Fraud 101

Learn about the payments ecosystem, chargebacks and fraud detection.

How online payments work

  1. The players - who's involved?
  2. The payment flow - from buy to capture
  3. Authorization vs. capture
  4. AVS and CVV

Before we go further into the world of chargebacks and ecommerce fraud, let’s examine how online payments work in the U.S.

The flow of payments underpins the entire ecommerce market, and provides the structure and process for the exchange of goods and services between the merchant and the customer.

First, we'll tackle the players involved, and provide a short description of what they do. Then, we’ll delve into an in-depth example of the path an online purchase takes.

Who's involved?

Acquiring Bank

An acquiring bank is a bank that mainly works with businesses and organizations and is not focused on the individual. When an organization (be it a church, non-profit, school or corporation) wishes to store the money from its sales, it uses an acquiring bank. Within the acquiring bank, the business is required to set up a merchant account.

Merchant account

All merchants, be they brick-and-mortar or ecommerce, are required to set up a merchant account if they wish to accept a payment. Much like an individual opening up a personal savings account with a bank, a merchant needs to go to an acquiring bank and open up a merchant account to store the money from their sales.

All the funds from a merchant's sales are held for a merchant in the merchant account, and the liability of the merchant account is underwritten by the acquiring bank. Merchants who are unable to pay off debts in their merchant account due to excessive refunds or chargebacks will have those debts covered by the acquiring bank with whom they have their merchant account.

Issuing Bank

A bank that issues accounts and debit/credit cards directly to consumers, not businesses, is an issuing bank. For credit cards, the issuing bank (such as Wells Fargo or Bank of America) will set up a line of credit and be responsible for ensuring that the card's debts are paid off. Any debts on a card that are ultimately not paid off by the cardholder will have to be paid off by the bank that issued the card.

Payment Gateway

To accept a payment online, a merchant will need to set up a payment gateway account. A payment gateway is a service that authorizes and transmits transaction data on behalf of the merchant to the payment processor used by the merchant's acquiring bank.

Think of the payment gateway as the online equivalent of an in-store point-of-sale system. Brick-and-mortar merchants don’t need a payment gateway, as in-store transactions are handled by their point-of-sale system, which collects the sale and passes the payment details to the payment processor of the merchant’s acquiring bank.

For online purchases, a customer typically enters their payment information into the shopping cart or online checkout used by the merchant’s ecommerce platform, which forwards the payment details to the payment gateway, which in turn communicates with the payment processor of the merchant’s acquiring bank to authorize the transaction.

A payment gateway will charge the merchant a small flat fee per order.

Payment Processor

The payment processor sits between the consumer’s issuing bank and the merchant’s acquiring bank. The payment processor is the entity that actually transacts the payment, passing both the transaction details for payment authorization between banks and also transferring the actual payment between each. Both in-store and online transactions rely upon a payment processor.

A payment processor will take the information passed by the payment gateway (and initially entered into the online checkout or shopping cart) and check with the issuing bank to first confirm that (1) the account is valid, (2) the payment information matches, and (3) there are funds available for purchase. If the card is active and funds are available for purchase, the payment processor will then transfer the funds from the issuing bank to the acquiring bank where the merchant account resides.

A payment processor will charge a merchant a certain percent per order.

Note: It’s becoming more common for payment gateways and payment processors to be one and the same company. (See Braintree, Stripe, PayPal etc.)

If you see pricing listed as a percent plus flat fee per transaction, that’s usually an indication you’re dealing with a combination provider.

Card Associations

A card association is a company, such as Visa or Mastercard, that functions as a payment network over which all the financial information between the different players (the issuing bank, acquiring bank, payment processor, and payment gateway) is transferred. Card associations also set the transaction rules that all the players must adhere to if they want to continue participating in the network. (Examples of the rules are the interchange rate and, in the case of fraud, the maximum percentage of orders that are allowed to be chargebacks.)

We’ll use Visa as an example. A bank that does not participate in Visa’s payment network (in other words, a bank with no official Visa relationship) would not be able to accept payments from Visa cards or issue Visa cards. When a transaction is made with a Visa card, Visa carries the financial details of that transaction as well as the cardholder information to each relevant party in the payment chain.

Now that we’ve covered the players involved, let’s run through an example transaction to illustrate the process.

The flow of the online transaction

A customer has decided to purchase a tent from CampingXYZ.com. They enter their shipping and billing details into the site’s online checkout system, and click “buy now.”

What happens next usually occurs over a series of seconds.

  1. After “buy now” is clicked, the merchant’s payment gateway collects the transaction and order information and passes it to the merchant’s payment processor.
  2. The merchant’s payment processor is then routed to the customer’s issuing bank via the card association network, which informs the payment processor which issuing bank the customer belongs to.
  3. The merchant’s payment processor will then check with the customer’s issuing bank to see if the card passed to it:
    1. is valid,
    2. has the funds available for purchase,
    3. and passed the AVS/CVV check.
  4. The issuing bank will then indicate to the payment processor if the card information passed to it was accurate or not and if the payment is possible.
  5. If the issuing bank confirms that the card used in the transaction is available, the payment processor will either:
    1. put an authorization hold on the funds, or
    2. capture the funds and immediately transfer the money to the merchant's acquiring bank, where the funds will settle in the merchant account.

Authorization vs. Capture

Depending on the merchant’s preference, or the particularities of their order review or fulfillment process, a merchant may wish to have their payment gateway simply place an authorization hold on the money for the order or capture the money right away.

A merchant may choose to place an authorization hold, generally in the amount of the purchase, if they want to take more time reviewing the order before capturing the funds. (They may wish to do so to ensure orders are legitimate and avoid a possible chargeback.) Depending on their payment gateway, a merchant may have 24 hours, a week or 30 days to maintain an authorization hold until the authorization expires.

Most merchants choose to capture the funds immediately after the initial authorization check, especially in the case where a merchant delivers the goods or service instantly, like a digital download.

From the cardholder’s angle, when a merchant places an authorization hold on the money for the purchase, cardholders would see that reflected as a “pending” charge on their credit card.

AVS and CVV

There are a variety of legitimate reasons that a transaction might fail during the initial authorization check.

For example, the customer might have entered the credit card number incorrectly, leading the issuing bank to be unable to locate the card. The customer may also have failed the standard AVS/CVV security check.

The customer’s issuing bank checks both AVS and CVV to determine the validity of the card used. AVS stands for Address Verification System, and it compares the address and zip code provided by the customer during the order process to what the bank has on file for the card. Banks also check CVV, which stands for Card Verification Value. CVV is the 3- or 4-digit code on the front or back of the card that a customer must type in for every purchase. The purpose of CVV is to verify that the cardholder had the card in their hand at the time of purchase.
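
As an added illustration (not part of the original article), the Python model below runs the issuing bank's checks from the payment flow above, in the order the flow lists them, and shows how an authorization hold differs from a capture, including what happens when a hold expires before capture. The class names, the exact-match AVS rule and the sample card data are assumptions made for the example; real issuers return graded AVS and CVV result codes rather than one yes/no answer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CardOnFile:                 # issuer-side record (constructed sample data)
    number: str
    cvv: str
    street: str
    zip_code: str
    available: int                # available funds or credit, in cents
    active: bool = True

@dataclass
class Hold:                       # an authorization hold awaiting capture
    number: str
    amount: int
    expires: datetime
    captured: bool = False

class Issuer:                     # hypothetical model of the issuing bank
    def __init__(self, cards):
        self.cards = {c.number: c for c in cards}

    def authorize(self, number, cvv, street, zip_code, amount, now, hold_for):
        """Apply the checks in the article's order; reserve funds on success."""
        card = self.cards.get(number)
        if card is None or not card.active:
            return "declined: invalid card", None
        if amount > card.available:
            return "declined: insufficient funds", None
        if (street.strip().lower(), zip_code.strip()) != (card.street.lower(), card.zip_code):
            return "declined: AVS mismatch", None
        if cvv != card.cvv:
            return "declined: CVV mismatch", None
        card.available -= amount  # the cardholder sees this as a "pending" charge
        return "approved", Hold(number, amount, now + hold_for)

    def capture(self, hold, now):
        """Capture held funds; an expired hold releases them back to the card."""
        if hold.captured:
            return "already captured"
        if now > hold.expires:
            self.cards[hold.number].available += hold.amount
            hold.amount = 0       # nothing left to release on a repeat call
            return "authorization expired"
        hold.captured = True
        return "captured"
```

A merchant that captures immediately calls `capture` right after an approved `authorize`; a merchant that reviews orders first must call it before `hold.expires`, or the reserved funds return to the cardholder.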