In this post I will protect some of the names/information of the people and businesses involved for obvious reasons, and ONLY the innocent were protected. But rest assured your credit card company is screwing everyone, including you!
On January 1st 2014 an ecommerce store received an order for $120.19 (which is about average). This payment processed through Authorize.net without any filter problems, errors or issues.
Later on January 1st 2014 the same store received another order from the same user without issue for $179.31. This is also not unusual and the merchant set out to contact them and let them know that they would be combining their orders to save money for them on shipping.
After several emails and phone calls in which the merchant left messages about combining the orders, the customer did not respond.
On January 5th 2014 the same store received a $171.74 order from the same user, again without issue. At this point the merchant attempted to contact the customer more than 10 times via email and the 2 different phone numbers provided in the orders, all to no avail.
At this point the merchant contacted Authorize.net for advice. Authorize.net advised the merchant that there was nothing they could do and the merchant should consider cancelling the orders after 24hrs if they do not hear from the customer.
On Jan 5th the merchant cancelled the orders and refunded all 3 transactions to the shopper.
On January 7th the same store received a $1,089.34 order from the same customer and again no fraud filters were set off by the transaction. The merchant began searching Google and DNS records for more information on the customer and found:
- The customer is a real live person and both the shipping and billing addresses used are listed as their winter/summer home addresses.
- The customer’s name, phone numbers and other information are also spot-on correct.
- The customer is elderly.
- The customer uses Road Runner Internet Services and does NOT have a dedicated IP address (so we cannot just block the customer for the merchant).
On January 8th the same store received another order from the same customer without issue for $926.92.
On January 13th the same store received another order from the same customer for $844.76, again without setting off even the slightest fraud filter.
On January 13 the merchant had voided/refunded all of the orders and set out to report this to Visa or whomever as fraud, to hopefully help protect the customer’s credit and identity.
Here is where the story will make you want to cut up your credit cards!
Step one was to contact Authorize.net, who said there was nothing they could do. They provided no other information.
Next the merchant set out searching on Google for things like “Report fraud to Visa”. The searches helped the merchant find Visa’s fraud information (http://usa.visa.com/merchants/merchant-resources/report-card-fraud.html), which is useless, and even the link to the acquirer list is broken. Then a few more searches located a helpful blog which instructed them that a “Code 10” was what they needed to do. A Code 10 is used to provide authorization to verify additional information on a suspicious transaction.
So the merchant contacted their merchant services bank to “do a Code 10”. The merchant’s provider is Bank of America. Bank of America merchant services instructed the merchant that they could not help and transferred them to the “Loss & Fraud” department.
The Loss & Fraud department said there was no way they could do anything as the merchant (per PCI/DSS requireme