September 19, 2000 [WSJ.com -- Tech Center]

Credit-Card Fraud Has Become A Nightmare for E-Merchants

Wall Street Journal Interactive Edition
By JULIA ANGWIN
Staff Reporter of THE WALL STREET JOURNAL

It seemed like a valid order. A customer calling herself Amina Hadir visited Victor Stein's Web site in April and ordered a $700 collector's edition of The Billiard Encyclopedia, which Mr. Stein co-authored.

Once the transaction was authorized by Visa, Mr. Stein shipped the book to an address in Morocco provided by the customer and thought no more about it. After all, says the New York sugar broker who writes about billiards on the side, 25% of his sales come from foreign billiard enthusiasts.

But two months later, Mr. Stein found out the hard way that credit-card fraud is a growing problem for Internet merchants. According to bank documents provided by Mr. Stein, Ms. Hadir claimed to Visa a few weeks later that she hadn't ordered the book. She also disputed a number of other items on her bill that had been ordered from other Web sites, including Amazon.com. So at the request of Ms. Hadir's credit-card issuer, Mr. Stein's bank, Chase Manhattan Corp., took the money out of his account to reimburse the issuer, Credit Commercial de France, for its payment to Mr. Stein.

Never mind that Visa had authorized the credit-card transaction or that Mr. Stein could prove that he had shipped the merchandise to Morocco via the U.S. Postal Service. He couldn't prove Ms. Hadir had ordered the book because he didn't have her signature on the sale or the delivery slip, and he hadn't shipped the book to her billing address.

It isn't clear who committed the fraud in this case. A third party may have used Ms. Hadir's credit-card number to fraudulently obtain the book. Ms. Hadir couldn't be reached for comment, and Visa and Credit Commercial declined to discuss the situation. But in the world of Internet retailing, the customers are always right. As a result, whether customers are ripping off merchants or have been victimized themselves by credit-card thieves, it's the merchants who almost always end up losing money. "The misunderstood truth of payments on the Internet is that sellers are suffering, not the consumers," says Avivah Litan, a research director at Gartner Inc., a market-research firm.

The industry's name for a transaction that a customer disputes is a "chargeback." It was originally designed to help consumers combat misuse of their credit cards, such as charges for purchases they didn't make or for goods that weren't delivered. But it has also become an instrument of fraud on the Net. In some cases, customers order items and dispute the charges but still hold onto the merchandise. In others, thieves, often using stolen card numbers, order and receive merchandise. Either way, when the cardholder disputes the charge, the merchant must repay the cost of the item to the credit-card issuer.

First Data Corp., the largest credit-card processor in the country, says 1.25% of all Internet transactions are charged back, compared with 0.33% of catalog transactions by phone and mail and 0.14% of storefront retail transactions.

The problem appears to be worse for large retailers. Gartner Inc. surveyed 156 top retailers with median revenue of $250 million and found that 2.64% of their Internet transactions are charged back, compared with about 1.24% of offline retail transactions. Many of the merchants said they believed that more than a third of the Internet chargebacks involved stolen credit cards.

As shopping on the Internet increases -- Boston Consulting Group estimates online retail sales will hit $61.1 billion this year -- the problem of chargebacks is likely to become even more of a concern. "I call it electronic shoplifting," says Steven Peisner, founder of a Web site called nochargebacks.com (www.nochargebacks.com). He built a database of credit-card numbers that have charged-back orders. The database is now owned by Card Commerce International, which provides processing services, and is used by merchants to help them decide whether to proceed with a sale.

Fraudulent chargebacks are particularly painful for Internet retailers because they must usually reimburse the credit-card company that paid them the disputed charge, even though they have already shipped the merchandise. In the case of offline retail transactions, chargebacks are often absorbed by the credit-card issuer.

The difference is that without a customer signature, Internet retailers have a hard time proving that they sold their wares to the card holder rather than to someone else using the card number. MasterCard says that when there's a dispute and the merchant has already been paid, it will bill merchants who haven't obtained a signature and a card imprint. American Express says it will absorb the cost of the merchandise only if the merchant can prove it shipped to the card holder's billing address and obtained a signature proving the goods were delivered. Visa International says it decides on a case-by-case basis but concedes it's hard for merchants to prove their case without a signature. "A signed, imprinted sales draft is darn good evidence and will win just about every time," says Dave Richey, vice president of card operations at Visa USA.

The credit-card industry says it would like to be able to guarantee the validity of all Internet transactions, but the technology isn't there yet. "We're looking at using fingerprints, voice prints or even an iris scan" as a way to validate an online signature, says Joel S. Lisker, senior vice president of security and risk management at MasterCard.

Visa and MasterCard tried once before to solve the issue of chargebacks. In 1995, they teamed up to build something called the Secure Electronic Transaction system. It was designed to verify the identity of the person providing the credit-card number for a purchase through the use of a digital signature. But the cumbersome program never took off.

Until such a system is developed, Internet retailers say, they are often stuck paying the cost of fraud. "You can't win," says Alan Breitman, vice president of finance at Register.com, an online domain-name registrar. He says Register.com has won very few of its fights with credit-card companies over chargebacks, though it can pull back the domain name if the dispute isn't settled. The problem is so bad that Register.com created a reserve of 2% of sales for chargebacks.

Making matters worse, retailers and others who don't receive a card imprint and signature during the transaction pay a higher transaction fee to the credit-card company.

Many Internet merchants are scrambling to try to prevent fraud using different types of software. Some of them use software that checks whether the shipping address is the same as the card-billing address. Others use expensive programs that generate a score for each transaction showing the probability of fraud.

Bluefly.com Inc., an online apparel shop based in New York, says its chargeback rate was cut in half once it started using software that computes fraud probability. Now, it checks out questionable customers before completing a transaction. "If there's a thousand-dollar order, I'm going to manually look at it even after it goes through the fraud detection," says Chief Financial Officer Pat Barry. Even so, chargebacks still account for more than 2% of Bluefly's sales.

At Efunctional.com, a small electronics retailer in Logan, Utah, two of the company's seven staff members spend their entire day sorting through orders looking for clues to fraud. One worker compares billing and shipping addresses, while the other calls every person who orders more than $100 of goods.

Even so, "we get two or three chargebacks a day," says Chief Executive Craig Munsee. "It's outrageous. We just had $3,000 to $4,000 of merchandise charged back in the last week."

One of the biggest victims of credit-card fraud so far has been Expedia Inc., the travel Web site founded by Microsoft Corp. The company took a $4.1 million write-off in May to account for the large number of disputed charges on its site. "It was an incidence of extreme criminal activity," says Suzi LeVine, marketing director for the site. She says the site was targeted by professional criminals who bought expensive airline tickets using stolen credit-card numbers and then sold them to travelers.

Expedia.com has developed a list of warning signals for possibly fraudulent transactions based on its past experience. One red flag: expensive airline tickets booked at the last minute.

X-rated Web sites have an even more difficult time with chargebacks, because they can't always prove that their digital goods -- usually photos and videos -- have been delivered. Steven Blaier, owner of several X-rated Web sites, checks customers' geographical addresses, computer addresses and the size of their downloads.

"We're doing as much as we physically can do without getting a signature," Mr. Blaier says. "Even with all that proof, we have absolutely no leg to stand on. The banks want a signature, but it's impossible for us to get a signature on an electronic transaction." Mr. Blaier says his firm, CSB Entertainment Group of Howell, N.J., has a chargeback rate of about 2%.

Some retailers have devised clever schemes to get around the chargeback issue. GetPlugged.com, a Westlake, Calif., electronics retailer, asks customers who want their wares shipped to a different address to call American Express and ask to have the alternate address added to their account. "Once they do that, then we as an e-tailer are not liable for the charges," says Sunil Mehrotra, the site's founder and chairman.

But an American Express spokeswoman says, "That is not our policy and we don't want to encourage that" because of the high cost of implementing such changes.