E-COMMERCE BASICS
WEB SITE SCENARIOS
FRAUD PREVENTION METHODOLOGIES
CARDHOLDER INFORMATION SECURITY AGENDA
CHARGEBACK AND LOSS RECOVERY SCENARIOS
E-COMMERCE BASICS
Recognize the business risks and plan a strategy for them
- Stay alert to the risks involved in doing business and handling monetary transactions on the Internet.
- Learn how the chargeback process works.
- Train your staff in e-commerce risk management.
- Educate your staff so that they can handle the day-to-day card acceptance process from cardholders efficiently.


WEB SITE SCENARIOS
A) Develop Clear and Meaningful Website Content
Content is what conveys ideas to visitors, so clear and understandable website content is indispensable. Meaningful content on the website is therefore the basis of efficient communication.
For the Merchant and Website
- Provide a link to a clearly stated privacy policy on the website's home page. This helps gain the visitors' trust.
- Display the name of the merchant's firm or company prominently on the web pages, since this is how customers recognize the company's existence. The name must be shown prominently on the home page, the payment page and on all card transaction records.
- Assure your customers that their information is secure and kept under full control.
- To help visitors with questions, provide a link to the FAQ on the website's home page.
- To establish reliability, register with a privacy organization and place its seal of approval on your website.
- Avoid the use of e-mail for transactions.
- Require the cardholder to provide the card expiration date.
For Products, Shipping and Delivery Issues
Give detailed and sufficient information about product shipping and delivery on the website. Create this content with the following points in mind:
- To ensure transparency in trading, a merchant must disclose in advance any applicable fees imposed by local law. These fees may include insurance, bona fide commissions, shipping and handling, taxes and so on.
- Give a precise description of the goods and services being offered.
- Inform customers about stock availability and when out-of-stock items will become available to them.
- Develop a detailed and transparent shipping policy and make it available to customers at the time of online purchase. This information can be provided through a link on the home page.
- Merchants are advised not to charge a cardholder, either directly or indirectly, a surcharge, any part of the merchant's discount, a finance charge, etc. A surcharge must be charged when payment is made through a credit card; as far as other means of payment are concerned, a surcharge must not be charged.
- A clear and detailed billing practice helps the business run efficiently and smoothly.
- Provide an explanatory statement of your refund and credit policy. A merchant must disclose to customers the policy on delivery, returns and exchange of goods.
- Merchants should send the customer an e-mail notification of any delay in the delivery of goods or services.
After-Sales and Customer Service
After-sales service is one of the most vital factors in ensuring the continuous growth of a business, and it is the best way to serve customers. To deliver after-sales and customer service of optimum quality, a merchant should follow these practices:
- Set up toll-free customer service support; this is good practice for e-business.
- Provide customers with an e-mail inquiry feature.
- As far as possible, develop standards for inquiry feedback and check that they are properly implemented.
- Responding to customer queries by e-mail will help you gain their trust.


B) Risk Reduction
- Make every effort to help customers who forget their passwords.
- Require customers to fill in the fields that are significant for detecting risky situations.
- As far as possible, highlight those risk-relevant fields that customers are required to fill in.
- Edit and validate the required data fields in real time to reduce risk exposure.
- Use persistent web browser cookies to recognize and acknowledge existing customers.
- Verify the customer's physical address, telephone number, e-mail address, etc.
- Develop safe methods to avoid duplicate transactions.
- Implementing a “Mod 10” card number check before submitting a transaction for authorization is highly recommended.
- Whenever card numbers need to be shown to customers, display only the last 4 digits.
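The "Mod 10" check is the Luhn algorithm. The following is an added example, not code from the guide, showing the check applied to the card number field before authorization together with the last-4 masking recommended above; the function names are assumptions, and a passing check only catches mistyped or malformed numbers, it does not prove that an account exists.

```python
# Added example (not from the original guide): a Mod 10 (Luhn) check run on the
# card number before the transaction is submitted for authorization, plus the
# last-4 masking recommended for anything echoed back to the customer.
# The card numbers used in the checks are published test numbers, not real accounts.

def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes customers type into the card number field."""
    return "".join(ch for ch in raw if ch not in " -")

def luhn_valid(pan: str) -> bool:
    """Mod 10 check: from the right, double every second digit, subtract 9 when
    the doubled digit exceeds 9, and the sum of all digits must end in 0."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:   # PAN lengths are 12-19 digits
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Replace every digit except the last 4 with '*'."""
    return "*" * max(len(pan) - 4, 0) + pan[-4:]

def precheck(raw: str) -> dict:
    """Real-time validation of the card number field: whether the transaction may
    be sent on for authorization, and the only form of the PAN that may be shown.
    A Luhn pass catches typos and malformed numbers; it does not prove the account exists."""
    pan = normalize_pan(raw)
    ok = luhn_valid(pan)
    return {"submit": ok, "display": mask_pan(pan) if ok else None}
```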


FRAUD PREVENTION METHODOLOGIES
An effective fraud prevention system lets you intensify your business activity without disruption. Some of the tools for establishing an efficient fraud prevention system are suggested below:
A. Implement an Internal Fraud Prevention System
- Create and maintain an internal fraud avoidance file.
- Set up transaction controls and velocity limits.
- Take sufficient initiative to establish a formal fraud control function.
- Implement fraud control measures effectively.
- Review approved and declined authorizations that meet the following criteria:
  - Same IP address --- different card numbers
  - Same IP address --- different shipping or delivery addresses
  - Same card number --- different shipping or delivery addresses
  - Same shipping address --- different card numbers
- Ensure that the agency providing courier services complies with the following criteria:
  - Products are delivered to the authorized address only.
  - Products are not simply left at a counter, etc.
- Change transaction controls and velocity limits in a timely manner as transaction risks change.
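As an added example (not code from the guide), the review of approved and declined authorizations for the four linkage patterns listed above, plus a simple velocity limit over the same batch. The records are constructed sample data; the field names, the tokenized card references ("tok_...") and the limit are assumptions.

```python
# Added example (not from the original guide): a batch review of approved and
# declined authorizations for the four linkage patterns above, plus a simple
# velocity limit. Records are constructed sample data; the field names, the
# tokenized card references ("tok_...") and the limit are assumptions.
from collections import defaultdict

SAMPLE_AUTHS = [
    {"id": "a1", "ip": "203.0.113.7",  "card": "tok_4242", "ship": "12 Elm St",  "status": "approved"},
    {"id": "a2", "ip": "203.0.113.7",  "card": "tok_9876", "ship": "12 Elm St",  "status": "declined"},
    {"id": "a3", "ip": "203.0.113.7",  "card": "tok_5555", "ship": "9 Oak Ave",  "status": "approved"},
    {"id": "a4", "ip": "198.51.100.2", "card": "tok_4242", "ship": "77 Pine Rd", "status": "approved"},
    {"id": "a5", "ip": "192.0.2.9",    "card": "tok_1111", "ship": "1 Main St",  "status": "approved"},
]

# (label, field that must match, field whose values must differ)
LINKAGE_RULES = [
    ("same IP, different card numbers", "ip", "card"),
    ("same IP, different shipping addresses", "ip", "ship"),
    ("same card number, different shipping addresses", "card", "ship"),
    ("same shipping address, different card numbers", "ship", "card"),
]

def linkage_review(auths):
    """Return {auth_id: [rule labels]} for every authorization, approved or
    declined, that shares a key value with another record but differs in the
    linked field. Declines are included on purpose: a run of declines from
    one IP on several cards is itself a signal worth reviewing."""
    flags = defaultdict(list)
    for label, key, linked in LINKAGE_RULES:
        groups = defaultdict(list)
        for a in auths:
            groups[a[key]].append(a)
        for members in groups.values():
            if len({m[linked] for m in members}) > 1:
                for m in members:
                    flags[m["id"]].append(label)
    return dict(flags)

def velocity_breaches(auths, key, limit):
    """Velocity limit: values of `key` (e.g. "ip" or "card") that appear more
    than `limit` times in this review window."""
    counts = defaultdict(int)
    for a in auths:
        counts[a[key]] += 1
    return sorted(k for k, n in counts.items() if n > limit)
```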

B. Put Fraud Screening into Effect
- Establish cost-effective doorstep services for manual fraud screening.
- Check high-risk shipping addresses thoroughly.
- Apply the fraud-screening tools once high-risk transactions have been identified.
- Perform internal fraud screening before submitting transactions for third-party scoring.
- Evaluate the costs and benefits of third-party scores for low-risk transactions.
- Establish effective measures for verifying calls from cardholders.
- Treat anonymous e-mail addresses as a critical risk indicator.
- Create a negative database listing previous fraud cases and reported charges/chargebacks, keyed on the following data fields:
  - Customer address
  - Telephone numbers
  - E-mail ID
  - Login ID
  - Shipping/delivery address


C. Post-Authorization Transaction Scenarios
- Track the rate at which orders are declined.
- Issue an e-mail order confirmation to obtain the customer's consent.
- Check all declined authorizations and take appropriate action.
- Supervise your batches on a regular basis.
- Change the password on your payment gateway system regularly.
- Monitor authorizations and transactions regularly.


CARDHOLDER INFORMATION SECURITY AGENDA
- If a security breach occurs, the first steps taken should be those that limit the exposure of information.
- CVV2 data must not be stored.
- Use of firewalls is highly recommended.
Prefer using a server that resides on a network protected by an efficient firewall:
It is highly recommended that the merchant's server reside on a trusted network that uses internal Internet Protocol (IP) addresses to route to the database platform only through an efficient network firewall. Internal IP addresses are effective when they comply with the following:
- They can authenticate themselves to the isolated database platforms.
- They are accessible only to other internal IP addresses.
- They are not accessible from the Internet.
Perform Efficient Encryption of Data to be Transmitted
Merchants are advised to encrypt all transmitted data using current technology such as Secure Sockets Layer (SSL) or Secure Electronic Transaction (SET). Accepting account information in unencrypted form or via e-mail is strictly prohibited.
Keep Security Protections Updated:
- Merchants should use their judgement to test their security systems regularly and employ an effective intrusion detection system that identifies suspicious hacker activity and isolates the risk.
- A large number of hackers are constantly developing new and more powerful intrusion methods. A prudent merchant regularly seeks out updated security patches and anti-virus software to protect against such threats.
- Furthermore, a merchant must update security systems and anti-virus software frequently as new threats emerge.
Ensure Only Limited Personal Access to Data and Database Systems by Following These Guidelines:
- Only personnel entrusted with direct responsibility for payment processing should have access to cardholder data, and that access should be restricted to the extent specified, for example for shipping orders or customer service.
- Merchants should restrict physical access to the database platform.
- Access to the data, key management and platform cryptographic support functions should be restricted to authorized personnel only.
- Methods such as active password management or smart card authentication should be encouraged.
- As far as possible, limit access to the cardholder's password, user ID and the cookie that the merchant places on the cardholder's home PC.
- Merchants usually create files containing unencrypted temporary cardholder data. A merchant must delete such short-lived data in order to reduce the risk of its misuse. Keeping information about static accounts also exposes cardholder data to unnecessary risk; such data should be deleted as well to ensure the optimum level of protection.
Generate and Store Encryption and Communication Keys in the Most Secure Manner.
- Merchants are required to secure key generation and storage; this ensures the safety of the keys and allows merchants to manage their database, back-up files and transmissions securely.
Sensitive Cardholder Data and Back-up Files Must Be Stored in Encrypted Form.
- In general, whenever another entity accesses the database, sensitive data is at a higher risk of exposure. To protect the data from such exposure, a merchant should store all cardholder data in encrypted form. For extra protection, merchants should also encrypt all back-up files, files that are not accessible via the Internet, and files stored off-site.
Avoid Displaying Data on a Web Page
- Merchants are advised not to display cardholders' secret information, such as their account number, expiration date or other personal information, on web pages when the cardholder signs in during subsequent visits.


CHARGEBACK AND LOSS RECOVERY SCENARIOS
A. Avoid as Many Chargebacks and Processing Costs as Possible
- Display exactly the same merchant name on all marketing and shipped materials as is shown on the website. This practice reduces the 'No Cardholder Authorization' chargebacks that generally happen when cardholders see an unfamiliar merchant name on their billing statements and dispute the doubtful transaction.
- Obtain a new authorization as soon as the original expires.
- It is best practice for web merchants to notify cardholders by e-mail immediately upon receiving an order, stating at least the following:
  - Complete billing address of the order,
  - Complete shipping address of the order,
  - Expected delivery date of the order,
  - Description of the items,
  - Price of the items,
  - Total price of the order, inclusive of taxes, shipping fees and any other applicable fees,
  - Customer service phone number and e-mail address of the merchant itself.
- The merchant should clearly disclose on its website its policies for recurring payments, refunds and trial memberships, if any. Such disclosure will help diminish chargebacks that result from cardholder confusion.
- Apply system tracking to recognize multiple processing of identical transactions: check those transactions in which the merchant has presented an account number more than once with identical transaction amounts.
- Do not post transactions until the goods or services are delivered to the cardholder.
- To minimize or eliminate unnecessary chargeback losses, get well acquainted with your representment rights.
- Maintain a distinction between Internet chargebacks and non-Internet chargebacks.
- Pay special attention to situations where a customer deserves credit for a valid dispute.
- Process reversals immediately when multiple processing of identical transactions occurs.
- A merchant operating with minimum inventory should have sufficient customer service policies to handle situations in which specified items are out of stock or are ordered from suppliers only upon customer request.
- Ensure that sales draft requests are answered with data-rich responses.
- Respond to sales draft requests in a timely manner.
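As an added example (not code from the guide), the system tracking described above for multiple processing of identical transactions: the same account number presented more than once with the same amount within a short window, with a reversal record built for each duplicate. The transactions are constructed sample data; the field names, the five-minute window and the reversal record format are assumptions.

```python
# Added example (not from the original guide): detect an identical transaction
# posted more than once (same account, same amount, close together in time) and
# prepare the reversals the guide says should follow immediately. Sample data is
# constructed; field names, the window and the reversal format are assumptions.
from datetime import datetime, timedelta

# Amounts are kept as strings so equality is exact (no float rounding surprises).
SAMPLE_TXNS = [
    {"id": "t1", "account": "tok_4242", "amount": "49.99", "ts": "2024-03-01T10:00:00"},
    {"id": "t2", "account": "tok_4242", "amount": "49.99", "ts": "2024-03-01T10:00:08"},  # double submit
    {"id": "t3", "account": "tok_4242", "amount": "12.50", "ts": "2024-03-01T10:01:00"},  # different amount
    {"id": "t4", "account": "tok_9876", "amount": "49.99", "ts": "2024-03-01T10:02:00"},  # different account
    {"id": "t5", "account": "tok_4242", "amount": "49.99", "ts": "2024-03-02T10:00:00"},  # next day: legitimate reorder
]

def find_duplicate_postings(txns, window=timedelta(minutes=5)):
    """Return the ids of later transactions that repeat an earlier (account, amount)
    pair within `window`. The first presentment is kept; later ones are duplicates."""
    last_seen = {}      # (account, amount) -> timestamp of the most recent kept posting
    duplicates = []
    for t in sorted(txns, key=lambda t: t["ts"]):   # ISO-8601 strings sort chronologically
        key = (t["account"], t["amount"])
        ts = datetime.fromisoformat(t["ts"])
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window:
            duplicates.append(t["id"])
        else:
            last_seen[key] = ts
    return duplicates

def reversal_requests(txns, window=timedelta(minutes=5)):
    """Build one reversal record per duplicate posting, in the batch's original order."""
    dupes = set(find_duplicate_postings(txns, window))
    return [{"reverse": t["id"], "account": t["account"], "amount": t["amount"]}
            for t in txns if t["id"] in dupes]
```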
B. Put an Efficient Loss Recovery Mechanism into Effect
- To collect low-dollar amounts, take initiatives such as e-mail collection reminders.
- As a next step, make phone calls to those who do not respond to your initial correspondence.
- As a final step, consider outsourcing the recovery of unpaid balances to a collection agency on a contingent-fee basis.

