Paynetsecure Blog

Business with high risk processing accounts frequently ask questions about chargebacks.

Most high risk processing accounts know that the card brands consider chargeback percentages over 1% to be excessive.  Other elements that are considered when examining chargebacks are the number of chargebacks in a single month and the total chargeback volume.

Payment processing chargebacks are computed by dividing the number chargebacks into the total number of card transaction in a month.  The dollar volume of chargebacks are calculated by dividing the amount of chargebacks into the volume of processing for the month.

Excessive chargebacks can put high risk merchant accounts at risk.  In addition to fines, high risk merchants can face termination of processing rights.

Therefore, it is wise for all high risk merchants to carefully mange chargebacks.  Using the fraud protection tools that are available in a high risk gateway can go a long way in mitigating chargebacks and automate the processes.

In addition, high risk merchants should always fight chargebacks.  While the business won’t always win, it can be successful in many cases.  Fighting chargebacks also indicates that a company believes in its business and is proactive in responding to negative responses to customers.

A secure payment processing gateway goes a long way in protecting merchants security breaches in payment processing.  But, merchants must also take great care in protecting security from the inside of the the business operations as well.

Most businesses simply do not have the expertise or budget to adequately protect themselves from the ever increasing risks of security breaches.  Therefore, companies are outsourcing security protection to outside vendors.

It’s vital to remember that ultimately security protection responsibility lies with the company, not the outsourced vendor.  If and when security breaches occur it, the company bears the consequences.

Consider the following when moving to security outsourcing.

1. Consistently monitor the vendor.  Executives should appoint knowledgeable staff that has a thorough understanding of the correct procedures and technologies.
2. Have multiple departments overseeing the outside vendor.  This helps prevent an insider colluding with an outside vendor.  Naturally, be sure the departments communicate with each other and with top company executives.
3. Read the contracts.  Check limitations and exclusions. Know exactly what is covered.
4. Have a clear and immediate response plan in place in case there is a breach.
5. Verify that the vendor is compliant with all relevant legislation and follows best practices procedures.
6. Retain the ability to monitor and independently audit the vendor to verify performance.
7. Track contractor performance through statistics such as number of incidents, time taken to respond to incidents, etc

Hotels and resorts are the biggest targets of criminals intent on stealing card data. Trustwave released a 2010 Global Security Report which contains information drawn form the company’s investigations of over 200 security breaches in the past year.

For a period of time, restaurants were the most frequently targeted industry segment for criminals on the prowl for card data. Restaurants were particularly easy targets because card information was being stored on old point of sale systems. Restaurants are still targets of attacks, and account for 13% of breach investigations. Financial-services companies account for 19% of breaches, followed by retailers with 14.2%, business services at 5%,and technology companies at 4%.

But, hotels and resorts led the pack with 38% of card hacking investigations. Hackers commonly use what is know as remote-access application attacks. These attacks are targeted at vulnerability in internet channels. IT software for hotels and resorts which combines business and card data frequently are not strongly defended from external attacks. For example, many of the software programs being used by the hotels and resorts had weak password or no password protection at all, making it easy for a sophisticated cybercriminal to exploit holes in the system. Hackers also use other methods of accessing the applications.

Third-party connectivity can exploit data networks which are linked by physical telecommunications lines. And SQL injection is used to insert malicious code into the databases of software applications. Third-party vendors were involved in 81% of the security breaches. This demonstrates the need for companies to keep a close eye on all vendors and have internal security systems to protect against unscrupulous behavior.

Merchants should use a high risk payment processing gateway to add to protection against hackers.

McAfee’s latest research paper called, “Inside the Password-Stealing Business: The Who and How of Identity Theft”, reveals startling facts on cybercrime. For instance, there was a 400% increase in malware designed to steal passwords in 2008. For the first 6 months of 2009, new malware surpassed the entire amount created in 2008.

Malicious software is sneaky and users have no indication of infection. Malware can be downloaded from bad email attachments or can be stealthily injected onto a computer by trusted websites that have been hijacked by cyber-criminals. It can also be sent automatically through social networks or games or by friends’ systems that have been infected.

Amazingly, gaming passwords are the most targeted logins for theft. There is a huge black market for gaming goods and currencies. , In fact, theft of gaming logins surpasses banking logins. Cybercriminals use the stolen passwords to sell off gamers’ virtual goods and gaming currencies for real money.

A good high risk payment processing gateway can guard against cybercrime.

It’s sad, but true.  When it comes to chargebacks, the credit card companies are most often on the cardholders side, not the merchants.

There is a certain segment of cardholders know how to work the chargeback system in their favor.  Merchants can do everything correctly, follow all card association regulations and recommendations to the letter, and still get zinged big time for chargebacks.   Business segments classified as high risk merchants are more prone to chargebacks than others.

The card companies monitor all merchant chargeback activity on a monthly basis and alerts merchant banks in writing when any of their merchants has excessive chargebacks.  Chargebacks of 1% or higher are considered excessive.

The card companies consider the first notification of excessive chargebacks for a specific merchant a warning.  The banks impose large fines to merchants who do not take action within an appropriate period of time o return chargeback rates to acceptable levels.

Working with a high risk payment gateway can help control chargebacks.

The length of time merchants are given to comply almost never exceeds 3 months. By the 3^rd month card assess escalating fines to the banks beginning at $50 per chargeback.  Additionally, The banks are accessed an initial $5,000 review fee plus spiraling additional fines.  All fines are passed on to the merchant.

The bank can be audited by the card companies and may lose their acquiring  status.  With so much at risk, it’s no wonder that the banks will almost always terminate the merchant before they complete the 3^rd month of monitoring.

Once merchants are terminated, it’s very difficult for them to get another merchant account.  Any bank opening a new account for the merchant assumes the previous liability associated with that merchant.

The moral for this sad story is that merchants must do whatever it takes to keep chargebacks low.  A good payment gateway can help.