Visa has detected an increase in fraud from merchants submitting unauthorized force-posted transactions into the payments system.
The Use of Force-Posted Transactions
Many Point of Sale (POS) devices and payment gateways support functionality for a “Force Sale”—also known as a force capture, or offline transaction—which is used to submit a force-post transaction. A force-post transaction allows the merchant to bypass the authorization process by manually entering a previously obtained authorization code. The transaction is then routed through clearing and settlement and subsequently force-posted to the issuer.
There are specific instances where a merchant is not required to obtain an authorization, like transactions below Visa’s floor limits. However, most card-present and virtually all card-absent transactions require issuer authorization. Transactions that are not authorized by the issuer typically violate the Visa Rules and are eligible for chargebacks under Reason Code 72—No Authorization.
Because the merchant manually enters an authorization code in a force-post transaction scenario, the process is susceptible to exploitation by criminals. Recent fraud cases have involved fictitious or previously used authorization codes or the repetitive use of a single authorization code for multiple transactions. Since force-posted transactions bypass the authorization process, acquirers that lack adequate merchant-monitoring controls may be exposed to excessive chargeback losses if unauthorized transactions enter the payments system.
Characteristics of Force-Posted Fraud
Visa has observed criminals using variations of the following schemes to commit force-post fraud attacks:
- Criminals obtain a merchant account using a fraudulent application or by recruiting a merchant to participate in an attack.
- Criminals deceive existing merchants by presenting forged bank letters that authorize “offline” (force-posted) transactions to pay for large sales orders to be laundered through the merchant’s account.
- The merchant may attempt a small initial sale to obtain a single valid authorization code for repeated use or simply manufacture fictitious codes.
- Criminals may use a small number of offshore cards to process numerous transactions that collectively exceed the merchant’s approved sales volume and average ticket amount.
- The attacks may occur over a weekend or a holiday, when acquiring and issuing staff coverage is perceived to be minimal.
- If the acquirer suspends funding, the fraud actors may present forged documentation to convince the acquirer to release funds.
Failing to detect these red flags may result in significant financial losses and brand damage.
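The red flags listed above can be checked mechanically in an acquirer's merchant-monitoring job. The following is an added example, not Visa's or any processor's code; the record layout, flag names, thresholds and sample data are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: force-posted transactions as an acquirer might log them.
# Layout (assumed): (merchant_id, card_token, auth_code, amount, timestamp)
FORCE_POSTS = [
    ("M100", "card-A", "123456", 4800.00, "2024-06-01T23:10:00"),
    ("M100", "card-A", "123456", 5100.00, "2024-06-01T23:14:00"),
    ("M100", "card-B", "123456", 4950.00, "2024-06-02T00:02:00"),
    ("M100", "card-B", "654321", 5200.00, "2024-06-02T00:09:00"),
    ("M200", "card-C", "777001", 42.50, "2024-06-04T11:30:00"),
]
# Auth codes actually returned in authorization responses, per merchant (constructed).
ISSUED_CODES = {"M100": {"123456"}, "M200": {"777001"}}
# Underwriting profile: approved sales volume and average ticket (constructed).
PROFILES = {"M100": {"volume": 10000.0, "avg_ticket": 150.0},
            "M200": {"volume": 5000.0, "avg_ticket": 60.0}}

def force_post_red_flags(txns, issued, profiles, ticket_factor=3.0):
    """Return {merchant_id: sorted list of red flags} for force-posted transactions."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t[0]].append(t)
    report = {}
    for merchant, rows in by_merchant.items():
        flags = set()
        codes = Counter(code for _, _, code, _, _ in rows)
        amounts = [amt for _, _, _, amt, _ in rows]
        cards = {card for _, card, _, _, _ in rows}
        profile = profiles[merchant]
        if any(n > 1 for n in codes.values()):          # one code, many sales
            flags.add("auth_code_reused")
        if any(c not in issued.get(merchant, set()) for c in codes):  # fictitious code
            flags.add("auth_code_not_issued")
        if sum(amounts) > profile["volume"]:
            flags.add("volume_over_approved")
        if sum(amounts) / len(amounts) > ticket_factor * profile["avg_ticket"]:
            flags.add("ticket_over_approved")
        if len(rows) >= 2 * len(cards):                 # few cards, numerous sales
            flags.add("few_cards_many_sales")
        if any(datetime.fromisoformat(ts).weekday() >= 5 for *_, ts in rows):
            flags.add("weekend_activity")
        if flags:
            report[merchant] = sorted(flags)
    return report

if __name__ == "__main__":
    for merchant, flags in force_post_red_flags(FORCE_POSTS, ISSUED_CODES, PROFILES).items():
        print(merchant, flags)
```

A holiday calendar and a check for codes already consumed by an earlier settled transaction would slot in as further conditions in the same loop.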
Restricting the Use of Force-Posted Transactions
POS devices and payment gateways have supported the “Force Sale” function—used to submit a force-post transaction—for decades. However, the need for this function has diminished over time, as processing systems have evolved. Regardless, many POS devices and payment gateways still offer this capability as a standard feature to the majority of their merchants.