What prevents web shop owners from misusing credit card data?

The liability for a disputed transaction falls upon the merchant for Card-Not-Present transactions. Essentially, if you dispute a transaction and the merchant doesn't have your signature, then if you persist they will end up footing the bill. By the same token, when a CNP merchant double bills you, they're going to end up paying when you dispute the bill.

As @DavidFoerster points out, the processors and card companies track chargeback rates. They eye the statistics and, when a merchant is having too many chargebacks, they get cut off. (Usually they get booted from their processor, and go find another processor who'll charge them more for the higher risk).

The same is true with stores that re-abuse cards elsewhere. The card brands look at fraud reports and determine that these 20 fraud report cards all had Bob's Web Shack in common as a past transaction. They will then investigate Bob's Web Shack - both because it might be a bad shop owner, and because it might be a shop that's compromised. And - again - if a shop is a source of problems, they'll get cut off.

That's what prevents web shop owners from abusing the cards. They'll lose any disputes, and then they'll get dropped and be unable to process cards.


If you do it on a large scale, you get found out

As with most crimes, there's really nothing that prevents you from doing it if you're determined, other than the risks and consequences of being found out. For small and rare events, it gets written off by the CC companies as a cost of doing business. For large or frequent scenarios, people get found out and they go to jail.

Common point of purchase

Analyzing fraud patterns is done seriously; a lot of talented people and financial resources go into doing it properly. All those risks are not new - before web shops were common, employees at various physical stores had the capability to do the same. For example, a restaurant waiter has access to a lot of cards and can misuse their data.

If it's a single time, then there are no patterns to be found out, but if it's ongoing then it's not that hard to automatically determine that a bunch of misused cards share a common point of purchase and then audit that location - depending on the fraud scale this may result in actions by police or simply blacklisting the company and other future companies with the same owners or management.

Furthermore, those risks are part of the reasons why it's not trivial to start a web shop where you actually get access to CC data. Often banks don't allow random small companies to accept cards online directly - they accept it with a condition that all the authorisation goes through a trusted payment gateway and your company simply gets a signed token "payment of $xxx accepted" and not the full card data. If you want to handle CC data yourself, get ready for various compliance checks.
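The common point of purchase analysis described in this answer (and in the earlier "Bob's Web Shack" example) is easy to sketch in code. The following Python is an added example, not code from any of the answers above: it takes a constructed transaction log plus the cards that later had fraud reported, and flags merchants that appear in the histories of disproportionately many reported cards, counting only transactions that happened before the report (a shop visited after the report cannot be the leak). Card IDs, merchant names, dates and thresholds are all made up for the illustration; card IDs stand for issuer-side references, never raw PANs.

```python
"""Common point of purchase (CPP) analysis: an added example, not code from the
answers above. Given a transaction log and the cards that later had fraud
reported, find merchants that show up disproportionately in the reported cards'
histories. All card IDs, merchants and dates below are constructed; card IDs
stand for issuer-side card references, never raw PANs."""
from collections import defaultdict
from datetime import date

# Constructed transaction log: (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("c1", "Bob's Web Shack", date(2024, 1, 5)),
    ("c2", "Bob's Web Shack", date(2024, 1, 6)),
    ("c3", "Bob's Web Shack", date(2024, 1, 9)),
    ("c4", "Bob's Web Shack", date(2024, 1, 12)),
    ("c5", "Bob's Web Shack", date(2024, 1, 14)),
    # A big retailer that every card in the sample has used (base-rate noise).
    *[(f"c{i}", "BigBox Retail", date(2024, 1, 20)) for i in range(1, 11)],
    ("c6", "Corner Cafe", date(2024, 2, 1)),
    ("c7", "Corner Cafe", date(2024, 2, 2)),
    ("c1", "Gas Station 42", date(2024, 2, 3)),
    ("c8", "Gas Station 42", date(2024, 2, 4)),
    # Transactions AFTER the fraud reports: they cannot be the source of the leak.
    ("c1", "Late Shop", date(2024, 3, 15)),
    ("c2", "Late Shop", date(2024, 3, 15)),
    ("c3", "Late Shop", date(2024, 3, 16)),
    ("c4", "Late Shop", date(2024, 3, 16)),
]

# Constructed fraud reports: card_id -> date the cardholder disputed a charge.
FRAUD_REPORTS = {
    "c1": date(2024, 3, 1),
    "c2": date(2024, 3, 1),
    "c3": date(2024, 3, 2),
    "c4": date(2024, 3, 2),
}


def common_point_of_purchase(transactions, fraud_reports, min_cards=3, min_lift=1.5):
    """Return merchants whose share of fraud-reported customers is at least
    `min_lift` times the base rate across all cards, with at least `min_cards`
    distinct reported cards that shopped there *before* the fraud was reported.
    Results are sorted with the strongest signal first."""
    cards_at = defaultdict(set)   # merchant -> every distinct card seen there
    hits_at = defaultdict(set)    # merchant -> reported cards seen there before the report
    for card, merchant, when in transactions:
        cards_at[merchant].add(card)
        reported_on = fraud_reports.get(card)
        if reported_on is not None and when < reported_on:
            hits_at[merchant].add(card)

    all_cards = {card for card, _, _ in transactions}
    reported_cards = all_cards & set(fraud_reports)
    if not all_cards or not reported_cards:
        return []
    base_rate = len(reported_cards) / len(all_cards)

    flagged = []
    for merchant, cards in cards_at.items():
        hits = hits_at[merchant]
        if len(hits) < min_cards:
            continue                    # one or two misused cards give no pattern
        share = len(hits) / len(cards)
        lift = share / base_rate        # how far above "everyone" this merchant sits
        if lift >= min_lift:
            flagged.append({"merchant": merchant, "reported": len(hits),
                            "total": len(cards), "share": share, "lift": lift})
    flagged.sort(key=lambda r: (-r["lift"], -r["reported"]))
    return flagged


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f'{row["merchant"]}: {row["reported"]}/{row["total"]} cards later reported '
              f'(lift {row["lift"]:.1f}x over base rate)')
```

With the constructed data only Bob's Web Shack is flagged: 4 of its 5 customers were later reported, against a base rate of 4 in 10. BigBox Retail also saw all four reported cards, but it saw every other card too, so its lift is 1.0; Gas Station 42 saw one reported card, which is exactly the "single time" case that leaves no pattern; and Late Shop saw all four reported cards only after the reports, so it is excluded. Lowering `min_lift` to 1.0 pulls BigBox Retail into the list, which is the usual tuning problem with this kind of analysis.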


To accept payments many credit card processing companies require that the code of the client be PCI compliant. I am not sure of all the rules, but I do believe that it requires someone that did not write the code to look over it. With others, such as Stripe and PayPal, the credit card data never touches the shop owner's server. In the case of Stripe, JavaScript submits it to them and then returns a token to the shop owner's server that states that they've paid, it's gone through, and can be used for refunds.

See:

https://www.controlscan.com/support-resources-qa.php

https://www.controlscan.com/support-resources-qa.php#6
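The tokenised flow described in the last two answers (card data goes from the browser to the gateway, the merchant only gets a token and a signed "payment of $xxx accepted" confirmation) can be modelled end to end. The Python below is an added example, not code from the answers and not Stripe's or any real gateway's API: the token format, the receipt fields, the HMAC-SHA256 signing and the shared secret are all constructed stand-ins. It shows what the merchant side must check before treating an order as paid: that the receipt's signature verifies, that it is bound to this order, that the amount matches the merchant's own order record rather than anything the browser sent, and that the same receipt is not replayed to fulfil a second order.

```python
"""Tokenised checkout with a signed payment receipt: an added example, not code
from the answers above and not Stripe's or any real gateway's API. Token
formats, field names and the shared HMAC secret are constructed stand-ins that
show the data flow: the card number goes browser -> gateway, the merchant only
ever receives an opaque token and a signed receipt, and the merchant must
verify that receipt before treating the order as paid."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a secret shared between the gateway and this one merchant (constructed).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _sign(payload: dict, key: bytes) -> str:
    """Serialise `payload` canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


class Gateway:
    """Stand-in for the payment processor. It holds card data; the merchant never does."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}        # token -> card data, lives only on the gateway side

    def tokenize(self, pan: str, expiry: str, cvc: str) -> str:
        """Called from the shopper's browser; returns an opaque token.
        The CVC is used for the authorisation and deliberately not stored."""
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, order_id: str, amount_cents: int, currency: str) -> str:
        """Called from the merchant's server with the token; returns a signed receipt."""
        if token not in self._vault:
            raise ValueError("unknown token")
        receipt = {"charge_id": "ch_" + secrets.token_hex(8), "order_id": order_id,
                   "amount_cents": amount_cents, "currency": currency, "status": "paid"}
        return _sign(receipt, self._key)


class Merchant:
    """Merchant server: stores orders and consumed receipts, never card numbers."""

    def __init__(self, key: bytes):
        self._key = key
        self.orders = {}        # order_id -> {"amount_cents": int, "currency": str}
        self._consumed = set()  # charge_ids already used to fulfil an order

    def accept_receipt(self, receipt: str, order_id: str):
        """Return (ok, reason). Checks signature, order binding, status, amount, replay."""
        body_b64, _, tag = receipt.rpartition(".")
        try:
            body = base64.urlsafe_b64decode(body_b64.encode())
        except ValueError:
            return False, "malformed receipt"
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"          # tampered body or wrong key
        data = json.loads(body)
        order = self.orders.get(order_id)
        if order is None or data.get("order_id") != order_id:
            return False, "receipt not for this order"
        if data.get("status") != "paid":
            return False, "not paid"
        # Compare against the merchant's own record, never an amount the browser supplied.
        if (data.get("amount_cents"), data.get("currency")) != (order["amount_cents"], order["currency"]):
            return False, "amount mismatch"
        if data["charge_id"] in self._consumed:
            return False, "replayed receipt"
        self._consumed.add(data["charge_id"])
        return True, "ok"


def tamper_amount(receipt: str, new_amount_cents: int) -> str:
    """Attacker-side helper: rewrite the amount in a receipt without knowing the key."""
    body_b64, _, tag = receipt.rpartition(".")
    data = json.loads(base64.urlsafe_b64decode(body_b64.encode()))
    data["amount_cents"] = new_amount_cents
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def checkout(gateway: Gateway, merchant: Merchant, order_id: str, pan: str) -> str:
    """The whole flow for one order; the merchant sees only the token and the receipt."""
    token = gateway.tokenize(pan, "12/29", "123")                 # browser -> gateway
    order = merchant.orders[order_id]                              # merchant's own price
    return gateway.charge(token, order_id, order["amount_cents"], order["currency"])


if __name__ == "__main__":
    g, m = Gateway(SHARED_SECRET), Merchant(SHARED_SECRET)
    m.orders["order-1"] = {"amount_cents": 4999, "currency": "USD"}
    receipt = checkout(g, m, "order-1", "4111111111111111")        # constructed test PAN
    print("genuine:", m.accept_receipt(receipt, "order-1"))
    print("replayed:", m.accept_receipt(receipt, "order-1"))
    print("tampered:", m.accept_receipt(tamper_amount(receipt, 1), "order-1"))
```

The design point is that nothing in `Merchant` ever holds a card number, which is what keeps that server out of most of the PCI scope the answer mentions; the price check is there because a merchant that lets its own JavaScript decide the amount and then trusts the gateway's "paid" status without comparing it to the order record can be made to ship a $49.99 item for a $0.01 charge.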

Tags:

Credit Card