Who Pays For Credit Card Breaches?

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing." "The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"

The customer pays. Always.

The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card.

Re:The customer pays. Always.

[Bastard+of+Subhumani]

To offset that, the prices are raised.

If the market would stand that higher price, why wasn't it being charged to start with? Conversely, if the market won't stand it, then lower volume (yada elasticity yada) could mean the merchant makes even less money.

Re:The customer pays. Always.

[edb]

The credit card companies pay nothing for credit card fraud. Their excuse for the usurious interest rates (24% and up in many cases) is to cover their losses. But in reality, the banks have zero losses due to credit card fraud. All losses are paid by the merchant victims, who accepted the card in good faith. The total cost to the credit card issuers is the overhead for paperwork. Cost to the consumer is time. Cost to the merchant is real $$.

And the credit card issuers advertise that they "protect" the cardholder from credit card fraud. That's fraud right there. The issuers simply charge it back to the merchant who did everything right -- ID check, address verification, signature, everything that could possibly be verified. If the cardholder disputes a charge simply because they don't remember it, the merchant is automatically charged a fine, and the transaction amount reversed. Then, after "investigation", the cardholder admits that the charge was correct, the merchant is still in the hole for the fine and the "research fee", which total at least $50 and can exceed $100 for a single $10 transaction which was correct and is eventually confirmed by the cardholder.

Eventually this cost must be passed through to the customer. Not all at once, and not across the board at all merchants: just like increases in postage, gas, utilities, etc., some merchants will absorb the added cost for a time. Some will raise prices sooner, some will raise them later. But eventually, equilibrium again will be reached, and prices at all merchants will reflect the increase, one way or another, and the differences in price between merchants will again be due to all the other usual factors.

Same old story, same old Slashdot. See the similar thread from Feb 2003: http://it.slashdot.org/comments.pl?sid=54226&cid=5 323876/

Same season, 4 years ago. Same story.

Misses the point

[currivan]

The merchant who accepts the fraudulent charge eats the chargeback, not the one whose site is hacked. How does this encourage information security?

Re:Misses the point

[Scott+Lockwood]

It doesn't. It makes Visa and Mastercard more profitable, however, which is what they care about.

Re:Misses the point

[letxa2000]

As a merchant, this is very annoying. If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

To pay extortionate discount charges on every transaction and not even be able to trust that the charge is legitimate is abusive on the part of Visa/Mastercard. What's worse, a chargeback comes with a chargeback fee. So not only does Visa/Mastercard not get harmed by fraud, it profits from it. As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

Re:Misses the point

[letxa2000]

You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but lets face it many aren't.

I have looked at it from their perspective and it still doesn't make sense. If someone has a history of lots of chargebacks, that merchant gets canned anyway. If I'm entering ship-to and bill-to addresses into the system and if there's something that makes them (or their computers) uncomfortable, have the merchant call in for verbal authorization where the risks are explained to the merchant and/or Visa/Mastercard can say that they won't take responsibility for the charge.

I'm not opposed to a merchant being expected to be honest enough to do due diligence. If I ship something to Nigeria and expect Visa/Mastercard to pay me, and it turns out to be fraudulent, they have a right to ask me what documentation or evidence I have that I made an honest effort to be reasonably sure the transaction was valid. If I failed to do that, they can expect me to pay for it. But if there's nothing Nigeria-like about the transaction, nothing raises my suspicion, I submit the card to Visa/Mastercard and they authorize it and confirm the zip code and CSV matches, I've done all I can. To then turn around and say, "Yeah, we know we told you the charge was authorized, we know you have the right address, zip code and CSV, but what do you know... our system sucks and even though you obviously have all the right data you could possibly provide, we're still holding you responsible."

If a merchant is fraudulently processing charges or is accepting credit cards that are obviously stolen, that's a crime that should be prosecuted in a court of law. Simply assuming all merchants are crooks and arbitrarily taking back money you already gave them is simply not acceptable.

A customer is in the "business" of buying. A merchant is in the "business" of selling. Visa/Mastercard is in the business of facilitating the transaction. That's their business and they need to make sure it works so the buyer and seller can do their business. It is not acceptable to hold either the customer or the merchant responsible for shortcomings in Visa/Mastercard's system. If a merchant gets an authorization number from Visa/Mastercard, that should be a done deal. If it's fraud, Visa/Mastercard needs to eat that charge. If that means raising the discount rate, fine, do it--and let merchants decide whether they're willing to accept credit cards given the real cost of accepting them; or the customers and/or merchants will demand real security.

Re:Misses the point

[letxa2000]

Nice. So why can't you extend that same logic to Visa/Mastercard? There's no reason to pass it off on the merchants instead of Visa/Mastercard. Like I said elsewhere, a business that takes a credit card has enough stuff going on in their own business to have to be held responsible for flaws in Visa/Mastercard's system.

The whole "if you don't like the risk, don't accept credit cards" is no longer valid. It might have been 20 years ago (and many places didn't accept them back then), but now you can't do business if you don't accept them. Visa/Mastercard/AMEX basically holds a monopoly on transaction processing and if you don't accept them, you often can't do business. So while the "if you don't like the risk, don't take the cards" is a nice, convenient cop-out, it really isn't a legitimate answer.

The fact is, Visa/Mastercard is now a scam. There is essentially zero cost to provide the Visa/Mastercard service now that we have Internet and if they aren't even going to guarantee the payment is valid, WTF am I paying 2-4% in discount fees for? Any decent developer could make a competing system in a few months--the problem is that no-one would use it because the market is dominated by the Visa/Mastercard monopoly. And therein lies the problem: Visa/Mastercard is an abusive monopoly and the merchant gets screwed.

Re:Business partners

[Ctrl-Z]

Why are credit card rates so high? Because that's what the market will bear? Credit card companies aren't having any difficulty finding people to lend money to at exorbitant rates.

Re:Article is Wrong

[scribblej]

Well, of course I was exaggerating when I said "no one." But it's interesting to hear your view. :) I didn't realize newegg provided it.

As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.

A few interesting notes on AVS:

1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in it's eyes.
2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.

2 is becoming a little less true recently, though - several issuing banks have taken it on themselves to reject the transaction even if the AVS standard says they aren't supposed to. I think this is a good thing.

Re:Should improve Customer service

[ucblockhead]

Great. You hate it when merchants take extra steps to make sure it's actually you using the card. It's people like you that discourage merchants (and visa/mastercard) from adding extra security that would help ensure that thieves can't swipe cards and go to town.

Re:Having owned a store

[gamer4Life]

...ACTUALLY CHECKING THE SIGNATURE!!!

Doesn't do a thing except waste time. You would catch more false positives before you catch an actual thief that forgot to learn to forge the signature.

Re:Should improve Customer service

[dman123]

If I was a milk and bread merchant and you mentioned to me that I was "harassing" you by asking for ID, I'd just make sure to process that transaction really, really, slow... maybe manually enter the numbers instead of swiping, checking the card with a magnifying glass to check for evidence of tampering, etc. The loss of a sale as you stormed off in a pissy huff would be worth it.

And yes, I would keep helping others in line as I "waited for authorization." Sorry, sir. The computers are a little slow right now. Maybe I'll try calling in for authorization. I'm sure that MasterCard won't put me on hold once they know that we have royalty in line here at the bodega.

Re:Should improve Customer service

[ednopantz]

it's hard enough for small businesses, arbitrarily pissing off customers
As a small business owner, let me say,

Get the hell out of my store!

I don't need customers like you.

Things got a lot better around here once we started "firing" customers who were assholes. More trouble than they are worth.

Re:Should improve Customer service

[DogDude]

You're 100% wrong. I AM a small merchant, and I haven't had to deal with asshats like you before (we deal with jerks... just not in this way). I would be happy to ask you not to come back to the store if you threw a tizzy about us asking for your ID. It's not worth the risk to us to keep assholes happy.

Re:Should improve Customer service

[ednopantz]

If its my money, I'm making sure you are the guy who's name appears on that credit card. If I have any doubt, I'm checking you out before I accept a piece of plastic. I'm the one on the hook for fraud. Not you.

Don't like proving your identity? Then pay cash. We accept that always. Want to give a promise instead? Then get ready for some verification.

How come "checking id when you promise payment in lieu of real money" = instant fascism!! Oh No Everybody Panic!!! 1984!!! AAAAHH!!

And the terms of my contract with VISA are none of your business. Don't like that I look out for my interests? Hit the road, jack.

Re:Should improve Customer service

[Scudsucker]

Both of those things are a violation of your agreement, you can't require ID and you can't arbitrarily refuse my card. Why is it so hard to live up to what you've agreed to?

Because it's virtually impossible to survive as a business without accepting credit cards, and if all credit cards have the same bs terms....

Re:Credit cards and small business

[jtheisen]

That number is written down on the credit card itself. Also, it's transmitted along with the credit card number itself, even if it's not stored. Why not using one-time passwords? You get a list of numbers and are asked for one if you want to do a transaction. The list is issued by post and then you didn't even need ssl for security.

The merchants can do little to enforce such a system, that's up to the banks and credit card companies; so it's their fault that most parts of the world are left with pretty insecure payment systems.