5 December 2009

Payment refused based on where I am

My wife just encountered an increasingly common example of private sector Internet border enforcement. From our living room in London, England, she decided to purchase a gift for a US-resident family member. She logged into a US retail web site and entered her order. She specified a US shipping address. She then went to "check out" and tried to use her US credit card (i.e., a card issued by a US domiciled bank) to pay. Her credit card address of record is our family address inside the US.

So here she was: sitting in London, visiting a US web site for a US retailer, purchasing a product for shipment to a US address, and paying with a US credit card linked to a US address.

The result: an unhelpful error message stating "Unsuccessful authorization". Payment declined. Frustration ensued.

Deciding to test my "Internet Borders" hypothesis, my better half telephoned the US retailer help line. The help desk person confirmed that her payment had been denied for one reason only: the web server had (correctly) guessed that she was physically located outside the US when she entered her card details and made the payment request.


Now don't get me wrong, I'm not complaining about this retailer's behaviour. (All right, I am a little.) I can easily imagine why their online team have implemented this "block" on payments made from "overseas" (in this case, meaning outside the US). My guess: efforts to reduce credit card fraud.

Online retailers constantly face the problem of being used to harvest value from stolen credit card details. The usual path (according to my friends whose job it is to know about such things) is: stolen card details are collected and passed to a gang; the gang sells card details; the end-criminal uses the stolen details to purchase items with good re-sale value from an online retailer; the purchased products are then sold (at discount) and essentially converted to cash. (Consider this the next time you see an unlicensed vendor on the street with quality merchandise at prices that are too good to be true.)

Since this US retailer does not normally ship orders outside the US, they probably assume that any purchase request originating from outside the US is suspect. Statistically I suspect they are correct.

This sort of "online borders" strategy to reduce fraud is certainly not limited to US retailers. For example, this technique is also used by one of the larger charities in the UK. When I gave a version of my "Internet Borders" talk to a group of IT Directors for UK charities, one of them later admitted that his charity now refuses ALL online credit card donations if the donation appears to originate from a specific country (which I won't name: let's call it Ruritania). The problem they faced is that a criminal gang in Ruritania would gather a large number of stolen card details and then "test" these for validity by making very modest online donations to the charity. When the charity started to notice a ridiculously large number of small donations emerging from within Ruritania, they figured out that something was wrong. The simple fix: an embargo on all credit card donations if it looks like the donor is physically in Ruritania when entering payment details.
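The charity's reasoning can be sketched in code. This is an added example, not anything the charity or this post published: it flags a country when most of its donations are very small and come from many distinct cards, then applies the embargo. The record layout, the thresholds and the sample data are all assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample records: (geolocated_country, amount, card_fingerprint).
# "RURITANIA" is the post's fictional country; every value here is made up.
SAMPLE = (
    [("GB", 25.00, f"gb-{i}") for i in range(40)]
    + [("GB", 1.00, "gb-small-1"), ("US", 50.00, "us-1"), ("US", 2.00, "us-2")]
    + [("RURITANIA", 1.00, f"rr-{i}") for i in range(60)]
    + [("RURITANIA", 20.00, "rr-legit")]
)

SMALL_AMOUNT = 2.00      # assumed ceiling for a "very modest" donation
MIN_SMALL_COUNT = 25     # assumed volume before a country is considered at all
MIN_SMALL_SHARE = 0.80   # assumed share of a country's donations that are small


def country_profiles(records):
    """Per country: total donations, small donations, distinct cards behind them."""
    stats = defaultdict(lambda: {"total": 0, "small": 0, "cards": set()})
    for country, amount, card in records:
        s = stats[country]
        s["total"] += 1
        if amount <= SMALL_AMOUNT:
            s["small"] += 1
            s["cards"].add(card)
    return stats


def suspected_card_testing(records):
    """Countries whose donation pattern looks like card-validity testing."""
    flagged = set()
    for country, s in country_profiles(records).items():
        share = s["small"] / s["total"]
        many_cards = len(s["cards"]) >= MIN_SMALL_COUNT
        if s["small"] >= MIN_SMALL_COUNT and share >= MIN_SMALL_SHARE and many_cards:
            flagged.add(country)
    return flagged


def accept_donation(geo_country, embargo):
    """The 'simple fix': refuse when the donor appears to be in an embargoed country."""
    return geo_country not in embargo


if __name__ == "__main__":
    embargo = suspected_card_testing(SAMPLE)
    print(embargo, accept_donation("GB", embargo), accept_donation("RURITANIA", embargo))
```

Once the country is embargoed, the one ordinary 20.00 donor in the sample is refused along with the card testers, which is the same collateral effect my wife ran into at the US retailer.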

This looks like a legitimate risk reduction strategy. As more and more online retailers realise the value of this strategy, those of us who make cross-border purchases (like my wife) should expect increasing frustration. Sorry about that to all of my fellow ExPats.

Bottom line: for their own business reasons, people in the private sector are deciding to enforce geographic borders on the internet.