The Legal Line
Dear Ed:I operate an e-commerce business for the retail sale of prepaid IP phone and VoIP service to consumers. We sell our customers a basic IP phone (or gateway) along with all the necessary prepaid long distance services via the Internet. We maintain a website for sales, and handle promotion from New York, provisioning from Texas, and customer service/support through a call center in the Caribbean. Since our first day of operations, we have depended heavily on credit cards and debit cards as a payment method for consumer sales of both our products and LD services. One problem that continually hits us hard in the pocketbook is the issue of fraudulent credit card chargebacks. I kid not when I say that we have lost as much as 8%-10% of quarterly sales to fraudulent charge-back reconciliation from ID theft, consumers denying they sought the credit authorization for services, fraudulent cards due to hacked and duplicated accounts, and etc. Our attorneys have our website set-up with a terms and conditions sheet that seems to maneuver around any chargeback by the consumer, but the credit card issuers keep pulling the monies from our account as if this has no bearing on them. I have recently contacted a few of the credit card providers that we accept to see what we can do about this. There has been no reply except for one asking about our fraud policies. We don’t have any policy like this except for what the call center provides as a part of its customer support service package. My question to Legal Line is what are these “fraud policies”? Are they tailored to each credit card or are there actual standard ones we can use in our website to reduce chargebacks? Thank you.Being-Charged-BackDear BCB:Let’s start off by being clear that your question is not specific to telecom or prepaid calling. It’s really about being an e-commerce business, and the realities of credit card fraud and chargebacks when you sell over the Internet. Many in the industry are wrestling with similar problems; recent years have seen telecom and prepaid providers migrate their sales to the Internet to reach broader audiences, lower overhead, and limit exposure by direct sales to consumers in multiple jurisdictions. A natural result of this migration is that Prepaid Calling Cards, PINs, DIDs, and retail VoIP Phone services now face fraud issues that were once limited only to mail order and telephone order businesses selling goods. The problem is that those in the prepaid industry are not usually versed on fraud detection, how credit card fraud rings operate, and how the credit card industry protects itself from fraud. They tend to just accept the chargebacks as a part of business without understanding what they are, and what they are supposed to protect. Let’s begin by talking about the culprits, and what they know that you may not. Credit card fraud through the Internet is not a random type of criminal activity – it is a highly organized crime that often operates through structured fraud rings. These rings may be composed of several different sub-groups working to steal identities to create bogus cards, steal card numbers, “phish” numbers from cardholders over e-mail, purchase numbers from independent divers or skimmers, or even directly hack or password attack processors for numbers. They target weak or unprepared e-commerce businesses. These rings are versed on the transactional and security procedures that are associated with “Card-Not-Present” credit authorizations, the primary way most e-commerce businesses obtain credit card authorizations. These rings tend to operate outside the U.S. (Canada, U.K., Eastern Europe, etc.) while targeting consumers and e-commerce businesses in the U.S., making the chase after being defrauded a long and often complicated legal jurisdictional question. To further such type of international endeavors, fraud rings often need an anonymous mode of communication to be able to call into e-commerce businesses to give their ill-gotten card numbers. Here’s where you and your services come back into the picture, BCB. You operate a VoIP phone service – a hot commodity for a credit card ring. With a VoIP gateway and your service, obtained through a stolen or hacked credit card, a fraud ring might be able to make hundreds of calls and fraudulent transactions with other merchants before you get the notice of your chargeback from the issuing bank or credit card provider. They know this, and this is why they target prepaid communication services. Not all fraudulent credit card chargebacks that target prepaid and telecom businesses are the result of organized rings. There are also “cybershoplifters” that target prepaid services and calling cards sold online. These individuals will make purchases, consume the service in its entirety and then file a chargeback with the credit card provider. Although U.S. credit card providers have the regulatory obligation to investigate any cardholder that they feel may be wrongfully contesting a charge authorization with a merchant, or have a pattern of doing so, many other countries, such as Canada, have strong pro-cardholder regulation and do not carry the same obligations for chargebacks. While troublesome, cybershoplifters are usually independents working on an occasional basis and do not pose such a threat as credit card rings. The pervasiveness is by no means a small problem limited to the U.S. According to Merchant 911, http://merchant911.org/index.html “In 2005 there were well over 55 million credit card numbers stolen, hacked, or at risk”. Though a global figure, the organizations affiliated Blog, http://preventchargebacks.blogspot.com, has an even more startling figure when it comes to 2006: 100 Billion credit card numbers. Now, in terms of your specific questions, there are Card-Not-Present standards that the major issuing banks and providers implement with their ISO (Independent Sale Office) and accepting merchants to detect a suspicious or fraudulent authorization attempt. Perhaps the best known of these are “Code 10” procedures. This is a procedure wherein a triggering event (such as a mail order business being requested to ship overseas by the cardholder) alerts the loss prevention department to contact the issuing bank to ensure that the card number has not been reported stolen or is otherwise compromised. Should a risk concern be assessed, and then loss prevention would call the mail order business and attempt to cancel shipment. The problem with trying to implement a “Code 10” procedure in a prepaid or telecom e-commerce business is the issue of timing. Most e-commerce sales are pushed hard and equipment is dispatched ASAP to ensure the revenue is collected. Thus, it boils down to a coordination issue between the issuing bank/credit card provider, and you as the merchant. This is where defining that triggering event can be so critical. Loss prevention departments of credit card providers will not be chasing every authorization you seek as being worthy of a fraudulent transaction investigation. You must pick your battles and help the provider by defining what may or may not be suspicious types of transactions for your business. They may also want to know if you are cross checking the credit card number and cardholder data with an IP Geo-Location identification system to weed out some fraud related to the Card-Not-Present. This may be what the credit card company was asking of you in relation to your fraud policies – clarify this point with them, BCB. If not, ask them directly what were they referring to when they asked for that information.As a preventative measure, I would also recommend that you have a sit-down with your attorneys and map out a good fraudulent charge prevention policy for your own benefit. If you have such a heavy dependency on credit card transactions, you may need to have more than a terms and conditions limitation to address fraudulent chargebacks. Honestly, 8-10% is a lot of quarterly chargebacks. To assist in this process, I have included a number of key concepts in this article from Merchant 911 related to credit card fraud. It may be a good point of venture for you and your legal counsel. I hope it helps.Good Luck and Success in the Industry.Send your questions email@example.com.