Today, more than ever before, it is commonplace to shop and buy goods and services through the internet. Likewise, consumers and merchants are at risk for potential fraud and identity theft when they process a payment online or over the phone. The amount of risk and liability a consumer is exposed to differs depending on the payment method used, the type of transaction being processed along with multiple other factors. Meaning, the risk a consumer faces from using their credit card, bank account, or an alternative payment method such as PayPal, Google Checkout or Moneybookers online will vary.
For consumers it is often difficult to understand their risk and liability exposure when selecting an online payment method. When you take into account the many alternative payment options that exist in the market today, it can become downright confusing. Let’s face it, if you asked most consumers to tell you what their liability is for fraud if someone steals and then uses their credit card, most probably wouldn’t know. If you asked the same question about popular alternative payment methods such as PayPal and Google Checkout, most would probably respond with “that is a good question”. This article is intended to separate some of the fact from fiction when it comes to how much liability a consumer really has when their payment account information is used fraudulently by someone else.
Understanding Alternative Payments
The term “alternative payment” refers to a broad concept that includes many different payment types outside of traditional credit cards that are often used online. My company defines several distinct types of alternative payment methods and there are hundreds of alternative payment providers in the market. Alternative payments are a large and growing market, and they have been relatively free of the regulations and requirements expected of financial institutions and others. While this lack of regulation was likely paramount in the success and growth of early alternative payment players, chances are it won’t last forever.
Many alternative payment providers offer consumer liability protections today, but these protections aren’t backed by any legal requirements. It is difficult for consumers to properly assess and compare their fraud liability across alternative payment providers as each of these providers can have different policies and stipulations regarding unauthorized transactions and fraudulent charges. But as alternative payments are slowly becoming the face of commerce, the liability protections they offer consumers will likely diminish in general and overall. In the future, should any regulations be imposed on alternative payment providers, these providers will likely work to find ways to recoup lost revenue. Just as banks imposed new fees for checking accounts in response to debit card interchange regulation, alternative payment providers may suddenly change or remove promises related to consumer liability protections, as long as they still aren’t mandated by law.
Which payments options offer the best protection?
For consumers, credit cards offer some of the best protection with zero fraud liability in most reasonable circumstances. The reason is based on a federal law known as the Fair Credit Billing Act (FCBA) which stipulates the absolute most a consumer can be liable for is $50 in unauthorized charges on their credit card. However, if a consumer reports a lost or stolen credit card before it is used fraudulently, or if the credit card information is obtained by fraudsters but the consumer is still in possession of the tangible card, then the consumer is not liable for any of the unauthorized charges.
Debit cards do not offer the same level of protection; the laws governing the limit of liability for consumers with debit cards, ATM cards and bank transfers come from the Electronic Funds Transfer Act (EFTA), which may also be referred to as Title IX. Under Title IX a consumers liability when using these payment methods is contingent on how quickly they report the lost card or that their account has been compromised. Even if a consumer reports a debit or ATM card missing within two business days they can be liable for up to $50 in fraudulent charges or withdrawals, and if the consumer does not report the missing card within two business days their liability increases to $500. If the lost or stolen card isn’t reported within 60 days of receiving a bank statement that contains the unauthorized use, then the consumer will be completely liable for their losses. If an ATM or debit card is reported lost or stolen before unauthorized use or transactions occur, then the consumer will not be liable for any unauthorized charges.
The same applies for when a consumer is still in possession of their card but their account is compromised, the consumer cannot be held liable for additional fraudulent charges that occur after they have reported the unauthorized use. Many debit card issuers will boast statements like “Zero Fraud Liability,” but consumers should be wary about such claims. In most cases any liability protections an issuer offers that go beyond the requirements of Title IX only apply for signature based debit card transactions, not PIN based transactions, and these claims are not backed by law.
Understanding Alternative Payments Liability
A consumer’s risk and liability with regards to electronic transactions are also affected by the use of alternative payments. There are many different alternative payment methods consumers can choose from, and in using these alternative payments the consumer’s risk and liability may differ, even if they are ultimately using a credit or debit card to make a purchase through the alternative payment service. When evaluating how using alternative payments affect a consumer’s fraud risk there are two main factors to consider:
- How alternative payments affect the risk of fraud due to compromised account information
- How using alternative payments can affect the consumer’s liability for fraud or unauthorized transactions.
In many ways alternative payment methods can provide an additional layer of security in electronic transactions. This is true of payment aggregators, who process transactions on behalf of merchants, as well as with virtual credit cards. Payment aggregators, such as PayPal and Google Checkout, allow customers to make a purchase without sharing their payment information with the seller. The payment aggregator stores the consumer’s payment credentials and processes payment rather than the merchant. This reduces the consumer’s risk exposure of falling victim to fraud in the sense that consumers reduce the number of parties they have to share their payment information with. This means their payment information will be entered online and transmitted fewer times, thus reducing their risk to fraudsters stealing it. Keep in mind, each time a consumer has to enter in their payment information to pay online they are at risk of this data being compromised by malware, keystroke loggers and browser-based attacks.
While alternative payments can reduce a consumer’s risk exposure of having their identity or payment credentials compromised, they generally do not provide much additional protection in terms of the consumer’s liability for fraudulent or unauthorized transactions. PayPal and many other alternative payment providers have a system where buyers can dispute purchases that were faulty, broken or not as advertised, but these dispute systems generally don’t provide any additional protections to what a consumer would otherwise have through the chargeback process if they had just used a credit card. Certain alternative payment providers, however, may offer better liability protection to a consumer than if the consumer used a credit card, debit card or bank transfer directly.
PayPal, for example, has zero dollar liability for unauthorized transactions as long as the consumer reports the unauthorized access or transaction within 60 days. This liability is in place regardless of what funding source or payment method was ultimately used, so using PayPal to make a purchase being funded from a debit card or bank account can actually provide more consumer liability protection than if the consumer made payment from the debit card or bank account directly. Keep in mind, however, that this 60 day zero liability is a company policy, not a legal requirement, and can be taken away at any time. Other alternative payment providers may not offer any limits to consumer fraud liability outside of what is guaranteed behind a credit or debit card transaction. This is important to consider with alternative payment providers that offer ACH payments or stored value accounts as stored value accounts do not have any guaranteed liability protections.
These alternative payment providers, because they attract so many consumers and have access to consumers’ financial accounts, have quickly become the focus of attack for fraudsters. Fraudsters will attempt to take over accounts, run phishing campaigns, hack into these providers, cause data breaches and get access to this sensitive data. With the large number of data breaches that have occurred in recent years, every piece of a consumer’s personal or payment information stored by an organization should be considered at risk. Many merchants keep payment account information on file for at least one year, and anyone storing consumer payment information can be the target of hackers. One security benefit of going through an alternative payment provider is that it keeps a consumer’s payment information out of the hands of the merchant thus resulting in less data breach risk exposure for the consumer.
What Should Consumers Do?
For consumers, it is critical that they evaluate and understand their fraud liability requirements when they decide to setup an alternative payment option to credit cards online. While the law affords certain rights to consumers, the use of third party payment providers can remove or change a consumer’s rights in the eyes of the legal system. While this article focuses on some the more popular alternative payment providers, there are hundreds of alternative payment providers in the market, and a consumer’s liability can be very different from one provider to the next. Even in the case of higher liability protection, make sure you understand your rights and responsibilities to get access to that protection.
David Montague is the founder and President of The Fraud Practice. He has spent the last 14 years working in the eCommerce space, and is well respected for his business knowledge and thought leadership. His background includes an in-depth application of innovative solutions for preventing business to consumer e-commerce fraud. Prior to founding The Fraud Practice he held positions as the Director of Risk Solutions at CyberSource Inc and National Principal at IBM Global Services. Read more from Montague at the Council for Identity Protection’s website.