The Green Sheet Online Edition
January 22, 2018 • Issue 18:01:02
Time to change force-post rules
The thought of force posts takes me back to my issuing-bank days. Paper warning bulletins were sent weekly to all merchants. If merchants wanted to accept transactions above a specific dollar amount (called the "floor" amount), they had to either electronically authorize or manually check the warning bulletin to ensure the cards being used were not listed; otherwise they would be subject to chargebacks.
Today with electronic authorizations, the floor limit for nearly all merchants is zero, and every transaction is electronically authorized. So I thought it appropriate that Visa is set to change this practice. In the Dec. 14, 2017, issue of Visa Business News, Visa outlines its requirements to minimize merchant access to force-post functionality in an article titled "Acquirer Requirements to Control the Use of Force-Post Transactions."
Most merchants never need to force post an authorization with a sale. Force posts allow merchants to manually enter a previously obtained authorization and then force route the transaction through clearing and settlement. At the time the authorization is posted or forced with the sale, it is not validated. This means that whatever code is entered is accepted, and funds are debited to the issuer and credited to the acquirer.
The system forces the original authorization and capture, and that information is submitted into interchange, regardless of whether it was authorized. Later, if that transaction is disputed, and if the authorization is not valid, the issuer may initiate a chargeback, and the merchant will not have recourse.
Fraudsters can exploit force posts
Through the years, as merchants have migrated to electronic authorizations and shortened delivery time, the need to force post transactions has radically diminished, yet acquirers still set up all merchants with that functionality. Most merchants do not even realize what a force post is, and fraudsters have leveraged that fact. Specifically, they have used the force-post process to perpetrate fraud through the following schemes:
- Gain control of a merchant account and then force post transactions. If the transactions are not noticed, the funds can be accessed from the connected deposit account. This can be from a fraudulently obtained merchant account or one involving a cooperating merchant.
- Deceive merchants by presenting a forged bank letter that authorizes "offline" (force-posted) transactions to pay for large sales orders or by convincing the merchant the fraudsters have an authorization code that must be entered into the system. Some merchants do not question the letter's authenticity and release the goods, as they see the transaction in their terminal.
- Process extremely large force-post transactions with offsetting credits from different card numbers. The batch totals are not out of balance, but the force posts disguise the credits from detection. These schemes are sometimes done over a holiday weekend and from foreign cardholder accounts. Consequently, obtaining verification from the cardholder is impractical and the risk staff might be less attentive.
Most risk officers are well aware of these tactics and effectively thwart them. Unfortunately, as basic and old school as these methods seem, they still work. Remember, for a fraud scheme to be effective, it just has to work once. Additionally, regardless of whether the funds are held back from the merchant, they still pass through interchange.
Visa moves to limit vulnerability
Consequently, Visa decided to enforce a rule change to further limit the exploitation of this vulnerability. Effective Jan. 26, 2019, acquirers must grant force-post functionality as an exception and only if warranted by a given merchant's practices. All existing merchants not specifically approved to process force-post transactions must be systematically restricted from doing so. While the details have not yet been worked through, I suspect this will necessitate a full or partial reprogramming of terminals and an update from POS providers and gateways.
I do not foresee processors updating their systems, because some merchants will still require this service, so it cannot be systematically turned down at the processor. Some merchants legitimately need to obtain an authorization prior to the sale so that they can later pair or "force" the authorization and sale.
Think about a mail order merchant who is obtaining a custom part on behalf of a cardholder. Before the merchant hunts down and buys the custom part, he or she wants to ensure the cardholder has the funds available to buy. In that instance, the merchant would be wise to authorize the transaction and, upon shipping the part, pair the authorization and sale.
Going forward, acquirers will need to specifically review and approve merchants to have force-post capabilities. Additionally, they must document the merchant's need and monitor force-post activity to ensure it is not being abused.
I suspect this subset of merchants will be required to acknowledge some additional liabilities in order to have this capability turned on. And all of us will have to again reprogram or update our base of merchants. I encourage you to review Visa's "Acquirer Requirements to Control the Use of Force-Post Transactions" directly. If you do not have the document, which was not distributed publicly, ask your acquirer for a copy.
Ken Musante is President of Eureka Payments LLC. Contact him by phone at 707-476-0573 or by email at email@example.com. For more information, visit www.eurekapayments.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.