by bradwschiller 3737 days ago
One of the big issues with the credit card business is fraud. Fraud is around 1% of all credit card transactions. Fraud tends to be higher on online payments where the "card not present" rate that merchants pay is higher than the "card present rate" enjoyed by brick and mortar stores.

In addition to fraud, credit card companies have to contend with the purchasing power of large companies (e.g., the Costco example ditching Amex) and also their own expenses as many people like concierge services and other "perks" that cost money and are becoming more standard on cards for people with higher credit and income.

In practice, it's fairly difficult to offer much of an incentive beyond 2% cash back (which Fidelity Amex and the Capital One Visa Spark Card offer). However, these cards are closer to being loss leaders for their institutions as they want to incentivize you to do your banking with them as well (Fidelity does this fairly well as the cash back must be deposited into a Fidelity account). Charles Schwab was the first to have a 2% cash back card many years ago and they discontinued it, likely because they lost money on it.

Travel-based rewards cards can get away with offering seemingly better incentives because of their margin. Starwood is a perfect example of this as hotels have a high fixed cost base and low variable cost base. The variable cost to stay at a high-end hotel is something like $50-60 per night if the room is vacant. So while Starwood seems to be paying out 2 cents on the dollar (e.g., 10,000 points for a $200 room), they are really only paying out 0.5 cents on the dollar. This is why the Starwood Amex is seemingly the best credit card. It's all about the economics of the company that brands it.

4 comments

>>In addition to fraud, credit card companies have to contend with the purchasing power of large companies

For online transactions, credit card companies have -0- liability for fraud. 100% of the costs come from the merchant's pockets.

It's really a shame, because they are the ones with the broad access to data that would enable tools to reduce it. Of course, since there's no incentive on their end, nothing is provided.

> 100% of the costs come from the merchant's pockets.

I get that you're referencing the cash part of the transaction but the card companies still have to maintain code that detects fraud early, hire staff to support customers and investigate fraudulent transactions. That's not 0 cost to them.

>>still have to maintain code that detects fraud early, hire staff to support customers and investigate fraudulent transactions

In addition to sticking me with the bag for every online fraudulent transaction, they also levy an additional fee, which I assume offsets some or all of that cost. In fact, if it was a low-end purchase, they may make more on the chargeback fee than the original purchase.

I see no evidence of "code that detects fraud early", at least for online transactions. Any merchants ever get a call from a cc company, or issuing bank saying "hey, you know that transaction we approved a few days ago? you might not want to ship that." ? Nope.

All true by my experience as a merchant.

But one other thing. Did you ever notice that there is no feedback loop where you can inform the issuer or bank that you have discovered a fraudulent charge? For what we do it's easy to spot a fraud charge. We void (or credit it) and move on (still a big pain of course). But the thing is there is no way to alert the credit card company (manually in some way or even by email) that we have figured out a card is stolen. Otoh, as a card user I've received calls from my bank from time to time when a particular purchase doesn't fit a pattern (and that pattern has never caught any fraud, only purchases that I have made).

>>Did you ever notice that there is no feedback loop where you can inform the issuer or bank that you have discovered a fraudulent charge?

Great point. I end up just refunding the ones I find. In many cases I can tell 100% it's fraud, but there's nobody to tell.

The issuing bank is in the business of keeping their cardholders happy, not the merchants. That's just the reality of the situation. As a merchant, however, you have options to utilize the services of managed risk providers (obv there's an additional cost involved) to protect yourself from online fraud.

EDIT: some of these providers are either directly operated by or have very tight relations with cc networks so they do have access to an enormous amount of data which they use to make their risk management decisions.

EDIT #2: at the risk of sounding like an ad - one example would be Cybersource who is owned by Visa.

>>you have options to utilize the services of managed risk providers

Helps a little, but they are, of course, still dealing with a tiny fraction of the available data out there, and the cost is pretty high.

For small to medium sized players you're much better off just doing what you can with AVS, CVV2 match codes, known freight-forwarder addresses, IP geolocation, etc. That's all free other than a bit of dev time.

It's just a shame that the kind of improvements that could be made with access to data only the CC companies and issuing banks have aren't ever going to happen.

>>EDIT: some of these providers are either directly operated by or have very tight relations with cc networks

Who is that? There's a couple operated by credit reporting services, which is not the same thing at all.
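The free merchant-side checks listed in the comment above (AVS, CVV2 match codes, known freight-forwarder addresses, IP geolocation) can be combined into a simple order-screening score. The following is an added example, not code from any commenter in this thread; the point weights, thresholds, forwarder list and sample orders are constructed for illustration, and the AVS/CVV2 letters are the commonly used US result codes.

```python
from dataclasses import dataclass

# Common US AVS result codes: Y/X full match, A street only, Z/W ZIP only,
# N no match, U/R/S unavailable. Gateways differ; check your processor's table.
AVS_POINTS = {"Y": 0, "X": 0, "A": 15, "Z": 10, "W": 10, "N": 40, "U": 20, "R": 20, "S": 20}
# CVV2 result codes: M match, N no match, P not processed, S not supplied, U issuer unable.
CVV_POINTS = {"M": 0, "N": 50, "P": 20, "S": 30, "U": 20}
# Constructed entry; a merchant would build this list from its own chargebacks.
FREIGHT_FORWARDERS = {("100 EXAMPLE WAREHOUSE RD", "00000")}
REVIEW_AT, REJECT_AT = 30, 70  # constructed thresholds

@dataclass
class Order:
    avs: str
    cvv: str
    ship_street: str
    ship_zip: str
    billing_country: str
    ip_country: str  # from whichever IP geolocation database the merchant uses

def normalize(street):
    """Upper-case, drop periods and collapse whitespace so list lookups match."""
    return " ".join(street.upper().replace(".", "").split())

def screen(order):
    """Return (decision, score, reasons) for one authorized order."""
    score, reasons = 0, []
    for name, table, code in (("AVS", AVS_POINTS, order.avs), ("CVV2", CVV_POINTS, order.cvv)):
        points = table.get(code.strip().upper(), 20)  # unknown code scored as unavailable
        if points:
            score += points
            reasons.append(f"{name}={code}")
    if (normalize(order.ship_street), order.ship_zip[:5]) in FREIGHT_FORWARDERS:
        score += 30
        reasons.append("ships to known freight forwarder")
    if order.ip_country.upper() != order.billing_country.upper():
        score += 20
        reasons.append("IP country differs from billing country")
    decision = "reject" if score >= REJECT_AT else "review" if score >= REVIEW_AT else "accept"
    return decision, score, reasons

# Constructed sample orders ("ZZ" is a placeholder country code).
SAMPLES = {
    "clean": Order("Y", "M", "12 Main St.", "94105", "US", "US"),
    "forwarder": Order("Z", "M", "100 Example Warehouse Rd.", "00000-1234", "US", "US"),
    "mismatch": Order("N", "N", "5 Elm St", "10001", "US", "ZZ"),
}

if __name__ == "__main__":
    for name, order in SAMPLES.items():
        print(name, screen(order))
```

Returning the reasons alongside the score lets whoever handles the "review" queue see which signal fired instead of a bare number.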

> I see no evidence of "code that detects fraud early", at least for online transactions. Any merchants ever get a call from a cc company, or issuing bank saying "hey, you know that transaction we approved a few days ago? you might not want to ship that." ? Nope.

They definitely do do this. But when they see a likely-fraudulent transaction, they call the cardholder, not the merchant. I have received calls of this type.

>>when they see a likely-fraudulent transaction, they call the cardholder, not the merchant

Right. Which means the item gets shipped. Because...yep.

Edits: a) In the real world, the bank does not catch these things in between auth/capture. b) 3rd party companies are limited in what they can do. They don't have the full picture.

Not necessarily :) If the bank calls the cardholder on file and the cardholder tells them the tx is not his they will at least reverse the auth so the merchant can't issue a capture against it when shipping the actual goods. In some cases they call them before the auth is approved.

But again the banks are not in the business of protecting the merchant. There are companies that are in that business however and as a merchant you have an option to use their services.

All the UK card issuers I've used decline the transaction at my end and then contact me to verify I was trying to make that payment. Once that's done I can try again and the transaction will clear.

Our card processor regularly puts a hold on transactions when they suspect possible fraud to allow us to investigate further.

There is evidence of some "code" but it's not very good.

What's the incentive for them to do well on that part then?

>For online transactions, credit card companies have -0- liability for fraud. 100% of the costs come from the merchant's pockets.

Which credit card companies are you referring to? If you're talking about issuing banks then liability for the fraudulent transaction is shifted towards the bank vs the merchant in some cases including card not present txs.

Not in the US. 100% of the cost of card-not-present fraud is on the merchant.

Edit:

a) In the US, currently, 3DS would reduce your conversion to the point it would be useless if mandatory. If optional, use would be abysmally low.

b) "payment facilitator entity handling fraud liability on merchant's behalf" Never heard of this. Certainly, Stripe and their ilk don't do this.

This will depend on a couple of things. 3DS for example shifts the liability towards the bank. Another example would be a payment facilitator entity handling fraud liability on merchant's behalf.

> One of the big issues with the credit card business is fraud. Fraud is around 1% of all credit card transactions. Fraud tends to be higher on online payments where the "card not present" rate that merchants pay is higher than the "card present rate" enjoyed by brick and mortar stores.

These are things that will change over time. 3DSecure is standard in Europe because the EU pushes transaction fees so low that credit card companies need to reduce fraud because they cannot afford it any more.

Do consumers all have little USB smartcard things so they can use the smartcard to make online purchases? Or does this mostly just make 'card present' transactions that much safer?

3D Secure basically redirects you to a webpage run by a third party (usually your bank) to enter additional details, like a separate password.

I find it much more annoying. My New Zealand (.co.nz) bank redirects me to a .co.uk domain with their logo (!!), where it doesn't even prompt me for any additional details, just forwards back to the original merchant.

It is likely that they are processing a risk score for your transaction, based on browser fingerprint, referer, IP, time of day and so on. That is, the "bounce" may not be entirely useless.

If the risk score exceeds a certain threshold then they can require additional security. While this may seem very weak, in practice a lot of fraud has pretty obvious signatures.

Fair enough. Just having a .nz bank direct me to a .uk domain is a huge red flag for anyone that bothers looking at this sort of thing.

Huh. Yeah, there's a 'verified by visa' thing that America has that is similar... I think it does some statistical something something. It sure looks a lot weaker than a public key transaction where the key never leaves the card. The 'verified by visa' site itself looks pretty fishy.

In theory, a chip and pin solution where the user owns the reader is more secure than a transaction in the store where the vendor owns the reader. But I guess that's too expensive and inconvenient or something.

"Verified by Visa" is 3-D Secure.

https://en.wikipedia.org/wiki/3-D_Secure

When 3dsecure just redirects it means the bank decided to trust the transaction based on something. For instance for me it skips it for some known vendors and transactions.

My Austrian bank embeds a 2FA system on the iframe. I get an authentication code on my phone and enter that. It typically asks that when shipping to a new address or first use of a vendor that uses 3dsecure.

While 3DSecure and Verified by Visa is a good idea in theory, the implementation is a mess. For example, my bank requires me to enter my banking username and password into the banking website, which is loaded via an iframe inside the merchant's site. How is a regular user supposed to verify that the iframe loaded his banking website and not some phishing website?

My bank is marginally better than this and includes a string I set when I first configured 3D Secure in the iframe, but it's still a mess and asking for phishing attacks.

Sounds like a problem with your bank. Mine prompts me for a token that is sent to my phone where it also shows me what transaction I confirm. In addition the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of ssl this would be safe.

> In addition the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of ssl this would be safe.

No, they can do a replay attack on this setup when not encrypted.

My German bank does the same, my UK bank just asks for details that are written on the card. Seems a bit ... weak and prone to attacks.

"Fraud is around 1% of all credit card transactions"

No, card fraud rates are in the 5-20 basis point range (0.05%-0.2%).

>>No, card fraud rates are in the 5-20 basis point range (0.05%-0.2%).

Depends on the "total pool" you're drawing from, and whether you're counting money, or transactions. The 5-20 basis points fits if you include, for example, all ATM withdrawals.

You get close to the 1% claimed in the parent if you count just "online card transactions", and count revenue instead of number of transactions.

Why does fraud matter to the banks anyway when merchants are the ones that eat the charges?

Because in some places the fees are set by legislation. For instance in the EU the fees are so low that credit card companies are forced to combat fraud or they lose money.

> credit card companies are forced to combat fraud or they lose money.

Sounds pretty reasonable.

Do you have a source for that? I mostly hear about numbers around what your parent comments gives, or a bit over.

For example, from the Fed: "By number, the fraud rate for general-purpose cards was 3.60 basis points (3.60 unauthorized transactions per 10,000 transactions) and by value the fraud rate was 8.27 basis points."

https://www.frbservices.org/files/communications/pdf/researc...

Even the riskiest card-not-present/online merchant would rarely hit 1% or they lose their merchant account entirely.

I'd be curious to see what numbers you're looking at.

I should clarify, I was only talking about online payments, which I know a lot better than physical transactions.

From talking to some acquiring banks, I gathered that 1%-1.5% was the maximum fraud rate they would tolerate, depending on the value of your account. With fraud rates like that, you will not see volume discounts anytime soon either.

It varies a lot depending on what kind of business you're running. For a typical e-commerce site, you could be right.

I wish people and broadcasters would stop using "basis points" and "three tenths of one percent".

Both of them are and sound ridiculous. As the above comment illustrates, they are pointless because either people have to do the math to understand what the hell you are saying or you have to spell it out.

Not saying anything at all about the content or merit of your post, you, your family, neighbors, cousins, dogs or cats. Just saying this "financial" language is, well, kinda silly.

Some TV news anchors would have said: "five one-hundredths of one percent to two tenths of one percent". Or "half a tenth of one percent".

Nutty.

I hear you. I put both since I know the in-the-biz term, basis points, isn't universally understood. I feel like % can be confusing because 0.05 is 5% so putting 0.5% might not always be immediately understood.

My pet peeve is "quarter of a billion" to try to make the number sound bigger.

What is your suggestion then on how to say it? I like basis points since that's what my investment charges are quoted in. But happy to learn a new term.

I guess my point may have been lost. There is no need to learn a new term. "1%" is read "one percent". "0.5%" is read "zero point five percent" or, shorthand, "point five percent".

How did we get from "zero point five percent", which is the literal value, to "one half of one percent", which imposes a cognitive load?

Or, better yet, why "one half of one percent" and not "half a percent"?

It's like reading the number "1" as "one-hundredth of one hundred", or "10" as "one tenth of one hundred".

Question: Do they do the same in Europe? I must admit, I've been there tons of times but never paid attention to this (probably because I never watched enough TV while there). Of course, in Europe (and the rest of the world, as far as I know) it's "comma" not "point".

I can understand the use of basis points in some financial circles as a term of trade or convenient insider's unit. I don't understand it when used to communicate with the public. Go out there and ask a random sampling of people what a basis point is. I'll bet very few will say "0.01%", even if they own stocks.

> Travel-based rewards cards can get away with offering seemingly better incentives because of their margin.

They also de-value the points/miles on a regular basis and often expire them as well.