Nicholas Boling

Vice President, Information Technology & Security, Tessitura Network

It's not always bots

3/15/2023

Chargebacks are a growing problem for any organisation that sells tickets or accepts donations.

Responding to chargebacks is costly and time-consuming, even when you contest them and win. Worse still, most chargebacks in our industry are driven by credit card fraud—and the merchant might not spot the fraud for weeks or even months after the transaction. That can mean issuing refunds after an event has already settled or after your finance team has closed the month or quarter. The problem is particularly acute in North America. Fortunately, there are controls you can put in place to reduce the likelihood or impact of chargebacks.

Why are chargebacks on the rise?

Over the last two decades, the number and value of e-commerce transactions have grown steadily. This is partly because of technology that makes it easier for merchants and buyers to trust each other online. I’m more likely to buy something from a merchant with a professional and trustworthy website, where I can use my preferred payment method, and if I know there’s a way to get a refund.

Enter the chargeback. Mastercard, Visa, American Express, and Discover all give their cardholders a simple way to dispute a transaction. Chargebacks also protect cardholders from transactions they didn’t authorise—a common type of credit card fraud. If the chargeback is upheld, the merchant usually has to refund the value of the transaction, and pay a fee to their bank. Now your organisation has lost the revenue from the ticket as well as the bank fee.

Slow fraud: carding

At one time, the most common source of fraud and chargebacks in our industry was what security experts call carding. This is where a criminal who has a large number of stolen card numbers uses a low-value purchase to test whether the cards work. If they do, these known-working card numbers can be resold to other criminals. They’re worth more than untested card numbers. Plus, they can be used for more lucrative fraud (and with a lower chance of being caught). 

This model most often uses bots or scripts to test thousands or tens of thousands of card numbers very quickly. Carding attempts happen to merchants all over the world; I used to see them frequently with arts and culture organisations in Australia. As anti-bot software improves, I’m seeing less and less of this model.

Faster fraud: reselling

An up-and-coming business model monetises the stolen cards more directly. If you have a stolen card, a quick way to get paid is to buy something with that card, then resell that thing immediately. The most efficient fraud is when both transactions happen online and you can deliver the product to an email address. 

That makes e-commerce businesses selling tickets a common target. Ultimately the cardholder notices the unexpected charge on their card, they notify their bank, and they’re refunded. Unless you can prove the cardholder authorised the transaction, the merchant who sold the ticket—your organisation—is liable for the refund. 

What you can do

Fortunately, there are things your organisation can do to prevent fraudulent chargebacks. I’ve listed these six strategies in order from most technical to least. 

1. Use the Address Verification Service (AVS) or 3D Secure

With these payment technologies, the card number alone isn’t enough to complete a transaction. AVS is used widely in North America and checks whether significant parts of the cardholder’s address match the address provided during the purchase. 

3D Secure is even more sophisticated, and it can shift the liability for a chargeback from the merchant (your organisation) to the bank that issued the card. It is mandatory in much of Europe and is starting to be more common in the US. You might know it by names like Mastercard SecureCode, American Express SafeKey, or Visa Secure. 3D Secure uses multifactor authentication, often a one-time password sent to the cardholder’s phone or email. Tessitura supports 3D Secure, including through the recently launched Tessitura Merchant Services.

2. Implement bot protection measures

Bots or scripts are commonly used both in carding and by fraudsters who resell tickets in bulk. The simplest bot protection measure is a captcha: a puzzle that (in theory) only a human can solve. Captchas aren’t perfect and are best used in combination with other measures. 

More sophisticated bot protection looks at the technical and behavioural characteristics of each person (or robot) using your website. For example, in Tessitura’s cloud environment, we use a specialist bot-protection firewall that can tell the difference between good robots (like a search engine crawler), bad robots (like a resale bot) and humans. The tool gives us strong protection out of the box, and because we host websites for hundreds of Tessitura organisations, we also customise the bot-protection rules based on what we learn defending our members.

3. Leverage your payment processor's risk rules

Most payment processors offer rules to manage the risk of fraud. These can be as simple as limits on the number of times a card can be used in a specific period, or a block on repeat transactions from a single IP address. They can also use sophisticated techniques to calculate a risk score for transactions.

If your organisation uses Tessitura Merchant Services, you can take advantage of the built-in fraud controls like RevenueProtect and Shopper DNA to implement and define risk rules. 
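The two simple rules described above (a cap on how often one card is used in a period, and a cap on attempts from one IP address) can be expressed as a sliding-window check. This is an added illustration, not code from Tessitura Merchant Services or any payment processor; the thresholds, field names and sample transactions are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds; tune them against your own sales patterns.
WINDOW = timedelta(minutes=10)
MAX_CARD_USES = 3    # attempts per card token per window
MAX_IP_ATTEMPTS = 5  # attempts per source IP per window


def evaluate(transactions):
    """Return [(txn_id, [rules broken])]; txn keys: id, time, card token, ip."""
    history = {"card": defaultdict(deque), "ip": defaultdict(deque)}
    limits = {"card": MAX_CARD_USES, "ip": MAX_IP_ATTEMPTS}
    flagged = []
    for txn in sorted(transactions, key=lambda t: t["time"]):
        broken = []
        for field, limit in limits.items():
            seen = history[field][txn[field]]
            # Drop attempts that have aged out of the sliding window.
            while seen and txn["time"] - seen[0] > WINDOW:
                seen.popleft()
            seen.append(txn["time"])
            if len(seen) > limit:
                broken.append(f"{field} velocity")
        if broken:
            flagged.append((txn["id"], broken))
    return flagged


def sample_transactions():
    """Constructed sample data: not real cards, IPs or orders."""
    t0 = datetime(2023, 3, 15, 19, 0)
    txns = []
    for i in range(7):  # one IP cycling through seven cards, a minute apart
        txns.append({"id": f"A{i}", "time": t0 + timedelta(minutes=i),
                     "card": f"tok_a{i}", "ip": "203.0.113.7"})
    for i in range(4):  # one card retried from four IPs within a few minutes
        txns.append({"id": f"B{i}", "time": t0 + timedelta(minutes=i, seconds=30),
                     "card": "tok_b", "ip": f"198.51.100.{10 + i}"})
    for i in range(2):  # a returning customer buying twice, an hour apart
        txns.append({"id": f"C{i}", "time": t0 + timedelta(hours=i),
                     "card": "tok_c", "ip": "192.0.2.44"})
    return txns


if __name__ == "__main__":
    for txn_id, rules in evaluate(sample_transactions()):
        print(txn_id, rules)
```

The returning customer is never flagged because the first purchase has aged out of the window by the time of the second; only the attempts that exceed a limit inside ten minutes are reported.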

4. Delay the delivery of digital tickets

If you’re sending tickets to your customers’ email addresses or mobile wallets, consider delaying the delivery of those tickets until the day of the event. The earlier a scammer receives a digital ticket, the easier it is for them to post the ticket for sale on a secondary market or social network. 

Delaying ticket delivery has a customer experience trade-off. But it’s effective, and it’s less extreme (and easier on your box office) than holding all tickets for will-call only.

A Tessitura member organisation recently shared with me a strategy to reduce the customer experience trade-off: they were sending digital tickets instantly, but only to existing customers who had purchased tickets before. New customers with no ticket history had to wait for their ticket delivery.

5. Adopt time-fenced or dynamic barcodes

These barcodes change every 10 minutes (for example), or don’t appear on a digital ticket until minutes before the event. This state-of-the-art technology, offered by Tessitura partner True Tickets, lets you send digital tickets immediately while controlling when they’re used. They’re an effective way to help you control resale. 
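One way a rotating, time-fenced barcode can work, shown as an added illustration; it is not True Tickets' or Tessitura's scheme. It assumes the barcode carries an HMAC over the ticket ID and a 10-minute counter, computed with a per-ticket key; the function names, key, ticket ID and times are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 600  # the barcode changes every 10 minutes, as in the text


def barcode(key: bytes, ticket_id: str, now: int) -> str:
    """Barcode payload for the 10-minute step that contains `now` (Unix time)."""
    step = now // STEP_SECONDS
    msg = ticket_id.encode() + b"|" + struct.pack(">Q", step)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return f"{ticket_id}.{tag}"


def verify(key, scanned, now, doors_open, doors_close, grace_steps=1):
    """Gate-side check: inside the entry window and showing a current code."""
    if not doors_open <= now <= doors_close:
        return False  # time fence: codes are not honoured outside entry hours
    ticket_id = scanned.rpartition(".")[0]
    # Accept the current step plus a short grace period for a code that
    # rotated while the patron was walking up to the scanner.
    for back in range(grace_steps + 1):
        expected = barcode(key, ticket_id, now - back * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), scanned.encode()):
            return True
    return False


def demo():
    """Constructed values: the key, ticket ID and times are made up."""
    key = b"per-ticket key issued by the ticketing server"
    doors_open = 1_700_000_400
    doors_close = doors_open + 3 * 3600
    now = doors_open + 900
    live = barcode(key, "TKT-0001", now)
    screenshot = barcode(key, "TKT-0001", now - 1800)  # captured 30 min ago
    return {
        "live": verify(key, live, now, doors_open, doors_close),
        "screenshot": verify(key, screenshot, now, doors_open, doors_close),
        "early": verify(key, live, doors_open - 60, doors_open, doors_close),
    }


if __name__ == "__main__":
    print(demo())
```

A copy of the barcode taken half an hour earlier fails at the gate, which is what makes an emailed or screenshotted ticket hard to pass on.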

6. Invalidate resold tickets before they're used

If you can identify fraudulent transactions soon after they’ve occurred, you can stop the associated tickets from being used for entry. To mitigate the customer experience impact, you can hold the seat or entitlement so that it can be resold to the customer for face value. They can then pursue a chargeback against the person who tried to defraud them.

Identifying and invalidating fraudulent transactions is particularly important during high-demand on-sales. The ideal outcome is for your loyal customers to be able to purchase valid tickets through authorised channels. Nobody wants to pay a premium to scalpers or surprise fees to secondary marketplaces. Tessitura organisations can use real-time reporting to identify suspicious activity, streamlining the investigation into fraudulent transactions. The faster your staff can identify and refund a transaction, the faster the tickets can be put back on sale, and the more likely you are to avoid both a chargeback and a missed sale.

•     •     • 

From the six strategies above, choose those that fit your organisation best. You don’t need to use all six: the right number of fraud controls is the minimum that will do the job. Some strategies also take longer to put into place than others. Start small with simpler strategies while you build towards more effective automated solutions.


Nic Boling

Vice President, Information Technology & Security
Tessitura Network

Nic Boling is the first Vice President of Information Technology & Security at Tessitura, a nonprofit tech company serving the arts and culture sector.

He was previously Chief Technology Officer at Sydney Opera House, where he led the teams responsible for networked systems, application support, operational technology, web development, Tessitura, information management, cyber security, consortium management, audio-visual installations, and broadcast engineering. He was Sydney Opera House’s senior responsible officer for cyber security, records management, and freedom of information. He also managed the organization’s privacy function.

Since 2010 Nic’s roles at Sydney Opera House have included leading a production services department, implementing state-of-the-art communication systems, and leading the technical delivery for a digital transformation that rebuilt the website on an enterprise content management system and email marketing platform integrated with Tessitura. Nic also oversaw the Sydney Tessitura consortium.

Nic holds a Bachelor of Security Analysis (Asia Pacific) and a double Master in Policing Intelligence & Counter-Terrorism and International Security Studies. He leverages this background in security and public policy to mitigate cybersecurity and business continuity risks.