Strategies for Managing Credit Card Payments
Strategies for Managing Credit Card Payments
By Ernie Schell
Like many technologies, managing e-commerce credit card payments has become commoditized. With the methods used to manage authorizations and charges now routine and standard, and with hundreds of vendors vying for your business, costs have plummeted to near rock-bottom levels, as well.
Nevertheless, handling credit card payments in any medium is always fraught with its share of challenges—preventing fraudulent charges and theft of credit card data chief among them—and the details, though manageable, require close attention.
The following explanations are simplified, covering the most important details you need to know.
Authorizations vs. Charges
When a customer makes a store purchase, the credit card is used for a "sale transaction," during which the processor verifies the integrity of the card and charges payment against it at the same time. In a "card-not-present" transaction for physical merchandise, such as e-commerce sales, merchants generally do not charge the customer's credit card until the product has been shipped. But they need to "authorize" it before shipment to confirm the card has not been reported stolen and ensure there is sufficient credit available on the account.
The authorization can be handled in real-time as part of the order acceptance process (which is the standard procedure)—in which case your "gateway process" (which transforms data from your Web site into a format your credit card processor can use) will query the processing service bureau to obtain the authorization—or it can be done in "batch" mode. Obviously, real-time interaction gives you the immediate opportunity to request another method of payment if the card is declined.
Once the order is shipped, your order management system needs to communicate with the service bureau, usually in batch mode (via its own gateway or your e-commerce gateway) to confirm that the amount of the order (or the amount for the part of it that has shipped) can be charged.
All charged amounts are deposited into the sponsoring bank's account by the card issuer's bank, and that amount, minus an "interchange" fee (the base rate for processing bank card transactions that is set by the bank card associations), the processor's fee and the gateway fee, is deposited into the merchant's bank a few day's later.
Refunds, Credits and Chargebacks
Into every life some rain must fall. For the merchant, this comes in the form of customer returns, refunds, credits and "chargebacks." Your order management system should automatically generate requests for refunds and credits, which are sent to your service bureau for processing. It's the chargebacks that are a bit trickier.
A chargeback is initiated by the consumer through the card-issuing bank when she receives her credit card statement, and she hasn't received an expected credit or refund, or simply doesn't recognize or remember the charge (it could be a fraudulent charge). The issuing bank will ask you for proof that the original charge was valid and should remain so. It is then the merchant's responsibility to provide order records or copies of communications with the customer.
The banking community hates chargebacks even more than merchants do: If chargebacks exceed more than 1 percent of your monthly transaction volume (or 2.5 percent of dollars charged), you not only will be slapped with penalties ranging up to $100,000 but will end up losing your merchant account privileges! (VISA charges a $5,000 "review fee" for the first five months of over-limit chargebacks, then imposes fines thereafter. MasterCard starts charging $25,000 penalties at month four.)
Avoiding chargebacks is one reason most merchants don't charge the customer's card until after the order has shipped.
There are numerous details of which to beware. Some, briefly:
> Method of order: The bank card interchange protocols now require that any records you transmit for authorization and charges contain a code or "flag" indicating the order originated on the Internet.
> Credit card number maintenance: For the convenience of your customers, maintain a database of the credit card numbers each customer has used. This will facilitate future orders. Your e-commerce software, or the application that maintains your customer database, should provide a method to encrypt all but the final four characters of the number along with the expiration date. The encrypted data will get passed with the order in its encrypted state to the gateway. Customers with secure, password-authenticated access should be able to update the expiration date of a card; if they need to change the card number (for a reissue of a lost card, etc.) they can delete the original card and enter data for a new one.
> Address Verification Service (AVS): As part of fraud prevention, many merchants choose to send the house number of the customer's address and the ZIP code along with authorization and charge data. The interchange party will determine if these match the data on file for the billing address of that card. Use of this AVS data also will reduce your interchange processing fee. (You decide whether a non-match or partial match should preclude shipping the order; you are at liberty to ignore it, although your chargeback fees may be higher if you incur one on a non-AVS-approved charge).
> Credit card ID codes: These are the three-digit and four-digit non-embossed codes printed on credit cards for security purposes (referred to as CCVS, CVC2 or CID). You should request these in your shopping cart, and your gateway and service bureau should be able to pass them on to the interchange party.
> Verified by VISA and Verified by MasterCard Secure Code programs: Both of these allow a customer to enter a password—maintained by the card issuer—to verify identity. If your shopping cart supports this, so should your gateway and service bureau.
> Fraud: In addition to the security codes and password ID programs offered by the card issuers, there are other types of fraud screening you can perform, including: reference to known "high risk" ZIP codes (for bill-to or ship-to addresses); non-standard data in order-entry fields; high-value orders from new customers; different bill-to and ship-to addresses (only sometimes indicative of fraud); and so on. Since you will bear the burden of non-payment for fraudulent orders, it pays to implement some form of fraud-screening program; many gateway systems, shopping carts and payment processors can offer you such capabilities.
> Value-added services: There are also a number of extras a service bureau can offer, such as identifying identical and possibly duplicate transactions within a specified period (which could lead to chargebacks). Some service bureaus, and even some gateways, allow you to manage installment or recurring billing for standing orders. And the more robust gateways can handle a broad range of credit cards that include government-issued cards, debit cards, electronic checks and other specialized methods of payment.
Rates and Reporting
The interchange rate varies depending on how complete the data is for a transaction, whether you use AVS, etc. If the order number is missing from a Web order, for instance, this might result in an increase in your rate (called a "downgrade"). Make sure your processing service bureau can work with you to minimize downgrades.
The types of reports offered by gateway providers and service bureaus vary greatly. Before deciding which providers to use, take a look at their reporting options and capabilities to make sure they suit your needs.
Ernie Schell is author of "The Guide to Catalog Management Software" and president of Marketing Systems Analysis Inc. He can be reached at firstname.lastname@example.org or (215) 396-0660.