Online Payments: Merchant Liability

[soma]

I've really had my eyes opened today as to how vulnerable online merchants are to credit card chargebacks/fraud. Essentially, from what I can tell, everyone in the payment chain abdicates responsibility and the Merchant gets stuck with the bill.

Here is our (pretty standard AFAIK) setup.

Merchant Site > Payment Processor (Realex) > Acquiring Bank (Elavon/BOI)

By definition, we are the weakest link (information-wise) in this chain.

So we have several fraudulent transaction that have emerged - the credit card company has begun issuing chargebacks. For each transaction:

1) Realex "approved" the transaction (more on this later)
2) Elavon (Bank Of Ireland) approved the transaction
3) Goods delivered and signed for by courier
4) Chargeback occours - cardholder says card details must have been stolen from them etc.

Sounds like what you'd think is a fairly 'secure' situation for the Merchant? Not on your life, guess who's liable?, us.

To be honest this is an appalling situation - the Cardholder name wasn't even correct on the transactions and yet (a) this gets thru both Realex & Elavon and (b) we pick up the tab even though we pay both of these companies for "services".

One of the fraudsters just put thru another transaction, and lo and behold it gets thru both Realex & Elavon. So as a test, I phoned both companies to get their take on this transaction.

Me: Tranaction info
Realex: "Looks fine - and Elavon also approved it."
Me: Was the Cardholder name at least validated? Does the address match up?
Realex: "Well unless you use 3D secure, we dont really do any authorization/validation...."
Me: Stunned
Me: But if there's a chargeback later, after all these approvals, we're liable?
Realex: Yup.

Note: If you use 3D on your site, your sales will collapse, customers dont understand whats going on.

Calling Elavon:

Me: Explain situation
Elavon: "Well if you give me the customers credit card number I might be able to find out more details"
Me: We (and most retailers, unless you're huge) dont store or ever see people's credit card details. We'd be mad to.
Elavon: Nothing we can do or tell you then..
Me: But you've approved this transaction?
Elavon: Yes
Me: But if its fraudulent, and Ive sent out the goods, we're liable?
Elavon: Yes

Both companies basically told me that for all the bells and whistles about "processing transactions securely" that it comes down to this: my eyes.

I have to look at a name, an address and an order and "magically" determine the true validity of an 'authorised' transaction. If I get it wrong, I am out of pocket (just like right now) for up to several thousand euro.

This is appalling to say this, but I now have to 'racially profile' orders. And I feel sick to stomach having to do this because foreigners living in Ireland are our best (and often also our nicest) customers. But all our fraud is emenating from 'customers' with names from a distinctive region.

Is there anyone here operating web payments that they actually have some faith in? An approvals process you can actually trust? If so, can you please let me know what you're setup is?

Is this unique to Ireland?

One thing - I'm sure the natural reaction of some of you will be: you have the person's house where the goods were delivered to - surely the guards will be taking it from there etc.

Of course we will be chasing this angle up, but (1) based on daft.ie these addresses appear to be empty rentals that are being used to stage deliveries (2) the last involvement we had with the guards, we handed them CCTV footage of a theft in action with close-up faces and a car registration. Nothing even remotely happened.

 

[rekhib]

I'm sorry to hear of your troubles soma. We operate a similar system on our sites with the exception of the acquiring bank and what you describe above is exactly the situation. There was a great BBC podcast a couple of months back about this very subject (I'll try dig up a link). The other worrying thing which they touched on which you didn't mention above is the length of time after the order which a chargeback can occur. This can push 6 months after the transaction date. At that point, it is highly likely that the goods/services have been delivered already. Fortunately for us, we operate in an industry where we always have physical contact with the person (at some point in the future - and always before they are in receipt of their purchase) and where it's not absurd for us to request an official documentation number. To date, no one transaction has caused us too much hassle (touch wood).

If you can request an official document ID, passport number, driving licence number, ppsn, that will cut down on fraud because they're highly traceable documents. Realex also have quite sophisticated fraud scoring software (but professional help is definitely required to get it up and running successfully). The other thing you can do is not auto-settle your transactions and then throw a cursory glance over the day's transactions to see if anything jumps out. Make sure you cross-reference the customer's IP address with the country that they say they're from.

In short, there's no guarantees here, other than shifting the ECI using 3DS. I fully agree with you, it's a flawed process. 3DS is a great idea but it must have had it's advertising budget cut because customers have no clue what it is!

 

[mathepac]

... 3DS ... must have had it's advertising budget cut because customers have no clue what it is!

That's not true, IME.

I registered 2 cards for 3DS some years ago but since registration only a tiny number of online transactions have activated the additional check. According to the credit-card companies, this is because merchants haven't bothered to integrate 3DS into their online store applications.

This ties in with the reason why OP hasn't bothered with 3DS because his / her "customers dont understand whats going on". With an attitude like that, I suspect sales may take a dip for other reasons.

 

[rekhib]

@mathepac, I honestly think that merchants tend to avoid using it because it affects conversion rates. On our sites, we use it, because we sell high ticket items. But, if we were selling low ticket, high volume items, we would probably abandon it because that's where the pips really matter. I've had the same experience as you, I have 3DS activated on my own personal card and I've only ever been presented with it on 2 websites. As I say, I think it boils down to customer education. As they become more familiar with it (and it begins to impact positively on conversion rates rather than negatively - i.e. when customers expect to see it rather than not), it will be more widely implemented by merchants. Its ability to prevent fraud isn't in question but at the moment, for most merchants, the trade-off against conversion rate is too high to warrant implementation.

 

[soma]

If you can request an official document ID, passport number, driving licence number, ppsn, that will cut down on fraud because they're highly traceable documents.

Putting myself in the customer's shoes for a moment. If I bought something online and then I recieved an email requesting a scanned document or PPSN - I think my gut reaction would be: Has my transaction been comprimised and someone is trying to pull identify theft on me? I'd go buy somewhere else.

The other thing you can do is not auto-settle your transactions and then throw a cursory glance over the day's transactions to see if anything jumps out.

Yeah the batches dont go thru till midnight. But as I was saying in my OP - theres a transaction today that I KNOW is fraudulent (because the address has already been involved in a chargeback) and yet neither Realex nor Elavon can see anything wrong with it and are giving me the thumbs up - how is anyone else supposed to know..?

Make sure you cross-reference the customer's IP address with the country that they say they're from.

Yes we also do this but its also so easy to spoof your IP.

 

[soma]

Mathepac I would like to know from what vendor experience you are talking from - my guess is zilch, and that you are extrapolating your own skill/knowledge levels to the average web user.

I registered 2 cards for 3DS some years ago but since registration only a tiny number of online transactions have activated the additional check.

Yes you (and I as a matter of fact) may be comfortable with this added level of security and enable it - but at a guess I would say you are very computer literate and comfortable with the workings of the online world.

Guess what, 99.9% of our customers are NOT people like you. They are people who are intimidated by simple forms, spook very easily, there are grandmothers who are trying to place orders after taking a local computer course etc.

This ties in with the reason why OP hasn't bothered with 3DS because his / her "customers dont understand whats going on". With an attitude like that, I suspect sales may take a dip for other reasons.

Thanks for the jibe - and what other reasons might these be, or are you just in a bad mood..?

We take conversion VERY seriously and we rigorously test - we are the best at it in our niche, no mean feat in the current climate where I see a lot of the competition throwing in the towel.

You throw something like 3DS on a website that isn't selling something like computer parts - and watch your sales implode. Adding an extra field in a form hurts your conversion rate, nevermind a jarring user experience like 3DS/VBV. One of the Irish online flower sites had to pull these extra steps off their site as sales collapsed.

 

[gezza1]

Soma
you are so right about these companies we do all the work but the credit companies never get caught, just today I got another 2 chargebacks from the bank.
We have got some luck with the guards and have caught a few people but sure what do they get but a slap on the wrists! Next week they are back trying it again.
When speaking to the guards I asked about getting online companies together to share this sort of information but was told it’s against the private data act or something!
and yes 3D has been proved to slow down sales for online companies!