Visa recently introduced new rules for e-commerce fraud prevention. This article explains how these rules impact your online business and steps you need to follow to avoid new fees.
Increase in Online Fraud
Consumers are increasingly making purchases online, fueled by changes in shopping habits adopted during the COVID-19 pandemic. And opportunistic fraudsters have followed suit, with e-commerce fraud escalating. A new study from Juniper Research, “Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2021-2025,” reports that the value of losses due to e-commerce fraud will increase 18% to over $20 billion by the end of 2021 from $17.5 billion in 2020.
One of the most common types of fraud is called “card cycling,” a method whereby fraudsters attempt to validate stolen credit card credentials. They write an automated computer script that allows them to quickly cycle through thousands of credit card numbers and test different combinations of security codes and other underlying credentials. Those deemed valid are then used to fraudulently purchase goods for resale, or to sell as verified cards on the dark web.
The Industry Responds
Visa, card issuers and processors recently joined together to implement new measures intended to reduce fraudulent activity, especially as it relates to suspicious cards, such as those that have been canceled or compromised in a breach. Mastercard is expected to follow suit in the near future.
Effective April 1, 2021, Visa has grouped a series of decline codes and classified them as “Category 1” transaction responses with a description “Issuer Will Never Approve.” This subset of decline codes indicates the card is blocked for use (such as a stolen card) or never existed. It signals that there is no circumstance in which the issuer will grant an approval.
Effective April 1, 2022, merchants who reattempt to authorize a transaction after receiving a Category 1 decline will be assessed a non-compliance fee passed on from Visa. The fee for domestic transactions is $0.10, and international transactions will be assessed $0.15.
Payment Processing Demo
Schedule 15 minutes with a payments expert
Get a customized PayJunction product walk-through
Understand requirements and pricing
Determine your SAVINGS!
PayJunction Changes and Merchant Best Practices
PayJunction has implemented the rules on your behalf. No technical changes are required by you and there is no impact on how you process transactions.
Any Visa card that is declined because of Decline Response Category 1 is automatically added to your account’s Blocklist. These include PayJunction decline codes BT, 04, 12, 15, 57, 62, 78, RC. When attempting to charge a card that was added to the blocklist, merchants will see the following message: “Declined FB. This account has been blocked in PayJunction due to Fraud. You can edit this in your block list."
Here are a few best practices to protect your business and avoid the new fees:
Turn on AVS and CVV Matching Requirements
With just a credit card number, fraudsters can put charges on a credit card even if it’s not in their possession. To combat this, businesses can enable Address Verification System (AVS) and Card Verification Value (CVV) to better confirm the authenticity of the purchase.
AVS and CVV numbers are typically harder for fraudsters to get their hands on than card numbers and expiration dates. Simply turning on the option to require this information at checkout will help prevent card testing.
Don’t Unblock Cards
Nobody likes to decline transactions, as there is a risk in turning away good customers. However, in the case of Category 1 codes, merchants should comply with the issuer’s response to “never approve.” PayJunction will automatically add cards with a Category 1 Decline Response to a merchant's block list.
You have the ability to manually unblock the cards; however, we strongly advise not to do so because any subsequent attempt to charge the same card number for any reason will result in non-compliance fees from Visa. These fees can really add up if a fraud bot is attempting card cycling on a stolen card number and making thousands of hits to your website.