FAQ: Fraud Monitoring with TC40 and SAFE
Table of Contents
- What is TC40 data?
- What is Mastercard's SAFE?
- How do TC40 and SAFE work?
- How does TC40 data help prevent chargebacks?
- Can merchants view TC40 data?
- What requirements do TC40 and SAFE impose on banks?
- How do TC40 and SAFE reports impact merchants?
- What is a TC40 or SAFE report?
- Do all TC40 reports result in chargebacks?
Visa and Mastercard are the two largest credit card networks, and as such, they have a vested interest in monitoring and preventing credit card fraud. Among the tools they use to assist in this process are TC40 (for Visa) and SAFE (for Mastercard).
Despite how they may sound, these aren’t droids from the latest Star Wars movie. They’re part of Visa and Mastercard’s credit card fraud monitoring programs, and while many merchants haven’t had to deal with TC40 and SAFE data firsthand, they're often generating a lot of it without even knowing it.
Knowing how and why this data is generated and collected can give you insights into how fraudsters might be targeting your business. In this FAQ, we’ll try to answer the most pressing questions merchants have about TC40 and SAFE, including the most important one: Can they help you avoid chargebacks?
What is TC40 data?
What is Mastercard's SAFE?
How do TC40 and SAFE work?
TC40 is the name of the report that issuing banks send to Visa to report fraudulent transactions as part of its Risk Identification Service, and SAFE (System to Avoid Fraud Effectively) is Mastercard’s analogous fraud monitoring program.
Information included in these reports can include:
- Merchant information, including name, location, MCC, etc.
- Bank information for both parties involved in the transaction.
- Transaction details, including location, time, etc.
Usually, the way an issuing bank finds out that a transaction may have been fraudulent is that the cardholder contacts them to dispute it.
It is therefore highly likely that all fraud-related chargebacks generate TC40 or SAFE reports, but not every possible instance of fraud that gets reported to the card networks will become a chargeback.
Some banks will simply reimburse cardholders out of their own funds for low dollar amount disputes simply because it’s cheaper than activating the entire chargeback process.
How does TC40 data help prevent chargebacks?
This data can give merchants insight they might not otherwise have into fraud claims, especially those with a low transaction value. In particular, a merchant being targeted for card testing might not even realize it without looking at this data, since that kind of fraud involves low-value transactions that will usually be refunded by the cardholder's bank directly.
Data about fraudulent transactions that didn't result in chargebacks can also be fed into fraud prevention tools that analyze transaction data using machine learning to better detect potentially illegitimate purchase attempts.
However, it's important to note that there are limitations to the usefulness of these reports. They aren't a good indicator of rates of true fraud chargebacks, since not all fraud claims result in chargebacks. They also can't be used to give a merchant early warning of a potential chargeback, since they often aren't released until long after the claim is made.
If you want to be proactive about responding to disputes, chargeback prevention alerts are the better option, since they’re specifically designed to facilitate this approach. For merchants, the primary value of TC40 and SAFE data is in what you can learn about your specific fraud vulnerabilities.
Can merchants view TC40 data?
What requirements do TC40 and SAFE impose on banks?
As part of their overall fraud monitoring strategy, Visa and Mastercard require that issuing banks provide them with data about fraudulent transactions. This information is used to assess the patterns of fraud activity and improve fraud prevention efforts. Reports and findings are shared with both issuers and acquiring banks.
Banks are not required to notify merchants when one of their transactions is included in a TC40 or SAFE report. At their own discretion, acquiring banks may provide their merchants with TC40 and SAFE data upon request.
While many issuers may choose to submit these reports on a frequent and timely basis, there can be considerable lag time between the initial dispute and the reporting. Mastercard specifically is fairly generous with the time frame it gives issuers to report, which means that by the time SAFE data is available you might be looking at fraud activity that’s two months old.
How do TC40 and SAFE reports impact merchants?
The data used in TC40 and SAFE reporting is used to determine which merchants have sufficiently high levels of fraud that they qualify for interventions such as the Visa Fraud Monitoring Program. The metrics Visa looks at to calculate high or excessive fraud activity (the total monthly value of fraudulent transactions and the monthly ratio of fraud dollars to sales dollars) are derived from TC40 reports, not from chargebacks.
In the future, these reports may be more accessible and more useful to merchants. Companies like Ethoca and Verifi are working to find ways to leverage the information in these reports to help merchants avoid chargebacks and fight fraud more effectively.
In the meantime, the best thing merchants can do with TC40 and SAFE reports is analyze them to figure out how to improve their overall risk management strategies with respect to fraud and chargebacks. Because these reports can be challenging to obtain, and you have no assurance that you’ll receive them in a timely manner, they aren’t well-suited for troubleshooting active disputes or fraud problems.
You also have to keep in mind that the data is largely informed by cardholders self-reporting fraud on their accounts. There will be inaccurate information that gets captured, and many types of chargebacks, like friendly fraud, will be entirely absent from these reports.
If you’ve never seen your own TC40 or SAFE data, we encourage you to reach out to your acquirer and find out what they’re able to provide.
If you can sift through the data critically and analyze it within an overall framework of matching chargebacks to their root causes and identifying the policies and procedures that can help you avoid similar chargebacks in the future, these reports can inform your plans for fraud and chargeback defense.