News
Mastercard Excessive Fraud Merchant Program
Fraud is costly to merchants. According to LexisNexis, overall U.S. retail fraud attacks have decreased slightly since 2021, but ecommerce fraud attacks have increased 50% in 2022, with successful attacks increasing 63%. Additionally, every dollar of fraud costs U.S. merchants $3.75 due to all the additional costs, fees, and losses associated with fraud. Numerous factors contribute to those increased fraud costs beyond the amount of lost payments. One such factor is the costs assessed by card brands to merchants that routinely have fraud ratios above what the brands determine to be acceptable. Card brands will place these merchants in monitoring programs such as the Mastercard Excessive Fraud Merchant (EFM) program.
Mastercard Excessive Fraud Merchant Program
Mastercard’s EFM program is designed to discourage merchants from allowing excessive levels of fraud. It assesses fines and restrictions on merchants who receive excessive amounts of fraud related chargebacks that carry the reason code 4837 for “No Cardholder Authorization” or 4863 for “Cardholder Does Not Recognize – Potential Fraud.”
The EFM program is one part of a larger Mastercard program known as the Acquirer Chargeback Monitoring Program (ACMP). The other part is the Excessive Chargeback Program (ECP), which is similar to the EFM program but focused on excessive chargebacks rather than specifically on chargebacks resulting from fraud.
Excessive Fraud Merchant Criteria
There are four main criteria that must apply to a merchant in order for that merchant to be put into the EFM program. The merchant must meet or exceed all four of the following:
- Processing 1,000 e-commerce transactions
- Receiving fraud-related chargebacks totalling $50,000
- Receiving 50 basis points, a Mastercard statistic in which the number of fraud-related chargebacks in a month are divided by the total number of e-commerce transactions from the previous month and multiplied by 10,000 (this is essentially equivalent to a 0.50% fraud ratio)
- Processing less than 10% of their clearing volume through 3D-Secure (this threshold is 50% in regulated countries—namely APAC countries and some European countries)
If the merchant meets or exceeds these four criteria in any two months, they will be placed in the EFM program. Those two months need not be consecutive for the EFM program to be applied.
EFM Program Penalties
The schedule of fines for the EFM program is as follows:
Months In Program |
Fine |
1 |
$0 |
2 |
$500 |
3 |
$1,000 |
4-6 |
$5,000 |
7-11 |
$25,000 |
12-18 |
$50,000 |
19+ |
$100,000 |
Exiting the EFM Program
Merchants must remain below the EFM program thresholds for three consecutive months in order to be removed from the program. Merchants can request that Mastercard suspend an assessed fine once during their time in the EFM program if they believe that they will manage to get below the thresholds over the next three months.
Mastercard may contact the merchant’s acquirer and request that they submit an action plan for the merchant. This plan includes an explanation of the cause of the fraud related chargebacks, the actions being taken by the merchant to reduce fraud, and the controls being implemented by the merchant to ensure that fraud doesn’t reach excessive levels again in the future.
Conclusion
As with most responsible merchant business practices, the most effective way to handle the Mastercard Excessive Fraud Merchant program is to avoid being placed in it in the first place. This likely involves employing anti-fraud tools—such as 3D-Secure, machine learning tools, real-time fraud scoring, velocity monitoring tools, device ID, and IP geolocation—and implementing policies to catch fraud before it occurs
As an example of how important prevention is compared to remediation, we can point to the 10% threshold for 3D-Secure being one of the key criteria for placement in the EFM program. A merchant could avoid placement in the program entirely by using 3D-Secure on more than 10% of transactions. But for a merchant already in the EFM, exceeding that 10% threshold is only one of the remediation efforts necessary to escape the program.
Of course, it can be difficult for merchants to prevent fraud if they are not aware of what their fraud ratio is. Mastercard reports fraudulent transactions through its System to Avoid Fraud Effectively (SAFE) but those reports are not always forwarded to the merchant in such a way as to allow them to track their fraud ratio. Tools such as chargeback dashboards can assist with tracking this metric and serve as a starting point for fraud-prevention efforts. Knowledge is power and an ounce of prevention is worth a pound of cure.
Frequently Asked Questions
The Mastercard Excessive Fraud Merchant program is a program of penalties and restrictions that Mastercard uses to discourage merchants from allowing their fraud rates and volumes to exceed certain thresholds.
Merchants are placed in the Excessive Fraud Merchant program if they meet or exceed all four of the following criteria for any two (consecutive or nonconsecutive) months: processing 1,000 e-commerce transactions, $50,000 in fraud-related chargebacks, 50 basis points, and use of 3D-Secure on fewer than 10% of their monthly transactions.
Merchants are removed from the Mastercard Excessive Fraud Merchant program if they stay below the thresholds for all four necessary criteria for three consecutive months.
They are different parts of the broader Acquirer Chargeback Monitoring Program, each designed to address different problems. The Mastercard Excessive Fraud Merchant program discourages merchants from allowing too much fraud while the Mastercard Excessive Chargeback Program discourages merchants from allowing too many chargebacks, regardless of their source. The basic structure of the programs are superficially similar but the details are tailored to each specific concern.
Basis points are a metric that Mastercard calculates in order to track how much of a merchant’s transactions are fraudulent. It is a different way of representing the same information demonstrated by fraud ratio.
Mastercard calculates basis points by taking the number of fraud-related chargebacks in a month and dividing them by the total number of e-commerce transactions from the previous month then multiplying by 10,000.