Credit Card Chargebacks: Merchant Guide

Credit Card Chargebacks 101 for new (Shopify) Merchants

Accepting credit card payments adds considerable convenience, cost effectiveness and even a more professional image for your business. However, chargebacks are the dark side of credit card payments. Since chargebacks are, by default, always geared in the customer's favor, it is prudent for you to learn about chargebacks and most importantly, how to avoid them, even before you start to process credit card payments. Failing to do so can more easily leave you at the mercy of anyone who wishes to benefit from your consequent relative disadvantage as a merchant. This post discusses what credit card chargebacks are, their common causes, the chargeback process (for Shopify merchants) and how merchants may avoid chargebacks.

What is a chargeback & why it is necessary to prevent it?

A chargeback is a form of protection for credit card holders by their issuing bank. It usually allows credit card holders up to 6 to 24 months to dispute a transaction that appears fraudulent to them. This involves reversing the payment transaction, even before the process has arrived at a conclusion.

--

--

Beware; merchants generally lose most chargeback requests. The implication of this is that, not only can a chargeback be costly (because processing fees apply) but, having too many claims against you can hurt your business' reputation. In some cases, you can even have your merchant account revoked.

These risks are even greater during periods that are preferred by merchants, like Black Friday, Cyber Monday and Christmas and or sell for high risk items like pricier and fad items.

Although chargebacks are considered mostly in terms of fraud against customers, specifically identity theft and the unauthorized use of a credit card. However, merchants also face 'chargeback fraud' aka 'friendly fraud' at the hands of customers. Friendly fraud occurs when the customer places orders with his own credit card and then requests a chargeback after receiving the purchased goods or services.  

Before advancing this discussion, here are some keywords associated with credit card chargebacks.

• The issuing bank is the bank that issued the credit card to your customer
• The merchant's sponsoring bank is the bank you use as a merchant to host your business current account
• A sale draft is a document that records a transaction. A sale draft is produced at the end of a credit (or debit) card payment and is considered to be a legally binding agreement between you as the merchant and your customer. 
• A retrieval request is a request by the issuing bank and or customer for the sale draft and or other documentation as proof that a transaction actually happened. Other documents often include an invoice and some form of written agreement. Among other things, details sought from documents usually include the cardholder's name, card number, transaction amount, transaction date, authorization number, merchant name and location.  Emails, even those originating from the cardholder and delivery confirmations from courier services (like UPS) or the postal service, will not clear your name as a merchant. This request is the initial part of the chargeback process and requires your response within a limited time frame (of usually 10 days).

Why do chargebacks occur?

Here are some of the most common reasons for credit card chargebacks.

• transactions were not authorized by the card holder. NB merchants are always held responsible for this situation. For this reason, it is wise to assume the responsibility of verifying the legitimate use of your customers' credit cards.
• items were not received. For this reason, it is prudent to use delivery services with tracking features.
• charges that occurred even after the credit card was declined
• refunds for returns were not paid
• human error
• technical problems between the customer's issuing bank and your bank that created a false duplicate transaction

--

--

The chargeback process 

1. The customer requests the chargeback from his issuing bank. If his issuing bank sees a potential error in charges to his credit card account, the bank issues the customer a provisional credit. The funds are deducted from your merchant account to fund this credit, even if this forces your account in overdraft.
2. Your merchant sponsoring bank (or Shopify if you are a Shopify merchant) notifies you of a pending chargeback request and investigation. 
1. Shopify uses the 'orders' section of your admin account to notify you when a chargeback request has been filed. You will be prompted to follow a link that produces an automatic chargeback response with all the sales draft details required by the bank. 
2. Although the automatically generated response can be sent and might suffice in your defense as is, resist any temptation to be hasty. That may be imprudent since the Shopify merchant account option offers you only one chance to respond via Shopify, ie outside of speaking directly with the customer and asking him or her to withdraw the request. Mentally prepare yourself to collect details for creating a concise but solid response that you will review multiple times before finally sending.  
3. Which of the following potentially useful details do not appear in the automatic response? If they can create a case for your defense, add them to the automatic response document.
1. fulfilment details: copy and pasted courier tracking details like the tracking number, date and time of delivery and signature receipt (very important)
2. if applicable, state that there is proof of delivery since the customer's signature was collected upon receipt by the courier service
3. copy and pasted contents of relevant customer service emails
4. proof of any relevant refunds and or replacements associated with that customer and or order. Example have you already refunded the customer? If the customer has a history of making unwarranted chargebacks, refund requests and so on, include these details to demonstrate this pattern of misconduct
5. customer IP address and country 
6. product details (title, variants, quantity)
7. state suspicions of technical problems between the customer's issuing bank and your bank that created a false duplicate transaction
8. NB you will not be allowed to include images. Furthermore, banks will not review hyperlinks and there is therefore no perceived usefulness in including them.
3. The following happens in these outcomes
1. if the chargeback is deemed invalid, your bank will decline the claim and notify you and your customer's issuing bank and you will be refunded
2. if the chargeback is deemed valid; any further refunds are sent to the card issuing bank

How to prevent chargebacks

In light of the above, it makes sense to avoid chargebacks at all cost. Note however that, although the following list can prevent chargebacks, it is never possible to entirely eliminate the risk. Afterall, 'friendly chargebacks' occur regardless, ie customers can place legitimate orders and even have those orders verifiably fulfilled before requesting a chargeback. This can happen if the customer changes his mind about the order but wishes to avoid paying your company's restocking fees.

• Keep records of sales for up to 2 years
• Sales records include the sales draft and all relevant additional details listed above in the 'chargeback process' section.
• Use a business name that makes it easy for customers to recognize transactions on their credit card statement. This is especially the case if the website address and popular brand name do not include the legal business name. In such cases, ensure the invoice and all correspondence provide the legal name. Here are some examples.
• Provide the full business name in your 'About us' or similar pages that provide company information (like your Facebook page). Invoices and email signatures should include the legal name alongside the popular domain like 'domain.com (a division of ACompany)'. Include the full legal name in marketing communication like promotions and advertisements. Spell out abbreviations, especially if this will help customer to identify your business and what it sells more readily. For instance, registering your credit card transactions under Kris Tiling & Maintenance Inc makes it easier than the abbreviated form KTM Inc if KTM is not a a household brand name. Besides, customers may also remember buying tiles from someone named Kris more easily
• Make it easy for customers to contact you. Ensure your company telephone number and or website URL appear on the credit card statement. If still unable to recognize the company name, customers can easily check.
• use fraud prevention apps. There are several options that range from free to over USD 1,000 monthly. An example of a free app includes Shopify's Fraud Filter or the free version of FraudLabs Pro Fraud Prevention (that monitors up to 500 monthly transactions).
• sign up for third party coverage to get chargeback reimbursements if orders resulted after having been deemed 'safe'. A few companies exist for this purpose, the most common of which include Signifyd. (Do not expect such companies to cover all types of chargeback. See Signifyd reasons for chargeback reimbursements. Friendly fraud is apparently not covered.)
• Include the official company name on your website. Use the 'settings' and 'general' options in Shopify to set this up. 
• Have a clear shipping and returns policy. Furthermore, encourage customers to understand your policies before buying
• create accurate product expectations with product images and descriptions. For instance, images should be as representative as possible and if something about the product differs from how you portray it, explain the (potential for) variations. One of your data entry objectives should be to write product descriptions that are as unambiguous and specific as possible 
• Create a policy on how you deal with credit card fraud prevention. BTW, do not lose the opportunity to mention this potentially strong purchase motivator in your email marketing. For instance, terms may include assuring customers that your agents will never request the following.
  • to provide part or the entire billing address
  • to provide the security code
  • to send information or documents via any means that is not directly related to the website (like a free email address or non-secure webpage) 
  • the password for the customer's account on an ecommerce of other website (where they can access information that will enable them to impersonate the credit card holder)
• create reasonable delivery expectations. Product pages should include this information. However, if for whatever reason you are unable to send the product as quickly as advised on your website or other correspondence, provide your customer with new ETAs. Otherwise, (s)he may worry that you have no intention of sending the package. A simple explanation like 'product out of stock' will help to put a customer's mind at ease.
• use only those courier services that offer tracking services, especially for more costly merchandise. Whenever possible, such services should also require a recipient's signature, preferably that of the the card holder as clear proof of delivery to the card holder.
• When tracking services are available, ensure that your store generates strong order numbers that can not be easily guessed. This is particularly useful if the tracking service can be readily accessed by anyone on your website. Failing this, ensure that the tracking information is available only if the order email address is also provided. 
• Maintain current customer contact details (like telephone number and email address) for members of mailing and other lists. These may become useful when calling to check whether a credit card is being used legitimately. If need be, incentivize your customers with the assurance that this information may be useful in protecting them against credit card fraud
• When they are due, pay refunds promptly.
• Beware of the following situations as they may be warning signs of unauthorized credit card use and or ill-intentioned customers. Call to investigative whether credit card fraud is involved. If need be, you have the right to reject such orders.
• high value orders that exceed the norm, especially if they involve new customers. Although it is possible for new customers to make large purchases, it is more common for new customers to begin with less costly, tripwire-type sales before committing to more costly ones
• multiple orders within limited periods 
• mismatching addresses can sometimes raise a red flag, especially if they do not match those used in pre-existing customer records
• When the shipping address does not match the billing address, this might be a case of fraud, most commonly when the distance between the addresses is significant (like from a different country or across the country). However, remember that people do sometimes buy and send gifts to others at different addresses
• free email addresses (gmail, yahoo and so on) can be a sign of unauthorized card use, especially if they do not match those used in pre-existing customer records
• rushed, overnight orders should be closely scrutinized. Check with the issuing bank as this may indicate unauthorized use.
• multiple failed attempts at entering card details correctly, like the card number, expiration date and so on 
• multiple orders using multiple credit cards with only one delivery address. Check with the issuing bank as this may indicated unauthorized use
• international orders where address verification is not possible and for which retrieval of the goods would prove difficult and costly
• Transactions that appear to be too good to be true.
• Although duplicate transactions occur infrequently, keep an eye out for them in your orders page. When you see what appears to be duplicate orders, immediately contact customers for verification.
• You should almost certainly decline the credit card transaction in the following scenario(s)
• customers can not provide the credit card security code (CSC), aka the card verification value  CVV.
• when the billing address on file with the issuing bank does not match the transaction address in the automatic address verification system (AVS). This may be good reason to decline the transaction

--

--

How to check suspicious transactions?

As a merchant, you will not be allowed to verify the billing address on file with the customer's issuing bank. Consequently, you must rely on Shopify's system will mark such orders as 'high risk'. 

This is how Shopify's automatic alerts appear when a transaction is flagged for being potentially high risk. 

You may immediately cancel and refund the order. However, if you wish to investigate before canceling the order, the following are ideal responses. Regardless of how you proceed, remember that you are within your right to protect your business by declining suspicious orders according to your verification standards.

• Call the telephone number used in the order. Monitor how readily the counter party answers your questions
• If you are calling the phone number of a fraudster, they are unlikely to even answer. A non-response should be a sign that the transaction is not legitimate.
• Request a scanned copy of signature-bearing photo ID (like a driving license or passport) and the credit card signature strip to verify whether the signatures match. For the customer's continued safety, they should block the security code when revealing the signature strip.
• Request a photo of the person holding the same forms of ID on one side of their face. I like this idea because if a wallet is stolen, a thief will present a very convincing case as (s)he can present all of these documents. However, unless the individual was also kidnapped, it should not be possible to pose along with the cards. Although possibly considered unusual, it seems like a more certain way of verifying the legitimate use of the card because the issuing bank will not respond to your queries regarding whether the customer's credit card was reported stolen
• Does the person lie about anything, including their current location? The IP address of their order will verify this detail.
• Research the email address for matches with social media accounts like Facebook, Twitter and so on or other public posts
• Research the email address online for reported cases of fraud
• Check the order address(es). 
• Check whether there is a match between the billing and shipping addresses. Matching addresses are ideal. 
• Mismatches that translate into a distance of a few miles is generally considered safe, especially if the IP address correlates with one of the addresses. Although a home address is usually a customer's billing address, many shoppers entire their work place as a shipping address, simply because deliveries are often completed during office hours. Furthermore, they often live and work only a few miles away. On this basis, merchants generally overlook orders with mismatched addresses when the distance is small. However unlikely, it is possible for unauthorized card use to occur near to the billing address.
• Distant mismatches, especially if the order IP address is also mismatched or hidden (with the use of virtual protocol networks / VPNs) can be clearer signs of fraud. Although it is possible for card holders to be traveling far from home or even overseas, the risk of stolen identity is heightened considerably with distance. Calling customers in such cases can help to clarify the matter. 
• Check whether there are multiple orders that have different customer details but the same shipping addresses. Contact the customers using the contact details used at checkout

False alerts

In some cases, the nature of some customers' business requires them to always ship to their customers. Consequently, if not pre-approved, the mismatching and changing addresses in their transactions can always create false alerts. 

• Exercise appropriate flexibility with these situations so as not to block loyal customers 
• Although there is an understanding of their circumstances, it will not hurt to make a few occasional spot checks 
• If your system allows, create customer groups (like teachers, students and so on) to receive different filtering rules

-- --

CONTENT RELATED TO CREDIT CARD CHARGEBACKS

• Shopify manual on fraud protection 
• Call script to investigate potential credit card fraud