FAQ: Fraud Monitoring with TC40 and SAFE
Merchants, do you know about TC40 and SAFE? No, they aren’t the droids from the new Star Wars movie. They’re part of Visa and Mastercard’s credit card fraud monitoring programs, and while it’s quite possible that you haven’t had to deal with TC40 and SAFE data firsthand, you might be generating a lot of it without even knowing it. Knowing how and why this data is collected can give you insights into how fraudsters might be targeting your business. In this FAQ we’ll try to answer the most pressing questions merchants have about TC40 and SAFE, including the most important one: can they help you avoid chargebacks?
What is TC40 Data?
What is SAFE?
Both of these terms refer to data that the major card networks use to identify and track fraudulent activity. TC40 is the name of the report that issuing banks send to Visa to report fraudulent transactions, and SAFE (“System to Avoid Fraud Effectively”) is Mastercard’s analogous fraud monitoring program.
Whenever an issuing bank receives information that a transaction might have been carried out without the cardholder’s knowledge or authorization, they submit details of that transaction to the card network through the appropriate reporting system. The report includes merchant information, the bank identification number, geographic region, currency code, and other information.
Usually, the way an issuing bank finds out that a transaction may have been fraudulent is because the cardholder contacts them to dispute it. It is therefore highly likely that all fraud-related chargebacks generate TC40 or SAFE reports, but not every possible instance of fraud that gets reported to the card networks will become a chargeback. Some banks will simply reimburse cardholders out of their own funds for low dollar amount disputes simply because it’s cheaper than activating the entire chargeback process.
What Requirements do TC40 and SAFE Impose on Banks?
As part of their overall fraud monitoring, Visa and Mastercard require that issuing banks provide them with data about fraudulent transactions. This information is used to assess the patterns of fraud activity and improve fraud prevention efforts. Reports and findings are shared with both issuers and acquiring banks.
Banks are not required to notify merchants when one of their transactions is included in a TC40 or SAFE report. At their own discretion, acquiring banks may provide their merchants with TC40 and SAFE data upon request.
While many issuers may choose to submit these reports on a frequent and timely basis, there can be considerable lag time between the initial dispute and the reporting. Mastercard specifically is fairly generous with the timeframe it gives issuers to report, which means that by the time SAFE data is available you might be looking at fraud activity that’s two months old.
What Can Merchants Learn from TC40 and SAFE Data?
Reviewing TC40 and SAFE reports can give merchants a lot of useful information and insights about how they’re being targeted by fraudsters, especially if they’re getting hit with a lot of disputes over small dollar amounts. Since the issuers may opt to each these losses themselves, merchants have no way of knowing that these transactions were fraudulent unless they can see the reporting data themselves. This can reveal the true extent of a fraud problem that may have been obscured by the way the bank was handling things.
What TC40 and SAFE are ill-suited for is real time chargeback prevention. While it is theoretically possible to learn about a dispute in progress from the raw data before it comes back to the merchant as a chargeback, in the majority of cases the timing won’t allow for this. Trying to circumvent a chargeback by issuing a refund based on TC40 or SAFE reports carries a high risk of getting hit with the chargeback after the refund has been issued, resulting in double the revenue loss.
If you want to be proactive about responding to disputes, chargeback prevention alerts are the better option, since they’re specifically designed to facilitate this approach. For merchants, the primary value of TC40 and SAFE data is in what you can learn about your specific fraud vulnerabilities.
How do TC40 and SAFE Data Impact Merchants?
The data used in TC40 and SAFE reporting is used to determine which merchants have sufficiently high levels of fraud that they qualify for interventions such as the Visa Fraud Monitoring Program. The metrics Visa looks at to calculate high or excessive fraud activity (the value of monthly fraud transactions and the monthly ratio of fraud dollars to sales dollars) are derived from TC40 reports.
In the future, these reports may be more accessible and more useful to merchants. Companies like Ethoca and Verifi are working with the card networks to find ways to leverage the information in these reports to help merchants avoid chargebacks and fight fraud more effectively.
In the meantime, the best thing merchants can do with TC40 and SAFE reports is analyze them to figure out how to improve your overall risk management strategies with respect to fraud and chargebacks. Because these reports can be challenging to obtain, and you have no assurance that you’ll receive them in a timely manner, they aren’t well-suited for troubleshooting active disputes or fraud problems.
You also have to keep in mind that the data is largely informed by cardholders self-reporting fraud on their accounts; there will be inaccurate information that gets captured, and many types of chargebacks, like friendly fraud, will be entirely absent from these reports.
TC40 and SAFE reports can potentially serve as a treasure trove of actionable information, and many merchants don’t even realize that they’re out there. If you’ve never seen your own TC40 or SAFE data, we encourage you to reach out to your acquirer and find out what they’re able to provide.
The caveat with these reports is that the incidents they describe may be more than a month old and contain the cardholder’s subjective impressions of where and how they were victimized by fraud. If you can sift through the data critically and analyze it within an overall framework of matching chargebacks to their root causes and identifying the policies and procedures that can help you avoid similar chargebacks in the future, these reports can greatly inform your plans for fraud and chargeback defense.