Adam Penenberg covered a story on a green merchant who was dinged for thousands of dollars in fees because of his anti-fraud mechanism.

What I find most interesting about this article is what’s not mentioned in the story. Question one, why was this vendor targeted? This attack wouldn’t have been useful against a vendor who didn’t have this very unique method of verification. That twigs me to think that it was launched by a disgruntled customer—or more insidiously, by someone inside the bank who knew about the arrangement. And who also happened to have 30,000 credit card numbers from Bank One customers. The merchant bank isn’t mentioned, but wouldn’t it be interesting if this bank and Bank One had shared files which allowed some employee to have access to both?

Of course, if the merchant bank cared one whit about this, they’d have followed up on this. But far easier to stick the vendor with the bill and be done with it.

Meanwhile, Congress is moving quickly to protect credit card companies from fraud. Which should probably read, “from all the fraud for which, by law, we can’t shift the risk onto other people.” Consumers are a protected class, so let’s just ding the merchants.