The scam was not my fault!

Wayne’s online business successfully applied to a card issuer to accept payments as a merchant from the issuer’s customers’ cards in April 2019. Wayne used a third-party eCommerce payment processor to handle online credit card transactions, so he had very little day-to-day interaction with the card issuer.

Between December 2020 and March 2021 the card issuer told Wayne that nine fraudulent transactions had occurred. The card issuer said that Indonesian cards had been fraudulently used to pay for products to be shipped from Wayne’s business to various addresses in Auckland. The cardholders had disputed the transactions and requested a chargeback (where the transaction is reversed and the merchant bears the cost). The card issuer told Wayne that the transactions would be reversed, and the amounts deducted from his account. Wayne responded disputing the chargebacks.

The card issuer rejected one cardholder’s chargeback request and recredited the amount to Wayne’s business. Eight chargeback requests were upheld, and approximately $12,700 was deducted from Wayne’s account. Wayne did not believe that his business should bear responsibility for the fraudulent transactions and complained to FSCL.


The card issuer said that Wayne could have protected his business from liability by either checking that the delivery address matched the cardholder’s address for each transaction or signing up for the card issuer’s online transactions protective measures programme (the protective programme).

Wayne said that the card issuer should have flagged Indonesian credit cards being used for transactions in New Zealand as suspicious. He said that he had no way of knowing that the transactions were fraudulent as the eCommerce payment processer did not send him address information. Wayne said he had not received a copy of the card issuer’s terms and conditions and did not know that he would bear the risk of fraudulent transactions. Further, Wayne said he was never told about the protective programme and considered that it should have been enabled automatically for all merchants. Finally, Wayne objected to the card issuer’s lack of notice when debiting his account, particularly as the letters sometimes did not arrive until after the debit had occurred, despite the card issuer being required to give 10 days’ notice.


In commercial relationships, the parties can agree how risks will be allocated between them and the card issuer’s terms and conditions placed the risk of fraudulent online transactions on the merchant (in this case, Wayne). Wayne said that the terms and conditions were unreasonable by placing an unfair burden on merchants, but FSCL could not shift the risk to the card issuer by overturning the agreement. Wayne agreed to the allocation of risk regarding fraudulent online transactions when he accepted the terms and conditions in April 2019.

When Wayne became a merchant for the card issuer in 2019, he was given online access to the card issuer’s terms and conditions. Further, Wayne signed a declaration agreeing that he had received a copy of the terms and conditions.

The card issuer had reasonable grounds for concluding that the disputed transactions were fraudulent, so they were entitled to reverse the nine disputed payments. The agreement between the card issuer and Wayne did not require the card issuer to prove any wrongdoing by the merchant. This was not a reflection of fault on Wayne’s part, but simply how the parties agreed to allocate risks associated with online transactions.

The card issuer took adequate steps to ensure Wayne was aware of the benefits and protections available through the protection programme. The protection programme was included in the terms and conditions, which Wayne agreed he had received. Further, information about the protective programme was available on the card issuer’s website.

The card issuer was not obligated at law to provide the programme by default, despite its competitors doing so. Further, the card issuer had good reason for not enabling the protection programme by default. The programme placed onerous obligations on the merchant so it was reasonable that it was an opt-in programme.

However, the card issuer’s communications about the disputed transactions could have been better. The card issuer sent correspondence by post from Australia to New Zealand. The letters that Wayne received failed to include “New Zealand” in his business address. It was entirely foreseeable that letters prepared exactly 10 days before the debit was processed would not reach him in time, particularly due to the address being incomplete and the letters going from Australia to New Zealand. We recommended that the card issuer pay $350 as compensation for this inconvenience and frustration.

The card issuer processed several chargebacks without advising Wayne of the final outcome. Only five of the nine chargebacks had letters sent regarding the outcomes. Wayne was left to assume that the remaining four chargebacks were granted. Further, the card issuer issued two identical chargeback notification letters two weeks apart for the same request. This lack of consistency was frustrating, and we did not consider the communication to be up to industry standards. We recommended a further $350 as compensation for the inconvenience.


We found that the card issuer should pay Wayne a total of $700 for the frustrating and inconvenient process of notifying Wayne of the chargebacks. We were satisfied that there were no grounds for compensation for financial loss, as Wayne had agreed to bear the risk of online fraudulent transactions in his agreement with the card issuer.

Both Wayne and the card issuer accepted our decision.

Insights for consumers and participants

Consumers and merchants should carefully read the contract’s terms and conditions before agreeing to a commercial relationship. Card issuers should ensure that any issues, including chargebacks, are communicated clearly and in a timely manner.