Bank didn't do enough to prevent online credit card fraud, Montreal merchant says

Credit card fraud forced a Montreal businessman to close his online business, and he blames his bank for letting it happen.

Thieves, using stolen credit cards, bought thousands of dollars worth of cell phone and computer parts from Vincenzo Lingordo's web site,the now-defunct Lingordoiparts.com.

• Compromised bank cards lead to few answers from Canadian banks

Three months after opening the site, Lingordohad to lay off his employees and shut down his web site.

"I lost everything," saidLingordo.

Originally from Italy,Lingordosaidhe saved for years to come to Canada and spent months getting his dream business off the ground.

He said its failure sent himspirallinginto a depression.

Lingordo saidthe purchases were approved by TD Canada Trust, even though key information was missing from the online transactions or not entered at all.

"Their system should be able to match the info and be able to pass or decline the transaction, not me," said Lingordo. "So what is secure here?"

Bythe time the bank notified Lingordoabout eachfraud in some cases, weeks laterhe'd already shipped the goods.

"You're trusting a good service from a good bank," Lingordo said.

When payments continued to bemadewith stolen cards which weren't immediatelyflaggedby the bank's transaction software,Lingordo saidhis bank told him his business was attracting criminals.

He estimates he lost $50,000 in merchandise, refunds, charge-backs and time.

While he blames TD Canada Trust for his losses, a bank spokeswoman said responsibility for the frauds rests with him.

Online security not guaranteed

When TD Canada Trust notified Lingordo about the first fraud, he thought it was a one-off.

The bank asked him to make his web site more secure, so he had the site encrypted.

He said the bank alsotold him to be more cautious about sending products in cases in whichthe shipping and billing addresses didn't match.

• More from CBC Montreal Investigates: Montreal student responding to text ends up on hook for $4K in advertising scam

Lingordo saidthe bank also pointed out ways he couldreduce his fraud risk, by going into his merchant profile with the bankand ticking off a few more security featureson how transactions were to beapproved.

Lingordo saidhe followed the bank'sadvice.

Based on the security features Lingordo saidhe added, transactions weren't supposed to be approved unless the cardholder's proper billing address was entered. That billing information issomething fraudsters don't usually have access to.

He saidhe also chose to make it mandatory for customers to enter the security code on the back of their credit card. It, too, had to be entered correctly beforeatransaction couldclear.

But when Lingordo later looked at his transaction details, 10purchases, all in the month of January, were approved for more than $13,000 U.S.,even though the addresses either weren't provided or didn't match the cardholders' billing addresses.

Another two went through with all the right information entered.

Weeks later, Lingordo said,all twelve of these purchases were flagged as fraudulent.

Lingordo tried to figure outwhat had gone wrong, running his own tests using TD's software.

He deliberatelyentered incorrect credit card information or left mandatory fields empty to see what would happen. Each time, he said,the transaction was approved.

"I could put any name, any security code, any number, anything, and they were passing," said Lingordo. Believing the software wasn't working properly, hetook his evidence to TD Canada Trust.

The bank deniedthere were any shortcomingswith its credit card-processing software.

However, Lingordocan't believe he's the only business that encountered such problems.

"They have thousands and thousands of customers using their services," said Lingordo.

E-commerce risky for small retailers

The president of the Canadian Federation of Independent Business (CFIB), Dan Kelly, hasn't heard of a case just like Lingordo's before.

But Kellysaidfraudulentonline payments are a big problem for many small business owners,who are shocked to discover they are on the hook for them.

Many small retailers are "sitting ducks," he said, because there is no way to know for sure that a credit card used online is valid andbecause they don't have thefinancial wiggle room to bounce back from fraud.

The CFIBrepresents nearly 110,000 merchants across the country, and Kelly said many of them are jumping into e-commerce to stay competitive.

But it's risky, Kelly said.

According to the Canadian Bankers Association, credit card fraud from online salesor phone and mail orders cost banks and merchants nearly half a billion dollars in 2015.

"If you're a small business just getting started in online sales, especially if you have larger purchases, that can be make it or break it for some firms," said Kelly.

E-commerce also costs small merchants more in bank fees than big companies pay, he said, as larger firms are often able to negotiate a better rate to process online transactions.

Kelly thinks for their money, small merchants should be getting better protection.

"That higher cost should actually pay for something," said Kelly. "It should pay for some degree of assurance."

Kelly saidthe banking industry has to better educate retailers about the dangers of e-commerce and how to protect themselves.

Bank says retailer ultimately responsible

TD Canada Trust would not get into specific details of Lingordo's case, but in an email, Fiona Hirst, a spokeswomanfor the bank said this:

"Our system processes the transaction and if incorrect information is entered, these transactions are flagged for the merchant to review. Ultimately, it's the merchant's decision to accept the transactions."

Hirst said fraudulent transactions continued to be accepted by Lingordo without engaging in "additional security measures" which the bank had suggested he take.

Those additional measures include signing up for Verified by Visa or Mastercard SecureCode, which are highly recommended for e-commerce.

Lingordosaidthose steps were never suggested to him.

New rules needed?

Lingordoappealed to the bank's ombudsman twice, to no avail. Lingordonow feels burned and has no plans to return to e-commerce.

Meanwhile, Kelly is pushing the federal government to change the rules of the game. He sits on a federal finance committee that includes card processors, credit card companies and banks.

He saidsmall businesses that do everything right including regularly reviewing their transaction history and taking steps to double check if the cardholder's identityshouldn't be left holding the bag.

Share your story with CBC Montreal's investigative team. Leave a message on our confidential tipline(514-597-5155), send us anemailor contact us onTwitter.

• More stories from the CBC Montreal Investigates team