August 19, 2016
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
Here is a real-life scenario that has confounded many merchants: An online gaming company began to experience a spike in declines. This caused unhappy and confused customers to call their issuing banks. They had more than enough credit to cover the purchases, so why couldn’t they complete the transactions? The banks told these customers this merchant was associated with fraud and the charges were declined for their protection. These customers wanted to pay, had funds to pay, but their bank was not letting them, frustrating both the customer and the merchant.
A look into the decline logs told the merchant several issuers were declining all its transactions—a perplexing state of affairs because its chargeback volume was minimal. The company finally, through one of the card brands, found the declines were based on something called a TC-40 report. The gaming company, like many merchants, had no inkling of the existence of TC-40 reports. So, what are they, why do they cause declines, where can merchants get theirs and how can they use them to increase authorizations and customer satisfaction?
So, first thing’s first. What are they? Every time a cardholder claims fraud, issuers file a TC-40 claim for that transaction. These claims are then reported to the card brands and out to all issuers and to the merchant’s acquirer in a report known as the Risk Identification Service (RIS) Report for Visa transactions and System to Avoid Fraud Effectively (SAFE) report for MasterCard transactions. These reports contain the raw data for each transaction including issuer BIN, region, currency code, fraud postdate, etc.
How are TC-40s different than chargebacks?
While both chargebacks and TC-40s track fraud, they are different in many ways. TC-40s are typically reported within days, if not hours, of the cardholder reporting fraud. It can take up to three months for a merchant to be notified of a chargeback. Also, chargebacks encompass a variety of reasons beyond fraud such as customer dissatisfaction and not receiving goods, while TC40s are only issued due to customers claiming fraud. Additionally, chargebacks have a direct financial impact on the merchant, resulting in a reversal of funds to the cardholder. That is not always the case with TC-40s.
Because it is a cost for issuers to process chargebacks (just like merchants), most have an internal policy that transactions under a certain amount will not be charged back, even though they have to cover the cost of the disputed transaction themselves. For instance, if an issuer has a policy not to issue chargebacks for transaction values under $30, merchants that have an average ticket value of $9.99 may never see a chargeback from a particular issuer. However, each cardholder report of fraud will result in a TC-40 and will be added to the merchant’s RIS or SAFE report. Most issuers use these reports to measure the risk of fraud at each merchant. Once the risk rating has risen above a certain threshold, they may no longer issue authorizations for that merchant. Low-dollar merchants are especially susceptible to declines based solely on this report.
Also, it is possible for a merchant to be fined by a card brand if the volume of TC40 claims exceeds a certain threshold. If a merchant exceeds the threshold for more than 10 months, they may not be able to accept a certain brand’s cards.
How do I know if TC40s are impacting my business?
In most cases, TC-40s impact declines for low-ticket transactions. If this pertains to your business, the easiest way to check if these are affecting your decline ratio is to investigate your decline log. Separate the declines by issuer to determine if any issuers are declining almost all transactions. You can also look at the decline reason codes, though most use “general decline” in these cases.
Another way to determine if this is an issue is to track customer calls. If you see a spike in customers saying their cards were declined but they don’t know why, this also may be a symptom of this issue. Lastly, you can contact your processor to see if they track TC-40 volume. If they don’t, they may be able to contact the card networks on your behalf to determine if this is impacting your business.
Where does a merchant find its TC-40 report?
While these reports are used primarily by issuers and card networks to assess the risk of a merchant, this data is also always passed on to the merchant’s acquirer and/or merchant processor, typically on a daily basis. Whether the merchant has access to this report is at the processor’s discretion and that discretion can be difficult to come by, but it is the first place a merchant should look.
Several merchants told CardNotPresent.com for this article that their processors do not provide this report. Some have cited the exceptionally large data files as a reason they can’t provide the report to merchants on a regular basis. One merchant said it received its TC-40 report for both major card brands once, but their processor said a system upgrade prevented them from ever providing it again. Some merchants told CardNotPresent.com that “smaller, more agile processors” may be more likely to provide this information upon request.
Visa Europe has provided the information from its networks to several merchants processing European cards on a European merchant account, for a small fee. Though it is unclear if MasterCard and Visa offer this service to U.S. merchants for U.S. issued cards directly. While TC-40 reports are for Visa and MasterCard transactions, Discover said it provides reporting similar to the RIS or SAFE reports merchants can access by contacting Discover’s Global Fraud Solutions department.
The third place to look for this report is with services that partner with issuers to offer “chargeback alerts.” Several merchants have reported that most, if not all, of the transactions listed on these daily reports come from TC-40 data. While you may end up refunding transactions that do not result in a chargeback, the benefit of acting upon this data quickly could be invaluable.
What should a merchant do with this data?
If you are able to access this data, the hard part may not be over. It is likely you will receive the raw reporting data from your processor and you may be confused by some of the descriptors it contains. Only worry about the ones you understand, remembering that several parties access this data and not every line item will pertain to a merchant. Chances are you will need to research each claim, matching it up with the account information in the merchant database. Additionally, these transactions should be marked as fraud and probably refunded (to avoid a chargeback).
The faster these transactions are marked as fraudulent in your system, the faster your business will be able to identify and prevent similar fraud. When a fraudster finds a way to get through without the transaction being canceled, they exploit the vulnerability as long as it is present, resulting in high volume of fraud. The difference between identifying this within days through the TC40 report and waiting up to three months to receive a chargeback could be millions of dollars. This also will result in fewer transactions being reported to the RIS and SAFE reports, which could mean more authorizations from cautious issuers.
We now return to our true-story online gaming merchant. Once it became aware of TC-40s and the RIS and SAFE reports, it no longer trusted only its chargeback report as a measure of how successful its fraud team was. The company worked with its processor and the card networks to gather as much information as possible to identify transactions and fraud trends it was missing as well as issuers that were declining its transactions.
It did attempt to contact some of those issuers to plead with them to authorize their transactions, though the most effective way the company found to increase its authorization rates was to be more proactive in its fraud efforts and to issue declines on transactions, even when they knew the amount would be under most issuer’s chargeback thresholds. Over time these changes resulted in less fraud, more revenue and better, more satisfied repeat customers.