This article provides an overview of chargeback and credit card fraud prevention, including fraud best practices and red flags, how to avoid chargebacks, PCI compliance, risk review processes, and using the CardPointe dashboard.
Fraud
Fraudsters use a variety of tactics including account takeover, new account fraud, triangulation fraud, friendly fraud, and more. The first step toward preventing fraud is knowing what to look for. The following red flags are telltale signs of fraudulent activity:
a. New Email Addresses – A new or temporary ("burner") email address may indicate the buyer plans to commit fraud and then disappear.
b. High-Ticket Value – Fraudsters often buy high-value goods that can be easily resold for cash.
c. Transaction Velocity – Multiple transactions in quick succession may indicate stolen account information being used before discovery.
d. Expedited Shipping – Fraudsters tend to choose the fastest shipping option so goods arrive before they are intercepted.
e. Buying in Bulk – Ordering as many high-ticket items as possible before maxing out the account can signal fraud.
f. Address Mismatch – The shipping address may not match the billing address on file with the bank or in previous transaction records.
g. Repeat IP Addresses – The same IP address tied to multiple transactions and multiple cards may indicate stolen information from multiple consumers.
Reducing Risk
- Verify customer details using Address Verification Service (AVS), CVV checks, and email or phone confirmation during checkout. CVV is the three- or four-digit security code on payment cards and helps verify the cardholder has the card. AVS checks the billing address in the transaction against the address on file with the issuing bank.
- Establish clear return, refund, and delivery policies at checkout to reduce friendly fraud disputes.
- Train staff to spot fraud indicators and protect sensitive data.
- Apply risk-based controls such as velocity limits (card testing protection), risk scoring, and manual review for high-risk orders (e.g., new customers, high average order value, rush shipping).
Note: Even with the right tools and tactics in place, there is no way to fully fraud-proof or chargeback-proof a business. Staying up to date on threats is an ongoing effort.
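The red flags and risk-based controls above can be combined into a simple rule-based score that routes orders to manual review. The following Python sketch is an added example, not CardPointe functionality or code from this article; the thresholds, weights, field names, and sample orders are assumptions constructed for illustration, and cards are referenced by token rather than card number.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and weights for illustration; tune them to your own order history.
HIGH_TICKET = 1000.00                  # "high-ticket value"
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3                       # same card, 3+ attempts inside the window
IP_CARD_MAX = 3                        # one IP presenting 3+ distinct cards
REVIEW_AT = 50                         # score at or above this goes to manual review

def score_orders(orders):
    """Score orders in time order; return {id: (score, flags, decision)}."""
    card_times = defaultdict(list)     # card token -> timestamps seen so far
    ip_cards = defaultdict(set)        # IP -> distinct card tokens seen so far
    results = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        card_times[o["card"]].append(o["ts"])
        ip_cards[o["ip"]].add(o["card"])
        recent = [t for t in card_times[o["card"]] if o["ts"] - t <= VELOCITY_WINDOW]
        checks = [
            ("velocity", 50, len(recent) >= VELOCITY_MAX),
            ("repeat_ip", 50, len(ip_cards[o["ip"]]) >= IP_CARD_MAX),
            ("address_mismatch", 20, o["ship_zip"] != o["bill_zip"]),
            ("high_ticket", 15, o["amount"] >= HIGH_TICKET),
            ("expedited", 10, o["expedited"]),
            ("new_email", 15, o["email_age_days"] < 7),
        ]
        flags = [name for name, _, hit in checks if hit]
        score = sum(weight for _, weight, hit in checks if hit)
        results[o["id"]] = (score, flags, "manual_review" if score >= REVIEW_AT else "accept")
    return results

# Constructed sample orders (tokens, documentation-range IPs, and ZIP codes are made up).
T0 = datetime(2024, 1, 15, 9, 0)
def order(oid, minute, card, ip, amount, ship, bill, expedited, email_age):
    return {"id": oid, "ts": T0 + timedelta(minutes=minute), "card": card, "ip": ip,
            "amount": amount, "ship_zip": ship, "bill_zip": bill,
            "expedited": expedited, "email_age_days": email_age}
SAMPLE = [
    order("A1", 0, "tok_A", "198.51.100.7", 45.00, "30301", "30301", False, 900),
    order("B1", 1, "tok_B", "203.0.113.9", 5.00, "60601", "60601", False, 400),
    order("B2", 2, "tok_B", "203.0.113.9", 5.00, "60601", "60601", False, 400),
    order("B3", 3, "tok_B", "203.0.113.9", 5.00, "60601", "60601", False, 400),
    order("C1", 30, "tok_C", "192.0.2.44", 1800.00, "90001", "10001", True, 2),
    order("D1", 40, "tok_D", "198.51.100.7", 1200.00, "30301", "30301", False, 900),
]
if __name__ == "__main__":
    for oid, (score, flags, decision) in score_orders(SAMPLE).items():
        print(oid, score, decision, ",".join(flags) or "-")
```

In the sample, the third small charge on one card within the window (B3) and the mismatched, expedited, high-value order from a new email (C1) go to manual review, while a single high-value order with no other flags (D1) is accepted.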
Chargebacks
Chargebacks are fees incurred when a customer disputes a transaction with their issuing bank, which then reverses the transfer of funds. You may dispute a chargeback; the acquiring bank and issuing bank must then come to an agreement. Chargebacks are categorized as technical, clerical, quality, or fraud based on the reason for the dispute. Transaction reporting in CardPointe can support winning chargeback disputes.
CardPointe's Security tab allows you to enable or disable CVV and AVS verification. By default, these are disabled. Enabling them will automatically decline transactions with a CVV or AVS mismatch, helping protect against chargebacks.
To change this setting:
1. Click Administration in the top navigation bar of the CardPointe desktop application.
2. Click the Security tab.
3. In the CVV/AVS section, check the box next to the validations you wish to activate (CVV – when active, CVV mismatches are automatically declined; AVS – when active, AVS mismatches are automatically declined).
4. Click Save when finished.
Reducing Risk
- Provide an outstanding customer experience so customers are more likely to resolve disputes with you rather than through their bank.
- Minimize merchant errors by manually checking customer and transaction data and following a strong quality-control procedure.
- Establish a post-sale process: communicate with customers during transit and after delivery so channels stay open if a customer has a complaint.
- Strictly adhere to payment protocols: enforce AVS and CVV, remain fully PCI compliant, and retain proof of delivery (e.g., contracts, tracking information) for use when disputing chargebacks.
- Make returns and refunds policies clearly visible at applicable touchpoints so customers are less likely to initiate a chargeback due to confusion.
PCI Compliance
If you accept, transmit, or store cardholder data, you must meet Payment Card Industry (PCI) requirements. PCI compliance helps protect cardholder data and reduces vulnerability to data breaches. Compliance status is determined by your standing in the PCI Manager Portal. Tips for becoming PCI compliant:
1. Log into CardPointe and navigate to My Account.
2. If your MID is not PCI compliant, a message displays at the top of the screen. Click Learn How to Get Compliant to log into the PCI portal, or log in directly at cardpointe.managepci.com/safemaker/login/portal. Merchants have a three-month grace period to become PCI compliant.
3. If your MID is PCI compliant, click the Compliant link in the My Merchant Account section of the My Account screen to log in to the portal.
PCI requirements are set by the PCI Data Security Standard (PCI DSS) and managed by the PCI Security Standards Council (PCI SSC). Although not required by law, non-compliance can result in significant fees and data-breach consequences. PCI compliance helps maintain customer trust, protect customer information, and avoid non-compliance fees. Partnering with a payments provider that offers PCI-validated solutions and guidance can simplify the process.
Risk Review
As your processor, we take on risk and liability for your processing account (e.g., next-day funding, monthly billing). Every transaction carries some risk. The risk team monitors merchant processing to identify anomalies that could be fraudulent, illegal, or a compliance concern. Changes in volume, frequency, transaction size, or daily thresholds may trigger a risk review.
An active risk review involves a Request for Information (RFI) sent to the client contact on file, typically within 24 business hours of the investigation, from SVC-CreditRiskManager@fiserv.com with the subject line "[RFI-(case number)]: Risk Review Notification." The RFI includes the reason for the review and the documentation requested. Merchants should resolve risk items directly with the assigned risk analyst. Reply directly to the RFI notification; responses sent outside the RFI or with content removed may not be received by the analyst.
The risk analyst generally responds within 72 business hours. If you have not received a request for additional information or need to schedule a call with the investigator, contact the Customer Support Help Desk at 877-828-0720. The risk analyst must have received the requested documentation at least 48 hours before a call is requested.
Tip: Risk limits are dynamic. To avoid a risk review, you can proactively notify the risk team of anticipated changes (e.g., higher volume, new product lines). Open a support ticket with a summary of the change, merchant DBA, merchant MID, and any supporting documentation (e.g., invoice).
CardPointe Dashboard
You can register for CardPointe using the Merchant Registration page (merchantcenter.cardconnect.com/account/registration#/registration). To register:
1. Enter your Merchant ID (MID), Tax ID or Social Security Number (SSN), and zip code in the corresponding fields.
2. Click Submit to Confirm. The Set Up Admin screen displays so you can associate an administrative user with your Merchant Account.
3. After completing the fields, click Submit. You will receive an email with a link to complete registration.
To access CardPointe:
1. Go to https://cardpointe.com and enter your login credentials.
2. You will be prompted for a one-time security code sent to the email or mobile number on your account (from Ping Identity).
3. Check your email (from PingOne <noreply@pingidentity.com>) or phone for the one-time security code.
4. Enter the one-time security code to authenticate and complete login.
The Dashboard gives a high-level overview of merchant activity, including transaction activity, recent funding events, funding trends, and notifications. The Dashboard Notifications tab lets you edit which notifications you receive on the CardPointe Dashboard (System Notifications and Transactions & Event Notifications). Grant permissions by checking the box to the left of the permission name. For Transactions & Event Notifications, use the drop-down at the top of the section to change the location for which you receive notifications. Click Save at the bottom of each section to save changes, or Cancel to discard them. The Email Notifications tab works the same way for notifications sent to your registered email.