May 16, 2005

Adam Penenberg Column Republished: With Credit Card Fraud The Merchant Pays

This is open-sourced journalism. Adam wrote this column, but he can't run it on Wired because his column there is on online media and this is not an online media issue. So here it is, published openly.

Please republish at will.

With Credit Card Fraud The Merchant Pays
By Adam L. Penenberg

Lawrence Comras, owner and operator of Greenhome.com, figured out an elegant solution to credit card fraud. Unfortunately it worked so well, he almost went out of business -- and therein lies a cautionary tale for any merchant who has set up shop on the internet.

Greenhome, founded five years ago, is a small-scale Bed, Bath and Beyond for the environmentally conscious (think Mother Jones readers). Products include appliances "that keep your home free from toxins and pollution" and "minimize your energy consumption;" apparel (loads of hemp); furniture constructed from "sustainably harvested trees" or "post-consumer plastics;" and for the kids: toys, bedding, clothes and art supplies that are free of toxic chemicals. With a low overhead -- Comras runs Greenhome out of his Bay Area garage -- and a growing demand for all-natural products, he has created a nice niche business.

But as any online merchant can tell you, there is an awful lot of credit card fraud. And who pays? Unfortunately, the merchant. You have to hire a bank to authorize credit card transactions, but in a card-not-present sale the chargeback lands on you: if the card turns out to be stolen, you're the one stuck with the bill for the goods you already shipped.

For instance, in 2002, Greenhome got fleeced for a few thousand dollars in fraudulent charges. Someone purchased three flat screen computer monitors ("They take a tenth of the materials to make," Comras says, which means "they take up less space in landfills.") Only later did Comras find out that the card had been stolen. When Comras reviewed the transaction, he learned that the zip code didn't match. But it went through anyway. That's because approval requires only that the card number and expiration date match. The address verification result comes back alongside the approval, but even when the street address and zip code don't match, the bank typically OKs the transaction and leaves it to the merchant to act on the mismatch.

Before this, Comras hadn't given much thought to credit card fraud. But he realized he faced a significant problem. The approval process was completely binary, yes or no, yet at the moment of approval he didn't have the address-match data he needed to decide whether to ship. Comras realized there was almost no limit to how much money he could be liable for if he were hit with a flurry of fraudulent transactions.

But being something of a geek, Comras came up with a way to combat the problem. He set up a system that relied on preauthorization, much like the hold a hotel places on your card when you check in. In Greenhome's case, it would request a $1 authorization against the card. Of course, almost everyone has $1 available, so the approval itself told him nothing. But in the process, Comras would learn whether the billing address and zip code matched the card number and expiration date. If they didn't, Greenhome would reject the order before submitting the real charge.

In effect, Comras wrote a program that pre-authorized each transaction before the bank authorized the real charge. And all it cost him was 35 cents per pre-authorization, the same fee the bank charged for the authorization itself. For 70 cents a sale, plus the usual 3 percent credit card charge all merchants pay, Comras thought he was protected.

It worked well -- for a while. Then earlier this year, Bank One customers started calling, asking why they were being charged a $1 transaction fee: Greenhome's pre-authorization holds were showing up on their statements. Someone was running stolen credit cards through his system at the rate of about one a minute. It was very methodical. Maybe automated, maybe not. The thief had found a cheap way to learn which stolen numbers were still live, and the fraud check Comras built was doing the testing for him. The perpetrator ran about 30,000 of them through the site in one month. And for each one, Comras was charged 35 cents, roughly $10,500 in all. That wiped out every penny of profit he earned that month.

He called his bank, which had helped him engineer his credit card fraud solution in the first place, and demanded it not charge him this fee. Greenhome had been proactive, trying to help prevent fraud, he argued. Yet his bank refused to let him off the hook.

Comras' theory is, "It's possible that the banks have done the calculus and it's more in their interest to force the merchants to put whatever they want through because the banks can charge more when there is not a match." What he means is that the banks charge a slightly higher rate for transactions when the zip code doesn't match, yet they don't inform the merchants.

In other words, the banks don't care, since they make more money on fraudulent transactions anyway.

So let the seller beware.

Posted by Mary Hodder at May 16, 2005 10:47 AM
Comments

Skotos has a similar "pre-auth" technique. However, if there are more than X attempts to validate a credit card from a single IP address, we stop allowing them to try. I think X = 3. We have a few other tricks that we do to prevent fraud.

Posted by: Christopher Allen at May 19, 2005 10:33 AM
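The column's incident and the per-IP cap in Christopher Allen's comment, replayed as an added example (this is not Greenhome's or Skotos' code, and nothing here comes from the column's author). The gateway is a constructed stand-in for the acquiring bank's API: every pre-authorization attempt costs the merchant a fixed fee whether or not the address matches, and approval depends only on card number and expiry, as the column describes. The fee (35 cents) and the attack size (30,000 attempts) are the column's figures; the cap of 3 attempts per IP is Allen's; the card numbers, the sample IP address, the Luhn pre-check and the class and function names are assumptions made for the example.

```python
"""Card-testing attack against a $1 pre-authorization oracle, simulated.

Added example, not code from Greenhome or the column's author. FakeGateway
is a constructed stand-in for the acquiring bank's API: each pre-auth
attempt costs the merchant PREAUTH_FEE_CENTS whether or not the address
matches, and approval depends only on card number and expiry.
"""
from collections import defaultdict
from dataclasses import dataclass

PREAUTH_FEE_CENTS = 35      # fee per authorization attempt, from the column
ATTEMPTS_PER_IP = 3         # cap quoted in Christopher Allen's comment


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string (used to build sample PANs)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:      # these positions are doubled once a check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum on a full card number: a free local filter for malformed
    or random numbers, run before any paid gateway call. Not fraud detection."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    return luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class FakeGateway:
    """Constructed stand-in for the bank's authorization API."""
    cards_on_file: dict          # pan -> {"expiry": ..., "zip": ...} (constructed)
    calls: int = 0
    fees_cents: int = 0

    def preauth(self, pan: str, expiry: str, zip_code: str) -> dict:
        self.calls += 1
        self.fees_cents += PREAUTH_FEE_CENTS      # charged even when AVS fails
        rec = self.cards_on_file.get(pan)
        approved = rec is not None and rec["expiry"] == expiry
        # Approval ignores the address; the AVS result is reported separately.
        return {"approved": approved,
                "avs_match": approved and rec["zip"] == zip_code}


class NaiveCheckout:
    """Flow as the column describes it: every submission triggers a paid
    pre-auth, and the order is rejected only on an AVS mismatch."""
    def __init__(self, gateway: FakeGateway):
        self.gw = gateway

    def submit(self, ip: str, pan: str, expiry: str, zip_code: str) -> str:
        r = self.gw.preauth(pan, expiry, zip_code)
        return "accept" if r["approved"] and r["avs_match"] else "reject"


class ThrottledCheckout(NaiveCheckout):
    """Same flow, but free checks run first and each source IP gets a small
    budget of gateway calls; beyond it, submissions are refused locally."""
    def __init__(self, gateway: FakeGateway, per_ip_limit: int = ATTEMPTS_PER_IP):
        super().__init__(gateway)
        self.limit = per_ip_limit
        self.attempts = defaultdict(int)          # ip -> paid attempts so far

    def submit(self, ip: str, pan: str, expiry: str, zip_code: str) -> str:
        if not luhn_ok(pan):
            return "reject_malformed"             # no gateway call, no fee
        if self.attempts[ip] >= self.limit:
            return "reject_throttled"             # no gateway call, no fee
        self.attempts[ip] += 1
        return super().submit(ip, pan, expiry, zip_code)


def attacker_cards(n: int) -> list:
    """Constructed stand-in for a stolen-card list: n Luhn-valid 16-digit PANs."""
    out = []
    for i in range(n):
        body = "4" + str(i).zfill(14)
        out.append(body + luhn_check_digit(body))
    return out


def run_attack(checkout_cls, n: int = 30_000, ip: str = "203.0.113.7") -> dict:
    """Replay the column's incident: n numbers from one source address.
    Returns how many attempts reached the gateway and the fee the merchant pays."""
    gw = FakeGateway(cards_on_file={})            # none of the tested cards exist
    co = checkout_cls(gw)
    for pan in attacker_cards(n):
        co.submit(ip, pan, "12/07", "94110")      # constructed expiry and zip
    return {"gateway_calls": gw.calls, "fee_cents": gw.fees_cents}


if __name__ == "__main__":
    for cls in (NaiveCheckout, ThrottledCheckout):
        r = run_attack(cls)
        print(f"{cls.__name__}: {r['gateway_calls']} paid calls, "
              f"${r['fee_cents'] / 100:,.2f} in fees")
```

The naive flow forwards all 30,000 attempts and pays $10,500 in authorization fees; the throttled flow pays for three. Two caveats a deployment needs that the simulation skips: a per-IP cap alone does nothing against an attacker spread across many addresses, so it should be paired with a global ceiling on pre-authorizations per hour and an alert when the rejection rate jumps; and the $1 hold still lands on the cardholder's statement for every attempt that reaches the gateway, which is exactly what produced the Bank One customers' phone calls.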