer admits they placed an order, but disputes the charges for any of a number of reasons, such as they didn’t receive the goods or services, they returned them to the merchant, or they didn’t get what they ordered.
Charge-backs are coded by type, and each card association and acquiring bank is a little different on how they present them to a merchant. But the process is basically the same: they will present the charge-backs to the merchant with a request to “represent” the order with supporting documentation to prove the order was valid.
Remember from earlier in the section, I wrote that when it comes to who pays for fraud, the merchant does in the card-not-present space. One of the things that makes catching fraud so difficult is that charge-backs can take up to 90 days to be processed and sent back to a merchant. By that time a fraudster could have already maxed out a credit card at your site, if you are not doing anything to stop them.
The charge-back is coming from an issuing bank, and the “represent” request will be coming from a merchant going through the acquiring bank back to the issuing bank. When you “represent” an order you are trying to prove that the order was from the consumer who is disputing it and was completed in accordance with the association policies and procedures. In the card-present world a merchant would send a copy of a signed register receipt. In the card-not-present world there is no signed receipt. Here you are relying on the billing and shipping information provided and the signed delivery receipt, if you have one.
Charge-backs are nasty little buggers, as they have associated fees with processing them. In other words, every time a merchant gets a charge-back request from an issuing bank, they are charged a charge-back fee. Charge-backs and liability are discussed in greater detail in follow-on sections.
Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.


