Credit card fraud? Who pays?

[bizerta]

If someone commits credit card fraud, who suffers the loss? The cardholder? The merchant? The bank that issued the card? MasterCard Incorporated? I’m sure the answer is “it depends”, but under what circumstances. Are there any statistics as to how often they crooks are successful or how often the crooks are caught?

I live in the Boston suburbs. Tuesday afternoon, my wife received a call from Staples in Kentucky. Sombody was attempting to charge $1000 worth of merchandise and have it shipped to Westbury, NY. I don’t know whether this was a Staples store or the Staples credit card department. I don’t know what would have transpired had my wife not been home to take the call.

No, my wife has not shopped at Target recently.

What is the probability that someone will be caught and prosecuted over this issue? Would this be enough evidence to arrest the recipient in Westbury, NY?

Could it be related to the following: There was one other fradulent charge that day. Someone charged $115 worth of goods at MLB.com (Major League Baseball). Could it be more than a coincidence that my wife charged a Patriots cap at NFL.com the previous day?

Can anyone shed any light on a personal experience which baffles me to this day? I have a MasterCard with a $22,000 spending limit. I never asked for such a high amount. Other than a $5000 vacation, I have never charged more than $2000 at a time. My average balance is usually less than $500. Three years ago, my two adult children and I awoke at 5 am and drove to New York for a 10am event. We paid cash for gas, donuts, and the train tickets, so MasterCard had no way of knowing where we were. After the event, my son wanted to go “shopping” in the diamond district for an engagement ring. He had been shopping at various stores in Boston for a few months, so he was reasonably knowledgable about diamonds. After about 2 hours of shopping, my son selected a $12,000 diamond from a small jeweler. I pulled out my MasterCard and told my son it would be his wedding present. The jeweler took my MasterCard into the back room and returned two minutes later with something for me to sign. The jeweler then told us to come back in two hours while he set the stone. Two hours later, we picked up the diamond and headed back to Grand Central Terminal.

Here is the part that needs explaining: At no time was I asked for ID other than the MasterCard. I fully expected MasterCard to want to talk to me on the phone and ask me where my mother was born or some other security question.

[DCnDC]

bizerta:

If someone commits credit card fraud, who suffers the loss? The cardholder? The merchant? The bank that issued the card? MasterCard Incorporated? I’m sure the answer is “it depends”, but under what circumstances.

Depends on how the transaction occurred.

If it happened “face-to-face” with the cardholder signing in the presence of the merchant, the issuing bank is generally liable. But if it’s a “card-not-present” transaction, such as on the Internet, over the phone, or via mail, the merchant is liable.

[freckafree]

Hmmm. That article is from 2005. Surely the percentage of face-to-face vs. “card not present” transactions has changed. I wonder if other things have as well.

I’ve been wondering about this too with the Target fiasco. Where will that shit ultimately settle? Does Target outsource their card processing and will they try to place the blame on them?

I find it odd that MasterCard didn’t at least call you to verify the diamond purchase. Maybe the fact that it was “face to face” was the reason. I made a $300 online purchase from Japan for my son, and my bank called within hours of me making that transaction.

[DCnDC]

freckafree:

Hmmm. That article is from 2005. Surely the percentage of face-to-face vs. “card not present” transactions has changed. I wonder if other things have as well.

Surely the credit card company is fine with the way the wind’s blowing, as they are off the hook for a much higher percentage of transactions than before.

However it seems more intuitive to me that it should be the other way, that the merchant would be on the hook for in-person transactions, and the bank for card-not-present transactions.

And I also find it odd that they did not want to verify that large a purchase. I’ve had my bank call me literally within 90 seconds of making an in-person credit card purchase, of just a few hundred dollars.

[bob_2]

I use Mastercard, and when I bought a £5000 car from a dealer, I had to have a phone conversation with them.

More recently, I was called by them to say that there had been a fraudulent charge made to the card, and they were stopping it until they could send me a new one. I never did discover what had actually happened, and at no time had it been out of my possesion.

[Driver8]

bizerta:

Here is the part that needs explaining: At no time was I asked for ID other than the MasterCard. I fully expected MasterCard to want to talk to me on the phone and ask me where my mother was born or some other security question.

It wouldn’t be MasterCard that calls you. It would be your issuing bank. Issuing banks do deny transactions or call the cardholder on suspicious transactions. I’m not sure what their algorithms for flagging transactions look like (and I’m sure they’ll want to keep that secret), but I’ve been called after a denial when buying a $2 ice cream cone on a business trip in Chicago while my wife was still using her version of the card back in California. So geography is one of the criteria (and you should generally tell your bank if you plan on using the card overseas). This was a large national bank. I’m not sure if all of them are as good about this.

In the United States I believe you are limited by law to $50 liability in the case of fraudulent charges on your card (although I think that’s $0 in the case of fraud by stealing the number from a merchant, etc). Many issuers provide zero liability.

As for whether the merchant or the issuer eats the loss, it depends. I imagine contracts can vary, but my understanding is that if the merchant follows all the rules and procedures outlined by the network (e.g. MasterCard) when processing the sale then the issuer is responsible. I’m not sure what the default position is for online transactions, but both MasterCard and Visa offer merchant’s additional verification services that can limit the merchant’s liability.

[Roderick_Femm]

Bumping this thread to see if anything has changed about who loses out in the case of fraudulent credit card transactions.

Recently I made a $200 purchase online from an overseas company via eBay, using my credit card. A few days later, my credit card issuer called me to check on several transactions, including that one. Since I couldn’t see the transaction in my online banking yet, and the name they spelled out for me (without including the “Eb” at the end) I didn’t recognize, I said I didn’t recognize the payment so they reversed it and sent me a new card. On the day I got the new card, I finally saw the transaction, and the reversal, in my online banking, and realized what it was for, so I alerted the bank that I had made a mistake and that this wasn’t a fraudulent transaction (I haven’t heard back from them yet).

What if I hadn’t noticed this transaction, or it had never appeared, so I didn’t see my error? I already had received the item (it was new so it was shipped via DHL). Does that mean that the vendor would have just lost out? Does the vendor have a chance to challenge what happened and get their money back?

This seems very unfair to the vendor, who did nothing wrong, to suffer due to my mistake (and the credit card issuer’s incompetent employee who did not give me full information and rushed through the vendor ID with me on the phone). I suppose the credit card companies have all the power in these situations, but it seems like they should shoulder more of the risk.

[aceplace57]

I’m setup to receive Texts from my bank.

Someone tried transferring 1,000 to Cash App. Whatever that is. Regions immediately texted me to confirm. I responded and also called their fraud dept. They’re sending me a new card.

I’m thankful the banks fraud departments are there watching. I’m not sure how my CC got compromised.

[md-2000]

The security code is a new wrinkle with cards. From what I’ve read, the merchant is strongly forbidden from saving that code anywhere in their system. They perform the transaction validation and forget it. that’s one more hurdle for hackers to overcome when they manage to penetrate a merchant’s system and download a list of credit cards.

Canadian cards are chip-and-pin, meaning they need to be inserted in a POS machine and the PIN typed in. This is a good guarantee the card is present and valid - it’s pretty high tech if at all possible to fake the chip.

In the good old days, when zombies were alive, a merchant just had to compare signatures to verify a sale with card present. Of course, not too many people are able to verify a signature to the extent of a forensic expert, and my experience was 99% of the time did not even bother. (And someone who stole a card would probably practice to present a reasonable facsimile of the signature on the back).

My understanding was this:

The merchant system POS or card imprint could validate the card was present. If the card was present and signature matched, the card/bank ate the fraud. (Before online POS machines, there was checking bad card lists and there was phone authorization over a certain amount.)

Not sure about online or phone sales, but my understanding was that the shipping address had to match the billing address. If so, then the credit card ate the loss.

There’s the interesting story about the company that did credit card clearing for a number of porn sites in the early days. This was a bit more contentious as there was no actual physical delivery, so any address check was not too solid. But again, if the card holder contested the charges, the transaction was reversed at the merchant’s expense. Obviously, for an online porn site, losing a few transactions - or maybe even half of them - did not really matter. However, this one clearing site was responsible for something like 10% of all credit card reversals in North America at one point. As a result of problems, credit card companies came up with new rules. Any merchant with more than X% bad charges (vs good) would pay a progressive penalty, and eventually lose their ability to accept credit cards.

many years ago I arrived in another town for a vacation. I realized the car I had booked was off-airport. I needed to call (before roaming cellphones) so I made a call from a payphone that took credit cards. It took my credit card, but failed to make the call. Eventually I got change and made the call for their shuttle service. When I got the the car, the card was declined; I had to phone the card company and verify this was me to make it work. Apparently, making a call with the credit card triggered the fraud alert. They watched for the pattern where someone tries a small ($1) purchase with the card to see if it works, then tries to do a big purchase very soon after ($300 for a car for a number of days) - also I was in a different city from home. Once they’d verified it was me, they OK’d my card.

Note4 that the whole point of credit cards was to guarantee to the merchant - better than cheques or safer than large sums of money - that they would get paid, no hassle, if rules were followed and the card/bank would take to job of chasing fraud and chasing for payments.

[Dr_Paprika]

My limited understanding is that these are, regrettably, considered a “cost of doing business”. I forget the figures I read but maybe they added up to something as high as 0.74 cents per dollar, probably much less. Still, I think they prosecute when they can to discourage flagrant fouls. Credit card companies charge merchants much more, and raise prices when they can (see Brexit). So ultimately, the merchant ends up paying more, then often the consumer does too outside of competitive markets. But the better technology is more secure than the old paper carbons. Legally, consumers liability in Canada is $50 or less, if they catch it in time. Since Internet is a thing, people opt for more convenience and others subsume most of the risks.

[jjakucyk]

How much liability is on the merchant also depends on the extent of their security procedures. When chip cards started becoming more common for in-person transactions, I believe the card companies made the policy that chip transactions would be covered by them but swipe transactions would be liable to the merchant, since those are less secure. Many gas station pumps are still swipe, but they’re more likely to ask you for your billing zip code as an additional check. Same goes for online merchants. Some require shipping and billing addresses to be the same, at least on the first purchase. Some require the 3-digit CVV number and some don’t. Some international stores, or ones with 3rd-party payment processors, will even go through an extra 2-step authorization such as “verified by VISA” or text confirmation of pending purchases. So these are all contractual ways the merchant/bank/processor shift liability around.

[md-2000]

I suppose gas pumps have the added advantage that (we hope) the pumps are under video surveillance, so an image of the person making the purchase and the license plate of the vehicle are captured at the time. Not perfect, but better than online purchases.

[puzzlegal]

The credit card issuer takes some interest in fraud, for sure. When someone cloned my card and fraudulently bought a bunch of stuff across the country from me, I got several calls from the credit card company, and had to sign an affidavit that the charges were fraudulent to help them prosecute. And the agent I spoke with mentioned that the signatures from the fake transactions didn’t look anything like my signature. (It presumably DID match the signature on the card, since whoever cloned the card could sign it themselves before using it.)