WALMART ANTI TRUST SETTLEMENT Acceptors from 10/25/92-6/21/2003

‘ve researched the class action and here’s my findings. This is a very famous suit in our industry. Walmart was the leader because when debit cards first came out the rates were the same as regular cards and there were no options for PIN pads. The MC/Visa pirates and their member banks ripped merchants off big time. It covers the time period you were accepting between 10/25/1992 and 06/21/2003. The first point is you are entitled to money The second point is you should make a claim as it’s easy and free (except for the in place lawyer fees). Many merchants are receiving their claim forms. If you have not received yours or have misplaced it no problem just go to http://inrevisacheck-mastermoneyantitrustlitigation.com/

The rule of thumb is you are entitled for up to $20 for every $100,000 of MC/Visa sales you had in 2002. So if you did $4,000,000 in 2002 you may have $800 coming.
Contact me if you need information as to how to file your claim.
Bill

Merchants can still file claims to receive claims in class action Walmart suit

Merchant claims still accepted, feds to receive over $7 million

Eligible merchants can still file claims to receive their fair share of the settlement in the class-action “Visa Check/MasterMoney” antitrust case, according to Lloyd Constantine, Partner with the law firm Constantine Cannon, the lead counsel for the plaintiffs.

Also called the Wal-Mart suit for its lead plaintiff, the case, which concluded in 2003, threw out the card Associations’ honor-all-cards rules. It also established a settlement fund with nearly $3 billion in damages from the card Associations.

The law firm has not yet decided when to close the class. “If and when it’s our recommendation to the court that we end that, we will give public notification well in advance,” Constantine said in an interview.

U.S. merchants who accepted cards from Visa U.S.A. and MasterCard Worldwide between October 1992 and July 2003 are eligible for an award.

Making a federal case out of it

In recent weeks, the law firm has mailed checks to most class members (see “Industry Update” in this issue) and reached a settlement with the federal government.

In early 2006, the Justice Department sought to become a member of the merchant class. The government estimated its signature debit, credit and PIN debit claims at up to $11 million.

Counsel for the merchants asserted the government could sue the card Associations on its own behalf and had no standing in the merchant class. Negotiations led to the following compromise in December:

The merchant settlement fund will pay approximately one-third the amount ($3.7 million), Visa and MasterCard will pay about one-third, and the government has agreed to forego about one-third. Visa will pay $2 million and MasterCard will pay $1.5 million.

The compromise was the best course, Constantine said, because the government’s claim was 1) not a significant portion of the proceeds, and 2) hampering efforts to award funds to class members.

“While this dispute was pending, it was … casting a shadow over the settlement fund,” he said. The government’s claim prevented the fund from making final estimations of awards.

Given that the U.S. District Court had not ruled on the government’s claim, a compromise was preferable to waiting out the estimated two-year appeals process that would have followed a court decision.

Facing the music

As part of their 2003 settlement with merchants, Visa and MasterCard agreed to label debit cards as such on their face. The deadline for complying was Jan. 1, 2007. Member banks have re-issued their more than 250 million Visa- and MasterCard-branded ATM/debit cards with the word debit on the front.

“I was pleased to see that [issuing banks] were ahead of schedule in doing that,” Constantine said. Banks appear to have fully complied, but the firm has issued advisories to consumers asking them to report any failure to distinguish debit cards from credit.

Also part of the 2003 settlement: Merchants accepting the brands would now be allowed to ask for another form of payment when either type of card is offered for payment.

The card Associations agreed to pay $250 million annually into the settlement fund for 10 years.

From this, the fund will pay new claimants and, in 2007, make a major distribution to class members who accepted PIN debit during the period covered by the lawsuit.

Although merchants have generally been given one-time payments of all damages to which they are entitled, any money left over at the end of the fund’s life will be distributed as residual payments.

The court agreed in December to Constantine Cannon’s proposal that the 35,000 claimants who were owed less than $5 apiece be paid amounts of approximately $12 each.

The larger payment compensated them in full for any future residual distributions, to avoid sending checks for miniscule amounts at a later date, Constantine said. Those checks were part of the most recent distribution.

Article published in issue number 070102

Online Brokerage Fraud

Robbery on the Electronic Highway
ONLINE BROKERAGE FIRMS:
THE NEWEST TARGET


by Joel Rosen

The age of electronic information, for all of its upside, does have a downside – it takes something extremely valuable and turns it into something incredibly portable. This makes electronic information not only the best thing to happen to business since the telephone, it also makes it the perfect target for thieves. Information theft, particularly identity theft, is a fast-growing problem that affects millions of people around the world. It takes many forms, from “phishing” schemes targeting individuals with online shopping accounts, to mass information theft from large databases where sensitive consumer information is stored. But there’s a new game in town for information thieves – a sophisticated fraud scheme that has been targeting some of the world’s largest online brokerage firms.
In recent months, overseas hackers broke into customer accounts at major U.S. online brokerages and made trades worth millions of dollars. Ameritrade Holding/TD Ameritrade, the third largest online broker, reported that this new form of online fraud cost them $4 million in Q3 2006. E*Trade Financial Corp, the fourth largest online broker, reported that fraud losses increased by $18 million in that same quarter. Both companies reimbursed customers for losses despite the fact that brokerage accounts are not protected by the Federal Deposit Insurance Corporation (FDIC) and other rules that protect banking customers. The Federal Bureau of Investigation (FBI), National Association of Securities Dealers (NASD) and the U.S. Securities and Exchange Commission (SEC) are working to determine the cause of the fraud, which is being classified as a “pump and dump” scheme – one of the several increasingly popular information theft scams, often initiated from locations like Eastern Europe and Thailand.
In a pump and dump scheme, information thieves steal passwords for victims’ online brokerage accounts, then use this information to purchase stocks using the hijacked accounts. In recent cases, thieves purchased a large number of shares of small-cap low-volume stocks using an existing brokerage account, then liquidated the assets of the hijacked account and used the proceeds to purchase the same small-cap stocks. This drove up the price of the original shares so that the thieves made a profit when they sold the previously purchased stock. Not only was this very profitable for the thieves, it was a clean theft since the stock market essentially laundered the proceeds. In addition, pump and dump schemes may go unnoticed at the brokerage firms because funds are not withdrawn; they’re used to purchase stocks.
Regulators say they’ve seen an increase in pump and dump schemes over the last few months, along with another type of brokerage scam where thieves fraudulently obtain a customer’s log-in credentials, liquidate the account and wire the proceeds to offshore banks.
The experts believe that in recent cases, the passwords were acquired by installing keystroke-logging software on public-access computers, located at Internet cafés or hotels, or by tricking users into installing keystroke-logging software on their own computers. Once the software was installed, the thieves waited until the user typed their user name and password. The software then sent the information to the thieves via the Internet.
Thieves are also obtaining passwords and other sensitive personal information by using “screen-scraping” software. This technology captures whatever is on the screen and sends it to the perpetrator. “Phishing” is another popular method for obtaining account information. It uses e-mails that appear to be from trusted institutions to get users to visit bogus Web sites, where they are encouraged to log in, thus revealing sensitive information. Thieves will also use phishing scams to encourage people to unknowingly download keystroke-logging software.
With the number of incidents rising over the last year, it’s clear that this problem is only getting worse. At an industry conference in Phoenix on October 5, John Walsh, chief counsel in the SEC’s office of compliance inspections and examinations, publicly recognized this growing trend and acknowledged that hackers’ attacks have grown in sophistication.
While brokerage firms are responsible for protecting the sensitive information in their care, some of the responsibility for keeping personal account information safe lies with consumers. According to John Gannon, vice president of investor education for the NASD, consumers should be monitoring their accounts for any unauthorized trades. It’s likely that consumers will start feeling some of the heat generated by these fast-growing crimes as the industry may be looking to consumers to share the burden of protecting their sensitive information.
There are several things consumers can do to help keep thieves out of their online accounts. The SEC has published a guide called Online Brokerage Accounts: What you Can Do to Safeguard Your Money and Your Personal Information. You can find it online at www.sec.gov/investor/ pubs/ onlinebrokerage.htm. This guide provides helpful information on scams and how to avoid them, and includes tips on how to protect yourself online and how to know if your identity has been stolen.
But while consumers are the first line of defense, they are not the only factor in preventing online fraud. Although the online brokerage firms have demonstrated exemplary behavior towards their customers over the last few months – reimbursing them for the losses they incurred – it’s obvious from the attacks that the fraud monitoring systems that these firms have in place can be circumvented.
Fortunately, there are a host of security technologies, including new data activity monitoring and behavioral analysis solutions, that can be added to the lines of defense already in place at many firms to identify suspicious activity. It’s safe to say that reputable online brokerage firms will do everything in their power to avoid future mishaps. Breaches such as these are very expensive. Beyond the obvious losses they incur when they reimburse millions of dollars to customers affected by fraud, this is also a customer-retention and a brand equity issue.
Ultimately, the solution to brokerage fraud lies in consumers and institutions working together to address the problem. Consumers must stay informed and take the necessary precautions to protect account information and passwords, as well as closely monitor the activity in their accounts. Institutions must make sure that the layers of technology are in place to know what’s really going on with the valuable assets in their care. There will always be bad guys to be dealt with where valuables are concerned, but despite malicious hackers and information thieves, the upside of the electronic information age still far outweighs the downside.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

Attorneys specializing in credit card/payment processing

Article published in Issue Number: 070101

Forum

Merchant needs counsel

I’ve been a subscriber of your magazines since I began in the processing industry, and I have a question. What attorney can you recommend to defend a merchant in a large chargeback dispute?

Thanks, Bill Hoidas Matrix Payment Systems

Bill,

The Green Sheet Inc. does not recommend individuals or companies. However, following are some attorneys we know of (listed alphabetically by last name) who specialize in payments industry-related issues:

Adam Atlas
514-842-0886
atlas@adamatlas.com

Theodore F. Monroe
310-694-8161
monroe@tfmlaw.com

Anthony L. Ogden
661-775-8527
tony.ogden@bankcardlaw.com

Paul A. Rianda
949-261-7895
paul@riandalaw.com

Holli Targan
248-727-1460
htargan@jaffelaw.com

Editor

Payments 2006: A tumultuous, tantalizing mix


FFrom a temblor-like shakeup of card Association foundations to an enigmatic, grand-scale security breach, 2006 relandscaped the payments world.

As the card Associations shed old habits, national merchants and consumers alike tested new payments modi operandi: card waving instead of swiping; lattes bought on credit; Google as a payment vehicle; and loyalty cards multiplying like rabbits in wallets.

Changes were apparent in terminology, too. MasterCard International became MasterCard Worldwide and morphed into a corporation by taking itself public in May.

In October, Visa International said it would follow suit, announcing plans to unify its continentally partitioned organization and dissolve its current member-bank structure to become a corporation. Once this occurs, the term “Association” will be industry history.

Bleak house of bankcards

A class-action lawsuit filed by a coalition of convenience stores, drug stores and community grocers against card Association interchange fees lurched along. Pumped into action, Congress heard merchants’ complaints and convened committees. But lacking the political will to legislate interchange controls, representatives and senators simply harrumphed their views on rate-setting.

A sparsely attended post-Valentine’s Day House subcommittee session on interchange was anything but a love-in. “The success of the banks’ legally suspect practices has given them tremendous market power,” said Edmund Mierzwinski, Consumer Program Director at U.S. Public Interest Research Group.

Expressing the contrary view, lobbyists for the Electronic Payments Coalition and others urged lawmakers not to impose rate controls.

In July, bipartisan members of the Senate Judiciary Committee messengered engraved invitations to the legal counsels of Visa and MasterCard for a hearing on interchange policies.

Senators expressed displeasure with merchants’ powerlessness over bankcard acceptance terms and then held the attorneys’ feet to the fire.

While no legislative action was forthcoming, Congress’ sudden interest in rate-setting had the desired effect: The Associations did an about-face on some policies, making their interchange rates public shortly thereafter.

The long, unwinding road

In April, merchants added debit cards to their class-action lawsuit against Visa and MasterCard credit card interchange fees.

The Associations see unwinding their member board structures as a way to preempt future liability from merchant lawsuits. They will then strive for shareholder profits over bank revenue, liberating rate-setting in the process.

While most ISOs looked for cover in the spat between retailers and the card Associations, a few championed the former. In September, Bill Hoidas Sales Manager and Director of Product Development for Matrix Payment Systems http://paymentconsulting.net/ is one of the crusaders.

Some have suggested in a public forum that investors petition the card Associations “to drop interchange immediately.”

Meanwhile, merchants waited to learn whether the federal government will devour a chunk of their $3 billion proceeds from the Wal-Mart suit, settled in 2003. It threw out the card Associations’ “honor all cards” rule. Negotiations between the plaintiffs and the government, which filed a claim at the beginning of 2006, were set to conclude Dec. 22.

Approximately 1 million settlement checks have been sent to date, but many of those were divvied up among multiple merchants, such as franchisees, according to Lloyd Constantine, Lead Counsel for the plaintiffs.

Payouts averaged $1,000 per recipient, he added. Some have received millions of dollars, and 35,000 merchants are expected to receive less than $5 apiece. The actual number of merchants involved could be as high as 2 million.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

Fraud Update

Fraud
update


PCI compliance is a problem for more than 85 percent of merchants, according to Paul Giardina, Senior Vice President for marketing for Protegrity, Stamford, CT, a company that provides data protection technology.
Giardina, who discussed these security issues at the 2006 Teradata Partners Conference, in late September in Orlando, Fl, says that companies should pursue “defense in depth,” adding different layers of security as risk and the value of the data to be protected increases.
PCI is one of several new laws that businesses have had to concern themselves with the last few years, according to Giardina. It incorporates some of the elements of Canada’s PIPEDA, HIPAA, several state laws and other international regulations.
Even though Visa and MasterCard have required the compliance for more than 18 months in order for merchants to protect themselves from fines in the event of a data breach. But less only 15 percent had met PCI standards by January, according to a Visa survey. A Protegrity survey showed similar results.
According to the Protegrity survey, less than 5 percent of merchants had passed the PCI assessment and a little more than 30 percent had started their assessment. Nearly 20 percent failed their initial PCI assessment, about the same percentage that said they were just starting the PCI compliance process. Fully one-quarter of merchants had yet to start their PCI compliance process.
Even the percentage from Visa’s survey has doubled in the last nine months; the large majority is still short of the standard, which includes 12 different steps (for more information, see www.pcisecuritystandards.org/pdfs/ pci_dss_v1-1.pdf).
Giardina recommends prioritizing projects based first on which security holes present the highest risk to the company (i.e., adding firewalls for personal computers) and then using ease of implementation as a secondary prioritizing factor.
So firms should first test themselves for each of the 12 PCI requirements and rate the risk factor from 1 (low) to 5 (high), and do the same thing for the difficulty of fixing the security deficiency. “Go for the low-hanging fruit,” Giardina says.
Following this approach also shows that a firm is taking a methodical approach to data security, one of the factors that different regulatory authorities use in determining the liability of an organization.

Visa USA and the U.S. Chamber of Commerce recently listed the following as the five top causes of data breaches and protection solutions:

Storage of magnetic stripe data

The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card’s magnetic stripe in violation of the PCI Data Security Standard. This can occur because a number of POS systems improperly store this data, and the merchant may not be aware of it.

Missing or outdated security patches

In this scenario, hackers are able to penetrate merchant or service provider’s systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.

Use of vendor supplied default settings and passwords

In many cases, merchants receive POS hardware or software from outside vendors who install them using default settings and passwords that are often widely known to hackers and easy to guess.

SQL Injection

Criminals use this technique to exploit Web-based applications for coding vulnerabilities and to attack a merchant’s Internet applications (e.g. shopping carts). According to Protegrity’s Giardina, (see above item) SQL injection is one of the new popular security intrusion methods that hackers are using today.

Unnecessary and vulnerable services on servers

Servers are often shipped by vendors with unnecessary services and applications that are enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack. As part of its effort to help businesses keep their data secure, the U.S. Chamber is distributing the Visa security alert to its full membership of small and mid-sized businesses nationwide. In addition, the chamber will also be working with its national network of local chambers of commerce to further ensure this valuable information reaches as many businesses as possible. The Visa alert along with helpful answers to data security questions can be found at the Chamber’s web page www.uschamber.com/sb/security.

The Global ATM Security Alliance and the ATM Industry Association recently released “Best Practices for Protecting the Customer’s Personal Bank Account and Identity.” This international manual brings together best practices for both multichannel security for financial services and the prevention of identity theft. The publication represents the minimum security guidelines for fraud management within the retail banking environment.
The idea for the best practices arose when cross-channel fraud increased markedly last year, with compromises at one delivery channel, whether on POS devices or during Internet banking, leading to fraud committed at, say, the ATM. In 2005, for example, well over 50 percent of ATM fraud in the US originated in POS compromises.

It’ 2007 (Almost) Is Your Data Secure Yet?

It’s 2007
(Almost.)
Is Your Data Secure Yet?


by Heather Mark

From a security and privacy perspective, the payment services industry has seen a number of dramatic changes this year. From a new iteration of the Payment Card Industry Data Security Standards and the creation of the Payment Card Industry Security Standards Council to the increasingly active enforcement on the part of the Federal Trade Commission, the industry has had a number of new developments with which to contend. From a security practioner’s perspective, perhaps one of the most significant changes, if not the most apparent, has been growing focus on information privacy, rather than on security alone. The issue of information privacy has been prominently featured in the headlines of 2006. According to the Privacy Rights Clearinghouse (www.privacyrights.org/ar/ chrondatabreaches.htm), more than 93 million records containing personal data have been exposed since the beginning of 2006. The types of data compromised run the gamut from research study results to customer records.
Privacy of personal data has garnered so much media attention that one might be led to believe that data privacy is an issue completely removed from more traditional conceptions of privacy. As Justice Brandies defined it in 1890, the right to privacy is the “right to be let alone”. That definition has been further refined throughout the years to include, among other aspects, control over personal information. The issue of controlling personal information, though, has been a long-standing tenet of privacy, deriving from case law dating back to the late 19th century. The advent of technologies such as the internet and e-commerce has sped the proliferation of personal information and made the control of such information far more problematic than in years past.
In addition to the technological innovations that have made the sharing and dissemination of information easier, the development of new business models, affiliations, partnerships, joint marketing agreements and similar arrangements have made the sharing of customer information far more desirable than it may have been previously.
The terms information privacy and information security are frequently, and erroneously, used interchangeably. A previous article (April 2005) expanded on the differences between the two concepts. To reiterate the main differences security is largely concerned with the appropriate access to data using administrative, technical and physical protections, while privacy is primarily concerned with the appropriate uses of data given the circumstances. Certainly the two are related: one cannot have comprehensive privacy practices without a sound information security program to form the foundation. To use the terms interchangeably, however, is to potentially expose your company to extensive liability.
Just as ensuring security of information does not ensure privacy, securing the Primary Account Number (PAN) does little to ensure the protection of privacy. The Payments industry has made great strides in recognizing their obligation to protect sensitive data such as credit card account numbers. But that component may be only one facet of the sensitive information that is collected and stored by companies throughout the industry. Consider gift cards and loyalty programs. The amount of personal data that is stored in order to facilitate those programs goes beyond an account number. Frequently, service providers hold not just the account number, but name and address as well. That data must also be protected from unauthorized use and disclosure.
Most companies are by now familiar with the questions to ask to determine their level of security. Those same companies, though, may be much less familiar with the questions to ask to determine the level of privacy afforded by their information practices. Following is a brief list of questions that one can ask to gauge corporate privacy practices.
What data is collected and stored? Surprisingly, though many companies have addressed their PCI compliance obligations, they are still unsure as to the extent of personal information that resides within their network. Understanding exactly what data is stored is essential to ensuring the privacy of that data.
Is this data strictly necessary for the provision of services or products? Many companies collect more data than is strictly necessary to facilitate the business relationship. Though this may be convenient to enabling market research, direct marketing efforts and other secondary uses, it may expose the company to liability if that data should be compromised.
Who has access to the data in question? This question is essential to both security and privacy. Again, access to data should be granted only on the basis of “need-to-know.” Many companies have been negatively impacted by disgruntled employees that had been granted privileges that were not commensurate with their roles and responsibilities. In addition, employees should be trained on both security and privacy policies with respect to the data in question. There should be no ambiguity regarding their specific responsibilities to the data.
How does the data flow within my organization? Understanding your data flow can help you identify and remediate potential points of “data leakage,” or points at which unauthorized disclosure or access is most likely to occur.
With whom is the data shared? In today’s environment, companies have developed all manner of relationships with other companies. Inherent in those relationships is some level of data-sharing. Before sharing data with affiliates and partners, though, companies should contractually ensure that their partners will ensure a comparable level of security and privacy. If possible, companies should understand the roles and responsibilities of the individuals within those companies that will have access to the data. Does the publicly available Privacy Policy match actual practice? Most companies have posted a privacy policy on their website. It is vitally important that those policies match the actual practice of the company. In order to achieve a privacy policy that is consistent with the company’s practices, cooperation among all the teams that access and use the data is of paramount importance.
The above list is certainly not exhaustive, but does provide a starting point to begin evaluating privacy practices. In addition to asking these questions, and those in the same vein, a Privacy Impact Assessment may also be appropriate.
A Privacy Impact Assessment (PIA), according to the e-Government Act of 2002 which makes PIAs a requirement for government agencies, is defined as “an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.” Privacy Impact Assessments, though mandated for government agencies, can also be extremely useful in the private sector.
A PIA can help companies understand both their current privacy practices and be used to determine the impact of changes to the system. A PIA not only assures organizations as to the impact of change on their privacy practices, but through conducting a PIA organizations ensure that they have formalized a comprehensive privacy program. A typical PIA may include the following elements:

  • Responsibility for the data
    What roles and individuals are responsible for the systems containing private information? (i.e. Chief Privacy Office, Security Manager, IT Manager, etc.)
  • Information about the systems
    What are the methods and applications used to collect and store the information? What business functions or departments are supported by these systems?
  • Description of the types of information held
    Does it pertain to customers, employees, or other individuals? Does the individual have the ability to “opt-out” of the data collection? Are the requirements to opt-out reasonable?
  • Description of the controls used to protect data
    This includes a description of the security controls that are in place to protect against a breach of the data.
  • Access to the data
    Which individuals or applications have access to the data and why? How is the access determined (i.e. role-based access controls)? What other agencies or entities have access to the data and why?
  • Attributes of the data
    Is the data accurate, timely and reliable? Is the data relevant?

Increased privacy awareness on the part of the consumers is going to have an immeasurable impact on the information practices of those companies in the payments industry. In 2007, companies should expect to look on privacy the same way that they have looked upon data security for the past several years. Helping your customers ensure consumer privacy can become an important competitive differentiator. I’ve stated previously that the focus on security denoted an important paradigm shift for the industry as a whole. That shift, rather than being disrupted, is only complemented by the focus on privacy. In fact, the focus on privacy is a logical conclusion to the shift. Marrying the concepts of security and privacy is a business and regulatory inevitability.

The skinny on chargebacks and disputes – Part III

By Ross Federgreen

When a company receives a chargeback or a dispute, a record of this event is maintained within the payment system. Many merchants do not realize the ratio of disputes and credits is also monitored.

Contracts today often contain the 1-3-7 rule. This means over a given period – usually one month – the percentage of chargebacks cannot exceed 1%; the percentage of disputes cannot exceed 3%; and the percentage of credits cannot exceed 7% of a merchant’s total transactions during that period.

Visa U.S.A. guidelines recommend that merchants continually monitor and track these and other ratios. Specifically, Visa suggests taking the following steps in monitoring chargebacks: 1) Track chargebacks and re-presentments by reason code; 2) include initial chargeback amounts and net chargebacks after re-presentment; and 3) track card-present and card-not-present chargebacks separately.

The orderly approach

The key to helping merchants successfully respond to chargeback notices is organization. Strongly encourage merchants to treat each notification seriously. As we discussed in the first part of this series, each response is driven by a specific time element. In addition, for each chargeback, merchants should know the jurisdiction responsible for the notification, the specific dispute code, the specific issuance bank and the specific request being made.

Here are 15 steps to take when looking at a chargeback notification:

  1. Verify that the notification is addressed to the correct merchant.
  2. Identify the jurisdiction.
  3. Note the due date.
  4. Note the case number.
  5. Note the adjusted transaction amount.
  6. Note the reason code.
  7. Note the dispute type.
  8. Review the case summary.
  9. Note the issuance bank.
  10. Review the original transaction detail information.
  11. Review all attachments, including affidavits.
  12. Determine if you have responded previously to the inquiry or taken action.
  13. Decide if you want to accept or contest the adjustment.
  14. Review required actions.
  15. Complete the chargeback response.

Merchants should keep data organized so they can discern patterns and trends. The point is to reduce future chargebacks and disputes by analyzing the information to recognize emerging patterns. Issues that might surface include problems with fulfillment, problems with issued credits, customer service difficulties and a multitude of other concerns, including the possibility of fraud.

The analytical angle

Trend analysis is critical. It provides merchants a view of not only a single chargeback in isolation but also, more importantly, an overview of the status of merchants’ specific operations. Frequently updating trend information with the knowledge of specific circumstances, such as seasonal variations, will provide merchants with a growing platform of reference data.

At the very minimum, merchants should track and understand the implications of the following on a monthly basis:

  1. Number of chargebacks/total number of transactions
  2. Number of chargebacks per card brand/total number of transactions per brand
  3. Number of chargebacks per month
  4. Number of disputes/total number of transactions
  5. Number of credits.

Why bother with trend analysis? By establishing baselines of behavior you can more readily recognize aberrations. It’s far better to take action related to a predicted increase in chargebacks than react to a situation identified by an outside source.

Many merchants will ask you if there are resources that will provide these services. The short answer is yes. But you, as the ISO or merchant level salesperson, must be well informed about the quality of the provider.

The diligent defense

Do not rely entirely on information provided by a given merchant’s processor/acquirer. The information these entities provide doesn’t account for the critical needs of a successful chargeback defense. The issuance bank is focused on accounting for the specific dispute or chargeback code or identifying specific credit cards that have been used to defraud the merchant in question.

A number of innovative programs have been developed in recent years that attempt to help merchants respond appropriately to chargebacks. Crucial to success is the development of custom responses, which are tied to three variable factors: the specific dispute code, the issuance bank and the specific elements the merchant can use when responding to the chargeback.

For example, it does no good to develop a response that requires merchants to use proof of delivery in the MO/TO or e-commerce space if they, for whatever reason, cannot do so. However, it’s always important to provide this type of information so the most-informed business decisions can be made.

The reliable response

Merchants ask many questions about chargeback and dispute regulation. The primary concern is consequences: What happens if they fail to respond or do not respond in a timely manner?

The simple answer is that all merchants should be taught to respond to all requests. Failure to respond is not prudent, except in cases in which the merchant accepts the account adjustment given in the chargeback notification.

Many merchants ask if there is a criminal component to a chargeback. Chargebacks are not, in themselves, evidence of criminal activity. However, patterns of chargebacks can lead to criminal prosecution after an investigation.

Reasons include evidence of the following: intentional failure to deliver product, delivery of banned items, intentional failure to issue refunds or other illegal activity.

The rules that govern chargebacks are set and governed by the card Associations. Through their corporate governance, new rules can be set or existing rules and regulations can be modified. This process is normally driven by the evolution of payment modalities due to the development and modification of platforms.

The arguable advantage

As an ISO or MLS, it behooves you to be knowledgeable about the chargeback process and its governing rules and regulations. You can enjoy a very significant competitive advantage if you offer your merchant base meaningful and knowledgeable assistance in this area.

A word of caution: Do not offer advice if you are not familiar with the subject. Help your merchants obtain qualified help instead. Remember, if your merchants cannot get paid, they cannot survive.

Conquering chargebacks

Last month I wrote about the importance of merchant education, emphasizing that proper merchant training can reduce chargebacks .Remember that a card issuer must meet all requirements for the MasterCard Worldwide and Visa U.S.A. chargeback reason code it is using.

Otherwise, the chargeback can be re-presented by the merchant or acquirer, shifting the burden of loss back to the card-issuing bank or cardholder. You may find the examples below helpful in further understanding the chargeback process and certain chargeback reason codes.

MasterCard Reason Code 4860

A card issuer initiated a chargeback for MasterCard Reason Code 4860 (credit not processed) after receiving a letter from a cardholder who was dissatisfied because a merchant issued her an in-store credit for returned merchandise.

The cardholder stated she had no use for the in-store credit and was not advised of the merchant’s in-store credit policy at the time of purchase. She wanted a credit on her card account.

The card issuer processed the chargeback because 1) the in-store credit confirmed the merchant’s acceptance of the returned goods, and 2) the credit was not issued in accordance with MasterCard’s disclosure requirements.

The requirements allow merchants to impose specific transaction terms by printing them on an invoice or sales draft near the cardholder signature line before presenting it to the cardholder for signing.

Transaction limitations may also be disclosed by other means, such as signage or literature, provided they are sufficiently prominent and clear to cardholders. Examples of allowable wording for transaction limitations are “exchange only,” “in-store credit only,” and “original packaging required for returns.”

In this case, the merchant would lose because he did not give the cardholder proper notice of his in-store credit policy. Reason Code 4860 is applicable only if the merchant accepts returned merchandise or service cancellation and issues an in-store credit (or partial credit) without proper disclosure, as specified under the rules. If you help to properly set up your merchants, this chargeback situation can be prevented.

Visa Reason Code 85

The card issuer initiated a chargeback for Visa Reason Code 85 (credit not processed). It attached a copy of the cardholder’s statement with a circle drawn around the merchant’s $59.95 transaction and “canceled” written next to it.

In this case, the merchant can have his ISO re-present this chargeback because the card issuer failed to indicate the reason for cancellation. Reason Code 85 requires the card issuer to provide: 1) the date the merchandise was returned or the services were canceled; 2) proof that the cardholder made an attempt to resolve the dispute; and 3) a reason for the cancellation or return.

Many credit-not-processed chargebacks can be re-presented due to failures to meet these three requirements. I usually find merchants are not even re-presenting chargebacks in situations in which they have already issued credits/returns to cardholders.

Merchants should check every incoming chargeback to see if a credit has already been issued. It’s easy to re-present a chargeback for credit issued.

Visa Reason Code 53

The card issuer initiated a chargeback for Visa Reason Code 53 (not as described or defective merchandise) in which the cardholder attempted to return merchandise purchased at an auction.

At the time of the transaction, the merchandise was represented as a genuine, signed memorabile, but it was actually only a laser copy.

The ISO’s chargeback department re-presented the chargeback with a merchant letter stating the merchandise was clearly described, the cardholder had the winning bid and the cardholder agreed to the merchant’s terms and conditions.

The merchant also provided a signed agreement that stated he would not accept the return of disputed merchandise and all sales were final.

The merchant won this chargeback for three reasons: 1) The language in his paperwork reduced chargeback exposure; 2) the cardholder failed to prove the merchandise sold was not as described; and 3) the cardholder failed to provide documentation from the merchant that guaranteed the merchandise’s authenticity.

These examples show that by paying close attention, a merchant and his ISO’s chargeback department can lessen the cost of chargebacks.

Many issuing banks have large chargeback centers that send improper chargebacks to the same merchants routinely. They will continue to do so for as long as they get away with it. When they know a merchant re-presents invalid chargebacks, they are much more careful about sending chargebacks to that merchant.

Visit the card Associations’ public Web sites for more chargeback resources: usa.visa.com and www.mastercard.com You’ll be better able to serve and properly set up your merchants. You can also provide much card Association information directly to targeted merchants; with e-mail it’s easy to distribute new and updated materials.

David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Call him at 630-637-4010, e-mail dhpress@ibc411.com or visit www.ibc411.com