Credit Card Fraud – Perspective of an online merchant.
By Andrey Butov
Antair, like most online merchants, is not immune from having to deal with credit card fraud.
If you are processing your payments through a middle-man like Plimus or Shareit, a portion of the ridiculous transaction costs that you pay out are used to keep you from having to worry about such things too much. But if you’ve graduated to a proper merchant account, and are processing your own payments, credit card fraud becomes an entirely new source of headaches.
Let me take you through a typical case …
You wake up in the morning, log into your backoffice sales database, and notice a slew of overnight sales. Now this may not be atypical for your shop, except that most of the sales are coming from either the same customer e-mail address, or similar customer names.
Digging into the sale records, you see several thousand dollars worth of purchases from a customer using an obviously fake name. The e-mail address is a generic one (@yahoo, @hotmail, @mac, etc). Several different credit card numbers are used, with seemingly proper addresses, but different phone numbers. The IP address, of course, is nowhere near the physical address for the card-holder. The buying patterns for the products purchased are completely off: 64 units purchased of something which typically sells 1 to 3 units per transaction, 108 units purchased of something for which only a single unit would typically suffice for one person, and so on.
If you’re selling physical goods, you may be checking these orders manually before shipping, in which case, you’re about to lose an enormous amount of time, but probably not a lot of money. If you’re selling software, and are automatically e-mailing license keys upon proper checkout, you technically haven’t lost any money on shipping physical goods either, but get ready to lose just as much time (and you’ll probably eventually see 108 units of whatever was just purchased being sold on eBay for 1/16th of the price you charge).
So now what do you do?
Well, first you wonder, how is it that my merchant account even let these transactions through? They may not know my selling patterns to be able to recognize fraudulent activity by sight, but surely that week I spent configuring fraud protection mechanisms with them would have been fruitful?
So you go on trying to figure out what happened…
But the credit card numbers are valid. The expiration dates are valid. The addresses match the cards. And even the credit card number security codes are valid. If any of these things were fake, those fraud protection mechanisms would surely reject the transaction. But they are all valid; meaning the credit card was probably stolen, as the thief has access to not only the card number, but the full and proper address, as well as the security code which is typically found on the reverse side of the card (useless piece of data — positional protection).
So now you’ve wasted an hour finding out that there is very little that your immediate processor could have done about it.
So you step back and think for a bit. What do I do? Several of these things came in before the daily reconciliation; meaning that they already cleared and the credit cards were charged. Several of them came in after the reconciliation, meaning they’ve not cleared yet and you can simply void those transactions without them showing up on the credit card statements. The voided ones are easy…but what do you do about the ones that went through? Do you refund those? Surely the customer would be confused upon seeing their credit card statement with a $600 transaction for an unknown product, from an unknown company, with an immediate refund for the same amount.
So what do you do now? Well … you call the issuing bank, of course.
Except the issuing bank doesn’t care! Neither does the card company itself. They either tell you to refund the transaction without justification, or they tell you to “use your best judgement”. What they don’t tell you is if this card is indeed reported as stolen, or what the proper procedure is to go about rectifying the situation.
The processor doesn’t know anything except the phone number of the issuing bank.
The issuing bank doesn’t tell you anything because the customer they just called back isn’t at home, the card hasn’t yet been reported stolen, but yes indeed, everything you tell them about the name being fake and the phone number being fake on the transaction is true. Except that they’re not going to do a damn thing about it until the customer complains.
A merchant is taking time out of his day — spending hours on the phone — not devoting time to his business — to tell you idiots that your own customer is being robbed blind. You are being provided with all the transaction details possible, down to the millisecond of the transaction, and all you can do is say “use your best judgement”? You’re a 12-billion dollar bank, don’t you have policies in place to handle this instead of routing my phone call to Bangalore and giving me some wishy-washy answer?
But what would happen if you “use your best judgement”, and decide that it’s not your problem to eye-ball each and every transaction that comes through? That if three levels of corporate checking decided that the card transaction is valid and let it through, who are you to undermine them? After all, they know better. It’s quite natural for the same named customer with different physical addresses, and 7 different cards to purchase 107 copies of the same $15 video game.
What happens is that the customer receives his statement in the mail 20 days from now, sees a transaction for something he has no knowledge of, and calls his credit card company (or, they call YOU, and YOU have to deal with them personally — because as a merchant, your phone number appears next to the transaction on the statement).
And when the customer calls his credit card company, then they start caring. In fact, they go into caring overdrive, sending a team of investigators after you via phone, mail, and e-mail, with an “official open fraud case”, to try to figure out what the hell happened. And no, they don’t care that you spent half the day trying to tell them of this thing three weeks ago. All they want to do is to clear this “official open fraud case”. So now you spend more time dealing with this nonsense, at the end of which, you wind up refunding all the money anyway, and probably get hit with a charge-back fee. And what happens when your merchant bank hears of this? Well, after enough times, they’ll increase your credit card processing rates, or blacklist you entirely, and you’ll be going back to Plimus, or Shareit, or some other payment processing middle-man; out of necessity this time around.
So you give up….
Your processor is telling you to talk to the issuing bank.
The issuing bank is telling you that they can’t do anything until the customer complains.
American Express, Visa, and MasterCard themselves are telling you that they have no control over this and to talk to the issuing bank again.
So you void the pending transactions, hand out refunds for the ones that have already cleared, and get started on writing thousands of lines of new back-office code to deal with future fraud.
Your P&L statement for the day shows $5.00 profit because you made $2005.00 in proper sales, and refunded $2000.00 worth of fraudulent transactions.
… and you hope that you won’t see your products being offered on eBay two weeks from today.
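The signals in the case above (several cards behind one e-mail address, quantities far outside the normal range, an IP location that does not match the billing address, a free e-mail domain) can be scored in back-office code so that suspicious orders are held before a license key goes out. This is an added example, not Antair's code; the field names, weights, thresholds and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; a real shop would derive them from its own sales history.
TYPICAL_MAX_QTY = {"game": 3, "license": 1}   # units in a normal order, per product
FREE_MAIL = {"yahoo.com", "hotmail.com", "mac.com"}
WINDOW = timedelta(hours=12)                  # "overnight" burst window
HOLD_AT = 3                                   # total weight that holds an order

def review_queue(orders):
    """Return {order id: [reasons]} to hold; card_fp is a processor token, never the PAN."""
    by_email = defaultdict(list)
    for o in orders:
        by_email[o["email"].lower()].append(o)
    held = {}
    for o in orders:
        score, reasons = 0, []
        # Distinct cards used with this e-mail address inside the burst window.
        cards = {p["card_fp"] for p in by_email[o["email"].lower()]
                 if abs(p["ts"] - o["ts"]) <= WINDOW}
        if len(cards) >= 3:
            score += 2
            reasons.append(f"{len(cards)} cards on one e-mail")
        limit = TYPICAL_MAX_QTY.get(o["sku"])
        if limit and o["qty"] > 5 * limit:
            score += 2
            reasons.append(f"qty {o['qty']} vs typical max {limit}")
        if o["ip_country"] != o["bill_country"]:
            score += 1
            reasons.append("IP country differs from billing country")
        if o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
            score += 1
            reasons.append("free e-mail domain")
        if score >= HOLD_AT:
            held[o["id"]] = reasons
    return held

def _o(i, email, fp, sku, qty, ip, minutes):
    return {"id": i, "email": email, "card_fp": fp, "sku": sku, "qty": qty,
            "ip_country": ip, "bill_country": "US",
            "ts": datetime(2024, 1, 1, 2, 0) + timedelta(minutes=minutes)}

# Constructed sample orders, not real data.
SAMPLE = [
    _o(1, "buyer@yahoo.com", "tok-a", "game", 64, "ZZ", 0),
    _o(2, "buyer@yahoo.com", "tok-b", "license", 108, "ZZ", 10),
    _o(3, "Buyer@yahoo.com", "tok-c", "game", 2, "US", 20),
    _o(4, "alice@example.org", "tok-d", "game", 1, "US", 30),
    _o(5, "bob@hotmail.com", "tok-e", "game", 1, "CA", 40),
]
```

Order 3 looks normal on its own and is held only because of the other cards on the same address, while order 5 (one weak mismatch plus a free e-mail domain) stays below the hold threshold.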
