Fraud charges hit replacement cards, frustrating consumers


Recent customer anecdotes serve as a reminder to issuing banks to flag fraudulent merchants to prevent recurring, unauthorized transactions when banks issue replacement cards.

Visa Account Updater, or VAU, and Mastercard Automatic Billing Updater, or ABU, both allow merchants to prevent payment declines when issuers replace expired, lost or compromised cards. However, some recent instances involving compromised cards have resulted in unauthorized charges reappearing on newly issued cards.

Specifically, a handful of Chase customers have taken to Reddit and personal newsletters to vent about frustrating experiences in which the bank sent a replacement card after an unauthorized transaction on the previous one, but soon after the customers received the new card, more unauthorized transactions appeared on the replacement.

"I had barely received the new card, when another fraudulent charge hit," one customer complained. "How could he use my credit card number? I just got a new one."

"Recently got a scam charge, cancelled credit card, got issued new number," another said. "Have not received my new card yet and there's a new unauthorized charge."

Visa and JPMorganChase did not immediately respond to requests for comment.

In these and other cases, customer support representatives often tell customers that this happens because of a system that sends updated payment information to certain merchants. When the customer has authorized a merchant to charge their card for recurring payments, that merchant receives an update when the customer's old card details are canceled or expire and a new set is issued.

Some users responding to these complaints about unauthorized charges on new cards concluded that the new charges went through because of an error by the bank.

"Usually when you have your card replaced due to fraud, the bank is supposed to opt the old card out of the account updater services such as VAU/ABU, and unenroll it from any digital wallets before replacing it," one user said. "The person you talked to just didn't do that for whatever reason."

Indeed, Visa does offer issuers the ability to manage which merchants receive updated information.

An issuer can block a merchant from receiving updates

The VAU Issuer Stop Advice API allows issuers to prevent specified merchants from receiving updated payment credentials. This functionality can prevent a specific merchant from receiving any automatic VAU updates for a particular account, for example, after fraud has been reported, while still allowing other merchants to receive updates.

Visa's documentation of the API says it can help "break the cycle of repeated fraud." It notes that Stop Advices only block automatic credential updates and are different from stop payment orders, as they only stop merchants from receiving updates to payment credentials. Merchants can still receive payments from existing credentials they have saved unless a stop payment order is placed.

How account updater services operate

Account updater services like VAU and ABU facilitate the electronic exchange of updated account information between card issuers, networks and participating merchants.

American Express and Discover also host account updater services. These services function similarly to VAU, aiming to keep card-on-file information current for participating merchants.

When an issuer reissues a card due to expiration, loss, theft or other changes, it submits the new account number and expiration date to the updater service.

Participating merchants, typically those with credential-on-file business models like recurring billing or subscription services, submit inquiries through their acquirers for information from the updater. In some cases, merchants can subscribe to get real-time updates to payment credentials.

The service processes these inquiries and provides updated details to the acquirer, who then forwards them to the merchant. Merchants are typically required to update their customer databases with this new information within a few days of receipt.
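The inquiry flow above, combined with the per-merchant stop advice described earlier, can be sketched as a toy Python model. This is an added illustration, not Visa's or Mastercard's API or code from the article; the class, method names, merchant IDs and card numbers are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class UpdaterService:
    """Toy stand-in for a network account updater (hypothetical, not a real API)."""
    updates: dict = field(default_factory=dict)     # old number -> (new number, expiry)
    stop_advices: set = field(default_factory=set)  # (old number, merchant id) pairs

    def issuer_reissue(self, old_pan, new_pan, new_expiry):
        # Issuer submits the replacement credentials after reissuing a card.
        self.updates[old_pan] = (new_pan, new_expiry)

    def issuer_stop_advice(self, old_pan, merchant_id):
        # Issuer blocks one merchant from updates for one account.
        self.stop_advices.add((old_pan, merchant_id))

    def merchant_inquiry(self, merchant_id, pan_on_file):
        # Inquiry arriving via the acquirer; a stop advice suppresses the answer
        # for the flagged merchant only.
        if (pan_on_file, merchant_id) in self.stop_advices:
            return None
        return self.updates.get(pan_on_file)

def run_reissue(flag_fraud_merchant):
    """Reissue a compromised card; return which merchants end up with the new number."""
    old, new = "4000000000000001", "4000000000000002"  # constructed sample numbers
    svc = UpdaterService()
    svc.issuer_reissue(old, new, "12/29")
    if flag_fraud_merchant:
        svc.issuer_stop_advice(old, "FRAUD-MERCH")
    # Both merchants hold the old number as a credential on file.
    on_file = {"GYM-SUB": old, "FRAUD-MERCH": old}
    for merchant in list(on_file):
        update = svc.merchant_inquiry(merchant, on_file[merchant])
        if update:
            on_file[merchant] = update[0]
    return {m: pan == new for m, pan in on_file.items()}

if __name__ == "__main__":
    print("no stop advice: ", run_reissue(False))
    print("with stop advice:", run_reissue(True))
```

Without the stop advice, the merchant behind the reported fraud receives the replacement number along with the legitimate subscription; with it, only the legitimate merchant does.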

The purpose of account updater services

The primary reason for VAU, ABU and similar services is to combat authorization declines experienced by businesses, particularly those with recurring payments, due to outdated card information.

Card information changes frequently due to expirations, cards being lost or stolen and reissued, account closures, or upgrades. These update services help businesses reduce involuntary churn, avoid lost revenue, decrease operational costs associated with managing declines and improve authorization rates.

For cardholders, the services are intended to provide a seamless payment experience and avoid service interruptions, late fees for declined payments, and the need to manually update card details with multiple merchants. Account updaters are considered a tool for merchants to reduce false declines and mitigate fraud risk associated with card-not-present transactions.

Automatic enrollment and opt-out options

Cardholders often get automatically enrolled in VAU and ABU. For example, Regional Federal Credit Union automatically enrolls its members, as do Community West Bank and Merck Sharp & Dohme Federal Credit Union. Banner Bank automatically enrolls its members in ABU.

Cardholders generally have the ability to opt out of VAU and ABU services, but not always. For example, multiple customers report that Bank of America, which issues Visa cards, does not support VAU opt-out.

Other issuers direct card networks on behalf of the consumer to opt accounts out of VAU and ABU. Opt-out status then remains with the chain of accounts for subsequent reissuances.

Specific opt-out methods include contacting customer service, completing a form or using online or mobile banking — all through the issuing bank rather than through the card network itself.

Regulatory considerations

Federal regulations like Regulation Z and TILA provide safeguards for credit card users regarding unauthorized charges and billing error resolution. Cardholder liability for unauthorized use of a credit card is generally limited to $50, though many issuers have zero-liability policies.

Cardholders must notify the issuer of unauthorized charges or billing errors, typically within 60 days of receiving the statement. Regulations also outline consumer rights regarding stopping preauthorized electronic fund transfers, requiring notification at least three business days before the scheduled transfer.

Additionally, laws such as California's Automatic Renewal Law, or ARL, require businesses to obtain clear consent for recurring subscriptions, clearly disclose terms like cost, frequency and cancellation method, and provide post-purchase confirmation and renewal reminders.
