Summary:
Beginning in September 2022, Visa Payment Fraud Disruption (PFD) identified an increase in threat actors conducting
purchase return authorization (PRA) fraud. In this current PRA fraud tactic, threat actors exploit misconfigurations in
issuers’ open-to-buy (OTB) settings by conducting purchase return transactions for which there are no connected initial
purchase transactions. Threat actors are currently targeting issuers in the Central Europe, Middle East and Africa
(CEMEA) region using merchants acquired in the US. However, if an issuer’s OTB settings are not configured properly,
this scheme can impact any issuer globally via a merchant acquired in any region. As such, PFD is providing the
following fraud scheme details and prevention recommendations to assist clients in identifying and mitigating this type
of PRA fraud.
2. Recommendations
Visa PFD assesses that threat actors will continue to attempt to exploit misconfigurations in issuers’ OTB settings, and that issuers, acquirers, and merchants should remain vigilant in combatting fraud related to PRA schemes.
PRA transactions are referred to as “merchandise returns” and have processing code “20” in field 3.1. Issuers should not increase the balance on the account after authorizing such a transaction until after settlement is complete.
PFD-22-48 Visa Confidential
To further mitigate the risk associated with this PRA fraud scheme, Visa strongly recommends issuers apply the following best practices:
• Do not increase the payment limit / open-to-buy (OTB) on the account for PRA transactions (where the acquirer
message type/authorization request type = 0100, and field F03.1 = 20).
• Check/update the settings of your processing systems in order to correctly process PRA transactions. Contact your
Visa Risk or Client Services representative for any questions regarding these settings.
• Set up/update the rules within internal fraud monitoring systems in order to identify fraudulent transactions of this
type.
• Utilize Visa tools such as Visa Stand-In Processing (STIP) or Visa Risk Manager (VRM) to implement proper
transaction decisioning logic for PRAs.
• Identify and flag risky PRAs where the amount, location, and merchant type do not match the cardholders’ normal
spending behavior.
• Utilize tools such as Visa Risk Manager (VRM) and Visa Stand In Processing (STIP) to employ custom rules
and transaction decisioning logic to detect and prevent transaction fraud related to PRA schemes.
Acquirers and issuers must comply with Visa requirements (effective October 2019) to send and respond to purchase
return authorizations (PRA). PRAs are subject to fraud detection triggers. Should an acquirer suspect purchase return
fraud (e.g., due to velocity triggers or lack of offsetting sales), acquirers may block the clearing messages. Please review
the Visa Business News article released 7 March 2019 detailing PRA requirements available on Visa Online.
Visa recommends acquirers apply the following best practices:
• Perform Merchant Activity Monitoring
  • Monitor unusual purchase return activity—such as velocity spikes or lack of offsetting sales
  • Contact third-party processors about implementation of fraud controls offered by such processors
• Validate POS Devices
  • Ensure a process is in place to validate POS devices that are connected to your host, so that no unauthorized or cloned POS devices can link to a live merchant ID (MID); consider using a combination of transaction data elements/terminal messages for this validation, including, but not limited to, the combination of MID+TID+MCC+Descriptor
  • Randomize terminal IDs (TIDs), as sequential TIDs are easier for criminals to use
• Educate Merchants on Good Data Security Practices
  • Avoid printing sensitive information, such as MIDs or TIDs, on transaction receipts
  • Remind merchants that account information and terminal applications must be securely deleted from all memory slots when decommissioning a POS device
  • Warn merchants of phishing scams aimed at obtaining payment gateway credentials
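As an added example (not part of the Visa report), the two control sets above in Python: the acquirer-side monitoring of purchase returns that lack an offsetting sale or spike in velocity at one merchant, and the issuer-side rule of not raising open-to-buy for a PRA (0100 request, F03.1 = 20) until the return settles. The simplified record shape, field names and sample transactions are constructed assumptions, not Visa message formats or real traffic.

```python
from datetime import datetime, timedelta

# Constructed sample authorizations in a simplified ISO 8583-like shape (not real traffic).
# mti = message type indicator; proc = field 3.1 processing code ("00" purchase, "20" merchandise return).
AUTHS = [
    {"mti": "0100", "proc": "00", "pan": "4000XXXXXXXX0001", "mid": "MID-A", "amount": 120.0, "ts": "2022-09-01T10:00"},
    {"mti": "0100", "proc": "20", "pan": "4000XXXXXXXX0001", "mid": "MID-A", "amount": 120.0, "ts": "2022-09-03T09:00"},
    {"mti": "0100", "proc": "20", "pan": "4000XXXXXXXX0002", "mid": "MID-B", "amount": 950.0, "ts": "2022-09-03T09:05"},
    {"mti": "0100", "proc": "20", "pan": "4000XXXXXXXX0003", "mid": "MID-B", "amount": 950.0, "ts": "2022-09-03T09:06"},
    {"mti": "0100", "proc": "20", "pan": "4000XXXXXXXX0004", "mid": "MID-B", "amount": 950.0, "ts": "2022-09-03T09:07"},
]

def is_pra(msg):
    """Purchase return authorization: a 0100 request whose processing code (F03.1) is 20."""
    return msg["mti"] == "0100" and msg["proc"] == "20"

def has_offsetting_sale(pra, history, lookback_days=90):
    """Acquirer check: an earlier purchase on the same card at the same merchant covering the return amount."""
    t = datetime.fromisoformat(pra["ts"])
    for m in history:
        mt = datetime.fromisoformat(m["ts"])
        if (m["proc"] == "00" and m["pan"] == pra["pan"] and m["mid"] == pra["mid"]
                and mt < t and t - mt <= timedelta(days=lookback_days) and m["amount"] >= pra["amount"]):
            return True
    return False

def return_velocity(pra, history, window_minutes=10):
    """Number of PRAs at the same merchant in the trailing window (this one included)."""
    t = datetime.fromisoformat(pra["ts"])
    return sum(1 for m in history if is_pra(m) and m["mid"] == pra["mid"]
               and 0 <= (t - datetime.fromisoformat(m["ts"])).total_seconds() <= window_minutes * 60)

def flag_pras(auths, velocity_limit=3):
    """Map auth index -> reasons for PRAs with no offsetting sale or excessive merchant return velocity."""
    flags = {}
    for i, m in enumerate(auths):
        if not is_pra(m):
            continue
        reasons = []
        if not has_offsetting_sale(m, auths[:i]):
            reasons.append("no_offsetting_sale")
        if return_velocity(m, auths[:i + 1]) >= velocity_limit:
            reasons.append("return_velocity")
        if reasons:
            flags[i] = reasons
    return flags

class OpenToBuy:
    """Issuer-side OTB: purchases reduce OTB at authorization; a return credits it only at settlement."""
    def __init__(self, limit):
        self.otb, self.pending_returns = limit, []
    def authorize(self, msg):
        if is_pra(msg):
            self.pending_returns.append(msg)   # hold: do NOT raise OTB on the 0100 alone
        elif msg["proc"] == "00":
            self.otb -= msg["amount"]
    def settle(self, msg):
        if msg in self.pending_returns:        # credit only once the return clears
            self.pending_returns.remove(msg)
            self.otb += msg["amount"]
```

With the sample data, the three MID-B returns are flagged for having no offsetting sale and the third also trips the velocity rule, while the MID-A return is matched to its original purchase and passes.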
In the event of a confirmed or suspected compromise incident, refer to Visa’s What to do if Compromised
(WTDIC), published August 2022.
Refer to the following resources for more information on security standards, PCI compliance requirements, and best practices:
• PCI Data Security Standard Quick Reference Guide
Additional information on PCI DSS can be found at www.pcissc.org
3. Additional Resources
• PFD-19-016_Visa_Security Alert_Ongoing Purchase Return Fraud
Disclaimer:
This report is intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other
advice. Visa is not responsible for your use of the information contained in this report (including errors, omissions, or non-timeliness of any kind) or any
assumptions or conclusions you may draw from it.
All Visa Payment Fraud Disruption Situational Intelligence Assessment content is provided for the intended recipient only, and on a need-to-know basis.
PFD reporting and intelligence are intended solely for the internal use of the individual and organization to which they are addressed. Dissemination or redistribution of PFD products without express permission is strictly prohibited.