One of my customers called me asking for advice hoping I might be able to shed some light on her situation.
She apparently had a fraudulent credit posted to her merchant account somehow. She called the merchant provider, who said they would look into it. She got an email several weeks later (Friday) stating her account had been cancelled due to “security risk”.
Her main concern is she was basically robbed of $1300. The merchant security people she spoke to initially were able to determine that the transactions originated overseas and were not legitimate but refused to answer any questions about the status of her funds.
What generally happens in this type of situation?
Does the merchant service compensate her?
Police reports and insurance claim?
Is there any real recourse in this scenario?
I have never run across this but I happen to use the same merchant provider and am watching closely to see how this unfolds.
Tell her to look at her merchant agreement. The merchant is almost always on the hook for any bad charges passed through the account. It’s the merchant’s responsibility to determine if a CC charge is valid or that the cardholder is who they say they are.
Since I sell high ticket items, I’ve required some customers to fax in a copy of the signed order form, a copy of the credit card, and a copy of their driver’s license if there was any question about their legitimacy. At the very least, any merchant account holder can call the credit card company and request that they contact the card holder to verify the charge.
As for your friend, I’m afraid she’s out the $1300 and in the future it will be exponentially harder for her to open up a merchant account with another provider.
I can really only speak from experience with charges over web sites, but if someone doesn’t use particularly strict security with their merchant ID and security codes, it’s pretty easy to generate a charge to their account.
For instance, some people have their merchant IDs written down on their credit card machines. That in conjunction with an easily ascertained security code can lead to this type of theft.
There are many other ways, of course. Simply having a key logger infiltrate a small business network can completely wreck them, and they won’t even know that they picked it up most of the time. In this case, the scammer usually manages to capture their user ID and password while they are logging into their merchant accounts to close a batch or perform some other common task. With that information, they can then set up a web site that acts as a false store front in order to process a transaction.
The charges will frequently be done on overseas networks because they are harder to trace, but the scammers may actually still be in the US.
Bear in mind that this is not a slight or an accusation of lax security toward your friend. Everyone is 100% positive that this isn’t what happened to them. Many of them are incorrect, unfortunately.
EDIT: I should also add that it doesn’t usually matter whether the business actually processes transactions online. Depending on the bank or service they use, it may be possible to process transactions online and they just don’t use it.
I can’t help your friend retroactively, but in my merchant accounts there is a setting (usually in the merchant’s Web interface, under settings) where you can turn off the ability for you to issue a credit except when directly referencing a pre-existing debit (charge). Turning off this ability for yourself also turns it off for the bad guys (unless they completely hack your account and can change your settings, of course).
It wasn’t clear from your OP this was the case. If your friend manages her account from the web, it’s quite possible someone hacked into it indirectly via an SQL injection attack, i.e. they probed the database server of the merchant account provider until they found a vulnerability and issued themselves a refund with your friend’s merchant account ID. I bet this has also happened to other merchants with this provider. If your friend used a weak password (which is used internally by the web interface to access the database), it would make this type of attack easier.
Nonetheless, to find out if the merchant account provider was at fault, your friend will probably have to get a lawyer. At $1300 though, this is a small claims matter. I bet her contract stipulates arbitration for all disagreements though, so she may be out of luck since it would cost more to pursue the claim than the loss itself.