De Telegraaf reports today that a number of webshop-owners face financial losses as they delivered goods to Indonesian buyers that used credit-cards. Those cards weren't reported stolen by the owners, simply because the owners had not received them (yet). The crooks intercepted the cards (or card data) in the mail, after the cards had been issued.
In the Netherlands this does not work, given that new credit-cards need to be activated before use. But other countries work differently. The result is that the webshop owner believes he can deliver services but is faced with a chargeback a couple of weeks after the transaction (when the legitimate card holders see a transaction they did not do).
Now, although the credit-card companies have such conditions that the shop owner pays the losses of the chargeback, we might wonder if the legal basis for doing so is not getting a little weak. Mail fraud with credit-card has been around so long that it could be considered best practice to have a separate activation procedure. Why should the merchant pay if an issuing bank is too sloppy in its issuing procedure?
I think that, although some of the merchant may have been somewhat naive, they might have a legal case and may hold the issuing bank responsible. Meanwhile everyone is best advised not take any large-value orders from Indonesia or Russia without sufficient risk assessment. Or choose a procedure in which irrevocable payment by money transfer precedes delivery.