Visa Warns of Suspect Web Marketers, Requires More ISO Disclosure

Visa Inc. is paying more attention to a broad category of merchants it dubs Internet direct marketers, according to a Visa security executive who spoke on Thursday to independent sales organization executives. These marketers bear many similarities to the often-suspect sellers of the 1980s and '90s who peddled their wares over the phone, but they work on the Web. Visa now ranks Web-based sellers of nutritional supplements, certain pharmaceuticals, and related products at the top of its list of risky Internet direct marketers, according to Bryan Baumgartner, business leader of Visa's risk-control programs for merchant acquirers and prepaid cards. Baumgartner was one of four payment card network executives who spoke at the Compliance Day conference in Chicago sponsored by the Electronic Transactions Association, the ISO industry trade group. Such merchants often far exceed the 1% transaction threshold for chargebacks that triggers more monitoring of a merchant by acquirers and Visa. “Most of the bad guys are ranging form 5% to 9%,” said Baumgartner. Online purveyors of government grants and “business opportunities” have risen to the No. 2 spot on Visa's watch list, Baumgartner said. In contrast to the sellers of what Baumgartner calls “nutraceuticals,” who at least have a physical product, these marketers sell little that's tangible. “We're really talking almost true fraud,” he said. Also high up on Visa's watch list are discount buyer and travel clubs and job-finding assistance services. Internet direct marketers can cause big trouble for acquirers that don't employ stringent underwriting and risk-management procedures. One merchant generated 150,000 chargebacks, Baumgartner noted. Visa and MasterCard Inc. have assessed “millions” of dollars in fines against offending acquirers, whose merchants also are attracting attention from the Federal Trade Commission and state attorneys general. “We've seen both acquirers and ISOs take some pretty significant losses this year,” he said. Baumgartner also reported on a Visa effort to give merchants greater clarity about the banks that sponsor ISOs into the Visa network. In addition to mandating that merchant applications clearly identify the sponsoring bank, Visa is requiring that the applications have on the first page, or as a page separate from the application, a listing of the bank's responsibilities in a merchant relationship and the merchant's responsibilities. ISOs often bury information about the bank's role well down in the application or within merchant contracts. “I know a few ISOs that don't have a bank-disclosure statement,” he said. Lack of such disclosures can lead to merchant confusion about who does what, especially the all-important functions of funding and settlement. Those functions are responsibilities of banks, though some ISOs have held merchant reserves unbeknownst to their sponsor banks, according to Baumgartner. That can be a big problem for the sponsor bank, which is liable for reserves, when the ISO goes out of business and takes the reserve fund with it, as has happened. “We get hammered on this by the feds all the time,” said Baumgartner. Visa won't require ISOs to throw away the blank contracts they've already printed, but it expects new documents to reflect the disclosure requirement. An ISO's failure to meet it could result in the sponsoring bank being fined $5,000 for a first offense. An American Express Co. executive, meanwhile, reported on two recent additions to AmEx's authorization process to reduce card-not-present fraud. The first, dubbed electronic verification, gathers more information from merchants about the cardholder's shipping address, e-mail address, telephone number, as well as the so-called IP address of the computer originating an online transaction, according to Kristin Hoyne Gomes, AmEx director of Global Fraud Risk Management. The data are matched against cardholder data AmEx has on file. Merchants may elect to approve the transaction even without matches. But AmEx has found that matches in the billing address are four times less risky than transactions with no match. Matches in phone numbers reduce risk by nine times, and e-mail address matches to reduce risk by 11 times. “It isn't a guarantee against fraud, but it is a very powerful differentiator” of risk, Hoyne Gomes said. The other service, which AmEx calls enhanced authorization, pools reports AmEx receives about suspect shipping addresses and other information into a database that can be tapped during the authorization process. Users are seeing average reductions in fraud of about 40% since AmEx implemented the system last year, she said.