EMV Readiness Checklist for Web Merchants

Tuesday, October 20, 2015

Many e-commerce merchants are still wondering how EMV will affect their online business. According to the European Central Bank, card-not-present (CNP) fraud accounted for 60 percent of the total value of card fraud in 2012, which has been steadily rising since 2008 after the implementation of EMV in Europe.*

While there is no single solution that will wipe out the possibility of fraud, there are a number of things merchants can do to fight this. To reduce the risk of fraud, from identity theft (e.g. stolen cards, account info, etc.) to the threat of a data breach, Heartland recommends using a layered fraud management approach. This ranges from ensuring your staff is trained to spot fraudulent orders to using an online solution that tokenizes cardholder data. The good news is that many of these items are simple to implement, come standard with some gateways (like Heartland’s) or are available at an affordable price point.

Create a Plan & Train Your Staff

The most critical step for web merchants interested in tightening up their security for a post-EMV launch is to create a plan detailing how to identify fraud and what is to be done in the event a fraudulent order is spotted. Keep your plan simple so that it is easy to follow. Here are some example points your plan might contain:

Manually review suspect orders with:

  1. Manually review suspect orders with:

    • Mismatched billing and shipping addresses. Use free tools like Google Earth to verify the customer’s shipping address.

    • Order amounts greater than your average order amount (e.g. $100).

    • Shipping addresses beyond your normal geographic reach. If you normally ship orders within 25 miles of your primary location, you may want to review orders being shipped beyond 25 miles.

    • Small ticket amounts (e.g. $25) with expedited shipping requests

  2. When a possibly fraudulent transaction is detected, report the order to the store owner

Your plan should also include some data security basics for staff to follow to reduce the risk of a breach:

Don’t surf the web on the same machine used to access your administration and payment processor.

  1. Don’t surf the web on the same machine used to access your administration and payment processor

  2. Always use complex passwords and update them on a regular basis

  3. Ensure that every machine on the network is properly equipped with up to date antivirus software

Create a plan that fits your business and present it to your staff a couple of times a year. This plan should be a living document: as you find new fraud attempts, add new instructions to the document.

Use this time to also ensure that your customer-facing policies (shipping and terms of service) match your internal policies and are kept up to date.

Tighten Up Your AVS & CVV Settings

While Address Verification on its own might not be the best method to detect fraud, it can still help as part of a layered fraud strategy. To get the best card-not-present interchange rates, you should at least be sending the bill to zip code. The issuing bank will send back the appropriate AVS and CVV response, but it is ultimately up to the merchant to decide when to fail a transaction. Keep in mind that a CVV mismatch response means the cardholder did not have possession of the card at the time of the purchase. These orders should always be viewed as suspect and manually reviewed.

There is a trade-off when it comes to address verification settings and fraud: strict settings might reduce overall fraud, but could also reduce legitimate orders. Relaxed settings might not reduce fraud, but will allow for legitimate orders to succeed.

These authors recommend failing mismatched billing zip and mismatched CVV orders every time.

Use Gateway-Provided Advanced Fraud

Most modern gateways offer some level of advanced fraud services already: take advantage of this immediately. This is a solution that provides additional transaction screening to spot potentially fraudulent activity that may not be picked up by AVS and CVV checks alone.

Heartland includes advanced fraud services for small businesses as part of our standard gateway offering. Leveraging a rules-based decisioning model, our screening solution reviews all transaction types for potentially fraudulent activity. Checks include excessive authorizations and failures with the same card, large retail and sale amounts, high risk international orders, among others.

For Heartland e-commerce merchants, it is highly recommended to enable this service as it will allow Heartland to perform more advanced checks against the merchant’s transactions to help identify possible fraudulent transactions and reduce total cost of payment acceptance. Not only is this easy to implement, but is also available at an affordable price point.

Tokenize All Credit Card Transactions

There are two types of tokenization: single-use and multi-use. Single-use tokens solve the problem of keeping the customer’s credit card off the merchant’s web server for the first transaction. Multi-use tokens solve the problem of keeping the customer’s credit card on file for a reduced-friction checkout.

Single-use tokenization has some major benefits to the customer and the merchant:

  1. Reduce the overall scope of PCI-DSS dramatically

  2. Increase security for the customer by keeping their credit card secure

  3. Increase security for the merchant by keeping their server card-free

Each of Heartland’s pre-built SecureSubmit solutions are single-use tokenized out of the box. Check out our developer portal to learn more.

Reduce Chargebacks

Chargebacks are a costly problem for e-commerce merchants. And with e-commerce fraud expected to rise as EMV is implemented in physical stores, so too will chargebacks.

Simple things, like ensuring your billing descriptor accurately describes your business on consumer credit card statements can help reduce chargebacks due to buyers not recognizing the purchase. Also, including a customer service number in the descriptor provides an easy way for customers to contact your business with any questions. Offering flexible shipping and return policies (and ensuring they’re clearly displayed on your site) can also help reduce friendly fraud.

For merchants seeking additional assistance mitigating chargebacks, Heartland has partnered with Verifi to provide merchants with access to their Cardholder Dispute Resolution Network™ (CDRN). CDRN has an extensive and growing network of card issuers, which helps provide merchants advance notice of impending chargebacks. This not only helps reduces fees related to chargebacks, but can also help prevent chargebacks from additional billings and stop losses from fulfillment of goods and services.


Every business is unique and this checklist is intended to be a starting point to get you started. Some things won’t fit and some things will fit like a glove: tweak the requirements to match your business needs. Most important, if you have questions, contact your Heartland representative or reach us at 1-844-814-4026 or Insidesales_ecomm@e-hps.com.

*European Central Bank, “Third Report On Card Fraud”, February 2014