X

As Net fraud grows, so do e-tailers' fears

E-tailers worry they can't defend against growing online credit card fraud, which has put an added burden on an already vulnerable industry.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
Greg Sandoval
6 min read
A slew of online merchants say they are fighting a lonely battle against Internet scam artists as credit-card fraud continues to mushroom on the Web.

Many Web retailers present anecdotal evidence that the increased fraud has coincided with rule changes the card companies implemented just over a year ago, requiring Web merchants to have a copy of the customer's credit card or signature. Unless they do, the merchant is liable for the charge should a customer dispute it.

E-tailers, which conduct Web transactions in a virtual environment instead of in the traditional face-to-face manner, have few ways to obtain that kind of proof, and in most cases, when a customer disputes a charge, the e-tailer is the one stuck with the financial responsibility.

Although credit-card fraud is certainly nothing new, few industries are being hit as hard as e-commerce. Analysts and industry insiders say fraud is costing many e-tailers as much as 5 percent of sales--a devastating figure at a time when many e-commerce companies are striving to hit profitability.

That figure "may not sound like much, but if you're operating on a 15 percent gross margin, it's enormously painful," said Overstock.com's Patrick Byrne, chief executive of the online liquidation company.

E-commerce companies operating on gross profit margins of 5 percent or 10 percent--calculated as gross profit divided by sales, equal to each sales dollar left after incurring the cost of goods sold--will never survive in that kind of environment, Byrne said.

Many e-tailers blame the credit-card companies for throwing the doors open to fraudsters. Not only have Visa and MasterCard not found an answer to the problem, critics assert, but the two largest credit-card companies have also made it harder for e-tailers to protect themselves against online fraud.

"Anybody who knows the system can defraud online merchants," said Brian Roemmele, a former executive at a credit-card processing company who runs his own Web-security company. "That is because Visa and MasterCard say: 'Mr. Net merchant, unless you have a copy of the customer's signature or their credit card, you are unprotected.'"

Visa and MasterCard, acknowledge that online credit-card fraud is rising and that merchants do incur most of the costs. But both say they have launched programs that, once off the ground, will allow merchants to quickly authenticate a credit-card holder's identity.

But critics argue that both programs are a long way from frightening the bad guys.

An enormous undertaking
For one, the success of the programs hinges on the public's willingness to voluntarily turn over personal information to the credit-card companies. This is an enormous obstacle considering how fervently many Americans guard their privacy. Fears about security breaches on the Internet are alive and well and continue to plague e-commerce companies, analysts have said.

Brian Bergeron, chief financial officer for online luxury-goods store Ashford.com, said he thinks there is little incentive for the credit-card companies to find an answer.

"Right now, those companies get all the gravy," he said. "All the costs go back to the merchants."

What is virtually undisputable, however, is the fact that credit cards are the dominant currency used to make purchases online. More than 90 percent of all online transactions are made with a credit card, Visa says.

But credit cards were designed for face-to-face transactions, decades before the birth of the Internet. For that reason, many industry analysts say credit cards and the rules that govern their transactions do not meet and have not caught up with the demands of online commerce.

Visa and MasterCard are organizations of member banks that either issue credit cards to consumers, or for merchants, process the transactions. "Merchant" or "acquirer" banks process credit-card sales for a fee.

When a customer disputes a charge, the acquirer bank is supposed to investigate to determine whether a refund is warranted. Should the bank side with the consumer, it will issue a refund, or what is known in the industry as a "chargeback," something that most often comes at the merchant's expense.

Though many e-tailers say banks are too quick to side with consumers, the banks argue that the customer must be protected. The credit-card companies say the amount of chargebacks coming from online merchants is staggering.

Consider this: At MasterCard, e-commerce purchases make up just 4 percent of total retail transactions but account for 40 percent of all chargebacks, said Stephen Orfei, the company's senior vice president of e-business.

Same thing at Visa. As a percentage of sales volumes, chargebacks are about 12 times greater for e-commerce transactions than for face-to-face transactions, said Mike Yakel, vice president for eVisa.

And besides forcing e-tailers to deal with the cost of lost sales, credit-card fraud plagues these companies' finances in other ways. Web retailers wind up paying merchant banks more than traditional retailers do, analysts said.

For example, Visa mandates that a merchant's chargebacks must not exceed 2.5 percent of total monthly dollar volume or 50 chargebacks a month. If a retailer goes over that limit, it risks being charged a $5,000 "review fee." If the chargebacks continue to go over the limit, fines can climb as high as $25,000. MasterCard's fees can hit $100,000.

Finding e-tailers willing to talk about their chargeback troubles is difficult. But a revealing story is that of online electronics retailer Buy.com, which in August was almost forced out of business when its acquirer bank threatened to sever ties, a move that would essentially make the company unable to accept credit cards.

"Inordinate number of chargebacks"
Though it is unclear why the bank wanted out of its deal with Buy.com, sources close to the company said Buy.com had suffered an "inordinate number of chargebacks" for more than a year. Scott Blum, the company's founder, cut a deal to renew Buy.com's agreement with the credit-card processor a few days after the bank's warning.

A man who admitted to being a "carder," someone who perpetrates credit-card fraud online, told News.com that Buy.com is one of his favorite targets.

"Bigger stores are easiest to hit because some of the smaller stores are more scrutinizing and verify more detail," said the carder, who requested anonymity.

The carder said he ordered merchandise from Buy.com four times using a fake credit card, hauling away about $25,000 worth of goods, that he sold later for $5,000. The carder said he was eventually arrested, but put into words the grim realization that many are coming to: "It's seemingly easier to commit fraud over the Net."

Flooz.com, an online currency company that suspended operations last month, said in a bankruptcy filing last week that Internet fraud played a part in its demise. The company also said that its processing company, Chase Merchant Services, was keeping about $1 million of Flooz's money in a frozen account.

Roemmele, the former executive, says banks stash customers' money in such a way as to protect it from future chargebacks. When an e-tailer goes out of business and is unable to pay chargebacks, the merchant bank is the one left on the hook.

Representatives from Flooz and Buy.com did not return repeated phone calls seeking comment.

Many in the e-tailing community say the fees the banks make on chargebacks are one reason Visa and MasterCard have yet to clamp down on online credit-card fraud, something both companies deny.

"That couldn't be more wrong," MasterCard's Orfei said. He maintains that the credit-card companies lose transactions because of fear about Internet fraud. All the credit-card companies want to see is the Internet become a secure business channel so American stores open up sales overseas, he said, something they are afraid to do now because of fraud.

"Make no mistake, authentication means more business for us: more transactions and fewer costs," Orfei said.

Visa's Yakel said Verified by Visa, its new program that enables Visa card issuers to validate the identity of their cardholders during online transactions, is a good first step.

Each time cardholders make a purchase at a participating online store, they're automatically presented with a Verified by Visa window where they enter their personalized password. MasterCard's program is similar to this.

The credit-card companies say they plan to offer customers incentives, like giveaways and contests for signing up.

As for the public's fears about privacy, Orfei said: "In places overseas, a credit-card holder is held a lot more responsible for where and how they use their cards."

"In the United States, you have zero responsibility," he said. "But it is the cardholders who have to participate to help protect their accounts."