44 comments

[ 3.7 ms ] story [ 99.1 ms ] thread
Can someone who understands how chargebacks work please explain:

1) If this such an obvious case of massive fraud, isn't there any kind of protection for the seller? If they provide proof that the product keys were delivered to the customers, how can customers still arbitrarily have their requested chargebacks accepted?

2) Are chargeback fees always on the order of $22? That seems unbelievably high. Is this just a way that credit card operators take advantage of businesses, because they don't have much other choice?

I totally understand penalizing businesses for excessive chargeback levels, when it's "widespread" and due to the business's own products.

But I don't understand why credit card companies aren't going to work with businesses in case of chargeback fraud, instead of working against them. Do they really have so much monopoly power that they have no incentive to?

I work on an online game also.

In the case of virtual goods, you will never have a chargeback side with the seller. Never. You are at the complete mercy of every customer. All you can do is ban the account after there has been a chargeback.

We get reasons like "I need to pay my rent so I want the money back" or "I played the game for a few days and I don't want to play anymore". You can supply email evidence like that as part of the chargeback claim. You will still be decided against.

For virtual goods, the credit card system is just broken.

Chargeback fees tend to be around $15, but you also lose the cost of the purchase.

Isn't this fraud? If you have evidence that customers are ripping you off, why not report to law enforcement?
I don't think it would be economically viable for most independent developers or small companies to spend time and money that could be used for productive stuff to deal with a few individual chargebacks every now and then, with no guarantee that you'll make your money back anyway. Plus what happens when you lose?

When it's on a massive scale like in TFA, they will probably work with law enforcement but 1) will they find the responsible? 2) even if they do, would the payment processor agreements with the various banks cover getting the chargeback fees cancelled? I don't know but it doesn't seem a given.

You raise a good point about the cost of pursuing these cases.

From my naive understanding, this type of fraud would have both criminal and civil penalties. For the criminal component, determining jurisdiction might be an issue, so there ought to be a federal agency to report cases to. The civil components might be "sold" to specialized firms, e.g., debt collectors.

The point is to disincentive fraudsters and recompense victims.

If you can provide evidence that the charge was legitimate, the CC processor will undo the reversal of the charge (which means the charge will be placed back on the customer's bill). YMMV outside of the US, but the CC processors have lost enough court cases in the US on this point to settle the issue.
At least PayPal doesn't cover digital purchases at all for sellers.

It would basically be your word against the credit card holder anyway since there is no physical proof so I can understand why they can't. Anyone could make up some proof. The root problem is with the banks: it's their system that is being used fraudulently and they should be the ones paying for it so that they have an incentive to improve it.

Paypal does cover digital purchases for US sellers. I know this for a fact because I have used Paypal as a merchant of digital goods and been in this situation. Paypal's service was exemplary; I simply provided a receipt of the transaction, the customer's IP address, and logs showing that the same IP address downloaded the software. Paypal never charged back the transaction and handled the dispute for me with the customer's bank. If the customer's bank refused to undo the chargeback, then Paypal swalled the loss on my behalf.

Anyone could make up some proof.

Well, yes. But people generally don't go through the trouble of making up proof for relatively small transactions (<$100, from the merchant's perspective). It's simply not worth the time and effort to fake up proof for something less than a $100 unless the work would take a minute or two more than simply collecting the evidence supporting the transaction.

Was this recent? Did you sign up for a particular PayPal service? I use the basic Express Checkout myself so maybe some of their more expensive plans cover that?

Anyway, from my own recent experience and what I heard from several indie devs, even after providing server logs & screenshots, PayPal can't do anything (and I'm not blaming them, I'm sure they do fight the charge if at all possible)

EDIT: Oh, just saw you wrote "US seller". I'm not in the US so that might have something to do with it maybe.

This hasn't been my experience with PayPal, or with any other provider. We legitimately try and provide that kind of evidence.

For PayPal the user has to supply a chargeback reason. We had a user type in "I need money to pay my rent". That was the exact text. The customer has admitted fault, but paypal still decides against us.

Edit: We have a US company and paypal account so it isn't that.

The product keys were delivered to the purchaser (i.e., perpetrator of fraud), not the account holder (i.e., victim of fraud).
It's up to merchants to ensure fraud is prevented, that is: refund anything sketchy before it becomes a chargeback. As for them being that high: $22 does seem excessive considering the purchase price of natural selections but I've seen higher.
22$ for a 25$ game? So they lose out on the 25$ sale and get charged 22$. I feel like this amount is a little excessive.
1) From my understanding, the purchases were made en masse using stolen credit card info, and the game keys were then sold (maybe several times?) until they ended up in front of everyday customers looking to save a bit of money by buying one from a shady website.

The people who requested chargebacks are people who had their credit card info stolen and didn't make the purchase. From their point of view, it's completely legitimate to ask for a refund.

2) Chargebacks are in the $15-30 range I think. PayPal and similar services will fight a chargeback for you against the bank, but digital purchases are not protected so you end up loosing every time.

The big issue is that the merchant is the one bearing the risk. I recently learned that some banks allow customers to request a chargeback months or even up to a year after purchase. I had a customer do that more than 60 days after purchase. One can buy a digital good, use it until they don't want it anymore and then get their money back... and the merchant ends up loosing money on it, in addition to giving them their money back.

From my point of view, the merchants shouldn't have to pay for fraud in the banking system. The banks don't even have an incentive to secure credit card transactions if they make money on it (or at least break even)!

> The banks don't even have an incentive to secure credit card transactions if they make money on it (or at least break even)!

This may be changing a bit. At least in Europe, we now have Chip-and-pin for offline transactions, and 3DSecure/Verified by Visa/MasterCard SecureCode for online. One of my banks now requires these schemes for online purchases, and I can't use their card on any online stores that don't support it. I believe Chip-and-PIN shifts the burden of fraud onto the consumer (if you leak your PIN it's your fault), and I wouldn't be surprised if it's the same for 3DSecure (or my bank wouldn't have any incentive to require it)

Indeed, same here (France) and it's definitely a move in the right direction. For cases similar to Unknown Worlds' though, it's important that the whole world moves to something more secure, otherwise bad guys will still be able to get their hands on less secure credit cards and use those against them.
1) There are a couple of protection for sellers. a) a floor limit - where visa/mc/etc cover the chargeback if it's under a certain amount ($5-20 is common)... if it is in your contract at all, it's limited to physical stores. Ecommerce/card-not-present is explicitly excluded.

b) if they can prove the keys were delivered to the card holder, and the cardholder is not claiming fraud/misrepresented goods/etc, then you can usually dispute the chargeback. This is harder than it sounds, because you need to ship to the billing address via a trackable service and obtain a signature from the cardholder when it is delivered. If you've ever shipped via UPS/FedEx then you know they will often not collect the signature, or they will collect it from another person at the address, or leave the package at the door, or the signature is illegible, etc, etc, etc.

2) I've seen chargeback fees between 10 and 50$ (25-30 is common). This is a fee from the bank that provides your merchant account.. so it varies. It's a fee for handling the chargeback.. keep in mind the bank must receive the chargeback, forward it to you, accept your response, send it to the customer's bank, etc. Does that cost $22? Definitely not.

Merchants are responsible for verifying the card is not fraudulent, and they accept the risk of fraud when they accept the order. If the merchant does not control the level of fraud, they'll see their merchant account terminated. The threshold varies by merchant bank.. I've seen as low as 0.2% up to 1%... but merchants usually don't get to see this number.

This is why you would use a service like Paypal: the contract with PP does include digital goods, and in fact Paypal is very good about backing the merchant in situations like this, so long as you can provide evidence of the purchase (including, for example, evidence that the customer used the purchased digital good after the challenged transaction).
My experience here is from running an ecommerce store.. so we actually ship the product to the customer.

I believe banks would accept digital proof as long as it established: 1) the cardholder made the purchase; 2) the cardholder received and/or used the digital goods.

But that is really only useful if the cardholder says they did not receive the license key/digital goods. If they say you misrepresented the item, or they did not make the purchase (because their card was stolen), then I can't imagine how you would dispute the chargeback.

And in that regard, PayPal is the same. If the PayPal user says their PayPal account was hacked, and they didn't make a number of transfers.. PayPal will undo the transactions.

Where do credit card companies NOT make money? The businesses who use them pay a fee on each transaction. Their cardholders pay them interest on the balance of their account and apparently businesses are charged for fraudulent charges, even though it was the credit card company that authorized said charges. How is no one fixing this industry?
"How is no one fixing this industry?"

You can, and many people do, live a no-credit-card lifestyle. Need something from an online store? Amazon and other retailers offer store accounts with direct billing (search for "Amazon.com Store Card") and more favorable terms.

If you find the practice shady, you as a customer can choose not to use a credit card. Use a debit card, or just pay cash. The problem is that customers like credit cards: it lets you buy stuff now!

Debit cards aren't really any better.
How come?
Visa and/or Mastercard (two of the Credit Card companies) are involved in most debit card transactions
Until the consumer banking stuff passed under Obama you really had no choice but to participate. Card companies enforced merchant agreements which wouldn't let merchants charge people less for not using a card (though some states banned such agreements prior to the federal change).

Merchants would lose business if they didn't accept cards, and card companies were basically able to squeeze them until such loss of business was barely more painful than just going through with it.

A slight market correction came in the form of competition between card companies to give cash-back deals. This essentially rebated some of the fee back to the consumer (if an Ayn Rand nutjob saw a government bureaucratic scheme half as complex they would explode with anger).

People with cash couldn't opt out; they still had to pay the same as card users, but now those merchant agreements have been restricted by law.

Cash discounts have always been allowed by most/all merchant agreements. Dodd-Frank forced merchant agreements to allow minimum purchase requirements (boo!) and to allow discounts for other forms of payment (e.g. debit cards) and not only cash.
>most/all merchant agreements.

Typically only in states that had their own law enforcing that restriction on merchant agreements.

But thats missing a LOT of the point. The fact that credit card companies are taking so much out of the economy makes the economy much less efficient, this isn't solved by one simple action from little old me.
I believe this is one reason that credit card companies haven't moved to two-factor authentication for credit card transactions.

In my opinion, every credit card should have an e-paper tag on it with a 6 digit code that changes once every 10 minutes or so (to reduce power requirements). Code should be required for all in person and online transactions.

However, since they make money off fraud, they have no incentive to reduce it.

They are adopting EMV smartcards in the US in 2015, but that won't help with card-not-present fraud. (Unless they plan to issue card readers to consumers, but I suspect not.)
1) The government grants a de facto monopoly through excessive regulation and licensing requirements.

2) People love credit cards and buying shit they can't afford.

Credit cards can simply be a convenience. I pay off my cards every month but I use them so I don't have to carry cash and for ease of transactions.

I know that Dwolla is trying to get into this by allowing transactions directly from bank accounts (no credit) with very low fees ($0.25/transaction).

Dwolla, like all online banking startups dealing with real money, is just a front-end on a classical banking institution. The costs to really start your own bank, which itself would probably not even give the level of control desired, from scratch are far too excessive for a typical startup. All of Dwolla's stuff is processed by Veridian Credit Union, and they have no control after you start a transaction moving. Dwolla takes 2+ weeks to move money around.

Their FiSync product is vaporware. They won't give out the documentation. Veridian, whose system they're already specially linked to, is the only user.

But that addresses one of the many costs, interest payments for the consumer. It doesn't address merchant costs through the percentage the cc company takes for card transactions and it doesn't address companies dealing with chargebacks.
2) People love credit cards and buying shit they can't afford.

Actually, I like the abstraction layer. I don't even have the ability to carry a balance on my credit card: every month, the balance is due in full. In exchange, I'm spending the bank's money, so if there's a problem, it's their money that's gone, and they pay their lawyers to get it back. (And I get "rewards", but I know I'm just paying for those myself.)

Interestingly, I use my brokerage for checking, and they let me write checks to borrow against the securities in my account. So checks can be borrowing money, and credit cards might not be. Some people might like borrowing money, but I like credit cards because they are very convenient and easy to use.

I'm also on board with credit cards for the abstraction. Doesn't matter what bank or brokerage which of my funds are in.

Also, although the gains are pretty trivial, I find it satisfying to leverage the grace period.

> 1) The government grants a de facto monopoly through excessive regulation and licensing requirements.

This is a HUGE problem. The oligopoly that runs banking now is never going to innovate in certain ways because its contrary to their profit incentive, because they have no competitors willing to implement better feature sets (because newcomers are basically disallowed).

Our currency is hard linked to banking processes. There are some things that are nearly impossible to extract even if we do get competition going (which won't happen).

The only way out of this is something like Bitcoin and/or total collapse of today's banking system.

They don't make money every time a person chooses to purchase something without using a credit card.
It's actually a lot more complicated than that. This is going to be an oversimplified explanation.

To understand the situation, you have to identify all the players in a credit card transaction and the risk each take.

In a typical credit card transaction, there are usually six participants (Might be less, if say 4 and 5 are the same entity):

1) The Customer

2) The Issuing bank (The bank that backs the credit card the customer uses)

3) The network (Mastercard, VISA, Amex, Discover, etc.)

4) The Payment Processor (Chase Paymentech, etc.)

5) The Acquiring bank (The merchant's bank)

and lastly,

6) The merchant

Everyone sandwiched between the customer and the merchant takes on various risk and each takes a cut of the transaction.

The details are complicated and most of it covered with private business agreements.

Most people think that most of the fees go to VISA, Mastercard, etc. But this is incorrect.

Let's start with the issuing bank. If you have a Chase credit card, the issuing bank would be Chase. In credit card transactions, they usually take most (~60-80%) of the transaction fee. Why? Because they take on the risk of offering the customer a line of credit. The customer could default on payment, the card could be fraudulently used, etc. In addition to taking a big cut of the transaction, they also charge the customer interest on credit not paid back in full.

Next you have the network. They operate the network that binds all the banks together. They also take a cut of the fees.

Next you have the payment processor. They are responsible for verifying and checking payment details received by the merchant from the customer. They might also operate point of sale systems if it is a physical transaction. In either case, they make sure the transaction goes smoothly and the merchant is protected.

So finally, you have the acquiring bank. They are the bank the merchant uses to get paid. They also get a cut of the fees. Why? Because they take on the risk of the merchant's business. If charge backs happen often enough, the acquiring bank is fined by the network. This fine usually gets passed to the merchant by the acquiring bank, as in the case here.

So generally, the interest the customer pays goes to the issuing bank, the transaction fee is paid by the merchant, which is usually split between four entities, with the issuing bank taking the by far the biggest cut. 

So why is this complicated system needed?

Simply because banks don't trust its customers and banks don't trust other banks. Everyone takes on risk and demands to be compensated for it. Think of all the thousands of banks in the world. They all do business differently, and they might not trust each other. The network provides the glue that binds them together, and the fees allows banks to take on the risk of doing business.

What about alternatives?

What if you want to cut out the middlemen? What if the merchant wants to deal with the customer directly? If you are a bigger company, this is indeed possible with 'store cards'. You are basically providing line of credit directly to the customer.

Yes, you skip paying fees to the banks and the network. However, you take on the big risk of providing customer credit. They can default, credit be used fraudulently, etc. Additionally, you would need underwriters to do credit checks on potential clients. This both impacts the customer's credit score and extra hoop to jump to purchase something on credit. Since the transaction fee is transparent to the customer for credit card transactions, you would need to provide incentive to the customer to jump through the hoop. This is usually done through attractive financing terms, gifts, rewards etc.

What about debit cards? There's still fees to the merchant because there is still risk involved in the process. Yes, the customer is not buying on credit, but all other risks are still present. Additionally, there is also infrastructure cost that must be compensated. From the merchant point of view, if customers are restricted by how much money the...

It is a real pity banks are externalizing the fraud risk to merchants, who are not in the position to improve security in a meaningful way.

This can really be only possible in a monopolistic environment...

If VISA associated an email address with the card when the card is created and digital purchases always went to that email address, then the allure of digital fraud would be decreased since if you bought digital goods with someone else's card, you would not get the goods.
Submission title was changed from "Unknown Worlds faced with $30.000 in chargeback fees from fraudulent purchases" to "Beware Discount Steam Keys".

I thought it was interesting for Hacker News people to discuss it based on the merchant angle, not from the point of view of a consumer choosing to buy from a shady discount website, that's why I submitted it with such a title. I think the title change makes the submission that bit less valuable/tailored to the community.