There is no situation in which Visa is left on the hook for accepting a fraudulent payment. AFAIK, they have zero liability. Customers have no direct relationship with Visa in which they can demand money for misuse of their card; they have only a member agreement signed with the card-issuing bank that makes such anti-fraud guarantees. So the bank is on the hook.
Except not really. The bank passes on full liability to the merchant that accepted the payment. When the chargeback occurs, the payment is taken back from the merchant, plus a bunch extra as a chargeback fee to cover the costs of pushing around the forms between banks and taking the report from the cardholder over the phone. Knowing this only works when the merchant still has the money to take back, any hint of a merchant going over 1% of their monthly volume in chargebacks will generally trigger the bank to start holding back some or all of their payments in a reserve fund to cover the potential chargebacks.
The only way for the bank to be on the hook is if the merchant (like Wikileaks) passes the risk assessment enough to start accepting cards, and has a clean chargeback record up until the point a massive number of them come in, AND when the bank tries to recover that money, the merchant's already drained their bank account so there's nothing to recover.
If that happens, the bank's screwed, but Visa's still perfectly happy having taken 1-4% of every charge, even the fraudulent ones, with no liability for the stolen cards.
Why bother expanding on that tidbit? Because if Visa has zero liability, then why would Visa corporate be telling anyone not to accept cards from Wikileaks? That's not normal. The people that decide who can accept Visa cards are the underwriting departments at individual banks that back merchant service providers, not employees at Visa Inc.
The 1-4% you mention is the interchange rate. This is collected by the issuing bank, and not Visa. Visa typically receives a separate flat fee per transaction. Although often payment processors will charge the merchant a flat percentage fee which includes the interchange fees, acquiring bank fees, association fees, and the payment processor's fees.
Visa Europe (a separate company from Visa USA) would likely have to assume liability for chargebacks in the event that the acquiring bank went out of business without transferring its Visa business to another bank. I'm not sure if such a situation has ever happened though. In general the liability goes: Merchant -> Payment Processor -> Acquiring Bank -> Visa.
I think I knew that, but forgot. I have no real direct experience with this other than once signing up to be a merchant, but my girlfriend once worked for a processing company. Visa still has incentive to prevent fraud, though, right? Even if just for its own reputation? Banks probably won't issue Visa cards if they can't trust they won't be used fraudulently? If Visa has zero liability, then why would Visa corporate be investing in fraud protection at all?
Anyway, I didn't mean to speculate on motivations. I just wanted to explain that this is just some small Icelandic card processing company that got sued by a small data hosting company after they both conspired to funnel Wikileaks payments through as payments for data services and Visa and Mastercard objected.
It's far from the WIKILEAKS DEFEATS VISA headline, especially since neither was party to the lawsuit.