Visa and Mastercard, the two biggest credit card issuers in the U.S., are cracking down on refund fraud. The goal is to strike a balance that benefits both merchants and customers.

Visa finalized the rollout of its refund authorization mandate for merchants in the U.S. and Canada in April 2019. Mastercard’s refund authorization mandate will take full effect in April 2020.

“It’s a new process,” Jeff Beene, Vice President of Risk Management and Compliance at Talus Pay, says of refund authorizations. “Merchants are used to doing it the way they’ve been doing it.”

Under these mandates, merchants must initiate an online authorization request for each refund. Each request is sent to a cardholder’s bank through an authorization message. If the request is approved for either a card-present or card-not-present transaction, the acquiring bank will create a return-authorization message.

Through return authorization, the card issuer can verify a cardholder’s account, reject refunds when fraud is suspected and cut back on chargebacks triggered by nonexistent or closed accounts.

Before the Visa and Mastercard mandates, merchants were not required to obtain authorization for refunds.

Fighting Refund Fraud

The refund authorization mandates are aimed at protecting merchants from fraud, according to Suresh Dakshina, Founder and President of Chargeback Gurus, which helps merchants with chargebacks and fraud prevention.

Flashpoint, a provider of business risk intelligence, reports that cybercriminals hijack legitimate merchant accounts and issue refunds to payment cards. “This can be very profitable for fraudsters and damaging to the merchant account owner,” Flashpoint notes.

A refund authorization scheme directed at a merchant often lasts no more than a couple of weeks, according to Flashpoint. But here’s the alarming part. “Merchants often do not notice this activity until the funds are deducted from their bank account,” Visa reports.

How A Refund Fraud Scheme Works

Visa explains how one of these schemes might play out:

Criminals obtain point-of-sale (POS) devices through such avenues as acquirers, online resellers, auctions or even outright theft. They then program the devices with the credentials of a legitimate merchant, thus effectively cloning the merchant’s actual POS device.

The cloned POS devices can then be used to fraudulently complete purchase returns to gift cards—in amounts of $2,000 to $6,000 per transaction. After the purchase returns are posted to the gift cards, the cards are cashed out at ATMs. Criminals prefer gift cards, and sometimes debit cards, because the funds are available quickly.

In these schemes, criminals target merchant credentials and account information such as merchant descriptors, merchant identification numbers and terminal identification numbers. They do this by collecting transaction receipts from a merchant, scanning memory slots of POS devices for apps that contain merchant information, or simply by stealing a merchant’s programmed terminal.

“The criminals possess knowledge of how to program POS device applications and connect such devices to the specific host or front-end platform used by the legitimate merchant,” Visa explains.

Looking for easy-to-use POS equipment bundled with POS software? Check out Talus Pay’s offerings.

New Protections

Visa says the new refund authorization system provides several improvements.

  • Improves the customer experience
  • Reduces customer inquiries related to lack of real-time information about refunds
  • Provides real-time validation from a card issuer
  • Minimizes chargebacks tied to refunds

For customers, the Visa and Mastercard mandates mean they’ll be able to quickly review pending returns, just as they can review pending purchases. Before these mandates, it would take two to five days for information about a purchase return to show up in a cardholder’s account history.

Easy Transition

Dakshina says that for merchants, implementation of refund authorization mandates is seamless, as the changes are programmed through back-end software operated by issuers (like Mastercard and Visa) and acquirers (which are typically the merchant’s bank).

“The merchant doesn’t have to do anything. They just have to be aware of [the change],” he explains.

Dakshina says card issuers and American Express and Discover won’t be imposing return authorization mandates because they operate closed-loop networks. Through such networks, American Express and Discover can access real-time information as both the issuer and acquirer.

Visa and Mastercard operate open-loop networks. They act as issuers but not acquirers.

Upgrade Your Payment Processing

If you’re looking for ways to make your payment processing experience better for yourself and your customers, look no further than the experts at Talus Pay.

Talus Pay’s point-of-sale system provides you with everything you need to grow your business. We even offer custom solutions designed to meet your specific needs. You can learn more at taluspay.com, or feel free to reach out directly to one of our consultants right now.

Want to Build a Better Business?

Stay up to date on the latest business news & insights when you subscribe to the Talus blog.

Ready to Start Growing Your Business?

Connect with a consultant for your free quote or apply today in under three minutes! Just click below.