The Buck Stops. . . Where?

10 January 2001
Who is ultimately responsible for guaranteeing the security of consumer information and for assuring the integrity of credit card transaction data presented during the processing of an online sale?

Is it the customer? Is it the online merchant? Is it the transaction processor? It's a tough question to answer quickly and concisely--and yet it's a very important issue and one that must be carefully considered by all online gaming companies doing business today. Because oftentimes in the confusing new world of online commerce, and especially in the Internet gaming industry, it can seem as though each of these different participants in a transaction are standing in a figurative circle - looking around, scratching their heads, and defiantly pointing their finger somewhere else.

Moreover, the standards and practices that are becoming common in the industry are effectively putting Internet businesses between the proverbial rock and a hard place. The issuing banks are increasingly implementing "zero liability" policies for all of their customers' online charges, and the acquiring banks are more and more adopting "zero tolerance" policies for their online merchants with regard to chargebacks and even the slightest appearance of fraud.

So where should the buck stop, so to speak? The truth is that each of these players in the process has a unique role, each has unique ways that they can contribute and each should be shouldering at least some of the responsibility - so that at each stage of the process the highest levels of privacy and security are established and guaranteed.

First, although they are not free of any of the responsibility, clearly the burden should fall least on the consumer. They, of course, must be made fully aware of all of the very real and assorted risks involved in online transactions. They must, in turn, take the necessary precautions to make sure that their card and all relevant information is kept safely in their possession at all times and that they don't give out any of this information unless they are sure it is safe to do so - and they know exactly who they are giving it to.

That means that the transaction processor and the online merchant, working in tandem, must in the end take it upon themselves to bear the heaviest burden. Indeed, credit card information and related customer transaction data should be regarded as a joint fiduciary responsibility of both the merchant and the processor - and handled accordingly.

Given that neither the card nor the cardholder is present at the point of sale, online gaming transactions have a higher incidence of fraud associated with them than traditional retail transactions. Since the card is not present, many of the fraud detection and prevention devices built into credit cards cannot be used for these transactions, thus creating a greater need for Internet gaming companies to exercise care and to follow good risk control procedures when accepting credit cards as a means of payment.

The two most simple and effective means of meeting this unique responsibility are making sure that the processor utilizes a state-of-the-art Address Verification Service (AVS), and that the billing information that appears on the customers' credit card statements is instantly identifiable.

The Address Verification Service (AVS) is a risk management tool that provides important additional information about each transaction that is attempted. It was designed specifically for online, mail order and telephone order merchants to help them minimize the risks that are inherent in these types of non-face-to-face transactions. Using AVS allows an online merchant to verify the cardholder's billing address with the card issuer at the same time that an authorization is requested. The card issuer compares the address sent by the merchant to the billing address it has for that customer account and sends back a code indicating the results of that comparison

(e.g., exact match on both the street address and the ZIP code, no match on either, or a partial match on either the street address or the ZIP code). This additional information helps the merchant make a more informed decision about whether or not to accept and complete an online transaction.

Historically, merchants accepting online transactions have also accepted total liability in the event that they proved to be fraudulent. Although this standard remains in effect today, the advent of AVS has given merchants an important advantage. It may be possible to resubmit a "fraudulent transaction" to the acquiring bank if the transaction processor received an authorization approval and if the transaction received an AVS "exact match" response - meaning the address and the ZIP code both matched.

It is also very important that the customers of online gaming companies be able to recognize transactions made with the company when the charges appear on their credit card statements. It is imperative that, if nothing else, the cardholder is able to recognize the name of the gaming company. When cardholders don't recognize transactions, they call their card issuer to question or dispute the item. Usually these inquiries lead to chargebacks and to increased scrutiny of the gaming company.

To ensure that a company's name is recognizable to all of its customers, the merchant should request that the acquiring bank they are using show them how the name or "descriptor" appears in the settlement record. This is the way that the name will be passed through the processing system to the card issuer for posting to the cardholder's statement. All merchants should verify that the name appearing in the settlement record closely matches the name displayed on the Web site and on any promotional or marketing efforts identified with the company. It is also a good idea to include a toll-free customer service number for the company on the customer's credit card statement along with the name of the company.

Steve Fein has more than 14 years of experience in the merchant bankcard processing industry. For the past two years he has served as the executive vice president of sales for Signature Card Services, a leading provider of merchant processing accounts for online and other 'special risk' businesses. Prior to that he was with Merchant Choice Card Services, where he was instrumental in expanding their sales operations to include electronic commerce-enabled businesses. Steve is widely recognized as one of the key players in the pioneering effort that created eCash, he provided the first online gaming merchants with the ability to accept credit cards, and he continues to offer insight to the IGC on matters related to payment processing.