Best Practices for Instant Pull Payments

Product guidelines for accepting payments.

An Account Funding Transaction (AFT) to an account easily converted to cash (ATM withdrawal, Western Union money order, P2P transfer) presents unique risks because:

  1. This process can be exploited to convert stolen cards to cash in minutes.
  2. It can be difficult to demonstrate that the actual cardholder authorized and participated in the account funding transaction.

Risk Management - General Considerations

Before setting up an Account Funding origination or Pull program, TabaPay Clients should carry out a comprehensive risk assessment covering their business policies and practices, fraud prevention and detection techniques, anti-money laundering program, and other risk controls.

In addition to the recommended fraud prevention tools, TabaPay Clients should ensure adequate practices are in place to minimize fraud losses and excessive customer service inquiries.

TabaPay Clients must comply with the network rules, local regulations, applicable sanctions, and “Know Your Customer” (KYC), anti-money laundering, and anti-terrorist financing laws.

Identifying Suspicious Activity

Merchants should be able to identify indicators of suspicious activity that may point to potential fraud; this includes but is not limited to:

  • Large volumes of AFTs
  • Significant activity on an account reactivated from inactive or dormant status
  • Increasing volume of AFTs or significant fluctuations in type or volume of AFTs that are inconsistent with patterns identified in a customer’s profile
  • Change in account credentials followed by out-of-pattern AFT activity


AFT with Debit or Credit Card?

Account Funding Transactions (AFTs) work regardless of the card type, debit or credit, and all card types will be supported. If you want to start accepting credit as well (say, as a fallback mechanism), there are a few things you need to be aware of:

  • Most credit card issuers treat an AFT as quasi-cash, and the cardholder may incur Cash Advance fees.
  • Cash Advance fees, when applied, could be a flat fee or a percentage.
  • To cover the above fees as well as to avoid chargebacks, you may want to present appropriate messaging to your consumers before they place the transaction.

In addition, the standard credit card acceptance fee will apply.

Risk Management

To monitor transaction activity and manage risk and fraud, Merchants should implement manual or automated anomaly detection mechanisms that focus on individual account holder or peer group behavior by establishing a model of expected behavior for each account holder:

  • Analyze activity patterns of AFTs; e.g., frequency, amount, and count of AFTs.
  • Recognize significant activity on an account reactivated from inactive or dormant status.
  • Identify increasing volume of AFTs or significant fluctuations in type or volume of AFTs that are inconsistent with patterns identified in a customer’s profile.
  • Detect changes in account credentials followed by out-of-pattern AFT activity.
  • Establish thresholds for new or dormant accounts to monitor for large or multiple AFTs.
  • Consider segregating new accounts from existing accounts and incorporating tighter controls for new accounts.
  • Establish multi-factor authentication before account credentials can be changed or new beneficiaries are established.
  • Establish enhanced controls over changes to account profiles initiated online or via customer service representatives.
  • Monitor accounts that may have historical suspicious activity with enhanced due diligence.
  • If third party vendors and technology solutions are engaged to monitor accounts for suspicious activity, dedicate internal resources to monitor vendor performance and develop risk assessment standards for vendor engagement, such as incorporating independent code reviews and Payment Application Data Security Standard.
  • Ensure that technology solutions are updated with latest patches.
  • Establish distinct first, second and third lines of defense as customary with standard risk management practices to monitor and test design and operating effectiveness of policies, procedures and monitoring mechanisms.
  • Consider factoring key differentiators to monitor for suspicious activity and establish transaction limits based on parameters such as:
    • Geographies from and to which transactions are sent
    • Customer base
    • Risk appetite
  • Use common cardholder and payment authentication and validation processes in approvals of AFTs.
  • Post Transaction Processing:
    • Track chargebacks, reversals and declines to identify patterns.
    • Suspend or terminate accounts when fraud is detected.
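
The per-account checks listed above (new or dormant account thresholds, credential change followed by out-of-pattern activity, amount and count baselines) can be expressed as a small rule engine. This is an added example, not TabaPay code; every threshold, field name and rule name in it is an assumption chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Illustrative thresholds (assumptions, not TabaPay or card-network values).
NEW_ACCOUNT_AGE = timedelta(days=30)
DORMANT_AFTER = timedelta(days=90)
CRED_CHANGE_WINDOW = timedelta(hours=48)
RESTRICTED_LIMIT = 200.00  # single-AFT cap for new or reactivated accounts
MAX_AFTS_PER_DAY = 3
Z_LIMIT = 3.0              # std devs above the account's own mean amount

def flag_aft(account, history, aft):
    """Return the rules one AFT trips. history: prior (time, amount), oldest first."""
    ts, amount = aft
    flags = []
    amounts = [a for _, a in history]
    out_of_pattern = False
    if len(amounts) >= 5:  # need a baseline before judging "expected behavior"
        mu, sigma = mean(amounts), pstdev(amounts)
        out_of_pattern = amount > mu + Z_LIMIT * max(sigma, 0.1 * mu)
    is_new = ts - account["opened"] < NEW_ACCOUNT_AGE
    is_dormant = bool(history) and ts - history[-1][0] > DORMANT_AFTER
    if (is_new or is_dormant) and amount > RESTRICTED_LIMIT:
        flags.append("new_account_limit" if is_new else "dormant_reactivation")
    changed = account.get("credentials_changed")
    if changed and timedelta(0) <= ts - changed <= CRED_CHANGE_WINDOW and out_of_pattern:
        flags.append("credential_change_then_out_of_pattern")
    elif out_of_pattern:
        flags.append("out_of_pattern_amount")
    recent = [t for t, _ in history if ts - t < timedelta(days=1)]
    if len(recent) + 1 > MAX_AFTS_PER_DAY:
        flags.append("daily_count_exceeded")
    return flags

# Constructed sample data: an established account with steady ~$50 AFTs.
T0 = datetime(2024, 1, 1)
ESTABLISHED = {"opened": T0 - timedelta(days=400), "credentials_changed": None}
STEADY = [(T0 + timedelta(days=7 * i), 50.0 + i) for i in range(8)]

def demo():
    normal = flag_aft(ESTABLISHED, STEADY, (T0 + timedelta(days=56), 55.0))
    taken_over = dict(ESTABLISHED, credentials_changed=T0 + timedelta(days=57))
    after_change = flag_aft(taken_over, STEADY, (T0 + timedelta(days=57, hours=3), 900.0))
    dormant = flag_aft(ESTABLISHED, STEADY, (T0 + timedelta(days=300), 450.0))
    return normal, after_change, dormant

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Flags returned here are inputs to review or step-up authentication; pairing them with chargeback, reversal and decline tracking gives the feedback needed to tune the thresholds.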

TabaPay requires that all AFT programs implement and complete technical certification to use AVS and Duplicate Card Check (both enabled by TabaPay).

Third-party services (identity verification, bank account verification, and fraud scoring):

  • Ekata
  • Idology
  • Plaid
  • Socure
  • Yodlee

TabaPay Payment Features

Payment Feature: Merchant Initiated Transaction Framework
Benefit: Merchant Initiated Transactions (MIT) is an optional service for you to charge your customer’s card without their active participation. A transaction is first made with the cardholder actively present, or a cardholder payment agreement is made for future payments. MIT allows you to store a payment credential-on-file and use it for subscriptions or ongoing payments.
Recommendation: Required for recurring transactions using an Original transaction (per MIT framework)

Payment Feature: Partial Authorization Service
Benefit: While prepaid and debit cards are used for instant pull payments, what happens if they do not have enough funds to cover the full transaction amount? TabaPay’s Partial Authorization Service provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. Participating issuers return a response with an approval for a portion of the original amount requested, enabling the remainder of the transaction amount to be paid by other means using split-tender functionality.

You can increase sales and decrease declines by enabling customers to use all available prepaid or debit card funds, supplementing with an alternate payment method for a seamless purchase experience, ensuring satisfaction even with an uncertain remaining balance.
Recommendation: Highly Recommended for Pull Activity

Payment Feature: 3D Secure
Benefit: Three-Domain Secure or 3DS is a messaging protocol merchants use to authenticate their customers’ card information when processing card-not-present (CNP) e-commerce or mobile purchases and payments. By enhancing authentication, 3DS helps prevent fraud and provides an additional layer of security for CNP credit card and debit card transactions. This service is provided by all four major card networks.
Recommendation: Highly Recommended

Payment Feature: Account Name Inquiry
Benefit: To help address growth in account takeover fraud and authorized push payment scams, market demand, and increasing concern from governments and regulators, card networks have introduced Account Name Inquiry (ANI) functionality. It enables an account cardholder’s name to be checked against the name held by their issuing bank.
Recommendation: Highly Recommended, but also dependent on your use case

Payment Feature: Address Verification
Benefit: Address Verification Service (AVS) is a fraud prevention mechanism that reduces fraud and chargebacks. The service verifies if the card issuer recognizes the address provided by a cardholder. The results of the verification will help you determine whether to accept or decline a particular transaction or take further action. AVS is effective at reducing both fraud and chargebacks.
Recommendation: Highly Recommended, but also dependent on your use case

Payment Feature: CVV2 Verification
Benefit: CVV Verification is a tool that helps verify if the cardholder has possession of the physical card. While it is not effective against lost or stolen card fraud, it is an additional check beneficial in e-commerce channels since the card security code is only printed on a physical card and is not available anywhere else.
Recommendation: Highly Recommended, but also dependent on your use case

Payment Feature: Apple Pay and Google Pay Tokens
Recommendation: Up to the client-

Payment Feature: Duplicate Account Check
Benefit: When using TabaPay's Account API to create or update a TabaPay account, TabaPay allows you to check if a card is already associated with another account. This is called duplicate card check. If we detect that you are trying to create a duplicate account (same card), then we return a 409 response and give you the account_id associated with said card.
Recommendation: Highly Recommended, but also dependent on your use case

Payment Feature: TabaPay Account Updater
Benefit: TabaPay Account Updater (TAU) is a service that enables TabaPay clients who store cards on file with TabaPay to get them updated with the card networks to ensure they reflect the information available at the card issuer. This in turn addresses our clients' need to run recurring payments and MIT on the cards on file without requiring their customers to update them when the payment credential at the issuer has been updated. TAU significantly reduces customer friction, and meets the need to collect an updated card expiry date or payment credential since TabaPay automatically updates cards you store on file with us.
Recommendation: Highly Recommended at the Client level based on your business needs

Payment Feature: TabaPay Tokens
Benefit: TabaPay stores and manages payment cards and bank accounts securely for you. We call this TabaPay Tokens (aka TabaPay Vault).

This capability allows you to be an efficient fintech while letting us manage the burden of PCI-DSS compliance for you. TabaPay takes on the complexities of storing these payment instruments safely and securely, while you focus on your core value proposition!

For every payment card or bank account, TabaPay validates the incoming payment instrument and stores it as an Account ID. This Account ID is what is provided back to you, so you do not have to manage the 16-digit payment card number or bank account. You will be able to utilize the Account ID within our Unified API (Create Transaction API) to Push and Pull.
Recommendation: Highly Recommended at the Client level based on your business needs

Essential Reading

  • TabaPay Shield
  • Network Mandates
  • Transaction Integrity - Network Monitoring


