Chargeback Limits Pt 2 - The Gameplan
Updated: Jun 26, 2021
Welcome back to the second part of our series on Credit Card Processor Limits. In this series, we cover what happens when the number of chargebacks a seller receives surpasses the threshold set by card processors. In our last article, we documented what could cause a warning letter to be triggered as well as what steps a merchant should avoid after receiving a warning letter.
Now, let's cover what should be done to ensure compliance with the card processor chargeback threshold. Keep in mind that this list is not exhaustive, but these are the most common, easiest, and most effective methods that can be used to keep your chargeback levels under control.
This is Part 2: the Gameplan
As any project manager or operational efficiency guru will tell you, jumping into solution mode before investigating the root cause of the problem is a recipe for disaster. The first step in fighting back against excessive chargebacks is to answer a simple question - why are chargebacks being filed? The answer to this question will require a bit of insight and a lot of effort on our part.
Different organizations will have different methods of answering this question. Some will use the chargeback reports issued by processors and classify the reasons broadly into generic categories like “unauthorized transaction” / “stolen card”. Other companies (with a larger budget) might opt for a more granular approach. They could review each chargeback to determine the root cause and look for a smoking gun.
A smoking gun is any obvious evidence of fraud. These are disguised to look legitimate at first glance but, with time and effort, can easily be unveiled as fraudulent. For example, the email address firstname.lastname@example.org might sound slightly strange but totally plausible. Maybe Dr.Ogo owns a company selling the most technologically advanced way to grow kale? The reality is that this email address does not exist. What’s worse, the domain does not exist either. This email is what is known as a disposable email address. These disposable email addresses allow users to provide a fake email address that only works for 10 minutes. All emails sent to that email address pop up in an onscreen inbox. After 10 minutes, the email address dies.
The smoking gun is part of a fraudster's modus operandi (way of doing something), and understanding that is key to being able to stop it. However, not every organization will have the time and resources to embark on such a long/tedious process. For those organizations, the investigation should start by simply compiling all the chargeback data into one master list. Ideally, this is done in Excel rather than using physical copies.
The name of the game here is to highlight as many common denominators across the chargebacks as possible. This exercise will enable the merchant to develop a clear and concise course of action as they will have an understanding of what type of fraud they are trying to fight.
At this stage, the merchant can start thinking about solutions. For example, they could find that the most common denominator across all chargebacks is that fraudsters used credit cards that originated in the USA. While this bit of insight might seem actionable, the merchant should then try to drill down a bit more by asking probing questions like: is most of the USA card fraud targeting the same seller? Do the buyers share an IP address? Do the buyers share a postal address or PO Box? Do they use the same fake domain as we covered above?
The answers to these questions will enable the merchant to develop a more balanced risk mitigation strategy. Once the investigation has been completed, the merchant can finally move on to taking action to bring their fraud rates under control.
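The master-list exercise above can be done in a few lines once the chargebacks are in one place. The following is an added example, not part of the original article; the field names, the `.example` domains, the documentation-range IPs and the seller IDs are all constructed for illustration.

```python
from collections import Counter

FIELDS = ("card_country", "email_domain", "ip", "seller")

# Constructed master list: every value below is made up for illustration.
CHARGEBACKS = [
    dict(zip(("id",) + FIELDS, row)) for row in [
        (1, "US", "tempbox.example", "198.51.100.7", "S-01"),
        (2, "US", "tempbox.example", "198.51.100.7", "S-01"),
        (3, "US", "mail.example", "203.0.113.20", "S-02"),
        (4, "US", "tempbox.example", "198.51.100.7", "S-01"),
        (5, "CA", "mail.example", "203.0.113.45", "S-03"),
        (6, "US", "tempbox.example", "198.51.100.9", "S-01"),
        (7, "GB", "post.example", "203.0.113.80", "S-02"),
        (8, "US", "mail.example", "203.0.113.99", "S-04"),
    ]
]


def common_denominators(rows, fields=FIELDS, min_share=0.5):
    """Return (field, value, share) for values present in >= min_share of rows."""
    if not rows:
        return []
    found = []
    for field in fields:
        for value, count in Counter(r[field] for r in rows).items():
            share = count / len(rows)
            if share >= min_share:
                found.append((field, value, share))
    # Largest share first; ties broken by field and value for stable output.
    return sorted(found, key=lambda t: (-t[2], t[0], t[1]))


def drill_down(rows, field, value, by):
    """Among rows where field == value, count the values of a second field."""
    return Counter(r[by] for r in rows if r[field] == value)


if __name__ == "__main__":
    for field, value, share in common_denominators(CHARGEBACKS):
        print(f"{field}={value}: {share:.0%} of chargebacks")
    # The probing questions: do the US-card chargebacks share a seller or an IP?
    for by in ("seller", "ip", "email_domain"):
        value, count = drill_down(CHARGEBACKS, "card_country", "US", by).most_common(1)[0]
        print(f"US cards, most common {by}: {value} ({count} chargebacks)")
```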
The merchant will now be armed with more than enough information to make an informed decision about which method to use to fight the fraud. There are two distinct methods that a merchant can use.
First is the scorched earth method. As the name suggests, this is when a merchant decides to take a blanket approach to fighting fraud. The merchant could find one common denominator and decide to act on that one bit of information alone. For example, the merchant that found that most frauds involved cards that originate from the USA would decide to just block all cards from the USA. The upside to this is that the merchant would have effectively stopped the most common MO that fraudsters could use against them. The downside, of course, is that the merchant will lose business, as not every person that uses a US-based card will be a fraudster. Having said that, if the merchant calculates that more than 60% of all US-based transactions are fraudulent, it might make financial sense for them to just block US-based cards.
If the merchant does not want to employ the scorched earth policy, the merchant could use a more targeted and scientifically designed method. In order to achieve this, the merchant must find as many common denominators as possible across all observed fraud. For example, they could find that US-based cards represent 30% of all chargebacks. The merchant could find that a certain percentage of the US-based fraud involves the use of fake email domains. Let's assume that fake domains represent about another 20% of all fraud. Individually, this might not be sufficient to reduce the fraud by a significant amount. However, if the merchant combines these two things, they would be able to reduce fraud by 50%.
The targeted approach would require a merchant to study the details of each transaction down to the granular level. The merchant would need to pay attention to almost every data field that is captured. This will enable the merchant to create rules that will only impact the fraudsters that use specific MOs. This means that good customers will not be impacted nor will fraudsters that use MOs that the merchant has not created a rule to block.
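Before a rule goes into a risk engine, it can be replayed over past transactions to see what each method would have cost. The following is an added example, not part of the original article: it compares the scorched earth rule with a targeted rule on a constructed transaction history, and the record layout, the rule functions and the disposable-domain list are assumptions.

```python
from collections import namedtuple

Txn = namedtuple("Txn", "id card_country email_domain charged_back")

# Constructed transaction history; every value is made up for illustration.
TRANSACTIONS = [Txn(*row) for row in [
    (1, "US", "tempbox.example", True),
    (2, "US", "tempbox.example", True),
    (3, "US", "mail.example", False),
    (4, "US", "mail.example", False),
    (5, "US", "post.example", False),
    (6, "US", "tempbox.example", True),
    (7, "CA", "mail.example", False),
    (8, "GB", "tempbox.example", True),
    (9, "US", "mail.example", True),
    (10, "DE", "post.example", False),
]]

# Assumed list of disposable-email domains identified during the investigation.
DISPOSABLE_DOMAINS = {"tempbox.example"}


def block_us_cards(txn):
    """Scorched earth: act on one common denominator for every buyer."""
    return txn.card_country == "US"


def block_us_disposable(txn):
    """Targeted: block only when both common denominators match."""
    return txn.card_country == "US" and txn.email_domain in DISPOSABLE_DOMAINS


def backtest(rule, txns):
    """Replay a rule over past transactions and report what it would have blocked."""
    fraud = [t for t in txns if t.charged_back]
    good = [t for t in txns if not t.charged_back]
    return {
        "fraud_blocked": sum(1 for t in fraud if rule(t)),
        "fraud_total": len(fraud),
        "good_blocked": sum(1 for t in good if rule(t)),
        "good_total": len(good),
        # Chargebacks using an MO that this rule does not cover.
        "missed_ids": [t.id for t in fraud if not rule(t)],
    }


if __name__ == "__main__":
    for rule in (block_us_cards, block_us_disposable):
        print(rule.__name__, backtest(rule, TRANSACTIONS))
```

On this constructed data the blanket rule stops more chargebacks but also turns away three of the five good orders, while the targeted rule turns away none and lets through the chargebacks whose MO it has no rule for.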
In order to create rules, we must come to the third and final part of the action stage, the technology.
By now, the merchant is most likely aware of their requirements in terms of fighting fraud. If the merchant is a large merchant that is able to spend a decent amount to purchase a risk engine, they could invest in a real-time, AI-backed risk and fraud detection engine. If the merchant is looking for a more budget-conscious solution, they might want to consider a post-authorization risk engine. These engines are often dismissed as outdated and too manual as they would require a merchant to examine the transactions highlighted by the engine and refund any transaction that the system feels is suspicious.
This solution might not be applicable for a merchant that makes thousands of transactions a day but for a merchant that is willing to spend the time to manually review each suspicious transaction, this solution will get the job done.
Once the merchant has settled on a risk engine, they can start to build the relevant risk rules in their engine to stop the fraud they have highlighted. This process is not easily done and it is possible that the merchant would require some guidance and/or training on how to get the most out of their engine.
The merchant could ask the company for some guidance, or they could book an hour with Dicorm and we will guide them through all the processes mentioned above and more!
Join us again next month as we cover the monitoring and tweaking stage.