This article series provides information about how ecommerce credit card processing works.
Nowadays millions of people use credit and debit cards to buy goods and services, but few understand how they actually function. In this guide, we'll explain the process in detail so you can learn the part you play as an online business owner. We'll teach you what you need to know, including how money moves from the cardholder to you, and how a payment gateway fits in. Then you can focus on what's important: making money and protecting yourself against loss.
Credit Card Fraud
Issuers let cardholders submit chargebacks on purchases they didn't make (purchases made with a stolen card), usually for up to 180 days. A chargeback is a reversal of the charge made at the issuing bank's discretion. The issuing bank debits the merchant bank, which in turn debits the merchant's account. This means that any money a merchant accepts can later be taken out of the merchant's account without warning.
These situations are unpleasant for all parties involved except the card thief, and merchants pay the heaviest price. Not only do they lose the transaction funds, they also lose the merchandise they shipped. On top of that, their processing service usually charges a standard fee for the inconvenience.
In the worst cases, a merchant is unlucky enough to become the target of a thief who makes high-ticket or high-volume purchases. The potential for additional loss can then lead the processor to freeze the funds in the merchant account to cover further chargebacks the issuing bank is likely to make in the future. Processors do this because they're on the hook to pay the issuing bank for anything their merchants' accounts can't cover.
Physical cards are rarely lost or stolen. When they are, cardholders usually notice within 24 hours and contact their issuing banks. In these cases, the bank cancels the card, which stops whoever now holds it from using it. This means that when the physical card is present, the merchant stands little risk of a chargeback due to fraud.
In the online world, however, physical cards aren't used, and the card's alphanumeric details stand in place of the magnetic stripe or chip. Hackers can steal these details without the cardholder's knowledge during any online transaction by exploiting website security flaws or weak data management practices (on the part of the cardholder or the merchant). As a result, when online purchases are made with stolen data, the cardholder is unaware; the cardholder doesn't contact the issuer, and the bank continues to authorize transactions that use the stolen card details.
Cardholders usually only become aware of this type of card theft when they see transactions they don't recognize in their online account summaries or on their monthly statements. And many cardholders don't check their accounts or statements regularly or review them closely. This is why issuers generally allow chargebacks for such a long period of time after the purchase date.
PCI DSS guidelines forbid online merchants from temporarily storing security code data (the 3-digit code on the back, or the 4-digit code on the face of American Express cards) alongside all other card details. For this reason, the CVC value is much more difficult for online thieves to steal. With Volusion, your gateway should provide a CVC response that lets you know if the value the purchaser entered matches the one on the card. Contact your gateway for response code details.
The default authorization & capture setting for your Volusion store is ideal for online transactions because it keeps the order process streamlined for shoppers while simultaneously giving you the opportunity to look over transaction details before you capture funds. You should never capture money on a transaction that features a CVC mismatch. The proper step is to void the authorization. Whether you cancel the order outright or reach out to the cardholder for another payment method is up to you.
We also recommend that you make other commonsense evaluations. For example, the purchaser name, purchaser email address, and cardholder name should generally all point to the same person rather than to different people. Additionally, you should be suspicious of order amounts or quantities that are significantly higher than your store's averages.
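The pre-capture review described above can be written down as a small check that runs between authorization and capture. This is an added example, not Volusion or gateway code. It assumes the gateway's CVC response has already been mapped to "match", "mismatch" or "unavailable", and the field names, the three-standard-deviation threshold and the sample order history are all constructed for illustration.

```python
import re
from statistics import mean, stdev

# Assumption: the gateway's CVC response is already mapped to one of these
# normalized values; the real response codes differ from gateway to gateway.
CVC_MATCH, CVC_MISMATCH, CVC_UNAVAILABLE = "match", "mismatch", "unavailable"

# Constructed sample history of past order totals and item counts.
PAST_AMOUNTS = [42.0, 55.5, 38.0, 61.25, 47.0, 52.0, 44.5, 58.0]
PAST_QUANTITIES = [1, 2, 1, 3, 2, 1, 2, 1]

def _tokens(text):
    """Lowercased alphabetic tokens of two or more letters (drops initials)."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if len(t) >= 2}

def _is_outlier(value, history, sigmas=3.0):
    """True when value is more than `sigmas` std devs above the historical mean."""
    if len(history) < 2:
        return False  # not enough history to call anything unusual
    return value > mean(history) + sigmas * stdev(history)

def review_authorization(order, past_amounts, past_quantities):
    """Return (decision, reasons); decision is 'void', 'review' or 'capture'."""
    if order["cvc_result"] == CVC_MISMATCH:
        return "void", ["CVC mismatch"]  # never capture on a mismatch
    reasons = []
    if order["cvc_result"] == CVC_UNAVAILABLE:
        reasons.append("no CVC result from gateway")
    buyer = _tokens(order["purchaser_name"])
    holder = _tokens(order["cardholder_name"])
    if not buyer & holder:
        reasons.append("purchaser and cardholder names share no name part")
    # Only judge the email when its local part looks like a name (two+ tokens).
    local = _tokens(order["purchaser_email"].split("@")[0])
    if len(local) >= 2 and not local & (buyer | holder):
        reasons.append("email looks like a different person's name")
    if _is_outlier(order["amount"], past_amounts):
        reasons.append("order amount far above store average")
    if _is_outlier(order["quantity"], past_quantities):
        reasons.append("order quantity far above store average")
    return ("review" if reasons else "capture"), reasons

if __name__ == "__main__":
    order = {"cvc_result": CVC_MATCH, "purchaser_name": "Jane Smith",
             "cardholder_name": "Robert Brown", "amount": 1250.0, "quantity": 40,
             "purchaser_email": "jane.smith@example.com"}  # constructed order
    print(review_authorization(order, PAST_AMOUNTS, PAST_QUANTITIES))
```

A "review" result means a person should look at the order before capturing funds; only a CVC mismatch voids the authorization automatically.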