Who Pays For Credit Card Breaches?
PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing." "The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs..."
Should improve Customer service (Score:2, Interesting)
As one who has worked part-time in a retail store for extra cash on top of my day job, I've found most customers nowadays prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask ID unless it's AE or the card isn't signed."
Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?
Having owned a store (Score:5, Interesting)
Got suckered into a 15 year AARM mortgage with a pre-pay penalty and balloon payment? Education. Paid $30k for a Ford truck (which immediately dropped to a $19k wholesale value) and are upside down in value? Education. If there's one lesson...just one lesson...I could boil my entire MBA, stock market, and general life experience (regarding business) into:
He who has the most accurate and timely information wins.
Coming back around full circle: This is why merchants should be responsible (and their banks). It forces them (and me!) to educate myself and minimize EVERYONE's risk. A previous owner left draft information for bank auto withdrawal in a binder, on the desk, by the door, for all his customers. Huge fraud potential. Some leave credit card information in the store after the day of sale. Huge fraud potential. I could go on, but I've proven the premise for my conclusion: You have to be active and reduce your costs through fraud prevention. How can I reasonably hold VISA accountable when I'm a merchant stupid enough to charge a card with someone else's name (I've seen guys try to use their wife's card....Dudes do not look like a "Wendy" to me).
On the flip side, I had a merchant pissed because I called in a charge back. Yeah he was pissed, because chargebacks increase fees a bank charges....but I guarantee you he'll call next time he does an unauthorized pre-pay on my card. I manage a tech support department and we follow the policy I told him he should follow to reduce costs: Always call someone before you charge their card. In my case, he charged a 2nd $700 and then my wife said, "Should there be a 2nd one?" I said, "Nope" (not thinking two steps past why she asked) and so she called the credit card to charge it back. Whole thing could have been avoided.
So there you have it...I've mentioned my perspective from personally being both sides of the "coin" (and being accountable for the $$)....and I'd say the system is set up efficiently, and for the most part, fairly.
Slightly OT about merchants eating charges (Score:3, Interesting)
For example, in the order processing system I support, we mask the first 12 digits of the credit card when you retrieve an existing order. It didn't always do that, but it eventually did as part of an upgrade to comply with the PCI standards above. That makes sense, lots of systems started doing that even before the standards and now all of them do. But one guy wanted to argue with me that it will hurt his customer service because he can't read the card number. I explained to him that it's out of my control and that Visa imposed these restrictions on all computer systems and you can't buy a system that doesn't have this feature any more. Furthermore merchants and software companies could be fined by Visa if they didn't have these restrictions.
I was going to explain why Visa mandated the change and explain card security when he demanded: "We'll take the chance, change it back." If I were his customer, I'd have yanked my business, knowing that it's an easy inside job for him to steal my credit card.
Also, it's happened to me twice recently, where two major chains I visited (Superfresh and Target) took my card and made me sign an electronic signature capture device for my signature. In both cases, the signature pad and/or pen was broken and was basically reading garbage. I could not write my signature. In both cases they said "we don't need your signature" and just ushered me out of line. Okay they are major chains, and could eat a charge now and then, but hell you would think they would care about their signature pads a little more. Maybe close the line or have replacements on hand to easily swap out. Everyone going through that line that day was a potential risk to the merchant for a chargeback, just because they didn't capture a proper signature. And that exposes me as well because I'm unable to sign my signature which leaves me open for question when signing other receipts.
The way security works now in credit cards I feel is good, and it's designed to increase the security on integrated systems. 80 to 85% of credit card number theft is an inside job. People stealing card numbers and internal information, and computers just make it easier to do that without restrictions on said computer. The merchant doesn't care if you get hit with fraud. Visa cares because if their cards are insecure, no one will use them. So Visa makes the merchants care by assigning responsibility to them, because that's where most fraud occurs. It's very logical.
You'd think the same with cleared checks, but no (Score:1, Interesting)
After contacting the local police and being passed over to the local FBI branch he came to learn this had happened a few times before in our area. I just hope the other banks actually protect their customers better than "TNC". Needless to say he switched banks after that, and when I moved my girlfriend into the dorms at *P*itt I yelled at the people pretending to be helpers for the freshman but who were really trying to get you to sign up at "TNC". Guess you could say lesson learned the hard way.
I've seen it happen. (Sort of.) (Score:5, Interesting)
This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.
They start to care when the amount of money exceeds trivial amounts, though. Not too long ago, I spent some time living in a house with a few guys (*cough* Craigslist *cough*). One of the other people in the house was actively engaged, I suspected, in some type of shady dealing. Needless to say, I moved out in a heck of a hurry. As it all came out later, this not-too-bright fellow thought he had discovered the perfect scheme: he was copying credit card numbers down at work, and then using them to buy things online, which he had shipped to various empty houses, and then he'd go and pick the stuff up later, and pawn or fence it on eBay. (And this is pretty much all I know about it; I don't quite get how he was getting the billing zip codes, which are usually required, or anything else.)
He got away with it for quite a while, too -- somewhere around six months, maybe more -- probably because he never used the same card more than once, never bought stuff from the same online store, and never charged more than $100 or so per card. But eventually the credit card companies must have caught on, and run all the accounts that had disputed charges through some sort of filter, and figured out that the common thread was the retail establishment where he worked. One day, according to the story I heard, they just walked in and arrested him. They had a stack of photos of him picking up packages from other people's houses, plus transaction details from the various merchants with the stolen CC numbers and the shipping addresses.
So both the credit card companies and the police have some level of interest in going after people engaged in fraudulent activity, but the bar seems to be pretty high. I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was, but it must have been in the thousands of dollars, perhaps tens of thousands.
In this case, I don't see how the merchants would have ever caught on; to all the places where things were ordered, it looked just like a regular transaction. It was only at the CC back offices, where they had the ability to cross-reference all the suspect accounts and see that they had all visited the same store within the past 24-48 hours (or whatever, I assume this is how they caught on), that they had the capability of doing anything. To push the financial burden out to the merchants, probably would have meant that he could have gotten away even longer.
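The cross-referencing this comment guesses at is commonly called common-point-of-purchase analysis. As an added illustration (not part of the original comment, and not any card network's actual system), the Python below ranks merchants by the share of disputed cards swiped there shortly before each card's first disputed charge, against a baseline of undisputed cards; the card names, merchant names, timestamps and scoring are constructed assumptions, and the 48-hour window follows the comment's guess.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: card-present swipes as (card, merchant, time).
SWIPES = [
    ("card1", "GroceryMart", T("2007-03-01 10:00")),
    ("card1", "RetailerX",   T("2007-03-02 18:00")),
    ("card2", "RetailerX",   T("2007-03-05 12:00")),
    ("card2", "GasStop",     T("2007-03-05 13:00")),
    ("card3", "GroceryMart", T("2007-03-09 08:00")),
    ("card3", "RetailerX",   T("2007-03-09 09:30")),
    ("card4", "GroceryMart", T("2007-03-03 11:00")),
    ("card4", "GasStop",     T("2007-03-04 08:00")),
    ("card5", "GroceryMart", T("2007-03-06 17:00")),
    ("card6", "GroceryMart", T("2007-03-07 12:00")),
]
# Constructed: card -> time of its first disputed charge.
DISPUTES = {
    "card1": T("2007-03-03 20:00"),
    "card2": T("2007-03-06 23:00"),
    "card3": T("2007-03-10 02:00"),
}

def common_points(swipes, disputes, window=timedelta(hours=48)):
    """Return (merchant, disputed_share, baseline_share, score) rows, best first.

    disputed_share: fraction of disputed cards swiped at the merchant within
    `window` before their first disputed charge. baseline_share: fraction of
    undisputed cards swiped there at all, so a merely popular store scores low.
    """
    hit, base = defaultdict(set), defaultdict(set)
    clean = {card for card, _, _ in swipes} - disputes.keys()
    for card, merchant, when in swipes:
        if card not in disputes:
            base[merchant].add(card)
        elif timedelta(0) <= disputes[card] - when <= window:
            hit[merchant].add(card)
    rows = []
    for m in set(hit) | set(base):
        d = len(hit[m]) / len(disputes) if disputes else 0.0
        b = len(base[m]) / len(clean) if clean else 0.0
        rows.append((m, round(d, 2), round(b, 2), round(d - b, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in common_points(SWIPES, DISPUTES):
        print(row)
```

No single online merchant holds more than one row of this table, which is why the join can only be done where card histories are visible across merchants.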
The Power of Cartels (Score:5, Interesting)
If there were competition in the credit card business, then merchants could choose different merchant services, or have more say in which cards get used.
One way for merchants to deal with credit card fraud would be for merchants to tack different service fees on to different cards. A merchant might charge a 1 percent fee on checks or debit cards, a 3 percent fee on card A, a 4% fee on card B (which seems more prone to fraud), a 5% fee on card D (which requires higher merchant fees).
As it stands, of course, the credit card companies prevent merchants from the one logical course of action in the light of credit card fraud
The power of a cartel is that what goes around never comes around. And you get to take a percent of what goes around.
Anecdote (Score:5, Interesting)
Re:Misses the point (Score:3, Interesting)
It's also quite easy to shoplift from a lot of stores, to back into somebody's car and just drive off, etc. Just because something is easy, doesn't mean that people take advantage of it.
Every chargeback I have made has been completely legitimate. One of the reasons I pay for everything on a credit card is that security it provides me. Once a merchant didn't want to obey their return policy, so I left the store and disputed the charge, got my money back. Another time, a service provider decided he deserved more of a tip than I gave them (he even called me after the chargeback and tried to argue that he deserved the additional money), again, I got my money back. I don't bother arguing with customer service anymore. If they don't follow their own return policy, I'll say thank you, walk out, and dispute the charge.
Sure, if the system is being abused, then I feel bad for the merchant. I don't personally know the percentage of instances where a chargeback is not warranted, but given to the consumer, but if as a merchant it costs you too much, don't accept credit cards.
-dave
Re:The Power of Cartels (Score:3, Interesting)
Just one general comment: Anyone who talks about "credit card companies" doesn't know what they're talking about. Those who understand the credit card industry call them by their real name: "banks".
Visa and Mastercard are not companies in the normal sense at all, they're consortia of member banks, and they're primarily funded by dues paid by the members. They're clubs, basically, whose primary job is to establish standards so that their members can interoperate (issuing bank A's card can be read by acquiring bank B's machines and the two can communicate to authorize the transaction and arrange payment).
Note that there *are* Visa and Mastercard corporations, but they're just regional organizations established to manage the work of the club. Some of these corporations also own transaction processing intermediaries and various other supporting businesses, but those are strictly penny ante compared to the money they get from dues which, in turn, is minuscule compared to the money issuers and acquirers make from finance charges and transaction fees.
Re:Should improve Customer service (Score:2, Interesting)
If he gets a charge back, HE has to eat the cost. He asks you to show your ID so that he can verify that the transaction probably isn't fraudulent.
So what if Mastercard says it isn't OK...give the guy a break and give him a little reassurance. It's no skin off your back, and it helps him out. Is your time really so important that you can't flash your ID for 2 seconds?
(I think) He called you an asshole because you'd rather point out page numbers of credit card contracts and argue with him, instead of cutting him a little slack by taking 2 seconds to prove that you own the card.
I mean really, what is the big deal?
Who cares what Mastercard says about showing your ID...we are talking about customers putting food on the merchant's table, and we are talking about thieves trying to take it off the table. Give him a break and help him figure out if you are a customer or a thief.
That's how us non-assholes think.
Peace.
Re:Should improve Customer service (Score:2, Interesting)
It is if the contract is totally unreasonable and you have to either sign the contract or go out of business.
Re:Anecdote (Score:3, Interesting)
Re:Anecdote (Score:3, Interesting)