Module 5: Refund, Reversal, and Chargeback Abuse
Purpose
This module focuses on how refunds, reversals, and chargebacks are exploited in virtual card systems. We will detail how these flows work, how fraud occurs within them, and what preventative or investigatory controls your teams should implement.
This is essential training for:
Treasury and float management teams
Fraud and compliance analysts
Support teams handling transaction inquiries
Engineers implementing refund/reversal/chargeback logic
Legal or audit stakeholders investigating loss events
Definitions
| Term | Meaning |
|---|---|
| Refund | Initiated by a merchant after a transaction is settled; funds are returned to the card or float. |
| Reversal | Occurs before settlement, often within 24h; authorizations are voided, no funds are moved. |
| Chargeback | A dispute initiated by the cardholder or issuer after the transaction has settled. The funds are forcibly reversed. |
How Each Works Internally
Refund Flow
User spends $200 at a merchant.
Merchant initiates a refund (days later).
Processor pushes funds back to Bitnob.
Bitnob credits:
Card (if active), or
Master account (if card is frozen or terminated)
Reversal Flow
User makes a purchase.
Authorization is placed, but no settlement.
Merchant cancels or fails to complete the order.
Bitnob receives a reversal webhook.
Authorization hold is lifted; funds are restored.
Chargeback Flow
User disputes a charge (e.g. fraud or failed service).
Bitnob notifies the processor and requests reversal.
If valid, processor debits the merchant and credits Bitnob.
Cardholder receives funds (or master wallet is credited).
Processor charges a penalty fee for the dispute.
Common Abuse Patterns
1. Refund Abuse
Fraudsters create multiple cards, spend and terminate them, and receive refunds that flow back to their wallets.
Example:
Create card, top up $100
Spend $90
Terminate card
Merchant refunds $90
Refund lands in float; fraudster demands payout
2. Reversal Exploits
Use cards to “test” platforms that issue reversals instead of declines
Appear inactive (no real spend) but cycle balances rapidly
Pattern: Rapid top-up → spend → reversal → repeat. Can indicate laundering or collusion with merchants.
3. Chargeback Fraud
User makes a legitimate purchase, then disputes the charge weeks later claiming fraud.
High-risk signals:
Frequent disputes from same user across multiple cards
Chargebacks against high-risk MCCs (ads, gaming, etc.)
No prior complaint through support before dispute
Controls & Detection Strategies
| Area | Control |
|---|---|
| Refund Mapping | Require matching spend reference before refund is accepted |
| Terminated Cards | Always credit refunds to float, never to terminated cards |
| Chargeback Thresholds | Auto-flag users with >2 chargebacks/month |
| Reversal Anomaly Detection | If reversal:top-up ratio > 0.3, flag as laundering |
| MCC Risk Rules | Block refunds from high-risk MCCs if no matching spend |
Refund & Chargeback SLA Guidelines
| Action | SLA |
|---|---|
| Refund Processing | Post to card or float within 2 business days of webhook |
| Reversal Hold Release | Immediate upon webhook confirmation |
| Chargeback Dispute Window | Typically 30 days to respond; varies by scheme |
| Manual Refund Escalation | 24 hours for treasury investigation |
| Refund to Terminated Card Escalation | Flag and route to compliance within 1 hour |
Section 6: Logging & Audit Best Practices
Log original spend reference and webhook reference in all refund records
Maintain ledger integrity across top-up → spend → refund path
Store MCC, merchant, BIN, IP, and device for each reversal or chargeback
Flag multiple refunds to same card in short succession
Track “refund value ” by user weekly
Support Team Checklist
| Step | Action |
|---|---|
| 1. | Confirm if refund or chargeback exists in webhook logs |
| 2. | Pull spend reference and match value + merchants |
| 3. | Check card status: active, frozen, or terminated |
| 4. | Confirm refund landing (card vs float) |
| 5. | Escalate if refund mismatches spend, no matching spend exists, or card has suspicious lifecycle |
| 6. | Document with refundRef, cardId, userId, merchant, amount, and status |
Module 5 Knowledge Check
1. Which of the following is true about reversals?
A. They occur after settlement
B. They involve merchant disputes
C. They occur before settlement and release the hold
D. They trigger chargeback fees
Correct Answer: C
2. What should happen when a refund is issued to a terminated card?
A. It’s automatically lost
B. It must be credited to user wallet
C. It should be rejected
D. It must be credited to float and logged
Correct Answer: D
3. A user has 3 chargebacks in one week across 3 cards. What should happen?
A. Lock account, investigate
B. Issue new cards
C. Accept the chargebacks without action
D. Credit user with float balance
Correct Answer: A
