eCommerce Card Processing Guide

eCommerce Transaction Basics

All merchants operating eCommerce businesses:

• Must authorize all transactions. The floor limit for all eCommerce transactions is zero which means that authorization is required for all of them, regardless of the transaction amount. If funds are available in the account and the card is not reported lost or stolen, the transaction will most likely be authorized by the card issuer. It is important that eCommerce merchants understand that an authorization approval does not constitute a proof that the transaction is legitimate and not fraudulent.


For eCommerce transactions the shipment date is considered to be the transaction date. ECommerce merchants have up to seven days to obtain an authorization prior to the transaction date.

• Are subject to the Credit Card Associations’ card-not-present chargeback rules and regulations. ECommerce merchants can be responsible for fraudulent transactions, even if an authorization has been obtained. The reason is that the risk for fraud is greater due to the absence of both the physical card and the cardholder who cannot provide a signature. ECommerce merchants can minimize their fraud exposure by adopting adequate card acceptance procedures and implementing available fraud prevention tools.
• Can participate in Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode were developed by the Credit Card Associations to improve eCommerce transaction security by authenticating the cardholder and obtaining protection against chargebacks resulting from fraudulent transactions. Additionally, cardholders benefit from the added security.
• Must enter an accurate Electronic Commerce Indicator (ECI) for all eCommerce transactions. The ECI identifies the transaction as eCommerce and is entered as part of the authorization request. This allows the card issuer to make a more informed authorization decision.
• Must be in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS is the result of the joint efforts of the major credit card companies and associations and offers a single approach to safeguarding sensitive personal account data used in credit card transactions.
• Must never store Card Security Codes. Card security codes are the 3-digit codes located on the back of Visa, MasterCard and Discover cards and the 4-digit codes located on the front of American Express cards. Visa calls its codes Card Verification Values 2 (CVV2), MasterCard – Card Verification Codes 2 (CVC2) and Discover and American Express – Card Identification Codes (CID). Merchants should never store card security codes under any circumstances.

Rules and Regulations

All eCommerce businesses that accept credit cards should adhere to the following policies and principles:

• Display on your website the logo of the credit cards that your establishment accepts.
• Accept all credit and debit cards that belong to the brands that you have chosen. The cards should be accepted regardless of the dollar amount of the transaction.
• All required taxes should be included in the total transaction amount. Do not collect taxes separately. Cardholders must have written records of the total amount of their purchase, including taxes.
• Deposit transactions with your merchant bank only for your business. It is prohibited, under any circumstances, to accept card payments for other businesses.
• Deposit transaction receipts within five calendar days of the transaction date. Be advised that, for card-not-present transactions, the transaction date is the shipping date, not the order date. Transactions deposited more than 30 days after the transaction date may be charged back to you.
• Deliver merchandise or services to the cardholder at the time of the transaction. For card-not-present transactions, cardholders should be informed of the delivery method and of the expected delivery date. Transactions cannot be deposited until the merchandise or services have been delivered.
• Make your establishment’s return and credit policies available to online customers through clearly visible links on your website.
• When a delivery is running late, follow these steps to obtain two authorizations:
  • Create two transaction receipts, one for the deposit and another for the remaining balance. Write “Deposit” and “Balance” on the receipts.
  • Obtain an authorization for each transaction receipt on their respective transaction dates and make sure that the authorization code appears on each receipt.
  • Write “Delayed Delivery” on each transaction receipt.
• Never impose a surcharge on a card transaction.
• Never use a card to collect other debts or dishonored checks.

Be advised that card issuers have 120 days from the transaction date to charge back transactions in which the cardholder claims to have not participated.

Transaction Process

In order to understand how eCommerce transactions are processed, merchants need to first know these core processing actions:

• Authorization. Authorization is the process by which the card issuer approves (or declines) a card purchase. The authorization takes place at the time the transaction occurs.
• Authentication. Authentication is the process of verification of the cardholder and the card. During the authorization process the merchant should use fraud prevention services to validate the cardholder’s identity and the card being used.
• Settlement. Once a product has been shipped or a service provided to the customer, the merchant can initiate the settlement of a transaction through their acquiring bank and trigger the transfer of funds into the merchant account.

There are several participants in an eCommerce transaction:

• Card Issuer. Card issuer is a financial institution that issues payment cards and contracts with its cardholders for repayment of transactions.
• Cardholder. Cardholder is an authorized user of payment cards. In order to make an online purchase, the cardholder must use a web browser to interact with the eCommerce website.
• Acquiring Bank. Acquiring bank (also called an acquirer or a merchant bank) is a financial institution that contracts with merchants to accept and process cards for payment of products and services.
• ECommerce Merchant. ECommerce merchant is an authorized acceptor of payment cards for the payment of products or services it provides.
• Processor. Processor is a financial institution that provides authorization, clearing or settlement services for merchants and merchant banks.
• Merchant Services Provider. A merchant services provider is a third party agent that has a direct relationship with a merchant. The merchant services provider processes or transmits card account numbers on behalf of the merchant. A merchant services provider may also provide services such as shopping carts, payment gateways, website hosting, data storage and clearing and settlement messages.
• Credit Card Association. The Credit Card Associations of Visa and MasterCard support the electronic transmission of all of their card authorizations between acquiring banks and card issuers and facilitate the settlement of funds.

The eCommerce transaction process is represented in the graph below.

eCommerce Transaction Cycle

The processing of online card transactions may vary slightly depending on various factors, such as acquiring bank’s procedures, merchant services provider‘s needs, business requirements and system used. However, it follows these steps:

1. Authorization.
   1. The eCommerce transaction process begins with the cardholder ordering products or services from a web-based merchant by entering card payment information into an website form. For merchants participating in Verified by Visa or MasterCard SecureCode, the cardholder authentication occurs prior to the authorization processing.
   2. The transaction information is then encrypted and transmitted via the internet to the merchant website’s server. The payment gateway receives the encrypted information from the merchant website’s server, formats it and transmits it to the acquiring bank.
   3. The acquiring bank then electronically sends the authorization request to the Credit Card Association (Visa or MasterCard).
   4. The Credit Card Association then sends the request to the card issuer.
   5. The card issuer then approves or declines the transaction. The authorization response is then routed back through the same channels.

   
   Real Time vs. Batch Authorization Processing. ECommerce merchants who do not process card transactions in real time typically download their transactions from their server within 24 hours of the purchase request. They then batch the transactions and submit them for authorization using a point-of-sale (POS) terminal or a software program. If the order is declined, the merchant must notify the customer via email or by telephone.

2. Authentication. Authentication is the process of verifying the cardholder’s identity and the validity of the transaction. There are a number of authentication services available to eCommerce merchants and it is their decision which ones to use. Adequate actions can help reduce customer disputes and fraudulent transactions and improve the bottom line. Following are the most effective tools eCommerce merchants can use to verify the validity of a cardholder and a card.
   • Address Verification Service (AVS). AVS enables merchants to compare the billing address provided by a customer to the one on file with the card issuer. The result of the comparison is sent back to the merchant in the form of a result code, providing the merchant with a key indicator that helps verify whether or not a transaction is valid.
   • Card Security Codes. The card security codes are 3-digit numbers located on the back of Visa, MasterCard and Discover cards, in or around the signature panel, and 4-digit numbers located on the front of American Express cards, above the card account number. Card security codes help verify that the customer has a valid card in his or her possession and that the card account is legitimate. The codes are required on all Visa, MasterCard, American Express and Discover cards.
   • Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode are fraud prevention services developed by the Credit Card Associations to enable eCommerce merchants to validate that a cardholders is the owner of a specific card account before completing a transaction. The services are free to cardholders who can register their account numbers online on the Associations’ or on the card issuers’ websites. During the registration process the cardholder creates a unique password. Once the card is activated with Verified by Visa or MasterCard SecureCode, the card number will be recognized whenever the cardholder shops at participating stores. The cardholder will be prompted to enter his or her password and, upon password verification, the transaction will be completed.
3. Settlement. Settlement is the process through which the card issuing bank exchanges funds with the acquiring bank to complete the transaction. The process may vary slightly from one merchant services provider to another but it follows these steps:
   1. When the merchandise has been shipped or delivered or the service has been provided, the merchant captures the transaction and batches it together with other captured transactions for settlement. The batch is then electronically submitted to the acquiring bank.
   2. The acquiring bank electronically submits the transaction information to the Credit Card Association (Visa or MasterCard) for settlement.
   3. The Credit Card Association electronically submits the transaction information to the card issuer and then facilitates the settlement by paying the acquiring bank for the transaction and debiting the card issuer’s account.
   4. The acquiring bank typically receives its funds within 24 hours. The merchant is usually credited within 48 hours of settlement, unless the merchant agreement stipulates otherwise.
   5. The card issuer posts the transaction to the cardholder account and sends the monthly statement to the cardholder to complete the settlement cycle.

Chargebacks

• What is a chargeback? Chargeback is a transaction that a card issuer returns to an acquiring bank as a financial liability. The acquiring bank may return the chargeback to its merchant that initiate the transaction. A chargeback reverses a sales transaction, as follows:
  • The card issuer subtracts the transaction amount from its cardholder’s account. The cardholder receives a credit and is no longer financially responsible for the transaction amount.
  • The card issuer debits the acquiring bank for the transaction amount.
  • The acquiring bank debits the transaction amount to the merchant’s account. The merchant loses the transaction amount.

  As evident from the above description, for merchants chargebacks can be costly. Merchants can lose both the transaction amount and the related merchandise. Additional costs result from processing the chargeback.

• Chargeback Reasons. The most common reasons for chargebacks are:
  • Customer disputes.
  • Fraud.
  • Processing errors.
  • Authorization issues.
  • Non-fulfillment of copy requests.

  Merchants cannot avoid chargebacks completely but can take actions to minimize or prevent them. Many chargebacks result from easily avoidable errors. Adequate transaction processing procedures and staff training will help greatly reduce chargeback levels. Some chargebacks are beyond the merchant’s control. Errors can be made by acquiring and card issuing banks and cardholders.

• Copy Requests. When cardholders do not recognize transactions on their card statements, they typically contact their card issuer and request a copy of the related sales receipt to determine whether the transaction is theirs. When necessary, the card issuer sends a copy request to the acquiring bank who either fulfills the request or, if unable to do so, forwards the request to the merchant. The merchant must then send the copy request to the acquiring bank who sends it on to the card issuer.Be advised that when a copy request is not fulfilled in a timely manner or if the copy is illegible or it does not contain all of the required information, it almost always results in a chargeback. Merchants should respond promptly to copy requests.
• The Chargeback Cycle. The chargeback cycle is a series of interactions between several participants. Following are the stages of the chargeback process.
  • The chargeback process begins with the cardholder disputing a transaction or contacting his or her card issuer with disputed information.
  • The card issuer electronically returns the transaction (charges it back) to the merchant bank (also called acquiring bank or simply Acquirer) through the respective credit card company (e.g. Discover or American Express) or association (Visa or MasterCard).
  • The credit card company or association reviews the eligibility of the transaction to be charged back and, if appropriate, forwards it to the merchant bank.
  • The merchant bank receives the chargeback and either resolves the issue or, if unable to do so, forwards it to the merchant.
  • The merchant receives the chargeback. If the merchant has a proof that the transaction is valid (e.g. a sales receipt), the proof is submitted (represented) to the merchant bank. If the merchant is unable to produce a proof, the chargeback may have to be accepted.
  • The merchant bank receives the represented transaction and sends it on to the credit card company or association.
  • The credit card company or association receives the represented transaction and, if appropriate, forwards it to the card issuer.
  • The card issuer receives the represented transaction and, if appropriate, re-posts it to the cardholder’s account. If the chargeback issue is not adequately addressed, the card issuer may submit a dispute with the credit card company or association.
  • The chargeback process ends with the cardholder receiving information resolving his or her dispute and may be re-billed for the item or receive a credit.

The chargeback process is represented in the graph below.