Fraud and Chargebacks Challenge Online Merchants
Web Commerce Today, Issue 11, June 15, 1998
This article contains older information.
You don't hear about actual people having their credit card numbers stolen over the Internet. That's much ado about nothing. The real problem is credit card fraud against Internet merchants. It is rampant, especially against those who provide instant online access to the product -- information, entertainment, subscription, or downloaded software. Some software merchants have lost as much from fraud in a month as they have garnered in sales revenue.
Fraud has plagued merchants since credit cards were first invented. Mail order merchants developed the AVS (Address Verification System) to cut down on their losses. But the advent of Web sales has exacerbated the problem. The anonymity of the medium, the ability for rapid shopping, Internet demographics, and ease of credit card access have all contributed.
You don't think much about it until your credit card processor sends you a chargeback information request for a copy of the transaction and signature. Then you wonder just what kind of guarantee your processor's authorization code really provides you. The answer? Limited.
Internet merchants fall into the MOTO category -- mail order/telephone order -- and consequently tend to pay higher discount rates than merchants who swipe an actual card through their machine. The credit card processors also offer MOTO merchants fewer protections against fraud.
What the Authorization Code Means
When a customer transaction is submitted to your credit card processor, you receive an authorization code. What that means is:
- The card has not been reported stolen
- The credit limit on that card has not been exceeded
- The credit limit on that card has been reduced by the amount of the purchase, and
- The purchaser's billing address ZIP code and (probably) the numerical portion of the address match the cardholder's billing address, if you use the Address Verification System (AVS). This does not work for sales outside the US.
The authorization code does not tell or protect you if:
- The card number (not necessarily the card itself) has been stolen and is being used without authorization,
- The card has been stolen but not reported yet, or
- The card number itself is actually a legitimate credit card account. The processor only does a special 10-mod test to make sure that this could be a valid number. (More on that below.)
The processor only tracks card problems reported to it. It does not check the cardholder's actual account each time a charge is made.
Case study
Several months ago we received a Web Commerce Today subscription which seemed suspicious.
First name: aaa
Last name: bbb
Address: aaa
E-mail: suwxxxxx@yahoo.com (not the actual address)
ZIP: 12345
Cardholder No. xxxx12345678xxxx (I'm not going to give you the full number)
Something's wrong. I call First Data Corp., my bank's processor. They note that the card has not been reported stolen. They determine from the first few digits of the number that the card was issued by a bank in Taiwan, and suggest I contact the issuing bank. I'd been had! How could this happen?
The bank's computer ran a quick check of the number using what is called the 10-mod test, and the card passed. Then it checked to see if the card had been reported stolen or was over its credit limit. The card came up clean. The AVS (address verification system) didn't catch it since it was an order from outside the US. Then the computer posted a $49.95 debit to the card's credit limit (still not accessing the actual account), and sent my Web server an authorization number, which triggered issuance of a Subscribe Code giving access to our online Electronic Commerce Research Room. For free. How could this happen?
10-Mod Algorithm
All credit cards conform to a specific numbering system. This allows mail order merchants to detect data entry errors on their desktop computer before submitting the card to their credit card processors (which might cost them something any time a card is run). The 10-Modular Ger algorithm (that's the full name) tests whether a card has a possibly valid number.
For the technically minded, here is how it works. For a card with an even number of digits, double every odd numbered digit and subtract 9 if the product is greater than 9. Add up all the even digits as well as the doubled-odd digits, and the result should be a multiple of 10. For a card with an odd number of digits, perform the same addition, but this time double the even numbered digits instead.
The problem is that crooks can find programs on the Internet that will generate thousands of credit card numbers that pass the 10-Mod test but don't necessarily represent actual valid credit card accounts. That's what happened in the case study above. A valid credit card number was used, but since there was no real account behind the number, it could not have been reported stolen or over its credit limit. My processor let it pass. Scary!
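The 10-mod test described above, written out as an added example (not code from the original article); the check is commonly known as the Luhn algorithm. It implements the wording above, cross-checks it against the usual right-to-left formulation, and counts how many arbitrary numbers pass with no account lookup. The sample card numbers are widely published processor test numbers and the range start is a constructed value.

```python
import re

def _digits(number):
    """Digits of a card number, or None unless it is only digits, spaces, dashes."""
    cleaned = re.sub(r"[ -]", "", number)
    return [int(c) for c in cleaned] if re.fullmatch(r"[0-9]+", cleaned) else None

def _double(d):
    """Double a digit and subtract 9 if the product is greater than 9."""
    return d * 2 - 9 if d * 2 > 9 else d * 2

def mod10_as_described(number):
    """The test as the article words it; positions are counted from 1 at the left."""
    digits = _digits(number)
    if digits is None:
        return False
    double_odd = len(digits) % 2 == 0   # even length: double the odd positions
    total = sum(_double(d) if (pos % 2 == 1) == double_odd else d
                for pos, d in enumerate(digits, start=1))
    return total % 10 == 0

def mod10_right_to_left(number):
    """Usual formulation: double every second digit counting from the right."""
    digits = _digits(number)
    if digits is None:
        return False
    total = sum(_double(d) if i % 2 == 1 else d
                for i, d in enumerate(reversed(digits)))
    return total % 10 == 0

def count_passing(start, count, width=16):
    """How many of `count` consecutive numbers pass, with no account lookup at all."""
    return sum(mod10_as_described(str(n).zfill(width))
               for n in range(start, start + count))

# Widely published processor test numbers (not real accounts).
SAMPLES = ["4111 1111 1111 1111", "378282246310005"]
RANGE_START = 4000000000000000  # constructed value

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, mod10_as_described(s), mod10_right_to_left(s))
    print("one-digit typo:", mod10_as_described("4111 1111 1111 1112"))
    print("passing in 1000 consecutive numbers:", count_passing(RANGE_START, 1000))
```

One number in ten passes, so the test catches keying errors and says nothing about whether an account exists behind the number.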
Since the product was electronically delivered, I had no physical address. The e-mail address was from a free account and almost impossible to trace. Now you can understand why companies with electronically delivered products are so vulnerable to fraud.
Types of Chargebacks
But Internet merchants are not only vulnerable to fraudulent credit card numbers being used. Since they never have a signed sales slip proving that the sale was authorized, they are at the mercy of both the crook and the tacky customer requesting a chargeback (a refund to the customer as a result of a disputed transaction where the bank rules in their favor). According to the US Customer Protection Act, customers can dispute transactions in many ways by claiming:
- They never received the product. Advice: use the Address Verification System (AVS) and a shipper that guarantees you a signature proving delivery.
- The product was received damaged -- the merchant's responsibility.
- The product was not what the customer expected. The merchant must make a refund.
- The product does not work as indicated. You have to make a refund. The bank will always side with the customer.
- The purchase was made with someone else's card. A customer can see your for-pay information over the Internet and then claim he never authorized the charge. The bank will side with the customer.
- The product was returned and the merchant failed to issue a credit. The bank may ask for proof from the merchant that the product was returned, but the merchant may still get stuck with a chargeback.
- The customer can't get satisfactory service if he has problems with the product he bought.
- The customer requests a copy of the transaction and the merchant can't provide one. Many bankcard processors specify in their merchant agreement that failure to provide a copy of a card imprint or a signature can result in a chargeback. Those in the Internet business won't be able to provide this, so you may just be stuck with a chargeback if the customer demands a copy of the transaction.
Even after this daunting list of liabilities for the merchant, I don't want to discourage you from taking credit cards. Because credit card purchases provide such good protections for the customer, customers trust the system enough to actually make purchases with their cards. Thus cards provide a welcome means of exchange for the Internet merchant, and no other means of exchange even comes close in the United States to providing such a widespread system of trusted transactions. We should be thankful.
Thankful, but vigilant. There are a number of ways to protect yourself from customer chargebacks. Clear, honest descriptions of your products are necessary, as well as a clear statement of your refund and return policies. Good customer service for those who are having trouble with their products is vital. Of course, if you're a porn merchant, you'll still get a lot of transactions that are disavowed by husbands when their wives see the credit card statement. But the occurrence of chargebacks for most legitimate businesses is within acceptable limits.
There are also several ways you can protect yourself against credit card fraud. The next two articles tell you how:
- Methods a merchant can incorporate inexpensively
- Real-time fraud screening, describing a commercial service for higher-volume stores