In this post I will protect some of the names/information of the people and businesses involved for obvious reasons, and ONLY the innocent were protected. But rest assured your credit card company is screwing everyone, including you!
On January 1st 2014 an ecommerce store received and order for $120.19 (which is about average). This payment processed through Authorize.net without any filter problems, errors or issues.
Later on January 1st 2014 the same store received another order from the same user without issue for $179.31. This is also not unusual and the merchant set out to contact them and let them know that they would be combining their orders to save money for them on shipping.
After several emails and phone calls in which the merchant left messages about combining the orders…. the customer did not respond.
On January 5th 2014 the same store received a $171.74 order from the same user, again without issue. At this point the merchant attempted to contact the customer more than 10 times via email and 2 different provided phone numbers in the orders… all to no avail.
At this point the merchant contacted Authorize.net for advice. Authorize.net advised the merchant that there was nothing they could do and the merchant should consider cancelling the orders after 24hrs if they do not hear from the customer.
On Jan 5th the merchant cancelled the orders and refunded all 3 transactions to the shopper.
On January 7th the same store received a $1,089.34 order from the same customer and again no fraud filters were set off by the transaction. The merchant began searching Google and DNS records for more information on the customer and found:
- The customer is a real live person and both the shipping and billing addresses used are listed as their winter/summer home addresses.
- The customer’s name, phone numbers and other information is also spot on correct.
- The customer is elderly.
- The customer uses Road Runner Internet Services and does NOT have a dedicated IP address (so we cannot just block the customer for the merchant)
On January 8th the same store received another order from the same customer without issue for $926.92.
On January 13th the same store received another order from the same customer for $844.76, again without setting off even the slightest fraud filter.
On January 13 the merchant had voided/refunded all of the orders and set out to report this to Visa or whomever as fraud. To hopefully help protect the customer’s credit and identity.
Here is where the story will make you want to cut up your credit cards!
Step one was to contact Authorize.net who instructed their was nothing they could do. They additionally provided no other information.
Next the merchant set out searching on Google for things like “Report fraud to Visa”. The searches helped the merchant find Visa’s fraud information (http://usa.visa.com/merchants/merchant-resources/report-card-fraud.html) which is useless and the list to the acquirer list is broken even. Then a few more searches located a helpful blog which instructed them that a “Code 10” was what they needed to do. A Code 10 is used to provide authorization to verify additional information on a suspicious transaction.
So the merchant contacted their merchant services bank to “do a Code 10”. The merchant’s provider is Bank of America. Bank of America merchant services instructed the merchant that they could not help and transferred them to the “Loss & Fraud” department.
The Loss & Fraud department said there was no way they could do anything as the merchant (per PCI/DSS requirements) had only the credit card’s last 4 numbers.
The merchant hung up and called Bank of America Merchant Services back. This time they told the CSR that the loss department was the wrong department and insisted they needed help to report this fraudulent activity on this woman’s card. The CSR responded that unfortunately the tools and abilities they have, “haven’t yet caught up to the PCI/DSS Standards” and their was NOTHING they could do. This CSR then hung up…. or the call was miraculously dropped right after he finished saying their was “NOTHING they could do”.
The merchant, now pissed, called Bank of America Merchant Services back and demanded to speak to a supervisor. The young female CSR responded, “okay, but can I try to help you first”….. ahhh progress!
The merchant and the female CSR went through about 10 minutes of verifications including batch transaction data and then she put the merchant on hold and went to speak with her supervisor.
Upon returning to the call she instructed the merchant that she could now release the full credit card number and the customer’s bank contact information.
The merchant then called Bank Fia Card Services and began what turned out to be even less reassuring as the process had been thus far!
A female CSR at Bank Fia Card Services said “there is nothing we can do”.
The merchant insisted, demanded even that she do something… so she went to speak to her supervisor.
Upon returning, (10 minutes later) she still insisted there was nothing they could do, but offered to have their fraud team “peak” at the card holders account soon. She also inquired to the merchant if their was some reason they didn’t want Ms. Cardholder’s business. The merchant responded, business yes… fraud not so much.
At this point the merchant, thinking about this elderly lady whose credit card is clearly compromised, used a very direct and offensive move. The merchant said, “fine, then I want to report this card holder for placing fraudulent transactions at my business”. The Bank Fia Card Services CSR responded….. “uuuuum…, ugh, hang on, ugh… please hold”. Nice huh?
When the Bank Fia Card Services CSR returned to the line she said, “we have looked at Ms. Cardholder’s account and placed a fraud alert on it, she will not be able to use this card until she contacts us”.
FINALLY… what a bunch of crap! A merchant may know your card has been compromised and cannot even report it! You are NOT safe as card holders and the banks don’t give a rat’s ass about you, your identity or anything else for that matter! This merchant went above and beyond to help protect this card holder…. but you can bet that many would not and moreover most do not have 3 hours to dedicate to something like this. You should also know that the merchant is out about $500 in stock ordered for the first few orders, that they will not recover…. Just a $500 loss and the ability to sleep at night is all the merchant gets!