The history of battling fraud within rules set by the card networks has been a somber one for merchants. And the picture isn’t likely to brighten any time soon.
It used to be when a merchant got an authorization—an approval from a card-issuing bank resulting from a request by the merchant—the merchant got paid. Not any more!
After squeezing as much money as possible out of merchants by charging them excessive, supra-competitive interchange fees and shifting most of the burden of network overhead from issuers to merchants, it evidently occurred to the networks (some of which are issuers themselves) that helping issuers get rid of one of their biggest costs, fraud losses, was virgin territory.
Most of us recall the days when merchants could legitimately expect to be paid when they received a positive response to an online payment-authorization request—or, before that, a positive response to a phone call to the issuer. All the merchant had to do was to simply check the hot-card list to make sure the name on the prospective buyer’s card was not on the list.
Things got better when all transactions were authorized online, guaranteeing that every transaction—big or small—got checked by the issuer prior to authorization or denial. The prevailing wisdom was that the issuer is in the best position to make an informed decision on whether or not to authorize the transaction. So, in the event of fraud, the issuer ate the loss.
One exception was mail-order/telephone-order purchases, in which the merchant actually sold goods by mail or by phone to its customers. For these so-called MOTO purchases, the merchant was required by the card schemes to pay higher interchange and accept the risk that the cardholder wouldn’t pay.
While there may have been some logic to this, it’s hard to see any justification for charging the merchant a higher rate when the merchant was taking the risk of not being paid!
Over time, MOTO transactions were replaced by Internet transactions. Unfortunately for Internet merchants, the old MOTO paradigm—higher interchange coupled with accepting the risk of not being paid—was transferred to Internet transactions. No doubt, issuers rejoice as more and more purchases occur on the Internet. They get paid more for doing less!
Another development, PCI, came into play in the early 2000s. According to its Web site, “The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate, and assist with the understanding of, security standards for payment account security.”
In reality, PCI does not function as a forum for the industry to come together. Instead, it is a closed body through which the global card schemes exercise complete dominion. The same is true of EMVCo, for that matter. Most of the “industry” is excluded from voting on the pseudo-standards published by EMVCo and PCI. Only the global schemes get to vote.
Merchants, consumer representatives, regulators and other “industry” stakeholders can pay handsomely to come and voice their grievances, but they can also be ignored or summarily dismissed. Blatantly, many of the networks are also issuers, which provides them with every motivation to shift fraud, and the costs of preventing fraud, from the issuers to the merchants.
A Bum’s Rush
Contrary to conventional (though somewhat contrived) wisdom, the coming of EMV to the United States actually hurt rather than helped merchants with respect to fraud-related expenses. Although merchants were required to pay for most of the costs to move to EMV, issuers received almost all of the benefits.
EMV has undeniably reduced the losses associated with counterfeit fraud, but that cost was largely being borne by the issuers, not the merchants. The rushed EMV timelines in the United States (for example, four years compared to nine years in Canada) predictably—and likely intentionally—led to merchants getting stuck with fraud through an associated liability shift.
This shift occurred when issuers converted to EMV cards but merchants had not yet converted to EMV at the point of sale. While it sounded reasonable, it was not. The costs and complexities for U.S. issuers to move to EMV pale in comparison to the costs and complexities borne by merchants.
This bum’s rush has been the bane of merchants, but it was exacerbated by a chargeback fest that created a huge windfall for both the issuers and the card schemes. The issuers were able to transfer to the merchants one of their biggest costs of operation, that is, fraud, while the schemes collected fees to process the deluge of chargebacks.
Overnight, a completely new industry was created to help merchants cope with the chargebacks, which the merchants again, of course, had to pay for.
Finally, unsuspecting merchants were shocked to discover (even after they thought they were EMV-compatible) that the testing and certification process was faulty, leaving them liable to nit-picking issuers that could lean on liberal chargeback rules to dump even more chargebacks on merchants.
More recently, the two major global card schemes unveiled plans to overhaul their chargeback platforms. As usual, scheme spokespeople hail their plans as adding efficiency, customer service, and merchant economies to the payments ecosystem.
Frankly, we are suspicious that the final result of this latest move will be a continuation of the pattern of history in which merchants pay more, issuers pay less, and schemes benefit by having created another revenue stream.
—Mark Horwedel is strategic consultant at CMSPI.