Sunday, July 29, 2007

VISA e-Commerce Guide to Risk Management: Travel Agencies

Tools and Best Practices for Building a Secure Internet Business

Ok, I got lazy today. Not an impressive way to start the week, but I got good reasons to be. Out from the treasure trove of high risk merchant account providers I spotted a copy of VISA's e-Commerce Guide to Risk Management. What a blessing for all of us, although the guide could have practically been buried in the box for eons. And even if it was, most high risk merchants have unfaithfully forgotten VISA's attempt to enlighten them when it comes to doing business online anyways.

It's just that the playing field is never the same as doing it with a brick store. Otherwise, VISA wouldn't bother.

For this time I'd focused on Travel Agencies, as being a traveler I've always been concerned about airline ticket and travel planning frauds. Read the guide, get wise, and outdo the scammers!


Recognize your potential sales agent liability. Understanding your risk exposure can help you take appropriate steps to minimize it, and protect your agency from losses associated with customer disputes and fraud.

As a sales agent of an airline, for example, your agency may be liable for the entire amount of an airline ticket if it is disputed by the customer or purchased with a stolen account number. To mitigate risk, you need to establish e-commerce policies and procedures that address the following factors:

1. An approved authorization request indicates that the account is in good standing. However, the response is not proof that the legitimate card holder is making the purchase, nor is it a guarantee of payment. In most cases, therefore, airlines are liable for fraudulent card not present transactions even when they were approved by the Issuer.

2. Even if a travel agency is not a Visa merchant subject to Visa regulations, the airline partner is. In most fraud-related cases, the airline transfers financial liability to the travel agency partner as part of the contractual agreement.


1. Require website membership to book airline tickets and other travel series such a hotel accommodations and car rentals. By requiring customers to become members of your website service, you can collect additional customer data that can help you assess risk. When establishing member profiles:

  • -Verify the customer data that you collect before you store it.

  • -Ensure that strong security measures such as secured data storage and limited employee access are in place to protect sensitive customer data.

2. Capture and retain Internet protocol addresses. It is important to know the IP addresses if the ISPs from which your customers make purchases. With a database of these addresses, you can develop fraud-screening tools based on transaction characteristics.

3. Display a website notice that the customer's billing addresses will be verified. If you access Address Verification Service (AVS) offline, you may encounter address verification failures long after your customer has completed booking. By letting customers know that the billing address will be verified, you can prepare them to understand potential address inquiries later. This website notice should clearly state that airline tickets cannot be issued until the customer's billing address has been verified by the Issuer.

4. Require a waiting period of at least four to six hours between ticket purchase and flight time. Tickets purchase just before a flight may indicate fraud risk. To protect your company from potential losses, you need adequate time to verify the validity of the customer and payment card before travel begins.




More of VISA's e-commerce protocol will come in the future articles. Just be reminded that for every high risk merchant account service you render to your customers, there's always a great percentage that your customers may be hackers or spammers. It pays to destroy their modus operandi.

No comments: