When I started The Fabulous Vodka Company it was immediately apparent that I would need to be able to take credit card payments, and for the website I would need to be able to take online payments. My bank offered their card payment service, and this could be expanded to run my website card capture system. For this I would use one of the worldwide payment systems, who would debit the payments taken directly into my business account. This means that, like most online small businesses, the card payment is taken by someone else, without me getting to see the card details or being involved at all, which is great as the customer gets to see a familiar name on the payments page and is assured of the card security measures that are in place. I use a global card capture company for the card capture and the security system, which I was assured was secure. They are a global business handling millions of secure transactions per week. They put in layers of security so that the card holder is fully protected against online fraud or theft. For my customers that’s what I wanted: absolute security and a name they can trust, as well as, for me, a company that I could have confidence in and that would look after me and protect my business.

When I set up the website and the payment system I was told that the levels of security offered were industry leading: I was protected against fraudulent card use and lack of funds availability. The card capture company check the card’s security and validity, they supply the details to the bank card system, who then take the money, and I would only be notified of a transaction once the card had been accepted and the funds taken. This sounded great to me. I made the delivery once I’d been notified that the card had been processed and the payment had been taken. All went well for the first two years. Internet sales were beginning to grow, and I’d never had a problem of any kind with the payment system.
Christmas 2011 was an extremely busy time for me, with internet sales running at about sixty-five to seventy bottles sold per week, which was fabulous, but then after Christmas, as is usual in the spirits industry, it all calmed down to about six to eight bottles a week, which I was still happy with! Then one week in early March I sold 54 bottles online, mostly in blocks of 4 or 5 bottles; one chap ordered 4 bottles of Caralicious and 4 bottles of Perivale Dry Gin. Obviously I was delighted, but slightly concerned as they were all going to one small area of east London, so I phoned the card capture company’s helpdesk and asked whether this was all OK. The helpdesk man said that all card payments were being honoured so there was no problem. Somewhat relieved, I packed up the bottles and sent them off. I even received a phone call from my website designer and administrator, who had noticed the surge in sales, to check that all was OK; even he was reassured by the conversation that I’d had with the helpdesk.

The following week the sales rose to 69 bottles, all to the same area, all in mixed packages of 6 to 8 bottles, but by now I was seriously worried: some people were spending £350 on gin and vodka in a week! So I contacted the card capture company’s helpdesk again and they again said that they didn’t see a problem, but why not call my bank and check with them; after all, it was them that took the funds. I called the card processing arm of my bank, and they immediately said that all those transactions were fraudulent. There were unspecified problems with the cards used, but as they didn’t do the security checks (that was down to the card capture company), they could do nothing but charge the specified card for the amount stated.
When I stated that the card capture company were happy that the cards were valid, I was told that the card capture company will not check the validity of a card unless I specifically asked them to, and that I would be liable for any chargebacks incurred as it was my duty to check the cards. I went back to the card capture company and questioned their security, and they agreed that they did not check the card user against the address held or CVC number unless I paid them more money, and that the default setting on card capture accounts appears to be: don’t check, just accept all cards. At that point I specified that I wanted what I was told that I’d had all along, the highest level of security possible. The helpdesk man put a temporary system in place until I could email the relevant department and request that they upgrade the account, which is what happened.

The following day, when I contacted the security department to set up the extra security, they led me through the security system, and whilst we were both looking at the account (it was still live, but partially protected) there was someone online trying to buy £198 worth of gin and vodka. He had his payment rejected 13 times, and on the 14th try it went through. When I queried this, the security man said that the user had tried lots of different cards and different addresses until he found one that worked! I now have a security system that won’t allow this to happen: all cards are checked for the card holder’s address, and the CVC number is authenticated. It transpires that all the fraudulent cards originated in Canada, where apparently they don’t have chip and PIN cards; they use the old magnetic strip system. The card holders had had their cards skimmed and the details passed on to a criminal gang in London, who used the cards online and used false names and addresses over in the UK.
The upshot of all this is that this month I’ve had numerous chargebacks from innocent Canadian card holders who have not received anything from me, although I’ve sent out lots of gin and vodka, and both my bank and the card capture company say there’s nothing I can do about it. I am liable because I didn’t set up the enhanced security on my account, which I think is a bit harsh, as I thought that I had a secure system from the start. I won’t say how much it’s cost me, but my company is on a knife-edge now as a result of it. I’m very angry for a number of reasons. Firstly, my company has been made to look bad in the eyes of a lot of people who’ve been defrauded of a lot of money. Secondly, I relied on a global business to look out for my interests; I, naively, expected them to set accounts to secure as their default setting. I’m paying for this! Thirdly, I’m bloody angry with myself for being daft enough to think that any large company will do anything other than the least that they can get away with. After all, the card capture company received their fee whether the cards were fraudulent or not. In fact, fraudulent cards earn them money, as they get paid a percentage of each transaction taken; a rejected card means no payment and earns them no fee. I was stupid enough not to realise this.