Paycom Billing Services Inc., which specializes in processing card transactions for web merchants, sues MasterCard claiming that the policy that charges back virtually all fraudulent transactions to online merchants is unfair.
No sooner had MasterCard and Visa capitulated in a suit by major retail chains challenging a card association policy than MasterCard was hit with another lawsuit, this one challenging a MasterCard policy toward online transactions.
On the eve of trial, MasterCard and Visa agreed to drop their accept-all-cards policies and pay damages. Within days, Paycom Billing Services Inc., which processes card transactions for web merchants, sued MasterCard claiming that the policy that charges back virtually all fraudulent transactions to online merchants is unfair.
Although Paycom processes mostly for adult entertainment sites, which are more susceptible than other e-retailers to chargebacks, attorneys who represent other types of retailers say the issues raised by Paycom could affect a broader range of merchants.
Dennis Ehling, Paycom’s attorney in the MasterCard case, says the suit contends that the card association imposes overly strict rules that result in web merchants paying excessive fees to cover fraud, even though web merchants are required to absorb losses related to chargebacks, the process by which MasterCard and Visa return fraudulent or suspected fraudulent transactions to a merchant. He adds that MasterCard hasn’t done enough to persuade more credit card issuers to participate in the SecureCode program, which is designed to shift liability for chargebacks to issuers from merchants.
Five so far
Bruce Rutherford, MasterCard’s vice president of e-business and emerging technologies, says the card association has signed up Navy Federal Credit Union, a major issuer of credit cards, to participate in SecureCode and that it expects 2,000 more credit union card issuers to join this year. By the third quarter, most of the largest U.S. card issuers plan to implement SecureCode, Rutherford says.
Only five merchants have agreed so far to participate in SecureCode, but Rutherford says MasterCard is working with processors VeriSign and WorldPay to help sign up some of their tens of thousands of merchant clients.
The SecureCode program, like Visa’s Verified by Visa program, requires consumers to enter a personal identification number when making an online payment. The program depends on participation from credit card issuers, who must offer card accounts with SecureCode PINs and then be able to respond to a request for authorization when a PIN-protected transaction comes through, and from web merchants, who must modify their checkout pages to prompt for PINs.
Ehling contends that MasterCard focuses too much on imposing heavy fines rather than on improving security. He notes that MasterCard’s policy is to impose penalties starting at $25 per chargeback when a web merchant’s monthly rate of chargebacks reaches 1%; if that rate is reached in consecutive months, the penalty rises to as high as $100 per chargeback, Ehling says. MasterCard declines to comment on its penalty policy.
By contrast, Ehling says, Visa U.S.A. has a more realistic policy, charging the same range of penalties but only when the chargeback rate reaches 2.5%. “That’s justifiable, because the average chargeback rate for Internet transactions is 2.1%,” Ehling says. In the offline world, retailers faced with chargebacks absorb fewer losses because they usually have the documentation in the form of a signature to back up the transaction.
Ehling adds that several other types of web merchants, such as sports and music sites that sell digital content, are also prone to high chargeback rates and may also be subject to higher penalties. Although Ehling represents several types of web merchants, he says he knows of no other intentions to sue MasterCard.
Raising the comfort level
MasterCard has also introduced its Site Data Protection service, offered by Brussels-based Ubizen, which scans a web site platform for security breaches and directs a web merchant where to get the necessary security patch. The service, which will be offered soon by other technology firms, costs merchants a one-time fee of $2,000.
Merchant experience with SecureCode is thin so far, but some merchants believe the comfort such a system provides to skittish consumers outweighs the extra step the process imposes during checkout. “The liability shift is gravy,” says David Dierolf, vice president of IT at Crutchfield.com. “The real value is raising the comfort level of online shoppers. I don’t want to put anything in the way of a customer wanting to do business with me.”