Here we present a high-level FAQ addressing some common questions about the risks of online trading, together with some industry data on fraud.
Q: What are the risks of trading online and why should I care?
A: The risk is that you will be the victim of fraud and you will lose money. Under the terms of the card payment process, it is you, the merchant, who is liable for all payments that you accept via credit and debit cards in the cardholder-not-present environment. You are therefore the victim when fraud occurs: the cardholder whose card information was used without their permission will be reimbursed by their bank, and the funds will be taken from you in order to achieve this. The reimbursement of funds to the cardholder following a report of fraud to their bank is called a ‘chargeback’.
Q: That’s news to me. Who says?
A: This is in line with the Card Scheme rules as set out by Visa, MasterCard and the other payment associations. By electing to accept card payments you agree to abide by these rules. The terms set out by your payment service provider and/or acquiring bank will explain your liability in more detail.
Q: Why is trading on the Internet so risky?
A: The Cardholder-Not-Present (CNP) environment provides the perfect platform for fraud, as you do not see the cardholder or the card. The Internet provides anonymity for the fraudster. Under Card Scheme rules, by which the entire process is governed, you, the merchant, are financially liable when things go wrong. That is to say, when fraud occurs you are the victim: you have taken on an order that later turns out to be fraudulent, meaning you have lost the goods, and later, when the cardholder initiates a chargeback to reclaim the money that has been paid out of their account, you lose the funds paid to you for those goods as well. Even if you detect a suspect order in time and refund it, you normally still pay the fees to your service provider for processing the transaction in the first place, regardless of its suspect nature.
Q: Surely if a payment has been authorised by my payment service provider I will get the funds?
A: It is imperative that you remember two things. Firstly, authorisation is not a guarantee of payment. Authorisation simply means:
Some banks, though not all, will check the 3- to 4-digit card verification value code imprinted on the card itself. This is known as CVV2 or CVC. Some banks will refuse the payment if the CVV2 code is incorrect. Many will still authorise it even if it is wrong.
Secondly, your payment service provider does not authorise payments. Their role is to facilitate the payment process on your behalf. As part of this process, they route the transaction to the appropriate card issuing bank via their connection to the payment network. It is then up to the issuing bank to authorise, refer or decline based on the information presented to them.
Q: What does my payment service provider do to protect me from suspect transactions then?
A: It is not your payment service provider’s responsibility to protect you from fraud. It is your responsibility, as you have elected to run a business, and, in the case of CNP payments, take money from complete strangers. It is an inherently risky activity. There is no reason why anyone other than you should take on this risk as it is your business.
Q: I think I’ve seen talk of fraud screening on my payment service’s website but I didn’t really look into it in detail and assumed it meant I was protected. Doesn’t fraud screening mean that they should stop fraud before I see it?
A: Some payment services will use pre-set fraud rules to automatically refuse some payments based upon their acceptance criteria. Some will flag activity that breaks pre-set rules when such activity is detected via an automated screening system. In such cases you may receive an alert of some description, for example a fraud flag or risk score. These services are normally for advisory purposes only and will not influence the outcome of a particular payment attempt. It is down to you to decide what to do next based upon the alerts you receive. Absence of an alert is usually not an endorsement of a payment’s validity, and simply means nothing was detected that triggered a pre-set rule. It is your responsibility to manage a payment once received, including whether you decide to accept the payment and proceed to fulfil the order. It is equally your responsibility to repay a cardholder if you have taken their money inadvertently by accepting a payment that was not authorised by them, i.e. fraud.
Q: Surely that is not right, why should I be punished for acting in good faith?
A: Unfortunately, accepting payments is not a right but a paid-for privilege. Successful business is not built on good faith. If a cardholder has had their card compromised and used on your site they deserve to have their money back. Consider the position as a cardholder yourself - if your account was abused you would expect the funds back. It has to come from somewhere. That somewhere is the business's bank account or service provider's balance. It will be your business that ends up left out of pocket. That is just the way it is. To say you were not aware of the process or your liability is not an excuse.
Q: What could the consequences be if I do nothing to protect myself from fraud?
A: You will not know what the danger signs are or what to do if you have suspicions. You will send goods to someone who later turns out not to have been the true cardholder. When the true cardholder realises their card details have been used without their authority, they will charge back the transaction with their bank and this money will be forcibly refunded from your bank account or payment service balance. If you did send goods, you will therefore have lost both the goods and the money. Excessive fraud and/or chargebacks will come to the attention of your payment service provider, putting your facility at risk. Your payment service provider will levy a fee for each chargeback you receive as a disincentive (typically £10-£20 per disputed transaction), and may also implement large financial reserves that you will have to pay in order to continue using their service. Your payment service provider may suspend your facility, or they may terminate it. If your facility is terminated due to fraud, your payment service provider will report you to Visa and MasterCard and tell them that your business had its facility withdrawn due to excessive fraud and/or chargebacks. Other payment service providers around the world check new client applications against Visa and MasterCard’s records, so you may not be able to get another facility with a different provider, effectively because you have been blacklisted. Visa and MasterCard may assess your business for fines for breaching their fraud and/or chargeback programmes, e.g. the Excessive Chargeback Programme (ECP). These fines run into tens of thousands of dollars per month and usually escalate on a monthly basis depending upon the severity of the problem. You will have to pay these fines, which will be debited from your bank account or your payment service balance. Failure to meet your responsibilities in terms of paying fines and/or other fees may lead to you being reported to the various credit agencies (e.g. Experian), and action may be taken against you to retrieve any monies owed, including being contacted by debt collection agencies. You may be taken to court. Your business reputation may be harmed. You could go out of business.
Note: Our e-Fraud Guide is relevant to all e-Commerce businesses globally not just those in the UK, as fraud is not region specific.
The UK Cards Association announces latest fraud figures.
| Card Fraud Type – on UK issued credit and debit cards | 2005 | 2006 | 2007 | 2008 | 2009 | +/- (08/09) |
|---|---|---|---|---|---|---|
| Phone, internet and mail order fraud (Card-not-present fraud) | £183.2m | £212.7m | £290.5m | £328.4m | £266.4m | -19% |
| Counterfeit (skimmed/cloned) fraud | £96.8m | £98.6m | £144.3m | £169.8m | £80.9m | -52% |
| Fraud on lost or stolen cards | £89.0m | £68.5m | £56.2m | £54.1m | £47.9m | -11% |
| Card ID theft | £30.5m | £31.9m | £34.1m | £47.4m | £38.2m | -20% |
| Mail non-receipt | £40.0m | £15.4m | £10.2m | £10.2m | £6.9m | -32% |
| TOTAL | £439.4m | £427.0m | £535.2m | £609.9m | £440.3m | -28% |
| Contained within this total: | | | | | | |
| UK retail face-to-face transactions | £135.9m | £72.1m | £73.0m | £98.5m | £72.1m | -27% |
| UK cash machine fraud | £68.5m | £62.0m | £35.0m | £45.7m | £36.7m | -20% |
| Domestic/International split of total figure: | | | | | | |
| UK fraud | £356.6m | £309.9m | £327.6m | £379.7m | £317.7m | -16% |
| Fraud abroad | £82.8m | £117.1m | £207.6m | £230.1m | £122.7m | -47% |
The UK Cards Association is the leading trade association for the cards industry in the UK. With a membership that includes all major credit, debit and charge card issuers, and card acquiring banks, the role of the Association is both to unify and represent the UK card payments industry. It is responsible for formulating and implementing policy on non-competitive aspects of card payments including codes of practice, fraud prevention, major infrastructural changes, development of standards and other matters where cross-industry benefits are identified. More information about The UK Cards Association is available at www.theukcardsassociation.org.uk
Our e-Fraud Guide is an invaluable resource for any merchant looking to protect their business from shopper fraud.
The key benefits: