Is fraud free real time credit card processing possible?

[stevenrt2]

Imagine I am launching this fictitious web based business (don't worry I'm just using it as an example):

Shareware developers put their software on my site and people visit the site, browse through the software and purchase it using a credit card. At the end of each month I collect the money from the credit card processor (say Worldpay) and pay the developers who sold software after deducting my cut.

The site must process credit card transactions in real time without human intervention (so no hand checking for fraudulent transactions). It must also take customers from around the world (so no AVS). I have enrolled in Verified by Visa etc ... and whatever else you can suggest.

My question is simple: Is it possible (by choosing to sign up with Verified by Visa or whatever else you suggest) to completely avoid chargebacks due to fraudulent use of credit cards? Assume for the sake of argument that no customer is ever unsatisfied with the software so that is never a reason for a chargeback.

So, with Verified by Visa, is this possible? I assumed it was since as long as I the merchant was signed up with Verified by Visa I was covered even if a customer used a card that was not enrolled. This always seemed too good to be true and then I read this:

http://support.worldpay.com/kb/user_...ntication.html

read the section titled Liability Shift

that seems to back away from making such a sweeping claim for shifting liability from the merchant.

I'm frustrated because VbyV has been out for years now and even now I can't seem to get a straight answer to a simple question: can I run this (fictitious for the sake of illustration) site without loosing a single dime due to credit card fraud?

I honestly appreciate any guidance people here can give me.

Steven

[stymiee]

No.

75% of all credit card fraud happens online. Even if you use every precaution the odds are eventually one will get through. If you remove the human intervention and accept international credit cards, the odds of one slipping through increases dramatically. It's, unfortunately, part of doing business online.

[stevenrt2]

What if I restrict acceptance to only credit cards which are authenticated with VbyV etc? Yes, that will drastically restrict the number of customers who can pay (I read only 1 in 9 credit cards is authenticated), but would I at least eliminate all fraud risk in those that I accept?

[stymiee]

Well, it wouldn't eliminate most of the fraud but not all of it. Someone can always say it never arrived or you didn't send what they ordered. vbv doesn't cover that as far as I know.

[stevenrt2]

sorry did you mean "well, it would eliminate most of the fraud"? I presume so from the context? Don't worry about the non delivery scenario, assume for the sake of argument that is not an issue, I'm just talking about chargebacks due to fraudulent use of a credit card.

So if I do restrict myself to only accepting credit cards that are enrolled in VbyV etc... then I can TOTALLY eliminate chargeback risk?

[stymiee]

Still no. Vbv only protects against certain types of chargebacks. I'm not an expert on vbv so you'll have to wait for CardinalCommerce to swing by and add his two cents on exactly what it does protect you against and what you are still exposed to.

[stevenrt2]

The reason from my confusion in part stems from advice I received from this forum over a year ago. The thread was http://www.sitepoint.com/forums/show...+visa+restrict from which I quote:

CardinalCentinel
SitePoint Enthusiast
Join Date: Sep 2004
Location: Cleveland, Ohio
Posts: 86
Not all merchants require it from their shoppers. The only card-holders who are required to enter in their PIN, are the one's who have gone out and established one.

A non-participating cardholder sees nothing upon checkout. The protection occurs on the back-end in that case. These transcations (non-participating) are 100% guaranteed against credit card fraud, regardless of any fraud screening flags it may raise. The VbV transaction is no longer liable to YOU the merchant. The Bank must now take responsibility for that transaction, and ultimately their card-holders. Visa and these programs have one goal in mind...putting you the merchant back into the business of doing business. Since about 1993 online merchants have had to bear the burden of fruad. Banks have never taken responsibility for their card-holders since the conception of the internet, and they make money off chargebacks, while merchants pay for everything. With eCommerce growing at an exponenetial rate along with fraud, Visa and the payment networks decided something needed to be done. VbV's long term goal is to put cardholder-not-present transaction liability on the shoulders of the cardholder.

Whether this was or was not true at the time, I certainly don't think it is the case now. There has been a shift of liability BACK to the Merchant even when he is Verified by Visa enabled when a customer uses a non enrolled card. It is a complete 180 that apparently has gone unnoticed here until I just pointed it out.

That's really annoying because the advice I received here - that the Merchant would NOT be liable even in the event a non enrolled card was used - influenced me to spend time and money developing. Either the advice was always incorrect or the Verified by Visa program has changed in the last year to shift liability back to the Merchant.

[stevenrt2]

I'm not trying to piss anyone off or accuse anyone of incompetence, I'm just trying to get a definitive answer. It's so confusing, here is http://www.beanstream.com/website/me...oducts/vbv.asp which states in bold

" When a merchant uses VbV to attempt to authenticate a credit card transaction, they will be protected against claims of fraudulent credit card use. This "liability shift" occurs even if the cardholder has not yet registered for the VbV service."

This is exactly what cardinal said so there seems to be some basis for this (I can find any number of similar quotes on the web).

On the other hand I can find quotes that say the exact opposite: (from http://www.merchantservices.co.nz/ol...authentication )

Am I protected against all chargebacks?
No - you are protected against the most common e-commerce chargeback, which is "unauthorised or fraudulent use of a credit card account" for cardholders that are enrolled and have been fully authenticated (password has passed verification by the cardholder's bank). In some cases, you may also benefit from the liability shift for transactions where the merchant has successfully attempted authentication on a non-participating customer. You are still liable for chargebacks for non-participating cardholders, or where receipt or quality of the goods is in dispute, or any failures to abide by your merchant agreement.

Either the Merchant benefits from "Liability Shift" when the customer is not enrolled or not? Which is it? Apologies again if I have offended anyone including Cardinal I am not trying to blame anyone just get to the bottom of something very confusing and very important.

[stevenrt2]

To clarify, if a card is enrolled, but the user DOES NOT enter the VbyV PIN, and you STILL accept the transaction which then turns out to be fraudulent, then I understand and accept that the Merchant bears the liability - maybe this is the liability the above quotes are referring to ("Cardholder did not complete authentication" in the worldpay document at http://support.worldpay.com/kb/user_...ntication.html - look at the Liability Shift heading).

OK that makes sense and I'm cool with that, if the card is enrolled in VbyV and the PIN is not entered and you still accept the transaction then it's on you.

However there is another condition referred to in the aforementioned Worldpay document where the Merchant still bears liability, called "Cardholder authentication not available". Any idea what that means? I'm guessing it means the case where you the Merchant are not enrolled in VbyV so you cannot authenticate the cardholder?

Yes I'll call them but I can't till Monday and I'm really anxious to get to the bottom of this.

As a final note, if you look at the table in the worldpay document it seems Visa offers more protection for the Merchant than Mastercard - the Liability Shift in the case where the card is not enrolled is only offered in certain geographic regions for Mastercard (for Visa the protection is global)

[shadowbox]

We implemented VBV and Securecode on a test site in September, and to date, we've not had a single person use it. According to my PSP, hardly anyone has signed up because VISA and Mastercard are simply not making any effort to promote it. As a consumer with both VISA and Mastercards, I have never had a single piece of literature sent to me about this system and while it remains a bit of an opt-in secret, I doubt anyone will use it.

My PSP is also unconvinced as to how much liability is to be shifted from the merchant, as the ToS in all cases are suitably vague.

The site must process credit card transactions in real time without human intervention (so no hand checking for fraudulent transactions). It must also take customers from around the world (so no AVS). I have enrolled in Verified by Visa etc ... and whatever else you can suggest.

We process and deliver digital goods in real time on most of our sites and it's worth noting that there are methods you can implement to reduce the problems. For example, with our PSP, we do not settle transactions automatically, and hence at the end of each day we can run through the orders and suspend obvious fraud so we avoid being charged transaction fees (we only get charged on settlements).

At our end, we only dispatch automatically if transactions meet certain criteria. For example, if we get 'NO DATA MATCHES', the item is made available to the client.

As for no AVS on international transactions, this is not quite true anymore, as we are regularly getting 'ALL MATCH' on US Mastercard transactions, of course this is still next to useless because it is not consistant and VISA certainly haven't implemented this.

My question is simple: Is it possible (by choosing to sign up with Verified by Visa or whatever else you suggest) to completely avoid chargebacks due to fraudulent use of credit cards? Assume for the sake of argument that no customer is ever unsatisfied with the software so that is never a reason for a chargeback.

I think first you need to understand that chargebacks will happen no matter what, but more so with digital delivery due to the instant gratification nature for fraudsters and the fact that no proof of delivery is possible. That said, on my main site last year, we had only 0.4% chargebacks (in terms of yearly turnover). If I add to that the fraud cases I caught before they settled, that may push this up to 1%. This is a site that does 85% business with international customers.

I personally find that completely acceptable (as does my bank!), so I don't consider fraud to be that much of a pressing issue for my business at the moment - of course fraud rates will vary from site to site and I do know of some sites that have a 9% chargeback rate.

My advice would be that while vigilance is in order, don't get so worried about fraud that you do something silly like only accept VBV orders. Better to run your business for a while and assess just how much of a problem fraud is.

It's also worth noting that Worldpay (last I checked, but this was a while ago, as I no longer recommend Worldpay to my clients), charge you an actual penalty fee for each chargeback, in addition to taking back your funds and keeping the transaction fees. Hence each case of fraud can be an expensive experience for you. But if you have a true merchant account, you don't tend to get this penalty fee charged at all (e.g. HSBC don't charge this, neither did Barclays when we used them in the past) - they simply take your money back and of course you still get charged for the settlement fee (e.g. 2-3%). You'll also have a lot more control over your settlements and security checking if you choose to go with your own merchant account/PSP combo.

So weighing things up - i.e. the fact that delivering a digital file doesn't actually cost anything except a 2-3% transaction fee and a little bit of server bandwidth, fraud may be of little concern.

Where you would have to be careful is the fact that you are paying your developers each month, so 6 months down the line if you get a load of chargebacks, you need a system in place to ensure you are not covering the fraud for these guys and you get your money back. This could be accomplished by holding back a proportion of their earnings each month (lawyer time...).

[stevenrt2]

Thanks for your detailed reply. In response to your first paragraph, depending on how you read the TOS the point seems to be that even if the customer doesn't use VbyV the fact that you support it should shift Liability from you. So if you sign up for VbyV it shouldn't matter if customers use it or not, you are not liable for fraudulent transactions.

Or not? That is what I can't find the answer to.

[thetopguy]

We signed up with Cardinal on one business but it did not really reduce our fraud whatsoever. We implemented other procedures and stop using their services.

I would call whatever company you are wanting to deal wiht, and reference the above articles. There are a few companies that will offer you these services.

[decor]

...even if the customer doesn't use VbyV the fact that you support it should shift Liability from you. So if you sign up for VbyV it shouldn't matter if customers use it or not, you are not liable for fraudulent transactions. Or not? That is what I can't find the answer to.

In the UK at least only up to 1% charge backs, as liability shift has now been limited (it was after all only offered to encourage merchants to sign up). Its most likely that liability shift we be removed altogether in the future... but with VISA it certainly doesn't appear to cover merchants with chargebacks above 1% (this was back in 2004... its probably changed again since then)... with so few consumers currently enrolled... if you rely on VBV only... you will most likely get caught with your pants down!

It can only really be used as an additional weapon to fight fraud... and is most likely to become mandatory for both merchants and consumers for CNP online transactions... probably about 2 years away! Maybe by then 3-D Secure checks will have become free...