Hotel Fraud & Chargeback Guide

Criminal fraud is very common. This is when a purchase is made with a stolen credit card and therefore the authorization never should’ve been made in the first place. The cardholder’s going to flag the fraudulent charge and dispute the case, and that’ll result in the card being closed and a new account number being issued.

Card testing fraud is when a fraudster purchases a stolen credit card via the dark web and begins testing it with authorizations to see if the card still works. In the case of hotels, they book several different rooms to see if they go through, and when they realize the card goes through, they can then use it to make much larger purchases. This is harmful because not only does it limit the amount of rooms shown available to true customers, but hotels also paying for the authorization charges.

Account takeover fraud is when you have sophisticated bots or fraudsters themselves go through hundreds and thousands of different credentials in hopes that they’re able to crack the code on accounts to drain loyalty points, make unwanted purchases, or steal other card numbers that are on that file.

CNP fraud is any type of fraud that takes place when the card is not physically present – most commonly online but also via mail and over the phone.

Friendly fraud is when a person unknowingly commits fraud by asking for a chargeback from their credit card company or bank after a transaction has taken place. It’s generally associated with those that don’t realize they purchased something, forgot that they purchased something, or when they didn’t understand what they were agreeing to pay for. Ultimately, requesting a chargeback is genuine.

Chargeback fraud is when someone knowingly purchases a product or service with the full intention to file a chargeback through the bank or credit card company, goal being to keep the product or service and be reimbursed for it. Due to friendly fraud, it’s hard to combat.

Chargebacks are part of the payment processing system and occur when a guest disputes a transaction. It differs from a refund in that the guest disputes the transaction directly with their bank. This triggers an investigation to determine the validity of the transaction and guests’ request for a refund. Ultimately, the bank can issue a complete refund without your permission.

Chargebacks are often the result of fraudulent activity.

In a Chargebacks 911 report, the expected cost of a single chargeback in 2023 is $190. This doesn't take into account the time your staff loses trying to remedy fraudulent activity and chargebacks or the loss of trust your guests may experience following a chargeback.

1. A lack of standardization for​ card verification and acceptance. For example, enabling 3-D Secure is a great way to authenticate transactions and reduce the risk of fraud, but U.S. merchants have been slow to adopt it.
   
   
2. ​Too many paper-based processes, which make it easy for personal information to get misplaced or misused.
   
   
3. Disjointed technology stacks that make data breaches and information mismanagement easier.
   
   
4. An increasing demand for contactless experiences combined with the lack of better verification methods.
   
   
5. Friendly fraud is on the rise.

Address Verification Service (AVS) is one of the most widely used practices in helping reduce fraud and protecting both you and your customer. The automated system is a way to verify a person’s identity when they are not present at the time of transaction. Check out our AVS guide to learn more.

3DS is a security standard you can adopt to secure online payment transactions and authenticate charges. The best part: most cardholders are automatically enrolled for 3DS by their card issuer, so taking advantage of 3DS is easy for merchants. Contact your payment gateway or processor to get started.

Fraudsters like to act quickly (up to 48 hours prior to check-in), so many hotels have adopted a policy to not accept same-day reservations. While that may not be an option, here are some best practices to follow if you can adopt it:

• Adopt an advance deposit policy and charge a minimum or full amount immediately. If the transaction’s being made with a stolen card, the true cardholder will get a notification of the charge, which will prompt them to contact you.
  
  
• Require a second form of payment. If the first card fails or results in a chargeback, the second option is available. This process can be implemented for all same-day reservations.
  
  

Using Sertifi, for example, you can require the signer to upload an image of their ID/Passport in the authorization form. Typically, fraudsters will abandon the transaction if prompted to submit photo ID. If they do share an ID, your property can examine the ID and look for doctored images. For third-party authorizations, asking for an ID at check-in acts as an effective way to deter fraudsters, especially for authorizations deemed risky.

Train your front desk team to review and research information in your authorization form:

• Business Name, Addresses, and Phone Numbers
  • Be on the lookout for vague, mismatched, or incorrect addresses, as well as any address with a P.O Box. Run a Google search of the provided business name to verify that it's real.
  • Google Streetview can show you if the provided address is really a home, empty lot, bus stop, etc.
  • If the provided cardholder and guest names are different, phone numbers should be different as well.
  • Don’t accept a credit card if the address provided for the card and the address provided for the authorization are drastically different
  • Take note if a business email wasn't used with a business selection.
    
    
• Signature 
  • The signature should match the cardholder's or guest’s name. Hotels have been known to accept authorizations signed with false signatures, such as “AAAAAAA,” resulting in chargebacks.
    
    
• Billing Instructions, Comments, and Special Requests
  • These sections are typically not required to fill out, so fraudsters may skip them to suggest billing was not approved.

One of the easiest ways for friendly fraud to happen is through a confusing and vague hotel policies. Routinely review your existing policies, update accordingly, and make sure updates are made anywhere your guests have access to existing policies. There should be no confusion when a guest leaves your property. They should know exactly who the invoice is from, what it is for, and what they owe at checkout.

If a chargeback does occur, best practice is to reach out to your guest first. They may unknowingly be committing fraud by asking for a chargeback; for example, they may not realize or forgot they purchased something, or they didn’t understand what they were agreeing to pay for. Speaking with the guest can help prevent a full chargeback. Hotels may be able to appease a disgruntled guest through other means (partial refund, future discounts, etc.).

It’s important to observe any unusual interactions you have with guests. As you’re building a fraud prevention plan, talk with your guest-facing teams about what they’d consider strange patterns. What have they experienced in the past that ended up turning into a chargeback?

Always make time to check in with your guest to find how their stay is when they’re at your property. You can get their feedback both in person and from your website and other systems. Give your guests multiple ways to provide feedback during their stay and add notes to your PMS.

• Require entry of security codes (CVV) on payment cards to help ensure the buyer has possession of the card.
  
• Don’t attempt manual authorizations. Always authorize a card through your system.
• Don’t accept a booking made with a third-party vendor along with a reservation made within 24-48 hours of check-in without additional verification.
• Do pre-charge credit card for rates to help validate the card isn’t stolen.
• Do monitor your booking sites for robotic or automated traffic.
• Do enforce face-to-face check-ins for high-risk bookings.

There are a couple best practices you can follow to prepare you for evidence gathering:

1. While time consuming, maintain a thorough record of all your guests.
2. Contact your guest and hear the reason for the chargeback from them directly. Sometimes a small overcharge or incorrect line item could cause them to ask for a complete refund from their bank, so you may be able to resolve it and issue a smaller refund directly.
3. Get familiar with chargeback reason codes so you can understand the type of cardholder dispute you’re dealing with. This in turn helps you determine which evidence to compile.

Chargeback reason codes vary by the credit card company.

For example, Visa organizes their chargeback codes by categories. Here are codes within their "fraud" category:

• Reason Code: 10.1
• Reason: EMV Liability Shift Counterfeit Fraud
• Reason Code: 10.2
• Reason: EMV Liability Shift Non-Counterfeit
  
  

Here are some examples for Discover:

• Reason Code: UA01 
• Reason: Fraud Card Present Environment 
• Reason Code: UA02 
• Reason: Card-Not-Present Environment 

Here’s the list of items that’ll help you build a strong case: 

1. A rebuttal letter summarizing all the evidence you’re submitting.  
2. A copy of the transaction receipt or order form.
3. Copies of communications made with the guest who filed the chargeback.
4. Evidence that proves the transaction was approved and authorized by the guest, e.g., a signed document that describes the product or service being purchased.
5. Proof that you have cardholder verification enabled, e.g., via 3-D Secure.
6. A copy of your refund policy (which should also be easy to find on your website and shared with guests before a transaction is made).
   
   

You need to be prompt about filing a representment case, so it’s important you have the right processes and technology in place to collect the evidence quickly. 

When the case is received, the acquiring bank sends your representment to the issuing bank, who issued the card used in the transaction. The issuing bank then may accept or reject your evidence.

1. If accepted, the issuing bank alerts the cardholder their chargeback has been reversed, and you receive the funds as accepted.
    
2. If rejected, and the acquiring bank agrees with rejection, the acquiring bank initiates a refund to the cardholder.
    
3. If rejected, and the acquiring bank disagrees with the rejection, the issuing bank must conduct its own investigation and make the final chargeback decision.
    

The short story is that it’s a lengthy process that you have very little control over. Ultimately, it’s easiest for the issuing and acquiring banks to side with the cardholder and reject your case, so that’s typically how the process plays out.

It’s worth disputing a chargeback if it relates to fraudulent activity. However, every hotel is different and not all properties have the bandwidth to devote to fighting chargebacks. With every chargeback filed, there’s a risk for lost revenue, so you need to ask yourself if it’s worth eating that cost.

While it’s smart to be prepared to fight chargebacks, it’s even more important to invest in a fraud prevention strategy. That’ll help you minimize your risk of chargebacks altogether. Secure processes and technology can help you stay ahead of chargebacks.