If a business receives a fraudulent online order and ships the merchandise, is the company responsible for the cost?
The editorial content below is based solely on the objective assessment of our writers and is not driven by advertising dollars. However, we may receive compensation when you click on links to products from our partners. Learn more about our advertising policy.
The content on this page is accurate as of the posting date; however, some of the offers mentioned may have expired. Please see the bank’s website for the most current version of card offers; and please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.
My company was victimized by online credit card fraud. A stolen credit card was used, and we shipped our product to an address different than the billing address of the credit card. We reported this to our local police. Our credit card processor says that we are responsible, but I don’t trust that answer. – Shai
I’m sorry to hear that your business was victimized by fraudsters. Sadly, there are so many online crooks out there that every business owner needs to be very vigilant about fraud.
You’re wise to get a second opinion on what the merchant processor told you. To find out what your responsibilities are, I checked with Jen Lee, an attorney with offices in San Ramon and Tracy, California, who frequently advises clients on debt-related matters and is a co-author of “Preventing Credit Card Fraud: A Complete Guide for Everyone from Merchants to Consumers,” a book that will be published in March 2017.
She recommended that you review your merchant services agreement with an attorney to see what it says about liability for fraudulent transactions. If the agreement shows you are not liable, you and your attorney should have grounds to dispute the processor’s contention that you are responsible for the fraud.
However, it does seem likely in this case that the merchant processor is correct.
“Generally speaking, for online transactions where the merchant does not see the actual card, the merchant ends up assuming the liability for fraudulent transactions and ends up losing out twice – once for the shipped merchandise that is likely forever lost and then having to pay back the bank for the fraudulent charges,” Lee said in an email.
Steps you can take
As you already know, fraud can be costly. So what can you do to prevent it in the future? First, I’d take a look at the fraud-prevention guidelines for merchants issued by Visa, Mastercard and any other cards you accept. Visa, for instance, suggests that merchants processing “card-not-present” transactions confirm orders sent somewhere other than a customer’s billing address by reaching out to the customers through a point of contact associated with the billing address, not the ship-to address.
Visa points to several red flags that may suggest fraud: a first-time shopper, a larger than normal order, an order that includes several of the same item, an order with many big-ticket items, rush or overnight shipping requested and shipping to an international address.
Other possible warning signs of fraud, Visa notes, are transactions with similar account numbers, transactions placed on multiple cards that all ship to the same address, multiple transactions on one card over a short period, multiple transactions on a single card with one billing address that are being sent to multiple shipping addresses, multiple cards used from a single IP address and orders from internet addresses that make use of free email services.
Of course, there’s an element of judgment here. If you sell holiday gift baskets and a regular customer is sending three baskets to different addresses, they could well be legitimate transactions. Nonetheless, it wouldn’t hurt to confirm the transactions with such a customer at the phone number or email address normally associated with the billing address. Many consumers have been victimized by identity thieves and will appreciate the efforts you take to protect them from unauthorized use of their card.
If you want to add an extra layer of scrutiny of credit card transactions, technology can give you an assist. Online merchants can join Verified by Visa and Mastercard SecureCode, services that verify the identity of consumers who have opted in for the programs.
“These are both products that assist in helping merchants detect non-authenticated customers using a card that has been compromised,” said Seth Ruden, senior fraud consultant at ACI Worldwide, which provides electronic banking and payment solutions for financial institutions, merchants, billers and processors. American Express offers a similar product called SafeKey.
It should get easier for online merchants to verify ecommerce solutions in the near future, thanks to advances in areas such as biometrics. I’d recommend paying close attention to news of new fraud-prevention technologies. They could end up saving you a bundle.
See related: What to do if you suspect fraud by a customer