Who Pays For Credit Card Breaches?

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing." "The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"

The customer pays. Always.

[Anonymous Coward]

The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card.

Re:

[HomelessInLaJolla]

The only notable thing here is that all customers pay, not just the ones who use a credit card

Some pay more equally than others, though. It works like a pyramid scheme. The government uses the same principle: it is the reason why we have hundreds of different hidden taxes in thousands of different places.

"We screw the other guy to pass the savings on to you."

Re:

[redelm]

Yes of course some customers pay more. It's called "market segmentation". Different people pay different amounts in an attempt to capture the range of consumer utility while maintaining volume.

Re:

[ShieldW0lf]

Of course the customers just pay more. If they're dealing with a huge corporation that can absorb all these losses, raise their rates and have customers with no option but to return.

Of course, if you run your own business making and selling high ticket items, and you need the money from your sales to buy supplies and cover your cost, it's not the same.

You can't double the cost of what you sell next to recoup the loss when someone rips you off on one of those high ticket items, no one would buy it.

This trea

Re:

[redelm]

There are differences between big & small businesses, particularly their ability to spread extra-ordinary losses over more/fewer customers.

However, the customer still pays in the long run even with small biz: if an industry is prone to large risks of loss, it will attract far fewer entrepreneurs, and those it does attract will demand margins to cover the losses.

Re:

[jrp2]

"The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card."

All good points, but you are missing one major issue. The customers of the companies that put proper safeguards in place (check ID/shipping Address, firewalls, etc.) do not have to pay, or pay as much at least.

Therefore, those companies are able to charge less for the same g

Re:

[sqlrob]

The merchant gives the credit card company money.

To offset that, the prices are raised. So yes, the customer pays.

Re:The customer pays. Always.

[Bastard of Subhumani]

To offset that, the prices are raised.

If the market would stand that higher price, why wasn't it being charged to start with? Conversely, if the market won't stand it, then lower volume (yada elasticity yada) could mean the merchant makes even less money.

Re:

[gfxguy]

The prices are raised, and the consumers shop elsewhere.

Fact is, it's usually the merchants fault. Or, at least in my case, where every single fraudulent purchase I've had made with my cards (and there's been a lot, sadly) have come, 100% of the time, from merchants who didn't verify the card owner when the shipping address was different than the billing address.

Keep in mind, credit card fraud is different from identity theft. I've had my identity stolen, too. You may now be thinking I'm an idiot that do

Re:

[ResidntGeek]

Where do you think the merchant gets his money? That's right, from the customers. So, if the merchant loses a lot of money to credit card fraud, how do you think he recovers the money? By selling his penis on ebay?

Misses the point

[currivan]

The merchant who accepts the fraudulent charge eats the chargeback, not the one whose site is hacked. How does this encourage information security?

Re:

[Scott Lockwood]

It doesn't. It makes Visa and Mastercard more profitable, however, which is what they care about.

Re:Misses the point

[letxa2000]

As a merchant, this is very annoying. If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

To pay extortionate discount charges on every transaction and not even be able to trust that the charge is legitimate is abusive on the part of Visa/Mastercard. What's worse, a chargeback comes with a chargeback fee. So not only does Visa/Mastercard not get harmed by fraud, it profits from it. As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

Mod parent up!

[khasim]

As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

EXACTLY!

Instead of working out a BETTER SYSTEM, they just pushed the fiscal responsibility for the FLAWED SYSTEM to the merchants.

The merchants are the ones LEAST ABLE to fix the existing system or implement a better system or validate that the transaction is legit.

The ONLY people that this is good for is Visa/Mastercard. They make huge profits without the risk.

The Power of Cartels

[yintercept]

Expanding on this thread. The credit card cartels actually benefit from the fraud since they can slam merchants with fees.

If there were competition in the credit card business, then merchants could choose different merchant services, or have more say in which cards get used.

One way for merchants to deal with credit card fraud would be for merchants to tack different service fees on to different cards. A merchant might charge a 1 percent fee on checks or debit cards, a 3 percent fee on card A, a 4% fee on card B (which seems more prone to fraud), a 5% fee on card D (which requires higher merchant fees).

As it stands, of course, the credit card companies prevent merchants from the one logical course of action in the light of credit card fraud ... charging fees based on the performance of the payment method.

The power of a cartel is that what goes around never comes around. And you you get to take a percent of what goes around.

Re:

[swillden]

Just one general comment: Anyone who talks about "credit card companies" doesn't know what they're talking about. Those who understand the credit card industry call them by their real name: "banks".

Visa and Mastercard are not companies in the normal sense at all, they're consortia of member banks, and they're primarily funded by dues paid by the members. They're clubs, basically, whose primary job is to establish standards so that their members can interoperate (issuing bank A's card can be read by acq

Re:

[bastion_xx]

There are better systems, just ask our Europeans counterparts. It's near impossible to buy anything in the UK (and I assume other EU countries) where the merchant does not have chip/PIN capability. Chip cards significantly reduce the risk to the merchant, and thereby reduce the discount rate paid, and provides the merchant with more chargeback rights.

Granted, if the merchant puts out a Visa or MC logo, they still have to honor swiped transactions (not withstanding that one Brick Lane curry house that kept s

Re:

[mike2R]

If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400

Re:Misses the point

[letxa2000]

You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but lets face it many aren't.

I have looked at it from their perspective and it still doesn't make sense. If someone has a history of lots of chargebacks, that merchant gets canned anyway. If I'm entering ship-to and bill-to addresses into the system and if there's something that makes them (or their computers) uncomfortable, have the merchant call in for verbal authorization where the risks are explained to the merchant and/or Visa/Mastercard can say that they won't take responsibility for the charge.

I'm not opposed to a merchant being expected to be honest enough to do due diligence. If I ship something to Nigeria and expect Visa/Mastercard to pay me, and it turns out to be fraudulent, they have a right to ask me what documentation or evidence I have that I made an honest effort to be reasonably sure the transaction was valid. If I failed to do that, they can expect me to pay for it. But if there's nothing Nigeria-like about the transaction, nothing raises my suspicion, I submit the card to Visa/Mastercard and they authorize it and confirm the zip code and CSV matches, I've done all I can. To then turn around and say, "Yeah, we know we told you the charge was authorized, we know you have the right address, zip code and CSV, but what do you know... our system sucks and even though you obviously have all the right data you could possibly provide, we're still holding you responsible."

If a merchant is fraudulently processing charges or is accepting credit cards that are obviously stolen, that's a crime that should be prosecuted in a court of law. Simply assuming all merchants are crooks and arbitrarily taking back money you already gave them is simply not acceptable.

A customer is in the "business" of buying. A merchant is in the "business" of selling. Visa/Mastercard is in the business of facilitating the transaction. That's their business and they need to make sure it works so the buyer and seller can do their business. It is not acceptable to hold either the customer or the merchant responsible for shortcomings in Visa/Mastercard's system. If a merchant gets an authorization number from Visa/Mastercard, that should be a done deal. If it's fraud, Visa/Mastercard needs to eat that charge. If that means raising the discount rate, fine, do it--and let merchants decide whether they're willing to accept credit cards given the real cost of accepting them; or the customers and/or merchants will demand real security.

I've seen it happen. (Sort of.)

[Kadin2048]

Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.

This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.

They start to care when the amount of money exceeds trivial amounts, though. Not too long ago, I spent some time living in a house with a few guys (*cough* Craigslist *cough*). One of the other people in the house was actively engaged, I suspected, in some type of shady dealing. Needless to say, I moved out in a heck of a hurry. As it all came out later, this not-too-bright fellow thought he had discovered the perfect scheme: he was copying credit card numbers down at work, and then using them to buy things online, which he had shipped to various empty houses, and then he'd go and pick the stuff up later, and pawn or fence it on eBay. (And this is pretty much all I know about it; I don't quite get how he was getting the billing zip codes, which are usually required, or anything else.)

He got away with it for quite a while, too -- somewhere around six months, maybe more -- probably because he never used the same card more than once, never bought stuff from the same online store, and never charged more than $100 or so per card. But eventually the credit card companies must have caught on, and run all the accounts that had disputed charges through some sort of filter, and figured out that the common thread was the retail establishment where he worked. One day, according to the story I heard, they just walked in and arrested him. They had a stack of photos of him picking up packages from other people's houses, plus transaction details from the various merchants with the stolen CC numbers and the shipping addresses.

So both the credit card companies and the police have some level of interest in going after people engaged in fraudulent activity, but the bar seems to be pretty high. I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was, but it must have been in the thousands of dollars, perhaps tens of thousands.

In this case, I don't see how the merchants would have ever caught on; to all the places where things were ordered, it looked just like a regular transaction. It was only at the CC back offices, where they had the ability to cross-reference all the suspect accounts and see that they had all visited the same store within the past 24-48 hours (or whatever, I assume this is how they caught on), that they had the capability of doing anything. To push the financial burden out to the merchants, probably would have meant that he could have gotten away even longer.

Re:I've seen it happen. (Sort of.)

[Target Drone]

I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was

They may have figured it out from his IP address. If your on highspeed you IP tends to remain the same for weeks or months at a time. Other providers may be different. The credit card API that I used had an optional field to send through the IP address of the customer making the purchase. If enough online retailers fill in the field then it's pretty obvious that you have charge backs on different CC numbers that were purchased from the same IP address.

Re:

[josquint]

When I worked retail it was company policy to ALWAYS ask for ID and compare signatures on a card to the ID. Due to our credit card processing company making it known that it was OUR reponsibility to verify this, as the end user is the only one that can.

On the flip side of this, I walked into Home Depot and purchased $49 worth of merchandise with a credit card in the SELF CHECKOUT and was NOT REQUIRE TO EVEN SIGN. Anything under $50 does not require a signature. Now how is it even remotely possible for th

Re:

[planetmn]

As a former retailer, I very well know the frustrations of a chargeback that comes out of no-were. As a consumer, I've found that it's quite easy to deny a charge for very little reason.

It's also quite easy to shoplift from a lot of stores, to back into somebody's car and just drive off, etc. Just because something is easy, doesn't mean that people take advantage of it.

Every chargeback I have made has been completely legitimate. One of the reasons I pay for everything on a credit card is that securi

Re:

[planetmn]

If you don't like the system, don't accept the credit cards. Nobody is requiring you to. If you get chargebacks, that's part of the cost of doing business and you have to determine whether or not that is acceptable.

-dave

Re:

[GooberToo]

Because most merchants are given a discount rate based on the agreement that identity will be verified at the time of purchase. Most merchants refuse to do this or ask for information they should NOT to ask for (e.g. phone number or address, both unconfirmed). Please, give a fake address and phone number everyone a clerk asks you for this information. In turn, the merchant expects the issuing bank to eat it because the merchant basically helped steal the product to begin with.

As a result, issuing banks a

Re:

[Dan Ost]

What about on-line merchants? How are they supposed to compare your signature or view you ID?

Seriously, what protections do they have?

Re:

[planetmn]

It's a cost of doing business and a problem that they have to consider. Just like a retail business has to determine if the cost of a storefront and physical presence is worth the cost. If they don't like the risk, don't accept credit cards or don't set up shop.

-dave

Re:

[jfengel]

Yeah, that would sure be nice. I'd really like to see one of the many digital-signature checking systems catch on with merchants. The kind that involve a private key. That would put a lot more on the consumer to protect his keys, but it would take a lot of pressure off the merchant.

Theoretically paypal is such a system. I'm not sure what happens with paypal disputes, but at least it's difficult for somebody to claim that somebody stole their paypal account the way somebody can steal a credit card number,

Re:

[ShibaInu]

Technically neither Visa nor MasterCard is a for profit business. It looks like that is changing, but for most of their history both companies were just a service provider to the various banks that issued credit cards. So it wasn't Visa chasing down the money, it was the bank that issued the card that was.

Re:

[truthsearch]

Both Visa and MasterCard have been operating for-profit for over 10 years. Visa started first, then MasterCard decided they needed to fill their coffers to keep up. I was working at MasterCard when they started to focus more on profits. The change really became a focus at the company after MasterCard lost their application with the US government to be considered a non-profit organization to avoid paying taxes.

Re:

[hackstraw]

It makes Visa and Mastercard more profitable, however, which is what they care about.

OK. A merchant does not have to accept credit card payments at all. Its a choice up to the merchant, and part of that choice involves the complexity of implementing a CC payment system, the cost of a percentage of profits on each transaction to the CC people, but I was under the assumption that the benefits to the merchant were:

1) more customers can buy things

and

2) they are guaranteed payment

Checks can bounce, cash can be

Re:

[planetmn]

Convenience for the customer (could) mean more customers.

I don't carry cash. I charge everything. It keeps my purchases easy to categorize in Quicken, and if there is a problem, I have the security of being able to do a chargeback (retailer won't follow their return policy, etc.). If a store doesn't accept credit cards, I don't shop there. Period.

But like you said, the merchant has a choice whether or not to accept credit cards. If the costs are too high, then they shouldn't accept them.

-dave

Re:

[Erwos]

Clearly, they should have done a better job actually authenticating that the person who did the charge actually is the card owner. Good security doesn't involve just protecting credit card numbers from being stolen - it's trying to prevent those credit cards from being used fraudulently, too.

Re:

[Bryansix]

If you use a virtual terminal on your merchant account and sell stuff over the phone or online then you can only check the fields the merchant bank allows you to check. Even checking name, address, card number, security code etcetera will not prevent fraud in the case of a stolen customer database that would store all of that information.

The retailer is not supposed to store all of that info but many do and many store it insecurely.

Re:

[multimed]

Not to mention whoever got hacked - be it the merchant, MC/Visa or the issuing bank - usually manages to keep the whole thing secret. Even when it's your account info that has been stolen, they won't even admit to you that it has. Of course they justify this because you don't have to pay for fraudulent charges that result. If you catch them in time. And of course it assumes that they can't do anything else with the info. I can accept the fact that they won't ever really pay the cost when they can pass

Re:

[dbaker]

False. Have you ever signed a merchant contract? I have.

The merchant whose billing data was compromised is liable as well -- both for the charges, the cost of replacing cards, and fines by the issuer and/or credit card network.

It's easy to take a bunch of fraudulent charges and see which merchant they have in common to determine the source of the data. Merchants are fined more if they don't disclose a breach of data before the credit card companies discover it.

Business partners

[HomelessInLaJolla]

Credit card companies are branches of banks (who else has money to lend?). They are affiliated, strongly, with insurance and investment companies. Just as any other large corporation when one division suffers a loss then, in nothing more than the ledger book, the losses are distributed amongst the other divisions.

Think about that next time the interest rates on home mortgages goes up, or the premium on the insurance plans, or when the quality of service for medical insurance goes down, or when the price o

Re:

[Ctrl-Z]

Why are credit card rates so high?

Because that's what the market will bear? Credit card companies aren't having any difficulty finding people to lend money to at exorbitant rates.

Federal Reserve is privately owned

[HomelessInLaJolla]

Credit card companies aren't having any difficulty finding people to lend money to at exorbitant rates.

The illusion of a multi-trillion dollar federal debt, passed along to the taxpaying public through taxes, is a convenient business m0del, n'est-ce pas?

Re:

[Rakishi]

Why are credit card rates so high?

Interest rates? Likely there are a lot of cc debts which are simply never paid off. Furthermore its not like anyone has to pay interest rates, its not that hard to realize that CC are not free money and that the balance should be paid off each month. There are some exceptions to that (school, emergencies, etc.) but I doubt most CC interest charges are from them.

Re:

[rainman_bc]

the losses are distributed amongst the other divisions.

Think about that next time the interest rates on home mortgages goes up

That's just ignorant on your part. Interest rates on mortgages are tied to the bond market. Any move in the yield curve will present itself in the mortgage market.

Now mortgage brokers have made lenders so competitive that the spread between bond rates and mortgages should be nominal at best. Mortgage lenders profit by issuing bonds ( borrowing money ) and issuing bonds ( lending b

Re:

[king-manic]

or they are gouging. Ther eis no garentee they are simply charging a fair price. It may nto be collusion but they compete wiht each other and many industries no longer compete on price. They compete only on marketting.

Re:

[Kalriath]

Credit card companies are branches of banks (who else has money to lend?).

Depends what you mean by "credit card company". Mastercard & Visa are not banks, they just rent out their name to banks. It's the bank that issues the cards. Mastercard & Visa set some standards in their contracts with the the banks.

Not entirely true [wikipedia.org]. Visa is in fact a conglomerate of 11,000ish banks, founded by Bank of America.

PCI?

[AikonMGB]

And here I thought they implemented PCI to make it easier to attach peripherals to your computer O_o I can't keep up with the world today.

Article is Wrong

[scribblej]

Merchants have been responsible, not VISA, all along. It's ALWAYS been that way.

I say that as someone who's been int he industry for ten years, so I'll admit maybe things were vastly different before I got here. But for at LEAST the last decade, merchants have eaten fraudulent charges.

Here's how it works in a nutshell. I'll assume an internet ("e-commerce") transaction since it's what i'm most familiar with.

1) Evil bad guy steals a credit card number.
2) Evil bad guy makes a charge from Bob the Merchant
3) Bob the Merchant ships Evil Bad Guy his product.
4) Joe, the actual owner of the credit card sees the charge on his statement.
5) Joe calls Bob the Merchant and says, "Why did you charge me?"

At this point, the only thing Bob the Merchant can do is issue a refund to Joe. He'll never see his product that Evil Bad Guy took, or the money, ever again. What happens is he refuses to give Joe his money?

6) Joe calls his issuing bank and asks for a chargeback.
7) Bob the Merchant is forced by his merchant account provider to refund the money to Joe. Also, to pay a chargeback fee of somewhere around $50, and if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again.

So who loses here? Not VISA. Not Joe, the cardholder. Not Joe's issuing bank. The merchant, is out product and money, and there's jack-all he can do about it.

There is only one exception I am aware of: Verified by Visa. If a merchant uses VBV on his website, then VISA will guarantee the charges, and if there is a chargeback, VISA will eat the cost. This is a HUGE change from how things have always worked in the past. However, no one uses VBV because it requires the CARDHOLDER to take extra steps to sign up and become active, but the CARDHOLDER has no reason to care, since he's already protected.

Anyhow. Long before PCI, long before CISP, long before any of the security standards were standards, the merchants were already responsible for all fradulent charges. It's the way things are. PCI makes a much cleaner audit trail when things go south, but it's not really about fraud nearly as much as it's about data security. There's a few tiny parts of PCI that address a few particular cases of fraud, and ALL the rest of it is about data security and handlling policies.

Re:

[Rakishi]

no one uses VBV

Newegg does and signing up is rather trivial actually, the bitch is remembering the password (assuming I'm thinking of the right system). It takes me a lot longer to add an alternative (shipping) address to the CC and many websites require that (including some whose incompetence at being able to check it leaves me shocked).

Re:Article is Wrong

[scribblej]

Well, of course I was exaggerating when I said "no one." But it's interesting to hear your view. :) I didn't realize newegg provided it.

As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.

A few interesting notes on AVS:

1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in it's eyes.
2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.

2 is becoming a little less true recently, though - several issuing banks have taken it on themselves to reject the transaction even if the AVS standard says they aren't supposed to. I think this is a good thing.

Re:

[bastion_xx]

Well, of course I was exaggerating when I said "no one." But it's interesting to hear your view. :) I didn't realize newegg provided it.

As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.

A few interesting notes on AVS:

1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in it's eyes.
2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.

VbV and MC SecureCode also give additional discount rates. I think upwards of 25-50 basis points.

We setup a special authorization transaction type for AVS, basically AVS+Auth. AVS was tried first, and only if succeeded would we follow up with an authorization request. And since AVS only checks can be completed for a marginal amount (less than 2 cents), was our first line of fraud detection for the merchant. Ugh, I still remember the various ISO 8583 single character return codes for AVS.

I have to get out o

Re:

[ps_inkling]

I have seen more web sites that uses VBV. My credit card was "automatically and for my convenience" signed up for VBV by my issuing bank. More than once I've cancelled my order instead of dealing with the additional verification.

When I finally needed to buy from NewEgg, it took 3 or 4 tries to get through the VBV crap page (unblock popups, unblock cookies, allow JavaScript). Surprised it let me try that many times. I was not impressed with the security or functionality, from the consumer standpoint.

Re:

[Jah-Wren Ryel]

Newegg does [verified By Visa] and signing up is rather trivial actually, the bitch is remembering the password (assuming I'm thinking of the right system). It takes me a lot longer to add an alternative (shipping) address to the CC and many websites require that (including some whose incompetence at being able to check it leaves me shocked).

I use disposable/single-use/single-merchant credit card numbers linked to my Visa card. I've found that when I use one of those numbers at a VBV merchant, the system a

Re:

[HomelessInLaJolla]

if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again

Who offers a form of chargeback insurance to the merchants? The whole system is such a racket that someone must be working that angle.

Re:

[acvh]

Who offers a form of chargeback insurance to the merchants? The whole system is such a racket that someone must be working that angle.

These guys. [bankcardcentral.com]

Re:

[scribblej]

Do you work for Bankcard?

A lot of companies offer chargeback insurance, and I wouldn't necessarily endorse one over another.

Re:

[Not_Wiggins]

3) Bob the Merchant ships Evil Bad Guy his product.

Does Bob the Merchant have access to Joe's credit-card billing address?

I'm going to plead total ignorance here, but it would make sense that, with that information, Bob could ask Visa/MC if the billing address is the same as what's on file for the card. No, it doesn't eliminate all fraud, but it would certainly reduce it.

I think the point of making merchants liable was because they're the ones accepting the payment. That is the last line of defense aga

Re:

[scribblej]

Does Bob the Merchant have access to Joe's credit-card billing address?

No - if he did, we'd have a nice way to verify things. See my other post on AVS: http://slashdot.org/comments.pl?sid=223350&cid=180 85442 [slashdot.org]

The postal database lookup I mentioned would only verify that the input address exists, not that it belongs to Joe.

Bob could ask Visa/MC if the billing address is the same as what's on file for the card. No, it doesn't eliminate all fraud, but it would certainly reduce it.

You're right, and he can

Re:

[Sigma 7]

3) Bob the Merchant ships Evil Bad Guy his product.

Does Bob the Merchant have access to Joe's credit-card billing address?

I've recently observed a new type of CC scam - where the Evil Bad Guy enters the credit-card billing address as the ship-to. After that, Evil Bad Guy calls the Joe on "behalf" of Bob the Merchant saying that he accidently shipped the product to him, and arranges a "return" where UPS comes by and picks up the product from Joe.

The return generally has a temporary address to the Evil Bad G

Re:

[francisew]

I noticed that Discover cards seem to have an interesting protection feature as well- disposable electronically generated card numbers for individual transactions. Seems ideal to me.

http://www.discovercard.com/deskshop/ [discovercard.com]

Francis

That's retarded

[pavera]

One of the largest CC heists of all time happened last year when MASTERCARD lost I forget how many card numbers, it was > 1 million cards though.
The Merchants who processed transactions with those stolen cards have to eat it?! How can that be proper?!

Further, as noted elsewhere, this does not penalize the proper people. If I am a merchant and someone buys something from me with a stolen card (even though I have great security, maybe I don't even store CC information, I just process the card and I'm done

Re:

[NewWorldDan]

In your scenario it is entirely proper for the merchant to eat the loss. They are at the point of transaction and are the only one with the possibility to identify the consumer and verify that they are authorized for the account. There are otherwise just far too many avenues to obtain credit card information to otherwise be effective. I'll certainly admit that most merchants do not have adequate tools to identify and validate most customers, nor do most customers care to deal with that level of scrutiny,

Kill the cards?

[phorm]

I'm assuming that in such a case the cards would be either tagged or disabled? I know when my girlfriend's card went through a retailer that was found to have been hacked at the time (or had an employee stealing CC #'s) it was cancelled by the CC company and she had to wait on a new one.

As a merchant, I call shenanigans!

[silentbozo]

Uh bullshit. Let's say I'm merchant A, and I do everything by the book, and have never had a breach.

I can still get screwed if merchant B has a breach, as far back as a year ago, if I'm taking card not present transactions, and get stuck with an order from some punk who uses a stolen number.

Is it right that I get penalized for charges made and authorized by the issuing credit card company, due to no fault of my own?

A lot of people will say that's the cost of doing business. The problem is, that there is n

Should improve Customer service

[Iridium_Hack]

As one who has worked part-time in a retail store for extra cash on top of my day job, I've found most customers now days prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask ID unless it's AE or the card isn't signed."

Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that

Re:Should improve Customer service

[damiangerous]

Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. I go They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) [visa.com] and pg 48 of the MasterCard merchant rules (PDF) [mastercard.com].

I usually file a complaint here [mastercard.com] and check the "merchant required identification" box.

Re:

[ucblockhead]

Great. You hate it when merchants take extra steps to make sure it's actually you using the card. It's people like you that discourage merchants (and visa/mastercard) from adding extra security that would help ensure that thieves can't swipe cards and go to town.

Re:

[damiangerous]

Great. You hate it when merchants take extra steps to make sure it's actually you using the card.

Nope. They should feel free to take any steps they like that don't involve harrassing me and violating their agreement with MasterCard that I, as a MasterCard cardholder, should be able to rely on them to follow. If they feel like they can break their agreements at will because they think they know better, how should that make me trust them and provide even more information?

It's people like you that discour

Re:

[dman123]

If I was a milk and bread merchant and you mentioned to me that I was "harassing" you by asking for ID, I'd just make sure to process that transaction really, really, slow... maybe manually enter the numbers instead of swiping, checking the card with a magnifying glass to check for evidence of tampering, etc. The loss of a sale as you stormed off in a pissy huff would be worth it.

And yes, I would keep helping others in line as I "waited for authorization." Sorry, sir. The computers are a little slow right n

Re:

[damiangerous]

If that was your attitude I'd probably have a talk with your manager. If you were the owner, I'd be happy knowing you'd probably not be in business long. it's hard enough for small businesses, arbitrarily pissing off customers about an issue you're in the wrong about pretty much seals your fate.

Either way I wouldn't have to worry about the situation because I wouldn't shop there again unless I felt assured it wouldn't happen again. I know I certainly wouldn't be the loser in that situation.

Re:

[ednopantz]

it's hard enough for small businesses, arbitrarily pissing off customers
As a small business owner, let me say,

Get the hell out of my store!

I don't need customers like you.

Things got a lot better around here once we started "firing" customers who were assholes. More trouble than they are worth.

Re:

[damiangerous]

I love that a customer who simply asks, asks mind you, that you keep your word and stick to a contract you agreed to, is suddenly an "asshole".

Re:

[ednopantz]

Waaah! I'm being oppressed! You can't ask for ID! Waah! = PITA/not worth dealing with/some asshole we can do without.

Re:

[damiangerous]

What's the name of your business, so I know to avoid shopping there and saving us both the hassle?

Re:

[ednopantz]

What, and miss out on the educational aspect of firing a customer?

*******

"Waaah! I want [totally unreasonable thing]."

Sorry.

"Waaah! If you don't give in, I'll take my valuable [read easily replaced] business elsewhere."

Good, go.

"Waaah! I want to speak to the manager."

I'm the owner.

"Waaah! But I'm the customer, and the customer is always right."

No. The customer is often wrong. And you are not our customer anymore. Go away.

"Wah! But...but...but..."

Get out now!

*******

I wouldn't feel right depriving you

Re:

[ednopantz]

If its my money, I'm making sure you are the guy who's name appears on that credit card. If I have any doubt, I'm checking you out before I accept a piece of plastic. I'm the one on the hook for fraud. Not you.

Don't like proving your identity? Then pay cash. We accept that always. Want to give a promise instead? Then get ready for some verification.

How come "checking id when you promise payment in lieu of real money" = instant fascism!! Oh No Everybody Panic!!! 1984!!! AAAAHH!!

And the terms of my con

Re:

[damiangerous]

I should probably clarify that I've never actually refused to show ID yet. I'm not the sort of person who makes a scene and inconveniences others. I tell them briefly that it's not allowed by the MasterCard agreement and if they insist or don't care I go ahead and let them know I'm going to file a complaint with MasterCard. I then decide if I want to continue shopping there, based on how they handle the situation.

If the staff are pricks about it, like you seem to be, then I certainly wouldn't. If it's

Re:

[damiangerous]

Indeed. Good thing I'm talking about a MasterCard branded debit card then.

Re:

[raoul666]

At the same time, if the cashier doesn't feel your signature matches, he/she can simply reject the sale entirely. My standard procedure was to check if the signature matched, and if it didn't (or if the sale felt fishy), I would simply say, "these signatures don't match. I'm afraid I can't sell this to you." Most people, at this point, will offer photo ID willingly.

Re:

[damiangerous]

At the same time, if the cashier doesn't feel your signature matches, he/she can simply reject the sale entirely.

No, you cannot. If you have suspicions about a transaction you need to make a Code 10 call. Rejecting the card outright is also a violation (and there's a spot on that same complaint for for that as well). If you reject a card without calling, you've done one of two things: you've allowed someone to make a second fraudulent attempt to use that card or you've turned away a paying customer.

Re:

[damiangerous]

My credit card doesn't identify where I live, for one thing. Now that's not the most closely guarded secret in the world, obviously, but I don't care to share it with the kid who's ringing up the laptop I'm buying, for example. It's just personal information I don't care to share at the whim of anyone who might ask and have no reason to.

I'll show ID to anyone who has a reasonably good reason to see it. Store clerks simply do not. That's just one of the reasons I use a debit card instead of writing a ch

Stop & Shop's fault

[dreamt]

No matter what people think about who should or should not pay, this was Stop & Shop's fault. The Globe article only slightly mentioned (was covered better on the news last night) that someone basically walked off with the PIN boxes, hacked them, and reinstalled. I know that there are ideas in some of these replies as to which business pays for stolen credit card usage, but Stop & Shop has got to do better than letting someone walk off with their equipment.

Having owned a store

[JohnnyComeLately]

I would say it's set up correctly. Sure VISA makes Billions and merchants eat fraud, but it's really the best point to do it. And, technically, I already do it with Checks (the reason a lot of people don't take them). Some storeowners don't get it and think credit cards are "magic"...they can take all the cards they want and money appears (minus a 5-15% fee) in their bank account. They don't realize they can minimize by: ACTUALLY CHECKING THE SIGNATURE!!!, suggest Debit over Credit (if it's both, their fees are less if it runs as a ATM, and security it better!). But it's the same as anything else in life: If you're uneducated you will always pay more.

Got suckered into a 15 year AARM mortgage with a pre-pay penalty and balloon payment? Education. Paid $30k for a Ford truck (which immediately dropped to a $19k wholesale value) and are upside down in value? Education. If there's one lesson...just one lesson...I could boil my entire MBA, stock market, and general life experience (regarding businees) into:

He who has the most accurate and timely information wins.

Coming back around full circle: This is why merchants should be responsible (and their banks). It forces them (and me!) to educate myself and minimize EVERYONE's risk. A previous owner left draft information for bank auto withdrawal in a binder, on the desk, by the door, for all his customers. Huge fraud potential. Some leave credit card information in the store after the day of sale. Huge fraud potential. I could go on, but I've proven the premise for my conclusion: You have to be active and reduce your costs through fraud prevention. How can I reasonably hold VISA accountable when I'm a merchant stupid enough to charge a card with someone elses name (I've seen guys try to use their wife's card....Dudes do not look like a "Wendy" to me).

On the flip side, I had a merchant pissed because I called in a charge back. Yeah he was pissed, because chargebacks increase fees a bank charge....but I gaurantee you he'll call next time he does an unauthorized pre-pay on my card. I manage a tech support department and we follow the policy I told him he should follow to reduce costs: Always call someone before you charge their card. In my case, he charged a 2nd $700 and then my wife said, "Should there be a 2nd one?" I said, "Nope" (not thinking two steps past why she asked) and so she called the credit card to charge it back. Whole thing could have been avoided.

So there you have it...I've mentioned my perspective from personally being both sides of the "coin" (and being accountable for the $$)....and I'd say the system is set up efficiently, and for the most part, fairly.

Re:

[King_TJ]

All valid points, but I'd also say it's arguable that credit card companies themselves have helped foster this "lax" security environment we're seeing on the part of many merchants.

Take, for example, the cases of a woman coming in, buying something using a card with a man's name on it, or vice-versa. The fact is, the credit card companies are more concerned about people using their cards as often as possible than in caring WHO uses them. My ex-wife ran up charges on my cards all the time, despite never ev

Re:

[gamer4Life]

...ACTUALLY CHECKING THE SIGNATURE!!!

Doesn't do a thing except waste time. You would catch more false positives before you catch an actual thief that forgot to learn to forge the signature.

Merchant pays? Not all the time.

[Itninja]

I am an online merchant and I use both Google Checkout (in the foreground) and Paypal Payments Pro (in the background) to process CC transactions. Both of those providers will (and have for me in the past) eat the fraudulent charges as long as I had taken all required steps to ensure the transaction was genuine.

For example, I had one $100 sale that, a few months ago, came back as 'fraudulent'. Paypal asked me to provided documentation to show the steps I took to verify the buyers information. I keep all these records, so I sent Paypal address verification, proof of delivery, etc. After about a week they contacted me, told me that I followed their verification process properly, and that they would absorb the cost of the disputed transaction.

Slightly OT about merchants eating charges

[hellfire]

I'm absolutely shocked by the ignorance some people about credit cards. Now I'm not talking about a Joe on the street, I'm talking about people taking the orders. Many merchants favor convenience over everything else.

For example, in the order processing system I support, we mask the first 12 digits of the credit card when you retrieve an existing order. It didn't always do that, but it eventually did as part of an upgrade to comply with the PCI standards above. That makes sense, lots of systems started doing that even before the standards and now all of them do. But one guy wanted to argue with me that it will hurt his customer service because he can't read the card number. I explained to him that it's out of my control and that Visa imposed these restrictions on all computer systems and you can't buy a system that doesn't have this feature any more. Further more merchants and software companies could be fined by Visa if they didn't have these restrictions.

I was going to explain why Visa mandated the changed and explain card security when he demanded: "We'll take the chance, change it back." If I were his customer, I'd have yanked my business, knowing that it's an easy inside job for him to steal my credit card.

Also, it's happened to me twice recently, where two major chains I visited (Superfresh and Target) took my card and made me sign an electronic signature capture device for my signature. In both cases, the signature pad and/or pen was broken and was basically reading garbage. I could not write my signature. In both cases they said "we don't need your signature" and just ushered me out of line. Okay they are major chains, and could eat a charge now and then, but hell you would think they would care about their signature pads a little more. Maybe close the line or have replacements on hand to easily swap out. Everyone going through that line that day was a potential risk to the merchant for a chargeback, just because they didn't capture a proper signature. And that exposes me as well because I'm unable to sign my signature which leaves me open for question when signing other receipts.

The way security works now in credit cards I feel is good, and it's designed to increase the security on integrated systems. 80 to 85% of credit card number theft is an inside job. People stealing card numbers and internal information, and computers just make it easier to do that without restrictions on said computer. The merchant doesn't care if you get hit with fraud. Visa cares because if their cards are insecure, no one will use them. So Visa makes the merchant's care by assigning responsibility to them, because that's were most fraud occurs. It's very logical.

PCI Misconceptions

[brufar]

A lot of people seem to have a misconception of exactly what PCI is, what it covers, and what it does.

PCI affects all areas of the transaction stream.

When looking at ATM's for instance the units must be tested and Certified (InfoGuard, TNO and T Systems). If you attempt to open the device it dumps the program and tampers the unit so it can't be reprogrammed. this prevents a situation such as the one at stop and shop where a malicious party opened the POS device and apparently hooked up a device to sniff the

Where's my rate cut?

[teflaime]

Credit card companies justify their ridiculous interest rates by pointing to the losses the "have to eat" when credit card fraud happens. Since they no longer have to eat those losses, where's my rate cut, you theiving bastards?

Bull

[iamacat]

Credit card today is a dumb piece of plastic with no security to speak off. When credit card companies come up with a decent authentication scheme and implement it in ALL locations, they can pass the responsibility for fraud to vendors.

why are these numbers being stored?

[ALpaca2500]

when i swipe my debit card through the machine at stop and shop, it says "approved". At that point, the money is wired from my bank to stop and shop, and my personal information should be purged. or am i mistaken, and is there a reason for stop and shop keeping everyone's crdit and debit card numbers?

Re:

[cdrguru]

Approved means nothing - just that your card says it has been approved for use and the amount is covered by your account. Period.

Later that day a batch of transactions are sent to the processing company. This is how the merchant gets paid. Why isn't this done immediately? Because there is a per-batch charge on top of the authorization charge. So it makes sense to build up a number of transactions to be sent over at the end of the day.

The batch also allows the merchant to change or void the transaction

Re:

[el_gordo101]

The article was light on details, but what I have read and heard the past few days was that the card readers were physically removed from the checkout lanes, tampered with, and then replaced. The swipe readers were then used to collect card numbers and/or PINs. It was not a breach of their back-end database, it was collecting the data off of each customer that used the affected card readers.

Re:

[Kalriath]

I don't know. EBGames here in NZ does the same thing. They swipe the card through the EFTPOS terminal (which causes the bank to provide an authorization) and THEN they copy the credit card number, expiry, and CVV2 code into their computer systems. One time I asked them not to and they said it's "required for reconciliation".

Anecdote

[king-manic]

My family owns a very small chinese food place. We had a mastercard account. My parents were ludites and refused to upgrade to an electronic terminal because they didn't understand how to use it. Our bank/merchant account reseller droped the imprinter proccess and implemented a complicated IVR. My sister registered a transaction on the ivr for 62.86. The IVR registere dit as 44,400.00 instead. We got a notice about it after and co-operated in resolving it for our customer. Despite the fact it was an obvious mistake and was greater then the actual limit of the customers card we got a charge back of $2456.00. Which is more then the total MC orders we get in a year. We tried for weeks to address this since we were sure it was a ivr error. especially since it exceeded the customers limit. but we had no course of action to resolve it as an error. we were stuck with a $2456.00 chargeback because the IVR either had a bug or did not do a proper check ont he amount. We dropped MC support and dropped all of our MC cards because of this. but it won't protect merchants form other arbitray decisions Visa/MC/AMEX make.

Re:

[jrumney]

My brother was once mistakenly charged $12,000,000 on his debit card, putting him $11,999,000 in overdraft. This happened on a Friday afternoon. The following week, he spent 3 days trying to find someone at the bank with sufficient authority to reverse the charge, and a further couple of days trying to get the $20,000 in interest charges credited back (which did not happen automatically after they reversed the $12mil). The merchant in this case was the bank itself - he had ordered a new customised card, whi

Re:

[king-manic]

Thank you for the suggestion. I think we'll move on. The legal fees would exceed the amount to be recouped. I'm in canada and we have a loser pays system. The bank themselves were somewhat gracious but Visa itself was beeing bullies. The bank waived their commission ont he transaction but Visa was the one demanding their cut. Small claims may not incur very must legals fees but the lose rpays system doubel it if we lose and a win would recoup less then the $2456. We'd spend th time and labour; and then stil

The other half of the problem

[GreyPoopon]

While security at merchants and banks might be half of the problem, the following quote from the article sums up the other half:

It's still such a nightmare to get the problems resolved.

The biggest problem for consumers is not getting back the money they lost. It is repairing their credit record. We have a situation where three credit bureaus are collecting and disseminating private financial data about consumers. There is little or no control for the consumer over what information is given out in a credi

Sorry - Merchants *AND* CC are to blame

[AnalogDiehard]

Two years ago I started signing the back of my cards with the warning PHOTO ID REQUIRED. One out of ten merchants who saw the card in person bothered to check the back of the card, much less ask to look at it. So merchants share the blame because their security is lax.

Credit Card companies also share the blame. Do you know how EASY it is to open a fraudulent credit account without your knowledge? When we were separated, my ex forwarded all my mail to a PO Box without my knowledge/consent, opened a cre

Re:

[Skye16]

Until a bunch of middle class suburban teenagers show up with a few baseball bats and beat him to death [cnn.com].

I guess that's a small price to pay for being safe from fraud, though.

Re:

[operagost]

You just have to walk near someone with one and walla

Please... French is only my second language and I'm thoroughly pissed at seeing this garbage. It's "voilà".

Re:

[Stanistani]

C'est la vie, c'est la guerre, c'est la pommes de terre -"V'wallah!"

ATM fees make cash expensive.

[Kadin2048]

Cards are a rather flawed system, particularly when not in person. Not to mention how unfriendly credit cards are to customers. It's wonderful to have cash now, but not worth the interest charges. Past that, their unfriendly to merchants, but due to the "convenience" of cards, they're all but required.

Cards are effectively required because of one thing: ATM surcharges.

Customers use credit cards, and their kin, debit cards, because it's obnoxious and impractical to use cash anymore. If you get your paycheck