So yesterday someone used my card number to buy something online. I called my bank and as usual got excellent customer service. The my card was immediately cancelled and the charge was reversed within 12 hours. But now what happens?
I’m assuming the bank will not pay the money. How does wallyworld.com find out that they aren’t getting paid?
Is it the bank or wallyworld that leads the investigation into finding the creditcard thief?
Assuming it is pretty straightforward to find the thief because they wanted their goods delivered to Real Name, Real Address, Real Town. What happens?
Do things change depending on whether or not Wallyworld shipped the items?
I had the same experience several years ago, IIRC:
The bank will “charge back” the transaction electronically - basically what happened when the purchase was made, but in reverse. WalMart.com will have to eat the loss since the purchase was made online. Had the unauthorized charge been made in person at a physical location, WM could dispute the chargeback within a certain timeframe by producing a signed receipt, in which case the bank would have to reinstate the original transaction, making it their loss.
WM, I believe, since they are suffering the loss in this scernario. However, unless it was for a very large purchase they wont bother. It’s just not worth the effort, especially considering that the relevant WM department is most likely located in a different city/state than the person who used your card number.
Again, probably nothing.
If the items haven’t shipped yet, I’m sure WM will try to cancel if possible. However, bear in mind that their could very well be a delay between when WM receives the chargeback and when someone there has a chance to do anything about it. If, in the unlikely event that WM decides to put any effort into investigating the transaction, I’m sure that knowing the shipping address, as well as having any sort of delivery confirmation, would be helpful.
Expect to receive in the next few weeks a piece of paper from your credit card company which you must sign and return stating that you did not make the charges. One time the credit card company required I file a police report with my local police department, despite the charge being from another state. Another time I was not required to file a police report, but that could be because the charge was international. The local PD did not seem bothered, and said the forward the information to other relevant jurisdictions.
Once that is done (if it’s even required) expect to not hear anything more about it from your credit card company or the PD.
This happened to me twice in the last 6 months. On both occassions, they called me and walked me through my recent purchases until I stated that I had not made one or two of them. I never even saw those charges on my bill once I received it.
It’s pretty amazing how quickly they can now spot fraudulent charges. For me, it was cash advances on my card, which I never take. I, too, wondered what happened to the (in my case, bank) vendor who forked over the goods or cash. I guess it’s their loss, not the credit card’s.
Now, if only my vendors would stop giving out my numbers to thieves!
I don’t think there are many vendors that will fork over cash/goods. The transaction is flagged immediately and the vendor sees that it has not cleared. It would be quite dumb of them to ship any goods when the transaction has a fraud block on it.
I’ve ordered stuff online a couple of times where the cc company’s fraud system triggered. The vendor put a freeze on the order (would not ship) until I cleared it up with the cc company and the payment cleared .
I’ll give you my perspective as an employee of a company with a relatively small (~1 million gross revenue) e-commerce site.
The money gets pulled from our account immediately after the charge-back is submitted by the card holder. We get notice from our merchant service provider and an opportunity to contest the charge-back. Contesting is time consuming and difficult. If the order was shipped anywhere other than the billing address for the credit card, it’s practically a guaranteed loss.
Investigation doesn’t happen. Not even remotely possible. Write off, end of.
See above.
We ship most orders the same day or next. To my knowledge, we have never been notified of a charge-back before an order has shipped.
Mostly, if someone steals your account information and places an order that ships, the merchant eats the cost. There are paid services that evaluate the likelihood of risk for any given transaction, but they are costly and offer no guarantees. We had a free trial with our current e-commerce infrastructure company when we migrated to them last year. We didn’t keep it as a paid service.
What do we look at? An order with the same bill to and ship to address is pretty safe from a merchant perspective. An order shipping to a legitimate business address to the cardholder’s attention with the cardholder’s residential address as the the billing address is pretty safe, especially if the email address is on the company’s domain. We use Google Search, Google Street View and WHOIS queries (to check the email domain) regularly.
Residential delivery anywhere but the billing address is a red flag. Business address that can’t be easily verified is a red flag. If the business address is a freight forwarder, that’s a giant red flag. Orders with a gmail, yahoo or other free and potentially disposable email address is a red flag amplifier. If anything seems off, we will contact the order placer and ask them to contact the card issuer and place a note on the account that the shipping address is authorized. We ask them for their full credit card number (we only have the last 4 digits) and card issuer’s phone number to verify the order.
It’s a pain in the ass but it’s better to lose the potential profit of an order that to write off the full value of the order. Our profit margins are low. A single order write off will offset profits of over ten times it’s value in future revenue. Most people are understanding and will go through the effort if we explain our motives. The ones that will not aren’t worth it from a risk management perspective. We cancel their order and wish them well.
The biggest problem you will likely have is if you have some merchants make automatic debits to your credit card. You will need to contact all those merchants with the new number.
If you see a fraudulent charge on your account, the transaction was already authorized by the card issuer. The merchant will capture the funds prior to or shortly after shipping and is then susceptible to having those funds pulled back out of their account after the fact. As I mentioned, I’m not aware of my company ever being notified of fraud by our merchant service provider before an order has shipped. Hell, I don’t even think we get email notification. I’m pretty sure it’s a letter on paper weeks later.
The only way it’s flagged for the merchant’s benefit would be if the card was already identified as stolen, in which case the transaction is declined and nobody ships an order on a declined transaction.
Jake: I’ve seen the case you describe, but I’ve also seen where my card was instantly fraud locked. One time was in-store, one other time was online shopping. Both cases were larger transactions ($1K and $2K, respectively), and somewhat outside my usual shopping habits. The cc company would not complete the transaction to the vendor until they had talked to me on the phone.
Right. In each case you describe, there was never an authorization for purchase. The merchant had a declined transaction in both cases. This is the exact opposite of successful credit card fraud. It’s not at all what the OP was about. The OP described a situation in which his card was charged. His card issuer authorized the transaction. They didn’t know anything was wrong until he told them it was.
In the meantime, the thieves might have made multiple transactions. Until the account is officially shut down by the card issuer, anything previously authorized will not be known by the vendor. Already authorized transactions are “fuck you” to the merchant, because the card issuer and the merchant service provider are covered in over 90% of all cases and 90% is a very conservative estimate.
It’s simply not like you think it is. When you have to talk to your card issuer over a decline, their fraud department has determined an unusual transaction and declined it. The merchant is not at risk. It’s declined, and the merchant will not hand over goods against a declined transaction.
When (as the OP relates) you have a fraudulent charge on your account, the charge has already been approved and the merchant is hanging in the wind if you claim a charge back unless the merchant can definitively prove that you received the order in question. It’s hard to do.
I’m not trying to be a dick about this, but you’re dead fucking wrong in your thinking. You’re thinking of fixing a declined transaction when we’re talking about who pays for a charge-back on an authorized transaction. Apples and mangoes.
Yes, I have to agree, as someone who ran a company that did tens of thousands of ecommerce credit card orders over the years and has consulted with other small businesses. Jake Jones is completely correct and zwede is dead wrong. Not trying to be a dick either, of course.
I realize that if the cc company allowed the transaction and later you dispute it, the merchant is SOL if they already shipped the items. Sorry if my post indicated otherwise. Just wanted to point out that often the fraud is caught at an earlier point where the merchant is not hosed.
This used to be true, but is no longer now that the security code has become standard on virtually every card and every web site.
I used to manage a payment system for a large online merchant in the early days of online credit card payments. We had a huge fraud problem with large numbers of chargebacks. We sold domain names, so it was no problem to simply cancel the domain name. But the associations fine the merchants for chargebacks and if your rate is high enough they’ll cancel your merchant contract. In those days, for a card-not-present transaction the merchant was highly at risk and responsible for a fraudulent transaction, because they could not produce a signed receipt that matched the signature on the card.
We were one of the first ones in the industry to collect the security code from cardholders. Our card associations treated that as equivalent to having a signature on a receipt. Once we started doing that our chargeback rates dropped like a rock.
Money. Money makes the world go round. The chance of catching the fraudster is relatively low, and most law enforcement agencies are spread thin enough.
Low? I would think this is low hanging fruit. Clearly they can link the order to the fraudster and they have the address and confirmation it was delivered. Show up the next day and arrest them. Seems pretty easy.
Not necessarily. I recall in some anti-fraud training I had, that a common tactic for fraudsters was to use empty homes or addresses of people on vacation and just come by later and pick up the package that was dropped off. Obviously this doesn’t work if a signature is required for a package, but unsigned deliveries are fairly common.
Even if that was the fraudsters actual name and address, there’s no proof that they actually placed the order (similar to how some people get charged with illegal downloading for stuff they’ve never heard of (e.g. an 84-year-old man dl’ing some hardcore porn)).
I had a woman who attempted to use my address as a drop box for her shipments…she thought that she could pick up her mail and packages at my address, because she rarely saw me around. She knew that my husband worked on a fairly regular schedule, though.
It only takes a couple of minutes to look at the neighborhood, see if someone is watching, and then taking packages or mail that’s left at a residence. The cops would have to stake the place out for hours in order to catch the fraudster. Or at least that was what I was told.
When I got the mail or packages, with her name but my address, I always sent them back if possible, with “no such person at this address” marked on them.
However, I do think that we should put a higher priority on these cases.
Regarding the interest of the local cops in pursuing the perp:
I have an in-law that had a store for many years with some high-ish priced items. The police were never the least bit interested in going after people who stole from or ripped him off. In one case, he tracked down the names and address of one group. Told the local police. They did nothing. It wasn’t worth their time and effort. (Of course, these crooks knew this and just went on and on and on. The concept of stopping criminals who are making a living stealing doesn’t enter the equation.)
And that’s for a local. Their reaction to a remote request for an investigation would hardly be any greater.