Card Fraud

You cannot ignore the possibility that your online store will be subject to card fraud. A fraudulent transaction, where the transaction is not authorised by the cardholder, can result in a chargeback. When a cardholder has an issue with a charge on their credit card, they can contact their bank to dispute the charge. The bank will then make a chargeback or inquiry. The cardholder can be one of your customers or someone who believes that their card was used on your store without their permission. If the cardholder’s bank makes a chargeback, then the bank will take the disputed amount from you right away. The cardholder’s bank will also take a chargeback fee from you. If the cardholder’s bank makes an inquiry, then they won’t take the disputed amount or a fee right away.

You can try to resolve the chargeback or inquiry in a few ways. Often, the company that issued the cardholder’s credit card will review any evidence and then close the chargeback in either your favour or the cardholder’s favour. If you win the chargeback, then you get the disputed amount back, and the chargeback fee will be refunded. If the cardholder wins the chargeback, then the disputed amount is returned to the cardholder. Potentially you will therefore have paid for the product, received no income from it and been charged a chargeback fee as well. Clearly chargebacks will affect your bottom line.

A chargeback can be initiated by a customer for a number of reasons such as:

  • Fraudulent
  • Unrecognized
  • Duplicate
  • Subscription cancelled
  • Product not received
  • Product unacceptable

There is also the possibility that the chargeback itself is fraudulent, i.e. the customer did order the product, did receive it and wants to keep it, but is fraudulently claiming that they didn’t make the transaction.

When you receive a chargeback you can try to talk to the customer who made the order by phone or email to see if you can resolve the issue. If the customer agrees that the chargeback isn’t necessary, then the customer must contact their bank and ask them to drop the chargeback. You should also submit evidence that shows that the customer agreed to drop the chargeback.

You can also submit evidence to the cardholder’s bank. The amount of time that you have to submit evidence depends on the credit card company and the reason for the chargeback. Consider including proof of customer authorization, service provided, or item delivery. You can also add your terms of service and refund policy. If you are adding any document or images, then make sure you have formatted them clearly so that they can be viewed without zooming or cropping.

Shopify Payments for instance collects evidence and sends a response to the credit card company for you on the due date. You can also add your own evidence.

Most payment solutions will offer some form of fraud prevention. Shopify, for instance, has built-in fraud analysis to help bring suspicious orders to your attention, although you don’t get all the features of this on a basic plan.

Fraud indicators which Shopify will highlight include:

  • whether the credit card used for the order passes AVS (address verification) checks. Does the cardholder address match the one provided by the customer?
  • whether the customer provided the correct CVV code (the 3 security digits on the back of a card)
  • whether the customer tried to use more than one credit card.
  • details about the IP address used to place the order. Bear in mind that it is possible to shield an IP address, and that if you are travelling you may log in from a different device. The IP address of a customer is probably the least useful indicator of fraud.

Other indicators to watch out for include:

  • Delivery addresses that are freight forwarders or P.O. Boxes. These don’t indicate a fraudulent transaction in themselves, but they are more risky if you accept them.
  • Especially large orders
  • Requests for rush delivery
  • Multiple cards for orders being placed to the same address
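The indicators in the two lists above can be turned into a simple pre-capture check. The following is an added example, not Shopify's fraud analysis or any platform's API; the order field names, the large-order threshold and the hold rule are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample orders; field names are hypothetical, not a Shopify schema.
ORDERS = [
    {"id": "A1", "avs_match": True, "cvv_match": True, "cards_tried": 1,
     "card_fp": "c1", "ship_to": "12 High St, Leeds", "total": 40.0, "rush": False},
    {"id": "A2", "avs_match": False, "cvv_match": True, "cards_tried": 3,
     "card_fp": "c2", "ship_to": "P.O. Box 77, Dover", "total": 900.0, "rush": True},
    {"id": "A3", "avs_match": True, "cvv_match": True, "cards_tried": 1,
     "card_fp": "c3", "ship_to": "5 Mill Lane, York", "total": 60.0, "rush": False},
    {"id": "A4", "avs_match": True, "cvv_match": True, "cards_tried": 1,
     "card_fp": "c4", "ship_to": "5 mill lane,  YORK", "total": 55.0, "rush": False},
    {"id": "A5", "avs_match": True, "cvv_match": True, "cards_tried": 1,
     "card_fp": "c5", "ship_to": "9 Quay Rd, Hull", "total": 600.0, "rush": True},
]

LARGE_ORDER = 500.0                                   # assumed threshold
RISKY_ADDRESS_HINTS = ("po box", "p.o. box", "freight")
HARD_FLAGS = {"avs_mismatch", "cvv_mismatch"}         # failed card checks

def normalise(addr):
    """Lower-case and collapse punctuation/spacing so address variants compare equal."""
    return " ".join(addr.lower().replace(",", " ").split())

def review(orders):
    """Return {order id: {"flags": [...], "action": "hold" | "capture"}}."""
    cards_by_addr = defaultdict(set)          # cross-order view: cards per address
    for o in orders:
        cards_by_addr[normalise(o["ship_to"])].add(o["card_fp"])
    results = {}
    for o in orders:
        addr = normalise(o["ship_to"])
        checks = [
            ("avs_mismatch", not o["avs_match"]),
            ("cvv_mismatch", not o["cvv_match"]),
            ("multiple_cards_tried", o["cards_tried"] > 1),
            ("forwarder_or_po_box", any(h in addr for h in RISKY_ADDRESS_HINTS)),
            ("large_order", o["total"] >= LARGE_ORDER),
            ("rush_delivery", o["rush"]),
            ("multiple_cards_same_address", len(cards_by_addr[addr]) > 1),
        ]
        flags = [name for name, hit in checks if hit]
        # Assumed rule: a failed card check, or two or more softer indicators,
        # holds the order for manual review before payment is captured.
        hold = bool(HARD_FLAGS & set(flags)) or len(flags) >= 2
        results[o["id"]] = {"flags": flags, "action": "hold" if hold else "capture"}
    return results
```

A single soft indicator, such as a P.O. Box on its own, is recorded as a flag but does not hold the order, in line with the point that these addresses are riskier without being fraudulent in themselves.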

Shopify will provide a fraud recommendation for a transaction (flagged on the orders page) and you can subscribe to order notification emails. You also have the option to manually capture payments for orders in Shopify, allowing you time to review an order before you take payment. But you will need to capture a payment for an order before the authorization period for that order ends. You can also receive warning emails to let you know that authorisations are about to expire.

PayPal transactions can be covered by Seller Protection for sales on eBay. If you are selling on other platforms and using PayPal as the payment solution then PayPal’s Seller Protection will not help you. Seller Protection protects you against unauthorised transactions and claims that customers did not receive their product. The product and its delivery must however conform to PayPal’s rules. It doesn’t extend to services or digitally delivered items (e.g. software, e-books). Items must be shipped with proof of delivery from within your country to buyers in your country or other countries where PayPal is accepted. Shipping should be within 7 days to the address indicated in the transaction details using a qualified Shipping Company according to PayPal’s User Agreement, and you should provide an accurate delivery estimate at the time of the sale. You should fully review PayPal’s requirements to ensure you are protected.

Stripe (an online payment processor) users can process card payments that require authentication with 3D Secure. 3D Secure provides a layer of protection against fraudulent payments that is supported by most card issuers. Unlike regular card payments, 3D Secure requires cardholders to complete an additional verification step with the issuer. Users are covered by a liability shift (the liability for the chargeback is met by the card issuer, not the merchant) against fraudulent payments that have been authenticated with 3D Secure as the card issuer assumes full responsibility.

While 3D Secure protects you from fraud, it requires your customers to complete additional steps during the payment process that could impact their checkout experience. For instance, if a customer does not know their 3D Secure information, they might not be able to complete the payment.

When considering the use of 3D Secure, you might find the right balance is to use it only in situations where there is an increased risk of fraud, or if the customer’s card would be declined without it. If the card or issuer isn’t enrolled in 3D Secure but the type of card could support 3D Secure (e.g., most Visa and Mastercard consumer cards), liability is still shifted to the card issuer.

There are certain circumstances where payments that are successfully authenticated using 3D Secure do not experience a liability shift. This is rare and would happen, for example, if you had an excessive level of fraud on your account and were enrolled in a fraud monitoring program by a card issuer. For that reason you shouldn’t take the attitude that fraud doesn’t matter because you have no liability: excessive fraud can result in that protection being removed.

Furthermore, should a customer dispute a payment for any other reason (e.g., product not received), then the standard dispute process applies. As such, you should make the appropriate decisions regarding your business and how you manage disputes, if they occur, and how to avoid them completely.