The New York Times has an interesting editorial running today by Joseph Nocera, about solving the identity theft problem. Nocera proposes making the banking industry completely responsible for identity fraud, the same way Senator William Proxmire held them accountable for credit card fraud in the early 1970s. From the article:
"When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."
We've written about Schneier before. He is the author of several books about security, and takes a very pragmatic approach. In a recent post on his blog, he talks about the lack of responsibility the data warehouses take for their information links.
We're also starting to work with merchant account providers, and frankly, I'm quite appalled at the careless disregard the big processing services and credit card companies have towards credit card fraud.
Let's separate credit card fraud from identity theft for this discussion. Identity theft involves stealing your identity and using it to commit crimes, get around immigration laws, or generally hide the true identity of somebody. While that's a definite problem, especially if it's your identity that's been stolen, it's a different problem than the more simple credit card theft and fraud.
For any given credit card transaction, there are three groups of people involved:
- The consumer, who uses a credit card to make a purchase
- All of the middlemen who facilitate the process of moving money from the consumer's account to the merchant's account.
- The merchant, who sells the goods and receives payment from their processing service, and
Now, everybody's talking about the risk to the consumer of doing online purchases, and all of these recent information leaks are scaring people from using or having credit cards. But consumers really don't have any risk here at all, thanks to Senator Proxmire thirty years ago--if you use a credit card, you're not liable for more than $50 of any fraudulent activity on your account. We have strong protection for consumers, and this protection is completely effective today for consumers faced with credit card fraud.
In the current situation, the financial industry isn't affected much, either. When a consumer complains about fraudulent activity on their credit card, the processing service simply takes the money back from the merchant account at the other end of the particular transaction. On top of that, they charge the merchant a fee for processing the transaction reversal. And they probably charged the merchant a higher rate for the original charge, if there was anything fishy about the transaction. Furthermore, the more fraud that happens with a particular class of credit cards, the more justification the processing services have for charging a higher rate to cover the "costs" of the fraud.
In other words, each incident of credit card fraud actually generates additional revenue for the processing services!
Who pays? The merchant. Merchants sign up for credit card processing services because in most cases, businesses that start accepting credit cards typically see a ten to twenty percent increase in sales. But this additional sales comes with costs. There's a monthly fee for the service. You have to buy or lease the card swiping boxes. Each transaction costs 18 to 30 cents, depending on the plan. And then the account provider deducts anywhere from 1.8% to nearly 4% out of the total sales price as a commission.
Think you're getting a good deal on a processing service? Better look closer at that monthly statement. Quite often any advertised low processing rates a bank used to sell their service are added to cryptic fees and other sleazy ways they pad the bill so that their cut becomes bigger than it looks. It's surprising they can get away with such blatently dishonest practices.
Charges on a merchant account statement are broken into "qualifying" and "non-qualifying" rates. Qualifying transactions get the lowest rate, while non-qualifying transactions often cost twice as much. All sorts of things can make any particular transaction non-qualifying: the card swipe isn't read correctly so the merchant punches the number in manually; the consumer uses a business card at a merchant that is classified as more of a consumer account; the consumer adds more than 25% onto the bill as a tip.
And when these non-qualifying transactions turn out to be fraudulent, the entire transaction is reversed--the credit card processer withdraws the entire amount from the merchant's checking account, and charges a handling fee. Much like what happens when a check bounces.
Credit cards are great for consumers, but becoming more and more of a risk for merchants. Unless something is done to place the responsibility for credit card fraud more squarely on the financial services industry, we're likely to see more stores that no longer accept credit cards, the same way most have stopped accepting checks, for exactly the same reason.
Add new comment