Credit and debit cards came into common use in the United States in the late 1950s, and were introduced in the UK by Barclays Bank in 1966. Their use expanded very rapidly in the 1980s, perhaps stimulated by the growing disparity between the amounts for which cards could be used and the more modest amounts covered by cheque guarantee cards.
Card transactions do not involve cheques, with the result that section 24 of the Bills of Exchange Act 1882 does not apply. Card issuers (referred to here for convenience as banks) are therefore free to apply different rules from those governing the risk of forgery of cheques, and the rules embodied in the terms and conditions on which they issue credit and debit cards are indeed different. (In some circumstances the voucher signed by the customer might in law be a cheque, with the result that section 24 of the Act would override the contractual rules; but we are not aware of any case where this has been argued.)
Although banks’ terms vary in their details, the general rule is that the customer is responsible for:
all transactions carried out by the use of the card with the customer’s authority; and
all other (i.e. fraudulent) transactions carried out by the use of the card, up to a limit of £50. This limited liability for fraudulent transactions ceases when the customer informs the bank that the card has been lost or stolen. These rules reflect the provisions of sections 84 and 171 of the Consumer Credit Act 1974 and the regulations made under it relating to credit cards.
By comparison with the case of cheque forgery, this régime transfers to the customer a limited part of the risk of fraudulent use of the customer’s card. Such use of the card depends on physical possession of the card, however, and the customer can reduce the risk by taking good care of the card and by promptly reporting its loss. Taking care of articles like cards or keys is largely a matter of common sense (to be contrasted with the precautions required to protect electronic systems, as discussed below). The £50 exposure can be seen as providing an incentive to the customer to take care of the card and report its loss promptly.
The balance of the risk that is not carried by the customer is borne by the bank or the merchant. The terms governing the relationship between the merchant and the bank determine this allocation. Where the cardholder is present at the transaction, and where the merchant has not been plainly careless in accepting a non-conforming signature, and has complied with limits on the amount of an individual transaction and other applicable rules, the bank normally carries the risk. Merchants therefore have an incentive to take appropriate care in accepting card transactions, but are guaranteed payment by the bank if proper care has been taken, just as if they had accepted a cheque with a cheque guarantee card (and with the advantage that much higher amounts can be covered).
This analysis deliberately ignores the rôle of banks acting as card transaction acquirers, who function as financial intermediaries between the merchant and the card issuing bank, because in considering where risk falls as between customer, merchant and the banking system, it is immaterial which component of the banking system is involved.
It is clear from this discussion that possession of the relevant card plays a substantial role in authenticating a card transaction, and that signature verification is much less significant than in the case of cheques. This conclusion is supported by the fact that in the UK signatures are usually made on multi-part forms, with the customer retaining the top copy. In any subsequent dispute, the copy or copies of any voucher available for expert examination will bear only ‘carbon’ copies of the customer’s (or alleged customer’s) signature. Forgeries are an order of magnitude more difficult to detect from carbon copies.
Cards may also be used in transactions where the cardholder and the merchant do not meet, and no voucher may be signed. Examples are the use of a card for mail orders, by telephone, by electronic mail or through a web page. (Such transactions are classified as ‘cardholder not present’ or sometimes as ‘MO/TO’, meaning ‘mail order or telephone order’. We refer to them for simplicity as remote card transactions.) The incidence of risk in remote card transactions is quite different from that where the card is presented by the customer to the merchant.
In a remote card transaction, the customer provides the merchant with information apparent from the face of the card: its type (typically Visa or Mastercard), its number, its expiry date and the name of the cardholder. (Except in the case of mail order, the customer provides no signature; and in mail order the merchant cannot compare the signature with that on the card.) The ability of the customer to provide the card information does not depend on possession of the card: it is available to anyone through whose hands the card has passed in the course of earlier transactions, perhaps to the cardholder’s family and friends, and to anyone who may have received or intercepted the information as it was transmitted by telephone or through the Internet. (It would not be difficult to establish a website purely for the purpose of obtaining cardholder information, by offering transactions at favourable prices which the site owner has no intention of concluding.)
Where the purpose of a remote card transaction is to order goods for delivery, the merchant may be able to check the address of the cardholder through the bank, and can decline to deliver the goods except to that address. Where available this procedure provides some protection from fraudulently placed orders (except for goods ordered as third party gifts, like flowers, where this procedure cannot be followed; but such cases are usually of comparatively small value). Where the order is for online services, however, such as the downloading of software or the provision of access to online databases, no such precaution can be taken. In these cases there is very little impediment to fraud (either by the customer falsely repudiating a genuine transaction, or by an imposter using the customer’s card details without authority). (We have disregarded the process of ‘authorisation’, where a merchant complies with a requirement to check with the bank whether a transaction may proceed. The reason is that while this process enables the bank to check that the customer has not reported the card stolen or is not exceeding a credit limit, for example, it does not enable the bank to check that the card information is being used by the customer rather than an imposter. It does not guarantee payment where the customer is not present at the transaction, and therefore does not alter the balance of the risks under discussion.)
The liability régime is simple, although its implications do not seem to be widely understood. If the cardholder denies having entered into a remote card transaction in which the relevant card information was provided, and there is no evidence of delivery of goods to the customer or voucher signed by the customer, the bank has no basis on which to debit the customer’s account. The mere use of the card information is not enough to show that the customer authorised the transaction, because of the wide class of other persons to whom the information is available. Merchants are of course members of that wide class, possessing card information in abundance: for the merchant, ‘forgery’ of a remote card transaction is a trivial task. Faced with apparently unmanageable risks of this kind, the banks have adopted the simple approach of requiring the merchants to carry the risk. If a cardholder repudiates a remote card transaction for which there is no evidence of delivery of goods to the customer, or voucher signed by the customer, the bank makes a ‘chargeback’, i.e. obtains reimbursement from the merchant of anything paid to the merchant in respect of the transaction (and may also make an administrative charge). The merchant is in practice unable to transfer this risk to anyone else, since he is unlikely to be able to prove who initiated the relevant transaction.
The banks naturally appreciate the perilous position in which this régime places the merchants. They are sometimes unhelpful to cardholders who repudiate remote transactions, by refusing to reverse the repudiated debit and responding that the cardholder must resolve the dispute with the merchant; but they are aware that this stance is unsustainable where the cardholder denies having participated in any transaction with the merchant, and in the face of persistence by the cardholder they will accept that the transaction must be reversed. (This is not to say that customers face no problems: in some cases they have required considerable persistence in the face of evasions, and faced long delays; in others they have suffered foreign exchange losses where a debit and a credit of the same amount in foreign currency have left them with a shortfall.)
The greatest risk to the merchant obviously arises from the provision of online services. This risk is not new, but it has been highlighted by the growth in commerce carried out over the Internet: although online services can be provided in response to a telephone card transaction (by the supply of information, for example), the range of services which can be provided online has expanded greatly with the commercialisation of the Internet. The problem of managing the resulting risks for merchants may well prove to be a growing impediment to the growth of electronic commerce in online services.
For transactions carried out by the cardholder using a web browser to connect to a supplier’s web page, it is possible to establish a secure connection so that the card information is delivered in encrypted form (using protocols such as TLS or SSL (Dierks99)). This procedure is widely followed, and provides some welcome protection against interception of the card information in transit. It cannot affect the wide availability of card information from other sources, and since the procedure cannot provide evidence that the supplier of the card information is authorised by the cardholder to conclude the transaction, it does not materially reduce the merchant’s risk.
Visa and Mastercard have promulgated a standard for Secure Electronic Transactions, referred to as ‘SET’ (SET99). It would enable the merchant to check that the bank will accept the cardholder’s authority as genuine, and would thereby presumably remove the risk from the merchant, or at least reduce it. The SET standard has not gained acceptance, perhaps because it is over-elaborate and its implementation would be burdensome and expensive. The SET specifications do not deal with the legal régime covering relations between the bank, the merchant and the customer, presumably because this is a matter for individual banks and because the existing régime is expected to continue to apply. If the merchant’s risk of chargeback is to be removed or reduced by treating the customer as present in a SET transaction, it therefore seems probable that the customer will be precluded from repudiating a SET transaction which appears to have been authorised by that customer. But the risk to the customer of losing control of the means of authorising SET transactions (which consists of information stored in electronic form) is very different from the risk of losing a plastic card, as we explain below.
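The two preceding paragraphs make a technical point that is easy to miss: a TLS-protected channel keeps static card data confidential in transit but gives the merchant no evidence of who supplied it, whereas a cardholder-held electronic credential (the SET approach) does, at the cost of making that credential the thing whose loss shifts risk to the customer. The following model is an added example, not code from the paper, from SET, or from any bank; it uses an HMAC over the order details with a bank-issued secret as a deliberately simplified stand-in for SET’s certificates and signatures, and all card data, merchant ids and credentials are constructed sample values.

```python
"""Model: static card data vs a cardholder-held credential (added example, not SET itself)."""
import hashlib
import hmac
import secrets

# Constructed sample card; this is a well-known test number, not a real account.
CARD = {"type": "Visa", "number": "4111111111111111", "expiry": "12/99", "name": "A CARDHOLDER"}
MERCHANT = "shop.example"  # hypothetical merchant identifier


def remote_record(card, merchant_id, amount):
    """What a merchant actually holds after a remote (MO/TO or web) transaction: the
    face-of-card data plus the order. TLS kept this confidential in transit, but the
    record is identical whoever typed the details in."""
    return {**card, "merchant": merchant_id, "amount": amount}


def cardholder_authorise(credential, card_number, merchant_id, amount, nonce):
    """Hypothetical cardholder-held credential: a keyed tag over the exact order, which
    only a holder of the bank-issued secret can produce (stand-in for a SET signature)."""
    msg = f"{card_number}|{merchant_id}|{amount}|{nonce}".encode()
    return hmac.new(credential, msg, hashlib.sha256).hexdigest()


def bank_accepts(bank_credentials, card_number, merchant_id, amount, nonce, tag):
    """Bank-side check the merchant can rely on: recompute the tag with the credential
    the bank issued for this card and compare in constant time."""
    credential = bank_credentials.get(card_number)
    if credential is None:
        return False
    expected = cardholder_authorise(credential, card_number, merchant_id, amount, nonce)
    return hmac.compare_digest(expected, tag)


def demo():
    # Static data: the genuine cardholder and someone who has merely seen the card
    # produce byte-for-byte identical merchant records, so there is no basis to debit.
    static_indistinguishable = remote_record(CARD, MERCHANT, "49.99") == remote_record(CARD, MERCHANT, "49.99")

    credential = secrets.token_bytes(32)              # issued by the bank, held by the cardholder
    bank_credentials = {CARD["number"]: credential}   # bank's record of issued credentials
    nonce = "order-0001"                              # per-order value supplied by the merchant
    tag = cardholder_authorise(credential, CARD["number"], MERCHANT, "49.99", nonce)
    genuine_ok = bank_accepts(bank_credentials, CARD["number"], MERCHANT, "49.99", nonce, tag)
    # Knowing everything on the face of the card is no longer enough without the credential...
    forged = cardholder_authorise(b"not the credential", CARD["number"], MERCHANT, "49.99", nonce)
    imposter_ok = bank_accepts(bank_credentials, CARD["number"], MERCHANT, "49.99", nonce, forged)
    # ...and the tag is bound to the order, so the amount cannot be altered afterwards.
    tampered_ok = bank_accepts(bank_credentials, CARD["number"], MERCHANT, "499.99", nonce, tag)
    # But the credential is copyable information: a copy authorises exactly like the original,
    # which is the paper's point about losing control of electronic means of authorisation.
    copied_ok = bank_accepts(bank_credentials, CARD["number"], MERCHANT, "49.99", nonce,
                             cardholder_authorise(bytes(credential), CARD["number"], MERCHANT, "49.99", nonce))
    return static_indistinguishable, genuine_ok, imposter_ok, tampered_ok, copied_ok


if __name__ == "__main__":
    print(demo())
```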
With the spread of availability of strong cryptographic products and services outside the United States, and the possibility of a single market in the European Union in such products and services, the banks will need to revisit these liability and security issues. Small and medium sized enterprises are among those which can derive the greatest benefit from access to selling over the Internet, but can least afford exposure to the risks which remote card transactions place on merchants. Provision of online services is one of the most effective uses of the Internet for electronic commerce, and is a valuable sector for just such enterprises, but when payment is made through existing card systems it attracts the greatest risk to merchants.
As electronic commerce grows, and merchants experience increasing levels of chargeback from the use of conventional card information in the new electronic medium, it is likely that there will be growing pressure from merchants for the adoption of procedures to lessen their exposure. But for the reasons explored below, any temptation for the banks to use the adoption of new technical security procedures to transfer those risks from the merchant to the customer should be sternly resisted, not only in the interest of the customers but in the wider interest of public confidence in electronic commerce.
Some card transactions in the United Kingdom have the benefit of section 74 of the Consumer Credit Act 1975, with the result that if the merchant defaults on his obligations to the customer, the bank is jointly liable for the default with the merchant. This is an extremely important protection for the consumer, especially given the difficulty for the consumer of knowing who he or she is dealing with on the Internet. Its extension to all card transactions, and the removal of doubts about its applicability to transactions with overseas merchants, where the Government and the banks have expressed opposite views, would do much to give consumers justified confidence in electronic commerce. But merchant default of this kind is not fraud in the sense under discussion in this paper.