Visa is starting to crack down on Internet merchants. The move threatens the ability of all small web businesses to take credit cards.
The first step in the crackdown occurred out of sight – Visa had processors start identifying “card not present” transactions as Internet or telephone in May.
This allowed it to get real numbers on something it reported in February, namely that while overall fraud is down to 6 cents per $100 in transactions, it’s 15 to 20 cents in “card not present” environments and “the Internet-related part of that is typically higher.”
That last part is the kind of vague statement you don’t usually hear from accountants. The fact is, Visa didn’t really know what its Internet fraud numbers were because they were lumped in with mail order and telephone transactions. With the May changes, it can soon be more precise.
The next step is aimed at your server. Welcome to the world of “Visa regs.” These are things you have to do in order to be a “player” in the world of transaction processing.
The two main requirements should be common sense: You have to encrypt transaction data, both where it is accessible from the Internet and when it goes to your transaction processor, and you have to keep your antivirus software up to date.
You’ll also need to start changing passwords regularly, assign a unique ID to each person with access to your transaction records and track who accesses the data by that ID, prove that you’ve tested security regularly, and report any suspected loss of cardholder data promptly.
The “whip hand” in all this will have to be held by your processor. Particular pressure will be placed on Paymentech, which dominates the Internet payments space. But work will also have to be done by commerce service providers like CyberSource and ICOMS. A lot of that work, however, will require getting into your systems to verify you’re doing things according to the regulations.
I’m already hearing complaints from small web merchants who smell a conspiracy. “The problem is that customers call their banks, deny accessing our service, write documents that claim they have canceled or actually spoke with someone in my customer service department (lies), and sign their names to this garbage,” wrote one. “The banks then hit me with a chargeback, with the reason code indicating ‘fraudulent transaction’! It’s enough to drive you crazy.” Chargebacks are the reversed transactions you get when someone returns merchandise or (as in this case) makes a claim that he or she never got it.
When I moderated a panel on transaction fraud at ISPCon in May, I heard many similar stories, especially from those merchants doing business in other countries.
Unfortunately, if the processors call you “high risk,” there’s not a lot you can do about it. When a bank processes your credit card transactions, it’s actually making an unsecured loan to you. You get your money long before the consumer pays his or her credit card bill. You can’t force a bank to do business with you (except in cases of rank discrimination), and the banks want to cut chargebacks.
If you think there’s a way out because I mentioned only Visa here, think again. MasterCard has implemented nearly identical rules (on a similar timetable), and American Express has already begun throwing out merchants with high chargebacks.