Understanding Payment Fraud in iGaming

by Florian Tanant
The payment ecosystem is notoriously complex.
And nowhere is this more apparent than when it comes to issuing chargebacks. Who should do it? Why?
As we will see, with liability shifts, the answer isn’t always straightforward. Let’s shed a light on things below.
A payment liability shift happens when new rules or regulations update who is responsible for issuing a chargeback.
Chargeback requests often lead to refunds, which is why neither merchants nor card issuers want to absorb the losses. The liability falls on different participants depending on the payment scenario, the technology used, and the security measures put in place.
The chargeback regulations are designed to improve the security of payments in both card-present and card-not-present (CNP) scenarios. Stakeholders will attempt to minimize risk by enforcing the use of security technologies, such as EMV chips or 3-D Secure.
The critical point to understand is that every time a new payment regulation comes into place, you can expect the liability of issuing chargeback refunds to shift. The responsibility to pay the chargeback will fall on whomever is considered the weakest point in the long and complex payment chain.
Throughout the history of online payments, the responsibility for processing chargebacks has been passed back and forth between card issuers and merchants – whether those chargebacks come from fraudulent payments or not.
Let’s look at a few key dates:
Let’s break down the two fundamental liability changes in more detail below.
The EMV liability shift was a noteworthy change in the rules that covered payment terminals between 2015 and 2021.
Before the deployment of EMV chips, which generate a new authentication code for each transaction, these point-of-sale debit and credit card payments were deemed risky. Europay, Mastercard, and Visa worked together to increase the security of these payment channels, which shifted liability onto the merchant in case of a chargeback refund.
Here are examples of some of the rules put in place:
The idea was to be more strict about the specific situations where merchants, issuers or acquirers had to take care of the chargeback.
Another liability shift happened during the launch of the Strong Customer Authentication (SCA) regulation, part of the EU’s PSD2 directive from 2015.
It encouraged the deployment of the 3-D Secure protocol, designed to improve the security of online card payments.
A direct consequence of 3DS was that the chargeback liability shifted back to the acquirer. While there are concerns about the added friction for the customer, the extra authentication step is shown to reduce risk for the merchant.
Note that effective from October 2021, 3-D Secure was updated to a second version. This does not affect the last liability shift.
The European Commission is also in the early stages of a new update to the regulation, PSD3.
At the moment, there is no single answer. The liable party for a fraudulent payment depends entirely on the payment use case or method used.
Payment Method Used | Liable Party |
Chip and PIN (card present) | Card issuer |
Magnetic stripe (card present) (if the terminal can’t accept chip and PIN or isn’t certified for it) | Merchant/Acquirer |
Contactless (card present) | Card issuer |
Online CNP using 3-D Secure | Card issuer |
Online CNP not using 3-D Secure | Merchant/Acquirer |
Telephone, mail order, and other offline CNP | Merchant/Acquirer |
As a merchant, you will want to study the above table to better understand and promote those methods that allow you to risk the least.
If the liable party is the card issuer, this means the merchant is less likely to face issues down the line.
For example, you can see that without 3-D Secure, it’s the merchant who becomes liable for online payments using a stolen card. However, 3-D Secure also introduces friction – so it’s a balancing act.
What will the next liability shift be? There is no way to tell. However, whether you are a payment provider or a merchant – or anyone accepting online card payments, for that matter – the key is to be prepared.
And being prepared in the CNP space means one thing: understanding and reducing fraud and chargebacks.
Here are a few strategies to put in place today:
So, how much are chargebacks likely to be costing you today? Use the calculator below to get an estimate.
SEON combines multiple data enrichment modules to gain as much information as possible about a customer and transaction without adding friction.
This includes an innovative device fingerprinting solution that captures hundreds of parameters, allowing you to get a better idea of who is paying for the transaction – and especially who is trying to pay using suspicious configurations of software and hardware.
All this data is fed through risk rules, which allow you to get a concrete idea of how likely you are to deal with chargeback fraud or even first-party fraud. The system then lets you automatically approve or decline the transaction, or flag it for manual review.
SEON also allows you to deploy two powerful machine learning modules to analyze your transaction and user data, as well as suggest risk rules that are relevant to your business only.
All of the above is available via easy-to-integrate granular reporting, REST APIs, pay-per-call pricing, and outstanding support and documentation – as well as an end-to-end platform, for those who prefer a holistic solution.
Partner with SEON to reduce fraud rates in your business with real-time data enrichment, whitebox machine learning, and advanced APIs.
Ask an Expert
EMV is a technology standard created by Europay, Mastercard, and Visa – and is inspired by their names. Europay has since been acquired by Mastercard. The idea remains the same: to enhance payment security at point-of-sale terminals, in particular via the electronic chip you find on many payment cards today.
When a new rule, law or technology is deployed to reduce payment fraud, the responsibility of issuing chargebacks may shift. This liability may shift to the merchant, issuer, or acquirer, depending on the scenario.
Who has to process a chargeback refund varies depending on which security measures were put in place at the payment stage. This is why the liability may shift from merchant to acquirer or issuer depending on the circumstances. Generally speaking, when all of the available authentication measures are in use, the liability tends to fall on the card issuer.
Showing all with `` tag
Click here
Communication Specialist | Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.
The top stories of the month delivered straight to your inbox