Open in app

Sign in

Write

Sign in

What Every Online Seller Needs to Know About Chargebacks

David P Schwartz
16 min readMay 18, 2020

There’s a popular notion that filing a dispute with your credit card issuer is a simple way to get a refund. Disputes generate “chargebacks”, and chargebacks are not “refunds”. They’re called ‘claw-backs’ and the cost you a lot in both money and reputation.

In the vast majority of cases they are, in fact, FRAUDULENT CLAIMS. This is why they’re so often referred to as “friendly fraud”. Like “white lies”, fraud by any other name is still fraud. Sources have reported that as much as 90% of all such claims are considered “friendly fraud”.

As a merchant, I believe it’s important to take a very strong stand against each and every chargeback we get. I say, Assume it’s fraud! I’ve done that and never once lost counterclaim. It’s actually not that hard if you start from the presumption that the person has filed a fraudulent claim to begin with. (The bank assumes the customer is being honest, so never, ever take the bank’s claims at their word. NEVER!)

Did They Ask For A Refund?

One of the first things the bank wants to know when you file a claim is “Did you contact the vendor about a refund?” This is usually the FIRST LIE people tell. No, they probably did not, and the point is, they don’t want to. But if they say, “no” then the bank will usually require them to do so before proceeding, and include a copy of the request and all replies received.

Then most credit card processors will require you to file a form that you need to submit in writing via US Postal Service. It’s a legal document called an Affidavit … this is something that includes words to the effect: “I hereby swear under penalty of perjury that the information contained herein is true and correct to the best of my knowledge.” (I’ve been told it’s that “under penalty of perjury” part that makes it an Affidavit.) This is a LEGAL DOCUMENT. And it’s a Federal offense to use the US Mail to commit a fraud. Sending an Affidavit swearing your card was lost or stolen when it wasn’t in order to get a refund is … illegal. The FBI may not be interested in it, but the Postmaster General often is. Just so you know.

Don’t Take My Word For It! See For Yourself

As an exercise, I recommend you visit the website of everybody you have a credit or debit card with and find out what their requirements are for filing a dispute. In every case I’ve seen, they will require you to file an Affidavit that you have signed and dated, and send to them in the US Mail before they will proceed with your dispute. They may take the info online, but most will not proceed until they get that signed Affidavit in the mail. Don’t take my word for it tho … look at what your own banks require.

Most of these forms include some checkboxes where you attest that either:
(1) you lost your card; (2) the card was stolen; (3) that it was used without your knowledge or permission; (4) it may require you to include a report number that you filed with the police. And WHEN this allegedly happened.

The information required on these forms is laid out in statutes, so you’ll find that most financial institutions use the same general template.

Note that there is not a box that says: “I bought this thing and I decided I didn’t like it and am too lazy to ask for a refund, so I’m asking you to get me a refund regardless of the vendor’s refund policy.”

What Would You Do?

Question: if you really noticed that one of your cards was lost or stolen, what would YOU do? My wallet was stolen once, and the first thing I did was got online with every bank and creditor and reported my cards stolen and immediately took a snapshot of my charges and balances. Then I filed a notice with the credit bureaus notifying them to freeze my credit. (You only need to do this with one; they will notify the others.) It killed an entire Saturday.

What do you NOT do: continue using your cards for the next several weeks and when the bill comes and your spouse raises holy hell, you decide “OMG, I better deal with this FAST!” The most obvious thing is to LIE: “Oh, I think my card numbers must have been stolen!” Uh-huh. Right. So you call the banks and cry on their shoulder. They freeze your account and tell you to make a list of things and fill out one of those Affidavits and send the list to them with that Affidavit and they’ll take care of everything.

Yeah, there’s also not a box on that form that says: “I went on a buying spree and my spouse threatened to kill me, so I have no choice but to get a refund for this stuff any way I can.”

In fact, if you could see the account activity of a lot of people who file fraudulent claims, it would appear they DID go on a buying spree … only they say they discovered their card was allegedly stolen three weeks later, but then say it happened BEFORE the buying spree occurred. Kinda gives you whiplash if you’re trying to follow closely. So wait … who went on the buying spree? And why was all of this stuff delivered to THEIR OWN HOME or email if a thief made these charges without their knowledge or consent?

As a VENDOR, you have the right to QUESTION THE VERACITY OF THEIR CLAIM. And you damn well should because 90% of the time THEY ARE LYING!

Believe it or not, this is far easier when you’re working through a factoring agent like PayPal than if you have your own merchant account. People complain that it’s impossible to win a chargeback dispute with PayPal. On the contrary, it’s WAY easier!

You need to understand that their original position is always going to be that the customer is telling the truth. After all, they received an Affidavit filed by the customer, and it’s illegal to file a false Affidavit, so they have no reason to doubt the claim as presented. Nobody would file a false Affidavit, would they?

They also know that 90% of such claims are false, but they have no reason to doubt any individual claim or even investigate — UNLESS YOU RAISE A RED FLAG and demand an investigation! At that point, they MUST investigate — because now if they don’t, they can be charged with conspiracy to commit fraud if they fail to do anything and it IS shown to be a fraudulent claim.

And statistically speaking, THEY KNOW IT PROBABLY *IS* A FALSE CLAIM!

You cannot see the customer’s charge history, whether it’s PayPal or a bank. But you can recommend that they verify the claimant’s charge history and see if their charge activity is consistent with someone who’s card or card number was lost or stolen in the timeframe alleged.

I had a PayPal chargeback once in late January for a purchase that happened on Dec 22nd. That’s a great time to claim something. On Dec 23rd or 24th. Not on January 15th. And you don’t keep buying stuff, taking things back to the store and getting refunds and exchanges … you know … all of the normal holiday activities people engage in. Both PayPal and the bank can look at their history and see if it looks “normal” or not.

Here’s a curious thing a lot of these people don’t think about: let’s say you bought 10 things on your PayPal or credit/debit card over a 2-week period. Then you dispute ONE in the middle of that block of charges, claiming it was not an authorized charge.

If you report the card lost or stolen, then what about all of those charges that followed it?

Now I may be weird, but I check my accounts pretty much daily. I guess some folks don’t even read their monthly statements when they come in let alone check their online balances. So it’s hard to fathom if or when they’d ever notice if their card had been used without their knowledge or permission unless a payment was declined and they didn’t know why.

Card companies give you 60 days from a billing statement to dispute a charge on it. PayPal doesn’t send you statements, and if you use it regularly, you probably check the balance whenever you use it. I think you have 30 days from the charge to dispute it, but check your account for sure.

Either way, for most people, when they do discover something amiss, they’ll slam the door shut on that sucker IMMEDIATELY. They don’t wait weeks and continue using it! And in the middle of a holiday when most people are on a buying frenzy, they don’t simultaneously “lose” a credit card and continue buying things with it for a few weeks before reporting it stolen. That just does not happen! Especially if it’s a DEBIT card. (Consumers have bigger liabilities on Debit cards than Credit cards, and they have a more damaging impact on things if they’re ignored.)

THE “DELIVERY PROBLEM”

People can claim that a physical delivery went to the wrong place, and most of the time the delivery people are liable. You don’t need to file a chargeback. In most cases, you want them to send out a replacement item ASAP; if they’re out of stock, they’ll offer you a similar item or an instant refund. This is not usually contentious and does not give rise to false claims.

However, electronic / digital purchases and deliveries are in a class of their own, and most of the time they are sufficient to nail a fraudulent claim to the wall and the claimant has nowhere to turn. BTW, this is a hidden benefit of delivering content through MEMBERSHIP SITES. Most affiliate sites are membership sites — they require you to login using an email and track your activities pretty closely.

If you do your own fulfillment, you should do so from within a membership area, not a simple page with a download link. Or consider using an affiliate site like JVZoo, WarriorPlus, ClickBank, or something similar. You want the tracking afforded by a membership site in this case, rather than the protection they offer from illicit downloads.

If you buy something online, you provide one or both of two delivery addresses: your home address, and/or your email address. If someone steals your card and makes a purchase online, they do NOT send it to YOUR HOUSE! And they don’t use YOUR email address! Why would they (unless they’re members of your family or roommates)?

But here’s someone who claimed their card was stolen, and the thief curiously set up a new account with, say, HSN, and provided the cardholder’s same home address, phone#, and email address. And they even signed for the thing using your signature when it was delivered to your door — but it wasn’t you. Really? If someone is going to commit ID Theft, they’re going to change those FIRST. Just say’n.

Or here’s someone who claimed their card was stolen and the thief made a bunch of online purchases and used the cardholder’s PayPal account. Then the alleged thief logged-in to the download site to download the content, and used the cardholder’s email address to confirm their purchase. Then the membership site sent a login or download link to that email address. And maybe a 2-factor security thing was initiated where a code was sent to their email or phone, that was then entered correctly. And again, it wasn’t YOU? WTF? Are you nuts?

First clue it’s a fraud?

They reported their card was lost or stolen, and the thief used it to buy stuff on your PayPal account with your email, but they did not report that their email and PayPal accounts were hacked. Like … DUH!

Or someone filed an Affidavit claiming their card was “lost or stolen” and this purchase was made without their knowledge — except they are curiously filing the claim and interacting from the same email address used by the alleged thief to login and download the purchased items. Well, you don’t know for sure if this is part of a consistent pattern, but you can certainly ask the bank or PayPal to verify it.

(As the vendor, it’s even more helpful if you have a log of their activities along with their IP address history that can be traced back to their ISP or cell phone provider.)

One does not report their card actually lost or stolen and shut it down, then proceed with buying stuff and downloading it using their normal email account as if nothing happened. See my point? (I’d sure be suspicious enough to at least change my passwords!)

As a vendor questioning the veracity of a claim, you don’t need to prove “delivery” of a digital good. You need to allege they filed a false claim. A log of their activities subsequent to the date they claimed, along with proof it was THEIR email, THEIR phone#, THEIR IP address, and/or THEIR home address that was used, and they did NOTHING to hide those facts, is often quite sufficient.

People seem to focus on whether “something of value was delivered”.

Again, you want to prove that they lied and the claim is a fraud. Forget the download.

Once again, people file false claims because they are lazy and think it’s easier and LESS HASSLE than asking for a refund. Are you starting to see why it’s NOT if they want to get away with it in case someone actually questions the veracity of their claims?

In a case of ID Theft, PayPal would have been notified that their account had been compromised, and they’d probably change their password if not their email, right? How many other accounts would be tied to the same email? Oh, their BANK LOGIN! SMH! Did they report a change of address or email or password or ANYTHING ELSE to the bank that filed the chargeback??? Probably not!

Have you ever lost your wallet or had a card lost or stolen? If you’re careful, you spent HOURS over several days making sure you covered all your bases and didn’t leave any stone unturned in order to prevent anything further from happening.

People who file fraudulent claims think it’s just filling out a form and mailing it in, and that’s easier than contacting the vendor. HA!

Raise The Hassle Factor!

As a vendor, your job is to RAISE THE HASSLE FACTOR and tell the card company or PayPal that you believe this is a FRAUDULENT CLAIM and demand they advise the customer that it is a FEDERAL OFFENSE to use the US MAIL to commit FRAUD by sending a FALSE AFFIDAVIT to the bank in the first place.

Send them the logs and tell them to verify with the customer if this is an ID Theft or not; if they say no, then demand they explain the activities that took place on your server using their name, email address, and phone# that happened after the alleged loss occurred. Consider that two-factor authentication makes it nearly impossible to sustain these kinds of false claims. I mean … who else is able to access both their email and phone and yet has not reported either one stolen or hacked? Especially if it’s many days or weeks after the alleged loss happened.

You might even go so far as to suggest that the bank or PayPal should immediately disable the customer’s accounts until this apparent case of very subtle ID Theft be resolved, since the customer seems to be too inept or naive to realize they may be at severe risk of loss. They might be very happy to oblige because THEY may be liable for the losses!

Again, PayPal WILL INVESTIGATE — they DO have access to ALL of the customer’s records internally, and they can see if the actions taken are consistent with loss or theft, or if its someone trying to game the system.

They will not push back on the credit card merchant processors unless you first raise the specter that it’s a fraudulent claim. Then they WILL forward their own investigative results to the bank lest they be accused of conspiring to commit fraud.

You will probably hear nothing further for a couple of weeks, then just get a notice that the claim was “closed’ and your funds were quietly returned to your account.

What about legitimate fraud?

The only time this approach won’t work is for “legitimate” fraud. This is when someone uses a stolen a card# to initiate a transaction on your site or though your sales page. They are simply testing to see if the card# is valid and works. They will NOT download anything, or register, or go any further than verifying that the payment was accepted. They will then likely jump on another site and make a purchase they really wanted.

You will get a chargeback and that’s that. You can tell the difference by monitoring the activity on the account in your membership site’s logs. If there was no further activity after the purchase was made, it’s a legitimate claim of fraud. And these days, it will probably be initiated by the bank’s security / fraud unit and not the consumer.

What you can do today

Tell your host to keep your raw web log files for at least a year

I hope that you see that there’s some value here in having logs of your site’s activities. All web hosts keep detailed logs. If you have cPanel, there’s a place where you can tell it to retain your web logs for a while. By default it keeps detailed logs for 24 hours, then flushes them out after processing them for your log viewers like Analog and Webalizer.

What you want to do is change the setting to Keep All Logs. It then zips them up and stuffs them into monthly archives. This is important because all of the chargeback claims I’ve gotten have shown up several weeks after the items were purchased. You need to keep the logs around longer than 24 hours to see any benefit. But these are just the raw logs.

Use a membership site for digital fulfillment

It’s really easy to set up a web page and provide a link to a file stuck into your FTP uploads area or maybe even a Dropbox link. That’s fine for simple stuff. But if you’re selling things, you want to protect your downloads and communicate with your customers. A membership site is the best way to do this.

All membership sites keep some logs, if nothing more than login histories. But you really want those histories to include login date/time stamps, along with changes to their membership name and/or email and IP address. You also want to see records kept of DOWNLOAD requests — mostly they’re not interesting, until someone claims their credit card was stolen or PayPal account was hacked and someone bought something from you and now they want a forced refund.

You can say, “Uh, wait just a minute … is this your email address? Is this your IP? The whois system says it’s for this and such ISP” and you might even be lucky enough to get a geolocation on it near the home address they have on file.

NOTE: Be careful with the geolocation tack because it can work against you. If you’re on a mobile device, go to whatsmyip.com and see what it says. In particular, notice where it reports your location. I live in Phoenix, and I use an LTE data service from AT&T. My IP reports that I’m in Anaheim CA. I have not been to Anaheim in over a decade.

The thing to note is if they have any history on your site and if the IP is consistent. Also, reporting the IP in your response gives the bank an opportunity to compare it to their access logs, and they can see if it’s consistent or not. If their card was really stolen and used by someone else, that alleged thief is not likely to be using the exact same service and have the same IP or IP block to access accounts they claim were hacked. It further undermines their claim.

Finally, Don’t Trust What The Banks Tell You!

The banks behind the chargeback are operating on a good-faith representation made by their customer who claimed their card was stolen. That’s fine, stuff like that happens. Just not with the frequency folks want to believe. Assume the chargeback claim is false and investigate it on your end as extensively as you can. Check your logs, locate their payments, any emails or support tickets from the customer, anything you can find, both on your site and in your Paypal and/or your bank account. Note the dates, times, IPs, who logged-in, when, what they did, whatever else happened, etc. Lay it all out. Then see what else you can find.

Finally, reply to the bank and assert that based on your own records, you believe it’s a fraudulent claim. Explain your position and include snippets of your logs. Tell them you’re willing to file it as an Affidavit if needed. Above all, PUSH BACK! They will not investigate unless they have a reason to suspect fraud — you need to give them that reason. It does not need to be water-tight, just enough to make them take a close look at their own data.

They almost certainly have far more data on the customer than you do, and their own internal Fraud Department has way better tools at their disposal than you have. Let them do their job. They don’t want to sustain a dubious claim any more than you want them to. And they won’t tell you a thing. They’ll go silent. Then in a few weeks, they’ll simply tell you the case has been closed and you’ll be issued a refund of the clawed-back funds.

At the risk of sounding repetitive…

Online merchants seem to fixate on the question, “But they downloaded the goods!” If you want to beat most chargebacks, that is not a fruitful approach, because you put the bank in the position of defending either you or them. They will defend their customer. Period, end of story. That’s why so many vendors believe it’s a waste of time to bother fighting chargebacks. Yes, from that perspective, it is. Completely.

The industry KNOWS that up to 90% of all such disputes filed are FALSE CLAIMS. They’re LEGAL ACTIONS taken by consumers to assert their LEGAL RIGHTS AND REMEDIES, and the banks don’t want to put barriers in front of their customers who may be dealing with some rather catastrophic activities in their lives. I can understand that. But 9 out of 10 of those claims are LIES. The banks know it, they just don’t know which one in ten is legitimate. They’re erring on the side of the customer. Again, I understand and appreciate that.

Our job as vendors is to call their bluff — after looking over our logs and support tickets and whatever else we have and making a judgment as to whether any given claim looks legitimate or not. I use a jaundiced eye because 90% are KNOWN to be FALSE.

Come up with an explanation that would raise a question in the mind of a reasonable person that the claim might not be legitimate.

This puts the bank in the middle where they can NOT take sides without investigating more thoroughly. THAT is what you want them to do! You have statistics on your side, and they have a plethora of data they can fish through without any kind of search warrant or anything.

They won’t do a thing unless and until you (or someone else) gives them a reason to do so. Providing evidence of possible fraud is a far more effective tactic than saying, “But they downloaded the files!” I hope you can see that.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Credit Card Chargebacks
Friendly Fraud
Membership Site Benefits
Disputing Chargebacks

--

--

David P Schwartz
David P Schwartz

Written by David P Schwartz

100 Followers
93 Following

Professional software architect & developer for 40+ yrs; created & sold several unique software products online; passionate about guided meditation.

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams