Friendly Scammers - Know Your Merchants

Authentication is nearly ubiquitous and true card-not-present fraud should be a thing of the past.

Merchant scams and authorized transaction fraud, on the other hand, are a growing, but by no means new, problem. Authorized fraud used to be called “friendly” or “first party” fraud. We used this term because we assumed that the customer knew what they were doing, later regretted the purchase, and used the chargeback system to get their money back.

The payment schemes had no reliable statistics about the scale of the problem. Nobody truly knew how many card-not-present chargebacks were “friendly” fraud vs. justified chargebacks. I now believe that during my time in the payment industry, we did not differentiate sharply enough between actual payment fraud, malicious cardholder chargebacks and merchant scams.

On the sending side we lumped it all together under Card Not Present fraud and tried to cure it with more authentication (3-D Secure) and liability shifts.

On the receiving side (aka the merchant), we managed the problem through chargeback programs. We thought that merchants with high chargeback numbers must be doing something borderline criminal. Maybe they “trick” customers into purchases that the customer would not have made if the product or service had been presented correctly.

We used to call these merchant schemes “açaí berry schemes”. These schemes were symptomatic of the general problem. They offered free sample packages of açaí berry products and then started charging for a subscription that the customer did not realize they had agreed to. A common tactic was to "pre-tick" the checkbox for a 12-month subscription and to hide it at the bottom of the window. Customers could not cancel the subscription and resorted to chargebacks instead.

Authentication did not play a part in this because neither sender nor receiver disputed their participation in the transaction. This was not payment fraud in the true sense of the term.

The chargeback programs did not go as well as we had hoped. They did not address the root cause, which, in my opinion, was that the payment scheme participants did not know the merchants they signed up well enough. Of course, there was also the tension between business and enforcement of rules. Nobody was willing to give up entire markets by being firm with customers who brought in the all-important transaction volume. It was so much cheaper to send "risk managers" to conduct training or attend conferences, none of which made much of a difference. After all, everybody already knew exactly what they were doing and had done their own cost/benefit analysis.

There are plenty of KYC processes and authentication on the sending side of the transaction. However, on the receiving side there are so many layers between the scheme’s acquiring participants and the actual receiver of the money that it looks more like a money laundering operation (layering) than a genuine business. For most customers this becomes obvious when they try to match the merchant names on their card statement with the purchases they have made. Even if they know the merchant, it is often near impossible to contact the merchant for an inquiry or to cancel a subscription.

Today, with account compromises under control and near-ubiquitous strong authentication of sending customers, the payment industry is still facing the same problem, which has nothing to do with the security of the payment. The payment part works just fine.

In fact, I believe that a large part of so-called “payment fraud” in the past fell into the same category and wasn’t payment fraud either, but that is water under the bridge.

This means that authentication is now shifting to the receiving side. But who is actually doing the authentication and what identity is authenticated?

Since we do not deal with payment fraud, it won’t help if some obscure service provider, deeply embedded within one of the many layers, authenticates the receiving side. On the receiving side, the authenticity of merchant and financial accounts has never been in question.

Instead, authentication needs to help the customer to identify and authenticate the merchant (or receiving side in general). The key is complete transparency on the receiving side. There should be nothing on the merchant side that is confidential or inaccessible to the customer: office location, staff names and pictures, pictures of their location and office, working phone numbers, email addresses, social media accounts and so forth.

The only role the payment industry has to play here is to close accounts that violate any of the transparency rules and even to ban the players involved with such a merchant. If the payment service provider is not able to help the customer successfully contact any merchant within 24 hours, then this service provider needs to be put on notice.

Note that I do not advocate for yet another chargeback program. I am advocating for merchant transparency programs.

If a transaction or a merchant looks suspicious, then the sending service provider has to put the transaction on hold and get in touch with the customer. I am not talking about chatbots, obscure text messages and emails. I am talking about real humans with access to all merchant information getting in touch with the customer to discuss the transaction in a timely fashion that allows the transaction to continue successfully when everything checks out.

A payment provider who sends automated emails, uses completely useless chatbots, and forces customers to spend hours on the phone with service representatives who do not have enough information to help is not serious about protecting their customers.

To make my position very clear – transparency applies to the merchant side only! There should be no information about the customer that goes to the receiving payment service provider or the merchant. The only information the merchant has a right to receive is the confirmation that the money in connection with a transaction reference number has been deposited into the account of the merchant. That’s it.

Of course, even transparency is not enough. Customers should be in control of their payments, not the merchant. Subscriptions or regular payments need to be set up on the sending side, not on the receiving side. The customer should have full access to all subscriptions in one place. The customer should also be able to decide whether they want the payment to go out automatically or whether it needs to be initiated manually. Even automated payments should give the customer time to veto the payment before it is triggered. I covered this aspect in another post.
