who is held responsible in case of a fraud transaction on a site?

4 Answers

1. 
   

   
   

   cvprasadh on Aug 29, 2010 Reply

   I assume your question is focussed around the liability of an online transaction and NOT the traditional point of sale (POS) terminal transaction. The liability of fraud differs significantly in each of the cases. If it is the former, then liability lies with the merchant viz. Yatra.com, Makemytrip.com, ebay.in. To know why, we need to understand the differences between Card Not Present (CNP) and Card Present (CP) transaction.

   In the CNP cases, the merchant is expected to collect adequate information from the user and authenticate the card holder before the processing the payment. In any case, after a fraud is reported by the card holder to thier issuing bank (ICICI, HDFC etc), it is treated as a dispute a.k.a chargeback. The chargeback is then forwarded to the merchant who is given about 25 – 30 days to contest the chargeback. The merchant is allowed to build a case on thier authentication steps followed, but the eventual decision lies with the issuer. In 95%+ of the fraudulent chargebacks, the online merchants eats the loss. In others words, if an online merchants recieves a fraud chargeback, it is as good they loosing that money. This is one of the reasons why you will see that large online merchants/payment processors (e.g. PayPal, Ebay, Amazon.com) build thier own sophisticated fraud prevention techniques, data models and manual workforce to combat fraud, while card issuing banks focus thier fraud mitigation efforts on the offline POS transactions. In fact, it is a key part of thier product offering to build trust with thier consumer and merchants accepting thier payment method.

   In the Card Present (CP) cases, it is a different ball game. The card issuer will seek information from the merchant about the transaction to carry out thier investigation. Post investigation, if the transaction is determined to be fraud, the issuing bank will bear the loss. However, the fine prints of the policies of the bank may allow them to aportion the loss with the merchant. In the CP transaction world, the card holder signature on the charge slip is important. This is one of the many reasons why a merchant in the physical store will need to retain the charge slip that the card holder signs. If there is signature mismatch, the bank can pass on the liability to the merchant.

   Visa/Master are regulators of the card industry. It is called as the Payment Card Industry (PCI). At a birds eye view, they monitor the entire fraud rates occuring out of their cards issued by various banks. If fraud rates increase beyond a threshold, the banks or the merchant can be fined.

   In totality, the consumer is almost always safe and convered unless proven to have used thier card. Laws in the developed markets require the card issuer to provide provisional credit of the disputed amount untill the outcome of the case is reached.

   For more info on CP and CNP transactions, see this guideline by Visa issued for merchants – http://usa.visa.com/merchants/risk_management/card_not_present.html

   +11 Votes 11 Votes  0 Votes

2. 
   

   
   

   neejain22 on Aug 30, 2010 Reply

   Hi cvprasadh,

   Thanks for you time and a detailed and well articulated answer. It was extremely helpful.

   So, effectively merchant bears all the loss so if I am planning to integrate a payment gateway on my site, the security has to be ensured by me?

   Please let me know what responsibilities are shared by payment gateway service provider i.e. ccavenue, ebs etc? In my opinion, merchant website just acts as a conduit to pass information to them and they are the one who actually do payment processing and collect payment processing charge from the merchants.

   Thanks again,
   Neeraj

   0 Votes 0 Votes  0 Votes

3. 
   

   
   

   cvprasadh on Aug 30, 2010 Reply

   Glad to hear my response was helpful. Speaking about payment gateways, the view of a payment gateway is converse to your understanding. Gateways are viewed as proxy for the merchants to process their payments. This means, the liability still lies with the merchant. Pardon my understanding of CC Avenue or Billdesk, I am more familiar with the US/UK markets. Generally, you will see the payment gateways charge a pretty low payment processing charge, usually a fixed fee of $0.30 to $0.50. This charge is explicitly for processing the payment, collecting payment instruments and storing it as per PCI compliance and providing the merchant back with the authorization and other information to the merchant. This includes handling settlement and reconciliation. Hence they dont take liability for the fraud losses. Instead, they may charge you (as a merchant) for a higher processing fee and provide the fraud management dashboard. Using this dashboard, you can set thresholds of payment which you want to accept or decline. A good example of the threshold can be, decline payments with auth code 503, 508 or sideline transaction for manual review if txn amount > $x + IP country = NG etc.

   In comparison, you can see Google Checkout and PayPal taking liability for the fraud (on physical merchandise only). This is mainly due to two reasons, A) Data Collection and Fraud Modeling – since they have all the data and expertise, they build logical models to identify fraud B) Fee model – Their transaction fee model factors in a specific percentage for fraud losses a.k.a bad debt. You will usually see them charge in the range of 2.5% + $0.30. Note, this is significantly higher than the $0.50 range that payment gateways charge. Hence they can afford to offer fraud coverage in lieu of the bigger picture that more merchants will come on board, offer to sell their content and make money for both parties. It is a great model! Unfortunately, India is yet to catch up with these techniques. To a great extent the financial network (Card Issuer, Acquirer etc..) should join hands to disclose data and cooperate in combating fraud. We are not there yet, but will soon catch up with online transaction growing faster than ever before.

   Here is the pricing info on the gateways and processors. Proving this, just to give you a perspective on the processing costs.
   Gateways
   http://www.authorize.net/solutions/merchantsolutions/pricing/

   My suggestion to you:-

   Evaluate your business model and content type listed for sale:

   - Does business have the appetite for risk? If you are into the sale of digital goods (MP3, social credits, gaming etc), then your cost of goods is almost 0. Hence you can afford to operate at a higher risk rate. Then a CC gateways makes perfect sense.

   - If you are into the sale of physical goods, then I would suggest you have labor force and detection techniques at your end to combat fraud. In India, you can ask for ID card at the time of delivery, this can even be enforced thru the delivery channels like Blue Dart etc..

   - Finally, talk to an account manager or equivalent on the payment gateway side. Ask for their product features and evaluate their risk protection (don’t expect too much though). This will help you make the right call for your business.

   +9 Votes 9 Votes  0 Votes

4. 
   

   
   

   neejain22 on Aug 30, 2010 Reply

   Wow. This is some insight into online payment industry. I am surprised to know that in India, the rates seem to higher than their counterparts in UK/USA but the services offered are much less. They charge merchants up to 7-8% per transaction and still offer no fraud protection!

   You actually solved my problem by defining the criteria one should use to select payment gateway provider. I will most probably be able to protect my interest using this information.

   I really wish to express my sincere thanks to you and if you ever need any assistance where I can be useful, please feel free to contact me. My contact info is available at http://in.linkedin.com/in/nj123

   Thanks a ton,
   Neeraj

   PS: Thanks 59mins.com

   0 Votes 0 Votes  0 Votes