How Much Fraud Protection Do Online Merchants Have?

How the System Works

First, you need to understand the various parties involved with a merchant credit card account in the US. Policies in other countries may vary.

• Issuing Bank. All credit cards are issued by what is called the "Issuing Bank."
• Acquiring Bank. Merchant credit card accounts are issued by a bank or financial institution called the "Acquiring Bank." This may be your own bank, or a bank you've been matched to by an Independent Sales Organization. The Acquiring Bank assumes some risk if the merchant fails to fulfill orders that cardholders have billed for.
• Independent Sales Organization (ISO). These are third party companies and entrepreneurs who advertise widely and offer to match up merchants with banks that will issue them a merchant credit card account -- for a fee.
• Processor. The company the Acquiring Bank contracts with to handle all credit card transactions. The bank outsources the entire operation to the processor. First Data Corp. (FDC) is the largest processor in the US, and handles about 70% of the transactions.
• Payment Gateway. Companies like Signio.com, CyberCash.com, Anacom.com, or Authorize.net connect your website to the processor, and so provide a "payment gateway." This is the process: (1) a transaction is submitted at your site, (2) goes through a secure web connection to the Payment Gateway, and then (3) through leased phone lines to the Processor who checks the databases. The authorization then travels (4) from the Processor through leased phone lines (5) to the Payment Gateway, and through a secure Web connection (6) to your website, and (7) from there to your customer's web browser with the message, "Thank you for your order" or "Your credit card transaction didn't go through." Confusing, isn't it. If you use a payment gateway, you generally pay a monthly fee. Sometimes these fees are paid directly to the Payment Gateway and sometimes they are included or hidden in the overall billing on the merchant account.

Occasionally, a bank or ISO wraps all these operations into a single package which they administer.

Classes of Merchants

Banks that sign up merchants for merchant accounts that allow them to take credit card payments divide merchants into two major classes:

• Card present -- where a card is swiped through an electronic card swipe machine and automatically sent to the processor for authorization. Once the authorization has been received by the merchant, the Acquiring Bank takes responsibility for any stolen cards or fraudulent transactions.
• Card not present (MOTO) -- where the merchant gets the credit card information by phone, mail, or the Internet, and the actual card is not swiped. These are called MOTO transactions for "Mail Order/Telephone Order." If one of these proves to be a stolen card or a fraudulent transaction, the merchant bears full responsibility, even though an authorization number has been received. Is it fair? No. But that is the present system in the US.

Online merchants can get stuck even if it wasn't a fraudulent transaction, if the customer disowns the transaction. The bank's processor will demand that the merchant show a signed sales slip, and if one cannot be produced (and on the Internet there are no signatures at present), the consumer, not the merchant, is given the benefit of the doubt.

Merchant Account Fee Structure

Moreover, rates are stacked against the online merchant. Typically, when you sign up for a merchant credit card account you are charged these types of fees:

• Application Fee. Your own bank may charge little or no application fee, but if you sign up through an Independent Sale Organization (ISO) such as CardService International and many others, this may run $100 to $200 or more, which may go to the ISO as a sales commission.
• Discount Rate. This may run from 1.5% to 4.0% of each total sales transaction. Rates vary with the amount of the average sales transaction. A higher average gives you a lower discount rate. Card Present transactions are typically 1.0% or more lower than Card Not Present rates, even though the bank has little liability and the merchant carries full liability in case of fraud for online sales. If you can get an online discount rate of 2.25% to 2.50% for online sales, that's pretty good. Being a short time in business, or having a high rate of chargebacks (money refunded to card holders because of disavowed or fraudulent sales) may cause the discount rate to be higher.
• Per Transaction Fee. If charged, this is typically 25 to 50 cents per transaction.
• Monthly Report Fee. Often $5 to $20 monthly.
• "Lease Fee." Traditional brick-and-mortar merchants usually have a card swipe machine at each register. This equipment is typically leased by the bank or ISO, sometimes over a period of several years. Some ISOs talk small businesspeople into signing four-year lease contracts to get a merchant credit card account, even though the "equipment" they "deliver" is a Web payment gateway SERVICE rather than a physical card swipe MACHINE. When the small business folds after six months or a year or two, the "lease fee" is still due and payable. Read the fine print. DON'T sign an agreement with a lease fee!

As you can see, though MOTO merchants are charged a 1% higher discount rate by the bank, they also assume liability for fraudulent transactions. This isn't logical, but that's the current system.

Processor Authorization

Obtaining an authorization number from the processor doesn't require a rigorous check at all. When a transaction is submitted for authorization, the credit card number is checked against a list of reported stolen cards and a list of over-the-credit-limit accounts. If the card number doesn't show up on either list, an authorization number is generated. Note that the processor doesn't check the actual account for validity, but only a negative list. In addition, the amount of sale is debited against the card holder's credit limit, but this is done in a separate action.

Fraudsters can trick the system in several ways. They can generate phony card numbers that meet the credit card industry's mod-10 standard for consistency. Unless numbers are reported stolen, the transaction may be authorized since the actual account number is not checked for validity. If the issuing bank is a foreign bank, it may be difficult to trace even with a telephone call due to language barriers. Cards numbers and home addresses may be stolen without the cardholder's knowledge. Then they may be used in one short burst of online activity which ceases before the fraudulent charges are reported to the bank by the cardholder.

Address Verification System (AVS)

One protection online merchants can and should take advantage of is AVS or the Address Verification System, effective only for shoppers in the United States. This system takes the shopper's ZIP code and the numbers in her street address, and compares them with the numbers in the credit card billing address. If they agree, the transaction is authorized; if they do not, the transaction is flagged or perhaps not allowed, depending upon the merchant's preference. Using AVS lowers the merchant's discount rate, and can protect against stolen credit cards where the thief has only number, but not a correct address.

In short, online merchants don't have much protection against fraudulent credit card charges with the current system. Merchants need to do what they can to protect themselves.