How do you protect your business from credit card fraud? Well, first, it is important to understand the different types and factors of fraud. There are many types of debit card fraud and credit card fraud. Traditionally, one of the most common forms was “card present fraud.” Card present fraud involves a criminal using a stolen credit card to make a fraudulent purchase. Because fraud can still be committed in person, card brands traditionally required merchants to check IDs on the back of cards against the receipt signature.
But with the advent of the internet and eCommerce, the science of how to stop credit card fraud has shifted to an invisible realm of tech-based practices. The elimination of certain traditional aspects of the payment landscape, like magnetic strips, is also cutting back on the viability of committing fraud with an actual stolen card.
Nonetheless, criminals are always hard at work. Online and eCommerce fraud prevention is primarily about anticipating the behavior of criminals and looking at behavior and trends. Take a look at some of these suggestions for preventing credit card fraud as a merchant.
Payment Processing Fraud Prevention Statistics
But first, a global outlook on debit and credit card fraud: credit card fraud was already costing businesses almost $28 billion in 2018 and is expected to surpass $35 billion by the end of 2023. Year after year, most fraud is perpetrated outside the U.S., which emphasizes the importance of remote, technology-driven anti-fraud measures.
Of the 650,500 cases of annually reported identity fraud, 42% are credit card fraud. And while younger people are more likely to report credit card fraud, older consumers suffer higher losses (the median loss being $448 for 20-29-year-olds and $1,600 for those over 80).
But the parties that might suffer most from credit fraud are merchants. Merchants will not only lose the cost of the merchandise or services rendered, but they will also be hit by fees and fines from the banks and card networks. They will also suffer a reputational loss as consumers view them as a potential pitfall. That’s why preventing credit card fraud is so important.
- Have the Right Hardware
One of the first things you can do to eliminate identity theft is to protect customer data at the point of sale. And that means not accepting magstripe payments. The magnetic strip on the back of a card stores static (unchanging) credit card information. Such information includes the name of the cardholder and their credit card number.
Skimming is one of the most common forms of fraud that has plagued the payment landscape. Skimming is when a criminal installs a small device on a magstripe reader to “skim” data off the magnetic strips that pass through it. They can take this information from legitimate customers and manufacture fake cards. Or, they can use the payment information for online payments.
There is a reason that credit card networks like Visa and Mastercard will entirely phase out magnetic strips by 2033: they are the type of physical, in-person transaction most susceptible to fraud attacks. By contrast, EMV chips and contactless payments are more secure.
EMV chip insertions and contactless taps do not complete the payment using static information. Rather, they use randomly generated encryptions. These encryptions are meaningless pieces of information that represent underlying card and customer information. Only the card networks and banks can decode them.
In particular, the randomization of the encryption prevents skimmers from working. Each transaction has a unique signature that is worthless for future transactions. Even if a criminal could capture some of the encryption, they wouldn’t be able to use it for anything else in the future.
That’s why having the right hardware goes a long way toward in-store fraud prevention. And having the right hardware means having POS terminals that only facilitate EMV chip insertions and contactless payments—both card and mobile wallet payments.
- Issue Dynamic Passcodes to Customers
A dynamic passcode is a one-time code sent to a customer’s phone or email. The customer has to input this code to complete the purchase. Dynamic passcodes are arguably a form of 2FA or two-factor authentication. 2FA involves verifying someone’s credentials with two pieces of information. In this case, it’s the card for making payments, plus the one-time password.
The idea behind 2FA is that even if someone has stolen a credit card, they will most likely not have that person’s phone as well. And even if they do have both, they won’t be able to log on without their passcode or biometric indicator (like a thumbprint or retinal scan).
Card Not Present Transactions
Dynamic passcodes are particularly relevant for card-not-present (CNP) transactions, such as those made in eCommerce. You are not there in person to examine any suspicious activity, such as requesting an ID. Of course, the dynamic passcode only works if there is a pre-existing relationship with the customer or if they have a pre-existing relationship with a third party. Otherwise, a criminal could obviously provide their own phone number or email to “verify” a transaction.
That’s where solutions like Verified by Visa and Mastercard Secure come into play. These applications have been around for almost two decades. They ask customers to verify themselves with a one-time passcode (OTP) sent to their phone number or email. Banks and card networks can compare those numbers and addresses to information they have on file for that cardholder. The transaction can proceed if everything checks out and the OTP is provided.
Some merchants have an in-house solution for sending customers an OTP. Amazon is an example of such a business. If you have an Amazon account but log on to a different device, Amazon will ask you to input a one-time code sent to your phone. Of course, this brings us to our next point: to ask your customers to create an account.
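The one-time passcode flow described above, as an added example (not code from Amazon, Visa, Mastercard or any payment processor). The customer record, the five-minute validity window and the three-attempt limit are assumptions; the code is sent only to the contact already on file, never to one typed in at checkout.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 3       # assumed limit on wrong guesses

# Constructed sample data: contact details the business already holds.
CONTACT_ON_FILE = {"cust-1001": "+1-555-0100"}
_pending = {}  # customer_id -> challenge state


def _digest(code, salt):
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(customer_id, now=None):
    """Create a code for the contact on file; return (destination, code)."""
    destination = CONTACT_ON_FILE.get(customer_id)
    if destination is None:
        return None  # no pre-existing relationship, so an OTP proves nothing
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
    salt = secrets.token_bytes(16)
    _pending[customer_id] = {
        "salt": salt,
        "digest": _digest(code, salt),  # store a digest, not the code
        "expires": now + OTP_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return destination, code  # caller passes the code to its SMS/email gateway


def verify_otp(customer_id, submitted, now=None):
    """Return True only once, for the right code, inside the window."""
    now = time.time() if now is None else now
    state = _pending.get(customer_id)
    if state is None:
        return False
    if now > state["expires"] or state["attempts_left"] <= 0:
        _pending.pop(customer_id, None)  # expired or guessed too often
        return False
    state["attempts_left"] -= 1
    ok = hmac.compare_digest(state["digest"], _digest(submitted, state["salt"]))
    if ok:
        _pending.pop(customer_id)  # one-time: a replayed code fails
    return ok
```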
- Have Customers Create Accounts
Asking customers to create accounts might seem counterintuitive. After all, asking customers to store card data with you puts a whole lot of financially sensitive data in one place. But the truth is that for most SMBs, the card information will not be stored with you. It will be stored with your payment processor, which has the tools to protect all those card details.
When a customer is asked to create an account with your business, they will provide contact information (like a shipping address) and payment information. This information on file will expedite their purchasing and create a positive customer experience. But it will also become a convenient tool to prevent credit card theft.
That’s because the customer will become aware of every single transaction made with your business. Customer accounts become starting points for staying in touch with customers, which includes notifying them of any orders made with their cards. Once again, Amazon provides an excellent example of this.
Every time you purchase something from Amazon, they email you about your purchase. Didn’t download Trolls Band Together on Amazon Prime? It’s time to contact Amazon and see if one of your kids did—or if someone outside your household is using your account. Amazon is not the only retailer that does this. Most major retailers will issue email and/or text alerts to customers about their purchases.
Part of account creation can be encouraging your customers to be proactive about monitoring their financial profile, even outside of your B2C relationship. Many credit score monitoring companies will also provide notifications about identity theft. You can provide customers with resources to monitor their transactions.
- Review Every Transaction
Some active participation in the payment landscape can thwart a significant amount of online fraud. Granted, it’s a time-consuming form of liability protection to manually review each and every transaction, but there are workarounds to that.
Reviewing transactions means comparing card information like the billing address to the shipping address and the device’s IP address used to place an order. For instance, if all three of these things are in vastly different locations, that’s a red flag.
One way to effectively give yourself (or a designated person) time to review transactions is to place an authorization hold on a card until you finalize the transaction. This is commonly done in certain industries where the final charge amount is unknown…such as hotels, restaurants, and car rentals. But it can also be done for other businesses as well.
For example, a business shipping high-ticket items might place an authorization hold on the customer’s bank account. They can then review the transaction before finalizing the payment and shipping it to the customer who ordered it.
This process may become too burdensome for higher transaction volumes. This is where machine learning can come into play. Financial institutions increasingly use artificial intelligence to analyze customer purchasing patterns and determine if something falls inside or outside the scope of likely behavior.
The bank will then send the customer a text message. Did you recently use your card at Dotty’s Casino in Elko, Nevada? Reply Yes or No to unlock your card. Businesses can access similar types of applications through their payment processor. Payment processors and banks are increasingly working closer together to analyze purchasing trends and eliminate fraud by stopping transactions out of the ordinary.
- Train Your Employees To Be Vigilant
Trojan Horse attacks enable a significant amount of payment fraud. These types of attacks involve sneaking into the database of a business to steal important information. Small businesses are attacked the most because they are perceived (accurately) as lacking the infrastructure needed to thwart these attacks.
As many as 43% of cyberattacks aim at small businesses, and one out of two small businesses has suffered a data breach. While the financial impact of a data breach varies based on the business, the attacker, and the size of the event, it costs businesses an average of $200,000 per attack—enough to be a serious setback to some SMBs.
Common modes of attack include phishing emails. A phishing email is an email meant to collect information while appearing to be a legitimate form of inquiry. Phishing emails may coax an employee into providing login credentials to a criminal posing as a mobile app or cloud-based software your business uses.
The criminal can then use this login information to access the internal systems of your business. If you store card information somewhere in your stored data, they will access it and use it to commit payment fraud. Alternatively, they may sell the data on the dark web. The dark web is a sort of internet black market where criminals can buy (many things, but among them) consumer data.
Sometimes an email will get an employee to click on something so that malware can enter your systems and start poking around. Small businesses have the highest rate of malicious emails, at one in 323. You can train your employees to recognize the hallmarks of a suspicious email—long, odd, nonsensical email addresses, poor formatting, questionable unprofessional phrasing, and unrealistic threats are just a few hallmarks.
- AVS, Geolocation, and Proxy Piercing
An address verification service compares the billing address input during the transaction to what the issuing bank has on file for that cardholder. This is one of the most common tools used in card-not-present transactions. It’s a common-sense measure that is relatively inexpensive and accessible for small and midsize businesses to use.
Then there is geolocation. We mentioned OTP or one-time passcodes in an earlier section vis-a-vis online purchases. But an OTP can also be issued for in-person transactions, verifying that the person holding the phone is the one making the purchase.
Proxy piercing is built on similar principles to the AVS and geolocation methods. But it relates specifically to the device from which a customer is placing an order. Every device has an IP address or internet protocol address. Sometimes criminals will attempt to use a proxy IP to obscure their true location.
Proxy piercing is a type of technology that allows this veil to be pierced and determines the true location of the device in question. For example, suppose the proxy server (false IP) is pierced, and it is discovered that the device used to place an order is in Mexico, Ukraine, Hungary, Malaysia, Colombia, Romania, The Philippines, Greece, Brazil, or China.
These countries are red flags due to high concentrations of internet criminality. As such, the transaction can be paused until further verification is obtained.
AVS, geolocation verification, and proxy piercing are all security solutions that a payment processor can provide, either through their own applications or in partnership with other financial institutions like card networks or banks.
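The checks from the transaction review section (billing address, shipping address and device location) and from this section (AVS result, location found behind a proxy) combined into one hold-or-capture decision, as an added example rather than any processor's actual logic. The field names, the 500 km cut-off and the sample coordinates are assumptions, and the AVS result and locations are taken as already supplied by the payment processor.

```python
from math import asin, cos, radians, sin, sqrt

FAR_KM = 500  # assumed cut-off for "vastly different locations"


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(min(1.0, sqrt(h)))


def review(txn):
    """Decide whether to capture an authorized order or keep the hold.

    txn fields (all hypothetical): avs_match, billing, shipping,
    ip_location, and pierced_location when a proxy was detected.
    """
    reasons = []
    if not txn["avs_match"]:
        reasons.append("avs_mismatch")
    pierced = txn.get("pierced_location")
    device = pierced or txn["ip_location"]  # use the location behind the proxy
    if pierced and km_between(pierced, txn["billing"]) > FAR_KM:
        reasons.append("proxy_hides_distant_device")
    spots = [txn["billing"], txn["shipping"], device]
    # A gift shipped far away is normal; all three far apart is the red flag.
    if all(km_between(spots[i], spots[j]) > FAR_KM for i, j in [(0, 1), (0, 2), (1, 2)]):
        reasons.append("billing_shipping_device_all_far_apart")
    return ("hold" if reasons else "capture"), reasons


# Constructed sample coordinates (approximate city centres).
DENVER, BOULDER = (39.74, -104.99), (40.01, -105.27)
MIAMI, SEATTLE = (25.76, -80.19), (47.61, -122.33)

# Constructed sample orders.
ORDERS = {
    "local": {"avs_match": True, "billing": DENVER, "shipping": BOULDER, "ip_location": DENVER},
    "gift": {"avs_match": True, "billing": DENVER, "shipping": MIAMI, "ip_location": DENVER},
    "scattered": {"avs_match": True, "billing": DENVER, "shipping": MIAMI, "ip_location": SEATTLE},
    "proxied": {"avs_match": True, "billing": DENVER, "shipping": BOULDER,
                "ip_location": DENVER, "pierced_location": SEATTLE},
    "bad_avs": {"avs_match": False, "billing": DENVER, "shipping": DENVER, "ip_location": DENVER},
}

if __name__ == "__main__":
    for name, order in ORDERS.items():
        print(name, *review(order))
```

A "hold" result means the authorization hold stays in place and the order goes to a person for review; it is not a decline.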
- Be Vigilant About Internal Fraud
Machiavelli once said, “Keep your friends close, and your enemies closer,” by which he meant to keep your eye on them. And while you don’t want to view your employees as enemies, you certainly do want to be vigilant against internally-sourced fraud. Employees may have access to sensitive customer data like card numbers.
That’s why you need to have internal controls that limit data access to only the most relevant parties. Employees who do access data points from a POS should each have a unique set of login credentials.
For one, it makes it easier to pinpoint the time of fraud (that is, during whose shift the fraud occurred). It also makes it easier to prevent former employees (perhaps disgruntled former employees) from gaining access to sensitive payment information.
Company insiders commit 57% of fraud, while 22% of small business owners have had employees steal from them. Current or former employees cause 20% of data breaches. And perhaps most shocking is the fact that employee fraud schemes last an average of 12 months. That’s right…employee fraud, on average, is a process occurring right under the nose of most business owners.
“How now, a rat?” exclaimed Hamlet before plunging the dagger into the curtain to kill his eavesdropper. Of course, you don’t need to do anything so dramatic or Shakespearian. But having a good set of best practices can go a long way toward reducing one of the most significant sources of credit card fraud: your own human talent.
- Think Like a Criminal
The best defense is a good offense, as they say. Sometimes credit card fraud prevention can be aided by knowing the techniques of credit card fraud. One particularly burdensome source of credit card fraud is so-called friendly fraud. Friendly fraud is when a customer pays for something, uses it, and then tells their bank they never got it or there was something wrong with it.
When a customer goes to their issuing bank to dispute a charge instead of requesting a refund from you, that’s called a chargeback. Chargebacks may cost merchants almost $118 billion by the end of 2023, and as many as 86% of them may be attributable to friendly fraud, which has been increasing by 41% every two years.
A friendly fraudster might place an order for a service or goods. Then, they’ll say they changed their minds and would like a refund. Only they’d like you to issue the refund as a check because they lost their card.
After pocketing your well-intentioned check, they’ll file a chargeback with their card issuer and hide behind the consumer fortifications provided by legislation like Regulations Z and E (Truth in Lending and Electronic Funds Transfer Acts, respectively).
Visa and Mastercard have fraud prevention tools and processes that payment processors and merchants are supposed to adhere to. Knowing these rules and regulations can help you avoid some fraud-related snares.
In this example, refunds for credit card payments must be issued back to the credit card—not issued as a check. If the card number truly has changed, there are workarounds to that which do not include non-card refunds.
- Have Secure Internet Connectivity
It is important to keep the wifi connection for your business secure. If you want to reduce credit card fraud, you may be surprised to hear that securing your internet, software, and hardware is important.
But criminals searching for credit card information can exploit the weakest link in your system to access the data they want. Public wifi networks are decidedly not secure, and you should not use them to access your cloud-based services.
Your software should also have the latest anti-fraud, antivirus, and firewall measures. Part of this involves having paid “hackers” find a way into the system in penetration tests.
You should conduct a penetration test when you install new software or security patches, or when your business physically moves.
Hardware can also be a weak link to access systems. Sometimes hardware like a router will come with preset passwords. Avoid using these passwords, as they can be easier to pin down and exploit. In a related vein, avoid using personal information that criminals could find online.
Many acts of cyber-criminality these days are perpetrated by constructing a sort of “Frankenstein” identity of pieces put together—a birthday here, a location there, an email here…these pieces can be exploited to guess passwords or find more information.
One aspect of securing your connectivity is using the most up-to-date devices and software. Cybercriminals are always looking for proverbial chinks in the armor and will exploit outdated systems to find an easy way in. If you use cloud-based software, the service provider may automatically update the software to the latest version.
Protecting Your Business From Credit Card Fraud: A Wrap-Up
Brick-and-mortar and eCommerce credit card fraud prevention have some overlap in terms of strategy. Protecting your network tools (avoiding public wifi), using the most up-to-date hardware, and software-based strategies (geolocation, one-time passwords) are just a few of the preventative strategies you can engage in to prevent debit and credit card fraud.
The card networks (American Express, Discover, Mastercard, and Visa) also enact their own fraud prevention strategies to foil fraud. Working with a good payment processor will bridge the gap between you and the financial institutions that are hard at work proactively preventing the misuse of debit and credit card accounts.
If you have any questions about the best anti-fraud measures, don’t hesitate to contact us. We would love to learn about your business and what types of anti-fraud measures would be best suited to protect your enterprise.