Merchant911 Blog

14 Apr

Merchant911 member uncovers a big scam

This afternoon, one of our Merchant911 members filed a fraud report that once again shows us that banks just don’t have a clue about fraud prevention - or maybe they just don’t care. We’re not talking about a little bank here, folks. We’re talking about Washington Mutual - WaMu - one of the largest credit card issuers in the country. It shows, once again, that AVS is just about as useless to a merchant as a bicycle is to a fish.

The scenario

It went like this:

  • Merchant got two transaction notices - AVS approved and shipment requested to the Billing Address.
  • Merchant ran manual checks and found discrepancies between GeoLocation and telephone number locations.
  • Merchant called the phone numbers and heard accents that didn’t sound right for the names.
  • Merchant called WaMu and got verbal verification of the billing address, but the phone numbers were wrong.
  • Merchant insisted that WaMu contact the cardholders.
  • Cardholders denied transactions and said they had not changed their addresses.
  • WaMu confirmed that someone other than the cardholder had changed the billing address of record.

Kudos to the member for doing the manual fraud checks recommended at Merchant911 and in the online course, Preventing E-Commerce Chargebacks. If the merchant had not done the manual checks, she would have been nailed with two large chargebacks. The transactions passed AVS but the merchant caught the fact that GeoLocation and the telephone number cross reference didn’t seem right.

    Analysis

    It looks like the bad guys were able to change the billing address for the WaMu credit cards undetected. This resulted in transactions passing AVS, which could have meant that expensive merchandise was sent to the bad guys’ door. Had the bad guys changed the telephone number on the account, the fraud would have gone undetected until the cardholder disputed the charge and the merchant got the chargeback. Of course, in this case, there might be good news for the merchant - the billing address was changed so the real cardholder may never get a bill to dispute.
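
The manual checks from the scenario can be written as an order-screening rule that treats an AVS pass as one signal among several. This is an added example, not Merchant911's own tooling; the `Order` fields, the small area-code table and the sample orders are constructed, and the IP geolocation result is assumed to come from whatever lookup the merchant already uses.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup; a real check would use a complete area-code database.
AREA_CODE_STATE = {"206": "WA", "212": "NY", "305": "FL"}

@dataclass
class Order:
    avs_passed: bool          # issuer says the billing address matches its record
    billing_state: str        # state of the billing (and shipping) address
    ip_country: str           # result of the merchant's own IP geolocation lookup
    ip_state: Optional[str]   # None when the IP is non-US or unresolved
    phone: str                # 10-digit US number given on the order

def review_reasons(order: Order) -> List[str]:
    """Return the reasons an order should go to manual review (empty = none)."""
    reasons = []
    if not order.avs_passed:
        reasons.append("AVS mismatch")
    # An AVS pass only means the address equals the issuer's record, which
    # the scenario shows can itself be changed, so keep checking.
    if order.ip_country != "US":
        reasons.append("IP geolocates outside the US")
    elif order.ip_state and order.ip_state != order.billing_state:
        reasons.append("IP state differs from billing state")
    phone_state = AREA_CODE_STATE.get(order.phone[:3])
    if phone_state is None:
        reasons.append("phone area code not recognised")
    elif phone_state != order.billing_state:
        reasons.append("phone area code differs from billing state")
    return reasons

# Constructed orders; "ZZ" is a placeholder for any non-US country code.
TAKEOVER = Order(True, "WA", "US", "NY", "3055550100")      # AVS pass, signals disagree
PHONE_MATCHES = Order(True, "WA", "ZZ", None, "2065550101")  # only geolocation is off
CONSISTENT = Order(True, "WA", "US", "WA", "2065550102")

if __name__ == "__main__":
    for name, o in [("takeover", TAKEOVER), ("phone matches", PHONE_MATCHES),
                    ("consistent", CONSISTENT)]:
        print(name, "->", review_reasons(o) or "no flags")
```

A flagged order is a prompt for the follow-up the member did by hand (calling the number, asking the issuer to contact the cardholder), since mobile numbers and travel produce legitimate mismatches.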

    I have to wonder how many times this has happened. I suspect it happens a lot. It certainly explains the reports we get from merchants telling us about chargebacks on shipments to AVS approved addresses. Of course, banking officials will tell you it can’t happen and blame it all on the merchant so they can pass the loss to them and collect a chargeback fee on top of it.

    06 Apr

    Internet Crime Complaint Center Report is a Joke

    The Internet Crime Complaint Center has released their 2007 Internet Crime Report. For those that never heard of them, The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

    To be fair, I acknowledge that this, like any statistical report, can only report on the statistics that are collected. Having said that, it would be very interesting to know the demographics of the people that have filed complaints with the IC3. The statistics are vastly different from the numbers that merchants are experiencing.

    According to the 2008 Annual Online Fraud report published by CyberSource, which can be downloaded here, the fraud rate has remained substantially the same at 1.4% of revenue but, because of the increase in online sales, the dollar amount lost to fraud has risen to $3.6 Billion. I have seen at least one other survey that is consistent with these figures. Those statistics are for online credit card fraud alone! That’s far greater than the $239 Million TOTAL losses reported by the IC3. In fact, the IC3 reports that only 4.6% of that $239 Million, or $15.3 Million is from credit card fraud. Does anyone besides me see the disparity between $3.6 Billion and $15.3 Million?

    I suspect that people are not reporting their losses to the IC3 for one of two reasons. The agency is fairly new so perhaps people are just beginning to learn that there is, indeed, a place to report cybercrime. The more likely reason is that people just don’t bother because nothing is done. Law enforcement, especially on the Federal level, simply does not have the resources to investigate a median loss of $680. We’re lucky if they touch 10 times that amount. In fact, the IC3 report itself tells us that “only one in seven incidents of fraud ever make their way to the attention of enforcement or regulatory agencies.” and that’s across all classes of reported cybercrime!

    The IC3 is nothing more than a statistic gathering joke, and a poor one at that.

    Not only does law enforcement fall far short (through no fault of their own) but the payment industry as a whole has no incentive to stop credit card fraud. When merchants are victims of credit card fraud, they lose their money, their product or service, and they are forced to pay additional fees, generally $25-$35 per chargeback, for what amounts to being fined for being the victim of a crime. The proceeds of those fines go directly into the pockets of the payment industry - the processors and the card issuing banks. As long as there is a revenue stream from fraud for the only people that can stop it, fraud will continue.

    If the IC3 report has any accuracy at all, it’s the fact that card holders reported losses of $15.3 million while online merchants suffered losses of $3.6 Billion. Cyber merchants take all the losses - but we knew that already!

    You can download the full IC3 report here. I suggest that you don’t read it on a full stomach.

    04 Apr

    Merchants: Know Your Level of Security

    When merchants contract with a payment processor, they are given the tools they need to make it all work. That can include Point of Sale terminals, PIN pads, software, and whatever else they need. The merchant may know that he’s supposed to be PCI compliant although, according to an article in QSR Magazine.com, a whopping 61% don’t. Chances are, the merchant will take it for granted that the payment processor will take care of PCI/DSS. After all, the merchant didn’t write the software, provide the hardware, or program the terminal - the processor did.

    That line of thinking can get the merchant in big trouble. In a January 2007 case, Abanco International LLC, (a payment processor) was fined $27,000 by Visa and MasterCard for noncompliance. They passed the fine on to the restaurant that was the common point in some compromised accounts.

    The lesson

    Merchants should never assume that their systems are secure. You need to know what’s required by PCI and question your payment processor to make sure you are. Then verify everything, because the chances are that the processor isn’t going to tell you if they aren’t compliant - you might go elsewhere.

    How many merchants?

    It’s impossible to say how many merchants are compliant. I suspect that most are not. According to Visa, a full 99% of their merchants are small mom & pop operations. Those businesses represent about 70% of the membership at Merchant911. Most of these folks don’t know what’s expected of them, how to accomplish it, or how to remain compliant if they do. And you can bet that if something goes wrong and the payment processor can pin the problem on the merchant they are going to do just that. And it could put the merchant out of business.

    © 2008 Merchant911 Blog