Security The Almighty Buck United States

Who Pays For Credit Card Breaches? 313

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing. 'The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"
  • by Iridium_Hack ( 931607 ) on Tuesday February 20, 2007 @02:51PM (#18085198)

    As one who has worked part-time in a retail store for extra cash on top of my day job, I've found most customers nowadays prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask ID unless it's AE or the card isn't signed."

    Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

  • Having owned a store (Score:5, Interesting)

    by JohnnyComeLately ( 725958 ) on Tuesday February 20, 2007 @03:03PM (#18085402) Homepage Journal
    I would say it's set up correctly. Sure VISA makes Billions and merchants eat fraud, but it's really the best point to do it. And, technically, I already do it with Checks (the reason a lot of people don't take them). Some storeowners don't get it and think credit cards are "magic"...they can take all the cards they want and money appears (minus a 5-15% fee) in their bank account. They don't realize they can minimize by: ACTUALLY CHECKING THE SIGNATURE!!!, suggest Debit over Credit (if it's both, their fees are less if it runs as an ATM, and security is better!). But it's the same as anything else in life: If you're uneducated you will always pay more.

    Got suckered into a 15 year AARM mortgage with a pre-pay penalty and balloon payment? Education. Paid $30k for a Ford truck (which immediately dropped to a $19k wholesale value) and are upside down in value? Education. If there's one lesson...just one lesson...I could boil my entire MBA, stock market, and general life experience (regarding business) into:

    He who has the most accurate and timely information wins.

    Coming back around full circle: This is why merchants should be responsible (and their banks). It forces them (and me!) to educate myself and minimize EVERYONE's risk. A previous owner left draft information for bank auto withdrawal in a binder, on the desk, by the door, for all his customers. Huge fraud potential. Some leave credit card information in the store after the day of sale. Huge fraud potential. I could go on, but I've proven the premise for my conclusion: You have to be active and reduce your costs through fraud prevention. How can I reasonably hold VISA accountable when I'm a merchant stupid enough to charge a card with someone else's name (I've seen guys try to use their wife's card....Dudes do not look like a "Wendy" to me).

    On the flip side, I had a merchant pissed because I called in a charge back. Yeah he was pissed, because chargebacks increase fees a bank charges....but I guarantee you he'll call next time he does an unauthorized pre-pay on my card. I manage a tech support department and we follow the policy I told him he should follow to reduce costs: Always call someone before you charge their card. In my case, he charged a 2nd $700 and then my wife said, "Should there be a 2nd one?" I said, "Nope" (not thinking two steps past why she asked) and so she called the credit card to charge it back. Whole thing could have been avoided.

    So there you have it...I've mentioned my perspective from personally being both sides of the "coin" (and being accountable for the $$)....and I'd say the system is set up efficiently, and for the most part, fairly.

  • by hellfire ( 86129 ) <deviladvNO@SPAMgmail.com> on Tuesday February 20, 2007 @03:29PM (#18085856) Homepage
    I'm absolutely shocked by the ignorance of some people about credit cards. Now I'm not talking about a Joe on the street, I'm talking about people taking the orders. Many merchants favor convenience over everything else.

    For example, in the order processing system I support, we mask the first 12 digits of the credit card when you retrieve an existing order. It didn't always do that, but it eventually did as part of an upgrade to comply with the PCI standards above. That makes sense, lots of systems started doing that even before the standards and now all of them do. But one guy wanted to argue with me that it will hurt his customer service because he can't read the card number. I explained to him that it's out of my control and that Visa imposed these restrictions on all computer systems and you can't buy a system that doesn't have this feature any more. Furthermore, merchants and software companies could be fined by Visa if they didn't have these restrictions.

    I was going to explain why Visa mandated the change and explain card security when he demanded: "We'll take the chance, change it back." If I were his customer, I'd have yanked my business, knowing that it's an easy inside job for him to steal my credit card.

    Also, it's happened to me twice recently, where two major chains I visited (Superfresh and Target) took my card and made me sign an electronic signature capture device for my signature. In both cases, the signature pad and/or pen was broken and was basically reading garbage. I could not write my signature. In both cases they said "we don't need your signature" and just ushered me out of line. Okay they are major chains, and could eat a charge now and then, but hell you would think they would care about their signature pads a little more. Maybe close the line or have replacements on hand to easily swap out. Everyone going through that line that day was a potential risk to the merchant for a chargeback, just because they didn't capture a proper signature. And that exposes me as well because I'm unable to sign my signature which leaves me open for question when signing other receipts.

    The way security works now in credit cards I feel is good, and it's designed to increase the security on integrated systems. 80 to 85% of credit card number theft is an inside job. People stealing card numbers and internal information, and computers just make it easier to do that without restrictions on said computer. The merchant doesn't care if you get hit with fraud. Visa cares because if their cards are insecure, no one will use them. So Visa makes the merchants care by assigning responsibility to them, because that's where most fraud occurs. It's very logical.
  • by Anonymous Coward on Tuesday February 20, 2007 @03:37PM (#18086000)
    My friend had a cashier's check given to him by a 3rd party for a car he was selling. He took the check and deposited it into his account with a bank that sounds like TNC and is located in PA. Check clears, so he pulled out the money and used it to buy a different car. Life seems good. A night or two later him and I decide to go shoot some pool and get some wings. He checks his account online, only to find it's nearly 3 grand in the hole. After a few rounds of calls to "TNC" he finally learns the cashier's check was a fake. Guess who's stuck with the loss even though THE CHECK CLEARED??? Not the bank! After some researching we've sorta figured out in the US and Canada, just because a check has cleared does not mean the check is legit and valid... apparently the clearing "process" is just a damn joke and is just a delay for you to get your money, not time used to check everything is correct.

    After contacting the local police and being passed over to the local FBI branch he came to learn this had happened a few times before in our area. I just hope the other banks actually protect their customers better than "TNC". Needless to say he switched banks after that, and when I moved my girlfriend into the dorms at *P*itt I yelled at the people pretending to be helpers for the freshman but who were really trying to get you to sign up at "TNC". Guess you could say lesson learned the hard way.
  • by Kadin2048 ( 468275 ) <slashdot.kadin@xox y . net> on Tuesday February 20, 2007 @03:40PM (#18086050) Homepage Journal
    Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.

    This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.


    They start to care when the amount of money exceeds trivial amounts, though. Not too long ago, I spent some time living in a house with a few guys (*cough* Craigslist *cough*). One of the other people in the house was actively engaged, I suspected, in some type of shady dealing. Needless to say, I moved out in a heck of a hurry. As it all came out later, this not-too-bright fellow thought he had discovered the perfect scheme: he was copying credit card numbers down at work, and then using them to buy things online, which he had shipped to various empty houses, and then he'd go and pick the stuff up later, and pawn or fence it on eBay. (And this is pretty much all I know about it; I don't quite get how he was getting the billing zip codes, which are usually required, or anything else.)

    He got away with it for quite a while, too -- somewhere around six months, maybe more -- probably because he never used the same card more than once, never bought stuff from the same online store, and never charged more than $100 or so per card. But eventually the credit card companies must have caught on, and run all the accounts that had disputed charges through some sort of filter, and figured out that the common thread was the retail establishment where he worked. One day, according to the story I heard, they just walked in and arrested him. They had a stack of photos of him picking up packages from other people's houses, plus transaction details from the various merchants with the stolen CC numbers and the shipping addresses.

    So both the credit card companies and the police have some level of interest in going after people engaged in fraudulent activity, but the bar seems to be pretty high. I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was, but it must have been in the thousands of dollars, perhaps tens of thousands.

    In this case, I don't see how the merchants would have ever caught on; to all the places where things were ordered, it looked just like a regular transaction. It was only at the CC back offices, where they had the ability to cross-reference all the suspect accounts and see that they had all visited the same store within the past 24-48 hours (or whatever, I assume this is how they caught on), that they had the capability of doing anything. To push the financial burden out to the merchants, probably would have meant that he could have gotten away even longer.
  • The Power of Cartels (Score:5, Interesting)

    by yintercept ( 517362 ) on Tuesday February 20, 2007 @03:43PM (#18086108) Homepage Journal
    Expanding on this thread. The credit card cartels actually benefit from the fraud since they can slam merchants with fees.

    If there were competition in the credit card business, then merchants could choose different merchant services, or have more say in which cards get used.

    One way for merchants to deal with credit card fraud would be for merchants to tack different service fees on to different cards. A merchant might charge a 1 percent fee on checks or debit cards, a 3 percent fee on card A, a 4% fee on card B (which seems more prone to fraud), a 5% fee on card D (which requires higher merchant fees).

    As it stands, of course, the credit card companies prevent merchants from the one logical course of action in the light of credit card fraud ... charging fees based on the performance of the payment method.

    The power of a cartel is that what goes around never comes around. And you get to take a percent of what goes around.
  • Anecdote (Score:5, Interesting)

    by king-manic ( 409855 ) on Tuesday February 20, 2007 @03:49PM (#18086200)
    My family owns a very small Chinese food place. We had a mastercard account. My parents were Luddites and refused to upgrade to an electronic terminal because they didn't understand how to use it. Our bank/merchant account reseller dropped the imprinter process and implemented a complicated IVR. My sister registered a transaction on the IVR for 62.86. The IVR registered it as 44,400.00 instead. We got a notice about it after and co-operated in resolving it for our customer. Despite the fact it was an obvious mistake and was greater than the actual limit of the customer's card we got a charge back of $2456.00. Which is more than the total MC orders we get in a year. We tried for weeks to address this since we were sure it was an IVR error, especially since it exceeded the customer's limit. But we had no course of action to resolve it as an error. We were stuck with a $2456.00 chargeback because the IVR either had a bug or did not do a proper check on the amount. We dropped MC support and dropped all of our MC cards because of this. But it won't protect merchants from other arbitrary decisions Visa/MC/AMEX make.
  • Re:Misses the point (Score:3, Interesting)

    by planetmn ( 724378 ) on Tuesday February 20, 2007 @04:00PM (#18086414)
    As a former retailer, I very well know the frustrations of a chargeback that comes out of nowhere. As a consumer, I've found that it's quite easy to deny a charge for very little reason.

    It's also quite easy to shoplift from a lot of stores, to back into somebody's car and just drive off, etc. Just because something is easy, doesn't mean that people take advantage of it.

    Every chargeback I have made has been completely legitimate. One of the reasons I pay for everything on a credit card is the security it provides me. Once a merchant didn't want to obey their return policy, so I left the store and disputed the charge, got my money back. Another time, a service provider decided he deserved more of a tip than I gave them (he even called me after the chargeback and tried to argue that he deserved the additional money), again, I got my money back. I don't bother arguing with customer service anymore. If they don't follow their own return policy, I'll say thank you, walk out, and dispute the charge.

    Sure, if the system is being abused, then I feel bad for the merchant. I don't personally know the percentage of instances where a chargeback is not warranted, but given to the consumer, but if as a merchant it costs you too much, don't accept credit cards.

    -dave
  • by swillden ( 191260 ) * <shawn-ds@willden.org> on Tuesday February 20, 2007 @04:50PM (#18087188) Journal

    Just one general comment: Anyone who talks about "credit card companies" doesn't know what they're talking about. Those who understand the credit card industry call them by their real name: "banks".

    Visa and Mastercard are not companies in the normal sense at all, they're consortia of member banks, and they're primarily funded by dues paid by the members. They're clubs, basically, whose primary job is to establish standards so that their members can interoperate (issuing bank A's card can be read by acquiring bank B's machines and the two can communicate to authorize the transaction and arrange payment).

    Note that there *are* Visa and Mastercard corporations, but they're just regional organizations established to manage the work of the club. Some of these corporations also own transaction processing intermediaries and various other supporting businesses, but those are strictly penny ante compared to the money they get from dues which, in turn, is minuscule compared to the money issuers and acquirers make from finance charges and transaction fees.

  • by The Outbreak Monkey ( 581200 ) on Tuesday February 20, 2007 @06:16PM (#18088588)
    Here is what I think you are missing:
    If he gets a charge back, HE has to eat the cost. He asks you to show your ID so that he can verify that the transaction probably isn't fraudulent.

    So what if Mastercard says it isn't OK...give the guy a break and give him a little reassurance. It's no skin off your back, and it helps him out. Is your time really so important that you can't flash your ID for 2 seconds?

    (I think) He called you an asshole because you'd rather point out page numbers of credit card contracts and argue with him, instead of cutting him a little slack by taking 2 seconds to prove that you own the card.

    I mean really, what is the big deal?

    Who cares what Mastercard says about showing your ID...we are talking about customers putting food on the merchant's table, and we are talking about thieves trying to take it off the table. Give him a break and help him figure out if you are a customer or a thief.

    That's how us non-assholes think.

    Peace.
  • by Scudsucker ( 17617 ) on Wednesday February 21, 2007 @02:52AM (#18093200) Homepage Journal
    Asking you to abide by terms of a contract you signed, is an unreasonable thing?

    It is if the contract is totally unreasonable and you have to either sign the contract or go out of business.
  • Re:Anecdote (Score:3, Interesting)

    by jrumney ( 197329 ) on Wednesday February 21, 2007 @07:17AM (#18094204)
    My brother was once mistakenly charged $12,000,000 on his debit card, putting him $11,999,000 in overdraft. This happened on a Friday afternoon. The following week, he spent 3 days trying to find someone at the bank with sufficient authority to reverse the charge, and a further couple of days trying to get the $20,000 in interest charges credited back (which did not happen automatically after they reversed the $12mil). The merchant in this case was the bank itself - he had ordered a new customised card, which was supposed to have a $12 fee. So I'd keep fighting for that $2456 if I was you - try small claims court. This sort of thing does happen, and it often is the bank/credit card company's fault, especially when it well exceeds the limits that are supposed to protect the customer from silly charges.
  • Re:Anecdote (Score:3, Interesting)

    by king-manic ( 409855 ) on Wednesday February 21, 2007 @01:26PM (#18097874)
    Thank you for the suggestion. I think we'll move on. The legal fees would exceed the amount to be recouped. I'm in Canada and we have a loser pays system. The bank themselves were somewhat gracious but Visa itself was being bullies. The bank waived their commission on the transaction but Visa was the one demanding their cut. Small claims may not incur very much legal fees but the loser pays system doubles it if we lose and a win would recoup less than the $2456. We'd spend the time and labour; and then still face the possibilities of losing and losing the legal fees of both parties.
