My wife’s just had her Mondo card details used by a fraudster and, all credit to Mondo, they’ve been absolutely brilliant about it and a new card is on its way. Luckily she only had a small balance on the card so the fraudster’s £400 and £100 purchases failed and they “only got away” with ~£10 worth of fraud.
However, this card had only been used at 3 retailers (all internet/CNP ones) previously - 2 of which are Amazon and HeartInternet: so unlikely to have been “leaked” from them (but not impossible).
I’m therefore wondering who actually investigates card-data/fraud breaches: is it the card issuer (Mondo or Wirecard), Mastercard themselves, the merchant’s bank/provider or “nobody”.
I’m especially interested as a few months ago my MBNA card was used to purchase car insurance (over the internet) after staying at an “apartment” in London - where I suspect the card data was exposed and whilst I told MBNA of my suspicions, they didn’t seem too particularly interested…
Normally it’s down to the bank or credit card company to investigate.
If you feel like they haven’t acted in your best interest then you can always go to the financial service ombudsman. They will act as an independent investigator; they will look to see if the company isn’t acting with your best interest or fairly. http://www.financial-ombudsman.org.uk/
They raise a dispute with the company that provides card services to the merchant (called the acquiring bank) - e.g. Worldpay etc.
The acquiring bank deals with the dispute following detailed rules set out in the Mastercard scheme.
The acquiring bank will then either agree with your bank’s dispute on the basis of the evidence and the rules and give the money back, not agree but take the hit personally and write off the amount in their books, or disagree.
If they disagree, the case can then be escalated through Mastercard’s arbitration process but this can be a costly process to both sides and therefore most parties attempt to resolve prior to this stage.
I hope you understand that I can’t talk in detail about our systems and procedures for dealing with fraud as knowledge of how they work could aid a fraudster in evading them.
We have only had a few cases of third party fraud (where one of our customers gets defrauded). The limited dataset makes it difficult to try and draw any conclusions about how the card details could have been compromised. We also only get a limited amount of data from our card processor; for example, I’m unaware of a way that we can tell whether the merchant sent a CV2 code for verification.
Once we are fully operational and have access to more data I’d like to experiment with having a different PAN (card number) for contactless / chip and pin / mag stripe / online. This would give us greater visibility into how card details were being compromised and also reduce fraud exposure as a PAN that a fraudster could obtain via contactless would be useless to them.
I’m currently working on an improvement to our top up flow, the majority of which is a bit of a refactor on the backend to make the code simpler. It will also mean that fewer top ups will have to go via 3DS (MasterCard secure code / Verified by Visa) and those that do won’t require the card details to be reentered every time.