We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
business credit card fraud
sick2death
Posts: 65 Forumite
Hello MSErs.
First, if this is in the wrong forum, I apologise, to be honest I feel I may be grasping at straws posting here, but, no harm no foul.
I am essentially looking for any advice that I can get, as every turn seems to be drawing a blank at the moment.
The story...
I work in a family owned (I'm family) company, where the majority of business, in a nutshell, is selling reclaimed building materials. We sell around 75% locally, and around 25% nationally via our website and ebay.
Around 18 months ago, we had a telephone enquiry from a man wanting a quantity of reclaimed roofing slate. We had several phonecalls back and forth, and eventually agreed on a price - which was around £9000.
He paid over the phone with a credit card.
Now - I'll quickly have to explain this bit so it makes sense.
When you buy something over the phone, you have to provide the follwoing:
- Card number
- Expiray Date
- Security code (signature strip)
You optionally (at merchants discretion) can provide the house number and postcode of the house where the card is registered.
This information is put into the terminal. The terminal is handled by a merchant. The merchant will contact the cards bank, check the details are correct, and if they have enough funds available etc, and then provide you with an auth code.
This is, in a nutshell, what the visa machines do.
The auth code comes from the cardholders bank, and essentially, is passed to the card machine merchant, who in turn passes it onto the card machine.
If the data inputted into the machine does not match e.g. Entered postcode as XX19, whereas its XX12 - the terminal will report that the "data does not match".
So, we entered the customers details, including the house number and postcode - and we had a "data matched" code. Which basically means, his bank/cc company have confirmed the address and postcode we entered on the terminal, is the registered address for the cardholder.
We waited until the money from the transaction had arrived in our account, and then delivered the materials to the registered address (the one which matched on the card terminal).
The goods were delivered, signed for etc, no problem. Around 6 weeks later, we recieved a letter from streamline - the company who act as the merchant for the terminal, and the go-between for us and our customers banks, saying the transaction was fraudulent, and the money was being taken from our account. Which it did.
We immediatley disputed this, provided all the details we had, and we had our money back. It was again disputed, and the money went again.
From this there was quite a bit of back and fro'ing between streamline, and the "customers" bank (Barclaycard).
It turned out, the real card holder didnt live there, hadn't orderd slates, and obviously, knew nothing about this transaction. It was fraudulent.
There was police involvement, but is almost irrelevent, as nothing was recovered, or any prosecutions.
Streamline essentially blaimed barclays, as they just "pass the details across" Barclays blaimed streamline, as they said it was impossible for them to issue an incorrect code (AVS code).
We contacted the FOS. Who, long story short, said our contract was limited to Streamline (the terminal merchant) and as they have no control over codes issued etc, it really isnt there fault. We dont have a contract with the customers bank. We questioned this, and was told that this was a bit of a "grey area".
During the police investigation, they (the police) confirmed that the registered card holder, did not, and has not lived at the property, where we had the AVS code for, and subsequently delivered to. The card used was never registered at that property.
We passed this information onto our local MP, who then contacted barclaycard on our behalf.
Barclaycard got in touch with us, and explained how impossible it is for an incorrect AVS code to be issued. A bit more back and forth, and eventually they agree to do an internal investigation.
They came back to us, and confirmed an AVS code had been issued incorrectly. The details enetered into the terminal did NOT match the card holders details, so a "data not matched" code should of been issued, not a "data matched" code. Obviously not impossible then!
Whilst they have admitted they provided an incorrect code, they have not accepted liability. They have offered us a £1000 gesture of good will.
Admitadly, of the £9000, some of this is profit, and some can be re-claimed with VAT, so we are around £6000 down. We are a small company, in very difficult trading conditions, and to say this loss had a big effect on our business would be a massive understatement.
Sorry for the long post. I know its confusing, the situation isnt simple at all. If you did manage to understand, and have any advice or insights, I would be extremley greatfull to hear them.
Many thanks.
First, if this is in the wrong forum, I apologise, to be honest I feel I may be grasping at straws posting here, but, no harm no foul.
I am essentially looking for any advice that I can get, as every turn seems to be drawing a blank at the moment.
The story...
I work in a family owned (I'm family) company, where the majority of business, in a nutshell, is selling reclaimed building materials. We sell around 75% locally, and around 25% nationally via our website and ebay.
Around 18 months ago, we had a telephone enquiry from a man wanting a quantity of reclaimed roofing slate. We had several phonecalls back and forth, and eventually agreed on a price - which was around £9000.
He paid over the phone with a credit card.
Now - I'll quickly have to explain this bit so it makes sense.
When you buy something over the phone, you have to provide the follwoing:
- Card number
- Expiray Date
- Security code (signature strip)
You optionally (at merchants discretion) can provide the house number and postcode of the house where the card is registered.
This information is put into the terminal. The terminal is handled by a merchant. The merchant will contact the cards bank, check the details are correct, and if they have enough funds available etc, and then provide you with an auth code.
This is, in a nutshell, what the visa machines do.
The auth code comes from the cardholders bank, and essentially, is passed to the card machine merchant, who in turn passes it onto the card machine.
If the data inputted into the machine does not match e.g. Entered postcode as XX19, whereas its XX12 - the terminal will report that the "data does not match".
So, we entered the customers details, including the house number and postcode - and we had a "data matched" code. Which basically means, his bank/cc company have confirmed the address and postcode we entered on the terminal, is the registered address for the cardholder.
We waited until the money from the transaction had arrived in our account, and then delivered the materials to the registered address (the one which matched on the card terminal).
The goods were delivered, signed for etc, no problem. Around 6 weeks later, we recieved a letter from streamline - the company who act as the merchant for the terminal, and the go-between for us and our customers banks, saying the transaction was fraudulent, and the money was being taken from our account. Which it did.
We immediatley disputed this, provided all the details we had, and we had our money back. It was again disputed, and the money went again.
From this there was quite a bit of back and fro'ing between streamline, and the "customers" bank (Barclaycard).
It turned out, the real card holder didnt live there, hadn't orderd slates, and obviously, knew nothing about this transaction. It was fraudulent.
There was police involvement, but is almost irrelevent, as nothing was recovered, or any prosecutions.
Streamline essentially blaimed barclays, as they just "pass the details across" Barclays blaimed streamline, as they said it was impossible for them to issue an incorrect code (AVS code).
We contacted the FOS. Who, long story short, said our contract was limited to Streamline (the terminal merchant) and as they have no control over codes issued etc, it really isnt there fault. We dont have a contract with the customers bank. We questioned this, and was told that this was a bit of a "grey area".
During the police investigation, they (the police) confirmed that the registered card holder, did not, and has not lived at the property, where we had the AVS code for, and subsequently delivered to. The card used was never registered at that property.
We passed this information onto our local MP, who then contacted barclaycard on our behalf.
Barclaycard got in touch with us, and explained how impossible it is for an incorrect AVS code to be issued. A bit more back and forth, and eventually they agree to do an internal investigation.
They came back to us, and confirmed an AVS code had been issued incorrectly. The details enetered into the terminal did NOT match the card holders details, so a "data not matched" code should of been issued, not a "data matched" code. Obviously not impossible then!
Whilst they have admitted they provided an incorrect code, they have not accepted liability. They have offered us a £1000 gesture of good will.
Admitadly, of the £9000, some of this is profit, and some can be re-claimed with VAT, so we are around £6000 down. We are a small company, in very difficult trading conditions, and to say this loss had a big effect on our business would be a massive understatement.
Sorry for the long post. I know its confusing, the situation isnt simple at all. If you did manage to understand, and have any advice or insights, I would be extremley greatfull to hear them.
Many thanks.
My drinking club has a rugby problem
0
Comments
-
Have Barclays admitted in writing that they provided an incorrect response to the authorisation request?
If so, I believe that would almost certainly be considered negligence in their duty (contract or no contract) and you could take them to court. I really do reckon you would stand a good chance at winning this.
However, I would recommend the small claims route to be honest. Whilst this is limited to claims of £5000 or less, it would probably be fair easier and cheaper to go this route and you would (if successful) at least recover the majority of your losses.
They have made an offer of £1000 and even though this is called a goodwill gesture and no doubt has "without prejudice" slapped all over it, it cannot fail to look to a judge as though they are ultimately admitting responsibility for your losses.
I'm not a legal expert by any means but I definately think you should have a go at this.
And Barclays may even simply settle with you on reciept of the claim if they also believe they are on dodgy ground....0 -
It may also be worth naming Streamline and Barclays as joint defendants if you do decide to make a claim.0
-
Two things suggest to me that there has to be more to this than we (and perhaps the OP) are being told.
For the Barclays authorisation system to have returned the wrong response for a transaction that later proved to be fraudulent surely means there must have been something happening inside Barclays to recognise that when that authorisation request came in the correct response would be overriden (it could be a giant coincidence, but the chances of that are very remote).
And what happened to the slates that were delivered to the address given? Who signed for them? Where have they gone since then? I don't know what quantity £9,000 will buy but I wouldn't have thought you could just put it in the boot of your car and drive off. Sounds to me like the person who does live at that address could be involved somehow, in which case how did they get the card details? Is the cardholder also involved?0 -
Two things suggest to me that there has to be more to this than we (and perhaps the OP) are being told.
For the Barclays authorisation system to have returned the wrong response for a transaction that later proved to be fraudulent surely means there must have been something happening inside Barclays to recognise that when that authorisation request came in the correct response would be overriden (it could be a giant coincidence, but the chances of that are very remote).
Not at all - Bank authorisation systems are complex but they are not infalable by any means. Any number of things can occur that may result in the authorisation system providing a positive authorisation at the time
These authorisation systems are - at the end of the day - a network of servers and connections like any other - and like any network - they can and do sometimes go down or go slow, for some reason.
Many authorisation networks have failsafes processes in place to ensure that even if the core system goes down or it suffers unexpected slow downs, authorisations across the network can continue to be issued. It is perfectly feasible that the failsafes on Barclays network decides that if a connection goes down for a short period it will contnue to send back a positive authorisation to a transaction auth request, even if the network has actually timed out or been unable to get a positive data match. This is because when a network suffers unexpected down time, it is still better to enable merchants to continue to transact across the network - even if it results in you letting a percentage of fraud and other "bad" transaction slip through unnoticed.
When this happens however, a bank may not actually realise that it has affected a specific authorisation request until a dispute arises and they fully investigate their internal logs to ascertain the status of their network at the precise moment of authorisation.
I believe this could have been what has occured here, which is a) why a positive auth could have been given even though the post code was wrong and b) why Barclays insisted it was "impossible" until they investigated further.0 -
And what happened to the slates that were delivered to the address given? Who signed for them? Where have they gone since then? I don't know what quantity £9,000 will buy but I wouldn't have thought you could just put it in the boot of your car and drive off. Sounds to me like the person who does live at that address could be involved somehow, in which case how did they get the card details? Is the cardholder also involved?
All this is possible also, however it does not excuse Barclays providing a positive authorisation in the first place if the address details provided simply didn't match the CC billing address...
As above, if the Barclays network provided positive authorisation during a period of downtime, then they have to accept that and take the losses on the chin.0 -
Taking the OPs account of things as accurate, then I really do believe that in a small claims setting a Judge would take a very simplistic view of this.
1) Did the merchant act in good faith? (A. yes, he requested authorisation correctly and captured personal address information from the purchaser to verify his identity with the authorisng bank)
2) Did Barclays provide incorrect information in response to the merchants request to verify this information (A. yes - it appears barclays have admitted this in the outcome of their investigation and offer of £1000)
3) has the merchant suffered financial losses as a result of incorrect information being provided by Barclays (A. yes, he has)
I also think streamline are a bit of a red-herring in all this to be honest. At the end of the day, the authorisation is provided by Barclays to the merchant (even if that is through a streamline POS terminal) - and the chargeback request is also issued by barclays to the merchant (even if that is passed along by streamline). Still, I maintain that for completeness sake any claim should name them both as defendants.
In my experience, nothing p**ses off your average county court judge more than 2 big companies hiding behind "contracts" and "service agreements" whilst the little guy that has done nothing wrong gets screwed for thousands.0 -
MoneyMagic01273 wrote: »Not at all - Bank authorisation systems are complex but they are not infalable by any means. Any number of things can occur that may result in the authorisation system providing a positive authorisation at the time
These authorisation systems are - at the end of the day - a network of servers and connections like any other - and like any network - they can and do sometimes go down or go slow, for some reason.
Many authorisation networks have failsafes processes in place to ensure that even if the core system goes down or it suffers unexpected slow downs, authorisations across the network can continue to be issued. It is perfectly feasible that the failsafes on Barclays network decides that if a connection goes down for a short period it will contnue to send back a positive authorisation to a transaction auth request, even if the network has actually timed out or been unable to get a positive data match. This is because when a network suffers unexpected down time, it is still better to enable merchants to continue to transact across the network - even if it results in you letting a percentage of fraud and other "bad" transaction slip through unnoticed.
When this happens however, a bank may not actually realise that it has affected a specific authorisation request until a dispute arises and they fully investigate their internal logs to ascertain the status of their network at the precise moment of authorisation.
I believe this could have been what has occured here, which is a) why a positive auth could have been given even though the post code was wrong and b) why Barclays insisted it was "impossible" until they investigated further.
I agree that technically that could have happened, but what are the chances that it happened on a transaction that turned out to be fraudulent? Or are you suggesting that it's more widespread and is happening on all or a large proportion of transactions? That's why I said it could be a coincidence of a random error occurring on a fraudulent transaction, but the likelihood of that is extremely small.0 -
Where's chattychappy when we need him?
Are you for real? - Glass Half Empty??
:coffee:0 -
I agree that technically that could have happened, but what are the chances that it happened on a transaction that turned out to be fraudulent? Or are you suggesting that it's more widespread and is happening on all or a large proportion of transactions? That's why I said it could be a coincidence of a random error occurring on a fraudulent transaction, but the likelihood of that is extremely small.
Firstly - network downtime happens fairly regularly (not barclays, I mean just generally - any network). And fraud is much more common than people think it is. So imagine a network like Barclays could be handling literally thousands of authorisation requests every minute. You only need to have the system fail for a short period of time for thousands of transactions to be potentially impacted. Now, granted only a small percentage of those transactions occuring during a network failure may end up being fraud transactions that are accidentally approved - but even a small percentage of thousands of transactions means this isn't quite the "long shot" you may think it is.
But look, its just my theory (based on some knowledge of how these processes work). As I said - I don't believe a judge in a small claims court will really care to much about the technicalilities of how it could happen. I believe it could easily occur and if the OP really does have an admition from Barclays that they made an error (along with a "goodwill" offer) then my gut tells me he'd do alright if he made a claim against them.0 -
Hi S2D, (I can completely see where you got your name from!)
I don't understand how if the issuing bank has admitted it gave the wrong code, and that code is needed to continue with the transaction, that they can then deny liability...all other parties (except the fraudsters themselves) acted in accordance with procedures and in good faith...if the bank had done their job, the fraud could never have taken place, so again, how can they deny liability? I just don't get it!
Seems to me, they know they're liable and are just taking the chance that you will just take the hit and NOT do anything more about it, maybe hoping that you'll find it too expensive or you'll feel intimidated or something about taking on one of the biggies...
To that end, I think MoneyMagic01273 is absolutely right in everything he/she's said. Suing them seems the only way to go. I find it quite telling that PCI DSS validation isn't a requirement for issuing or acquiring banks.....says it all really.
Ultimately, if it comes to it, the bank should have audit logs showing what happened in relation to the transaction, though looking for that would be like looking for a needle in a haystack, but it does sound like they have already found somesuch evidence, otherwise why 'confirm' they gave the wrong code?
I think your case is pretty clear cut really and they're just banking (excuse the pun) on the fact you won't, for whatever reason, do anything about it.
I really hope you do sort 'em! I imagine you would have a HUGE amount of support from others if you do decide to.
MoneyMagic -
- not only CC judges either, try 99% of the population as well!In my experience, nothing p**ses off your average county court judge more than 2 big companies hiding behind "contracts" and "service agreements" whilst the little guy that has done nothing wrong gets screwed for thousands.
Good Luck S2D, I for one am right behind you on this.0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 352.3K Banking & Borrowing
- 253.6K Reduce Debt & Boost Income
- 454.3K Spending & Discounts
- 245.3K Work, Benefits & Business
- 601.1K Mortgages, Homes & Bills
- 177.5K Life & Family
- 259.2K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards