Screwed by Square (alexshvartsman.com)
160 points by rajbala on Feb 11, 2014 | 57 comments


This is the experience you get with traditional merchant accounts (what every business had before 3rd-party processors like Square and PayPal, and most large and B&M businesses still use). You get chargebacks, you lose the money immediately, you often lose the disputes even if you shipped items, and if your CB rate is over 1% of your monthly volume for a few months, your account gets closed. Period. The only way to stay in business if you're a target for fraud is to become very good at screening orders, whether it's through systems or manual review, because nobody else is going to protect you.

This is the value of PayPal's Seller Protection Program, which people probably undervalue since they've never dealt with a real merchant account. If you sell with PayPal, and ship a tangible to the address on the buyer's PayPal account, and have proof of shipment, you have 100% liability protection. Someone charges back the payment, and it's PayPal's problem, not yours; even if they lose, you don't lose your money.


Paypal's Seller Protection only works if the user has a Paypal account, and has a confirmed address. It doesn't work if you use Paypal Pro or the Paypal REST API to accept straight credit cards without an account.


I agree. The headline should have been, "Screwed by Thieves that used Fraudulent Credit Cards". It perhaps should have had a subtitle of, "My Education on Implementing Adequate Anti-Fraud Measures at my Company."

I'm not sure I understand why he thinks Square screwed him.


Well, he alleges that Square cancelled his account without notice, and describes how that affected his business because he had made efforts to drive customers to use the Square payment method. He also admits that he should have developed a more robust solution, but rationalizes that he stayed with Square due to good prior experience.

Even if Square is perfectly in the right based on their user agreements they may be throwing good money away, and chasing off good customers. It's not hard to understand why a retail business owner would appreciate a little notice before an account cancellation.


This is such a common refrain in the tech space.

"We provide you with this disruptive new service that's really cool. Oh, it doesn't work for you? We also provide you with absolutely zero support."

Sometimes this means you lose business for a few days, realize you were dumb for building your business on top of a company that can't even be bothered to give you a phone number, and move on.

Sometimes the company takes the money out of your bank account and gives you absolutely no recourse.

If Alex had time and money, he could bring charges against Square. Not that he'd necessarily win, but he'd at least get himself on their radar (and hopefully get a settlement just to get him off their back). Thanks to Square, he has too little of both right now.

It's stories like this that make me realize how grateful I am for companies like Zappos, whose big selling point was (and still is, reputedly) "we're not jerks". I had to contact their customer service back when they were still independent, and I was very pleased with the experience. I still shop there, even when it feels like I'm paying a premium, because a company that treats me decently is worth it.


This sounds like more of an issue with our card payment systems rather than individual merchants. All it takes is 16 digits to fraudulently use somebody else's money and the merchant is typically liable in case of that. And to add insult to the injury, they add a $20 chargeback fee on top. The banks and processors aren't taking responsibility and instead forcing merchants whose core focus is on selling and shipping rather than the intricacies of payment handling.

Due to this lopsided arrangement, banks and processors have no reason to change the system. We should force them to take the risk of fraud; it's the only way to make the system better for everyone.


At our company, we use Authorize.net. Auth.net has something called Address Verification System[1]. I think it just matches zip codes but I might be wrong.

If we get AVS check fails on billing address, we automatically reject the order. If AVS check passes but shipping address is different and based on some other criteria like order history, order amount; we have someone double check on the order.

I think every merchant should implement these basic checks. Not sure if it is possible with Square but I would assume they do provide something similar.

[1] http://en.wikipedia.org/wiki/Address_Verification_System


Is it not 16+3, the code on the back of each credit card?

If not, why not?


The exact number of digits you need to know isn't relevant. The problem is that you can spend someone else's money just by knowing their digits, the recipient is expected to reject that money if it's not your digits, but is given no way to truly verify identity or ownership.


> The problem is that you can spend someone else's money just by knowing their digits

That's part of it. The other parts are that unlike a PIN or password, people routinely tell others what those digits are, and that the system works as a pull (the merchant decides when to collect the money and informs the customer's bank via the payment processing system) instead of a push (the customer decides when and where to send the money and informs their own bank).

Most of the problems with security, fraud, chargebacks and related areas in the card payment industry ultimately start from this fundamentally flawed model.


"The exact number of digits you need to know isn't relevant"

The number of digits doesn't matter but CVV vs. no CVV does make a difference. CVV is the way to verify that you are allowed to use the given credit card number (it's actually the second V in the initialization).

CVV is completely separate from the way the credit card number is generated. If someone else has your card number and CVV it implies:

Either your numbers were stolen directly from your card or your information was stolen from some third party server.

If your information was stolen from, say a merchant's server, it implies that they did not properly encrypt your credit number and that they stored CVV which should not even be in their database to begin with.


With traditional merchant accounts, it's up to the merchant how much they check. As long as the 16 digits are correct, the processor will process the transaction. All of the other data (CVV, exp date, name, address, etc.) is optional.


Not Square at all, this is a fundamental problem with credit card processing. As long as the costs of fraud are borne by the individual merchants I doubt it will be fixed. Fundamentally flawed system design / perverse incentives.

To the best of my knowledge, anybody taking a credit card will lose a chargeback if they don't have a signature. And you never have a signature in an ecommerce transaction, so you will lose all disputes. (I know the very large company I used to do the CC processing for routinely lost our chargebacks for ecommerce transactions, and at our volume we should have been able to find a system for not losing if one could be found.)

The only current "solution" is to do a good job of filtering up front and rejecting suspicious transactions, which can be helped by requiring AVS and CVV2 matches and phone calls for large orders - but there isn't really a good system for handling this at all. The best I've seen so far is a company that would verify new customers by calling and asking them a question about their neighborhood from google maps. And it's a shame that each individual merchant has to come up with something convoluted like this, and the payment processors don't provide technical help or financial guarantees for the transactions they authorize. But that's just how it is right now, and it isn't Square's fault.
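The screening rules commenters describe in this thread (auto-reject on AVS failure, manual review when shipping differs from billing depending on order history and amount, CVV2 match and a phone call for large orders) can be written as one decision function. This is an added example, not code from any commenter or processor; the thresholds, the `Order` fields and the handling of partial or unavailable AVS results are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "manual review"
    REJECT = "reject"


# AVS result letters as returned by Authorize.Net-style gateways.
AVS_MATCH = {"Y", "X"}         # street and ZIP both match
AVS_PARTIAL = {"A", "Z", "W"}  # only the street, or only the ZIP, matches
AVS_FAIL = {"N"}               # neither matches
# Any other letter (U, R, S, E, G, P, B) means the check did not run.

CVV_MATCH, CVV_FAIL = "M", "N"  # card-code result letters

# Assumed policy knobs, not values taken from the thread.
LARGE_ORDER = 1000.00        # always gets a phone call
RISKY_SHIP_AMOUNT = 200.00   # differing ship-to above this is reviewed
TRUSTED_AFTER = 2            # prior orders without a chargeback


@dataclass
class Order:
    amount: float
    avs_code: str
    cvv_code: str
    billing: tuple    # (street, zip)
    shipping: tuple   # (street, zip)
    prior_good_orders: int = 0


def _norm(addr):
    """Case/whitespace-insensitive street plus 5-digit ZIP."""
    street, zip_code = addr
    return (" ".join(street.lower().split()), zip_code.strip()[:5])


def screen(order):
    """Return (Decision, [reasons]) for one authorised order."""
    hard, soft = [], []
    avs, cvv = order.avs_code.upper(), order.cvv_code.upper()

    # Hard failures: the issuer says the data does not match.
    if avs in AVS_FAIL:
        hard.append("AVS: billing street and ZIP do not match")
    if cvv == CVV_FAIL:
        hard.append("CVV2 does not match")
    if hard:
        return Decision.REJECT, hard

    # Soft signals: a person looks at the order before it ships.
    if avs in AVS_PARTIAL:
        soft.append("AVS: partial match only")
    elif avs not in AVS_MATCH:
        soft.append("AVS: check not performed")
    if cvv != CVV_MATCH:
        soft.append("CVV2: not checked")
    if _norm(order.billing) != _norm(order.shipping):
        new_customer = order.prior_good_orders < TRUSTED_AFTER
        if new_customer or order.amount >= RISKY_SHIP_AMOUNT:
            soft.append("ships to non-billing address")
    if order.amount >= LARGE_ORDER:
        soft.append("large order: phone verification")

    return (Decision.REVIEW, soft) if soft else (Decision.ACCEPT, [])


# Constructed sample orders (addresses are made up).
HOME = ("1 Main St", "02139")
OTHER = ("9 Elm Rd", "94110")

if __name__ == "__main__":
    for o in (Order(80.0, "Y", "M", HOME, HOME),
              Order(1800.0, "Y", "M", HOME, OTHER),
              Order(1800.0, "N", "M", HOME, OTHER)):
        decision, reasons = screen(o)
        print(f"{o.amount:>8.2f} {decision.value:<14} {reasons}")
```

As a later comment in the thread notes, a buyer of stolen card data may also hold the address and CVV, so a clean pass here lowers risk rather than proving the cardholder placed the order.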


> To the best of my knowledge, anybody taking a credit card will lose a chargeback if they don't have a signature.

It's not quite as simple as that. The customer authentication problem is what programmes like MasterCard SecureCode and Verified by Visa are supposed to solve. The trouble is, their implementations are so clunky that a lot of merchants/payment services don't use them, which in turn means a lot of end customers don't expect or understand them either, damaging legitimate conversions. I've heard that they are also not widely used in the US for whatever reason(s), though they're somewhat common here in the UK now.

In theory, these mechanisms should fix much of the underlying weakness in the current card payments model, because the end customer never gives the extra security information to others, only to their own bank/card provider. And there really are (or at least were the last time I checked) payment services that will eat the fees for chargebacks on transactions that were authorised using these kinds of 3-D Secure mechanisms given reasonable evidence that the merchant did provide whatever was being paid for. Unfortunately, I'm not aware that any of the new generation of online payment services offers 3-D Secure yet, which I expect to become a significant headache for them as more horror stories like the one we're discussing here come to light.

As a point of interest, much the same arguments apply to two-factor authentication schemes for cardholder present transactions, such as Chip-and-PIN, which has been almost universal in the UK for a long time now but again doesn't seem to have had as much take-up in some other countries. It's normal to consider a PIN-authenticated transaction at least as safe as one confirmed with a written signature. But again, these technologies don't seem to be universal in some other countries yet for whatever reason(s).


> As long as the costs of fraud are borne by the individual merchants I doubt it will be fixed. Fundamentally flawed system design / perverse incentives.

Sure, but be sure to empower consumers against the banks if you make the banks liable instead.

I've always found this case study from the classic "Why Cryptosystems Fail" fascinating:

> In some countries (including the USA), the banks have to carry the risks associated with new technology. Following a legal precedent, in which a bank customer's word that she had not made a withdrawal was found to outweigh the banks' experts' word that she must have done [JC], the US Federal Reserve passed regulations which require banks to refund all disputed transactions unless they can prove fraud by the customer [E]. This has led to some minor abuse - misrepresentations by customers are estimated to cost the average US bank about $15,000 a year [W2] - but it has helped promote the development of security technologies such as cryptology and video.

> In Britain, the regulators and courts have not yet been so demanding, and despite a parliamentary commission of enquiry which found that the PIN system was insecure [J1], bankers simply deny that their systems are ever at fault. Customers who complain about debits on their accounts for which they were not responsible - so-called `phantom withdrawals' - are told that they are lying, or mistaken, or that they must have been defrauded by their friends or relatives.

> The most visible result in the UK has been a string of court cases, both civil and criminal. The pattern which emerges leads us to suspect that there may have been a number of miscarriages of justice over the years.

> * A teenage girl in Ashton under Lyme was convicted in 1985 of stealing £40 from her father. She pleaded guilty on the advice of her lawyers that she had no defence, and then disappeared; it later turned out that there had never been a theft, but merely a clerical error by the bank [MBW]

> * A Sheffield police sergeant was charged with theft in November 1988 and suspended for almost a year after a phantom withdrawal took place on a card he had confiscated from a suspect. He was lucky in that his colleagues tracked down the lady who had made the transaction after the disputed one; her eyewitness testimony cleared him

> * Charges of theft against an elderly lady in Plymouth were dropped after our enquiries showed that the bank's computer security systems were a shambles

> * In East Anglia alone, we are currently advising lawyers in two cases where people are awaiting trial for alleged thefts, and where the circumstances give reason to believe that `phantom withdrawals' were actually to blame.

> Finally, in 1992, a large class action got underway in the High Court in London [MB], in which hundreds of plaintiffs seek to recover damages from various banks and building societies. We were retained by the plaintiffs to provide expert advice, and accordingly conducted some research during 1992 into the actual and possible failure modes of automatic teller machine systems. This involved interviewing former bank employees and criminals, analysing statements from plaintiffs and other victims of ATM fraud, and searching the literature. We were also able to draw on experience gained during the mid-80's on designing cryptographic equipment for the financial sector, and advising clients overseas on its use.


Everybody's talking about how this kind of thing is baked into the credit card system. Even a few days back there was the article about processors changing to a system with PINs like in Europe or something.

What I don't get is why you can't do something much more simple.

Wouldn't 99% of these problems be fixed by something as simple as credit card companies just requiring transaction approval from the card holder?

It could be handled by text message or an app and show up on your phone within 5 seconds of running your card.

Swipe, okay it on your phone, done, forget giving everyone new cards with some sort of complex PIN # system.

Heck, you could even go a step further and make a barcode on your smartphone scan as a credit card at checkout, and then hit okay on your phone to complete the transaction.

Get an alert for something you aren't buying? Hit deny, it doesn't go through. No fraud, everyone's happy.

I'm guessing the reason there's not a system like this is that most credit card terminals are too archaic and dumb to have a live link to the Internet to handle something like this in real time? (Or the more obvious reason of not being able to use it without a cell phone?)


Almost every credit card transaction in India goes through this kind of system. At a POS terminal you need to enter a PIN (same thing in Europe).

For e-commerce you need to enter a password after you enter all your CC details. It's called Verified by Visa or Mastercard Securecode, depending on what card you have.

The downside is that apparently the user agreement states that if your password gets stolen (as well as your credit card details) then all liability is on you.


I think requiring the card owner to know and keep safe some password rather than just okay a transaction seems more complicated.


This is also commonly used in Europe (Verified by Visa and Mastercard Securecode collectively being known as 3D Secure)


Shopify might be worth considering, they have a pretty good POS system (http://shopify.com/pos), and probably more experience dealing with these sorts of shenanigans, plus you can get them on the phone.

And you don't have to sign up for the whole POS system to get the card-reader for your phone/iPad. Their mobile app (available to any Shopify shop owner) ships out a free reader. http://www.shopify.com/blog/11013977-introducing-shopify-mob...


I wonder if Shopify actually has any input into the chargeback process and risk evaluation of accounts. Shopify Payments are "powered by Stripe" rather than something they run themselves. They do have a nice integration and you get a discount compared to using Stripe directly without any minimum volume.


I don't like the trend of businesses becoming less and less easy to reason with. If an algorithm, or even a person, decides to cut you off, that's it. There's little recourse in situations like these.


Except, of course, internet diatribes like this.

I had a similar problem with eBay and the only way to get them to respond in a timely fashion was a similar rant that made it to the front page of Hacker News.

Customer support via blog post. Not the most effective method I can think of.


>>Customer support via blog post. Not the most effective method I can think of.

No - but the only one where a manager will have his job on the line.

(unfortunately)


Here's hoping a Square employee (or someone that knows one) reads this. It'll keep happening to the small guys as Square scales - they need to tackle this sooner rather than later.


What do you suggest Square do? This is standard operating procedure for merchant account providers.


I thought Square was supposed to be one of those "disruptive" startups. If they continue the status quo and don't try to improve their customer service then why should I use them?


I am not knowledgeable enough about Square itself to know what they are "disrupting", but their chargeback section in their sellers agreement is no different than that of a standard merchant account. Seller liable for all chargebacks; they reserve the right to hold an unknown reserve; charge a larger fee; or close the account.

Do they try to differentiate themselves via customer service?


> Do they try to differentiate themselves via customer service?

Okay, that made me laugh. :)


They're a better merchant provider, undoubtedly.

They're also not a PayPal that's willing to provide buyer or seller protection. They just facilitate the transaction. The responsibility for verifying the transaction falls entirely on the vendor.


Even if it is, Alex had an awful experience and feels like a victim. If Square can't do anything about the outcome, they can at least offer a better explanation and tips going forward. Communication seemed to be the biggest issue here.


How about simply "Talking to the customer" for a start? These types of posts would be very different if someone had talked to them in person from day one, and actually kept them up-to-date.


>>Please visit our Help Center if you would like further information around the dispute process: https://squareup.com/help/en-us/article/3882-understanding-c... If you have further questions, feel free to reply to this email. We would be glad to help.<<

He never mentions following up with them or how he took them up on their offer and what their response was.


From the article:

> A Google search unearthed a number, but it was literally nothing but a recording, directing the listener to go to their web site.

> So to the website I went, sending them the following message through their web form

> When I came into work on Monday, one of the first things I did was to fill out their chargeback response form again

> I received none of the “updates throughout the process” that they promised

So, he's followed their rules, and used their channels of communications. Their response was an automated "we cannot divulge the reason for your account termination ... our decision is final."

Past articles from people who encountered the same problems have posted the response to challenging these to be "stop contacting us, your account is closed, our decision is final".


The big takeaway I got from the article is that unlike a big bank merchant account, if you need some support from Square... good luck.


Paypal does the same. Blocked mine with 30k in it for 6 months and destroyed my business with it. We had to sell stuff from our house to pay providers (~20k) to survive that month. We lost subscribers and our business recovered in almost 1.5 years out of that "High risk" ban.

To them "high-risk" often means "you put too many questions" or "we don't have time to actually support you properly". By simply banning you they get rid of businesses that require more attention instead of hiring more capable people. That list of capable people should grow along with the customers list but they stop at some point and that's when they can't deal with you.

It's good that Stripe is not available in my country because I really wanted to pick them after Paypal nightmare. I think I would have killed myself at round 2 with this type of support and bans they throw at you when you need help.


Customer service is a cost center to most companies, even internet darling companies like Square. So you won't get any because it's cheaper to piss off a few customers than to invest in actual service. Until they feel some financial pain they don't care about you. Which would make a nice new startup, someone who actually worked with both customers (in this case sellers) and service providers to provide actual service. But I won't hold my breath as there is probably no financial reason to do this.


Thanks for sharing. For nearly 10 years I managed and engineered a large e-commerce site. I learned a ton in the process. These posts always hurt. I feel the pain.

Also, reminds me of this post a while back - http://elliotjaystocks.com/blog/good-riddance-paypal/

"PayPal have all the power of a bank and yet none of the responsibility."


Most of the comments here seem to be that this is normal practise, and he should have known in advance to check for fraud or else he would lose money and have his account closed.

If this is so obvious, why doesn't Square explicitly spell this out in a help page? Is this some magical knowledge that can only be learnt first hand, and never officially stated?

Square screwed him over by not being more transparent with their policies.


Shouldn't Square be the one detecting fraud with address verification, CVV codes, etc?

And while it's ok to cancel an account that has a high proportion of fraud, it's wrong to do that AND take the money back.


AVS and CVV do not do much to detect fraud. Anyone that's bought a stolen credit card has the address and CVV code too. Square isn't keeping any money either -- that money is going back to the account it was stolen from (the owner of the stolen credit card). It left Square's bank account before Square was even notified of the chargeback; that's how the system works. The fact that they don't immediately deduct the funds from the merchant, as a merchant account would, is actually a nicety, as their own books are missing money until that chargeback is resolved.


>Anyone that's bought a stolen credit card has the address and CVV code too

Yeah, but for a shipped physical good, only being able to ship to the original cardholder's address doesn't do you much good. That $1800 package isn't going to you, unless you are physically close enough to steal it off their doorstep which is pretty risky.

So either it's the correct address, which points to the cardholder defrauding, or it's a different address, which should be caught by the processor. Or they shipped to a different address than the billing address, which would be totally the fault of the seller.


I bought a camera and tried to have it shipped to my father's house. It was understandably difficult with them actually looking up my home phone and calling me to verify the information before shipping. They called my Dad too to make sure he was ok with it.

These are/should be normal precautions when shipping expensive equipment.


Different shipping addresses from billing addresses are absolutely standard practice. I don't know why you'd think that a seller would disallow shipping to something other than the billing address.


Back in the days when I worked at Newegg, average order values were in the thousands from all of the custom gaming rig builds so fraud was taken very seriously. Newegg did not allow shipping to an address that was different than the one on file with your credit card company so the only way to do that was for the customer to call the credit card company and add the new shipping address. I'm sure they lost some customers who didn't want to deal with that but they also severely limited their exposure.


It's a high risk practice. For instance, PayPal won't protect you if you do it, unless the person has verified the shipping address also.

If I had a small business with large dollar amount purchases, it certainly doesn't seem worth the risk to allow it. One bad transaction and you are out a lot of money.


The one time my card number was stolen was to purchase computers that were shipped to my house and taken from there.


Was that easy to dispute? I wonder if you were placed on a red-flag list after that, like how UPS treats people who have packages that they show as delivered but that went missing.


My bank noticed before I did, but apparently never told Dell. I haven't had any issues since then. I just got a new credit card in the mail a few days later.

One thing I learned is that I should also contact the vendor next time. I am not sure who lost in my case, but after the information I heard today I think it is Dell.

Dell still thinks I am a good customer. I can't get them to stop sending promotional junk mail since the incident.


Maybe with that merchant. There's no reason for banks or other card issuers to keep a "red flag list" for payment disputes, as payment disputes don't cost them anything. They can even be a revenue generator, as not only do reversed funds come right back out of the seller's account, but also a chargeback fee that covers the cost of someone being on the phone with the card holder for a few minutes.


AVS does at least allow you to manually hold orders billed to a totally different zip than the shipping address. I haven't used Square's web store solution so I'm not sure if they provide this data.


No, that's not Square's job. They pass along all chargeback/fraud risk to the merchants. The same thing (I believe) goes for Stripe and Balanced.


Square makes merchant wish for PayPal.... Wow.


Can't he use Stripe for the online portion of these transactions? I don't know if their customer service is any better, but at least he doesn't have to use Paypal.


My company uses Stripe. The chargeback resolution process described in the original article sounds identical to our experience with Stripe.


Sounds like he wants seller protection, which is why he switched to Paypal.


I know some companies like Google and Amazon are trying to automate-away all customer service.. but this seems exhaustive.



