January 21, 2022

What financial losses does the merchant incur when a stolen credit card is used to purchase something?

Who Pays the Bill for Theft? Who is responsible for the financial loses when a stolen credit card is used by a criminal? The criminal usually has a short-term financial gain. The issue then becomes how to allocate the financial loss associated with the theft. Who pays for the criminal’s gain? Is it the card holder (you), card issuer (your bank), credit card company (e.g., Visa®), or merchant (the retail store)? Many people errantly believe it is the credit card company. It turns out that the merchant is almost always forced to absorb the loss. In addition to the financial loss associated with the stolen merchandise, the merchant may also be “penalized” by the credit card company if the merchant was responsible for the loss of customer data. The purpose of the fine is to cover costs related to additional operating costs and subsequent fraudulent charges. In one case, Visa levied a $13 million fine on Genesco Inc. for losing customer credentials and credit card information.22 Genesco, a Nashville-based corporation with subsidiaries who sell footwear and sports apparel, had the $13 million seized by its banks, Wells Fargo and Fifth Third Financial, and remitted to Visa. Genesco subsequently sued Visa for failing to follow its own rules, claiming they had not proven accounts were actually stolen. According to Visa’s rules and procedures banks are not liable for losses related to a data breach unless the following criteria are met:

1. At least 10,000 accounts are stolen.

2. The merchant committed a PCI violation that allowed the theft to occur.

3. Amount of counterfeit fraud on the stolen accounts exceeded the amount of fraud that normally would occur on a card. Genesco argued that Visa had not proven that any account information was stolen; only that it was possible accounts were stolen. Genesco did find packet-sniffing software installed on its network, but says that frequent rebooting of its servers would have wiped the logs that contained the possibly stolen account information. Genesco also argued that they were not presented with evidence that there was additional counterfeit fraud above normal. This lawsuit is interesting because it is one of the first times a merchant has sued a credit card company for wrongfully seized funds. It raises questions about procedural oversight and who should be able to levy fines for data loss or fraudulent activities. Could businesses be summarily fined without oversight by a third party? Given the amount of internal corporate fraud that currently exists, it is possible that a disgruntled employee could install a packetsniffer on a corporate network and monitor traffic. The corporation could then be liable for any financial losses and the associated fines, even if there were no proof that data were stolen. In the Genesco case, the attacker was not identified. The following are key findings from the Association of Certified Fraud Examiners’ annual Report to the Nations on Occupational Fraud and Abuse.23 These findings provide insight into the quantity, severity, frequency, and form of fraud seen in corporations around the world. These findings are especially relevant to corporations involved in manufacturing, banking, and finance. Financial Losses—Survey participants estimated that the typical organization loses 5 percent of its revenues to fraud each year. Applied to the 2011 Gross World Product, this figure translates to a potential projected annual fraud loss of more than $3.5 trillion. The median loss caused by the occupational fraud cases in our study was $140,000. More than one-fifth of these cases caused losses of at least $1 million. Fraud Detection—Occupational fraud is more likely to be detected by a tip than by any other method. The majority of tips reporting fraud come from employees of the victim organization. The frauds reported to us lasted a median of 18 months before being detected. Forms of Fraud—As in our previous studies, asset misappropriation schemes were by far the most common type of occupational fraud, comprising 87 percent of the cases reported to us; they were also the least costly form of fraud, with a median loss of $120,000. Financial statement fraud schemes made up just 8 percent of the cases in our study, but caused the greatest median loss at $1 million. Corruption schemes fell in the middle, occurring in just over one-third of reported cases and causing a median loss of $250,000. Fraud Controls—The presence of anti-fraud controls is notably correlated with significant decreases in the cost and duration of occupational fraud schemes. Victim organizations that had implemented any of 16 common anti-fraud controls experienced considerably lower losses and time-to-detection than organizations lacking these controls. Perpetrators—Perpetrators with higher levels of authority tend to cause much larger losses. The median loss among frauds committed by owner/executives was $573,000, the median loss caused by managers was $180,000, and the median loss caused by employees was $60,000. The longer a perpetrator has worked for an organization, the higher the fraud losses tend to be. Perpetrators with more than 10 years of experience at the victim organization caused a median loss of $229,000. By comparison, the median loss caused by perpetrators who committed fraud in their first year on the job was only $25,000. Targets—As in our prior research, the industries most commonly victimized in our current study were the banking and financial services, government and public administration, and manufacturing sectors. The vast majority (77 percent) of all frauds in our study were committed by individuals working in one of six departments: accounting, operations, sales, executive/ upper management, customer service, and purchasing. This distribution was very similar to what we found in our 2010 study. Identifying Fraudsters—In 81 percent of cases, the fraudster displayed one or more behavioral red flags that are often associated with fraudulent conduct. Living beyond means (36 percent of cases), financial difficulties (27 percent), unusually close association with vendors or customers (19 percent), and excessive control issues (18 percent) were the most commonly observed behavioral warning signs.