Credit Card Hacked, Again?

Someone hijacked my credit card over the weekend–the seventh stolen card number I’ve encountered in under three years. CapitalOne detected the fraud instantly and notified me by text, email, and phone call. My card was cancelled and re-issued within minutes. It happens.

The credit card industry is broken and in dire need of change. Visa, Mastercard, AMEX, and Discover know that fraud is increasingly rampant and are forced to dedicate enormous resources to combat the problem. Before suggesting a solution, let’s examine how the industry currently operates.

The Real Cost of Chargebacks

A card holder files a chargeback to remove unauthorized charges to their account. Chargebacks are a mess for everyone involved.

  • Merchants have full liability for authorized, fraudulent transactions. It is solely a seller’s responsibility to identify and cancel fraudulent transactions.

    When a seller delivers goods or services to a hacker and the card holder issues a chargeback, the sale amount is deducted from the seller’s bank account in addition to chargeback fees. Merchants are thus incentivized to avoid fraud. But scam artists have a job to do!
  • Credit Card Networks, Gateways, and Processors experience minimal liability for fraudulent transactions. When a consumer reports fraud, the merchant foots the bill. About $50 in fees collected from the merchant covers overhead of the network’s constituents to issue a new card. New cards cost approx. $12.75/ea + shipping.
  • Issuing Banks have even smaller liability than CC networks. The bank can only lose from fraudulent activity in the unlikely event that a merchant’s bank account has insufficient funds to process a chargeback. Issuing banks are safe as long as a merchant stays in business and continues generating revenue.
  • Card Holders have zero liability, aside from the temporary frustration incurred by credit card theft.

You may be questioning my security practices. Please do. Each time my Visa has been compromised, the physical card has been in my possession. I always work behind firewalls. My devices are free of malware and viruses. As a merchant, I’m cognizant of PCI compliance requirements, and only offer credit cards to reliable suppliers (the card in question is held by a business account).

In most cases, merchants successfully cancel bad transactions. While “Dwayne” in Chicago, IL managed to obtain my credit card credentials, he will not receive the $700 in electronics and luxury shampoo he hoped for. Dwayne’s time was wasted, my time was wasted, and CapitalOne lost some time and money issuing a new card. If Dwayne bought my credit card number on the black market, he may be out another $5-10.

Merchant’s Perspective

Most of the fraudulent orders my company observes present perfect AVS and CVV2 results. AVS presents a number of security flaws:

  1. Merchants have no ability to verify the card holder’s name, street name, city, or state. Only zipcode and street number are verified.
  2. Legitimate consumers often forget their billing address, or cause false declines due to inconsistent apartment and/or street numbering.
  3. AVS is generally unavailable for cards issued outside of the United States.
  4. Hackers easily find billing information once a name and card credentials are obtained.

Thanks to the power of Braintree, we’ve implemented proprietary security logic which keeps our chargeback rate 30% below the US average, and we’re often able to proactively inform those whose cards have been compromised. Details of our logic must be omitted here to maintain security.

By the Numbers

Consumers prefer to pay via credit card. Meanwhile, the financial industry profits, and merchants carry the burden:

  • Americans use credit and debit cards for over 80% of consumer spending.
  • Consumers with excellent credit can receive cashback incentives of up to 1.5% for paying via credit card; businesses receive up to 2% cashback.
  • Over 1 Billion financial records were compromised in 2014
  • Merchants pay about 2.5% for Visa/Mastercard and 3.5% for AMEX card-not-present transactions.
  • Combined income of Visa + Mastercard + AMEX + Discover (2015) = $17.4B
  • Estimated cost of fraud to Merchants (2009) = $190B

Shifting the Industry

We have supercomputers in our pockets, capable of voice recognition, facial recognition, fingerprint recognition, reporting user position via GPS coordinates, and of course providing instant access to data networks worldwide. Payment via smartphone is a logical evolution to personal finance and security. Starbucks’ payment app has excellent, growing adoption, and Chinese consumers now prefer Wechat Wallet and Mobile Alipay over credit card and cash, which have also gained popularity due to customer rewards.

Secure mobile payments will become standard within the next generation. As we move towards smarter payment methods, it will be fascinating to see how the financial industry rearranges. Hundreds of billions are at stake.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.