Merchant911 Arms Little Guys for the Fraud Fight

From Congress to cardholders, everyone is up in arms about recent thefts of personal data from merchants, credit card processors and other data aggregators. The latest hack-and-grab crime wave began in February with the revelation that fraudsters scammed 100,000 accounts from ChoicePoint Inc. and culminated—one hopes—in June with the discovery of a potential 40-million card cyberheist from a third-party processor for Visa, MasterCard and others.

Invasions such as those are destructive to personal privacy and finances, of course. But they are just an escalation of the fraud problem that online retailers have to live with every day—a problem that is keeping pace with the growth of e-commerce. These fraud losses can be particularly ruinous to small businesses operating on thin margins. But one e-commerce watchdog says the penalties imposed by card companies on e-merchants duped by bogus buyers can be just as bad—and even more unfair.

When customers allege that their credit cards have been fraudulently used, it’s the retailers who pay the lion’s share of the reverse charge, known as a “chargeback”, rather than the issuing bank or the credit card processor. By federal law, consumers’ liability in credit fraud is limited to $50; retailers are liable for $100 of a bogus transaction. In addition, retailers often face penalties from either the bank or the processor that can range from $25 to $40 per transaction. These are particularly steep for online commerce, where fraud is a special danger because the card user isn’t physically present at the sale.

But that’s not fair, says Tom Mahoney, founder and operator of Merchant911.org, a non-profit Web community that distributes information on fraud protection and prevention to e-retailers. He believes card companies and issuing banks have set up a system that gives merchants all the responsibility of paying for fraud without giving them the tools to detect it.

Mahoney says he learned this lesson firsthand back in 1999, when his wife’s online retail site, TheBarkingLamb.com, began getting orders for its herbal teas and remedies that were paid for with U.S. credit cards but were meant to be shipped to Yugoslavia. Mahoney checked the credit information on the card with the processor and was told that since he was getting an authorization number, the cards were valid and he could ship with confidence.

Months later, he was notified that the card was fraudulent, that he would get hit with $1,200 in chargebacks from the processor, and that in addition he would be liable for a $40 penalty for each of the 17 bogus orders.

“We hadn’t been online for that long and were accustomed to swiping cards at trade shows and crafts fairs with the user present,” Mahoney says. “The issuing bank and the card processor gave us no tools to check the cards, and when we did get suspicious and call them on our own, they said everything was fine.” Barking Lamb got no credit for doing its best to check the card’s authenticity—even when, Mahoney says, it later turned out that some of the card numbers had never even been issued and were not valid for use.

Similar tales from other online merchants led Mahoney to found Merchant911.org, which offers tools e-tailers can use on their own to spot phony or invalid credit cards. But he says the larger problem is that card companies, issuing banks and processors have developed a conflict of interest problem: They say they want to eradicate card fraud, but on the other hand, chargeback penalties have become a tidy profit center for them.

“Visa has said it costs them $35 to replace a credit card,” he says. “Meanwhile, the industry stands to make between $25 and $40 in chargebacks on each fraudulent transaction.” Given that fee structure, Visa, MasterCard and the other lenders in last month’s 40 million-card exposure had no financial incentive to cancel the 68,000 card numbers they know were stolen, according to Mahoney. Why should they, he asks, when they stand to make $150 per phony transaction, as well as penalties from the merchants?

When Mahoney aired his opinion about the card companies’ conflict of interest on the CBS Evening News, a card industry representative called his charges “ludicrous” and said the penalties were there to cover processing fees and to give merchants an incentive to be more careful.

“Now, how can those fees be both reasonable recovery and punitive?” Mahoney asks. “At the least, they should have told merchants, ‘We won’t hold you liable for fraud on those cards that we know were stolen.’”

Mahoney also points to a 2003 bill in the West Virginia legislature that would have shifted responsibility for fraud back onto the credit industry and removed chargebacks from merchants who did proper authentication checks. “Visa sent representatives to the hearings to say that if this bill passed, they would stop doing business in West Virginia,” he says. “That tells me they don’t want this to happen.”

Card companies, banks and processors have also been slow in giving retailers the information they need to check cards properly, says Mahoney. He says he has seen instances where banks would not verify credit information on privacy grounds. In other, rarer cases, merchants ran through a checklist of verification points with the issuing bank—name, address, phone and so on—and then, almost on a whim, asked if the card had been reported stolen. Yes, they were told, it had.

“Suppose the retailer hadn’t asked that question?” Mahoney says.

Even the business-resource sections of the Web sites for Visa and MasterCard give lists of fraud “red flags” such as orders from free e-mail addresses but don’t explain why these signs suggest unauthorized activity.

“Because of this lack of information, even when merchants try to do due diligence and get the okay to ship an order, if anybody in the chain makes a mistake, the merchant is stuck with the chargeback,” Mahoney says. “They’re being fined for being victims of a crime, and they’re getting fed up with it.”

And while fraud-prevention measures such as Verified by Visa and MasterCard’s SecureCode add a layer of password protection to online business, they cost money to set up and maintain—money that many small online retailers may not have to spend—and are voluntary. Mahoney thinks they will be ineffectual in curbing fraud until card companies make participation mandatory, with the program costs distributed among the banks, processors and major retailers to make them more affordable for small merchants.

Until that day, Merchant911 gathers together a number of useful Web resources that Internet sellers can use to help cut their chargeback risks down to a minimum. Mahoney, who maintains the site while holding down a full-time job as network administrator for Franklin and Marshall College in Lancaster, PA, compiles a periodic urgent alert list containing information about specific frauds and scams, along with another list that contains broader discussions of credit fraud issues. He also offers searchable databases of free e-mail addresses, free proxy servers, and records on 62,000 known compromised cards (compiled by lurking on card fraud Web sites before the FBI shut most of them down, he says). Credit card fraud detection company MaxMind.com also supplies an IP geolocation database that goes down to the country level and is updated monthly.

And because these tools could be useful to fraudsters themselves, Mahoney is strict about security. The database functions are open only to members; membership is free, but he checks to make sure each applicant has a Web site, a shopping cart, and a contact address located in the same domain as their Web site.

Takeup among the online retail community has been strong, he says. From 300 original members when Merchant911 went live in January 2001, the group has grown to 3,000 members. And while about 70% are small mom-and-pop e-merchants, Mahoney’s brainchild also numbers members of law enforcement, the card processing industry, payment groups such as PayPal, executives from Dell, Apple and J.C. Penney—“and even one guy from the risk management department at Visa,” he says.

Last May, Mahoney and two collaborators also launched a for-profit Web site called PreventChargebacks.com, offering Internet retailers an interactive course in detecting card fraud.

Overall, Mahoney says, the online fraud problem is not getting better. “CyberSource said the fraud rate last year was flat at 1.8%, but that was on a 30%-plus increase in e-commerce,” he says. “So fraud is growing, despite SecureCode, Verified by Visa and all the other anti-fraud efforts. Something’s not working.”

What does he recommend for small online retailers who want to take a bite out of cybercrime before it bites them? Basically, making sure that the person placing the order is the true cardholder. This involves three steps:

* Run all available cross-checks on the Internet, including name, address and phone number.

* Run an IP geolocation check. “If the cardholder says he’s a U.S. citizen, make sure he’s sitting at a computer in the U.S. and not in Indonesia,” Mahoney says.

* Contact the issuing bank if you have any questions at all about the order. (And don’t forget to ask if that card’s been stolen.)

And don’t get carried away by dreams of a sales bonanza. “Most of our members are small merchants, and probably haven’t seen a lot of huge orders,” he says. “All of a sudden, they get an order from they don’t know where for a significant amount, and they desperately want that sale to go through. They’re going to look for a reason to ship that order rather than a reason not to. But I say their mantra should be, ‘It costs less to reject a good order than to ship a bad one.’”
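The three checks above can be combined into one pre-shipment screen. The following is an added example, not Merchant911's code, and it goes slightly beyond the list by also flagging a ship-to country that differs from the billing country, the pattern in the Barking Lamb orders. The lookup lists, HMAC key, order field names and IP-to-country table are all constructed placeholders.

```python
import hashlib
import hmac
import ipaddress

# All lookup data below is constructed for illustration; a real deployment
# would load maintained lists and a country-level IP geolocation database.
FREE_EMAIL_DOMAINS = {"freemail.example", "webmail.example"}
OPEN_PROXIES = {ipaddress.ip_address("203.0.113.7")}
IP_COUNTRY = [  # (network, ISO country code); documentation ranges only
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "ID"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]
FINGERPRINT_KEY = b"placeholder-key-load-from-secret-store"

def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number, so the list never holds raw numbers."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()

# Constructed entry: a well-known test card number, not a real account.
COMPROMISED_CARDS = {card_fingerprint("4111 1111 1111 1111")}

def ip_country(ip: str):
    """Country code for an address, or None if no range covers it."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in IP_COUNTRY if addr in net), None)

def screen_order(order: dict) -> dict:
    """Return the red flags for one order and the resulting action."""
    flags = []
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        flags.append("free_email")
    if ipaddress.ip_address(order["ip"]) in OPEN_PROXIES:
        flags.append("open_proxy")
    seen = ip_country(order["ip"])
    if seen is None:
        flags.append("ip_country_unknown")
    elif seen != order["billing_country"]:
        flags.append(f"ip_country_mismatch:{seen}")
    if order["ship_country"] != order["billing_country"]:
        flags.append("ship_to_other_country")
    if card_fingerprint(order["card"]) in COMPROMISED_CARDS:
        flags.append("known_compromised_card")
    # Any flag means: do not ship yet, contact the issuing bank first.
    return {"flags": flags, "action": "hold_and_call_issuer" if flags else "ship"}
```

A flag is a reason to hold the order and call the issuer, not proof of fraud; the screen is deliberately biased toward holding, in line with the mantra above.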