I've really had my eyes opened today as to how vulnerable online merchants are to credit card chargebacks/fraud. Essentially, from what I can tell, everyone in the payment chain abdicates responsibility and the Merchant gets stuck with the bill.
Here is our (pretty standard AFAIK) setup.
Merchant Site > Payment Processor (Realex) > Acquiring Bank (Elavon/BOI)
By definition, we are the weakest link (information-wise) in this chain.
So we have several fraudulent transactions that have emerged - the credit card company has begun issuing chargebacks. For each transaction:
1) Realex "approved" the transaction (more on this later)
2) Elavon (Bank Of Ireland) approved the transaction
3) Goods delivered and signed for by courier
4) Chargeback occurs - cardholder says card details must have been stolen from them etc.
Sounds like what you'd think is a fairly 'secure' situation for the Merchant? Not on your life. Guess who's liable? Us.
To be honest this is an appalling situation - the Cardholder name wasn't even correct on the transactions and yet (a) this gets thru both Realex & Elavon and (b) we pick up the tab even though we pay both of these companies for "services".
One of the fraudsters just put thru another transaction, and lo and behold it gets thru both Realex & Elavon. So as a test, I phoned both companies to get their take on this transaction.
Me: Transaction info
Realex: "Looks fine - and Elavon also approved it."
Me: Was the Cardholder name at least validated? Does the address match up?
Realex: "Well unless you use 3D secure, we don't really do any authorization/validation...."
Me: Stunned
Me: But if there's a chargeback later, after all these approvals, we're liable?
Realex: Yup.
Note: If you use 3D on your site, your sales will collapse, customers don't understand what's going on.
Calling Elavon:
Me: Explain situation
Elavon: "Well if you give me the customer's credit card number I might be able to find out more details"
Me: We (and most retailers, unless you're huge) don't store or ever see people's credit card details. We'd be mad to.
Elavon: Nothing we can do or tell you then..
Me: But you've approved this transaction?
Elavon: Yes
Me: But if it's fraudulent, and I've sent out the goods, we're liable?
Elavon: Yes
Both companies basically told me that for all the bells and whistles about "processing transactions securely" that it comes down to this: my eyes.
I have to look at a name, an address and an order and "magically" determine the true validity of an 'authorised' transaction. If I get it wrong, I am out of pocket (just like right now) for up to several thousand euro.
This is appalling to say, but I now have to 'racially profile' orders. And I feel sick to my stomach having to do this because foreigners living in Ireland are our best (and often also our nicest) customers. But all our fraud is emanating from 'customers' with names from a distinctive region.
Is there anyone here operating web payments that they actually have some faith in? An approvals process you can actually trust? If so, can you please let me know what your setup is?
Is this unique to Ireland?
One thing - I'm sure the natural reaction of some of you will be: you have the person's house where the goods were delivered to - surely the guards will be taking it from there etc.
Of course we will be chasing this angle up, but (1) based on daft.ie these addresses appear to be empty rentals that are being used to stage deliveries (2) the last involvement we had with the guards, we handed them CCTV footage of a theft in action with close-up faces and a car registration. Nothing even remotely happened.