E-commerce merchants do not have the benefit of interacting with consumers face-to-face, which increases the risks of processing fraudulent transactions. It also presents communication challenges that brick-and-mortar merchants do not face. In order to minimize fraud risks and to promote customer satisfaction, all e-commerce organizations must adhere to the following policies and principles:
- Authorize all transactions. The floor limit in e-commerce transactions is always zero, which means that all transactions must be authorized. An authorization approval ensures the merchant that there are enough funds in the account and that the card has not been reported lost or stolen. Yet, an approval is not a proof that the true cardholder is making the purchase or that a legitimate card is used.
- Comply with the Associations’ card-not-present chargeback rules. Because of the greater fraud risks involved in a card-not present environment, even if a transaction has received an authorization approval from the card issuer, the merchant may still be liable for afraudulent transaction. Web-based merchants need to build adequate risk managementsystems to counteract these risks.
- Enter an accurate Electronic Commerce Indicator (ECI) for all online transactions.The ECI must be included in the authorization and settlement message and it identifies the transaction as “e-commerce.”
- Comply with the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS is a is a worldwide information security standard, created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. Compliance with the standard is mandatory for all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
- Never store the card security codes. Card security codes are the 3-digit numbers placed on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the 4- digit numbers on the front of American Express (CID) cards. These codes are used as an additional way to verify that the customer is in a physical possession of the card at the time of the transaction.
- Display on your website the logo of the credit card brands that your organization accepts.
- Accept all credit and debit cards that belong to the brands you have elected to honor. The cards should be accepted regardless of the dollar amount of the transaction.
- Include all applicable taxes in the total transaction amount. You should not collect taxes separately. Cardholders must have written records of the total amount of their purchase, including taxes.
- Deposit transactions with your processing bank only for your business. It is prohibited, under any circumstances, to accept card payments for other businesses.
- Deposit transaction receipts within five calendar days of the transaction date. Be advised that, for card-not-present transactions, the transaction date is the shipping date, not the order date. Transactions deposited more than 30 days after the transaction date may be charged back to you.
- Provide customers with the expected delivery date. For card-not-present transactions, cardholders should be informed of the delivery method and of the expected delivery date. Transactions cannot be deposited until the products or services have been delivered.
- Make your organization’s return and credit policies available to consumers through clearly visible links on your website. Placing these links in your website’s footer or header will usually make them present on all pages.
- When a delivery is running late, follow these steps to obtain two authorizations:
- Create two transaction receipts, one for the deposit and another for the remaining balance. Write “Deposit” and “Balance” on the receipts.
- Obtain an authorization for each transaction receipt on their respective transaction dates and make sure that the authorization response code appears on each receipt.
- Write “Delayed Delivery” on each transaction receipt.
- Never impose a surcharge on a card transaction. You are allowed to offer a discount if your customer selects a different payment method, e.g. cash or check.
- Never use a card to collect other debts or dishonored checks.
Be advised that card issuers have 120 days from the transaction date to charge back transactions in which the cardholder claims to have not participated. In card-not-present environment, the transaction date is the shipment date, not the date when the order is placed.