Fraud to Sale Ratio
The fraud to sale (F2S) ratio is the ratio of transactions that were declared fraudulent by the issuing banks in relation to the merchant’s total sales for that month. This regulation is distinct from the chargeback ratio regulations. The issuer’s fraud-to-sale report does not necessarily contain chargebacks, but does contain transactions that have been detected and marked as fraudulent by their issuing banks.
In most cases, Nuvei receives these notifications after a long delay between the original transaction date and the date the cardholder was reported as fraudulent. For this reason, these transactions cannot be voided. When the authenticity of the transaction reported as fraudulent by the bank cannot be proven and the cardholder has not yet initiated a chargeback, Nuvei advises you to block the respective users from further deposits.
The credit card companies (Visa, Mastercard, and Amex) have several parameters by which they detect fraudulent or unauthorized activity with a card, such as:
- Card reported lost or stolen
- Card not received when mailed
- Card issued on the basis of a fraudulent application
- Issuer or acquirer reported counterfeit
- Fraudulent use of an account number
Visa, Mastercard, and Amex have created several programs to reduce high fraud-to-sale ratios.
The tables below describe the different fraud-to-sale programs provided by Visa, Mastercard, and Amex, including the thresholds that must be exceeded to be placed in a program.
Visa Program
The Visa Fraud Monitoring Program (VFMP) compares the amount of transactions reported as fraud in the current month to the amount of sales transactions processed in the same month.
Program Thresholds
Threshold | Fraud amount | Ratio |
---|---|---|
Early warning threshold | $50,000 | 0.65% |
Standard threshold | $75,000 | 0.9% |
Excessive threshold | $250,000 | 1.8% |
VFMP has several program timelines – ‘Early Warning’, ‘Standard’, ‘High Risk’, and ‘Excessive’.
The ‘Early Warning’ period applies when a merchant does not have a breach of the VFMP ‘Standard’ thresholds, but has exceeded the ‘Early Warning’ thresholds. The merchant has the opportunity to reduce the fraud levels before they are identified under VFMP. The notifications to merchants do not count towards the program timeline and do not carry any non-compliance assessments.
The ‘Standard’ program timeline applies when a merchant is assigned a non-High Risk Merchant Category Code (MCC) and meets or exceeds the ‘Standard’ fraud program thresholds.
A merchant is moved from the ‘Standard’ timeline to the ‘High Risk’ timeline if:
- It is categorized by a ‘High Risk’ MCC as defined in the Visa Rules.
- Visa determines that it causes harm to the goodwill of the Visa Payment System.
If at any point a ‘High Risk’ MCC merchant breaches the VFMP thresholds, they immediately enter the program and are not afforded a workout period.
The following table describes how the Visa High-Risk MCCs are applied:
MCC | Description |
---|---|
5962 | Direct Marketing – Travel-Related Arrangement Services |
5966 | Direct Marketing – Outbound Telemarketing Merchants |
5967 | Direct Marketing – Inbound Telemarketing Merchants |
7273 | Dating and Escort Services |
7995 | Betting, including lottery tickets, casino gaming chips, off-track betting, wagers at race tracks, and games of chance to win prizes of monetary value. |
5122 | Drugs, Drug Proprietaries, Druggist Sundries |
5912 | Drug Stores, Pharmacies |
5993 | Cigar Stores and Stands |
Upon Visa’s determination, the following MCCs may be considered as ‘High Risk’: | |
6051 | Non-Financial Institutions – Foreign Currency, Liquid and Cryptocurrency Assets (for example: Cryptocurrency, Money Orders [Not Money Transfer], Travelers Cheques, and Debt Repayment) |
4816 | Computer Network/Information Services |
5816 | Digital Goods Games |
The ‘Excessive’ program timeline applies when a merchant meets or exceeds the ‘Excessive’ fraud program thresholds. Once a merchant falls into the ‘Excessive’ timeline, it remains in the timeline until it fully remediates out of the program. The merchant is not moved to the ‘Standard’ timeline even if its performance drops below the monthly ‘Excessive’ fraud program thresholds.
Standard Program Timelines and Fines
Program Timelines
Program Month | Program Status | Actions |
---|---|---|
1 | Notification | Review the fraudulent transactions, define fraud prevention measures. |
2 to 4 | Workout Period | After entering the program, the merchant should provide a plan to reduce the fraud levels, which is submitted to Visa. |
5 to 12 | Enforcement Period | The merchant must continue to provide updates with information about the results of the implemented plan. The merchant may be liable for chargebacks related to fraudulent transactions submitted under dispute condition 10.5. The merchant could be closed for Visa processing. |
Fines
Month | Fee |
---|---|
1 to 4 | No fee |
5 to 6 | $25,000 |
7 to 9 | $50,000 |
10 to 12 | $75,000 |
High Risk and Excessive Program Timelines and Fines
Program Timelines
Program Month | Program Status | Actions |
---|---|---|
1 to 11 | Enforcement Period | The merchant should provide a plan to reduce the fraud levels. The merchant may be liable for chargebacks under dispute condition 10.5. |
12 | Enforcement Period | The merchant must continue to provide updates with information about the results of the implemented plan. The merchant may be liable for chargebacks under dispute condition 10.5. The merchant could be closed for Visa processing. |
Fines
Month | Fine |
---|---|
1 to 3 | $10,000 |
4 to 6 | $25,000 |
7 to 9 | $50,000 |
10 to 12 | $75,000 |
Exit Parameters
The merchant can exit VFMP once it is below at least one of the program fraud thresholds for three consecutive months. If the merchant is below the program threshold for fewer than the required three consecutive months, its program status continues to be counted from the previous identification month.
Mastercard Excessive Fraud Merchant Program
The goal of the Mastercard Excessive Fraud Merchant (EFM) Program is to reduce fraud on electronic commerce (e-commerce) transactions, create a more secure ecosystem, and provide a better experience for cardholders.
The EFM program measures compliance at the merchant ID (MID) level and sends notifications and potential financial assessments through the acquirer.
Merchants registered in the following countries are excluded from the EFM Program:
Aland Islands | Falkland Islands (Malvinas) | India | Mayotte | San Marino |
Albania | Faroe Islands | Kosovo | Moldova | Serbia |
Andorra | Finland | Latvia | Monaco | Slovakia |
Antarctica | France | Ireland | Montenegro | Slovenia |
Austria | French Guiana | Isle of Man | Netherlands (the) | South Georgia and the South Sandwich Islands |
Belgium | Gibraltar | Italy | Norway | Spain |
Bosnia and Herzegovina | Germany | Jersey | Poland | Svalbard and Jan Mayen |
Bulgaria | Greece | Liechtenstein | Portugal | Sweden |
Croatia | Greenland | Lithuania | Réunion | Switzerland |
Cyprus | Guadeloupe | Luxembourg | Romania | Ukraine |
Czech Republic | Guernsey | Macedonia | Saint Barthélemy | United Kingdom |
Denmark | Hungary | Malta | Saint Martin (French part) | Vatican City |
Estonia | Iceland | Martinique |
Program Thresholds
The EFM program monitors the total amount of fraud-related chargebacks occurring at a given e-commerce merchant, as well as the number of transactions authenticated through 3D-Secure.
Merchants are considered non-compliant when all of the following conditions are met in a given month:
- Total volume from chargebacks with fraud reason of 50,000 USD or above for the reported month
- Fraud chargeback ratio – 0.50% or above (0.20% for Australia)
- Number of monthly cleared transactions – 1,000 or above
- 3D Usage – Less than 10% for non-regulated countries OR less than 50% for regulated countries
Program | Min. Number of Transactions | Fraud Chargebacks | Fraud Count Ratio | 3D Utilization |
---|---|---|---|---|
EFM | 1,000 | 50,000 USD | 0.50% | Less than 10% non-regulated or less than 50% regulated |
The following lists identify the countries considered regulated or non-regulated.
Regulated Countries
- Bangladesh
- Malaysia
- Singapore
- Nigeria
Non-regulated Countries
All non-EU countries except for Bangladesh, Malaysia, Singapore, and Nigeria.
Fines
Mastercard applies assessments for appearing on the EFM program at increasing increments depending on how long a Merchant ID appears on the program.
Number of Months above EFM Thresholds | Violation Assessment |
---|---|
1 | 0 |
2 | EUR/USD 500 |
3 | EUR/USD 1,000 |
4 to 6 | EUR/USD 5,000 |
7 to 11 | EUR/USD 25,000 |
12 to 18 | EUR/USD 50,000 |
19+ | EUR/USD 100,000 |
Exit Parameters
The merchant exits the EFM program when it is below the program thresholds for three consecutive months.
Amex Fraud Program
Under the Amex Fraud Program, Merchants’ F2S performance thresholds fall into either a Low Tier or High Tier calculation. This calculation excludes Fraudulent Applications and SafeKey/3D Transaction Attempts.
The following table describes the two tiers within the Performance criteria:
Program Thresholds
Threshold | Fraud Amount | Ratio |
---|---|---|
Low Tier | $25,000 | 0.90% |
High Tier | $50,000 | 1.80% |
In the “Low Tier” period, merchants have the opportunity to reduce the fraud levels before being added to the High-Risk List. If the merchant does not remain below the program thresholds for three consecutive months, they are subject to Fraud Full Recourse Chargebacks and can no longer qualify for liability shift with SafeKey/3D.
If the merchant reaches the “High Tier”, they are subject to Fraud Full Recourse Chargebacks and can no longer qualify for liability shift with SafeKey/3D. The merchant remains on the High-Risk List until their F2S ratio falls below 0.9% or $25,000 for three (3) consecutive months.
While in this program, the merchant is subject to the following penalties:
Non-compliance | Fee |
---|---|
1st violation | $1,000 |
2nd violation | $5,000 |
3rd violation | $10,000 |
4th violation | $25,000 |
5th violation | The fee will be at the discretion of Amex. |
6th violation or more | Additional fees will be equal to all penalty fees levied for a 12-month period. The 12-month period begins upon the 1st violation. |
Visa and Mastercard Programs for Mitigation of Card Testing and Enumeration / BIN Attacks
An enumeration attack is a scheme in which criminals systematically submit card-not-present transactions with enumerated values such as card number, CVV, expiration date, and postal code to derive legitimate payment account details. The fraudsters use the authentication response to identify valid payment accounts.
Account testing occurs by initiating transactions of $1 to $2 to verify if an account is active in order to use it for fraudulent purchases or to sell it over the dark web. Typically, these attacks focus on a single Bank Identification Number (BIN) range and use the same name, email address, and/or billing address for multiple transactions.
Merchant account takeover – Fraudsters may also gain access to the payment system by obtaining a merchant’s login credentials, and subsequently taking over their payment gateway to conduct illicit transactions. These credentials can be obtained when a merchant falls victim to phishing schemes.
The following activities may indicate an enumeration attack or account testing:
- A high number of transaction attempts sent within a few hours or one day, possibly from one IP address, or for a specific BIN / account range.
- An increased number of rejected or timed-out authentication attempts that receive a challenge request.
Mastercard defines a third-party fraud attack as a BIN attack when the following conditions are met:
- At least 100 authorization requests or authentication requests are sent within one hour for the BIN or BIN Account range from one or more Merchants.
- The Issuer, its Service Provider, or Mastercard (using a network fraud detection tool) declined fifty percent (50%) or more of the authorization requests or authentication requests within one hour.
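The two Mastercard conditions above can be checked over an authorization log with a sliding one-hour window per BIN. The following is an added example, not Nuvei's or Mastercard's own tooling; it assumes each log entry has been reduced to a `(timestamp, BIN, approved)` tuple, treats "within one hour" as a sliding window, and uses constructed BINs and traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # "within one hour"
MIN_REQUESTS = 100            # at least 100 authorization/authentication requests
MIN_DECLINE_RATIO = 0.50      # 50% or more of them declined

def detect_bin_attacks(events):
    """events: (timestamp, bin, approved) tuples sorted by timestamp.
    Returns {bin: timestamp at which both conditions were first met}."""
    window = defaultdict(deque)    # bin -> (timestamp, approved) inside the last hour
    declined = defaultdict(int)    # bin -> declines currently inside the window
    flagged = {}
    for ts, bin_, approved in events:
        win = window[bin_]
        win.append((ts, approved))
        declined[bin_] += not approved
        # Slide the window: drop requests more than one hour older than this one.
        while ts - win[0][0] > WINDOW:
            _, old_approved = win.popleft()
            declined[bin_] -= not old_approved
        if (bin_ not in flagged and len(win) >= MIN_REQUESTS
                and declined[bin_] / len(win) >= MIN_DECLINE_RATIO):
            flagged[bin_] = ts
    return flagged

def sample_events(start):
    """Constructed sample traffic for three made-up BINs (not real data)."""
    ev = []
    # 555555: 120 attempts 20 s apart, only every 10th approved (burst of declines).
    ev += [(start + timedelta(seconds=20 * i), "555555", i % 10 == 9) for i in range(120)]
    # 400000: 150 attempts 30 s apart, 1 in 10 declined (busy but healthy).
    ev += [(start + timedelta(seconds=30 * i), "400000", i % 10 != 0) for i in range(150)]
    # 222222: 120 declines 60 s apart (never 100 inside a single hour).
    ev += [(start + timedelta(seconds=60 * i), "222222", False) for i in range(120)]
    return sorted(ev, key=lambda e: e[0])

START = datetime(2024, 1, 1, 12, 0, 0)
ALERTS = detect_bin_attacks(sample_events(START))

if __name__ == "__main__":
    for bin_, ts in ALERTS.items():
        print(f"BIN {bin_}: attack conditions met at {ts.isoformat()}")
```

Only the high-volume, mostly declined BIN is flagged; the healthy BIN fails the decline-ratio condition and the slow run of declines never reaches 100 requests inside one hour.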
Visa monitors for Card-Absent authorization attempts concentrating on a single BIN or multiple BINs while iterating through various combinations of payment values. These payment values generally include the Primary Account Number (PAN), expiration date, Card Verification Value 2 (CVV2), and postal code. Issuers decline the authorization attempts until the right combination of payment values returns an approval response. An approved authorization response (and often a subsequent sale) is an indicator to the fraudsters that they have obtained a combination of valid payment values. This scheme is also known as a brute force attack. Visa identifies situations where the Merchant or the acquirer meets or exceeds the monthly enumeration thresholds.
Enumeration Monitoring Program Thresholds
- Early Warning Timeline Thresholds
Enumeration Risk Operation Center (ROC) Block Count >= 1,000 and <= 5,000; AND Enumeration ROC Block Rate >= 10%
OR
Enumeration ROC Block Count >= 50,000; AND Enumeration ROC Block Rate >= 1% and <= 5%
* The ROC Block Rate is calculated by the number of ROC blocked transactions divided by the total card-absent transaction count.
- Standard Timeline Thresholds
Enumeration Risk Operation Center (ROC) Block Count >= 5,000; AND Enumeration ROC Block Rate >= 5%
- Excessive Timeline Thresholds
Enumeration ROC Block Count >= 50,000; AND Enumeration ROC Block Rate >= 10%
Flagging in this Visa program may incur additional per-authorization fees to the Merchant whose systems are not well protected and are attacked by the fraudsters.
In its fraud prevention systems, Nuvei has implemented internal controls to mitigate such attacks as much as possible.