Posted: Thursday, 9 July 2009 @ 16:45
In the past 2 weeks I have been the victim of large scale internet fraud on 2 credit cards, and so I have taken a keen interest in liability and in ways to protect against future fraud.
I have been very careful to use only on line stores who encrypt customer details, but fraudsters have still managed to obtain my credit card details including security number, as well as my address, telephone number, date of birth. This can only be a result of sophisticated hacking, or criminal activity by an employee of one of the stores. The feedback from the coalface is that there has been a huge increase in on line fraud in the last 12 months, no doubt prompted by the success of Chip and PIN. It is not only cardholders but merchants who need to protect themselves.
The first question I wanted answering was to what extent I was liable. For orders placed on line or by telephone, the answer is quite simple. These are so called CNP (cardholder not present) transactions. The burden on proving whether a card transaction has been authorised by the card holder falls on the bank that issued the credit card. If the bank cannot prove it then the customer must not lose out. The transaction must be credited back. This applies to credit and debit cards. This is straight forward for on line and telephone orders. The only possible risk for the customer is where they have been negligent in failing to report the theft of a credit card, which has then been used for telephone or internet transactions.
In most cases the bank will recover the transaction value from the merchant and charge them a fixed penalty in accordance with their terms and conditions of use. If the merchant operates additional security measures to verify a transaction, such as Lloyds TSB Clicksafe®, then the burden of loss will normally return to the bank.
What did surprise me was the number of merchants willing to allow a new account to be set up on line, and goods with a high value to be delivered immediately, to an address different to the billing address of the credit card holder. In my opinion that is an invitation to fraudsters. Normally the card holder will not lose out, but it is a huge inconvenience having a card stopped as often it can take 7 to 10 days to get a new one issued and delivered. It is also possible that the credit limit be restricted until all paperwork has been completed, and in my experience this can take at least 3 or 4 weeks. However, it is the merchants who will have to bear the loss on the transaction and chargeback penalties to the banks. This could be crippling for SME’s, and many have stopped offering on line shopping for this reason.
There is no established law that merchants have a duty of care to cardholders generally. It will take a court decision to establish such a duty, and any slipshod procedures could then be targeted as negligent. Only then could a cardholder who has been the victim of fraud, and who has suffered loss in some way, recover compensation from the merchant.
In the meantime my advice is as follows:
Cardholders
1. Use only websites that have proper security measures in place with customer data encrypted.
2. Check the merchant’s web site address.
3. Always print out the order confirmation.
4. Log out at the end of every session.
5. Delete dormant accounts.
6. Report lost or stolen cards immediately.
7. Register your cards with an on line shopping protection service such as Lloyds ClickSafe® (for Lloyds TSB customers), or Verified by Visa or MasterCard® SecureCode
8. Choose passwords carefully. Do not use family names. Use different passwords for different accounts. Change passwords frequently.
9. When out and about never let your cards out of sight. Most skimming takes place at restaurants and petrol service stations. Keep an eye out for suspicious activity.
10. Subscribe to on line banking and check your statements regularly. Look out for a small transaction which is designed to go through unnoticed, and if successful will be followed by a large scale fraud, as the merchant will then be off guard.
11. Never respond to e-mails requesting bank details, personal information, and passwords, PIN numbers or card security numbers.
12. Never give out your PIN number.
13. Never keep your PIN number with your cards.
14. Before binning shred all paper with personal details, including statements, receipts, and even junk mail addressed to you.
15. Get insurance to cover card theft and fraud as well as identity theft. This may be provided on your household insurance policy but check the terms and cover provided.
Merchants
1. Use only the most up to date and sophisticated web security utilising encryption of all customer personal data.
2. Do not accept orders by e-mail with credit card details.
3. Use an Address Verification Service.
4. Obtain the Card Security Code from the customer.
5. Check the Industry Hot Card file
6. Check all details with the issuing bank.
7. Never ship goods on a first order to an address different from the card holder’s card billing address.
8. If in doubt write to the card holder’s billing address quoting a unique code and suspend any order until the card holder has responded quoting the code.
9. Sign up to the available verification schemes offered by the banks, such as Lloyds ClickSafe, Verified by Visa, or MasterCard SecureCode as these will provide an additional layer of security and should in most cases protect you from chargebacks.
For advice on liability for credit card fraud and dispute resolution contact:
Nigel Musgrove
Business and Litigation Solicitor
For free advice on this topic please call us on 0845 003 5639.
This blog is not intended to constitute legal advice, nor is it intended to be a complete and authoritative statement of the law, and what we say might be out of date by the time you read it. You should always seek legal advice to confirm whether or how any information in this article applies to your particular situation. We offer a
free telephone consultation to discuss your particular circumstances.