To the best of my knowledge, anybody taking a credit card will lose a chargeback if they don't have a signature.
It's not quite as simple as that. The customer authentication problem is what programmes like MasterCard SecureCode and Verified by Visa are supposed to solve. The trouble is, their implementations are so clunky that a lot of merchants/payment services don't use them, which in turn means a lot of end customers don't expect or understand them either, damaging legitimate conversions. I've heard that they are also not widely used in the US for whatever reason(s), though they're somewhat common here in the UK now.
In theory, these mechanisms should fix much of the underlying weakness in the current card payments model, because the end customer never gives the extra security information to others, only to their own bank/card provider. And there really are (or at least were the last time I checked) payment services that will eat the fees for chargebacks on transactions that were authorised using these kinds of 3-D Secure mechanisms given reasonable evidence that the merchant did provide whatever was being paid for. Unfortunately, I'm not aware that any of the new generation of online payment services offers 3-D Secure yet, which I expect to become a significant headache for them as more horror stories like the one we're discussing here come to light.
As a point of interest, much the same arguments apply to two-factor authentication schemes for cardholder present transactions, such as Chip-and-PIN, which has been almost universal in the UK for a long time now but again doesn't seem to have had as much take-up in some other countries. It's normal to consider a PIN-authenticated transaction at least as safe as one confirmed with a written signature. But again, these technologies don't seem to be universal in some other countries yet for whatever reason(s).
It's not quite as simple as that. The customer authentication problem is what programmes like MasterCard SecureCode and Verified by Visa are supposed to solve. The trouble is, their implementations are so clunky that a lot of merchants/payment services don't use them, which in turn means a lot of end customers don't expect or understand them either, damaging legitimate conversions. I've heard that they are also not widely used in the US for whatever reason(s), though they're somewhat common here in the UK now.
In theory, these mechanisms should fix much of the underlying weakness in the current card payments model, because the end customer never gives the extra security information to others, only to their own bank/card provider. And there really are (or at least were the last time I checked) payment services that will eat the fees for chargebacks on transactions that were authorised using these kinds of 3-D Secure mechanisms given reasonable evidence that the merchant did provide whatever was being paid for. Unfortunately, I'm not aware that any of the new generation of online payment services offers 3-D Secure yet, which I expect to become a significant headache for them as more horror stories like the one we're discussing here come to light.
As a point of interest, much the same arguments apply to two-factor authentication schemes for cardholder present transactions, such as Chip-and-PIN, which has been almost universal in the UK for a long time now but again doesn't seem to have had as much take-up in some other countries. It's normal to consider a PIN-authenticated transaction at least as safe as one confirmed with a written signature. But again, these technologies don't seem to be universal in some other countries yet for whatever reason(s).