Fraud 101

Learn about the payments ecosystem, chargebacks and fraud detection.

Why are ecommerce merchants liable for fraud?

When a merchant starts accepting online orders, they’ve officially entered the card not present world.

To a consumer, the decision between purchasing online or in-store is simply a calculation of convenience, price and availability.

To a merchant, however, online and in-store purchases are two very different scenarios, especially when it comes to liability for accepting a fraudulent transaction.

Let’s dive into an example that will help illustrate the difference for merchants.

John Smith is a video-game enthusiast, eagerly awaiting the release of a new game. Release day has finally come, and he heads down to his local store to purchase it, happy to discover that he can grab a copy in-store.

For the brick-and-mortar merchant, this is a card present (CP) transaction, meaning the cardholder, John Smith, is physically present with the card at the point of purchase. When a consumer makes an in-person transaction with a physical card, the merchant is able not only to inspect the card but also to ask for identification (such as a driver’s licence) and obtain a signature from the consumer. In addition, merchants require a secure form of payment, such as a chip-enabled card. Chip-enabled cards generate a unique transaction code for each purchase, making the payment information much more secure. If the merchant follows proper procedure, such as requiring a chip-enabled card for purchase and getting a signature, the merchant does not hold the liability on the transaction. Liability rests with the bank that issued the cardholder’s card, and if the purchase is later deemed to be fraudulent, the merchant is not responsible for refunding the customer. (However, if a merchant does not have a chip-enabled card reader and accepts the transaction, they are held liable for that purchase, as they did not follow the proper updated security procedures.)

Now, say John Smith ran to his local store only to discover the game was sold out, and he needed to order it online.

For the ecommerce merchant, this is a card not present (CNP) transaction, meaning that the cardholder is not physically present with the credit card for the merchant to examine at the time of the order. Without the standard security measures, such as checking identification and paying with a chip-enabled card, an online transaction is deemed far less secure. Given the riskiness of accepting an online transaction, the liability for accepting a fraudulent transaction rests with the merchant themselves, and not the issuing bank. If a merchant accepts an order online that is later deemed fraudulent, it is the merchant’s responsibility to refund the customer. The cardholder’s issuing bank will collect on behalf of the cardholder.

Understanding this liability is essential for online merchants, most of whom are unaware that they are responsible for reviewing their orders to weed out the fraud they are on the hook for.

It’s imperative that an online merchant implement online fraud detection measures to protect themselves from the costs of fraudulent transactions, for many reasons.

Firstly, the total cost to the merchant for accepting one fraudulent transaction is often more than twice the cost of the transaction itself, since they cannot recover the original fraudulent shipment, and must also refund the scammed customer.

Secondly, the merchant’s bank (known as the acquiring bank, with whom the merchant stores their money) heavily monitors its customers for fraud acceptance, and may charge a fee for every chargeback received. And, should the merchant start to process a large volume of fraudulent transactions, the acquiring bank may not only raise card fees sharply, it may also take steps to shut down the online merchant’s account.

To sum up:

Card present transactions occur in-store, where the merchant can review the identifying documents of the cardholder for legitimacy and take other security steps, like using a chip-enabled card terminal, to further confirm the validity of the purchase. If they follow the process correctly, they are not liable for fraudulent purchases; the cardholder’s issuing bank is.

Card not present transactions occur online (or through other non-present channels, like mail), where the merchant is unable to confirm the identity and validity of the purchase in person. The merchant is liable for the acceptance of any fraudulent order, and the cardholder’s issuing bank will collect the customer’s refund from the merchant should a cardholder request a chargeback. If the merchant processes a large volume of fraudulent orders, and thus receives a large number of chargebacks relative to their orders, their acquiring bank will likely take steps to raise fees to penalize the merchant.