top of page

Understanding the Law & Fraud Prevention

The Payment Card Industry maintains a set of Data Security Standards (PCI-DSS) which any organization that stores, processes, or transmits cardholder data must comply with. Some the requirements include encrypting transmission of cardholder data across open or public networks and maintaining a policy that addresses information security.


The Payment Card Industry maintains a set of Data Security Standards (PCI-DSS) which any organization that stores, processes, or transmits cardholder data must comply with. Some the requirements include encrypting transmission of cardholder data across open or public networks and maintaining a policy that addresses information security.

In developing your fraud-prevention strategy, make sure you consult with your Legal Department about what information you collect, store and use to prevent fraud. Likewise make sure you have a clear understanding of how you need to word your responses back to the consumer to make sure you don’t have to meet other reporting and legal requirements for notifying the consumer.

So what legislation and legal points should you be following as a fraud practitioner? First and foremost make sure you understand the ins and outs of consumer data protection. From legislation such as the European Union Privacy Directive on Protection of Personal Data(EUPDPP) to privacy policies and appropriate use policies, what you do with consumer data can leave you open to very large lawsuits. Likewise make sure you understand how the Fair Credit Reporting Act (FCRA) and the Homeland Security Act apply to your vertical market and sales channels.

Fair Credit Reporting Act (FCRA)

FCRA mandates that agencies that are granting credit to a consumer and decide not to grant credit must send notice to the consumer of adverse action. FCRA was originally designed to help consumers understand why they weren’t approved for mortgages. The focus of FCRA was to explain to consumers the points of credit worthiness that were used in consideration of a loan, and why the credit was not granted.

The fact you decide not to sell someone something because you suspect fraud does not mean you have to send notice or have to follow FCRA. But if you word your denial in such a way that indicates or sounds to the consumer that you are denying them credit, you could be held liable under FCRA. If you are granting credit in any form (such as credit cards, same as cash), you should be prepared to meet FCRA requirements.

European Union Privacy Directive on Protection of Personal Data

The European Union Privacy Directive is actually a framework for legislation directing member countries to act upon the framework to state specific country requirements for obtaining consent from consumers on the use and storage of any personal data.

This directive has led to the implementation of country-specific acts, such as the United Kingdom Data Protection Act of 1998. The main point you need to remember about these acts is that each country will have different requirements on how you maintain and secure data associated with consumers from their countries. Privacy is the key concern of these acts.

If you are doing business internationally, make sure you check with your Legal Department about specific requirements for the countries you do business in.

How do laws and regulations, in the United States and abroad, affect online merchants?

When transmitting or storing consumer information their are privacy and protection requirements for businesses in the U.S. and EU. In this section I will discuss three major laws or regulations that have large implications for online merchants.

  • Fair Credit Reporting Act (FCRA)

  • European Union Privacy Directive on Protection of Personal Data

  • Consumer Data Protection Requirements

Always consult your legal department, or legal counselor, on all matters pertaining to laws and regulations.

Consumer Data Protection Requirements

There are a number of pieces of legislation out there about handling consumer data and how you have keep it secure as a merchant. Your Legal Department is the best place to find specific guidance. Saying that, remember that all of this legislation is dynamic and could change at any time. For example the McCain Legislation defines data handling and consumer redress mechanisms, exceptions for fraud checks and would override FCRA, but it could be years before it is enacted.

The Federal Trade Commission, using existing statutes such as, “Safe Harbor” for Internet companies, state that “if you have a policy, disclose what you do with data, and comply with your stated policy” and if you do this you’re OK. If you don't disclose what you do, or do something you’ve stated you don't do, you’re subject to federal prosecution.

Under statutes, such as the Unfair Trade Practices Act, you will find that you need to notify consumers what will happen with the data obtained in the purchase activity.

The issue of protecting consumer data is directly related to concerns of online privacy. Online privacy can be defined as a customer’s expectation that their online activities, transactions and preferences will be kept private, not used, misused or misrepresented, or otherwise used in unacceptable ways.

Consumers, government and businesses are concerned about the use of personal data. These concerns are the driving force behind the calls for legislation to protect this information. This, in turn, broadens the implications for businesses and scares consumers about fears of identity theft and too much government control.

The government is responding to the people, businesses are worried about implications for expanding e-commerce business and that leaves us all in a quandary. The Internet is not owned by any one country. The laws enacted by one country can affect merchants from other countries, so who has jurisdiction? Who do you call if you have a problem?

In a survey done by Harris/Westin in 1998 over 90% of the consumers surveyed were “concerned” or “very concerned” about threats to privacy. 60% of those surveyed wanted laws to govern how information was used on the Internet and 70% would favor industry efforts over regulation if companies and associations could implement effective practices.

Even with this overwhelming concern, each of us everyday agree to give up some of our privacy by trading information online in order to get some other information or service. From registering to view articles, to giving age and habit data to see our horoscope, we all make choices. In most of these cases our intent with sharing information is to get a more personalized experience on the web.

The promise of easier searches, simplified purchasing, free “stuff” and group buying power seem to lure us in. But what are these merchants and businesses doing with our personal data? Just how safe is it? Consumers are scared about identity theft, and they are scared about losing their transparency online as well. Who can blame them with the stories in the news and papers today? No one wants to live in a society that is watched 24x7 by Big Brother, but they also 

don’t want to be a victim.

The fastest way to lose revenue is to not take consumer privacy seriously. No amount of marketing, attractive pricing or convenience will entice a consumer to conduct business online or offline if they believe that in conducting that business, their personal information will be compromised.

If you do any business online today you will see that the use of a Privacy Policy is now the norm. This has not always been the case. As consumer awareness heightened with big stories on thefts of card data, business awareness also increased to make sure they were doing things to ease that consumer concern. Over the last ten years there have been a lot of third-party organizations that have entered the scene to attempt to enforce privacy policies, such as TRUSTe, BBBOnline and others.

Businesses today are not just concerned with soothing consumer concerns to keep them coming back, but they are also concerned about their ability to use consumer information in fraud prevention and investigations of crime. They are also concerned about the repercussions of using that data: In using it will it leave them open to future litigation? Will it instigate hacking attacks or spur some type of governmental investigations? None of these activities are good for business.

As a business today provide your consumer with choices, and as a consumer take the time to understand what you are agreeing to when you are exploring the web. We all need to hope that government will take a slow and deliberate path on any sweeping legislation to allow the new commerce channels, such as eConsumers, to grow up.

As for our law enforcement community, they will have to catch up and set up new techniques to combat the growing fraud issues with e-commerce, and all of us as merchants doing business online must be proactive in using the data we do collect to try to prevent fraud and abuse. Those businesses that don’t take this step won’t be around for long.

bottom of page