How Do Banks Investigate Unauthorized Transactions?
A customer finds out they have an unauthorized transaction on their credit card.
Their first reaction: Shock. 😯
Most consumers know fraud happens, but no one thinks they’ll be the victim.
The next emotion: Anger. 😡
They’ll undoubtedly contact the card issuer or payment processor to dispute the charge. And that initiates a complex process that often leads to a chargeback.
But how does this impact your online business, and what can you do to prevent unauthorized transactions from happening in the first place?
The worst thing an ecommerce business can do about unauthorized transactions is assume they’re not your problem.
Today’s consumers have high expectations of online retailers.
Even if a fraudster uses stolen credit card information and looks like a valid customer, consumers will turn on brands that allow fraudsters to use their payment credentials.
What Ecommerce Businesses Need to Know About Unauthorized Transactions
1. Unauthorized transactions are increasing
2. How banks investigate unauthorized transactions
3. Who is liable for credit card fraud
4. How fraud impacts small, midsized, and enterprise-level businesses
5. Why businesses should focus on the customer experience
6. The best defense against unauthorized transactions is fraud prevention
The first point ecommerce businesses should know about unauthorized transactions is that they’re on the rise.
1. Unauthorized Transactions Are Increasing
Over the last several years, the number of unauthorized transactions has increased for several reasons.
More online shopping equals more opportunity
Since the beginning of the pandemic, we’ve seen a significant shift to online shopping. In our original research, State of Consumer Attitudes on Ecommerce, Fraud & CX 2021, we found that 78% of consumers spend more and/or are shopping online more often as a result of the pandemic.
The amount of growth the industry experienced in 2020 equaled five years of growth, and that trend has continued. While consumers have resumed in-store shopping, ecommerce is here to stay. The U.S. Department of Commerce reported in August that Q2 2022 online sales totaled more than $257 billion, a 7.4% increase over Q1 2022 and a 13.9% increase over Q2 2021.
And with that increase in online sales and transactions comes an equally large increase in fraud. At the height of the pandemic, when ecommerce shopping was at its peak, so was online fraud – 81% of consumers said they were victims of ecommerce fraud at least one time.
In fact, the increase in transactions makes it easier for criminals to hide out, especially when so much stolen customer data is for sale on the dark web.
Companies struggle to distinguish first-time customers from fraudsters
We also learned in our original research that 13% of consumers made their first online purchase during the pandemic. Great news for retailers, but it presents a challenge. The reason? Novice online users make the type of mistakes that can be misread as fraud.
First-time online customers tend to struggle with entering credit card information, so they may have to make several attempts. That can certainly look like a fraudster testing stolen cards. New customers can also stumble a bit with product selection and seem indecisive. They may also opt for rush shipping to mimic the experience of shopping in-store. Both behaviors may make an online retailer think they’re dealing with a fraudster.
Data breaches put more stolen data onto the dark web
It seems that data breaches have become commonplace, impacting major banking institutions and social media giants like Facebook, now Meta. With each of those breaches, hackers download sensitive and personal customer data and sell it on the dark web.
Fraudsters can easily purchase thousands of data files and use sophisticated software to test each credit card on file until they find their prey. And then they’re off to the races, making one unauthorized transaction after another, posing as legitimate customers and making it difficult for companies or the victims to detect that anything is wrong until the damage is done.
Once a customer finds an unauthorized transaction, they’ll likely contact their bank and initiate the chargeback process.
2. How Banks Investigate Unauthorized Transactions
Unauthorized transactions can happen through a wide array of avenues. The creativity of criminals never ceases to evolve.
From account takeover (ATO) fraud using stolen data from data breaches and phishing to triangulation and card-not-present (CNP) fraud to more sophisticated schemes, fraudsters continue to find new ways to attack ecommerce businesses and innocent customers.
When a customer sees an unauthorized transaction on their statement, they’ll report a disputed charge, which initiates a fraud investigation. From there, the steps are fairly straightforward:
The customer is asked to provide details pertaining to the unauthorized charge, including any supporting documentation that proves the purchase was fraudulent. In situations that involve ATO fraud, that can mean a frustrating level of paperwork and legwork.
Bank/card issuer notification
At the same time, ecommerce business is notified that a charge has been disputed and they’re given a set timeframe to respond, depending on the payment processor:
- Visa gives companies 30 days to respond.
- PayPal’s timeframe is only 10 days to respond.
- MasterCard gives businesses 45 days to respond.
- American Express has a 20-day window.
- Discover gives companies 20 days to respond.
Ecommerce business due diligence
During this timeframe, businesses must gather as much evidence as they can to prove the transaction was valid and submit it to the payment processor. This is referred to as compelling evidence and can include a list of information, including:
- Emailed invoices
- Transcripts/screenshots of all customer service communications
- Proof the customer logged in, downloaded, viewed, and used a digital order (using IP address)
- AVS and CVV match from the customer’s credit card
- Screenshots of a customer’s public social media account that shows the disputed goods being used
Without the right documentation and policies in place, ecommerce businesses find themselves fighting an uphill battle.
Bank/card issuer evaluation
When the bank or card issuer receives all the required documentation, they will have between 30 and 90 days to evaluate the case, formulate a response and resolve the issue. Depending upon the nature and scope of the fraud, the bank may decide to notify law enforcement. If the credit card fraud is accompanied by identity theft, the FBI may also be brought in to further investigate.
In most cases, however, the matter will be handled by internal credit fraud investigators who are experienced in combing through electronic transaction trails to determine where fraudulent purchases originated.
If, for example, the investigator can determine that the fraudulent purchase was made from an IP address in Australia, but the consumer has proof of being in Boise, Idaho, at the time, that’s strong evidence that the charge was indeed fraudulent.
Bank/card issuer response
The bank will advise the consumer to contact the three major credit reporting agencies (Equifax, Experian and TransUnion) and ask for a fraud alert to be placed on file. This will ensure that any attempts to open new credit accounts are declined unless the creditor speaks with the consumer directly and takes extra steps to verify their identity.
The question of who is liable for the fraudulent purchase depends on timing and type of credit card.
3. Who Is Liable for Credit Card Fraud
In many cases, the consumer won’t be on the hook for much. The Federal Fair Credit Billing Act protects consumers, stating that a card issuer can only hold a cardholder liable for up to $50 in fraudulent charges if the physical card is lost or stolen. If the card number is used but the cardholder is still in possession of the actual card, their liability is $0.
The bank will require the business to refund payment, and the bank will subsequently charge a fee or chargeback to the business.
It’s important to note that the rules are different for debit cards. The Electronic Fund Transfer Act states that if fraud is reported within two days of the statement date, consumer liability is limited to $50. If the fraud is reported after two days but within 60 days, their liability is limited to $500. After 60 days, the consumer is responsible for any and all fraudulent transactions.
It’s interesting to note that in some countries, such as China, the responsibility for unauthorized transactions falls on the consumer. This is one of the reasons that credit card payment penetration in China is lower than in other regions.
Depending on the size of the company, how online businesses handle fraud attempts and unauthorized transactions can vary.
4. How Fraud Impacts Small, Midsized and Enterprise-Level Businesses
You’d think unauthorized transactions impact all companies the same way, but it really does vary.
Enterprise ecommerce businesses tend to overlook chargebacks
Enterprise ecommerce businesses may not be as dependent on each individual transaction for revenue since they process countless orders every week. But that doesn’t make them immune to fraud and its impacts. The fact that so many transactions are processed by enterprise businesses gives fraudsters an opportunity to potentially test out new tactics under the radar, unless the business has a solid fraud prevention and protection strategy in place.
And the most common fraud prevention tactic we hear about from large online retailers involves fraud filters, which creates an even bigger problem. Strict fraud filters automatically decline orders that seem even a little bit suspicious. Remember what we said about new customers behaving like fraudsters? A fraud filter will block those orders, turning good, potentially loyal customers away.
As a result, the impact of unauthorized transactions on enterprise businesses is often seen in their approval rates and customer experience, or lack thereof. We’ll address this more in a later section.
Midsized businesses walk a fine line
For midsized online businesses, unauthorized transactions present a mix of impacts – in some ways, the worst of both worlds. Not only do they struggle with revenue issues from too many chargebacks, if the business doesn’t pay attention to chargebacks, their chargeback rate may rise above the industry’s 1% threshold and they may find themselves in a credit card monitoring program.
“When payment processors have to handle too many chargebacks related to an ecommerce business, they can subject that business to a chargeback monitoring program, where the processor levies more fees and may even stop working with the online business.”
David Fletcher, Senior Vice President, ClearSale
From there, the fees get higher and the midsized ecommerce business runs the risk of being dropped by the card issuer altogether. Not to mention the impact on how they’re perceived by the customer.
Ecommerce fraud can hit small businesses hard
Small businesses are like “mom-and-pop” shops. They’re often run by an owner and one or two employees. Although they may have busy seasons, small ecommerce businesses tend to process fewer transactions. That means every sale is crucial for revenue.
So, when a fraudster finds a weakness in a small business’s ecommerce site, it can wreak havoc on that business’s reputation (we’ll talk about that in a later section) and eat away at their bottom line. Chargeback fees account for a significant expense and eat away at their bottom line quickly – and they add up fast.
Small businesses tend to focus on preventing chargebacks for that reason. But they have to make sure they have a comprehensive solution. Too many processors and solution providers make promises about seller protections when they really don’t have a rock-solid solution.
5. Why Businesses Should Focus on the Customer Experience
As we highlighted in the previous section, unauthorized transactions can impact ecommerce businesses in ways beyond chargeback fees and monitoring programs. When the companies opt for a generic approach to reduce fraud by simply using the fraud filters that come standard on one or more of their platforms, they can create a customer experience problem.
The problem with fraud filters
Fraud filters are a familiar option and seem like a reasonable approach to fraud. They involve setting strict thresholds pertaining to AVS matching, purchase attempts and other static measurements that govern which transactions will be automatically declined.
But what about novice customers who accidentally enter their credit card date incorrectly three times? How do fraud filters handle grandparents who buy all their grandchildren’s holiday gifts and ship them to their vacation home in advance of the season? What will fraud filters do about the woman who sends the same gift to all six of her former college roommates?
A fraud filter will almost certainly deny every one of those transactions. And that has dire consequences for online businesses, because each situation will result in a false decline.
These false declines lead to angry customers. In fact, 40% of customers will find another place to shop after one false decline, and 34% will complain on social media. Neither are good news for any business.
Customer experience pertains to the chargeback process
It’s important to note that ecommerce businesses are notified when a customer is disputing a transaction. How you communicate with those customers as they are trying to resolve the issue can make a huge difference in how they view your business. Even if you’re skeptical about the validity of the dispute, showing empathy and kindness is the right approach.
A customer with a legitimate dispute might be irritated. A customer with a legitimate dispute who’s treated like a fraudster by the business? You’re looking at negative reviews and even boycotts if word of their experience goes viral.
The best way to prevent all these headaches in the first place? A smart fraud protection strategy.
6. The Best Defense Against Unauthorized Transactions Is Fraud Prevention
Protecting consumers from credit card fraud requires an approach that involves all stakeholders: Online businesses, banks, credit card companies, credit reporting agencies, law enforcement and consumers.
But ecommerce retailers of any size need to understand that customers see fraud prevention as a business responsibility. Our research revealed that 82% of consumers would be reluctant to shop on a site that allowed a fraudster to use their credit card information to make an unauthorized transaction. The lesson? Prevent fraud from happening in the first place.
At ClearSale, our hybrid solution includes multiple strategies to offer one of the most comprehensive fraud and chargeback prevention solutions on the market.
ClearSale’s hybrid approach to fraud prevention
It starts with an AI-enabled algorithm that leverages trends, intelligence and data gathered from decades of fighting fraud in the most high-risk regions of the world. Using this technology, we can automatically approve most orders quickly.
Suspicious orders are flagged for secondary reviews performed by our more than 1,500 fraud analysts who can recognize some of the hardest-to-recognize fraud patterns. That secondary review usually impacts only 2%-3% of orders at the most.
Using the data gleaned from those secondary reviews, we train our system to become better at distinguishing valid transactions from fraud. That means our system gets better at recognizing “good” transactions as we process more for the client, which increases their approval rates and revenue.
That’s not all.
We also offer end-to-end chargeback management.
Comprehensive chargeback management
Now wait. If our algorithm gets better and better at fraud, why would a client need chargeback management? Not every chargeback is the result of an unauthorized transaction. Friendly fraud, for example, happens when a customer forgets about their recurring charge or a subscription. Or it may involve chargeback fraud, where a fraudster makes everyone go through the chargeback process hoping to keep the goods sold and the refund.
For every possibility, ClearSale has a range of chargeback solutions:
Total Chargeback Protection allows businesses to recoup a portion of losses due to fraudulent transactions.
Chargeback Guarantee reimburses the transaction amount plus the chargeback amount for any unauthorized transaction that’s approved.
End-to-End Chargeback Management delivers comprehensive chargeback mitigation and resolution services, including team training, data audits and timely responses to issuers.
For ecommerce businesses, the best solution is simply to assist their existing fraud teams with analysis, training and providing extra hands during high-volume seasons.
This comprehensive approach gives online businesses the peace of mind that they’re protected and their consumers will be alerted if any unauthorized transactions are detected long before a statement arrives in their inbox.
Contact us today to find out why companies around the world trust the ClearSale solution.