by tyingq 3737 days ago
>>In addition to fraud, credit card companies have to contend with the purchasing power of large companies

For online transactions, credit card companies have -0- liability for fraud. 100% of the costs come from the merchant's pockets.

It's really a shame, because they are the ones with the broad access to data that would enable tools to reduce it. Of course, since there's no incentive on their end, nothing is provided.


> 100% of the costs come from the merchant's pockets.

I get that you're referencing the cash part of the transaction but the card companies still have to maintain code that detects fraud early, hire staff to support customers and investigate fraudulent transactions. That's not 0 cost to them.

>>still have to maintain code that detects fraud early, hire staff to support customers and investigate fraudulent transactions

In addition to sticking me with the bag for every online fraudulent transaction, they also levy an additional fee, which I assume offsets some or all of that cost. In fact, if it was a low-end purchase, they may make more on the chargeback fee than the original purchase.

I see no evidence of "code that detects fraud early", at least for online transactions. Any merchants ever get a call from a cc company, or issuing bank saying "hey, you know that transaction we approved a few days ago? you might not want to ship that." ? Nope.

All true by my experience as a merchant.

But one other thing. Did you ever notice that there is no feedback loop where you can inform the issuer or bank that you have discovered a fraudulent charge? For what we do it's easy to spot a fraud charge. We void (or credit it) and move on (still a big pain of course). But the thing is there is no way to alert the credit card company (manually in some way or even by email) that we have figured out a card is stolen. OTOH, as a card user I've received calls from my bank from time to time when a particular purchase doesn't fit a pattern (and that pattern has never caught any fraud, only purchases that I have made).

>>Did you ever notice that there is no feedback loop where you can inform the issuer or bank that you have discovered a fraudulent charge?

Great point. I end up just refunding the ones I find. In many cases I can tell 100% it's fraud, but there's nobody to tell.

The issuing bank is in the business of keeping their cardholders happy, not the merchants. That's just the reality of the situation. As a merchant, however, you have options to utilize the services of managed risk providers (obv there's an additional cost involved) to protect yourself from online fraud.

EDIT: some of these providers are either directly operated by or have very tight relations with cc networks so they do have access to an enormous amount of data which they use to make their risk management decisions.

EDIT #2: at the risk of sounding like an ad - one example would be Cybersource, who is owned by Visa.

>>you have options to utilize the services of managed risk providers

Helps a little, but they are, of course, still dealing with a tiny fraction of the available data out there, and the cost is pretty high.

For small to medium sized players you're much better off just doing what you can with AVS, CVV2 match codes, known freight-forwarder addresses, IP geolocation, etc. That's all free other than a bit of dev time.

It's just a shame that the kind of improvements that could be made with access to data only the CC companies and issuing banks have aren't ever going to happen.

>>EDIT: some of these providers are either directly operated by or have very tight relations with cc networks

Who is that? There's a couple operated by credit reporting services, which is not the same thing at all.
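One way to combine the free merchant-side signals the comment above lists (AVS, CVV2 match codes, known freight-forwarder addresses, IP geolocation) into a pre-shipment check. This is an added example, not code from any commenter; the weights, thresholds, forwarder list and the `Order` fields are constructed assumptions.

```python
from dataclasses import dataclass

# AVS result codes: Y/X full match, A street only, Z/W ZIP only,
# N no match, U unavailable, R retry. Weights are constructed.
AVS_RISK = {"Y": 0, "X": 0, "A": 15, "Z": 10, "W": 10, "N": 40, "U": 20, "R": 20}
# CVV2 result codes: M match, N no match, P not processed,
# S should be on card but reported absent, U issuer does not support it.
CVV2_RISK = {"M": 0, "N": 50, "P": 20, "S": 30, "U": 15}
# Constructed placeholder for reshipper addresses the merchant has seen before.
FREIGHT_FORWARDERS = {("100 EXAMPLE LOGISTICS WAY", "00000")}

@dataclass
class Order:
    avs: str
    cvv2: str
    ship_street: str
    ship_zip: str
    billing_country: str
    ip_country: str  # output of the merchant's IP geolocation lookup

def normalize(street):
    """Upper-case and strip punctuation so list lookups survive formatting."""
    return " ".join(street.upper().replace(".", " ").replace(",", " ").split())

def screen(order):
    """Return (decision, score, reasons) for a pre-shipment check."""
    score, reasons = 0, []
    # Unknown codes fail closed: score them like the worst known code.
    for name, table, code in (("AVS", AVS_RISK, order.avs),
                              ("CVV2", CVV2_RISK, order.cvv2)):
        pts = table.get(code.upper(), max(table.values()))
        if pts:
            score += pts
            reasons.append(f"{name}={code}")
    if (normalize(order.ship_street), order.ship_zip[:5]) in FREIGHT_FORWARDERS:
        score += 30
        reasons.append("freight-forwarder")
    if order.ip_country.upper() != order.billing_country.upper():
        score += 20
        reasons.append("ip-country-mismatch")
    decision = "hold" if score >= 60 else "review" if score >= 30 else "ship"
    return decision, score, reasons
```

Running the check between authorization and capture lets a "hold" void the authorization before anything ships.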

> I see no evidence of "code that detects fraud early", at least for online transactions. Any merchants ever get a call from a cc company, or issuing bank saying "hey, you know that transaction we approved a few days ago? you might not want to ship that." ? Nope.

They definitely do do this. But when they see a likely-fraudulent transaction, they call the cardholder, not the merchant. I have received calls of this type.

>>when they see a likely-fraudulent transaction, they call the cardholder, not the merchant

Right. Which means the item gets shipped. Because...yep.

Edits: a) In the real world, the bank does not catch these things in between auth/capture. b) 3rd party companies are limited in what they can do. They don't have the full picture.

Not necessarily :) If the bank calls the cardholder on file and the cardholder tells them the tx is not his, they will at least reverse the auth so the merchant can't issue a capture against it when shipping the actual goods. In some cases they call them before the auth is approved.

But again the banks are not in the business of protecting the merchant. There are companies that are in that business, however, and as a merchant you have an option to use their services.

All the UK card issuers I've used decline the transaction at my end and then contact me to verify I was trying to make that payment. Once that's done I can try again and the transaction will clear.

Our card processor regularly puts a hold on transactions when they suspect possible fraud to allow us to investigate further.

There is evidence of some "code" but it's not very good.

What's the incentive for them to do well on that part then?

> For online transactions, credit card companies have -0- liability for fraud. 100% of the costs come from the merchant's pockets.

Which credit card companies are you referring to? If you're talking about issuing banks then liability for the fraudulent transaction is shifted towards the bank vs the merchant in some cases including card not present txs.

Not in the US. 100% of the cost of card-not-present fraud is on the merchant.

Edit:

a) In the US, currently, 3DS would reduce your conversion to the point it would be useless if mandatory. If optional, use would be abysmally low.

b) "payment facilitator entity handling fraud liability on merchant's behalf" Never heard of this. Certainly, Stripe and their ilk don't do this.

This will depend on a couple of things. 3DS for example shifts the liability towards the bank. Another example would be a payment facilitator entity handling fraud liability on merchant's behalf.