I received some chargebacks on my merchant account. Supposedly they are not really chargebacks, however if I do not provide the information requested on the form back the bank within 25 days, they can take the money out of my account.
The reason listed on the piece of paper I received in the mail from my bank (Bank of America) is this: 32-Cardholder Does Not Recognize Transaction.
I contacted the cardholder and they told me they never reported any problem with the transaction to their bank. Someone is initiating this response, it is not the cardholder and therefore it is fraudulent based on the response on the document I have.
Worse yet, the document asks me to fax the account number, expiration date and all the information including a signature from the sales draft to their fax number.
Just by reading this it looks as if I have to provide the ENTIRE account number, expiration date and the customer's signature. Hmmm. Is this secure to be faxing this stuff around? When I called in they said I could just give them the last four digits. I do not even store the full card number anywhere for security reasons. (So if you're hacking my server - you're wasting your time).
Finally when I explain this is potentially a fraudulent scam and someone should look into it and try to crack down on this there is nothing they can do. They just blindly send the requested data to any bank that asks for it in any country (this is an international web site) to resolve the issue. Supposedly they would not send the information "to just anybody" but I wonder how tight that security is, based on this whole scenario, on validating where they are sending cardholder data and who has access to it.
Here's the potential: Someone, be it at Bank of America, the third party bank, or a hacker, could be intiating the charge back to me and if I miss it, the money is taken out of my account. But guess what, the cardholder never said they didn't recognize the transaction in the first place...think about it...where did that money go?? Someone's pocket - and not the right one.