How To Handle Credit Card Catastrophes: Fraud, Data Breaches, Poor Payment Processing

Tactics for dealing with three major issues: card fraud, data breaches, and coping with a bad card data processor.

Americans make recurring payments in several ways, but plastic tops the list. Scheduled payments (set it and forget it, so to speak) are easily tied to a credit card, which is then charged per arrangement at regular intervals.

When you look at exactly how subscribers pay for subscriptions, the dominance of credit becomes clear:

(Source: Vantiv Now Worldpay; Socratic Technologies, via Statista)

The exact percentage varies by product category. 62% of gift box subscribers say they turn to plastic for regular payments; that drops to 45% for clothing. But for all categories, more subscribers said they use credit cards than other payment methods.

Vantiv elaborates on this research: when you look at the totality of subscription payments, more than half (52%) are made by credit card.

Moreover, the volume of transactions made with credit cards is steadily increasing, from $1.2 trillion in 2000 to $2.1 trillion in 2010 to $3.3 trillion in 2016:

(Source: The Nilson Report; ProQuest via Statista)

With the clear importance of credit card transactions, what are the best ways for subscription companies to avoid the pitfalls and challenges that they also present? Let’s take a look at some of the biggest hurdles.

CATASTROPHE 1: Card Fraud

Here is a useful synopsis of the dangers fraud poses to subscription firms:

  • Fraudulent transaction costs are multifold for subscription-based businesses. Direct financial impact includes lost goods and services as well as hefty fees by gateways and merchant banks due to chargebacks. And, if abnormal or excessive chargebacks occur, merchants also face the risk of suspension or termination of gateway and merchant bank relationships. In addition, combating fraudulent transactions often requires large investment in personnel to conduct arduous manual reviews of potentially risky transactions.

At the Chargebee Blog, John Solomon raises some excellent points regarding the hidden danger of chargebacks. He says that around 0.01% of all transactions end in a chargeback, and 20% of all chargebacks are fraud. At a cost of up to $40 to fight a chargeback, the expense may not be worth it. There’s also the danger that a company that is itself perceived to be fraudulent may lose the ability to accept credit cards, which can happen if its chargeback rate is too high. That’s a real danger for subscription companies if users forget they subscribed and then dispute the charge, or if they simply decide to cancel their subscription with a chargeback.

Solomon also has some ideas on cutting back the most fraudulent abuses, including fighting users of stolen card data.

  • By requiring consumers to enter the CVC2 and CVV2 numbers from the back of their card, in addition to credit card number and expiration date, merchants have been able to reduce chargebacks by 26%. … Address verification systems can also significantly reduce the risk of fraud, because many thieves don’t know the address associated with the card.

Winning disputes with actual card holders is easier if you have prepared for the battle, according to Ballistic Merchant Services. Some of their tips:

  • Be clear about refund and return policies.
  • Respond to inquiry letters as soon as possible.
  • Let customers know what name will appear on statements.
  • Watch out for orders using free email addresses.

The flip side of fraud is reassuring subscribers that their data is secure. Customers are certainly alert to card fraud issues:

(Source: Vantiv Now Worldpay; Socratic Technologies, via Statista)

CATASTROPHE 2: Card Data Breach

The first facet of breach danger is preparing for, and responding to, potential breaches. It should be obvious, but just in case anyone out there thinks it is 1995: no, it is not good to throw a JavaScript form on your homebrew website to collect and email credit card data to your son’s AOL address so that he can fulfill orders. Just no. In fact, you should not be handling credit card data at all! It looks to your customers like you do, but all card data is sent from the customer’s browser directly to your credit card processor, which uses a tokenization process to handle that data securely.
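One way to enforce this arrangement on the merchant side, as an added example that is not from the original article: a server-side check that accepts a checkout request only when it carries a processor-issued token and no raw card data. The field names (paymentToken, cardNumber, cvv, expiry) and the tok_ token format are assumptions, not any real processor's API.

```javascript
// Added example (not from the article). Field names and the "tok_" token
// format are hypothetical; real processors define their own.

// Luhn checksum: true when a digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when text holds a 13-19 digit run (spaces/dashes allowed) passing Luhn.
function containsPan(text) {
  const runs = String(text).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((r) => luhnValid(r.replace(/[ -]/g, "")));
}

// Recursively collect the paths of payload fields holding card-like numbers.
function findCardData(value, path = "body", hits = []) {
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findCardData(v, `${path}.${k}`, hits);
  } else if (containsPan(value)) {
    hits.push(path);
  }
  return hits;
}

const FORBIDDEN_FIELDS = ["cardNumber", "cvv", "expiry"]; // hypothetical names

// Accept a checkout request only if it carries a token and no raw card data.
function validateCheckout(body) {
  if (body === null || typeof body !== "object") {
    return { ok: false, reason: "malformed request", fields: [] };
  }
  const named = FORBIDDEN_FIELDS.filter((f) => f in body).map((f) => `body.${f}`);
  const fields = [...new Set([...named, ...findCardData(body)])];
  if (fields.length > 0) {
    // Report field paths only, never values, so logs stay free of card data.
    return { ok: false, reason: "raw card data present", fields };
  }
  const token = body.paymentToken;
  if (typeof token !== "string" || !/^tok_[A-Za-z0-9]{8,}$/.test(token)) {
    return { ok: false, reason: "missing or malformed token", fields: [] };
  }
  return { ok: true, token };
}
```

The check also catches a card number typed into a free-text field, which is a common way card data ends up in a merchant's database and logs despite a tokenized checkout form.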

On your end, you need to ensure that your site is secured via SSL (today, its successor TLS, served over HTTPS); the little padlock icon in the browser’s address bar tells you if a site is protected with this technology. You also need to follow PCI DSS, the Payment Card Industry Data Security Standard. Failing to meet these minimal standards can get you in trouble. At Sysnet, Jeremy Lacy details those consequences:

  1. Lost Sales. Skittish customers often look for other solutions when they think their data is at risk.
  2. Damaged Reputation. Once your customers do not trust you, the damage is very hard to repair.
  3. Compensation Costs. You may need to offer customers free credit monitoring and/or identity theft insurance.
  4. Legal Action. You face steep court costs even if you are sued and win. And if the breach was your fault, a loss could be a true catastrophe.
  5. Fines. While you do not have to reimburse anyone when thieves use data they steal from you, you will likely get fined.
  6. Government Audits. In the U.S., the FTC may audit you and even fine your business if they find that guidelines such as PCI DSS were not followed.
  7. Remediation Costs. The price tag to investigate, fire, hire, and fix problems can be high.

At Air Worldwide, Adam Reichert puts it in stark perspective:

  • It takes time for stolen cards to make their way through black markets and be charged, and the full amount that a merchant is liable for can take years to determine. A large credit card data breach can put an ill-prepared company out of business. Many companies have some form of crime insurance to protect themselves from such losses.

The second facet of card data security is reassuring customers that their data is safe, both before and after a breach incident. The implication is that a successful subscription business has to make customers feel secure. For Crystal Gilliam at the TradeGecko blog, that starts with the company website. Make your website as secure as possible, and bring your website up to PCI standards, she says.

Aarthi Rayapura at Zuora says that providing a solid checkout experience is important when a customer is getting out the credit card and typing in numbers.

  • Many companies focus on marketing their service or product online but neglect their payment pages. They fail to realise how crucial this customer touchpoint really is. If a customer has reached your payment page, it usually means they are interested in signing up. It’s best to ensure a quick and seamless payment process to seal the deal.

Some basics to keep in mind:

  • Keep it short: Ask only for the essential information. You will have other opportunities later to gather more detailed profile information.
  • Automate: As much as possible, auto-fill fields such as card type, zip code, etc. The less work your customers have to do, the quicker the sign-up.
  • Validation and Errors: Identifying errors with inline validation before a form is submitted makes it faster for your subscribers to correct them. If a user hits ‘Submit’ and then has to fill the form all over again due to an error or two, the chances of customer abandonment increase.
  • Design for all screens: Online sign-ups are not limited to computers anymore. Make sure your design is friendly with screens of all sizes including mobile phones and tablets.
  • Localize: One of the most basic ways to achieve a higher conversion rate is to ensure your checkout speaks the same language as your customers. Extremely important for international customers, you should localize your payment pages for different regions.

Writing for Forbes, Matthew Lieberman says that customers need more than apologies and transparency after a hack takes place. Companies need to compensate victims, improve systems, and offer credit monitoring.

  • Trust is key, and offering the best possible customer experience is critical during the time following a security breach. Companies must also understand and address these concerns prior to any attacks and on an ongoing basis. They can do so by putting cybersecurity and privacy at the forefront of their business strategy and backing it with proven security tactics, implementing robust data governance and customer control over data, going beyond existing regulations to make customers more comfortable, being more transparent when using new or emerging technologies and focusing on continually earning consumer trust.

CATASTROPHE 3: Payment Processors

With the right processor, handling card transactions is easy and simple; with the wrong one, life becomes a nightmare. Here are some tips to help pick the best one and cope with a shady one.

Be alert for signs that a provider offers poor service or outright rips off customers. According to Christina Lavingia at the PayJunction blog, complex bills and clunky websites are danger signs.

  • The main reason providers successfully get away with unfair billing practices is the intentional complexity of merchant statements. It’s just too easy for providers to bury a markup or add a fee without a clear description. As a business owner, you’re busy and want to trust your provider, which incentivizes you not to question each and every fee on your statement in detail. Additionally, some businesses just possess terrible software. Quality is simply lacking, which creates more tension and lost time.

Alex Neir at MaxxMerchants has more danger signs that a processor may be a shady operator. Are low prices hiding unstated fees? Can the contract term be negotiated, or are you locked in to a long term? Is there a merchant account that is right for your business? Neir offers some intense advice on specific fees:

  • Watch out for termination fees; they can be a sign that a company is not invested in helping the business grow, and would rather see a customer terminate his/her agreement early so that it can collect the pricey termination cost. Also keep an eye out for reprogramming fees, as although a company may try to convince your business that it must lease or buy equipment in order to avoid having to re-configure the devices, this typically is not the case; in general, the virtual terminal used for Internet credit card processing is easy to set up or reconfigure.

Say you realize you made a mistake, and you need a new company to process card transactions for you. Unfriendly processors can also sabotage your business by refusing to move your customers’ card data to a new provider when you want to switch. If your new processor does not have all the old data, you will have to go to each customer and request the data again. That’s a situation almost guaranteed to lose you some customers. A different post from John Solomon at Chargebee addresses this issue:

  • Before you sign up with a payment gateway, you need to know whether it supports credit card data portability. With no regulations in the payment credit card industry with regards to data portability, merchant account providers have been operating on their own terms and leaving merchants at the mercy of their terms and conditions. This is very problematic since it locks merchants from changing providers lest they lose all their customers’ credit card numbers.

The solution to these kinds of issues, according to the Tandem blog, is due diligence piled upon due diligence.

  • The terms and conditions from a credit card processor can be bulky and confusing, but if you skim over their contents, you’ll regret it later. Take your time and read carefully so you don’t miss any red flags. If you find something suspicious, ask your potential processor about it and make sure the problem is resolved before signing a contract. … You don’t have to sign with the first eCommerce processor you find. Instead, shop around. Read reviews. Talk to processors personally. Wait until you find one who’s transparent, affordable and responsive, and you won’t have anything to regret down the road.

Insider Take

Credit cards make commerce possible, but they come with challenges. The cards themselves expire or fail; users, both criminal and merely contrary, derail the process; and shady or incompetent processors throw sand in the gears of your business. Fortunately, all three problems can be minimized with the right preparation.
