By Jonathan Bick

THE AUTHOR IS AN ADJUNCT PROFESSOR OF LAW AT RUTGERS LAW SCHOOL AND PACE LAW SCHOOL AND PRACTICES WITH BICKLAW.COM. HE IS THE AUTHOR OF 101 THINGS YOU NEED TO KNOW ABOUT INTERNET LAW (RANDOM HOUSE 12/00).

Credit cards used on the Internet perform the function of cash and checks in traditional transaction. Without credit card services, e-commerce could not thrive. Credit card services are governed by merchant service agreements. Now that e-commerce is a mainstream activity, attorneys and their clients need to know about Internet merchant service agreements.

For e-commerce to succeed, Internet businesses must be able to obtain reliable information to ensure payment. Internet consumers must be confident that they have recourse in the event their e-goods or e-services are not satisfactory. The use of credit card service on the Internet provides both.

The Internet is changing the way people buy and sell everything from music to electronic equipment and from data to news. Increasingly businesses are using the Internet to reach customers, process orders and receive payment. Credit card services are the only practical means of securing payment for goods and services offered over the Internet. Credit card services agreements are known as “merchant services contracts”. Merchant service agreements result in sharing a bank account with the credit card issuer or their agents. Sharing bank accounts results additional legal rights and obligations for all parties.

Typically, merchant service agreement allows each party to withdraw thousands of dollars without advance notice for a variety reasons including but not limited to payment disputes. In some cases, such agreements allow the common account to be frozen. It is therefore prudent to review merchant service contracts with Internet transactions in mind.

The use of a credit card system offer Internet merchants the same conveniences, obligations and legal protections that they are accustomed to receiving when making credit card purchases by telephone or mail order. Thus, before discussing the use of Internet credit card use, it is useful to review the tradition use of credit cards.

A traditional merchant is paid by its own bank after the bank receives the credit card sales draft from the merchant. The merchant’s bank is referred to as an "acquiring bank" because it "acquires" credit card transactions from the merchant. The bank, which sends the acquiring bank money to pay the merchant, is the bank that issued the credit card used by the merchant’s customer. This bank is referred to as the "issuing bank" because it issues the credit card.

It normally takes from three to four months for the merchant's acquiring bank to receive money from the issuing bank. The delay is usually because the issuing bank does not transfer funds to the acquiring bank until it receives payment from the merchant’s customer who used the credit card. However, the acquiring bank pays the merchant before the issuing bank has paid the acquiring bank. The payment of the merchant by the acquiring bank before being paid by the issuing bank effectively results in a line of credit to the merchant in an amount equal to the credit card payment.

During the time between the merchant’s request to receive payment from the acquiring bank and the related payment by the issuing bank to the acquiring bank, a person whose credit card was used in the transaction can dispute a credit card transaction. A dispute will typically arise in the event the cardholder's card has been stolen.

The immediate result of dispute claim by a cardholder is that the issuing bank will notify the acquiring bank that it will not pay the merchant's bank. Upon such notice, the merchant's bank will reverse the transaction by processing a "charge-back" against the merchant's account. Acquiring banks generally require the merchant to maintain a balance in its bank account in a sufficient amount to cover charge-backs.

Settlement fees are deducted by acquiring banks from the credit card transaction amount before paying the merchant. The difference between the amount paid to the merchant and the credit card amount is the amount of revenue earned by the acquiring bank. In the event that a cardholder disputes a transaction and does not pay the issuing bank, which in turn does not pay the acquiring bank, the acquiring bank does not receive its settlement fee and incurs the cost of processing a charge-back against the merchant.

Historically, charge-backs have occurred more often when cardholder are not present during a transaction. This fact has resulted in acquiring banks charging a higher settlement fee for the so-called credit card hold not present transactions also know as "mail order/telephone order" transactions. Typically, acquiring bank may charge one to three percent for transactions where the cardholder is present and 2 to 5 percent for transactions where the credit card holder is not present.

Frequently an acquiring bank uses a credit transaction processor to receive and process credit card drafts from merchants. The processor usually receives credit card transaction data from merchants electronically or by mail.

Internet commerce uses credit cards to process payments in a variety of ways. From a legal and financial prospective, e-credit card transactions should be viewed from two perspectives depending on whether the merchant or the purchaser initiates the credit card transaction.

In the event of a merchant initiates the credit card transaction, such as when a customer sends credit card information to a merchant and the transmits the credit card information to a processor, acquiring banks charge the higher settlement fee associated with credit card holder not present transactions. However, when the purchaser / customer initiates the credit card transaction, such as when purchaser sends credit card information to a merchant’s processor directly acquiring banks charge the lower settlement fee associated with credit card holder present transactions.

The same result occurs when a customer uses the Visa / MasterCard the Secure Electronic Transaction ("SET") protocol. SET uses software in the same manner as the purchaser-initiated systems, merchants processing transactions using SET will normally pay the lower settlement fee associated with a card hold being present.

The federal law and the credit card issuers' rules define most of the significant rights and responsibilities of credit card users. Thus they must considered as part of any Internet merchant service agreement. The most important issue that these laws and rules address is who bears the cost of unauthorized credit card use.

The federal statutes most often used to prosecute credit card fraud include the Truth in Lending Act, the Credit Card Fraud Act, and the mail fraud and wire fraud statutes. In particular, the federal government first attempted to penalize credit card fraud in 1970 when it amended the Truth in Lending Act by adding the Consumer Credit Protection Act. As amended, the Truth in Lending Act prohibits the use, attempted use, transportation, or selling of a "counterfeit, fictitious, altered, forged, lost, stolen, or fraudulently obtained credit card." In addition, the Truth in Lending Act prohibits the receiving, concealment, use, or transportation of money, services, or anything else of value which was "obtained with a counterfeit, fictitious, altered, forged, lost, stolen, or fraudulently obtained credit card."

Credit card holders benefit from these laws and rules because they limit the holder's liability for unauthorized use and providing other protections designed to make it easier for the holder to challenge unauthorized transactions. Since no special regulations have been created for credit card use on the Internet, presumably the same laws and rules that govern credit card transactions in the physical world apply to Internet transactions. Consequently, the legal benefits protections, together with credit cards' ease of use and consumer familiarity, are some of the more important reasons that credit cards have become the most popular payment instrument for purchases on the Internet.

Part of the Truth in lending Act, required the Federal Reserve Board to promulgate Regulation Z, which provides consumers with a variety of protections regarding consumer credit marketing and under what terms and conditions such credit may be provided. These provisions are most significant for electronic commerce because they provide guidance with respect to liability limitations, error and dispute resolution, and disclosure.

Regulation Z limits a cardholders' liability for unauthorized credit card transactions to a maximum of fifty dollars. Nevertheless, merchants bear the same high risk of fraud when accepting credit cards on the Internet, as they do in the physical world.

Just as in the case of traditional credit card holder, those who use their credit card on the Internet must report an error on an account statement within 60 days after the first statement containing the error was mailed. Likewise, the credit card issuing bank when dealing with these e-commerce transactions must investigate to either correct the error or explain to the cardholder why the statement is correct within two billing cycles and not later than 90 days after the issuing bank receives notice of the error. Just as in the case of traditional credit card transactions, during the investigation period, the e-commerce credit card user can withhold payment of the amount in question.

Normally, if an Internet credit card user encounters a problem with merchandise or services that were paid for via a credit card, and the Internet consumer has made a good faith effort to resolve the problem with the merchant, the e-consumer has the right to withhold payment from the card issuer. One exception which is particularly relevant to e-commerce transaction is that in the event the credit card used by the e-consumer is a bank card not issued by the merchant, the consumer can withhold payment only if the purchase exceeds $ 50 and occurred in the consumer's home state or within 100 miles of the consumer's billing address.

Regulation Z also is helpful to Internet credit card users because it requires certain disclosures so that consumers can discover unauthorized transactions and errors and take appropriate action. In light of the difficulty associated with the verification of the identification of parties to Internet transactions, Regulation Z information is particularly useful for resolving legal difficulties. Error resolution procedures must be provided to cardholders upon the receipt of their cards and on an annual basis thereafter.

Using credit cards on the Internet do not normally involve traditional banking functions, thus financial system regulations do not usually apply. In addition, most e-commerce systems are simply a means of transporting data related to a credit card transaction over the Internet; these systems do not involve money transmission. Therefore, providers of these services are not subject to the current or proposed requirements of the Bank Secrecy Act.

Due to the lack of traditional financial system protections, both users and providers need to be concerned about the use and protection of the credit card data that flows through e-commerce. In merchant-initiated systems, the information is best protected by limiting its availability to an encrypted form to both the merchant and the payment provider. In purchaser-initiated systems, the information is available only at the payment provider, which can also be encrypted. During the past several years, there have been scant use of effective encryption, so there have been may instances where hackers have stolen thousands of credit card numbers from merchants and service providers operating on the Internet.

To facilitate the use of Internet credit card services, many merchants use an Internet service provider as a "host" of their storefronts. If hosts are used with a merchant-initiated system, then an additional party (the hosting service) has access to the credit card information. In such an instance, merchants are well advised to get a broad indemnity from the host for improper use of financial data by the host's employees. Insurance is also available to limit the risk of using storefronts.

Today, data protection and privacy is largely governed by private contract. For example, users of Internet services get most of their data protection rights from the agreements to which they agree when they sign up to receive services. Effective Internet merchant service agreements address data protection and privacy issues.

Credit card data is generally considered protectable data. Most governments are still not certain how to protect data that is sent via the Internet and what role government should take in creating these protections.

The U.S. Federal Trade Commission is concerned about the privacy of data collected on the Internet, including credit card related data. Other countries have set standards for the protection and use of data. For example, the European Union ("EU") is requires all non-EU firms to provide legal safeguards for "personal data" about individuals that is "processed" by EU firms. Consequently, merchants and payment system providers based in the U.S. may need to comply with a variety of different data protection requirements if they are using the Internet to do business with people located in the EU.

In addition to credit cards, the financial services industry has provided "stored-value cards" (also referred to as prepaid or value-added cards) to consumers. Stored value cards are favored by e-consumers who are not comfortable using their credit card on the Internet. These cards maintain a "stored value" of funds available to the consumer for access primarily at retail locations however; some may be used in the same way as credit cards on the Internet. In order to use a stored value card on the Internet, the Internet access must be able to interact with the card. In short, the balance recorded on the card must be debited at an Internet terminal when the consumer makes a purchase.

Some stored-value systems are targeted at low-value uses (public transit, pay telephones, or photocopiers, for example); the amount that can be stored on the card is limited; and the card is disposed of once its value has been used up. Other stored-value systems can involve large transactions and permit consumers to store value in the hundreds of dollars on a card. These cards may have multiple uses, and there may be multiple card issuers and multiple card-accepting merchants and are authorized by communication between a terminal and a central database.

Stored-value card services are also subject to agreements that are similar to “merchant services contracts”. Such agreements have elements of debt card agreements in them as well.