What is this credit card provider fraud department doing?
June 4, 2016 6:35 PM Subscribe
The fraud department of a US-based credit card provider and card services provider got in touch with me via Google regarding fraudulent use of their customers' cards on one of my (non-US) employer's websites. I do not understand why they are doing this - surely there is a better way to contact a merchant regarding disputed payments?
I was contacted by someone in the fraud department of a bank which, according to their website, both supplies credit cards to consumers and provides merchant processing services. Apparently, some of their customers have had their cards fraudulently charged to my employer's website. As this does not relate to my area of work, I asked why this person had contacted me and they explained that they Googled my employer and clicked on the first contact link. (It is actually plausible that my contact details would appear at the top of a search.)
I initially suspected this enquiry was phishing or some other sort of scam, but closer inspection of the email headers showed that the email did indeed originate from an IP block owned by the bank in question and the email address I'm replying to is also at the correct domain. I'm still cautious, but let's assume for the sake of the question that it's genuine.
I am going to pass them onto our financial and security teams on Monday, but I am baffled as to why the fraud department would need to try to contact a merchant by Googling the name that the charges appeared under. I have only a lay understanding of payment cards, but I believe that getting a merchant account requires supplying the payment service provider with a huge amount of identifying information to avoid fraud. I assumed that in the event of fraudulent charges, there was a system whereby the card provider, the acquiring bank etc. exchanged information so that the merchant and cardholder can each make their case.
I cannot understand why a bank's fraud team would need to resort to Googling the name on the transaction statement and sending an email - and why they imagine it would be successful. Can anyone explain?
I was contacted by someone in the fraud department of a bank which, according to their website, both supplies credit cards to consumers and provides merchant processing services. Apparently, some of their customers have had their cards fraudulently charged to my employer's website. As this does not relate to my area of work, I asked why this person had contacted me and they explained that they Googled my employer and clicked on the first contact link. (It is actually plausible that my contact details would appear at the top of a search.)
I initially suspected this enquiry was phishing or some other sort of scam, but closer inspection of the email headers showed that the email did indeed originate from an IP block owned by the bank in question and the email address I'm replying to is also at the correct domain. I'm still cautious, but let's assume for the sake of the question that it's genuine.
I am going to pass them onto our financial and security teams on Monday, but I am baffled as to why the fraud department would need to try to contact a merchant by Googling the name that the charges appeared under. I have only a lay understanding of payment cards, but I believe that getting a merchant account requires supplying the payment service provider with a huge amount of identifying information to avoid fraud. I assumed that in the event of fraudulent charges, there was a system whereby the card provider, the acquiring bank etc. exchanged information so that the merchant and cardholder can each make their case.
I cannot understand why a bank's fraud team would need to resort to Googling the name on the transaction statement and sending an email - and why they imagine it would be successful. Can anyone explain?
From the way you wrote the question, it sounds like you're not in the States. If your business is both small and old enough that the merchant account was set up by an individual (who has since left the company), it's possible that the combination of a) outdated info and b) not-in-US so there's no convenient "ask the Secretary of State for the corporate agent" and c) zealous fraud management department came together and resulted in the Google search.
I agree that it's not the brightest idea but the provider may also be medium-sized and have figured that they'd exhausted their other options.
posted by fireoyster at 7:04 PM on June 4, 2016
I agree that it's not the brightest idea but the provider may also be medium-sized and have figured that they'd exhausted their other options.
posted by fireoyster at 7:04 PM on June 4, 2016
I used to be a merchant providing stuff via eCommerce, and this process sounds legit (although your company will have to do their due diligence as to this specific request). The lines of communication between merchant, merchant banking system, and the consumer whose card got used are really pretty pathetic. As a merchant I had no way to warn a consumer whose card was apparently being used fraudulently on my site (I could decline the transaction and avoid a chargeback, but that was it*), and when I got a chargeback notification my first notification generally came by postal mail on a baffling form that required me to do detective work to backtrack and figure out what transaction we were talking about.
*hopefully the fact that I declined the transaction at least alerted the cardholder's bank's fraud department, but I had no way of knowing...
posted by randomkeystrike at 8:19 PM on June 4, 2016 [2 favorites]
*hopefully the fact that I declined the transaction at least alerted the cardholder's bank's fraud department, but I had no way of knowing...
posted by randomkeystrike at 8:19 PM on June 4, 2016 [2 favorites]
Response by poster: Card payment processes are like sausages and laws, then! I shouldn't be surprised. Thanks all, for the useful answers so far.
I suppose I drew a direct connection between the fact that payment by credit card is seen as relatively safe and the fact that obtaining a merchant account can involve providing a lot of safeguards, where in fact it's a lot messier than that.
A couple of supplementary questions, if I can push my luck:
posted by Busy Old Fool at 2:00 AM on June 5, 2016
I suppose I drew a direct connection between the fact that payment by credit card is seen as relatively safe and the fact that obtaining a merchant account can involve providing a lot of safeguards, where in fact it's a lot messier than that.
A couple of supplementary questions, if I can push my luck:
- If it's so easy for crooks to get a merchant account, why is there a big business in redeeming stolen card numbers via gift vouchers etc.?
- Why is the card provider, not the acquiring/merchant bank on the hook for fraudulent charges?
posted by Busy Old Fool at 2:00 AM on June 5, 2016
I don't really understand your first question, as it's like asking why people drive cars when they could drive trucks.
posted by palomar at 4:50 AM on June 5, 2016 [1 favorite]
posted by palomar at 4:50 AM on June 5, 2016 [1 favorite]
As for your second question, the merchant bank is on the hook for fraudulent charges IF the issuing bank can prove the charges were fraudulent. Visa/MC don't make that easy, their policies are heavily weighted in favor of merchants.
posted by palomar at 4:53 AM on June 5, 2016
posted by palomar at 4:53 AM on June 5, 2016
CC payment is seen as relatively safe because V/MC require issuing banks to have a zero liability policy for cardholders. So as the consumer, you're not on the hook for fraud, and your bank will refund you. But your bank may not be refunded by V/MC.
posted by palomar at 4:57 AM on June 5, 2016
posted by palomar at 4:57 AM on June 5, 2016
Response by poster: OK, so now I understand that in cases of fraud, the card association policy is that cardholders are not impacted, but that in a merchant bank vs. issuing bank dispute, the card association policies are pro merchant.
I don't really understand your first question, as it's like asking why people drive cars when they could drive trucks.
I assume this means that both approaches have different strengths and weaknesses. I always believed that the reason criminals cashed out via gift or pre-paid cards rather than through a merchant account was that an account was hard to get, but obviously it's something else.
posted by Busy Old Fool at 4:02 PM on June 5, 2016
I don't really understand your first question, as it's like asking why people drive cars when they could drive trucks.
I assume this means that both approaches have different strengths and weaknesses. I always believed that the reason criminals cashed out via gift or pre-paid cards rather than through a merchant account was that an account was hard to get, but obviously it's something else.
posted by Busy Old Fool at 4:02 PM on June 5, 2016
This thread is closed to new comments.
Yeah, uh... that information is often very fraudulent itself. For instance, the scads of Chinese garment companies that offer prom/bridesmaid dresses on the internet? All fraudulent, and yet somehow they all have Visa/MC merchant accounts. Having a merchant account does not mean it's fraud-free.
I used to process chargebacks for fraudulent purchases. The only information we can get ahold of is whatever the consumer provides us regarding their purchase, and the very very bare-bones information that comes through in the authorization details from Visa/MC. So yes, frequently, we would have to Google merchant information and try to make contact ourselves.
posted by palomar at 7:04 PM on June 4, 2016 [2 favorites]