Should digital fraud really be the merchant's problem?
By Alex Zeltcer
The entire concept of liability, with respect to digital fraud, seems to have happened by mistake.
My claim? Online merchants shouldn’t incur (all) the cost.
This whole plot (in which digital merchants are the unwilling martyrs) traces back to the 1950s and the introduction of credit cards and the credit card system.
Before credit cards were accepted, there was one way to exchange payment for a product or service: cash.
Not so long ago, a person walking into a store to purchase furniture for an entire house, with a stuffed envelope of money, wasn't a reason to alert the authorities about a potential gangster in the house.
So, when a piece of plastic was first introduced, around 7 decades ago, card issuers had trouble convincing merchants about its legitimacy.
The merchants weren’t paranoid. They indeed had a lot to lose. It was the unofficial beginning of modern payment fraud as we know it today.
Plastic but not fantastic
Simply put, merchants didn’t believe that a resulting sales slip they would get after a purchase was the same as cash. So most refused to accept it as a valid payment method.
In turn, consumers were hesitant to switch to the new payment method.
Then, credit card issuers realized that if their concept was to work, they would have to provide guarantees for consumers and merchants.
In order to claim that their piece of plastic was as valid as a banknote, they had to be financially regulated and guarantee purchases with credit cards for both sides. And so, they became associated with banks.
The move eventually worked, ensuring rapid adoption and growth in the 60s.
However, soon another problem arose.
Before computer networking, the entire credit card system in the USA was very complicated.
Every time a consumer wanted to pay with his Diners, American Express, or any other card, the merchant would have to pick up the phone and call their bank. The bank then had to call the credit card company, where an employee had to manually look up the customer's name and credit balance.
The inconvenient nature of this procedure meant merchants would often skip some or all of the required steps and simply assume the risk.
In many cases, they accepted charges for smaller transactions. They also accepted purchases from known and trusted customers via phone, without verifying them first.
This reality led to new procedures, and card-not-present (CNP) transactions were born.
For merchants, phone purchases were a great idea because they sped up the buyer experience and provided more convenience. All the customer had to do was provide their credit card number and make the pickup at the store.
But credit card companies refused to cover these types of transactions.
Because it was difficult for a merchant to verify that the actual cardholder was indeed authorizing a purchase, the transaction was susceptible to fraud. As such, the issuer of the card was liable for compensation, and they simply didn’t want to take that risk.
So, protecting their customers and themselves on CNP transactions became the merchant’s responsibility, one they carry to this day.
New way of shopping, old problems
The advent of eCommerce only amplified this issue.
Online transactions were grouped into CNP transactions because at their core, they were the same as phone purchases. The merchant had no way of identifying the buyer and couldn’t guarantee it was a legitimate purchase.
When online shopping emerged in the mid-90s, no one envisioned it would become the $5 trillion market it is today. No one gave serious thought to the potential implications of CNP transactions down the line and how they might hurt online merchants.
Credit card companies took the easy way out and created the huge problem that is digital fraud, particularly in the digital goods space.
About 15% of online transactions are declined on a regular basis.
A third of those get declined by online merchants for legitimate reasons, meaning someone didn't type the number correctly, misspelled their name, didn't put the correct CVV code, or there weren’t enough funds available.
These mistakes happen, so let’s say merchants are right to reject these transactions. But what about the rest?
Well, 10% of online transactions are declined due to the card issuer's risk evaluation without any information regarding the reason for rejection.
In other words, card issuers deem the risk of the transaction being fraudulent too high and provide a ‘Do Not Honor’ code.
DNH codes happen all the time because credit card companies don't know for sure the nature of the transaction. They want to offer the best possible service and protect their customers, but the lack of data to make an accurate decision means it’s easier for them to not approve it in the first place.
This puts the merchants in an unfavorable position because they are at risk of crossing the chargeback “safe zone”. As such, they can receive fines from payment networks for every transaction labeled as fraud and even get blacklisted from accepting online payments altogether.
The truly insane thing is that the loss of revenue from false positives will be close to half a trillion dollars by the end of 2021.
The fraud problem likely would never have escalated to this level if someone who understands risk management had been responsible for it.
But since that wasn’t the case, now we have an anomaly where merchants are not responsible for their brick-and-mortar transactions but are responsible for their digital counterparts.
Why digital goods merchants have it worst
In all of this, merchants who deal in digital goods, such as gift card retailers and prepay vendors, get the short end of the stick.
You see, payment processors have realized there is money to be made on fraud protection for merchants, so they started marketing their services accordingly.
For instance, PayPal literally calls its policy ‘Seller Protection for Merchants’, and it aims to protect transactions from chargebacks, reversals, and associated fees.
The problem here is that all of the above is true for physical goods. Digital goods - not so much.
It’s because payment processors can’t cope with the level of digital goods fraud, as simple as that.
Here is what bugs me. The concept of seller protection was one of the key selling points for PayPal, and arguably one of the major reasons why it’s one of the most popular payment processing companies.
Accepting payment online with no liability is a huge boon for businesses, but it’s marketed in a way that ignores an entire segment of digital goods merchants who are left behind, essentially.
From a business standpoint, companies such as PayPal cannot afford to be perceived as not safe enough, which is why it’s easier for them to sometimes just block merchants if the risk is too high. That’s not something they want to tangle with.
Reputation is extremely important in this industry, and because there is no regulation forcing payment processors to do something about it, they take the path of least resistance.
PayPal is making some steps toward digital goods protection but, in my opinion, it still has a long way to go (it’s a story for another time).
And so, digital goods merchants are left to fight payment fraud on their own, trying to solve one key challenge: how to improve security without adding too much friction to the buying process and compromising customer experience.
Unfortunately, many digital goods businesses fall short.
Regulation to the rescue
It’s a sad state of affairs where borderless eCommerce is a profitable option for some merchants but less for others just because of the nature of the goods they sell.
I believe payment fraud shouldn’t be the online merchant’s problem.
They currently have a huge problem on their hands, and they’re limited in what they can do to eradicate it.
It’s my belief that eventually, this is going to become an issue for either the banks (issuing and acquiring banks that are the entities that run the credit card networks) or insurance companies that insure merchants.
And the solution is not going to come of their own volition. The competitiveness of the market has already proven it’s not a strong enough reason.
The solution is likely going to come from regulation.
Someone who understands financial risk management will recognize the magnitude of the problem and make concrete moves.
Whether that happens 10 or 20 years down the line, it’s bound to happen because the fraud problem in digital transactions is getting worse by the year.
There is already movement with PSD2 (Second Payments Services Directive), a European regulation for electronic payment services that mandates stronger security requirements for online transactions, but also recognizes and regulates third-party involvement.
The implementation of PSD2 is expected to motivate the issuing banks made liable by this regulation to overhaul their business models. At the moment, they simply don't have enough data to provide accurate enough decisions, so the regulation will have to evolve further in order to actually solve the problem.
The good news is that we're seeing the first steps taken with regard to where the banks need to be in this equation.
There are still all sorts of loopholes and delegated authority that allow banks to avoid the risk, but the process has been put in motion, and that’s what counts.
What can digital merchants do?
Until proper regulation is implemented, online merchants can protect themselves by relying on this one thing: predictive artificial intelligence.
AI has the ability to differentiate all the nuances between fraudsters and genuine buyers, and make accurate, real-time decisions without interfering with customer experience.
Because it’s able to continuously train and learn, it can keep up with whatever fraudsters are trying to pull off.
Anything else will be a step back.