
MERCHANT CARD SERVICES QUARTERLY UPDATES

Self-Assessment Questionnaires - Third Quarter 2009

During the third quarter of 2009, Merchant Card Services will be mailing self-assessment questionnaires and information regarding Visa Data Security Compliance.  Please complete the questionnaires by July 31, 2009 and return them to Mifflinburg Bank & Trust Company. 

See Visa.com for more information: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Chargebacks - Second Quarter 2009

The most common reasons for chargebacks include: customer disputes, fraud, processing errors, authorization errors, and nonfulfillment of copy requests (only if fraud or illegible).

Although you probably cannot avoid chargebacks completely, you can take steps to reduce or prevent them.  Many chargebacks result from easily avoidable mistakes, so the more you know about proper transaction-processing procedures, the less likely you will be to inadvertently do, or fail to do, something that might result in a chargeback.

Of course, chargebacks are not always the result of something merchants did or did not do.  Errors are also made by merchant banks, card issuers, and cardholders.

When you do receive a chargeback, you may be able to resolve it without losing the sale.  Simply provide your merchant bank processor with additional information about the transaction or the actions you have taken related to it.  For example, you might receive a chargeback because the cardholder is claiming that credit has not been given for returned merchandise.  You may be able to resolve the issue by providing proof that you submitted the credit on a specific date.  Send this information according to the instructions given on the chargeback notice in a timely manner, normally within 10 days. 

Timeliness is also essential when attempting to remedy a chargeback.  Each step in the chargeback cycle has a defined time limit during which action can be taken.  If you do not respond during the time specified on the request you will not be able to remedy the chargeback. 

Although many chargebacks are resolved without the merchant losing the sale, some cannot be remedied.  In such cases, accepting the chargeback may save you the time and expense of needlessly contesting it. 


Cardholder Data in Transit - First Quarter 2009

Recent data security breaches reported to Visa indicate that criminals continue to target merchants in the hospitality industry, specifically hotels and restaurants.  With the secure implementation and use of Payment Application Data Security Standard (PA-DSS) compliant applications, attacks upon data at rest have become more difficult.  Criminals have shifted their attacks to intercept cardholder data in transit during transaction authorization through the use of packet sniffers, memory parsers and other malware.  Further information on these attack methods, specific variants identified in data security breaches, and mitigation strategies can be found on the Visa website at www.visa.com/cisp under Alerts, Bulletins and Webinars.

Packet sniffers, memory parsers and other malware pose serious risks when installed on critical systems because they can allow criminals to penetrate the cardholder data network and gain entry into merchants' systems.  Once network intruders gain entry, they can steal cardholder data, and the incident is difficult to detect.  These threats underscore the urgency of maintaining compliance with all PCI DSS requirements.

Signs of a Suspected Breach

Although a breach can be difficult to detect, any sign of a suspected security incident requires that Visa clients and their merchants take immediate action to investigate the incident, limit the exposure of cardholder data, notify Visa and report investigation findings.  Instructions for these procedures can be found in Visa's What to Do if Compromised document.  Signs of an incident include the following, but are not limited to:

* Failed log-in attempts in system authentication and event logs

* Unexplained modification or deletion of data

* Presence of unexpected IP addresses on merchant networks, including wireless

* Unknown or unexpected user accounts, services or applications

* Presence of compressed or uncompressed files (e.g., .zip, .rar, .tar, .log) containing cardholder data
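Three of the signs listed above (failed log-in attempts in authentication logs, unexpected IP addresses on the merchant network, and files containing cardholder data) can be checked mechanically. The script below is an added example written for this page, not a Visa tool or a Mifflinburg Bank procedure. The log lines, the address inventory and the file contents are constructed samples, the log layout is assumed to be syslog-like, the five-failure threshold is an assumed tuning value, and the card number is the well-known Visa test number rather than a real account. The file scan uses a Luhn check so that order numbers and phone numbers are not reported as card data.

```python
import re
from collections import Counter

# Constructed sample authentication log (not a real capture), in an assumed
# syslog-like "date time host daemon: message" layout.
SAMPLE_AUTH_LOG = """\
2009-03-02 01:12:04 pos-1 sshd: Failed password for root from 10.0.5.77
2009-03-02 01:12:06 pos-1 sshd: Failed password for root from 10.0.5.77
2009-03-02 01:12:09 pos-1 sshd: Failed password for admin from 10.0.5.77
2009-03-02 01:12:11 pos-1 sshd: Failed password for admin from 10.0.5.77
2009-03-02 01:12:14 pos-1 sshd: Failed password for pos from 10.0.5.77
2009-03-02 01:12:20 pos-1 sshd: Accepted password for pos from 10.0.5.77
2009-03-02 08:30:00 pos-1 sshd: Failed password for clerk from 10.0.1.12
"""

# Constructed inventory of addresses that belong on the merchant network.
KNOWN_ADDRESSES = {"10.0.1.12", "10.0.1.13"}

# Constructed contents of a file found on a POS host. The card number is the
# well-known Visa test number 4111..., not a real account.
SAMPLE_FILE = (
    "order 20090302000123 card 4111 1111 1111 1111 exp 1210\n"
    "ref 1234567890123456 phone 570-555-0100\n"
)

LOGIN_EVENT = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")


def failed_login_bursts(log_text, threshold=5):
    """Source addresses with at least `threshold` failed log-ins (assumed cut-off)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_EVENT.search(line)
        if m and m.group(1) == "Failed":
            counts[m.group(3)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def unexpected_addresses(log_text, known):
    """Addresses seen in the log that are not in the network inventory."""
    seen = set()
    for line in log_text.splitlines():
        m = LOGIN_EVENT.search(line)
        if m:
            seen.add(m.group(3))
    return sorted(seen - known)


def luhn_ok(digits):
    """Luhn check-digit test: card numbers pass, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return Luhn-valid 13-19 digit numbers found in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_AUTH_LOG))
    print("unexpected sources :", unexpected_addresses(SAMPLE_AUTH_LOG, KNOWN_ADDRESSES))
    print("card data in file  :", find_pans(SAMPLE_FILE))
```

Run against the samples, the script reports 10.0.5.77 both for its five failed log-ins and as an address missing from the inventory, and reports the single Luhn-valid number from the file while ignoring the order reference, the 16-digit reference that fails the check, and the phone number. Where a scan does find card data, the point is to treat it as a possible breach and follow the reporting steps above, not to inspect the data further.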

Recommended Mitigation Strategy

To minimize the possibility of a data security breach and mitigate the risk of a data compromise, merchants should maintain PCI DSS compliance and, at a minimum, take the following actions:

* Implement a firewall to permit network traffic only where there is a defined business need and deny all other network traffic.

* Use and securely implement PA-DSS compliant applications and update all systems routinely with current security patches.

* If use of remote access products is necessary, implement the latest security patches and configurations and ensure strong authentication is required for log in.

* Ensure antivirus, anti-spyware and anti-malware software are up-to-date.

* Contact product vendors for more information on how to secure their products.

CARD-ABSENT TRANSACTIONS - Third Quarter 2008

The growth of the mail order, telephone order (MO/TO), and internet markets means an increasing number of merchants are now processing transactions in situations where the card and cardholder are not present - and fraud may be especially difficult to detect.  Of necessity, card acceptance procedures for these transactions are different from procedures for card-present transactions, but must still allow merchants to verify - to the greatest extent possible - the cardholder's identity and the validity of the purchase.

Fraud Prevention for Card-Absent Transactions

Visa has established a range of fraud prevention policies, guidelines, and services for card-absent merchants.  Using these tools will help protect your business from fraud-related chargebacks and losses.  MO/TO and Internet merchants should strongly consider developing in-house fraud control policies and providing appropriate training for their employees.

The following sections outline basic fraud prevention guidelines and best practices for card-absent merchants.

Authorize All Card-Absent Transactions

Authorization is required on all card-absent transactions.  Card-absent transactions are considered zero-floor-limit sales.  Authorization should occur before any merchandise is shipped or service performed.

Ask for Card Expiration Date

Whenever possible, card-absent merchants should ask customers for their card expiration, or "Good Thru", date and include it in their authorization requests.

Including the date helps verify that the card and transaction are legitimate.  A MO/TO or Internet order containing an invalid or missing expiration date may indicate counterfeit or other unauthorized use.

Ask for CVV2

The Card Verification Value 2 (CVV2) is a three-digit security number printed on the back of credit cards to help validate that a customer is in possession of a legitimate card at the time of an order.

Studies show that merchants who include CVV2 validation in their authorization procedures for card-absent transactions can reduce their fraud-related chargebacks, and should use CVV2 as a fraud reduction tool.

CVV2 Processing

To ensure proper CVV2 Processing for card-absent transactions, merchants should:

  • Ask card-absent customers for the three numbers in or beside the signature panel on their credit cards.
  • If the customer provides a CVV2, submit this information with other transaction data (i.e., card expiration date and account number) for electronic authorization.
  • Evaluate the CVV2 result code you receive with the transaction authorization and take appropriate action based on all transaction characteristics.
CVV2 RESULT CODE - RECOMMENDED ACTIONS

M - Match: Complete the transaction, taking into account all other transaction characteristics and verification data.

N - No Match: View a "No Match" response as a sign of potential fraud, which should be taken into account along with the authorization response and any other verification data.  You may also want to resubmit the CVV2 to ensure a key-entry error did not occur.

P - CVV2 request not processed: Resubmit the authorization request.

S - CVV2 should be on the card, but the cardholder has reported that it is not: Follow up with the customer to verify that the correct card location has been checked for CVV2.

U - Card issuer does not support CVV2: Evaluate all available information and decide whether to proceed with the transaction or to investigate further.

A cardholder's CVV2 may never be stored as part of order information or customer data.  The storage of CVV2 is strictly prohibited subsequent to authorization.

Verify the Billing Address with AVS

The Address Verification Service (AVS) is an automated fraud prevention tool that allows card-absent merchants to check a cardholder's billing address as part of the electronic authorization process.  Studies have shown that perpetrators of fraud in card-absent transactions often do not know the correct billing address for the account they are using.  Verifying the address can, therefore, provide merchants with another key indicator of whether or not a transaction is valid.

AVS Processing

To use AVS, simply ask card-absent customers for their billing address as it appears on their monthly statement.  This information is then submitted with other transaction data for electronic authorization.  Address verification and authorization occur simultaneously (in a matter of seconds) and you will receive an AVS response code with the authorization.

You should evaluate the AVS response code and take appropriate action based on all transaction characteristics and any other verification information received with the authorization (i.e., expiration date, CVV2, etc.).  An authorization response always takes precedence over AVS.  Do not accept any transaction that has been declined, regardless of the AVS response.

AVS RESPONSE - WHAT IT MEANS

Y - Match: Both street address and five-digit zip code match.  Complete the transaction; you can be relatively confident it is legitimate.

A - Partial Match: Street address matches, but zip code does not.  View as a sign of potential fraud.  Depending on the transaction amount, you may decide to complete the transaction or investigate further to ensure it is valid.

Z - Partial Match: Zip code matches but the street address does not.  View as a sign of potential fraud.  Depending on the transaction amount, you may decide to complete the transaction or investigate further to ensure it is valid.

    Unless you sent only a zip code AVS request and it matched, you may want to follow up before shipping merchandise.  Note: For a zip code only request and a P.O. Box address, issuers may respond with either a "Y" (Exact Match) or a "Z" (Partial Match - Zip Code Matches).

N - No Match: Street address and zip code do not match.  View as a sign of potential fraud and take further steps to validate the transaction.

U - Unavailable: The card issuer's system is not available or the card issuer does not support AVS.  The address cannot be verified at present.  You must decide whether to accept or refuse the transaction, or investigate further.

R - Retry: The card issuer's system is not available; try again later.  The card issuer's system may not be working.  You should resubmit your AVS request later.

If you complete a transaction for which you received an authorization approval and an AVS response of "U" (unavailable), and the transaction is later charged back to you as fraudulent, your merchant bank may represent the item.  U.S. issuers must support AVS or lose their right to fraud chargebacks for card-absent transactions.  Issuers also lose fraud chargeback rights for "U" responses in CVV2 request situations.
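The CVV2 Processing and AVS Processing sections above describe one decision made from three signals: the authorization response, the CVV2 result code and the AVS response code, with the authorization response taking precedence and with CVV2 never kept after authorization. The code below is an added example written for this page, not Visa's logic or a processor's API. The request and record field names are this example's own, the "review threshold" stands in for the "depending on the transaction amount" judgement the guidance leaves to the merchant and is an assumed policy value, and the choice to send "U" responses to review (rather than accept or refuse) is likewise this example's policy. The order uses the well-known Visa test number, not a real card.

```python
from dataclasses import dataclass
from typing import Optional

# Decisions this example can reach. "review" means investigate further or
# follow up with the customer before shipping, as the guidance suggests.
ACCEPT, REVIEW, RESUBMIT, DECLINE = "accept", "review", "resubmit", "decline"


@dataclass(frozen=True)
class AuthResponse:
    approved: bool               # the authorization response itself
    cvv2_result: Optional[str]   # M, N, P, S, U, or None if no CVV2 was sent
    avs_result: Optional[str]    # Y, A, Z, N, U, R, or None if no AVS request


def build_auth_request(pan, exp_date, cvv2, street, zip_code):
    """What the guidance says to submit together: account number, expiration
    date, CVV2 and the billing address for AVS. Field names are assumed."""
    return {"pan": pan, "exp": exp_date, "cvv2": cvv2,
            "avs_street": street, "avs_zip": zip_code}


def evaluate_card_absent(resp, amount, review_threshold):
    """Combine the three signals into one decision.

    review_threshold is an assumed merchant policy standing in for the
    "depending on the transaction amount" judgement in the AVS partial-match rows.
    """
    # The authorization response always takes precedence: a decline is final
    # regardless of the AVS or CVV2 result.
    if not resp.approved:
        return DECLINE
    # The check did not run (CVV2 "P", AVS "R"): resubmit rather than guess.
    if resp.cvv2_result == "P" or resp.avs_result == "R":
        return RESUBMIT
    # CVV2 "No Match" is a fraud sign; "S" means follow up with the customer.
    if resp.cvv2_result in ("N", "S"):
        return REVIEW
    # AVS "No Match": take further steps to validate the transaction.
    if resp.avs_result == "N":
        return REVIEW
    # AVS partial matches: small orders go through, larger ones are checked.
    if resp.avs_result in ("A", "Z"):
        return ACCEPT if amount < review_threshold else REVIEW
    # Issuer does not support the check ("U"): this example's policy is to
    # review; the guidance leaves accept, refuse or investigate to the merchant.
    if resp.cvv2_result == "U" or resp.avs_result == "U":
        return REVIEW
    return ACCEPT


def order_record_after_auth(request, resp, decision):
    """The record a merchant may keep once authorization returns: the CVV2
    value is never stored, only the last four digits of the account number
    are retained here, and the result codes are kept as evidence for disputes."""
    return {
        "pan_last4": request["pan"][-4:],
        "exp": request["exp"],
        "cvv2_result": resp.cvv2_result,
        "avs_result": resp.avs_result,
        "decision": decision,
    }


if __name__ == "__main__":
    # Constructed order using the well-known Visa test number, not a real card.
    req = build_auth_request("4111111111111111", "1210", "123", "1 Main St", "12345")
    resp = AuthResponse(approved=True, cvv2_result="M", avs_result="Z")
    decision = evaluate_card_absent(resp, amount=49.00, review_threshold=200.00)
    record = order_record_after_auth(req, resp, decision)
    assert "cvv2" not in record and "123" not in record.values()
    print(decision, record)
```

The ordering of the checks is the substance: a decline ends the evaluation before any AVS or CVV2 code is looked at, the "not processed" and "retry" codes trigger a resubmission instead of a guess, and only after the fraud-sign codes are handled does the amount-based partial-match policy apply. Keeping the CVV2 and AVS result codes (but not the CVV2 value) in the order record is what lets a merchant later show the checks were performed.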


MERCHANT SERVICES GENERAL PROGRAM GUIDE - Second Quarter 2008

It is important for you to understand and abide by the following rules and regulations set forth by Visa and MasterCard:

  • Honor all Visa and MasterCard cards.  Check the expiration date to be sure it is a valid card.  Compare the signature on the sales slip with the signature on the back of the credit card.
  • A merchant must inspect the card for alterations or signs of counterfeiting.
  • If fraud is suspected, the merchant must place a Code 10 call.
  • A merchant may not give out cash advances.  Per your merchant agreement, the merchant must only sell merchandise or services.
  • A merchant must process sales slips from their business only.  Merchants may not process slips from another business as a favor or for a percentage of their sales.  This is called laundering, or factoring, and it is illegal.
  • Visa and MasterCard regulations prohibit merchants from setting minimum and maximum purchase amounts. If a merchant accepts credit cards for payment, they must accept them for all sales amounts.
  • A merchant may not charge the account holder an additional surcharge in order to accept Visa or MasterCard sales.
  • When a merchant enters into a merchant agreement, they assume the expense of the discount rate.  The merchant cannot pass this charge on to their account holders in the form of an extra fee.
  • A merchant must include all applicable sales taxes in the total transaction amount.  Taxes cannot be collected separately using an alternate form of payment.
  • A merchant must prepare one sales receipt per transaction, using the full transaction amount, when a single cardholder account is presented.  A merchant is prohibited from splitting the cost of a single sale between multiple sales receipts.
  • A merchant cannot discriminate against or discourage the use of MasterCard or Visa in favor of any other competing card brand they also accept.
  • A merchant is prohibited from providing cash refunds for returned merchandise originally purchased with a Visa or MasterCard card.  In this situation, a credit to the Visa or MasterCard card must be processed.
  • If a merchant restricts refund privileges, they must write the policy on each sales slip approximately 1/4 inch above or below the account holder's signature.
  • A merchant must deposit their Visa and MasterCard transaction receipts within five calendar days of the transaction date to help avoid possible chargebacks.
  • If a merchant accepts a bad check, they cannot collect those funds through the use of a Visa or MasterCard card.
  • A merchant cannot sell, purchase or exchange an account holder's name, account number or personal information to anyone other than the merchant's agents for the purpose of processing that sale.  Account holder information must be kept confidential.
  • A merchant cannot request additional account holder identification to write on a sales slip.
  • If an account holder presents an unsigned card to the merchant, the merchant must: (1.) Review positive identification, for example, a driver's license or passport; (2.) Require the account holder to sign their card immediately.
  • For restaurant transactions, a merchant must only authorize the Visa or MasterCard for the known amount of the transaction, not the known amount plus an estimated tip.
  • A merchant must deliver the purchased goods and/or services at the time of the transaction unless other delivery arrangements have been made.
  • In a delayed delivery scenario, a merchant must obtain two authorizations: one for the initial deposit amount and one for the balance amount due upon delivery.


PAYMENT CARD INDUSTRY DATA SECURITY STANDARD/VISA CARDHOLDER INFORMATION SECURITY PROGRAM - First Quarter 2008

High profile security breaches are making national headlines on an almost daily basis, and consumers are placing increased pressure on businesses to ensure the security of their personal data.  Visa and MasterCard have issued an approach to safeguarding sensitive data for all card brands: namely the Payment Card Industry Data Security Standard (PCI DSS).

The Visa Cardholder Information Security Program (CISP) requires Mifflinburg Bank & Trust Company to ensure that our merchants maintain compliance with the PCI DSS.  As part of the CISP, Visa has established risk-prioritized merchant validation requirements based on the volume of transactions and several other factors that introduce potential risk into the payment system.  In order to comply with CISP, Mifflinburg Bank's Merchant Card Services Department will ask our merchants that have been identified as medium-low risk to high risk to complete a brief questionnaire.

More information regarding PCI DSS, CISP, and other educational information can be viewed on the following websites: www.visa/cisp and http://www.pcisecuitystandards.org/