The number of consumers falling victim to fraud has steadily increased over the last decade.
However, despite the warnings, most consumers assume that, should they be affected, their losses will be covered. Unfortunately, the picture is not as simple as it seems.
While banks do pick up some of the tab for credit card fraud, merchants do too. And, eventually, that trickles down to — you guessed it — you and me.
The cost to merchants
U.S. cardholders have the assurance that, by law, their liability for credit card theft is limited to $50 for stolen physical credit cards, as long as the fraudulent transactions made with the cards are reported within 60 days of receiving the credit card statement. (Most card issuers don’t even charge that amount, but simply remove the charges.) If the credit card information itself is compromised through, say, an online security breach, cardholders have zero liability.
Most consumers know that their card issuer absorbs their loss. However, few are aware that banks are not alone in taking the hit, say experts. Depending on the nature of the crime, part or all of that loss is passed on to the merchants who accepted the stolen card.
“More often than not it’s the merchant that ends up paying for fraud losses,” says Brian Krebs, a former Washington Post reporter, who now works as an independent investigative journalist and runs the blog, Krebs on Security. “The bank will eat the fraud in limited cases if it can be shown that it wasn’t the merchant’s fault. However, that’s hard to do.”
When merchants follow all standard practices for a safe transaction, Krebs says, the card issuing bank bears the loss. If not, the merchant is required to cover the fraud loss and any associated fees.
Needless to say, liability issues around credit card fraud losses are a sore point for retailers. At the heart of the issue are the PCI Data Security Standards (PCI DSS).
The PCI standards involve more than 200 security requirements, which are intended to deter hackers from breaking into computer systems to steal stored credit card information.
The National Retail Federation has long taken issue with the standards, arguing that they are too onerous and confusing for retailers to follow.
“PCI is little more than an elaborate patch,” said David Hogan, Senior Vice President and Chief Information Officer at the National Retail Federation in a Congressional testimony in 2009. “While PCI can reduce some fraud — at extraordinary cost — it is not nearly as effective as a redesign of the card processes themselves.”
It doesn’t help that PCI DSS is managed by an independent group, the PCI Security Standards Council, which was created by the major credit card companies, Visa, MasterCard, American Express and Discover.
How much is at stake for retailers? According to a 2010 study by LexisNexis Risk Solutions, fraud losses cost retailers more than $139 billion in 2009. Most of those losses were from identity theft-related fraud and so-called ‘friendly fraud,’ in which a consumer purchases an item (typically online) and then claims he or she didn’t receive the item and requests a charge-back on their credit card.
While fraud losses did decrease in 2009, the greatest number of fraudulent transactions were suffered by merchants who accepted mobile payments (which are expected to become increasingly common going forward). In addition, actual fraud-related costs are much higher than the direct costs. Adding the costs associated with replacing lost or stolen merchandise and other costs, the true cost of retail fraud is more than $310 for every $100 in fraudulent transactions, according to the LexisNexis report.
“Fraud continues to be a $100 billion problem for retail merchants,” said Jim Rice, director of Market Planning for Retail and E-Commerce Markets at LexisNexis Risk Solutions in a press release. “While the total cost of fraud has gone down since last year, retailers still lose more than three dollars for every one dollar lost due to a fraudulent transaction, and online or mobile fraud is a growing threat.”
Costs passed on to consumers
Not surprisingly, faced with losses of that magnitude, merchants tend to pass on fraud-related losses to consumers in the form of higher prices.
“Consumers generally pay for fraud ultimately,” says Krebs. An estimated 2 to 4 cents per dollar is built into the cost of everything you buy to cover fraud costs.”
Add that amount to the controversial credit card interchange fees that merchants already pass on to consumers in the form of higher prices, and some might argue that using plastic ends up being rather pricey indeed.
Critics argue that the current U.S. credit card system, which is based on magnetic stripe technology, makes U.S. consumers and merchants unnecessarily vulnerable to credit card fraud. In contrast, the EMV (chip-and-PIN) credit card technology used in Europe, Canada and Asia has been shown to dramatically reduce the risk of fraud, say experts.
Luckily, the prospects for EMV technology on this side of the Atlantic recently received a significant boost. Visa announced last week that it is taking steps to accelerate the migration of chip-and-PIN credit cards to the United States.