Acquirer Fraud Loss Control Programs
An acquirer's fraud loss control program must meet the following minimum requirements, and preferably will include the recommended additional parameters. The program must automatically generate daily fraud monitoring reports or real-time alerts. Acquirer staff trained to identify potential fraud must analyze the data in these reports within 24 hours. To comply with the fraud loss control standards, acquirers also must transmit complete and unaltered data in all card-read authorization request messages, and also CVC 2 for all card not present (formerly MO / TO), voice, and e-commerce transactions.
Additionally, acquirers with high fraud levels must:
- Install "read and display" terminals in areas determined to be at high risk for fraud or counterfeit activity, or
- Install EMV chip terminals.
Daily reports or real-time alerts monitoring merchant authorization requests must be generated at the latest on the day following the authorization request, and must be based on the following parameters:
- Number of authorization requests above a threshold set by the acquirer for that merchant.
- Ratio of non-card-read to card-read transactions that is above the threshold set by the acquirer for that merchant.
- PAN key entry ratio that is above threshold set by the acquirer for that merchant.
- Repeated authorization requests for the same amount or the same cardholder account.
- Increased number of authorization requests.
- "Out of pattern" fallback transaction volume.
Daily reports or real-time alerts monitoring merchant deposits must be generated at the latest on the day following the deposit, and must be based on the following parameters:
- Increases in merchant deposit volume.
- Increase in a merchant's average ticket size and number of transactions per deposit.
- Change in frequency of deposits.
- Frequency of transactions on the same cardholder account, including credit transactions.
- Unusual number of credits, or credit dollar volume, exceeding a level of sales dollar volume appropriate to the merchant category.
- Large credit transaction amounts, significantly greater than the average ticket size for the merchant's sales.
- Credits issued subsequent to the receipt of a chargeback with the same account number and followed by a second presentment.
- Credits issued to an account number not used previously at the merchant location.
The acquirer must compare daily deposits against the average transaction count and amount for each merchant over a period of at least 90 days, to lessen the effect of normal variances in a merchant's business. For new merchants, the acquirer should compare the average transaction count and amount for other merchants within the same merchant code (MCC) assigned to the merchant. In the event that suspicious credit or refund transaction activity is identified, if appropriate, the acquirer should consider the suspension of transactions pending further investigation.
To optimize the effectiveness of fraud analysis staff, merchants that appear in the monitoring reports should exceed the average by 150% or more. However, the amount over the average is at the acquirer's discretion.
Recommended Additional Acquirer Monitoring
MasterCard recommends that acquirers additionally monitor the following parameters:
- Fallback methods.
- Credit transactions (such as refunds) and merchant authorization reversals.
- Transactions conducted at high-risk merchants.
- Personal account number (PAN) key-entry transactions exceeding ratio.
- Abnormal hours or seasons.
- Inactive merchants.
- Transactions with no approval code.
- Transactions that were declined.
- Inconsistent authorization and clearing data elements for the same transactions.