Credit Card fraud - who is liable?

Credit Card fraud - who is liable?

Didn't find your answer?

A client of mine recently had an enquiry from an overseas company for some goods, which in their business is nothing unusual. They insisted on payment before despatch as it was a new contact. The purchaser duly proffered a credit card to settle the amount due. The credit card was processed and an authorisation code given. As it was a new customer our client also went to the effort of telephoning the credit card company to ensure there were no problems. They were told to wait three days for the money to appear in their bank account before despatching the goods.

Three days passed and the money appeared so the goods were despatched. Several days later my client was contacted by the credit card company who informed them that the credit card number used was not legitimate (either a stolen card number or a cloned card). The credit card company then informed the client that they would be recovering the money by taking it out their bank account.

The client has taken legal advice and although there are some avenues to be considered the basic fact seems to be that the credit card company is perfectly within its rights to do this.

Firstly, it seems to me that no fraud has been committed upon my client (they received money and despatched the ordered goods). If a fraud has been committed the victim is surely the account holder of the cloned card or the credit card company. Indeed my client only has the credit cad company's word that a fraud has been committed at all!

Secondly, when my client reported it to the police they said they wouldn't even give it a crime number! So much for all our reporting to NCIS.

Most importantly when my clients and I asked our associates that use credit card facilities whether they knew that they were liable for losses due to CNP fraud, not a single one did. Merchants are being made to carry all the risk of CNP fraud and they do not even realise it. My message is to make sure all your clients realise the risks and act accordingly.

Bruce Roberts

Replies (8)

Please login or register to join the discussion.

avatar
By User deleted
19th Sep 2005 21:15

Three digit security code
My credit cards have a three digit security code printed on the signature strip.

This is usually requested when making payment over the telephone or web.

I thought this was added security, ie. not part of the credit card number, only known to those physically in possession of the card.

Did this security measure either (a) Not get used by your client or (b) Get used but prove to be of no value ?

Thanks (0)
avatar
By AnonymousUser
20th Sep 2005 09:52

My understanding.
Until recently I had an owning interest in a couple of shops using streamline for CC processing. Neil is correct in that with Chip and Pin the liability for fraud now resides with retailer but that only relates to customer present transactions. Most retailers, us included, are not licensed for customer not present transaction and these will always be at the risk of the retailer. If the more expensive option is taken (CNP)then I believe that the address of the card user is checked on line before authorisation is agreed and goods will obviously only be delivered to this address.

Thanks (0)
avatar
By neileg
19th Sep 2005 13:05

Doesn't seem right
I understood that since January 2005, the retailer took liability for fraud, unless they have operated chip and pin correctly, in which case they are protected.

It wouldn't be the first time that a bank has ignored the rules in order to protect their own position. I would be taking this up with the bank and make a stink about it.

Edit: After a bit of research online
http://www.streamline.com/New_to_Streamline/Additional_products_&_services/Chip_&_PIN/Liability_shift/default.htm
This states:A change occurred in who bears the cost for fraudulent transactions on the 1st January 2005. This change means that the liability for fraudulent card transactions in situations where the card is counterfeit or has been lost/stolen will pass to the party that is not chip and PIN compliant. Where all parties are compliant, then fraudulent transactions should not occur, but any fraud will be the responsibility of the card issuer/cardholder. It should be noted that this only applies to transactions where the cardholder is present at the time the transaction is carried out.

Thanks (0)
avatar
By User deleted
20th Sep 2005 11:06

Thank you
Thanks for all those who have commented so far.

Just to clarify:

Chip and Pin would not have helped in this case as it requires the presence of the cardholder. The credit card companies do take responsibility in these cases.

The three digit number on the back of the card was utilised in the security check before an authorisation number was obtained, so presumably the card had been seen by the fraudster at some point. I do not know how the credit card company's use this information.

Steven - why do the credit card company's not authorise some businesses for card not present transactions? From my client's experience it would seem that the retailer is the one at risk anyway?

Thanks again for the comments. I am hoping the risks will be more widely understood.

Thanks (0)
avatar
By neileg
20th Sep 2005 17:08

Ah
When you said The purchaser duly proffered a credit card to settle the amount due, that suggested the purchaser was present.

It's not C&P fraud, though, is it? It's just credit card fraud, and the liability did pass to the retailer in January 2005. I wouldn't have been happy to process the transaction, but I guess that if I had seen the money in the bank I would have assumed it was all OK.

However, the situation here is the same as with cheques. A cheque never really clears in the case of fraud, despite what we are led to believe.

Thanks (0)
avatar
By tomtrainer
21st Sep 2005 11:02

"The credit card was processed and an authorisation code given"
What is the point of the credit card company providing an authorisation code if it does not provide authorisation to carry out the transaction? Does it not owe the retailer a duty of care in providing such authorisation, and if so, does it not bear some responsibility for the fraud?

Thanks (0)
avatar
By Swimmingagainstthe Tide
21st Sep 2005 16:50

Good points
You are right Neil, it is exactly the same with cheques. The bank can take the money back a long time after it has allegedly cleared.

Tom; the authorisation code, according to the bank, merely confirms that there are funds available in the card holder's account and that the card has not reported stolen. Neither were the case for my client's transaction.



Thanks (0)
avatar
By User deleted
22nd Sep 2005 20:28

What happenned to CV2/AVS & VBV ?
I've just found some Credit Card fraud prevention information from November 2003.

CV2/AVS = card verification to address system, fee for this service quoted as flat fee of £10 per month.

VBV = verified by visa - installation fee £250 and then a fee of £10 per month.

These services were stated as being provided by Visa (not Mastercard). I think I recorded the screen shots I have from a Working Lunch programme (Around 12th Nov 2003). However I've never heard anything more about these services, [specific for mail order assurance], since.

Thanks (0)