[registrars] Credit Card Proposal

["Michael D. Palage" <michael@palage.com>]

Unfortunately we did not have the opportunity to discuss credit card fraud
during Friday's meeting. One of the reasons for Friday's joint meeting was
to identify common positions between registries and registrars when
possible. Additionally, in the case where a common position cannot be found,
hopefully through intelligent discussion a middle ground could be found on
controversial issues.

With regard to credit card fraud this is how I see the various perspectives,
please excuse any over simplifications:

Defrauded Credit Card Holder: Someone stole my credit card and I want to be
made whole, remove the charges.

Registry: Registrar is required to obtain reasonable assurance of payment
per the ICANN Registrar Accreditation Agreement. They added a registration
to the registry database for x years, after the 5 day grace period, they are
required to pay for what they requested. This is a cost of doing business,
and registries are not in the best position to combat credit card fraud
since they are prohibited from having contact with the registrant.

Registrars: The majority of ICANN accredited registrars are small to
mid-size businesses trying to make a living in a highly competitive market.
In the case of credit card fraud, they are the ones left bearing the full
cost of the fraud. The card holder is made whole; the registry keeps all the
funds for services it may/may not have to provide; and the credit card
company access penalties to the merchant. One of the interesting statistics
from last weeks FTC meeting was the fact that there are over a 100 million
charge backs a year with a $10 to $20 fee imposed by the credit card
companies. WOW


I would submit that a potential middle ground in this dispute, would be the
following approach.

In the case of a fraudulent multi-year credit card charge, the registry
would refund all registry fees in excess of the first year. Therefore, in
connection with a 10 year fraudulent registration, the registry keeps $6 and
the registrar is refunded $54 dollars. An additional requirement for the
registrar to obtain this refund would be the demonstration that the
registrar employs a certain minimum level of fraud prevention mechanism,
i.e. CVV2, address verification, etc. Although these mechanisms are not 100%
reliable, the registry and other registrars should not have to bear the
burden of those registrars that refuse to employ reasonable fraud prevention
safeguards.

Obviously, registries and registrars could come up with more extreme
positions, but I believe this proposal is not unreasonable and would help to
alleviate some of the inequities that registrars must bear in the current
credit card fraud scenario.

Any thoughts?

Mike