Online credit card fraud against small businesses

Kate Charlton and Natalie Taylor
ISBN 0 642 53846 8 ; ISSN 1326-6004
Canberra: Australian Institute of Criminology: 2004
(Research and public policy series, no. 60)

Section 1 : Introduction

Why the need for this report?

In recent years, the online computing environment has afforded exciting new opportunities to buy and sell goods and services for both businesses and individuals. At the end of 2003, there were 4.5 million household subscribers and 696,000 business/government subscribers to the internet in Australia (ABS 2004). Moreover, the number of credit card transactions processed in Australia increased from 42.9 million in 1999 to 85.6 million in 2003 (Australian Payments Clearing Association 2003). In the United Kingdom, the number of people making internet card payments (using a credit or debit card) increased 50 per cent between 2002 and 2003, to 18 million (APACS 2004). This growing customer use of the internet and credit cards has provided businesses with the chance to expand their customer bases, provide quicker and more efficient service and reduce overheads.

With such a dramatic uptake of online trading, however, have come increased risks of online credit card fraud (Smith & Urbas 2001). In particular, businesses that trade online are more vulnerable than ever before to the risk of credit card fraud and associated losses. However, for online traders, not only do the risks of fraud increase, but their liability also increases. Because online transactions are of a 'card not present' nature, financial institutions are reluctant to cover such losses, thus the burden falls on the trader (Gibbons 2001; Lang 1999; Parliament of Victoria 2002). However, no serious attempt has yet been made to quantify, within clearly defined parameters, the nature and extent of online credit card fraud against businesses (particularly small businesses). The present report is intended to fill this gap.

Why are businesses that trade online at risk of online fraud?

The anonymous nature of online transactions can make the trading environment vulnerable to credit card fraud (Attorney-General's Department & OSCA 2000; Gibbons 2001; Shankar & Walker 2001). This type of crime is easily facilitated by the lack of any personal contact between the retailer and customer (Gibbons 2001; Smith 1999; Westpac 2000) during an online transaction. In an attempt to entice customers to trade online, the practice of protecting customers from being held financially responsible for fraudulent use of their credit card has been favoured. Assuming the transaction was reported as fraudulent to the customer's financial institution and it has been agreed that the customer did not contribute to the losses (Abru 2000), financial institutions do not generally hold customers liable. This has understandably occurred in order to encourage consumers to purchase goods online and to have confidence that they will not be held liable for fraud.

Fraudulent transactions, however, have to be paid for by someone. In the physical environment there are three standard procedures that can protect retailers to some degree:

• the customer's signature can be matched to the signature on the card;
• the card is swiped through an EFTPOS terminal meaning that the card is physically present (evidence of the purchase); and
• an authorisation code is automatically obtained from the customer's financial institution where approval for the purchase means that sufficient funds are available in the customer's account and the card has not been reported as lost or stolen.

These three processes together provide the business with a degree of protection. Fraudulent purchases that arise from this process are generally not considered the responsibility of the retailer (Gibbons 2001).

In the case of online transactions there is no signature and the actual card is not sighted or swiped through a terminal. Generally, all that the customer provides over the internet is the credit card number and expiry date. While an authorisation code may still be sought and obtained by the trader through a web link-up using a bank-operated internet payment authorisation service, this authorisation simply means that the card is still 'active' and has sufficient funds to cover the purchase. It does not confirm the identity of the customer or that the customer is the owner of the card (Westpac 2000).

What happens when online fraud occurs?

Financial institutions are unwilling to accept the additional risks associated with online credit card fraud. This means that the losses associated with fraudulent online purchases are borne by online traders who accept payment for goods online (Gibbons 2001; Lang 1999; Parliament of Victoria 2002). When a cardholder claims that a purchase was fraudulent and not undertaken by them or an authorised party, their financial institution generally takes them at their word and the retailer is required to submit to a chargeback (a refund of the price of the goods from their bank account to the cardholder's) even though they do not receive the goods back in return. The only recourse for online traders who receive a chargeback is to try and pursue the matter privately with the customer - a difficult, costly and time-consuming process.

How widespread is online credit card fraud?

Although some research has been conducted in relation to online credit card fraud against businesses, it is sparse, contradictory and often methodologically flawed. In particular, there are two key pieces of information needed to determine risks or prevalence of online credit card fraud:

• the number of businesses trading online within a particular business type; and
• the number of online traders within that type who have experienced fraud.

There have not yet been any studies internationally or within Australia examining this issue through sampling businesses randomly from a known sampling frame that would allow for reliable estimates to be derived. Figures that have been published may be estimates of the proportion of online transactions which are fraudulent and these are usually provided without an explanation of their source or its reliability (Abru 1999; Attorney-General's Department & OSCA 2000; Shankar & Walker 2001). Other figures may have been derived from empirical sources, but sampling frames and methods vary considerably and few sample randomly from defined populations (Cybersource 2003; Experian 2001).

In summary, sources estimate online credit card fraud at between five and 25 per cent of all internet transactions (Abru 1999; Attorney-General's Department & OSCA 2000; Cybersource 2003). Although risk factors for fraud have not been widely investigated, it has been suggested that since fraudsters are likely to provide incorrect details relating to the name, billing address or delivery address of the cardholder, businesses that do not undertake confirmation of this information are at an increased risk (Experian 2001). Online traders overseas have been surveyed with respect to their fraud prevention efforts and it has been found that 55 per cent of online traders in the UK employ various manual screening techniques (Experian 2001) and 71 per cent confirm address details using the formal address verification service in the United States (Cybersource 2002).

Why do we need to identify the levels of risk of online fraud?

Knowledge relating to the prevalence and risks of online credit card fraud will allow businesses to make informed decisions about whether or not to trade online. Such knowledge can also feed into policy by providing a solid empirical evidence base about how widespread fraud might be, what percentage of online traders are at risk and the potential extent of losses. Without such knowledge it is difficult to determine how much attention and/or funding should be allocated to the prevention of online credit card fraud, or which types of online trader need to be targeted for added protection.

The aims of the empirical study

The central research questions in the present study were:

1. How many (and what proportion) of each type of business currently accept payment for goods over the internet?
2. How many (and what proportion) of online retailers in each business type experienced at least one incident of online credit card fraud during (a) 2002, (b) 2001 and (c) since trading online?
3. What are the financial losses suffered by retailers as a result of online credit card fraud in Australia?
4. How many incidents of online credit card fraud are reported to police in Australia?
5. What factors influence the business to decide to sell goods online?
6. What are some of the risk factors associated with online credit card fraud?
7. How many (and what proportion) of retailers are aware that losses associated with online credit card fraud are borne by online retailers?
8. On average, how long does it take for online credit card fraud victims to be advised of an incident of online fraud?
9. To what extent do retailers employ preventive measures to reduce the likelihood of online credit card fraud and what types of preventive measures do they use?
10. What are retailers' perceptions of online retailing, financial institutions and online credit card fraud?