There are generally 3 types of fraud that merchants have to contend with:
- Cloned/Counterfeit Card Fraud: This is a type of card-present fraud where the scammer forges a card with someone else’s account information and uses it in a brick-and-mortar storefront. This is primarily limited to magnetic swipe cards, but chips enabled cards can also be susceptible.
- Lost/Stolen Card Fraud: This type of fraud is most familiar to consumers, and likely a worry for many merchants: a scammer using someone else’s card to make a transaction (often a very large one). This can happen online or in a retail store.
- Card-Not-Present Fraud: Any sort of fraudulent online transaction falls into this category, simply by virtue of the card not being swiped or dipped. While there are some tools merchants can use to mitigate this risk, by and large, it is the easiest type of fraud to commit. CNP fraud makes up the majority of card fraud, especially as EMV has made it more difficult to clone or counterfeit cards.
Ways to Reduce Credit Card Fraud in Card Present Transactions
Secure Your POS and Hardware:
We have all heard of the large card holder and customer identity breaches that occurred within companies like Target and Equifax. It’s important to note that scammers may also attempt to infiltrate smaller business networks as well. The Payment Card Industry (PCI) compliance standards have laid out best practices to help mitigate network risks.
- Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. - Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks. - Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications. - Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data. - Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes. - Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
Ask for Customer Identification
With the advent of EMV and Pin #s, viewing a customers ID has become less common. However, if you suspect there may be fraud, especially with a large value purchase, viewing the customer ID can offer a good fraud deterrent.
Keep in mind that the card network rules do not obligate the customer to provide an ID. If they offer and EMV or Pin# as card validation, the merchant is instructed to process the transaction:
“A Merchant may request cardholder identification in a face-to-face environment. If the name on the identification does not match the name on the card, the merchant may decide whether to accept the card. If the cardholder does not have, or is unwilling to present, cardholder identification, the merchant should honor the card if they have obtained proof of card presence, a valid authorization, and a valid signature or PIN.”
Avoid Keyed Transactions
Always swipe or insert (EMV) a card vs keying in the card number. The card networks inherently view these keyed transactions as riskier and thus more expensive. It suggests that someone might be processing cards that aren’t physically present in the store, and may not be able to use proper Card Not Present fraud best practices. Should there be a chargeback or fraud, the liability rests on the merchant for Keying a card that should have been swiped or inserted. A certain number of keyed transactions are to be expected. But they are likely monitored by your processor and too many can lead to a hold, freeze, or termination.
Switch to EMV Acceptance
This is the most obvious manner to drastically aid in lowering a merchants fraud experience. Depending on the POS system in use, there will be some costs associated with equipment, software upgrades, and possible downtime during implementation. However, the benefits of card security, peace of mind, and chargeback savings are likely to far outweigh any setup costs. Granted EMV enabled cards can still be counterfeited. But it is much more difficult, and the liability is weighted toward the card issuer. Scammers generally prefer the much easier to infiltrate the Card Not Present environment.
Fortunately, you can take measures to protect yourself and your business. Make sure that you keep your POS secure, and don’t overlook simple defenses such as collecting signatures or requesting IDs, and keeping keyed transactions to a minimum. Implementing EMV, if you haven’t already, is one of the most significant ways you can protect your business.