I'd like to set up credit card payments, for a website where chargebacks, especially "friendly" chargebacks, are a large issue (where their customers lie and later claim to not have made the payment, when they really did).
I'm wondering what information exactly I should be collecting from the end user, that will actually be helpful in fighting these chargebacks. I want to collect everything that could actually be useful, but at the same time, make the checkout as painless as possible for legitimate customers.
I have 3D Secure set up. Beyond simply passing in the CAVV/XID/ECI values to my acquirer, should I be logging any of the data from 3D Secure? What will my acquirer want from me in order to keep the liability shift?
Does 3D Secure work for recurring transactions? For following transactions, I would no longer have access to a CAVV/XID/ECI. Would simply marking my parent transaction as "recurring" be enough to also give me the liability shift for this?
Of the cardholder name, their CVV code, their street address, their postal code, IP address, browser headers, etc., which of this information should I actually ask for?
To the best of my knowledge, the CVV and Address Verification are more to give the merchant assurance that the card is not stolen, but they cannot actually be used to fight a dispute. Claiming on a chargeback that "AVS returned a positive value" doesn't help win it; most fraud artists have access to that information anyways. Knowing that the majority of my transactions are actually authorized, but simply that the user "claims" they aren't, I don't need that assurance. I only need actually useful information that can be submitted and used to fight these chargebacks.
It's the PARes (Payment Authentication Response) that you should be retaining after an authenticated 3DSecure transaction. This should be stored for up to 6 months (the same length of time allowed for chargeback requests) and can be used to dispute a chargeback, most often successfully.
3DSecure is the only technology that currently allows liability shift for card-not-present transactions. It won't protect you 100% for all transactions, of course. Any transaction where the cardholder doesn't use 3DSecure, for example, won't be covered.
CV2/AVS checking is useful only to the merchant, and does not offer liability shift.
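
One way to retain the PARes as the answer above recommends, shown as an added example that is not part of the original answer: the raw value is stored verbatim against the order with a digest and an expiry, so it can be produced unchanged for a dispute and purged afterwards. The table layout, function names and the 183-day window standing in for "6 months" are assumptions, and the PARes value is a constructed placeholder.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: the answer's "6 months" is approximated as 183 days.
RETENTION = timedelta(days=183)
# Constructed placeholder, not a real PARes.
SAMPLE_PARES = "CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_PARES"

def open_store(path=":memory:"):
    """Create the evidence table (hypothetical layout)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS pares_evidence ("
        "order_id TEXT PRIMARY KEY, pares TEXT NOT NULL, sha256 TEXT NOT NULL, "
        "authenticated_at INTEGER NOT NULL, purge_after INTEGER NOT NULL)")
    return conn

def _digest(pares):
    return hashlib.sha256(pares.encode("ascii")).hexdigest()

def store_pares(conn, order_id, pares, authenticated_at):
    """Keep the PARes verbatim, keyed to the order, with a digest and expiry."""
    expiry = authenticated_at + RETENTION
    conn.execute("INSERT INTO pares_evidence VALUES (?, ?, ?, ?, ?)",
                 (order_id, pares, _digest(pares),
                  int(authenticated_at.timestamp()), int(expiry.timestamp())))
    conn.commit()
    return _digest(pares)

def fetch_for_dispute(conn, order_id):
    """Return the stored evidence, refusing rows that no longer match their digest."""
    row = conn.execute("SELECT pares, sha256, authenticated_at FROM pares_evidence "
                       "WHERE order_id = ?", (order_id,)).fetchone()
    if row is None:
        return None
    pares, digest, ts = row
    if _digest(pares) != digest:
        raise ValueError(f"stored PARes for {order_id} was modified")
    when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {"order_id": order_id, "pares": pares, "sha256": digest, "authenticated_at": when}

def purge_expired(conn, now):
    """Delete evidence whose retention window has passed; return rows removed."""
    cur = conn.execute("DELETE FROM pares_evidence WHERE purge_after < ?",
                       (int(now.timestamp()),))
    conn.commit()
    return cur.rowcount
```

Run `purge_expired` on a schedule with the current UTC time; `fetch_for_dispute` returns `None` once the window has passed.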