WePay

Platform Payments 101

Your service connects buyers and sellers, and you want to learn more about payments. WePay's Platform Payments 101 is written to help you discover the realities of facilitating payments on your platform.

Chapter 4 Types of Fraud and Loss

Most fraud prevention features are designed for card-present environments. Visa, for example, has deployed a number of anti-fraud measures designed to make card reproduction extremely difficult, including holograms and embossed security characters on the face of the card. Moreover, the signature and magnetic strip on the back of the card are designed to ensure that the person using the card is the actual cardholder. Merchants are not liable for fraud when card-present transactions are properly authenticated.

Online platforms, however, typically facilitate card-not-present transactions (card payments made without physically swiping a card). On a website, buyers enter credit card data into a form – they do not hand their card to a cashier. Unfortunately, card-not-present transactions are highly susceptible to fraud and abuse, for which merchants and payment facilitators are held liable.

Chargebacks

When a cardholder disputes a charge with their bank (the “issuing bank”), the bank may reverse the payment and refund the cardholder, after an investigation. This is called a chargeback.

Cardholders are protected from the financial liability of unauthorized credit card transactions by Regulation Z of the Truth in Lending Act and unauthorized debit card transactions by Regulation E of the Electronic Fund Transfer Act. Card Associations have even broader rules with further added protections. When fraudulent transactions do occur, a well-defined chain of liability determines who is ultimately responsible for making restitution to the cardholder.

Payment facilitators must recover chargebacks from merchants who generate them, or else write off the full amount of the chargeback as a loss.

For chargebacks resulting from card-not-present transactions, the issuing bank recovers the funds from the merchant’s bank (the acquiring bank), and the acquiring bank recovers the funds from the merchant.

Since most chargebacks are received weeks or months after the original payment, it is sometimes difficult to recover the funds from the merchant. This is why acquirers are so conservative in their underwriting: an acquirer will typically research the financial stability, creditworthiness, and underlying riskiness of a business; it will implement special funding policies (such as reserves or holdbacks) to mitigate loss; and it will require personal guarantees from business owners, whom it will hold personally liable for the business’s financial obligations.

Revenue accrues as tiny percentages of transactions, while losses occur as whole transactions.

Depending on the specific contract it has signed with its acquiring bank, a payment facilitator (not its sub-merchants) may be held responsible for chargebacks. The payment facilitator, therefore, assumes responsibility for recovering funds from the end-merchants and liability for funds that cannot be recovered.

In other words, payment facilitators must recover chargebacks from merchants who generate them, or else write off the full amount of the chargeback as a loss. This is perhaps the most important fact of life for a payment facilitator: revenue accrues as tiny percentages of transactions, while losses occur as whole transactions.

The distaste for aggregation amongst acquirers is not surprising given that the risk assumed by payment facilitators is equal to the aggregate risk of its entire network of sub-merchants. The acquirer must trust the facilitator’s policies, processes, and procedures for determining and mitigating loss since it has no insight into the risk profiles of individual sub-merchants.

Payment facilitators also interact with both merchants and their customers, so they must understand the risk associated with both. The four categories of risk include:

Merchant Identity Fraud

In this scenario, a fraudster establishes a merchant account on behalf of a seemingly legitimate business, charges a number of stolen credit cards, and disappears with the proceeds before the cardholders discover and reverse the unauthorized transactions. When the payment facilitator attempts to recover the funds, the fraudster is long gone, and the payment facilitator is liable for both the loss and any additional fees or assessments associated with the chargebacks.

This happens more often than you may think. Just recently, the Federal Trade Commission uncovered a four year operation in which fraudsters established more than one-hundred merchant accounts (using the Employer Identification Numbers of real businesses) to bilk cardholders and acquirers of more than $10 million.

Everyday, fraudsters are getting better at obtaining the information necessary to assume false identities (e.g. birth certificates, government-issued IDs, credit reports). It is impossible to definitively verify the identity of an online merchant, since any information that legitimate users present to prove their identities can be obtained by an imposter. The true identity of an online merchant simply cannot be ascertained with total certainty.

It is impossible to definitively verify the identity of an online merchant, since any information that legitimate users present to prove their identities can be obtained by an imposter.

In some cases, fraudsters use “money mules” to obfuscate their illicit activities. A typical scam involves the fraudster charging stolen credit cards and settling the proceeds to a mule. The mule keeps a percentage of the money and transfers the remainder to the scam operator, typically located in another country. Mules are often unaware that these funds are the product of illicit activity. They are usually hapless victims duped by get-rich-quick schemes or promises of legitimate employment. Unfortunately, they are complicit in the scheme, and they risk both criminal and financial penalties. When cardholders dispute the unauthorized transactions, the payment facilitator attempts to recover the funds from the mules bank account. In most cases, however, the mule has already transferred the funds to the scam operator.

Merchant Credit Risk

In this scenario, a legitimate merchant defaults on its obligation to fund chargebacks. Although payment facilitators do not issue loans, they do take credit risk by settling funds within the chargeback window. The chargeback window varies by card type, but it is usually at least 90 days, and payment facilitators are ultimately liable for all payments settled to merchants within that range.

Merchant credit risk is greatest among younger, less-established, or riskier businesses. Not surprisingly, these businesses often use payment facilitators explicitly because traditional acquirers are unwilling to take their business. Unfortunately, the hesitation to underwrite these businesses is not entirely unjustified, given the higher likelihood of excessive chargebacks and bankruptcy.

A website that connects homeowners with local service providers, for example, has no control over the quality or delivery of the services provided. The platform simply cannot guarantee that the service will be delivered on time and as advertised. If, for whatever reason, the service is unacceptable and the homeowner decides to charge back the payment, the facilitator must recover the payment from the merchant or eat the cost itself.

Traditional acquirers mitigate this risk by analyzing a merchant’s processing and/or credit history, but that involves a longer underwriting process and assumes that merchants have a pre-existing processing history or credit score.

Crowdfunding platforms that allow entrepreneurs to take pre-orders are particularly susceptible to credit risk.

Crowdfunding platforms that allow entrepreneurs to take pre-orders are particularly susceptible to credit risk. If the entrepreneur fails to deliver the product on time or as advertised (e.g. manufacturing is more expensive or time consuming than anticipated, etc.), customers will likely charge back their payments.

The payment facilitator is liable for these chargebacks if they cannot recover the funds from the entrepreneur. Even though the payment facilitator is not issuing entrepreneurs a loan, per se, it is incurring risk based on the creditworthiness of that entrepreneur or his business (presumably not that great, given the fact that most companies raising money on crowdfunding platforms are startups).

In July 2012, Pebble Technology raised $10.27 million on Kickstarter to develop and manufacturing its signature smartwatch. Fortunately, Pebble successfully manufactured the product and fulfilled the orders, but had they not, Pebble would have received a flood of chargebacks from customers that never received their orders. And if Pebble could not make good on these chargebacks, the payment processor (Amazon in this case), would have been liable for over $10 million.

Processors generally frown on young companies that accept pre-orders or deposits long before they fulfill orders because the greater the amount of time between payment and fulfillment, the greater the risk that merchants fail to deliver and the larger the financial liability. It is therefore not surprising that some payment processors are simply unwilling to support the use-case.

Buyer Identity Fraud

In this scenario, a fraudulent customer uses a stolen credit card (or a card established with a stolen identity) to purchase a product from a legitimate merchant. By the time the real cardholder discovers the fraudulent charges, the fraudster already has possession of the goods.

While cardholders may not be liable for unauthorized transaction, merchants have no such protection.

While cardholders may not be liable for unauthorized transactions, merchants have no such protection. When the real cardholder inevitably reverses the payment, the merchant is out the cost of fulfilling the order, the revenue of the sale, and the fees associated with receiving the chargeback.

Payment facilitators must address merchant credit risk in this scenario, since legitimate merchants may be unwilling or unable to refund payments for valuable goods or services that have already been delivered.

Furthermore, merchants selling goods or services through online platforms typically expect the platforms to protect them from fraudulent buyers - especially platforms that play an active role in connecting buyers and sellers. Take an auction site for example: a legitimate merchant lists a valuable collectible on the site, promptly ships the item to the highest bidder, and never receives payment because the buyer was a fraud.

Although platforms can hold merchants responsible for chargebacks resulting from buyer fraud, it may not be worth it. Most online marketplaces are highly motivated to protect the quality of their networks: the moment merchants doubt the integrity of a marketplace, they will look for a safer venue in which to conduct business.

These buyer-fraudsters can be very savvy in the techniques they use to prey on merchants. Imagine a scenario where a legitimate seller is trying to rent out his apartment on Craigslist. Out of the blue, somebody calls him and says that they'll send him the rental money via a payment facilitator like WePay. The seller sets up a WePay account, and receives "the buyer's" credit card number for one month's rent. The renter then "accidentally" overpays the seller or decides that they don't want to live in the apartment anymore. They ask the seller to refund them by sending a check or wiring the money (or by any other means other than refunding the credit card). The seller sends them the refund, and a few weeks later the real cardholder disputes his fraudulent charge. WePay is forced to target the innocent apartment owner (who unknowingly charged the stolen card).

Friendly Fraud

Friendly fraud is similar to buyer identity fraud save for a few important differences. In both cases, the merchant is the victim of a fraudulent buyer, but with friendly fraud, the buyer is actually the cardholder. The cardholder duly authorizes the payment, but reverses it once they have received the product or service. The cardholder gets the goods for free, and the merchant gets stuck holding the bag.

Friendly fraud is nearly impossible to detect because the payments themselves are actually legitimate. Worse still, merchants accepting card-not-present payments really have no way to prove that cardholders authorized the payments, since they never swipe a physical card or receive a signature from the cardholders.

The protections afforded to cardholders may play a role in promoting friendly fraud. Since there is such a low barrier to disputing “unauthorized” card-not-present transactions, cardholders can sometimes simply charge back a purchase to avoid paying for it.

Like buyer identity fraud, the cost of friendly fraud is even greater than the purchase price, since merchants also invest time and effort into finding the customer, fulfilling the order, and fighting the chargeback. In fact, LexisNexis reports that on average chargebacks cost merchants 2.33 times the amount of the original purchase. The additional cost includes interest/fees paid to financial institutions and replacing/redistributing merchandise.

Download the PDF