First, the good news: Shoppers and merchants will conduct more online commerce this winter than they have during any other holiday season. With Internet shopping on the rise, retailers such as Amazon.com are well positioned to flourish during this season, and those merchants who are not in the game yet may want to consider joining it.
But every holiday season has its Grinch, and for merchants conducting online transactions, this year’s could be the proliferation of fraudulent online transactions. Retailers that are already online and those considering the virtues of e-commerce are smart to understand its vices, as well. Chief among those is the merchant’s liability in fraudulent, unauthorized credit card purchases.
Although online commerce represents only a small portion of the retail industry, the number of online transactions will explode during this holiday season and will continue to grow rapidly in the years ahead. In 2001, the retail industry generated $3.16 trillion in revenue, of which $37.7 billion originated online. This year, the retail industry is expected to increase to about $3.3 trillion, of which $52 billion is expected to be attributed to online transactions.
Though that projection may seem modest, this increase in online shopping from 2001 to 2003 represents nearly a 50 percent jump. Merchants who are willing to participate in online commerce will gain a competitive advantage.
But doing business online also increases a merchant’s risk tenfold. Fraud is one of the biggest dangers to online commerce. According to the Gartner Group, a global consulting group in information technology, the rate at which online fraud occurs is about 12 times higher than the rate for transactions in which the physical credit card is present. The most common way perpetrators commit online fraud is through the use of unauthorized credit card numbers.
Credit card fraud
For a merchant, credit card fraud means the bank issuing the card used by the purchaser withdraws funds from the merchant’s bank account rather than the card owner’s account. This process is commonly known as a “chargeback.” A chargeback occurs when a card owner or financial institution disputes the amount submitted by the merchant.
If, for example, a card holder insists his account has been used by an “identity thief” to buy an airplane ticket to Australia, the bank issuing the card will require the airline to reimburse it, leaving it holding the bag for the perpetrated fraud.
Once a chargeback is issued, all of the funds transmitted to the participants (the merchant, the merchant’s bank, the card-issuing bank and the card holder’s bank) are reversed unless the merchant can prove it satisfied certain conditions established by its bank. Reversing the transaction leaves the merchant responsible for reimbursing all losses to the participants.
The merchant is also responsible for the cost of replacing the lost goods, shipping costs, and any bank and transaction fees related to the chargeback. These fees may range anywhere from $10 to $50 per chargeback. If the number of chargebacks becomes excessive, merchants may be put on a “black list” by the card-issuing bank. This unfortunate distinction will lead to higher transaction fees and possibly the removal of the merchant from the card-issuing bank network.
Merchants that do not protect themselves from fraudulent online transactions will expose their businesses to more liability than is experienced in transactions in which the physical card is present. In these latter transactions, all the participants have a greater degree of confidence that the purchaser is, in fact, the owner of the card. The merchant can confirm the signature on the receipt matches the one on the card, and the merchant may examine the patron’s driver’s license to confirm identity.
In contrast, during an online transaction, a merchant does not have access to the physical card or a photo ID. Rather, the merchant receives the card number from a digital stream of input, making the process more susceptible to fraud. Most card-issuing banks thus recognize this danger by shifting the risk of online transactions to the merchant. In transactions in which the card is present, if the merchant follows the steps required by the card-issuing bank, and if a dispute occurs, the bank issuing the card most likely will absorb the disputed amount. In the online world, the merchant usually has to absorb the cost of fraud.
Tricks of the trade
The perpetrators use various techniques to induce a merchant to accept a fraudulent transaction. Some perpetrators steal the identity of an individual by acquiring personal information, such as physical and e-mail addresses, and using this information to impersonate the victim while applying for credit cards.
Other perpetrators will steal valid credit card numbers by analyzing data streams moving across the Internet or by examining a physical credit card. Other perpetrators may use a random number-generator to come up with card number for use at the point of sale.
Merchants can take steps to protect themselves. Here are some of the more common protective measures:
Manually reviewing each transaction.
Applying a rule system to the transaction: The merchant can define rules that automatically prevent some kinds of sales (such as those in which a purchaser is using a credit card from another country and/or a free e-mail address as their contact information) from closing.
Using the Automatic Verification Service (AVS) available from most card-issuing banks. This service compares the purchaser’s ship-to information with the billing address of the authorized card holder.
Analyzing the credit card number against a database containing a list of credit card numbers involved in previous fraudulent transactions.
Unfortunately, there are flaws with these methods that may harm the merchant’s sales and security.
The manual review process requires the merchant to hire additional personnel as the volume of online transactions increases. Using subjective rules to analyze each transaction may lead to lost sales and customers if proper transactions are rejected.
The AVS process does not protect a merchant from all transactions because it (a) is not available for transactions using international cards and even cards issued by some U.S. banks, and (b) it relies on the integrity and accuracy of the card’s billing information. The AVS service also requires the merchant to complete the transaction before the merchant may reverse it, which results in additional processing and payment fees.
The database of “bad” card numbers is based on cards that previously have been used in fraudulent transactions. It is unlikely that a perpetrator will use the same numbers on multiple occasions for an extended period of time.
Though Internet commerce won’t be risk-free for years to come, the potential gains, which are materializing today, are too great to ignore for many merchants. At this time of year and on a regular basis after the holidays, merchants should assess the risks associated with online transactions.
The risk assessment should include a review of its bank’s chargeback policies and an assessment of how often the merchant has been victimized by thieves from online transactions versus physical world sales. Those merchants who are vigilant about protecting themselves and who understand their rights on appealing chargebacks certainly will have a more cheerful online shopping season than others.
Bill McComas, a partner with Shapiro Sher Guinot & Sandler, counsels clients ranging from entrepreneurs to Fortune 100 corporations on commercial transactions across all industry sectors. He concentrates on assisting companies in creating, protecting, acquiring, developing and commercializing technology and valuing and disposing of intellectual property assets. His email address is wam@shapirosher.com.