34

I'm an online merchant based in the USA, and I received an order that failed my fraud checks. I believe the "customer" is using a credit card that doesn't belong to them. I don't want to ship an expensive order only to get an unauthorized-use chargeback.

Would it be a good idea to call the bank providing the card, and ask them to notify the real card owner, and maybe ask if they did authorize the purchase. Would they/could they do this? I don't have a full card number, but I can supply the gateway provided transaction ids.

toastifer
  • 443
  • 4
  • 6
  • 4
    I assume it depends on the country/issuing bank but it's worth a try. Their fraud department might appreciate it. – 0xFEE1DEAD Nov 16 '22 at 19:36
  • 3
    @0xFEE1DEAD in most (all?) rule-of-law countries one is in fact required by law to try to prevent or at least report any criminal act they become aware of. Details vary, of course. – fraxinus Nov 17 '22 at 09:34
  • 2
    @fraxinus not all; you're not required (but you certainly are allowed) to report or prevent crimes in most places in the US. (I'm not a lawyer; this is not legal advice.) There are exceptions, e.g. teachers and child-care workers are often required to report signs of child abuse, but the general rule is that you can simply ignore a crime that you see unless you're subpoenaed after the fact. – Someone Nov 17 '22 at 21:49
  • If you are doing things according to PCI-DSS standards, you have no way of knowing which bank issued the card, and therefore would be admitting to a serious CHD violation and likely jeopardize your ability to continue processing card-not-present transactions in the future. – SnakeDoc Nov 18 '22 at 20:33
  • @SnakeDoc: The last sentence of the question explicitly addresses that he hasn't retained cardholder data. OP is asking whether he can make a report having only the gateway transaction authorization/confirmation numbers. – Ben Voigt Nov 18 '22 at 20:49
  • 3
    @BenVoigt OP seems new to this stuff, otherwise they wouldn't' even be here asking how to handle online fraud. They seem to be confused about what data they actually possess. The gateway provided transaction id's are probably unique and not the same ones the customer received on their statement. OP has no way of contacting the issuer for any particular card without knowing the full card number... and even then it's an exercise in futility because the ultimate solution is to refund and move on. OP isn't going to single handedly stop fraud or something... – SnakeDoc Nov 18 '22 at 23:08
  • You can always notify the bank.

    To notify the card-holder directly might not be impossible, but you would need to go through some preposterous complexity like using a PayPal account to send the holder a payment, including a notice…

     – Robbie Goodwin Nov 19 '22 at 21:41

2 Answers2

38

From BNG Payments - How to Report Credit Card Fraud as a Merchant

Contact the Customer or Issuing Bank Contact the customer by email or over the phone to ensure the order is authentic. You can also contact the card-issuing bank; they can reach out to the customer for verification.

Additional information from MasterCard - Do you suspect fraud?

A Code 10 authorization request alerts the card issuer to suspicious activity — without alerting the customer. During a Code 10 call, your acquirer may ask for transaction details. Your call will be transferred to the card issuer's special operator who will provide instructions on any necessary action.

[...]

If a fraudulent transaction occurs, contact the following entities for assistance:

  • Your bank or payment processor
  • Your legal counsel
  • Your local police department or U.S. Secret Service office
Community
  • 1
0xFEE1DEAD
  • 8,498
  • 2
  • 22
  • 28
1

I don't know how much you already know, but for the general audience is nothing else: normally, when there's a chargeback for an unauthorized charge, the chargeback doesn't go back to the merchant; if the issuer authorized the charge, then they're on the hook for it. The main exception is for Card Not Present (CNP) transactions, where the liability is on the merchant. However, if you follow the 3D Secure protocol, the liability will once again fall on the issuer. This is simpler than trying to contact individual cardholders.

Acccumulation
  • 10,331
  • 19
  • 45