Merchant Best Practices

To learn more about how to avoid problems as a credit card merchant, we suggest you review the following information:

How to Minimize Chargebacks
Best Practices for Web Security

How to Minimize Chargebacks

Visa®/Mastercard® and their card issuers and acquirers have in place an efficient dispute resolution process. As part of this process, it is critical that all merchants respond swiftly to copy requests and chargebacks.

A copy request (also known as a retrieval request) is made by the card issuer to your acquirer when a copy of the sales receipt is needed for a particular transaction.

A chargeback is the reversal of the dollar value (financial liability), in whole or in part, of a particular transaction by the card issuer to the acquirer, and usually, by the merchant bank to the merchant. Chargebacks arise for many reasons, primary among which are customer disputes, fraud, processing errors, authorization issues, and non-fulfillment of copy requests. For the merchant business, chargebacks can be costly. You may lose both the dollar amount of the transaction being charged back and the related merchandise. You also incur your own internal handling costs to process a chargeback.

Before the Sale:

1. Properly Disclose the Refund Policy

  • Mail Order merchants must include a disclosure of their refund policy on the order form, invoice, contract, website and in any catalogue or advertisement.
  • Use your .com website address as your Doing Business As (DBA) name so customers can easily contact you if they have a problem or want a refund. Prominently display your phone number (800#) on your website and all receipts.
  • The return policy may include a requirement that customers return products prior to being issued a refund. Provide a tracking method for returned items.

2. Approximate product delivery time should be posted on website.

3. Protect against fraudulent transactions with Authorize.Net's "Fraud Detection Suite"

  • Set sales volume, dollar amount, and country limitations.
  • The monthly fee for activating the Fraud Detection Suite on your merchant account is based on your monthly transactions and is defined as follows: $8.00 for 1-100 transactions, $15 for 101-1000 transactions, and $50 over 1001 transactions.
  • Click here to learn more about our Fraud Detection Suite.

During the Sale:

1. Do not complete a transaction if the authorization request was declined. Do not repeat the authorization request after receiving a decline.

2. Use AVS (Address Verification Service). Inputting complete and accurate information helps prevent chargebacks. Incomplete or erroneous fields could trigger an AVS mismatch and protect you from a possible fraudulent transaction. If AVS is not used, you have virtually no protection against chargebacks.

After the Sale:

1. Promptly issue refunds/returns to customers.

2. Improve Operations – Operational problems often lead to chargebacks

  • Failing to send out merchandise in a timely manner
  • Sending the wrong merchandise
  • Taking orders for backlogged items and failing to fulfill them
  • Missing promised delivery dates
  • Double billing
  • If items are to be shipped after 30 days, don't process transaction until it's shipped.

3. Representations for a chargeback should include proof of delivery to the customer and the order form documentation that shows the refund policy.

Best Practices for Web Security

Practice Pay Solutions is committed to helping you proactively protect yourselves and your customers from being victimized by fraud. Learn more about what you can do to increase information security and protection from fraud.

Help Prevent Identity Theft. Identity theft occurs when someone steals and uses another person's or business's identity for personal gain. You can help protect yourself and your clients from identity theft by following the practices below.

  • Collect information in a secure manner with a good level of encryption. Avoid letting potentially sensitive information sit unattended on the fax machine, and collect sensitive information such as social security number and driver's license number only when necessary.

    *Our gateway services (Virtual Terminal) powered by Authorize.Net utilize the latest 128-bit encryption. Additionally, our shopping cart, Professional Cart Solutions, uses the same level of encryption.
     
  • Use strong security measures if you store client information on your computer systems. Lock up any hard copy documents containing sensitive information.
     
  • Restrict access to your merchant or customer data on a need-to-know basis and regularly change passwords, especially after employee turnover.
     
  • Be sure all electronic and paper documents containing merchant or customer information are permanently deleted, shredded, or otherwise rendered unreadable.
     
  • Distribute information securely. Never send sensitive information via email. Do not leave detailed voicemail messages involving sensitive information.
     
  • Implement industry standard computer systems security and keep virus detection, firewall, and other prevention solutions updated. Only download software and files from sources you trust. Files from the internet might include spyware or viruses that can compromise your security. Keep your external mailbox empty. Never leave outgoing or incoming mail in boxes overnight.

You can learn more about protecting yourself against identity theft by visiting the Federal Trade Commission's Web site at http://www.consumer.gov/idtheft or the Identity Theft Resource Center at http://www.idtheftcenter.org.

Adhere to Industry Security Standards. The Payment Card Industry (PCI) Data Security Standard is a security initiative designed to standardize industry security requirements for storing, transmitting, and processing cardholder data. By complying with PCI standards, you can be assured that cardholder data is being processed according to the highest payments standards.

We highly recommend that you become PCI compliant regardless of the size of your business or transaction volume. To support your efforts to increase security, Authorize.Net has partnered with AmbironTrustWave, a leading data security and compliance services provider that offers convenient and affordable PCI compliance tools. AmbironTrustWave will advise the level of PCI compliance required for your business. For more information, please visit https://authorizenet.trustkeeper.net. You will need to register in order to log in.

Use Strong Passwords. One of the easiest and most significant ways you and your merchants can increase information security is to use and securely store strong passwords. The following guidelines will help you select strong passwords:

  • Choose passwords that are at least seven characters in length and include a combination of uppercase and lowercase letters, numbers and symbols.
     
  • Do not use dictionary words, either forward or in reverse, including words with numbers added only at the beginning or end.
     
  • Avoid using dictionary words with a common symbol for letter substitutions, for example "$" for "s".
     
  • Never use a payment gateway login ID as part of a password.
     
  • Do not use blank passwords or reuse previous passwords.
     
  • Never use personal information that can be easily discovered or guessed (e.g., license plate number, child's name, birth date, middle name, etc.).
     
  • Never write passwords down and never share them with anyone.
     
  • Do not enable settings that allow a Web browser to "remember" passwords. Change passwords on a regular basis, especially when employee turnover occurs.
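
The checkable guidelines above, applied as an account-setup check. This is an added example, not code from Practice Pay Solutions or Authorize.Net; the word list, substitution table, function name and login ID are constructed for illustration.

```python
import re

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "secret", "welcome", "dragon", "monkey"}

# Common symbol-for-letter substitutions ("$" for "s" is the guideline's example).
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e"})


def password_problems(password, login_id, previous=()):
    """Return the guidelines a candidate password violates (empty list = passes)."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than seven characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("missing uppercase, lowercase, number or symbol")
    if login_id and login_id.lower() in password.lower():
        problems.append("contains the gateway login ID")
    if password in previous:
        problems.append("reuses a previous password")

    # Reduce the password to its underlying word before the dictionary lookup:
    # drop numbers at the beginning or end, undo symbol substitutions,
    # then drop any remaining leading or trailing punctuation.
    core = password.lower().strip("0123456789").translate(SUBSTITUTIONS)
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    if core in SAMPLE_WORDS or core[::-1] in SAMPLE_WORDS:
        problems.append("based on a dictionary word")
    return problems
```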

Use Advanced Fraud Tools. The Authorize.Net Payment Gateway includes integrated fraud tools as standard features of every account, such as Address Verification Service (AVS) and Card Code Verification (CVV/CVC2/CID) that provide merchants with general protection from fraud. However, to proactively fight and prevent fraud, it is highly recommended that you employ the use of advanced fraud detection tools that are designed to single out fraudulent transactions.

The Fraud Detection Suite (FDS) is composed of several filters and tools that work together to evaluate transactions for indications of fraud. Their combined logic provides a powerful and highly effective defense against fraudulent transactions. Practice Pay Solutions is dedicated to your security, and we stand behind that commitment: you pay our cost for Authorize.Net's advanced Fraud Detection Suite. For our existing customers, click here to learn more.

Implement Strong Security. Make sure you employ at least 128-bit Secure Sockets Layer (SSL) technology which is compliant with industry-leading encryption and security protocols to safeguard customer information. In addition to this protection, there are several security guidelines you can implement in your daily business to avoid e-commerce fraud.

  • Set network parameters that block or filter unwanted files such as adult content, spam, pop-ups, spyware, viruses, and illegal downloads.
     
  • Monitor employee use of the internet, including excessive use of bandwidth, personal surfing, and inappropriate viewing and downloading.
     
  • Use proper hardware to enable a sufficient firewall and encryption capability.
     
  • You should always use virus protection software and keep operating system patches up to date.
     
  • Talk to your web developer about optimizing the security of your payment gateway integration code. If you are hosting your own payment form, implement controls to restrict its use to one authorization per order session. Also, use POST instead of the GET method when submitting forms so that hidden fields are not exposed.
     
  • Use a payment gateway certified shopping cart solution such as that offered by Professional Cart Solutions to submit transactions securely without having to upgrade Web systems and security by yourself.
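
For merchants hosting their own payment form, one way to enforce "one authorization per order session" and POST-only submission on the server side. This is an added example, not Authorize.Net or Professional Cart Solutions code; the class, method names and order IDs are hypothetical, and it assumes the token is placed in a hidden field of the POST form.

```python
import hmac
import secrets


class OrderSessionGuard:
    """Permits a single authorization attempt for each order session."""

    def __init__(self):
        self._pending = {}  # order_id -> single-use token (in-memory for the example)

    def start_order(self, order_id):
        """Call when the payment form is rendered; embed the token as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._pending[order_id] = token
        return token

    def may_authorize(self, method, order_id, token):
        """Return (allowed, reason) before the request is sent to the gateway."""
        # GET puts form fields, hidden ones included, in the URL, where they
        # end up in browser history, server logs and Referer headers.
        if method.upper() != "POST":
            return False, "payment form must be submitted with POST"
        # pop() consumes the session on the first attempt, so a replayed form
        # or a retry after a decline finds no open session.
        expected = self._pending.pop(order_id, None)
        if expected is None:
            return False, "no open order session"
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False, "token does not match this order session"
        return True, "ok"
```

A customer who needs to retry has to reload the payment form, which starts a new order session with a fresh token.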

Beware of Scams. Large and small businesses fall victim to a variety of scams perpetrated by internet con artists. These fraudsters use masked Internet Protocol (IP) addresses, hijacked computers, phony addresses, and bogus companies to defraud U.S. businesses and consumers every day. You and your merchants can decrease your vulnerability to scams in the following ways.

  • Be cautious when researching or following up on business development or sale leads from unfamiliar or foreign entities.
     
  • Scrutinize any transactions that are out of the ordinary, especially those on behalf of foreign individuals.
     
  • Be cautious when providing accounts for U.S. citizens who are planning to manage an Authorize.Net or other payment gateway account as part of a condition for a business arrangement, partnership, or employment.
     
  • Never operate a financial account in your name or your business's name as part of a condition for a business arrangement, partnership or employment.
     
  • Only do business with companies you know and trust. Be wary of out-of-the-ordinary business deals.
     
  • Understand the offer. Ask questions until you understand all of the terms and vocabulary.
     
  • Get all the details and promises in writing. Never sign documents with blank spaces.
     
  • Check all bills and invoices carefully. Look for unusual amounts. Don't pay until you understand and agree to all items listed.
     
  • Guard your financial or other account information. Don't provide it to anyone unless there is a legitimate reason to do so as part of a transaction.
     
  • Educate your employees and merchants about avoiding scams. Make sure they understand their roles and responsibilities.
     
  • Pay extra attention to international business deals. Encourage your merchants to validate orders before shipping to different countries.
     
  • Do not respond to emails or phone calls requesting sensitive financial information. Remember that legitimate businesses and organizations will never request sensitive information via email or a link outside of a secure Web site. Call your internet service provider, bank, credit card company, or other vendor who may be sending the email to confirm the request.

To educate yourself more about the different types of scams used against businesses today, look at the National Fraud Information Center's Web site at http://www.fraud.org/scamsagainstbusinesses/bizscams.htm.

 

 

 

"Since I began accepting credit cards for my consulting and coaching services, the decision process by prospects has shortened from days or weeks to nearly immediately. The other benefit, no less important, is that accepting credit cards eliminates billing and tracking the accounts payable for these clients. This has made a huge difference to my revenues. I am excited to tell my business friends about the benefits of accepting credit cards and about the excellent credit card processing solutions I receive from Practice Pay Solutions."

Susan G. Trivers, MBA
Author and Business Communication Specialist

 

© 1997-2007 Practice Pay Solutions, All Rights Reserved • Practice Pay Solutions is a registered ISO/MSP of Wells Fargo Bank N.A. Walnut Creek, CA
American Express® and Discover® require separate approval.