---
description: >-
  Protect your business from fraud and chargebacks. Understand the chargeback
  process, why anti-fraud matters, and best practices for secure payment operations.
---

# Mitigating Fraud & Managing Chargebacks

## Why This Matters

Every card transaction carries risk. When fraud slips through or a legitimate customer disputes a charge, the result is a **chargeback** — and chargebacks are one of the most expensive problems in payments. Understanding how they work, and how to prevent them, is essential for any business accepting card payments.

---

## What Is a Chargeback?

A chargeback is a **forced reversal** of a card transaction, initiated by the cardholder through their issuing bank. Unlike a refund (which you initiate voluntarily), a chargeback is imposed on you — the funds are pulled from your account, and you must prove the transaction was legitimate to get them back.

### How the Chargeback Process Works

```
1. Cardholder disputes a charge with their bank
       │
       ▼
2. Issuing bank reviews the claim and files a chargeback
       │
       ▼
3. Funds are immediately debited from your merchant account
   + a chargeback fee is applied (typically $15–$100 per case)
       │
       ▼
4. You receive notification and have a limited window
   to respond (usually 7–30 days depending on the network)
       │
       ▼
5. You submit evidence (representment):
   - Proof of delivery / service rendered
   - AVS/CVC verification results
   - 3DS authentication records
   - Customer communication logs
   - Signed agreements or terms
       │
       ▼
6. Card network reviews both sides and makes a ruling
       │
   ┌───┴───┐
   ▼       ▼
 You win  You lose
 (funds    (funds stay with
 returned) cardholder; you
           absorb the loss
           + the fee)
```

### Why Chargebacks Are So Damaging

Chargebacks hurt far more than a simple refund:

| Impact | Details |
|---|---|
| **Financial loss** | You lose the transaction amount + the chargeback fee + the cost of any goods/services already delivered |
| **Chargeback ratio** | Card networks track your chargeback rate (chargebacks ÷ total transactions). If it exceeds **1%**, you face penalties, higher processing fees, or account termination |
| **Operational cost** | Each dispute requires staff time to gather evidence, prepare documentation, and respond within tight deadlines |
| **Reputation** | High chargeback rates can result in being placed on industry monitoring programs (Visa VDMP, Mastercard ECM), making it harder to get processing in the future |

### Common Chargeback Reasons

| Category | Examples |
|---|---|
| **True fraud** | Stolen card used without cardholder's knowledge |
| **Friendly fraud** | Cardholder made the purchase but claims they didn't (buyer's remorse, family member used the card) |
| **Merchant error** | Wrong amount charged, duplicate charge, product not as described |
| **Processing issue** | Charge appeared after cancellation, refund not processed in time |
| **Unrecognized charge** | Cardholder doesn't recognize the merchant name on their statement |

---

## The Connection Between Anti-Fraud and Chargebacks

Every fraudulent transaction that slips through your defenses is a chargeback waiting to happen. The real cardholder **will** dispute it. And in most fraud-related chargebacks, you lose — because you authorized a transaction with a stolen card.

This is why anti-fraud isn't optional. It's directly tied to your bottom line:

- **Prevent fraud** → fewer chargebacks → lower fees → keep your merchant account
- **Ignore fraud** → chargeback ratio climbs → penalties → potential account termination

### The Pre-Authorization Advantage

This is where [pre-authorization](apis/payment/pulling-funds/cards/authorizing/) (`capture: false`) becomes your most powerful tool. When you pre-authorize instead of directly capturing:

1. **Authorize the card** — funds are held, not settled
2. **Review the results** — check AVS, CVC, 3DS outcome, and run your fraud analysis
3. **Decide:**
   - ✅ Everything looks good → [Capture](apis/payment/pulling-funds/cards/capture.md) the payment
   - ⚠️ Something is suspicious → [Void](apis/payment/pulling-funds/cards/void.md) immediately — funds are released instantly, no chargeback risk

If you had directly captured, you'd need to refund — and if the cardholder files a dispute before your refund processes, you get a chargeback anyway.

---

## Proactive Refunds: Your Best Defense

When something goes wrong in the **post-transactional flow** — order can't be fulfilled, product is out of stock, service was not delivered as expected — **refund the customer immediately**. Don't wait for them to call their bank.

**Why proactive refunds prevent chargebacks:**

| Scenario | Bad outcome | Good outcome |
|---|---|---|
| Order can't be shipped | Customer waits, gets frustrated, disputes with bank → chargeback | You refund immediately → no dispute |
| Product arrives damaged | Customer calls bank first → chargeback + you lose the product | You process a refund on contact → customer satisfied |
| Subscription cancelled but still charged | Customer disputes → chargeback + regulatory risk | You refund the erroneous charge → clean resolution |
| Duplicate charge | Customer sees two charges, panics, calls bank → two chargebacks | You detect the duplicate, void or refund proactively → zero friction |

> **Rule of thumb:** A refund costs you the transaction amount. A chargeback costs you the transaction amount + the fee + staff time + damage to your chargeback ratio. **A voluntary refund is always cheaper than a chargeback.**

### Refund Timing Matters

- If the payment is still in **AUTHORIZED** state (not yet captured): [**Void**](apis/payment/pulling-funds/cards/void.md) it. Instant. Clean. The cardholder sees the pending charge disappear.
- If the payment is **CAPTURED**: [**Refund**](apis/payment/pulling-funds/cards/refund.md) it. The refund takes 3–10 business days to appear on the cardholder's statement, so communicate with the customer.
- **Don't delay:** The longer a charge sits on a customer's statement without resolution, the more likely they are to file a dispute with their bank instead of contacting you.

---

## Anti-Fraud Best Practices

### 1. Use 3D Secure

[3DS authentication](apis/payment/pulling-funds/cards/authorizing/handling-3d-secure.md) verifies the cardholder's identity with their bank. In markets where liability shift applies, a fully authenticated 3DS transaction shifts chargeback liability to the issuing bank — meaning you're protected even if fraud occurs.

### 2. Review AVS and CVC Results

Every authorization response includes [AVS and CVC verification results](apis/payment/pulling-funds/cards/authorizing/handling-avs-cvc.md). Use them:

- **CVC = FAILED** → Strong fraud signal. Consider voiding even if the bank authorized.
- **AVS = FAILED** → Address mismatch. Combine with other signals before deciding.
- **Both APPROVED** → Lower risk, but not zero. Continue with other checks.
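
The review step of the pre-authorization flow, combined with the AVS/CVC rules above, can be expressed as a small decision function. This is an added example, not code from the API or its SDK; the `AuthResult` field names, the `REVIEW` outcome, the `high_value` threshold and the rule weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    # Field names are assumptions for this sketch, not the API's response schema.
    status: str          # "AUTHORIZED" after an authorization with capture: false
    cvc: str             # "APPROVED" or "FAILED"
    avs: str             # "APPROVED" or "FAILED"
    three_ds_ok: bool    # True when 3DS fully authenticated the cardholder
    card_country: str
    ip_country: str
    amount: float

def decide(auth: AuthResult, high_value: float = 500.0):
    """Return (action, reasons): CAPTURE, VOID, REVIEW, or NONE if nothing is held."""
    if auth.status != "AUTHORIZED":
        return "NONE", ["payment is not in AUTHORIZED state"]
    # A CVC failure is treated as decisive on its own (strong fraud signal).
    if auth.cvc == "FAILED":
        return "VOID", ["CVC failed"]
    # Weaker signals are only acted on in combination.
    signals = []
    if auth.avs == "FAILED":
        signals.append("AVS mismatch")
    if not auth.three_ds_ok:
        signals.append("no full 3DS authentication")
    if auth.card_country != auth.ip_country:
        signals.append("card country differs from IP country")
    if auth.amount >= high_value:
        signals.append("high-value order")
    if "AVS mismatch" in signals and len(signals) >= 2:
        return "VOID", signals      # address mismatch backed by another signal
    if len(signals) >= 2 or signals == ["AVS mismatch"]:
        return "REVIEW", signals    # keep the hold and route to a human
    return "CAPTURE", signals       # reasons are kept for the dispute record
```

Storing the returned reasons with the transaction gives you the verification evidence a later representment would need.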

### 3. Implement Velocity Controls

Set limits to detect abnormal patterns:

- Maximum transactions per card per hour/day
- Maximum total amount per card per day
- Maximum failed attempts before temporary block
- Unusual geographic patterns (card from one country, IP from another)
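
The four limits above can be enforced with sliding windows kept per card token. This is an added example, not code from the API; the class name, default thresholds and flag names are assumptions, and timestamps are passed in as seconds so the behaviour is easy to test.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400

class VelocityMonitor:
    """Sliding-window limits keyed by card token (never the PAN)."""

    def __init__(self, max_tx_per_hour=5, max_amount_per_day=1000.0,
                 max_failures=3, block_seconds=900):
        self.max_tx_per_hour = max_tx_per_hour
        self.max_amount_per_day = max_amount_per_day
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self._tx = defaultdict(deque)      # token -> (timestamp, amount), last 24 h
        self._fails = defaultdict(deque)   # token -> failure timestamps, last hour
        self._blocked_until = {}           # token -> timestamp the block ends

    def record_failure(self, token, ts):
        """Count a declined attempt; block the token once the limit is reached."""
        q = self._fails[token]
        q.append(ts)
        while q and q[0] <= ts - HOUR:
            q.popleft()
        if len(q) >= self.max_failures:
            self._blocked_until[token] = ts + self.block_seconds
            q.clear()

    def check(self, token, amount, ts, card_country=None, ip_country=None):
        """Return the violated rules; an empty list means allowed (and recorded)."""
        if self._blocked_until.get(token, 0) > ts:
            return ["temporarily_blocked"]
        q = self._tx[token]
        while q and q[0][0] <= ts - DAY:
            q.popleft()
        flags = []
        if sum(1 for t, _ in q if t > ts - HOUR) + 1 > self.max_tx_per_hour:
            flags.append("tx_per_hour")
        if sum(a for _, a in q) + amount > self.max_amount_per_day:
            flags.append("amount_per_day")
        if card_country and ip_country and card_country != ip_country:
            flags.append("geo_mismatch")
        if not flags:
            q.append((ts, amount))
        return flags
```

In a multi-server deployment the three dictionaries would live in a shared store so every instance sees the same counters.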

### 4. Secure Your API Keys

- Never expose `clientId` or `secretId` in frontend code, repositories, or logs
- Use the [Backend-for-Frontend (BFF) pattern](authentication-methods.md) — all API calls go through your server
- Rotate credentials if you suspect compromise

### 5. Never Store Cardholder Data

- Use [tokenization](apis/tokenizing-cards.md) for all card operations
- Never store PAN, CVV, or expiration dates on your systems
- Comply with PCI DSS requirements

### 6. Implement KYC

Verify customer identities before processing high-value transactions:

- Document verification (ID, passport, driver's license)
- Address verification
- Phone/email verification
- Transaction scoring based on risk factors

### 7. Monitor Transactions Continuously

- Set up [webhooks](apis/webhooks.md) to track payment status changes in real time
- Flag unusual patterns for manual review
- Track your chargeback ratio daily — intervene before it approaches 1%

### 8. Educate Your Customers

- Use a recognizable merchant name on card statements (reduces "unrecognized charge" disputes)
- Send clear order confirmations and receipts
- Make your refund policy easy to find and understand
- Provide accessible customer support — customers who can reach you won't call their bank first

### 9. Keep Records

Maintain detailed records for every transaction. If a chargeback does occur, you'll need:

- Transaction timestamps and amounts
- AVS/CVC/3DS verification results
- IP address and device information
- Proof of delivery or service rendered
- Customer communication history
- Signed terms and conditions

---

## Chargeback Response Checklist

When you receive a chargeback notification:

1. **Don't ignore it** — You have a limited response window (typically 7–30 days)
2. **Gather evidence** — Pull transaction details, verification results, delivery proof, and communication logs
3. **Assess honestly** — If the customer is right (merchant error, unfulfilled order), accept the chargeback. Fighting a legitimate dispute wastes resources and damages your standing.
4. **Submit representment** — If you have strong evidence the transaction was legitimate, submit it through the chargeback response process
5. **Learn from it** — Every chargeback is a signal. Was it fraud you should have caught? A process gap? A customer service failure? Fix the root cause.

---

## Summary

| Prevention Layer | Tools |
|---|---|
| **Before authorization** | KYC, velocity controls, device fingerprinting |
| **During authorization** | 3DS, AVS, CVC, pre-authorization |
| **After authorization** | Fraud review, void suspicious pre-auths |
| **After capture** | Proactive refunds, clear communication, fast support |
| **After dispute** | Evidence gathering, representment, root cause analysis |

> **The best chargeback is the one that never happens.** Invest in prevention, use pre-authorization to give yourself a review window, and refund proactively when things go wrong. Your chargeback ratio — and your merchant account — depend on it.
