Mastercard Fraud Monitoring Program: What to Do When You Get Enrolled
- August 9, 2023
So you’ve been enrolled in the Mastercard® fraud monitoring program — also known as the Mastercard Excessive Fraud Merchant (EFM) program. Maybe you knew it was coming. Maybe it feels unfair. So what do you do now?
What is the Mastercard Excessive Fraud Merchant Program?
Mastercard’s EFM program is a way for the card brand to ensure you maintain compliance with its fraud thresholds. If you fall out of compliance, the program is partly meant to serve as a penalty. But mostly, the point of the program is to help merchants reduce fraud and develop better fraud management practices.
When you breach Mastercard’s fraud thresholds, you are automatically enrolled in the program by your acquiring bank. The program monitors your merchant account for compliance and issues fines for months that you fail to meet compliance requirements.
Merchants are enrolled in the Mastercard EFM Program only if all of the following criteria are met:
- Volume requirements: At least 1,000 Mastercard transactions in the previous month
- Amount threshold: $50,000 (USD/EUR) or more in fraud claims
- Fraud ratio threshold: 0.50% or higher fraud-to-sales ratio
NOTE: Enrollment criteria differ for Australian-based merchants. If you operate a business in Australia, your ratio must be below 0.2% and your fraud amount below $15,000 USD.
If you use 3D Secure, there are additional thresholds you need to keep in mind. These thresholds vary depending on whether or not your country has legal or regulatory requirements for strong cardholder authentication.
How do I calculate my fraud rate?
Your fraud ratio or fraud rate is the total number of fraudulent transactions you process in a given month measured against your monthly sales volume. Mastercard calculates your fraud ratio by taking the total number of fraud claims filed against your business in the current month and dividing it by the sales count from the previous month.
The calculation looks like this: fraud ratio = fraud claims filed in the current month ÷ sales count from the previous month.
Mastercard assesses fines for merchants enrolled in the EFM Program based on the amount of time you spend in the program. The first month is a grace period — Mastercard doesn’t issue any fines during that time. However, your processor might.
After the first month in the program, fines are issued monthly and increase the longer you are enrolled in the program. Amounts can range from $500 (or €500) to $100,000 (or €100,000) or more.
How Fraud Monitoring Programs Can Affect Your Business
Fraud alone can cause a plethora of problems for a business: damaged reputation with banks and customers, increased labor costs, and more. Fraud schemes like card testing and account takeover fraud are already challenging to overcome. But the addition of being enrolled in a fraud monitoring program can increase the strain on your business.
Not only is fraud costly to resolve, but the fines you accrue from the program can put a huge dent in your bottom line and strain your resources.
What’s more, being enrolled in a program puts your merchant account in jeopardy. If you are enrolled in a program for too long, your merchant account will likely be terminated.
What to Do When You Are Enrolled in the Mastercard EFM
Navigating a monitoring program can be overwhelming. And it may feel like your options are limited or hope is dwindling. But there are actions you can take to get your business back on track.
Develop a remediation plan.
Part of a fraud monitoring program is to help merchants develop an effective risk management strategy. Mastercard may request that you submit a remediation plan that outlines the steps you’re taking to resolve issues and regain compliance.
Most remediation plans include the following key elements.
Card networks first need to get a good sense of who you are. Let them know what type of business you own, payment and billing methods you accept, marketing efforts, and any other notable aspects of your business.
Provide details about your return and refund policies, terms and conditions, and any other internal procedures that could be related to your fraud issues.
Provide details of the events that led to the increased level of fraud and number of chargebacks with fraud reason codes. This step may involve taking a closer look at your data to figure out the root cause of the issues so you can tell a complete story about what happened.
Risk management strategy
Your strategy for reducing risk is one of the most important parts of the remediation plan. You’ll need to provide a description of all fraud tools and prevention methods you plan to use, when you will implement them, and how those will help prevent fraud issues in the future.
Provide a detailed description of steps you will take to reduce fraud and chargebacks — what technologies you will use, when you will implement them, and your expected results. You’ll also need to include a backup plan in case the first plan fails.
Develop a complete fraud and chargeback management strategy.
It’s important to start managing risk effectively as soon as you find yourself in a monitoring program. But it’s equally important to continue those efforts long after you exit a program so that you never face enrollment again. That’s why you want to develop a well-rounded strategy that can provide long-term protection.
Best business practices for an effective strategy usually consist of the following items.
Scalable, accurate, and flexible technology
Using fraud protection software is the quickest way to reduce fraud accurately and effectively — which is especially important when you have a limited amount of time. You want to look for technology that allows you to customize policies so that it fits your business needs and can scale as you grow.
It’s important to find a solution that can resolve your issues and get you out of the monitoring program. However, keep in mind that the best solution is one that will benefit your business long-term.
Web security protocols
An important part of mitigating fraud is boosting your website security. Add a firewall so that you can monitor incoming and outgoing traffic on your site and block suspicious traffic. Additionally, add CAPTCHAs during checkout to verify that the user interacting with your site is a human.
Using these protocols will help you block bad traffic from bots — software that is programmed to run automated tasks such as card testing fraud and credential stuffing.
Another way to combat fraud is to implement verification protocols during checkout. This helps determine whether the cardholder or a fraudster is making the purchase.
One method is to require the shopper to enter the security code (CVV) printed on the card. This step helps ensure the shopper has the card in hand and isn’t just using stolen card information from online hacks.
You can also sign up for address verification service (AVS) — which allows you to compare the billing address a customer provides during checkout to the billing address on file with their bank. If the addresses don’t match, the transaction could be declined.
Lastly, you can use 3D Secure 2.0 — an identity verification tool that authenticates card-not-present transactions. When a customer makes a purchase, you can send information like shipping address and order history to the customer’s issuing bank. The bank then reviews the information to determine the likelihood of fraud. This analysis can help determine if the transaction should be accepted or declined.
It’s great to stop fraud, but it’s better to discover the root cause of fraud.
Fraud reports provided by the card brands are pretty generic — they simply inform you that the cardholder claimed the transaction was fraudulent. But how do you know if that fraud claim was legit or not?
What about opportunistic shoppers who try to get items for free? Or spouses making purchases without the cardholder’s knowledge?
Oftentimes, the only way to discover the true cause of fraud is with data analysis. You need to look for patterns to identify anomalies. The easiest and most accurate way to analyze data is to use fraud detection software.
Up-to-date policies and procedures
Sometimes fraud happens because your refund and return policies aren’t very clear or are hard to find. Or sometimes your employees aren’t trained to recognize social engineering tactics — methods of manipulation fraudsters and customers use to get goods for free.
The best thing you can do is to keep your policies up-to-date and your employees well-trained on fraud trends — such as refund fraud, e-gift card fraud, chargeback fraud, and more.
Exiting the program
To get out of the Mastercard EFM program, your merchant account needs to be below the EFM program thresholds for three consecutive months. And because you must meet all requirements to be enrolled in the program, if you fall below the threshold for any of the requirements, your account will be considered compliant for the month.
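A merchant-side tracker for the enrollment criteria, the fraud ratio calculation, and the three-month exit rule described above. This is an added example, not Mastercard's or the author's code. The `Month` record, the status labels, and the sample figures are constructed, and it assumes the fraud amount is measured in the same month as the fraud claims.

```python
from collections import namedtuple

# Enrollment thresholds as stated on this page (non-Australian merchants).
MIN_PREV_MONTH_TXNS = 1_000   # Mastercard transactions in the previous month
MIN_FRAUD_AMOUNT = 50_000     # fraud claims, USD/EUR
MIN_FRAUD_RATIO = 0.005       # 0.50% fraud-to-sales ratio
EXIT_STREAK = 3               # consecutive compliant months needed to exit

# Hypothetical per-month record built from your own processor reports.
Month = namedtuple("Month", "label sales_count fraud_count fraud_amount")

def fraud_ratio(cur, prev):
    """Fraud claims this month divided by the previous month's sales count."""
    return cur.fraud_count / prev.sales_count if prev.sales_count else 0.0

def over_thresholds(cur, prev):
    """True only when all three enrollment criteria are met at once."""
    return (prev.sales_count >= MIN_PREV_MONTH_TXNS
            and cur.fraud_amount >= MIN_FRAUD_AMOUNT
            and fraud_ratio(cur, prev) >= MIN_FRAUD_RATIO)

def track(months):
    """Walk months oldest-first and return [(label, ratio, status), ...]."""
    enrolled, streak, out = False, 0, []
    for prev, cur in zip(months, months[1:]):
        over = over_thresholds(cur, prev)
        if over:
            status = "non-compliant" if enrolled else "enrolled"
            enrolled, streak = True, 0   # any breach resets the exit streak
        elif enrolled:
            streak += 1
            status = "exited" if streak >= EXIT_STREAK else "compliant"
            enrolled = streak < EXIT_STREAK
        else:
            status = "clear"
        out.append((cur.label, round(fraud_ratio(cur, prev), 4), status))
    return out

# Constructed sample data, not real merchant figures.
SAMPLE = [
    Month("2023-01", 20_000, 40, 9_000),    # baseline month (denominator only)
    Month("2023-02", 22_000, 130, 61_000),
    Month("2023-03", 21_000, 120, 55_000),
    Month("2023-04", 21_500, 115, 42_000),  # ratio still high, amount below
    Month("2023-05", 23_000, 60, 20_000),
    Month("2023-06", 24_000, 50, 18_000),
]

if __name__ == "__main__":
    print(*track(SAMPLE), sep="\n")
```

April in the sample still has a ratio above 0.50% but counts as compliant because the fraud amount dropped below $50,000, which is the "all criteria must be met" rule at work.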
Want help exiting a Mastercard fraud monitoring program?
If you’ve been enrolled in a monitoring program, you need rapid results. And the best way to see quick and accurate improvements to your fraud situation is to use fraud detection technology.
We recommend our partner, Kount. Kount has the industry’s leading fraud detection and prevention software with proven-effective solutions.