
Visa Confidential

Visa Payment Fraud Disruption

Visa Security Alert PFD-22-48, September 2022

INCREASE IN PURCHASE RETURN AUTHORIZATION FRAUD

Distribution: Visa Issuers, Processors and Acquirers

Summary:
Beginning in September 2022, Visa Payment Fraud Disruption (PFD) identified an increase in threat actors conducting
purchase return authorization (PRA) fraud. In the current tactic, threat actors exploit misconfigurations in issuers'
open-to-buy (OTB) settings by submitting purchase return transactions that are not connected to any initial purchase
transaction. Threat actors are currently targeting issuers in the Central Europe, Middle East and Africa (CEMEA) region
using merchants acquired in the US. However, if an issuer's OTB settings are not configured properly, the scheme can
impact any issuer globally via a merchant acquired in any region. PFD is therefore providing the following fraud scheme
details and prevention recommendations to assist clients in identifying and mitigating this type of PRA fraud.

1. PRA Fraud Tactic

In this PRA fraud scheme, a threat actor obtains unauthorized access to a merchant's payment gateway and/or terminal and
initiates a PRA transaction for which there is no connected initial purchase transaction. The first message is a
pre-authorization request for a return-of-goods credit, which is quickly followed by a reversal request. The reversal
request indicates to the issuer that the cardholder is to be credited, even though there was no original debit
transaction on the account. Because the issuer's open-to-buy (OTB) settings are misconfigured, the issuer releases the
OTB (makes the credited amount spendable) before settlement rather than after it. Note that a pre-authorization should
only occur for a purchase transaction, never for a return-of-goods credit request.
To initiate the fraudulent PRA transactions, threat actors conduct point-of-sale (POS) entry mode 01 (key-entered)
transactions using a variety of merchant types, names, card acceptor IDs (CAIDs), and merchant category codes (MCCs);
the merchants are typically acquired by the same entity. The initial pre-authorization PRA transactions are sent as
acquirer message type 0100 with field F03.1 = 20, and the reversal requests are sent as acquirer message type 0400. Once
the erroneously credited funds reach the threat actor-controlled accounts, which are often debit payment accounts, the
threat actors likely monetize them via ATM withdrawals or the purchase of other goods.
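The message sequence described above, as an added example that is not part of the alert: a small simulated issuer authorization host replays the 0100/20 + 0400 pair, once with the misconfigured OTB handling and once with the return credit held back until settlement. The account model, the STAN-based matching of a reversal to its original authorization, and the exact shape of the misconfiguration (the credit granted when the return authorization is approved, with the reversal merely closing the authorization so that no clearing record ever arrives to reconcile it) are assumptions; the alert describes the outcome, not the internals of the affected issuers.

```python
"""Simulated issuer authorization host: misconfigured vs. corrected open-to-buy
(OTB) handling for purchase return authorizations (PRAs).

Added example; not code from the Visa alert. Message fields follow the alert
(MTI 0100 = authorization request, MTI 0400 = reversal, field 3.1 = "20" for a
merchandise return, "00" for a purchase). The account model, STAN-based
matching of a reversal to its original authorization, and the shape of the
misconfiguration are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PURCHASE = "00"  # field 3.1 processing code: purchase
RETURN = "20"    # field 3.1 processing code: merchandise return (PRA)


@dataclass
class Msg:
    mti: str      # "0100" authorization request or "0400" reversal request
    proc: str     # field 3.1 processing code
    amount: int   # minor units
    stan: str     # system trace audit number; a 0400 carries its original's STAN


@dataclass
class Account:
    otb: int                                        # open-to-buy: spendable now
    open_auths: dict = field(default_factory=dict)  # stan -> Msg awaiting clearing
    events: list = field(default_factory=list)      # audit trail


def authorize(acct: Account, m: Msg, credit_return_at_auth: bool) -> str:
    """Process one 0100/0400 message and return the response code.

    credit_return_at_auth=True reproduces the misconfiguration in the alert:
    an approved 0100/20 raises OTB at once, so the funds are spendable before
    any clearing record exists, and the attacker's 0400 merely closes the
    authorization without clawing the credit back. With it False, a return
    authorization never moves OTB; the credit is applied only by settle().
    """
    if m.mti == "0100" and m.proc == PURCHASE:
        if m.amount > acct.otb:
            return "51"                     # insufficient funds
        acct.otb -= m.amount                # place the purchase hold
        acct.open_auths[m.stan] = m
        return "00"

    if m.mti == "0100" and m.proc == RETURN:
        acct.open_auths[m.stan] = m         # remember it; wait for clearing
        if credit_return_at_auth:           # MISCONFIGURED: OTB released pre-settlement
            acct.otb += m.amount
            acct.events.append(f"otb +{m.amount} at auth stan={m.stan}")
        return "00"

    if m.mti == "0400":
        original = acct.open_auths.pop(m.stan, None)
        if original is None:
            acct.events.append(f"unmatched reversal stan={m.stan}")
        elif original.proc == PURCHASE:
            acct.otb += original.amount     # release the hold placed above
        # Reversal of a return: the pending credit is cancelled and no clearing
        # will follow. OTB is left untouched, which is only correct if nothing
        # was credited at authorization time.
        return "00"

    return "12"                             # invalid transaction


def settle(acct: Account, stan: str) -> None:
    """Apply the clearing record: the only point at which a return credit
    should raise OTB (a purchase already lowered it when the hold was placed)."""
    m = acct.open_auths.pop(stan)
    if m.proc == RETURN:
        acct.otb += m.amount
        acct.events.append(f"otb +{m.amount} at settlement stan={m.stan}")


def run_scheme(credit_return_at_auth: bool, amount: int = 50_000) -> int:
    """Replay the alert's 0100/20 + 0400 pair against an empty debit account and
    return the OTB the attacker could drain at an ATM before settlement."""
    acct = Account(otb=0)
    authorize(acct, Msg("0100", RETURN, amount, "000123"), credit_return_at_auth)
    authorize(acct, Msg("0400", RETURN, amount, "000123"), credit_return_at_auth)
    return acct.otb


def run_legitimate_return(amount: int = 2_500) -> tuple[int, int]:
    """The corrected policy still serves a genuine return: returns
    (OTB right after the return is authorized, OTB after it settles)."""
    acct = Account(otb=10_000)
    authorize(acct, Msg("0100", PURCHASE, amount, "000001"), False)
    settle(acct, "000001")
    authorize(acct, Msg("0100", RETURN, amount, "000002"), False)
    after_auth = acct.otb                   # unchanged: no credit at authorization
    settle(acct, "000002")
    return after_auth, acct.otb


if __name__ == "__main__":
    print("misconfigured issuer, spendable before settlement:", run_scheme(True))
    print("corrected issuer, spendable before settlement:", run_scheme(False))
    print("corrected issuer, genuine return (after auth, after settle):", run_legitimate_return())
```

With the misconfigured flag the attacker's pair leaves the full amount spendable on an account that never had a debit; with the corrected handling the same pair leaves OTB at zero, while a genuine return is credited the moment its clearing record is applied.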

2. Recommendations

Visa PFD assesses that threat actors will continue to attempt to exploit misconfigurations in issuers' OTB settings;
issuers, acquirers, and merchants should remain vigilant in combating fraud related to PRA schemes.

PRA transactions are referred to as "merchandise returns" and carry processing code "20" in field 3.1. Issuers should not
increase the balance on the account after authorizing such a transaction until settlement is complete. To further
mitigate the risk associated with this PRA fraud scheme, Visa strongly recommends issuers apply the following best
practices:
• Do not increase the payment limit / open-to-buy (OTB) on the account for PRA transactions (acquirer message
type/authorization request type = 0100 and field F03.1 = 20) until settlement is complete.
• Check/update the settings of your processing systems so that PRA transactions are processed correctly. Contact your
Visa Risk or Client Services representative with any questions regarding these settings.
• Set up/update rules within internal fraud monitoring systems to identify fraudulent transactions of this type.
• Identify and flag risky PRAs where the amount, location, and merchant type do not match the cardholder's normal
spending behavior.
• Use Visa tools such as Visa Stand-In Processing (STIP) and Visa Risk Manager (VRM) to employ custom rules and proper
transaction decisioning logic that detect and prevent PRA fraud.

Acquirers and issuers must comply with Visa requirements (effective October 2019) to send and respond to purchase
return authorizations (PRAs). PRAs are subject to fraud detection triggers. Should an acquirer suspect purchase return
fraud (e.g., due to velocity triggers or a lack of offsetting sales), it may block the clearing messages. Please review
the Visa Business News article released 7 March 2019 detailing PRA requirements, available on Visa Online.
Visa recommends acquirers apply the following best practices:
• Perform merchant activity monitoring
  - Monitor unusual purchase return activity, such as velocity spikes or a lack of offsetting sales
  - Contact third-party processors about implementation of the fraud controls those processors offer
• Validate POS devices
  - Ensure a process is in place to validate POS devices connected to your host, so that no unauthorized or cloned POS
    device can link to a live merchant ID (MID); consider using a combination of transaction data elements/terminal
    messages for this validation, including but not limited to the combination MID+TID+MCC+Descriptor
  - Randomize terminal IDs (TIDs), as sequential TIDs are easier for criminals to use
• Educate merchants on good data security practices
  - Avoid printing sensitive information, such as MIDs or TIDs, on transaction receipts
  - Remind merchants that account information and terminal applications must be securely deleted from all memory
    slots when decommissioning a POS device
  - Warn merchants of phishing scams aimed at obtaining payment gateway credentials
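The monitoring rules recommended above, for both the issuer list (flag PRAs in internal fraud monitoring) and the acquirer list (velocity spikes, lack of offsetting sales, MID+TID+MCC+Descriptor terminal validation), as an added example run over a constructed set of authorization records. This is not code from the alert or from any Visa tool; the record layout, the registered-terminal table, the thresholds and the lookback windows are assumptions chosen for illustration.

```python
"""Fraud-monitoring rules for purchase return authorizations (PRAs), run over
a constructed sample of authorization records.

Added example; not code from the Visa alert, VRM or STIP. The record layout,
the registered-terminal table, thresholds and windows are assumptions. The
signals are the ones the alert names: key-entered (POS entry mode 01) return
authorizations, returns with no offsetting sale, return velocity spikes at one
merchant, and terminal messages whose MID+TID+MCC+descriptor combination was
never provisioned by the acquirer.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    stan: str          # system trace audit number (unique per message here)
    ts: datetime
    mti: str           # "0100" authorization request, "0400" reversal
    proc: str          # field 3.1: "00" purchase, "20" merchandise return
    pan_token: str     # tokenized PAN; the PAN itself must never be logged
    mid: str           # merchant ID / CAID
    tid: str           # terminal ID
    mcc: str           # merchant category code
    descriptor: str    # merchant name as carried in the message
    entry: str         # POS entry mode: "01" key entered, "05" chip, "07" contactless
    amount: int        # minor units


# Acquirer provisioning record (constructed): the only MID+TID+MCC+descriptor
# combinations that may legitimately appear on these live merchant IDs.
REGISTERED_TERMINALS = {
    ("MID1001", "T0001", "5812", "CAFE ROMA"),
    ("MID1001", "T0002", "5812", "CAFE ROMA"),
    ("MID2002", "T0001", "5999", "GADGET OUTLET"),
}

OFFSET_LOOKBACK = timedelta(days=30)   # how far back to look for the original sale
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX_RETURNS = 3               # return authorizations per merchant per window


def flag_returns(auths: list[Auth]) -> dict[str, list[str]]:
    """Return {stan: [reasons]} for every return authorization that trips a rule.

    Records are processed in time order so each return is judged only against
    the sales and returns that preceded it, as a live rule engine would.
    """
    flagged: dict[str, list[str]] = {}
    sales: dict[tuple[str, str], list[Auth]] = defaultdict(list)    # (pan, mid) -> sales
    recent_returns: dict[str, list[datetime]] = defaultdict(list)   # mid -> timestamps

    for a in sorted(auths, key=lambda r: r.ts):
        if a.mti == "0100" and a.proc == "00":
            sales[(a.pan_token, a.mid)].append(a)
            continue
        if not (a.mti == "0100" and a.proc == "20"):
            continue
        reasons = []

        # Rule 1: a return should offset an earlier sale on the same card at the
        # same merchant, inside the lookback, for at least the returned amount.
        if not any(a.ts - OFFSET_LOOKBACK <= s.ts <= a.ts and s.amount >= a.amount
                   for s in sales[(a.pan_token, a.mid)]):
            reasons.append("no offsetting sale")

        # Rule 2: the alert's PRA fraud is conducted as key-entered transactions.
        if a.entry == "01":
            reasons.append("key-entered return")

        # Rule 3: return velocity per merchant within a sliding window.
        window = recent_returns[a.mid]
        window[:] = [t for t in window if a.ts - t <= VELOCITY_WINDOW]
        window.append(a.ts)
        if len(window) > VELOCITY_MAX_RETURNS:
            reasons.append(f"return velocity {len(window)} in window")

        # Rule 4 (acquirer): the message must come from a provisioned terminal.
        if (a.mid, a.tid, a.mcc, a.descriptor) not in REGISTERED_TERMINALS:
            reasons.append("unregistered MID+TID+MCC+descriptor")

        if reasons:
            flagged[a.stan] = reasons
    return flagged


def sample_log() -> list[Auth]:
    """Constructed records: one genuine sale and its return at a provisioned
    terminal, then a burst of key-entered returns from an unprovisioned terminal
    linked to the same MID, each on a card that never bought anything there."""
    t0 = datetime(2022, 9, 14, 10, 0)
    genuine = [
        Auth("100001", t0, "0100", "00", "tok_A", "MID1001", "T0001",
             "5812", "CAFE ROMA", "07", 1_800),
        Auth("100002", t0 + timedelta(days=2), "0100", "20", "tok_A", "MID1001",
             "T0001", "5812", "CAFE ROMA", "07", 1_800),
    ]
    attack = [
        Auth(f"200{i:03d}", t0 + timedelta(days=5, minutes=4 * i), "0100", "20",
             f"tok_X{i}", "MID1001", "T0009", "5999", "GADGET OUTLET", "01", 50_000)
        for i in range(5)
    ]
    return genuine + attack


if __name__ == "__main__":
    for stan, reasons in flag_returns(sample_log()).items():
        print(stan, "->", "; ".join(reasons))
```

The genuine return passes every rule; each attacker message trips the offsetting-sale, key-entry and terminal-validation rules on its own, and the fourth and fifth in the burst also trip the velocity rule, which is the point at which an acquirer might block the clearing messages.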

In the event of a confirmed or suspected compromise incident, refer to Visa’s What to do if Compromised
(WTDIC), published August 2022.
Refer to the following resources for more information on security standards, PCI compliance requirements, and best
practices: PCI Data Security Standard Quick Reference Guide
Additional information on PCI DSS can be found at www.pcissc.org

3. Additional Resources
• PFD-19-016_Visa_Security Alert_Ongoing Purchase Return Fraud

• Payment Facilitator and Marketplace Risk Guide
• Visa Business News Article, 20 October 2021 - Additional Processing Changes to Support Merchandise Return
Authorization Transactions

For more information, please contact paymentintelligence@visa.com

Disclaimer:
This report is intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other
advice. Visa is not responsible for your use of the information contained in this report (including errors, omissions, or non-timeliness of any kind) or any
assumptions or conclusions you may draw from it.
All Visa Payment Fraud Disruption Situational Intelligence Assessment content is provided for the intended recipient only, and on a need-to-know basis.
PFD reporting and intelligence are intended solely for the internal use of the individual and organization to which they are addressed. Dissemination or
redistribution of PFD products without express permission is strictly prohibited.
