Thanks, thinking more:
Technically I think we could implement this crudely with the api disabling someone entirely:
- Listen to refunds and velocity per team member
- If we see it exceeds what we allow then call UpdateTeamMember endpoint to set status =
INACTIVEPUT /v2/team-members/{team_member_id} - Square API Explorer
Q: does that immediately lock out the team member? Would it be within 10 min? (Probably ok). And then after we resolve it can we mark them active again?
Here’s a related discussion in seller community Solved: Re: Limiting Refund Abuse by employees with refund... - The Seller Community
And 3 proposed workarounds (all requiring Square features)
The complexity lies in how our team would handle the setup of a rule-based permission like this.
I think it could be very simple.
- Setting of how many # or $ volume refunds to allow in a day or N hour period before. Could be a settable value based on the merchant, for some $1000 may be a very safe limit that shouldn’t ever be hit, and if it was, it’s probably a problem.
- Needing someone else to do the refund.
This would be a new permission, “Limited Refund” and if it can’t do it due to hitting a limit anyone with the existing “Refund” permission can do it.
- OR - likely simpler even:
- new “Limited Refund” permission, same as above
- This permission only allows refunding over the past N days / hours. That could be hard coded e.g. 7 days or 30 days or it could be a setting. This could have more customer service issues so the above to monitor suspicious / excessive volume behavior would be a safer customer experience probably. (Avoid blocking a valid refund).
- OR - expose existing permissions on the API, and enterprises that need this can implement revoking a permission from a team member if they see any suspicious things on their side.