Monday, July 16, 2012

Merchant charges

My American Express card number got "stolen" and used for a fraudulent transaction this morning (caught by fraud detection and declined after I was contacted). Last month it was my Visa debit card. What annoys me is that this doesn't have to be possible. Right now it's possible because our system expects me to give the merchant my account number and have them initiate a charge from my account. But why does it have to work that way?

Suppose instead it worked thusly:
  • The merchant gives me a merchant account number, transaction code and amount.
  • If I'm making a purchase on-line, I go to my bank/issuer's Web site and enter an order to send a payment for the amount in question to the merchant's account, referencing the transaction code.
  • If I'm making a purchase in the store, I hit my bank/issuer's app on my cell phone and do the same thing.
  • If they don't have an app, I use the phone's browser to go to their mobile Web site and do the same.
  • If I don't have data/Web access from my phone, I call an automated phone line and do the same (phone number verified by the automated billing info on the call).
  • The bank/issuer sends the payment to the merchant.
  • The merchant verifies the payment was received, and gives me my merchandise.
Now it's all but impossible for a fraudster to use my card. Merchants don't need to know my card number, so there's nothing stored on their systems for anyone to steal. My bank/issuer site login information's stored on my systems, they're under my control so it's a lot easier to take steps to prevent compromise (and if they're compromised they were under my control so it's a lot easier from a legal standpoint to justify saying that I'm responsible for the problem, and I can change passwords in just one place so it's easier to fix any compromise). It doesn't even require any infrastructure, banks and credit-card companies already have the networks in place to do electronic funds transfer (it's how they already handle the daily settlement with merchants and how they handle charging your card). So why do we accept fraud and the attendant problems when there's an alternative available?

Of course, there's always the case where you don't have a phone or any other way of initiating a transaction. But we have physical cards, and identification. Standard swiped transactions can continue to work, although they'd be considered a higher-risk transaction. Just go back to where we were when I was starting out in the world: when you present a card the first thing the merchant asks is "Photo ID please." That'll cut down on card-present fraud; it's harder to fake two forms of ID, and the fraudster has to balance the cost of a good forged driver's license against the amount he can purchase without tripping red flags. And we're reaching the point where even kids have cell phones with data plans. That adds another layer: someone who normally does bank-initiated payments suddenly doing a card-present swipe is abnormal activity and a big red flag saying "Potential fraud! Contact the cardholder to verify." That adds another hurdle for the fraudsters: they don't just have to fake the card and photo ID, they have to have a card that's regularly used for swiped transactions. Merchants don't have to store card information for swiped transactions, so it limits the fraudsters to skimmers or compromising merchant point-of-sale systems. In the process it also gives me, the account holder, the option of removing myself from any risk of compromise by getting a suitable cell phone and avoiding swiped transactions entirely. I can still leave myself open to fraud, but it's my choice and I get to balance the cost vs. the risk instead of depending entirely on merchant security.
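As an added illustration (not code from this post), here is a toy Python model of the customer-initiated payment flow in the list above and of the "normally pushes, suddenly swipes" red flag from the previous paragraph. The Invoice, Merchant and Bank classes, the "push"/"swipe" channel labels and the hold_verify result are all my assumptions; the point to notice is that the Merchant object never holds a customer account number.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:                      # what the merchant hands the customer
    merchant_id: str
    txn_code: str
    amount: int                     # in cents

class Merchant:
    """Holds only its own invoices; it never learns a customer account number."""
    def __init__(self, merchant_id):
        self.merchant_id, self.open = merchant_id, {}
    def create_invoice(self, amount):
        inv = Invoice(self.merchant_id, secrets.token_hex(4), amount)
        self.open[inv.txn_code] = inv
        return inv
    def release_goods(self, bank, txn_code):
        """Hand over merchandise only once the bank reports the full amount settled."""
        inv = self.open.get(txn_code)
        if inv is None:
            return False
        return bank.settlement_for(self.merchant_id, txn_code) == inv.amount

class Bank:
    def __init__(self):
        self.balances, self.passwords = {}, {}
        self.settled = {}           # (merchant_id, txn_code) -> amount paid
        self.channels = {}          # account -> channels seen ("push" / "swipe")
    def open_account(self, acct, password, balance):
        self.balances[acct], self.passwords[acct] = balance, password
    def push_payment(self, acct, password, inv):
        """Customer-initiated payment, authorised with the customer's bank login."""
        if not secrets.compare_digest(self.passwords.get(acct, ""), password):
            raise PermissionError("bad login")
        key = (inv.merchant_id, inv.txn_code)
        if key in self.settled or self.balances[acct] < inv.amount:
            return False            # duplicate txn_code (replay) or insufficient funds
        self.balances[acct] -= inv.amount
        self.settled[key] = inv.amount
        self.channels.setdefault(acct, []).append("push")
        return True
    def settlement_for(self, merchant_id, txn_code):
        return self.settled.get((merchant_id, txn_code), 0)
    def swipe_charge(self, acct, amount):
        """Merchant-initiated card-present charge; held if this holder normally pushes."""
        seen = self.channels.setdefault(acct, [])
        if "push" in seen and "swipe" not in seen:
            return "hold_verify"    # abnormal channel: contact the cardholder first
        seen.append("swipe")
        self.balances[acct] -= amount
        return "approved"
```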

So why are we still open to card fraud?