
E-Commerce Risk Management Guidelines

The continued rapid growth of Internet-generated transactions has provided businesses with an invaluable tool for attracting customers around the world. When accepting transactions in this non-face-to-face environment, merchants must take additional steps to ensure the validity of the customer and the card being presented, as well as the follow-through with the total transaction. MasterCard and Visa regulations provide little recourse to merchants that receive chargebacks for Internet-based transactions, because neither the card nor the cardholder was present during the transaction.* Listed below are guidelines for accepting Internet transactions to reduce exposure to fraudulent activity as well as other disputes from genuine customers.

A complete Visa manual entitled “Electronic Commerce Risk Management – Merchant Best Practices” is available for a minimal cost of $10. This manual will provide comprehensive information relating to conducting an electronic commerce business from website content to Internet resources. Please contact our Merchant Services Department at 1-800-589-8200 to place an order.

• Ask for both a card type (Visa, MasterCard, American Express, etc.) and the card number.

Ensure that the card type matches the beginning digit(s) of the card number as listed below. Invoke an error message for all mismatches and do not proceed with the transaction.

Card Type           Beginning Digit(s)

American Express    37
Visa                4
MasterCard          5
Discover            6
Diners Club         3000-3059
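One way to enforce the card type check server-side, shown as an added example that is not BankCard USA code. The function names and sample numbers are constructed for illustration; the prefix rules are exactly those in the table above.

```python
import re

# Beginning digits per card type, exactly as listed in the table above.
# Each rule is (prefix_length, low, high): the first prefix_length digits,
# read as an integer, must fall within [low, high].
PREFIX_RULES = {
    "American Express": (2, 37, 37),
    "Visa": (1, 4, 4),
    "MasterCard": (1, 5, 5),
    "Discover": (1, 6, 6),
    "Diners Club": (4, 3000, 3059),
}


def normalize_card_number(raw):
    """Drop the spaces and dashes customers commonly type.

    Returns the digit string, or None if anything else is present.
    """
    digits = re.sub(r"[ -]", "", raw.strip())
    return digits if re.fullmatch(r"[0-9]+", digits) else None


def card_type_matches(card_type, raw_number):
    """Return (ok, message). ok is False on any mismatch so the caller can
    show the error and stop before sending an authorization request."""
    rule = PREFIX_RULES.get(card_type)
    if rule is None:
        return False, "Unsupported card type."
    digits = normalize_card_number(raw_number)
    if digits is None:
        return False, "Card number may contain only digits, spaces and dashes."
    length, low, high = rule
    if len(digits) < length or not low <= int(digits[:length]) <= high:
        return False, "Card number does not match the selected card type."
    return True, ""


if __name__ == "__main__":
    # Constructed sample input, not real card numbers.
    for kind, number in [("Visa", "4111 1111 1111 1111"),
                         ("MasterCard", "4111-1111-1111-1111"),
                         ("Diners Club", "3060 000000 0000")]:
        print(kind, number, card_type_matches(kind, number))
```
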


• Require the customer to manually enter the valid / expiration date(s) of the card. Do not provide a default date(s). This will ensure the customer enters the information and does not allow the default date(s) to stand, which will most likely differ from the actual valid / expiration date(s).

• Include an Address Verification System (AVS) request with all authorization requests. AVS will identify if the billing address given by the customer matches the billing address on file with the Issuing bank. This is currently available within the United States only. Although a transaction may be completed without a positive AVS response, a negative match may indicate that the customer is not the authorized owner of the card number being used. Also, use caution when sending merchandise to a shipping address that differs from the billing address, regardless of whether or not the billing address received a positive AVS response. AVS response codes are as follows:

Y Exact match of street address and five or nine-digit zip code
A Street address matches; zip code does not match
Z Zip code matches; street address does not match
N No match
U Address info. unavailable or Issuer does not support AVS
R Issuer authorization system unavailable, retry at a later time
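The AVS guidance above can be turned into an order-triage step, shown here as an added example that is not part of the original page. The action names ("proceed", "review", "retry"), the address comparison and the sample addresses are assumptions made for illustration; only the code meanings come from the list above.

```python
# AVS response codes as listed above.
AVS_CODES = {
    "Y": "Exact match of street address and five or nine-digit zip code",
    "A": "Street address matches; zip code does not match",
    "Z": "Zip code matches; street address does not match",
    "N": "No match",
    "U": "Address info. unavailable or Issuer does not support AVS",
    "R": "Issuer authorization system unavailable, retry at a later time",
}


def _norm(address):
    """Normalize a (street, zip) pair: case, spacing, first five zip digits.
    A deliberately simple comparison, chosen for this example."""
    street, zip_code = address
    return (" ".join(street.upper().split()),
            zip_code.replace("-", "").strip()[:5])


def triage_avs(avs_code, billing, shipping):
    """Return (action, reasons) for an authorization's AVS result.

    "retry"   - the issuer system was unavailable (code R)
    "review"  - hold for manual review before shipping
    "proceed" - exact AVS match and shipping equals billing
    """
    code = avs_code.strip().upper()
    if code == "R":
        return "retry", [AVS_CODES["R"]]
    reasons = []
    if code not in AVS_CODES:
        # Unknown codes go to review rather than being treated as a match.
        reasons.append(f"unrecognized AVS code {code!r}")
    elif code != "Y":
        reasons.append(AVS_CODES[code])
    # Caution applies even when the billing address matched exactly.
    if _norm(billing) != _norm(shipping):
        reasons.append("shipping address differs from billing address")
    return ("review" if reasons else "proceed"), reasons


if __name__ == "__main__":
    # Constructed sample addresses.
    bill = ("12 Example St", "94596")
    print(triage_avs("Y", bill, ("12  example st", "94596-1234")))
    print(triage_avs("Y", bill, ("99 Other Rd", "10001")))
    print(triage_avs("N", bill, bill))
```
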

• Utilize a payment gateway that offers fraud prevention screening. Fraud prevention screening will check the customer’s information against a database of information known for past fraudulent activity. Reject any transaction that does not pass this process.

• Require the customer to provide the three-digit validation code appearing as the last three digits on the signature panel of the card. This will require the customer to have the card in his/her possession to provide a valid code. In the near future, this three-digit code will be required for the authorization process to crosscheck the validity of the information embossed on the card.

• Secure payment information in a manner that will prevent fraud by staff and external individuals:

  • Display only the last four digits of the card number to internal staff, and require a password for staff who need to obtain the full card number for operational purposes.
  • Track internal access to payment information.
  • Encrypt all stored card numbers on a secure server and retain payment information behind firewalls to prevent unauthorized access.

• Send an email order confirmation to the customer including detailed information regarding the transaction such as:

  • Business name as it will appear on the customer’s billing statement
  • Total sales amount including sales tax and shipping and handling charges
  • Recap of item(s) ordered and stock status with expected delivery date
  • Any applicable return/cancellation policy including any restocking fee upon possible return of merchandise
  • Customer service contact information, preferably both a toll-free telephone number and e-mail address to prompt the customer to contact customer service with any inquiries or cancellation requests prior to contacting the Issuing bank to request a chargeback.

• Set parameters to review high-risk transactions prior to the authorization request based on type of merchandise, dollar limits, amount of separate transactions, and any past spending patterns from individual customers.

• Avoid duplicate transaction processing by both staff and the customer:

  • Provide buttons that require a customer to click to order instead of hitting the [ENTER] key, which is more likely to be in error.
  • Display a message during any real-time authorization process to alert the customer that the transaction is in process.
  • Send an email notification to the customer as detailed above to confirm the initial order has been successfully placed.
  • Set a system in place to identify identical orders within a specified short period of time and confirm with the customer that the order is indeed a separate transaction.
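A sketch of the identical-order check from the last item above, added here as an example and not taken from the original page. The class name, the order fields, the ten-minute window and the sample order are assumptions chosen for illustration.

```python
import hashlib
from datetime import datetime, timedelta


class DuplicateOrderDetector:
    """Flags an order identical to one already seen within `window`."""

    def __init__(self, window=timedelta(minutes=10)):
        self.window = window
        self._seen = {}  # fingerprint -> time the order was accepted

    @staticmethod
    def fingerprint(customer_id, card_last4, amount_cents, items):
        # Sort the basket so item order does not change the fingerprint.
        basket = ",".join(f"{sku}x{qty}" for sku, qty in sorted(items))
        raw = f"{customer_id}|{card_last4}|{amount_cents}|{basket}"
        # Keep only a digest as the lookup key, not the order details.
        return hashlib.sha256(raw.encode()).hexdigest()

    def check(self, order, now, confirmed=False):
        """Return the time of an identical earlier order, or None.

        When a time is returned the new order is not recorded: ask the
        customer whether it is a separate transaction and call again with
        confirmed=True if it is.
        """
        cutoff = now - self.window
        # Forget orders that have aged out of the window.
        self._seen = {fp: t for fp, t in self._seen.items() if t >= cutoff}
        fp = self.fingerprint(**order)
        previous = None if confirmed else self._seen.get(fp)
        if previous is None:
            self._seen[fp] = now
        return previous


if __name__ == "__main__":
    # Constructed sample order submitted twice, two minutes apart.
    detector = DuplicateOrderDetector()
    order = dict(customer_id="C-1001", card_last4="1111",
                 amount_cents=4999, items=[("SKU-A", 1), ("SKU-B", 2)])
    start = datetime(2016, 1, 1, 12, 0)
    print(detector.check(order, start))
    print(detector.check(order, start + timedelta(minutes=2)))
```
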

• Establish a detailed return/cancellation policy displayed on the website. Require the customer to click to accept the terms prior to completing the transaction.

• Upon receipt of cancellation and/or returned merchandise from a customer, issue credit promptly. Confirm the processing of the credit with the customer to avoid a potential chargeback. Please keep in mind that MasterCard and Visa do not recognize return/cancellation policies generated from an Internet transaction as being valid against cardholder disputes as they are not physically signed by the customer.

* Please refer to the Chargeback & Retrieval Guidelines information in the BankCard USA Merchant Services Guide for answers to frequently asked questions and prevention tips regarding chargebacks and retrieval requests.

BankCard USA Merchant Services is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA. and Westamerica Bank, Santa Rosa, CA. American Express may require separate approval.

Copyright © 2000-2016 BankCard USA Merchant Services. All Rights Reserved.