Why VISA/MC Drives Me Nuts!
Tired of being manipulated, penalized, and discriminated against by the major credit card companies simply because you are an online merchant - and worse yet - in the porn business? Well, so is Doug, and if you’re like him, you’re shaking your head and wondering why…
I think at this point that anyone who is not scrubbing for fraud in transactions is asking for severe trouble. And it makes no sense that VISA/MC will not share their data on stolen cards with the processing gateways. But what we have seen this year for fraud is quite a bit more disturbing, and points in my mind to a fundamental need for better general security in cards and an end to the conflict between card companies and legitimate webmasters through finding win-win solutions that benefit and grow both parties' business. Virtual VISAs are one good solution... But the reality is, while the concept of virtual VISA is great, 99.99% of users will rely on their tried and true plastic.
The adult industry is in the spotlight as being a "bad risk" in their eyes, but I strongly disagree. If you eliminate the "friendly fraud" incidents and factor in that (unlike, I suspect, most of the "traditional" online processors) adult merchants almost universally use fraud scrubbing/negative databases, require CVV2, and billing address verification, that says we've taken steps to the maximum possible limit under current technology. We stop thousands of dollars of suspicious transactions weekly because of these checks (believe me, I've checked, it's a depressingly high number). Our affiliate program has gone one step further; I've written a fraud scrubbing database for our webmasters which runs numerous checks and will not activate webmasters' accounts if there is something fishy.
So what happens in a real-world situation where we find clear-cut fraud and try to thwart it? I'll give you one recent example. We began receiving a high number of chargebacks linked to one affiliate. I immediately cancelled the affiliate and refunded every single transaction that they processed that had not been charged back. There was no question upon detailed review of the transactions that they were not legitimate, though nothing in looking at daily signups would have aroused suspicion.
Conversions looked a little good, but then again, lots of our webmasters whom I know are legitimate were converting just as well. But they still made it through our gateway's fraud database and address verification, and, much more disturbingly, almost all of them had CVV2. Coming across a hundred transactions designed to bypass every defense disturbed me greatly, especially since they had CVV2 in most cases... to me this smacked of an organized operation with a database of stolen information. I immediately contacted VISA and told them I had strong evidence that someone had a database of cards including CVV2, address, phone number, and that none of the cards were cancelled. I gave them the name, address, and social security number of the webmaster responsible and told them they had successfully cashed their affiliate check.
They transferred me to Internet Support who wanted to walk me through my network settings! Obviously the persons I spoke with had no clue what any of what I described - fraud scrubbing, etc. - meant, and had a reaction of "well, it sounds like something internetish so I'll forward them there." I got transferred to someone else after that who told me, "Well, that's interesting, we can't really do anything, you'd need to go to the issuing banks." I asked how to do that and the response was vague - there was probably a different issuing bank for every card, I'd have to somehow determine what bank issued the card, and different banks had different procedures for handling this, but there was nothing VISA/MC could do. They did not even seem concerned about it! I offered them every assistance - IP addresses (there were actually only two, from a broadband ISP in Brooklyn), even going so far as to get a photocopy of one of the checks he cashed.
If they were so concerned about fraud, why would they not consider nailing this scumbag a major victory? We're a small program and I would be willing to bet he ran this scam on dozens of other affiliate programs, and probably hit quite a few of the major third party billers with lots of chargebacks as well, and those guys processing hundreds of thousands of transactions a day would have real difficulty detecting and stopping the source.
We actively tried to pursue a clear-cut case of fraud with lots of evidence supporting it and there is no way even with all of this to do what we supposedly as adult webmasters are not concerned with, stopping fraud. Who wants a fishy transaction much less a series of them? We lose the cost of the transaction plus fees and chargebacks. We even failed to reverse some of the chargebacks in cases where we had refunded the original transaction! Stopped at every turn.
The card companies need to look hard - not at adult merchants, but at the reality that *all* online merchants are in a paperless environment and that is the future of credit cards. CVV2 does not cut it. What happened to SET?
I know for a fact I can go into any store in my town and buy something with a credit card without ID. Pretty much everywhere that is the case. How is this much more secure? Because they get a signature? Offline merchants are in reality no more secure in their nature than online – they may have fewer chargebacks, maybe because the perception is that they are, though. Carbon copies with complete credit info thrown in the trash, clerks making $4 an hour handling hundreds, even thousands of dollars a day where they could easily get information necessary to steal that card. Compare buying books at the local bookstore with buying them through one of the online e-tailers:
Offline. Hand them your card. They have signature and date, usually no confirmation of ID. If it's not swiped, then they have a nice carbon of your card which probably is thrown in the trash by a minimum wage clerk without being shredded, then it's handed off to trash where anyone could sift through and find it.
Online. Date, originating internet address (which ISPs can in most cases easily use to track back the exact location of the transaction), customer's complete billing address, CVV2, we even get originating country as reported by the browser, language of the customer who is browsing. The only card number record is stored in a secured database behind an encrypted administrative interface along with this information.
Much more documentation online to intelligently re-examine if need be later. Just because you can look a person in the eye when they buy from you does not mean you can trust them. Jeffrey Dahmer seemed like a nice person to most people who met him, you know?
I would suggest that there be an automated internet response set up by card companies to which webmasters can submit fraudulent transaction details - as many as we have to offer, which is usually substantial - and have them research it. Not just for adult but for all online businesses. Perhaps create an additional incentive for webmasters actively using the service in cutting a half-percentage point off of their rate or factoring this into their chargeback percentage scoring in their favor as a way of saying, "Hey, we were wrong about these internet sites, I can see from all the data they're giving us that they really do believe in being ethical merchants."
Stopping "friendly fraud" is a more daunting task but that also could be worked into the reporting system. Instead of putting us under review, put customers who charge back excessively under review. "Uhm, Mr. Smith, we realize you may have a valid reason to charge this back, but we'd like to talk with you because we can see from your file that this is beginning to be a pattern." Ethics are a two-way street. Suspend customers' cards if they exceed 1% chargeback volume in a month!
Get rid of the whole reason code scheme for the most part as it applies to online. Sure, I can see fraudulent transaction, but "card not present"? "Cancel recurring billing"? If a customer can't find how to cancel when it's on our main members' page, the page they joined the site with, a customer service site, and an automated responder, most of which are in as many as ten languages, how on earth can that be my fault? How can this person find food at night? Is it reasonable to expect that when the system is 99.99% automated for cancellation that I have to walk every single person through a painfully simple process or do it for them?
And someone stop these foreign banks from charging back dollar transactions in Euros. I didn't feel quite as annoyed about that until Euro and dollar switched positions in exchange rates – Sorry about the book, these things drive me NUTS! ~ Doug