Cavete vendit

Posted: July 27, 2014 by Bill Cunningham in Legal, Money, Operations, Startup, Technology

bill-cunninghamCaveat emptor, which means “beware the buyer,” resonates with anyone who buys goods or services on the web. The credit card industry has created a safety net where we feel that providing our credit card information for web purchases is probably safer than giving a credit card to an unscrupulous waitress or bartender.

However, as a merchant that sells over the web, the words “Cavete vendit” should ring clear in your mind meaning “Seller beware.” Merchants carry a tremendous of risk in taking credit cards and you need to plan accordingly.

I experienced a frustrating run with a credit card scammer and learned how vulnerable merchants are in the process. The experience also showed us where the gaps were in our security and gave us pause as to why we hadn’t taken these measures in the first place.

Our scammer had stolen various credit cards and placed orders online with our website.  First of all,  we were excited that our Google AdWords campaign generated four orders on Monday and then twelve more on Tuesday. All of the orders passed through the credit card system without a problem. However, most of our customers do not order that often and certainly not in the amounts that this customer had ordered. We dug into the credit card reports and found that they were using many cards from various states. They all had the correct address, but it was unusual for someone to have a credit card with a  billing address in Massachusetts, Wisconsin and Texas at the same time.

We contacted our credit card processor, and they recommended refunding all the money immediately prior to having chargebacks filed against us. Chargebacks automatically take money out of your bank account and are held in escrow until the issue has been settled.  By the way, the merchant pays a $30 fee for the chargeback, even if the merchant has done everything correctly. In our situation, since it was fairly obvious that all the transactions were fraudulent, we agreed to the refunds to avoid the chargebacks. Unfortunately, eight of these orders for shipping goods had already been picked up. We were able to stop them and have them returned to the original sender, but we ended up paying the shipping for both ways — a significant hardship for small businesses.

Here’s what we could have done better. When we implemented the credit card software, we did not check to make sure all the security features were enabled — features like matching the billing zip code or verifying the security code that could have rejected some of the cards. We worked with our credit card provider to add their IspyFraud™ software that helps us find patterns of credit card abuse. For a very small fee ($1/month plus a penny per transaction,) we can now be alerted to potential fraudulent use of our services. Lastly, we tested all the security features by “buying product from ourselves.”  We put in incorrect security codes, zip codes, expiration dates to test the system. We plan to do that monthly just insuring that the system is in working order.

As consumers, we have become very comfortable using our credit cards for online purchases. The credit card companies make us feel secure that if a card is stolen, you will not be liable.  This is not the case with merchants, and is the exact opposite. You, as a merchant, are completely liable for the transaction. Even if the card is approved using the most secure software features, if it is found to be fraudulent later, you will have to return the money. When you read your merchant agreement, there is usually one last warning that states the merchant would be liable for any chargeback in “any other situation in which a transaction has been charged back to us in accordance with the chargeback rules established by the Card Association.” The translation to this legalese is “the merchant holds all the liability.”


For more information, here’s a great article on merchant liability:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s