Credit card fraud on your website, who is responsible?

[Grimspoon]

So this oke I know has an online store and someone used a stolen / fraudulent credit card to buy stuff last month. The bank picked it up and did what they call a "charge back" and took the money out of his account. Now whats the norm here. He has a SSL certificate on his site as well as merchant account that when the card details are processed it goes directly to the banks card verification system.

Obviously the card was valid and had funds otherwise the merchant software / bank would have rejected the transaction. Now surely it is not the vendors problem that a credit card was stolen and not reported? Why must he now take the knock for this? Doesn't seem fair.

If Takealot have someone use a stolen or fraudulent card surely Takealot don't have to now pay the bank the funds?


Any thoughts?

[roughiain]

The responsibility is his - it is in the agreement with banks.

Some basic stuff to look at to reduce charge backs.

http://www.maxmind.com/app/ccv_overview

Also if he only sells to SA - filter by IP address to block non SA customers buying or force them via pay-pal

[roughiain]

Also set it up so that secure code and the mastercard stuff are required for all cc transactions

[Denouncer]

Unfortunately with online stores, the merchant is always liable (and for up to 6 months after the transaction has happened), because it's a Card Not Present transaction. The only way to reduce this is to do better fraudulant checks on the order/payment before processing it.

It's worth noting though, that if the card is registered for Mastercard SecureCode or Verified by Visa (3D Secure), the liability generally falls back to the bank again, even with a CNP transaction. But this may have changed since I last checked.

[Grimspoon]

That sucks. I really didn't think he would be held liable. But I guess this is how things go. I will advise that he gets 3D secure. I see most online shops don't use 3D secure do they? I never have had to put in a pin when buying from the likes of Takealot and Kalahari.

[Grimspoon]

Another thing I forgot to mention is that this d00s placed another massive order which they are waiting for stock first before they deliver, now obviously they not going to deliver it but would be nice to set up a sting for this pos.

[killadoob]

Shops that do not make use of the secure 3d are a bit silly. It should actually be forced

I am still amazed that the banks expect the merchants to carry the loss, i can understand a manual merchant being responsible because they can see the physical card.

Take the CCV number for instance, why do they print it on the credit card? It is basically the pin. They give thieves all the details they need to commit fraud.

[bekdik]

Another thing I forgot to mention is that this d00s placed another massive order which they are waiting for stock first before they deliver, now obviously they not going to deliver it but would be nice to set up a sting for this pos.

fraud squad could probably help out

[Kosmik]

Did this happen even with using the 3rd party Credit gateways? Like VCS etc?

[Denouncer]

That sucks. I really didn't think he would be held liable. But I guess this is how things go. I will advise that he gets 3D secure. I see most online shops don't use 3D secure do they? I never have had to put in a pin when buying from the likes of Takealot and Kalahari.

Most online payment gateways, such as VCS, PayGate, Netcash, Payfast, and so on, all utilize 3D Secure (and should be on by default), so you should find out who he is using. Just remember though, that while you can enable your payment gateway to use 3D Secure, unless the cardholder is registered for it, it won't use it. ie. you can't force everyone to use it, but it adds additional cover for both the merchant and client where the cards have been registered.

[chrislim2888]

You can reverse the chargeback, however, solid statement must be on yours. However, I may suggest you to implement a layer of protection to reduce the chargeback, such as http://www.fraudlabs.com

[patrick]

Eish, good to know. I was planning on starting something requiring payment. I think I'll stick to paypal...

[Flidiot]

On a side note, Netcash usually asks, "what will you be selling?" to protect the merchant from cases like this one. For example, if you are a start-up selling high value items, they won't approve you to make use of their CC gateway. I think VCS has a similar policy.

Still sukkeling a bit with them to get this going.