How to steal online

Mark Boyce
Mar 1, 2020

Say you order some food on Hopscotch with a credit card. It comes, you eat it, and all is well with the world. Now you decide, scoundrel that you are, that you don’t want to pay for it. So two days later, you call your bank and tell them that you’d like to challenge this strange transaction that has appeared on your statement.

Let me tell you what will happen next. Hopscotch will receive an email from our bank, indicating that one of our card transactions has been “charged back.” We will have a week to write a response.

Until then, I was a man running a food delivery company. Suddenly, I’ve become a private detective. I’ll search through our records and find the offending transaction and associated food order. I’ll call the phone number on the order, hoping to reach you and discuss the situation.

When your phone rings, you may say almost anything that pleases you. You might say that you’ve never heard of Hopscotch, much less used our service, so you filed the chargeback. You might say that you placed the order, received the food, and didn’t file the chargeback. You might say that you used your girlfriend’s card and ordered for both of you, but you’ve since had an acrimonious breakup and she filed the chargeback out of spite. It really doesn’t matter what you say, and of course, you can simply hang up and say nothing.

I will write a response to the chargeback, detailing the results of my investigations, and forward it to my bank. My bank will forward it to your bank. Someone at your bank, in my imagination wearing a robe and wielding a gavel, will decide whether your card was used fraudulently.

Chances are, they will side with you. It’s your word against mine, and they don’t give a damn about me. You are their client, and they want to keep you happy. Besides, your bank will always be made whole: If it upholds the chargeback, my bank will pay them by debiting my account. All this means that the merchant’s chargeback response is, it seems to me, nothing more than a perfunctory exercise.

If they do uphold your chargeback, I can effectively appeal, through an arbitration administered by the credit card network. But the fee for this is so exorbitant that it would only make sense for very large transactions. Visa, for instance, charges the losing party $500 USD per transaction. Considering that I will have no new evidence to present at the arbitration, that is unlikely to be worth the risk. If I choose not to arbitrate, the process ends: Your bank refunds you, and my bank charges me.

My only remaining recourse is the law. I can drive to the police station with all the paperwork, spend several hours with the Fraud Squad (yes, that’s their real name) filing a report, then wait several months for the wheels of justice to turn. Barbados being what it is, I may have to grease those wheels myself, by intermittently hounding the officers assigned to the case.

Of course, unless there’s a small fortune at stake, I am very unlikely to arbitrate, much less turn to the police. I imagine that most merchants simply write off the loss. So in practice, winning yourself a free meal (or a free anything that costs less than several thousand dollars) requires nothing more than unscrupulousness. Cardholders can also charge back transactions up to 4 months after they occur, meaning that dishonest people have a long window in which to buy items before claiming fraud on the whole bunch. As far as I can tell, merchants have no defense against this, at least not before the fact, no matter how ridiculous the customer’s claims.

For example, one customer of ours recently filed 3 chargebacks, totalling about $150. Unable to reach her on the phone, I ended up driving to her house, only possible because I live on a small island. She claimed she placed the orders but never received the food.

In her presence, I video-called the drivers who had carried out the deliveries. They recognized her and remembered the orders. One of them even recalled a conversation they had had with her, because they needed further directions to her house. It was clear that her lie was unravelling. Nevertheless, she stuck to her story and her bank found in her favour. It made no sense to run the financial risk of losing $3000BDS in an arbitration to potentially recoup $150BDS, so we accepted the chargebacks.

The bigger problem is when there’s more at stake. Last year, we accepted chargebacks filed by one customer totalling more than $7,000 from almost 40 transactions. She claimed she gave her card information to another person, who continued to use it for months afterwards without her consent. She said she didn’t notice because she didn’t have access to her bank statements during this time (her card issuer was an American bank). We have no way of verifying these claims, and in any case, I doubt it would matter if we found them to be false beyond reasonable doubt. Once again, arbitration was out of the question: Had we lost, it would have cost us about $40,000. But given the large cumulative value of the transactions, we reported the incident to the police. Several months later, there has been no movement in the case, as far as we can tell.

There does seem to be some hope. Companies like ClearSale, Vesta and Forter sell insurance designed to mitigate chargeback risk. It seems to work in the following way. When a customer pays by card on your site, your web application (or your gateway processor) sends information about the transaction in real time to the insurer. The insurer analyses it and either approves it or, if it’s suspicious, flags it. The insurer will then reimburse you for any transactions charged back because of fraud. The fee for this service varies with your volumes, but for a small business seems like it would be about 1% of approved transaction amounts.

Importantly, at least some of these companies, in addition to insuring merchants against card theft and misuse, also provide coverage for what is often called “friendly fraud.” These are transactions carried out by the cardholder herself or by someone to whom she has willingly handed over her card information. In this case, the cardholder files a chargeback either because she wants to avoid paying the merchant or through good-faith error — for instance, because she doesn’t recognise the transaction on her bank statement. The term “credit card fraud” may call to mind images of hackers with reams of stolen card data, but in fact friendly fraud appears far more prevalent. So far, every single chargeback at Hopscotch has been of the friendly fraud variety.

I’m still investigating these products, to see whether the benefits outweigh the costs. The costs include not just the fee, but also the cost of integrating their system into our web application, which will require software development. It’s still an open question whether that’s even possible, given that we delegate all transaction handling to our gateway processor. My initial conversations with ClearSale and Vesta have suggested that their products are primarily targeted at multi-million-dollar corporations, which not only have far more to lose from fraudulent transactions, but also probably have the resources to process cards more directly.

Until I get some definitive answers, I can only await notification of the next chargeback. And of course, when it eventually happens, pay up.
