Who pays for credit card fraud? When is an ecommerce merchant liable?
When a merchant starts accepting online orders, they’ve officially entered the card not present world.
To a consumer, the decision between purchasing online or in-store is simply a calculation of convenience, price and availability.
To a merchant, however, an online purchase and an in-store purchase are two very different scenarios, especially when it comes to liability for accepting a fraudulent transaction.
Let’s dive into an example that illustrates the difference for merchants. It will help you understand who pays for credit card fraud and what rights merchants have in a chargeback.
How Do Fraudulent Transactions Happen?
John Smith is a video-game enthusiast, eagerly awaiting the release of a new game. Release day has finally come, and he heads down to his local store to purchase it, happy to discover that he can grab a copy in-store.
For the brick-and-mortar merchant, this is a card present (CP) transaction, meaning the cardholder, John Smith, is physically present with the card at the point of purchase. When a consumer makes an in-person transaction with a physical card, the merchant has the ability not only to inspect the card but also to ask for identification (such as a driver’s licence) and obtain a signature from the consumer. In addition, merchants require a secure form of payment, such as a chip-enabled card. Chip-enabled cards generate unique transaction codes for each purchase, making the payment information much more secure. If the merchant follows proper procedure, such as requiring a chip-enabled card for purchase and getting a signature, the merchant does not hold the liability on the transaction. Liability rests with the bank that issued the cardholder’s card, and if the purchase is later deemed to be fraudulent, the merchant is not responsible for refunding the customer. (However, if a merchant does not have a chip-enabled card reader and accepts the transaction, they are held liable for that purchase, as they did not undertake the proper updated security procedures.)
Now, say John Smith ran to his local store only to discover the game was sold out, and he needed to order it online.
For the ecommerce merchant, this is a card not present (CNP) transaction, meaning that the cardholder is not physically present at the time of the order. Because the merchant lacks the opportunity to examine the credit card, protection is that much more difficult. Without the standard security measures, such as checking identification and paying with a chip-enabled card, an online transaction is deemed far less secure. Given the riskiness of accepting an online transaction, the liability for accepting a fraudulent transaction rests with the merchant themselves, and not the issuing bank. If a merchant accepts an order online that is later deemed fraudulent, it is the merchant’s responsibility to refund the customer. The cardholder’s issuing bank will collect on behalf of the cardholder.
Understanding this liability is essential for online merchants, many of whom are unaware of their responsibility to review their orders to weed out fraud that they are on the hook for.
How can online merchants protect themselves against credit card fraud?
It’s imperative that online merchants implement fraud prevention measures to protect themselves from the costs of fraudulent transactions, for many reasons.
First, the total cost to the merchant for accepting one fraudulent transaction is often more than twice the cost of the transaction itself, since they cannot recover the original fraudulent shipment and must also refund the scammed customer.
Second, the merchant’s bank (known as the acquiring bank, with whom the merchant stores their money) heavily monitors its customers for fraud acceptance and may charge a fee for every merchant chargeback received, which amplifies how important the question of who is responsible for chargebacks really is. And, should the merchant start to process a large volume of fraudulent transactions, an acquiring bank may not only raise card fees sharply but may also take steps to shut down an online merchant’s account.
What are merchants liable for when fraud occurs?
To sum up, when it comes to credit card fraud, merchant responsibility is as follows:
Card present transactions occur in-store, where the merchant can review the identifying documents of the cardholder for legitimacy and take other security steps, like using a chip-enabled card terminal, to further confirm the validity of the purchase. If they follow the process correctly, they are not liable for fraudulent purchases. The cardholder’s issuing bank is.
Card not present transactions occur online (or through other non-present channels, like mail), where the merchant is unable to confirm the identity and validity of the purchase in person. The merchant is liable for the acceptance of any fraudulent order, and the cardholder’s issuing bank will collect the customer’s refund from the merchant should a cardholder request a chargeback. If the merchant processes a large volume of fraudulent orders, and thus receives a large number of chargebacks relative to their orders, their acquiring bank will likely take steps to raise fees to penalize the merchant.
If you are an online merchant evaluating commerce protection vendors, you might be interested in our free Commerce Protection Buyer’s Guide. This comprehensive guide outlines the evolution of commerce protection from ecommerce fraud detection and details the integral components of a commerce protection solution. Takeaway resources include:
- A sample RFI template to leverage in your evaluation process
- Tips on how to build a business case for a commerce protection solution
- How to evaluate ROI and understand the tools used to prevent chargebacks
- How to find the right solution for your business