how do online credit card transactions work?

My google-fu is weak so I ask here.

How do companies verify online purchases w/credit cards?
What is the process (or processes) used to ensure that the person making the purchase is allowed to make said purchase?

If, for example, I wanted to buy an airline ticket and I used Joe Schmoe’s card to pay for it, and I have all of Joe’s personal information, how can they stop me from using his card? (Assume I finally got that Nigerian president’s millions deposited in my account and plan on a one way to Buenos Aires.) :wink:

They can’t.

All online credit card transactions are authenticated based on what information you have. If you’ve got a valid billing address, number, expiration date and security code, you can buy whatever you want.

So what’s the process when Joe finds out? Obviously he didn’t book it, so is he expected to pay it? Is there some sort of insurance to cover these losses to businesses and credit card co’s?

Fraud is a cost of business to the credit card companies. By law in the states you cannot be held liable for more than $50. I am not sure how much of the cost of fraud they can shift to the merchants but I do hear people complain on this board about stores getting the shaft when they process transactions for cards that are later found to be stolen.

By and large this sort of fraud is the cost of business for merchants and credit card companies.

They verify you are the cardholder. By cardholder I don’t mean cardowner, I mean they verify that you are holding the card in your hand, by asking for the security code number in addition to the card number. Merchants absorb the loss from fraud via the additional sales that they would not be getting without online purchases.

Generally speaking, if the merchant did everything correct in the transaction, they are not liable for any fraud. The credit card company has to absorb the loss.

I used to work in the loss control area of a major bank credit card operation. I was privy to the financial information related to fraud and stolen card loss. The numbers were beyond huge. As a comparison to the revenue they took in, I’m frankly surprised any of them are still in business.

If you entered the valid Card Verification Value (CVV) from the card, it is prima facie evidence that you had physical access to the card, so when Joe complains to his credit card company one of the first questions they’ll ask him is “have you had your card in your possession all this time.” If he admits he lent it to his assistant to buy something-or-other, then he might be on the hook.

I’ve had very few chargebacks (maybe 1 in 1,000 transactions, if that), but I’ve never successfully fought one. For us Web retailers, if we ship to an address other than the cardholder address, we lose every time. But our products are often sent as gifts, so it just isn’t practical to ship only to the cardholder address.

[QUOTE=Raza]
If you entered the valid Card Verification Value (CVV) from the card, it is prima facie evidence that you had physical access to the card, so when Joe complains to his credit card company one of the first questions they’ll ask him is “have you had your card in your possession all this time.” If he admits he lent it to his assistant to buy something-or-other, then he might be on the hook.
[/QUOTE]
That’s certainly the way it works, but the card companies’ CVV is hardly a cure-all.

If you’ve EVER handed your card to a waitperson & they’ve taken it away to run it through, well you’ve lost possession long enough for a crook to get both the front & back number. They may not use that info for days, weeks, or months, but they have it.

So as a practical matter, no one who has ever paid by CC in a restaurant can truthfully say “yes” to the question “Have you had your card in your possession all this time?”

CVVs certainly reduce the massive fraud from CC numbers gotten from dumpster diving & mail theft, but they are hardly rock-solid security.
The thing that amazes me is that with all the losses being eaten by the card co’s now, they’re preparing to release RFID cards with no better security than the current cards, and in many ways less. The transition to RFID is a historic opportunity to put real security in place. And in the rush to be the first with the lowest transaction costs they’re all-but ignoring security.

This is not true for online transactions or other card-not-present transactions, which is what the OP is about. I managed billing and payment systems for a large online company for a few years. Depends on what you mean by “everything correct.”

Before the CVV codes were commonly used, a card-not-present merchant had a large exposure for fraudulent transactions. For card-present transactions, a signature that matches the signature on the back of the card is sufficient proof of a valid transaction and the merchant will not be held responsible in case of a chargeback. However, card-not-present merchants had no such protection. Since the adoption of the CVV codes, the associations all consider a CVV equivalent to a verified signature. What it proves is that the customer has physical access to the card, which is good enough.

An online merchant is not required to get a CVV, but most are doing it now. We were one of the early adopters because we had a huge problem with chargebacks.

Just as in any other type of credit card transaction, having a valid card in your hand doesn’t mean that you’re not committing fraud. But the associations want to make it as easy as possible for customers to execute the transaction, so they assume the risk. They have rules like if a customer presents a signed card, the merchant cannot ask for other ID.

As for what is going to happen after you use Joe Schmoe’s card, he’ll see his statement and call the bank to initiate a chargeback. When it can be shown that no goods or services were delivered to him, or he did not authorize the transaction, or some other number of things, then if the merchant had a CVV, the bank eats it. If the merchant did not have a CVV the merchant (probably) eats it.

How does this solve anything, though? Whenever I need to give my credit card number for anything, I also have to give my verification number. Which means that those extra three digits are effectively just part of the card number, and just as easy to obtain fraudulently. I suppose there’s some slight advantage to making the credit card number three digits longer (if nothing else, it’s harder to brute-force it), but really, what does it bring to the table that’s new?

Maybe not. The card account number is not random (or simply iterated from the previous one issued). There is a complex algorithm “hash” to determine if an account number is valid. I suspect the extra 3 numbers are not part of the algorithm, but instead represent something else.
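As an added example, not code from anyone in this thread: the “complex algorithm” the post above refers to is assumed here to be the Luhn mod-10 check digit carried by card account numbers. The block shows how the check runs, how the check digit is computed, and that the CVV is not an input to it at all, so it really is a separate value rather than three more digits of the number.

```python
# Added example: Luhn mod-10 validation of a card account number (PAN).
# Assumption: the thread's "complex algorithm" is the Luhn check digit.
import re


def _digits(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not all digits."""
    cleaned = re.sub(r"[ -]", "", pan)
    if not cleaned.isdigit():
        raise ValueError("account number must contain only digits")
    return cleaned


def luhn_sum_mod10(digits: str) -> int:
    """Luhn sum mod 10: from the right, double every second digit (first is not doubled)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:           # 10..18 -> 1..9 (same as summing the two digits)
                d -= 9
        total += d
    return total % 10


def is_luhn_valid(pan: str) -> bool:
    """True if the full number, including its trailing check digit, passes Luhn."""
    return luhn_sum_mod10(_digits(pan)) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (how issuers derive it)."""
    s = luhn_sum_mod10(_digits(partial) + "0")   # placeholder 0 in the check position
    return str((10 - s) % 10)


def card_not_present_checks(pan: str, cvv: str) -> dict:
    """What a merchant can check locally: the PAN's structure and the CVV's shape.
    Whether the CVV is *correct* can only be answered by the issuer at authorization;
    it is deliberately not part of the Luhn computation."""
    return {
        "pan_luhn_ok": is_luhn_valid(pan),
        "cvv_format_ok": bool(re.fullmatch(r"\d{3,4}", cvv)),
    }
```

The numbers in the test are the well-known 4111 1111 1111 1111 test value and a deliberately altered copy; they are not real cards.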

So, we are in agreement?

The extra three digits were meant to make sure that whoever is using the card must have the physical card with them. The CVV (technically CVV2) number is not contained in the mag stripe of the card so that physical card terminals shouldn’t store it (by function) and online merchants shouldn’t store them by policy.

I’m in agreement with you that CVV doesn’t deter credit card theft at all (and neither will the “Verified by Visa” program, but that’s a different discussion). It was a poorly conceived program. Credit card numbers (with full address details and CVV values) can be purchased extremely cheaply on the black market.

I’ll address the issue of liability (merchant vs. issuing bank) in a reply to a relevant post.

I’ve seen places where a company will store you card number for future transactions, but not the CVV. So to reuse the stored number, you have to have the card in front of you.

I’m going to have to go ahead and disagree with you here. I don’t know how recently you worked for that company but that is not the environment online merchants are in today.

The online merchant eats the loss in the vast majority of cases for unauthorized chargebacks. It doesn’t matter if they can show a valid CVV number (it doesn’t even matter if they can provide a signed proof of delivery).

The chargeback dispute arena is heavily skewed in favor of issuing banks. I know from professional, everyday experience that not all banks, nor most even, treat CVV as the equivalent of a signature. Perhaps they did when the program first rolled out but once push came to shove they started forcing the losses to the merchants.

I worked there from '98 to '03. Interestingly we were bought by a company in Mountain View, and then sold off again in '03. Anyone in the biz will know who I’m talking about. We had a very large number of chargebacks claiming that the charge was never authorized. We sold domain names, and were one of the first online companies to have real-time credit card transactions. We found that fraudsters found out that they could use us to find out very quickly if a stolen card number was still good. If they got past us, they would run out to Best Buy. Then the owner eventually would issue a chargeback, and we would eat the cost. At least in our case we did not deliver hard goods so we were not out assets; we just deactivated the domain name.

When we worked with FDMS to start using CVV numbers for V, MC, AMEX, we were not held liable for chargebacks for unauthorized charges when we had collected a CVV. Our merchant agreement spelled it out. The banks have to abide by it. Period.

However, there is quite a range of reasons that a cardholder can give for a chargeback. If the cardholder claims that goods or services were paid for but not delivered as promised, then it doesn’t matter that you’ve got a CVV or a sig. But in our case, these were fraudulent transactions not authorized by the cardholder. Instituting the collection of CVV got us out of some very deep shit with the associations, because they don’t like chargebacks. We were fined for them, and were even threatened with losing our merchant agreement if we didn’t get the chargeback rate down. Verifying CVVs was a huge gain. (We also used a third-party real-time fraud rating service, which also was a huge gain.)

The associations explicitly forbid merchants from storing CVVs. (In fact, you’re supposed to encrypt credit card numbers if you store those.)

I dunno, it depends on what you mean by “correct.” The merchant has no obligation to collect a CVV, according to the merchant agreement. It’s protection for the merchant. So it is “correct” to fail to collect one but risky. (Technically I suppose you could say that the merchant is not obligated to get a signature either, but that claim would be more tenuous.)

If that was the case then FDMS (I assume that’s First Data Merchant Services?) was eating it, NOT the cardholders’ issuing banks. That’s a pretty good deal to get from any payment processor though.

My company got into hot water for high chargeback rates several years ago so I know what kind of deep shit that is. We worked out the problem with some creative in-house modeling and detection systems. CVV did exactly jack-shit for us.

We did some in-house stuff too, including manual review of some transactions. But we did very well with the third-party outfit. They have a neural net that provides a rating of 0-1000 on a transaction, the higher the number, the more suspect. You have to feed them a lot of data. The more transactions they handle, the smarter their system gets. You take the number and do whatever you want with it. You can set a threshold for outright rejecting a transaction, which is what we did, after a little tuning.

And we never took any transactions whatsoever from Indonesia. That place was the fraud capital of the world.