In part I of this two-part series, we will discuss the growing issue of credit card fraud for card issuers, card holders, and merchants, including how card data is being obtained and used by today's advanced attackers.
Who bears the cost?
Credit card fraud has been an ongoing problem for online merchants for many years now. When ordinary users shop online, credit card purchases are indemnified by the card issuer, meaning the individual card users are not responsible for fraudulent charges made on their card as long as the user reports those charges in a timely manner, typically within one billing period. In fact, US Law limits cardholders’ liability to $50.
Due to the popularity of online shopping, card issuers have well-established programs to communicate card holder liability. What is less commonly known is that when a criminal completes a successful online purchase, and the card issuer later reverses the charge, the merchant is often responsible for the loss. Most merchants have resigned themselves to writing off this fraud as a cost of doing business online. However, loss from stolen cards can place a significant financial drain on merchants who may only make a small markup on goods. In particular, fraud loss is especially high for goods that are easily fenced or resold on Craigslist/eBay.