Q Our online store recently had a flurry of chargebacks from customers who said their PayPal passwords had been stolen. What should we do?


When it comes to chargebacks, 90 percent of the time it's you, the online merchant, who gets burned. That's because credit card companies have "card not present" terms that allow them to avoid responsibility for fraudulent charges made online. So when a customer contests an Internet purchase, retailers like you must pay a fee--typically about $15--to the credit card company for the privilege of giving back money for a product you've already shipped. And, of course, you lose your merchandise to the password-swiping scofflaw.

But what's happening to you is not just a cost of doing business, it's a crime. Stolen password scams--including "phishing," in which bogus e-mails are made to look like they come from a financial institution to trick people into giving up their passwords--violate statutes on computer hacking, fraud, and identity theft. The first step is to report the problem to PayPal and the authorities. Some city police departments have computer crime divisions. If yours doesn't, call the state police. And lodge a complaint with the FBI's Internet crime unit by going to ic3.gov. Unfortunately, unless your losses are in the tens of thousands of dollars, your case may not be investigated. "There's less of an incentive for the government to step in when the majority of Internet shoppers get their money back," says Ken Dreifach, a partner at New York City-based law firm Sonnenschein Nath & Rosenthal and former head of the New York state attorney general's Internet bureau.

Still, there are ways to prevent chargebacks. You can take advantage of chargeback protection policies, which some processors provide for just this sort of unpleasantness. PayPal's, for example, offers up to $5,000 per year in chargeback protection. There's no sign-up fee, but a couple of strings: To be reimbursed for both the chargeback and your merchandise, you must ship to the cardholder's billing address and obtain proof of delivery. If $5,000 isn't enough, Google Checkout provides $10,000 per year in chargeback protection or 1 percent of annual sales if sales exceed $1 million. Google Checkout also scans for dubious orders and verifies the three- or four-digit credit card security code.

Though they can't help you with PayPal orders, other payment processors offer more aggressive scam scouting. CyberSource uses fraud detection tools that flag suspicious orders and credit card usage, says Dave Jevans, chairman of the Anti-Phishing Working Group, an association that tracks Internet fraud and phishing scams, and CEO of IronKey, a data security start-up in Los Altos, California. Plus, most major credit card companies offer additional security policies, such as Visa's Verified by Visa, which has cardholders create a special password for online purchases. Merchants who offer their customers enrollment in Verified by Visa won't receive chargebacks when someone pays with a Visa.

The danger, of course, is that some of these tactics will repel not only con artists but also consumers. Your challenge is to simultaneously protect and serve.

Intellectual Property

Q Most of our customers are a lot bigger than we are. In this age of litigation, how do we protect our ideas without breaking the bank?

Jonathan Bragdon
Chattanooga, Tennessee

For companies like yours whose customers are other companies, the best--and cheapest--way to protect your ideas is to not let new products out of the house without a well-wrought contractual bodyguard. Such contracts typically assert ownership by the idea's originator; the burden is on the client to insert a clause transferring those rights. Consequently, the devil is in the revisions. "A client may say, 'I'm going to try to stick something in the agreement that says I own whatever you create for me,'" says John Lanza, an intellectual property attorney at Boston-based law firm Choate Hall & Stewart. So be careful: Contents may shift during negotiations.

Trade secrets (defined as special knowledge or information) can be protected by nondisclosure agreements, which most attorneys will draft for a negligible one-time fee. Customers privy to the design process, formulas, and similar competitive edges should sign NDAs as part of contract negotiations.

Filing for a patent, on the other hand, is a long and expensive process that--depending on your industry and the degree of novelty in your invention--may not be practical. Between the filing fees, issuance fees, maintenance fees, and legal fees, you could spend anywhere from $5,000 to $20,000 for 20 years of exclusivity. In rapidly changing fields like technology, the product may be scrapheap-ready by the time the patent is issued, says Glen Whitman, associate professor of economics at California State University, Northridge. Worsening your odds, the Supreme Court in April increased the burden on filers to demonstrate that their products are truly innovative rather than mere modifications of existing ideas. So if you've invented the next big thing, by all means file. If you've designed a new carrying case for the last big thing, save your money.


To see Visa's 12 signs of card-not-present fraud, go to usa.visa.com/merchants/. For practical insights about patents, NDAs, and contracts, visit the IPWatchdog at ipwatchdog.com. Have a thorny business question? E-mail us at askinc@inc.com.