On the Internet, the Devil Is in the Exception Details

Norman G. Litell

Online merchants are understandably searching for lower-cost payments, and as a result many have been attracted to PIN debit and the ACH. But an examination of how these systems handle exception items—which can amount to 2% of a merchant’s payments—shows why signature cards are still the Internet retailer’s best bet.

No matter how you measure it, everyone agrees that Internet-based transactions are likely to generate more exceptions—and will therefore be costlier to handle—than transactions made through other channels. Since the cost of exceptions is generally borne by merchants, and most Internet transactions are made using signature-based cards, Internet merchants are understandably searching for alternatives to these cards in an attempt to reduce their overall acceptance costs.

While there may be some circumstances in which other payment options make sense, it is this author’s opinion that the signature-based card is still the best option for the majority of Internet merchants—as well as for the consumer. The reason is the signature card’s unique capability to handle the wide variety of exception situations that arise in Internet retailing. This article will outline how signature cards are able to handle these exceptions while the alternatives can’t. But first, let’s review a little background.

The Payments Landscape

There are currently four payment-system approaches available for processing Internet-initiated consumer payments:

1. Signature-based payment cards (American Express, Discover, MasterCard, Visa, etc.);
2. PIN-based network settlement of ATM/debit cards (“PIN-less debit”);
3. Intermediaries such as PayPal;
4. Direct demand-deposit-account (DDA) transactions.
Direct DDA transactions (using transit/routing and account numbers of the consumer DDA account and posting directly to that account) may be settled in several ways, including via the automated clearing house (e-checks) and the checking system (demand drafts).

In addition, Internet-initiated payments may be divided into two broad categories:

► Bill-payment transactions
► Ad hoc purchase/payment transactions

There is also growing use of the Internet for account-to-account (A2A) transfers of various kinds. However, for purposes of this article, we are ignoring transfers between accounts identifiably owned or controlled by the same person, and grouping other A2A transfers (e.g., from one individual to another person or to an unregistered account such as a prepaid/reloadable debit card) with purchase transactions. We will also leave discussion of intermediaries such as PayPal to another time.

Internet Bill Pay

When it comes to both exception rates and payment risks, there is a significant difference between bill-payment and ad hoc, or spontaneous, transactions. With bill payment, the consumer has an established, ongoing relationship with the merchant or service provider, and the merchant has typically assessed the consumer’s creditworthiness before agreeing to the relationship. When the account is set up, the merchant biller generally captures and stores consumer payment information, minimizing the need for data entry in future transactions. Payments are often made in advance, and the merchant has the option of canceling services—turning off the phone—if a payment bounces or turns out to be fraudulent.

There are obviously greater risks and more exceptions with new clients than with established clients, including problems with account setup, data entry, and the possibility of fraud. There are also more fraud risks with discretionary and non-critical services such as DVD rentals than with critical, fixed obligations such as insurance and mortgage payments.
Nonetheless, once a merchant has underwritten the customer and the first transaction has been successfully processed, bill-pay risk is generally low, there are few exceptions, and use of the Internet to initiate payments provides a cost and time saving to both parties.

Bill pay is a rapidly growing arena for both “PIN-less debit” and direct DDA transactions. Some PIN networks have recently changed their rules to allow certain types of low-risk transactions (e.g., utility payments) to be processed over their network without a PIN, and the ACH has seen rapid growth in Internet-initiated “WEB” transactions.

With low interchange rates for emerging markets such as governments, schools, insurance, pay/cable TV and utilities, signature-based payment cards are also finding growing use in bill-pay environments. This option is particularly attractive to consumers as it provides a convenient means of payment, reward-program benefits, and ad hoc access to credit where appropriate to pay important bills.

From the consumer-protection standpoint, there is little practical difference between payment mechanisms when using the Internet for bill payment. If the consumer disputes some aspect of a bill, no matter how the bill is paid, this issue should be addressed with the merchant biller before the bill is paid, not after, and not with the payment provider. While signature-based cards provide the consumer a wide variety of chargeback rights, the ones most relevant in a bill-pay situation relate to payment-processing errors that the biller would have to correct in any case.

In the bill-pay environment described above, the consumer receives a bill, in paper or electronic form, and takes a specific action to pay the bill via an Internet transaction. This is not the same as the consumer signing up for an ongoing billing arrangement where the merchant provides the bill in advance and automatically debits the consumer’s account for the amount of the bill.
Recurring transactions are often the subject of chargebacks when the service provider charges the consumer after the consumer has cancelled the ongoing relationship, a situation found for example in the case of health-club memberships, ISP contracts, etc. However, both approaches are similar in initial underwriting and setup issues, and both share a low rate of ongoing exceptions and fraud.

Ad Hoc Purchases

The ad hoc purchase environment is where the majority of exceptions and risks appear. And contrary to common belief, fraud is not the source of most chargebacks in the Visa system. Nor is the situation likely different in any other signature-based card system (AmEx, MasterCard, etc.). Recent Visa experience shows distribution of chargebacks in the U.S. as depicted in the chart at left:

The table on page 44 lists chargeback categories used in the Visa system. Similar categories are used in the other signature-based card systems. This table illustrates the breadth of exception situations that occur with consumer payment transactions. While these exceptions can occur in the card-present environment, they are more common in the card-not-present world—mail/phone (MoTo) orders and the Internet (chart, page 43).

Handling such exceptions is a core requirement for any merchant or bank. Many of these involve basic consumer protections afforded by Reg E, Reg Z, and other Federal and state laws.

Chargeback Rate
  Overall (Including eCom)    4 basis pt.
  eCommerce                   19 basis pt.

Chargeback Type     No. of Tx    $ Value
  Fraud-related     43%          35%
  Non-fraud         57%          65%

Source: private communication
Chargeback Rate as of Oct 2005; Chargeback Type (all transactions) as of July 2005. No separate breakout of Chargeback Type by internet vs. others.

Not Internet-Ready

While PIN-less debit may find limited use for bill pay, fraud risks preclude its use for ad hoc purchase transactions.
And while Internet-initiated ACH transactions are growing rapidly, of the 1 billion consumer-initiated payments totaling over $350 billion settled via ACH in 2004, only 1% were for online purchases. Nearly 81% were for bill pay, and the remaining 18% were funds transfers.

The basic reason that PIN-network and ACH payment options have found minimal use for Internet purchases is their lack of both security and exception-management capabilities. But this should come as no surprise, as neither of these issues had to be addressed when these systems were originally developed. In short, neither the ACH system nor the PIN-debit network was built to handle spontaneous Internet transactions.

ACH and Demand Drafts

The ACH was originally developed as a low-cost means of handling recurring bulk corporate payments. These are inherently low-risk transactions representing credits sent by governments, pension funds, payroll agents, etc., or debits for on-going relationship-based services such as utilities, insurance, etc. Fraud is essentially non-existent with traditional ACH originators, and exceptions are relatively few.

As with check clearing, the ACH network is operated by a set of independent but linked clearinghouses. In this decentralized, batch-processing model, there are no systemwide tools to detect and deter fraud as it is happening, and no central support mechanism to assist in resolving fraud and other exceptions.

As an open payment system, the ACH originally had no central authority to enforce system rules. While NACHA serves as a membership-based rule-making body governing the ACH system and has recently increased its efforts to monitor participant performance, enforcement of NACHA rules was historically based on one participant filing a complaint with NACHA about the actions of another.

In addition to using the ACH, some merchants have begun to capture DDA information online and create demand drafts, which they clear through the checking system.
While this approach may have advantages in some special situations (e.g., last minute bill-pay transactions), it has attracted much fraud and other abuse, including fraud by unscrupulous merchants.

ACH transactions provide the consumer with the protections of Reg E, whereas demand drafts are handled under check law, which can be much less advantageous to consumers making purchases via the Internet. As a result, the Federal Reserve is exploring a variety of options to increase regulation of demand drafts, and may either eliminate them entirely or bring them under the same level of consumer protection and control as Reg E items. In any case, as with the ACH, the decentralized checking system provides no centralized tools for fraud and exception management.

Selected Internet Statistics

► Nearly 10% of all online transactions are fraudulent vs. 1% of all credit card transactions in a brick-and-mortar environment. Source: Meridian Research, Inc.
► The average credit card fraud rate for Internet transactions is between 25 cents and 28 cents per $100 vs. 7 cents per $100 dollars in brick-and-mortar environments. Source: Jupiter Media Matrix
► Chargebacks make up: 1.14% of Internet transactions, 0.36% of Mail Order/Telephone Orders and 0.09% of in-store transactions. Source: Gartner/VISA

PIN Networks

Nor do PIN-debit networks offer a ready-to-hand alternative for ad hoc Internet payments. The ATM/PIN-debit network is a single-message electronic system that requires the card to be read by, and the PIN to be entered into, a device that encrypts the PIN before transmitting the transaction record for authorization and clearing. This security process only works in a card-present environment with an expensive and highly secure terminal.
Several approaches have been developed and tested for implementing equivalent security on Internet transactions, but all have required additional hardware (e.g., PIN pads attached to a PC), custom access devices (e.g., the NYCE network’s SafeDebit CD-ROM), or digital-certificate software to handle secure storage and entry of account information and a PIN or password. None of these approaches has turned out to be commercially feasible, and all face significant challenges in adoption.

But more important, PIN networks have never developed significant support for exception management. The requirement that PIN transactions be card-present means that consumers actually visit the merchant location. They generally see what they are buying and generally take it with them. In addition, traditional limits on cash withdrawal and transaction amounts mean that PIN-based purchases seldom exceed $500.

If consumers have a problem with services or merchandise, or simply want to return an item, they return to the merchant for satisfaction and receive a credit by entering their card and PIN in the POS terminal. Without the card and PIN, the only way a merchant can reverse or adjust a purchase is via cash or check.

This lack of capability to credit a consumer on the Internet is a major issue with PIN-based systems. Overall, merchants credit back approximately 2% of total purchases (2.5% of dollars) processed through VisaNet, and there is no reason to believe that this pattern would be any different if the consumer used another form of payment.

Designed for Online

By contrast, signature-based card systems were designed at the outset to support the full range of issues associated with ad hoc transactions. Specifically, the card associations have built sophisticated tools to manage fraud and exception items.
These tools offer the assurance of:

• Good Transactions: Assurance that purchasers are who they say they are and have authority to make transactions against the designated account;
• Good Funds: Assurance that the merchant will be paid;
• Exception-Management Support: Systems that facilitate handling of the large number of issues and exceptions that inevitably arise in commerce.

Of course, nothing is perfect. Fraud happens, and the merchant may be liable, especially in the card-not-present world. Other things go wrong as well. But the key point is that no other payment system has the same capabilities to support the core needs of merchants dealing with Internet transactions—in particular, exception management.

Building these capabilities from scratch would be an extremely difficult task for a new payment system, and the real costs to merchants of operating with the limited ACH or PIN-debit system capabilities would be extremely high.

Take one example: credits. Creating and mailing checks for the 2% of purchases that would likely require credits would create significant costs and fraud risks for Internet merchants, including issues of lost/stolen checks, forged checks, altered checks, counterfeit checks, and ACH transactions generated using the account information from a legitimate check. With signature-based cards, none of these issues arise.
Visa Chargeback Categories

Fraud
► Fraudulent Multiple Transactions
► Counterfeit Transaction
► Fraudulent Transaction—Card-Present Environment
► Fraudulent Transaction—Card-Absent Environment

Non-Receipt of Information
► Requested Copy Illegible or Invalid
► Cardholder Does Not Recognize Transaction

Authorization Errors
► Account Number on Exception File
► Declined Authorization
► No Authorization
► Expired Card
► Incorrect Transaction Code
► Non-Matching Account Number

Processing Errors
► Late Presentment
► Incorrect Transaction Amount or Account Number
► Duplicate Processing
► Paid by Other Means

Cancelled or Returned
► Cancelled Recurring Transaction
► Not as Described or Defective Merchandise
► Credit Not Processed

Non-Receipt of Goods or Services
► Services Not Provided or Merchandise Not Received

Of the many types of fraud and exception situations, little is unique to the Internet. And the same types of due diligence and fraud-prevention methods used in many POS situations are equally applicable to MoTo and Internet transactions. If someone purchases a TV from Sears and has it delivered, the purchaser can always claim it was not delivered, no matter how it was paid for. The real question is, which system makes it easiest for merchants to handle such a situation—both to avoid it and deal with it if it happens?

One of the merchant’s largest Internet risks—fraudulent purchases—was largely eliminated when MasterCard and Visa implemented 3-D Secure technology (MasterCard’s SecureCode and Verified-by-Visa). No such capability exists for ACH transactions, and NACHA’s nine-year effort to develop secure Internet transactions (Project Action) illustrates how difficult it is to add this capability to a payment infrastructure that was never designed with that requirement in mind.

The card associations have expended significant efforts in support of 3-D Secure.
Integrated marketing and advertising campaigns help drive consumer awareness, activation, and usage; implementation guides have been distributed to acquirers and merchants; and the associations have worked with many of the largest merchant service providers to ensure they understand the value of providing this capability to their merchant clients. Unfortunately, not all merchants have adopted 3-D Secure, and many are pursuing other options despite the fact that it can actually reduce the merchant’s interchange cost.

Of course, 3-D Secure is not the total answer to merchant problems. But the fact that more than half of all chargebacks are for reasons other than fraud suggests that merchants could also do a far better job of managing their own back office operations, and communicating clearly, openly, and fully with their customers—Internet and otherwise.

Education Is the Remedy

Internet merchants vary greatly in size, sophistication, and the kinds of business they do, and these differences have a substantial impact on their cost structure and their levels of fraud and exceptions. But two things seem to stand out in most discussions about these issues: a general lack of merchant knowledge about the full range of capabilities and support functions available from signature-based card systems, and a naive assumption that other options could work just as well at much lower cost than signature-based card systems.

With payment systems, there is a clear relationship between cost and value-added. Clearing and settling transactions is simple and cheap. It is exceptions that cause the problems. And despite their surface appeal, inexpensive payment options do not provide any real value-add in managing exceptions.

Merchants’ naiveté is not necessarily their fault.
Despite significant efforts by card associations to develop educational materials and programs, many banks and processors do a poor job of educating their merchant clients and supporting them with the full range of tools available to manage acceptance costs and risks. All of us in the payments industry need to do a better job in this regard. And when we do, it will become clear that we should spend less time thinking about creating new systems and more time understanding and leveraging the systems we already have.

Formerly an executive at Bank of America, Merrill Lynch, and Citibank, Norman G. Litell was most recently at Visa USA, where for four years he was vice president of strategic planning.