Merchant’s Guide to Preventing Card-Present Fraud
Credit card fraud, for most people, conjures up one of two scenarios. First, there are data breaches à la Target or Home Depot, where thieves access the system and steal credit card numbers, names, and other data. Beyond that, you might think of online card fraud, where shady people use stolen card numbers (sometimes acquired in data breaches like the previously mentioned ones) to buy a whole bunch of stuff online. Even if you start digging into ways merchants can protect against card fraud, the overwhelming number of resources are targeted at eCommerce and online transactions, and ways to prevent fraud there. There isn’t much information at all about card-present fraud — that is, transactions that are still not legitimate but take place in a retail store, where the card is swiped or dipped.
Overall, card-present credit card fraud is a smaller piece of the pie than online fraud, which is likely why there’s a disproportionate number of resources regarding internet-based cons. But it’s still essential that merchants take every step they can to protect themselves. That includes understanding what risks you face in the brick-and-mortar environment.
Table of Contents
- Understanding the Types of Credit Card Fraud
- The Credit Card Fraud Game-Changer: EMV
- 6 Ways to Reduce Credit Card Fraud in Brick-and-Mortar Stores
- Conclusion: How Big a Risk is Card-Present Credit Card Fraud?
Understanding the Types of Credit Card Fraud
I’m writing this mostly to explain how to avoid fraud. I don’t want to get into all of the various scams and techniques that fraudsters use because you could write a small ebook on the subject. But generally, all credit card fraud (or debit card fraud) falls into one of three categories:
- Cloned/Counterfeit Card Fraud: This is a type of card-present fraud where the scammer forges a card with someone else’s account information and uses it in a brick-and-mortar storefront.
- Lost/Stolen Card Fraud: This type of fraud is most familiar to consumers, and likely a worry for many merchants: a scammer using someone else’s card to make a transaction (often a very large one). This can happen online or in a retail store.
- Card-Not-Present Fraud: Any sort of fraudulent online transaction falls into this category, simply by virtue of the card not being swiped or dipped. While there are some tools merchants can use to mitigate this risk, by and large, it is the easiest type of fraud to commit. CNP fraud makes up the majority of card fraud, especially as EMV has made it more difficult to clone or counterfeit cards.
It’s also worth noting there are a couple other types of fraud merchants need to be wary of:
- ATM Fraud: Scammers will use a few different tactics to get either money or card data from ATMs, including installing card skimmers (we’ll talk about those in a bit) or deliberately blocking the cash distribution mechanism. If you have an ATM on-site at your business, be aware of it as a potential target.
- Check Fraud: Checks are definitely on the decline. In fact, according to the Federal Reserve, the total number of check payments made in the U.S. fell on average 6.2 percent per year from 2000 to 2012, and from 2012 to 2015, fell by an average of 4.4 percent annually. In 2015, consumers wrote a total of 19.4 billion checks, a decrease of 3.1 billion from the 2012 figure. However, the Fed also reports that the average value of the checks written has increased, meaning that while people are writing them less frequently, they tend to write them for increasingly larger purchases. Check acceptance isn’t universal, but if you do accept checks, using a digital service such as Telecheck to automatically convert payments and flag risky transactions is a good way to protect yourself.
I’m not going to really get into CNP fraud, as most of it relates to running an eCommerce store. This article won’t deal with ATM or check fraud in-depth because they don’t apply to the majority of merchants. Our focus is specifically card fraud at brick-and-mortar stores, be it debit or credit card related.
The Credit Card Fraud Game-Changer: EMV
Even before the EMV liability shift took place, fraud experts were predicting that CNP fraud would increase significantly in the US, because other countries that implemented EMV saw the same pattern, and those predictions have held true. Credit bureau Experian reported a 33% increase in CNP fraud compared to 2015.
Part of the reason for increased CNP fraud is the growth of online shopping. As more people buy online, the total volume of credit card fraud is bound to increase. However, the rollout of EMV is also playing a role in the increase of card-not-present fraud.
Specifically, the chip in an EMV card is much harder to copy than a magstripe, which is technology straight out of the 1970s. The stripe holds static data that any reader can dump and write onto a blank card; the chip holds a secret key and signs each transaction with a one-time cryptogram that the issuer checks, so the data that crosses the terminal cannot be replayed as a new card. Scammers are switching to buying online instead, where there is no way to physically authenticate the card and most security checks rely on the CVV or AVS to spot suspicious transactions.
That’s not to say cloned or counterfeited cards are no longer a problem at all. They are. EMV market saturation in the US isn’t 100%, and even if consumers have chip cards, that doesn’t mean merchants are equipped to accept chip cards. And even if counterfeited card fraud is on the decline, there’s still lost/stolen card fraud to worry about.
6 Ways to Reduce Credit Card Fraud in Brick-and-Mortar Stores
So, let’s say you own an antiques store. Someone comes in to buy some furniture for their new home. Two weeks and a couple of thousand dollars later, you find out that the card used was a stolen card. The cardholder has filed a chargeback, meaning the total transaction amount has been deducted from your account and placed on hold pending investigation. Not only that, but you’re out the actual merchandise, effectively doubling your loss.
Unfortunately, this can and does happen to merchants. While some industries are far more likely than others to be victims of card fraud, any and every business should be aware of the risks and take precautions.
Which industries are most at risk? According to a US Bank presentation, some of the MCCs (merchant category codes, used to identify the type of products or services a company offers) that are most targeted for fraud include the following:
- 5411: Grocery Stores and Supermarkets
- 5732: Electronics Stores
- 5812: Eating Places and Restaurants
- 5999: Miscellaneous and Specialty Retail Stores
- 4722: Travel Agencies and Tour Operators
- 5311: Department Stores
- 5661: Shoe Stores
So what can you do to protect yourself? First of all, you should be aware of whether you’re in the type of industry that is likely to be targeted for card-present fraud. A dry-cleaning business or a coffee shop? Probably not so much. An art gallery, a furniture or electronics store, or any other business where consumers can drop hundreds or thousands of dollars in one go? Most definitely a target.
Second, make sure you implement policies and procedures that can help mitigate fraud. We’ll start with a really basic one, which I suspect a lot of merchants overlook:
1. Check Network Guidelines for Card Acceptance
I mention this a lot — and by a lot, I mean in almost every review I write — but READ YOUR CONTRACT. Know what you’re signing and what rules and requirements you are being bound to. It’s important to keep your merchant account open so you can keep accepting cards. But you should also look at the merchant guidelines that the various card networks (Visa, MasterCard, American Express and Discover) offer. They usually cover guidelines such as displaying marks of acceptance, surcharging, and minimum/maximum transaction amounts. Tucked away in those guidelines are also policies that cover security measures you are expected to take and what you should do if you think a card is fraudulent or the transaction otherwise appears suspicious.
2. Secure Your POS and Hardware
Apart from the threats posed by counterfeited or stolen cards, you should also be aware of the potential for a data breach. If someone is able to access your system and compromise your customers’ personal information, it could be devastating for you and your business. Data breaches can happen in many ways.
One of the obvious ones is skimming, where a scammer installs a device over your terminal or PIN pad that captures card data as it is swiped or keyed and stores it. Skimmers can take only seconds to install and are hard to spot unless you know the signs: a loose or bulky card slot, a keypad overlay that sits proud of the bezel, a broken tamper seal, or a terminal whose serial number no longer matches your inventory. PCI DSS (Requirement 9.9) expects merchants to keep a list of their payment terminals and to inspect them periodically for tampering or substitution; a quick check by the opening shift each day is a reasonable way to meet that. Scammers can also cause a data breach by installing malware on your POS system or otherwise hacking it. These are more advanced techniques and usually aimed at larger targets, but they are a possibility you should be aware of, especially if you store any kind of customer data.
PCI Compliance: What You Need to Know
Technically, PCI DSS compliance (usually just referred to as PCI compliance) isn’t just about POS systems. It’s about your hardware, too. Most of the time that’s lumped in with your POS, though, especially if you have an integrated solution.
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a unified standard, laid out by the PCI Security Standards Council, describing the steps merchants need to take to secure cardholder data in their hardware, POS system and network. Merchants are sorted into one of four levels depending on the number of transactions they process annually (each card brand sets its own thresholds). Most small businesses are Level 3 or Level 4. The level does not change which controls apply; all twelve requirements below apply to everyone. What changes is how you prove compliance: the lower levels validate with an annual self-assessment questionnaire (SAQ) and, depending on how cards are accepted, quarterly external vulnerability scans by an Approved Scanning Vendor, rather than an on-site assessment by a Qualified Security Assessor.
If you didn’t build your system yourself, there’s a good chance the pieces you use have been validated: payment applications and PIN-entry devices go through the PCI SSC’s own certification programs (PA-DSS for software, PTS for terminals) before vendors can sell them for handling card data. That doesn’t make you compliant by itself, though. Compliance is assessed on the merchant, and how you deploy and operate those components matters. If you store any customer data (especially in a database you create and maintain yourself) or route it through a website you maintain yourself, you are almost certainly in scope for more than the minimal questionnaire. You should talk to your merchant account provider or software vendor about what steps are required to ensure your compliance. You may be required to complete quarterly scans or self-assessments.
PCI compliance can be summed up into 12 requirements grouped into six categories. The wording below is taken from the PCI SSC Quick Reference Guide for PCI DSS v3; the v4 standard regroups and rewords the requirements but keeps the same twelve areas.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
For merchants, I think the key takeaway is that PCI compliance (and data security in general) is not a one-and-done deal. You need to actively take preventive measures and monitor your system, from updating software and firmware when updates appear to watching your employees and making sure they are educated on card security issues and proper card-handling procedures.
Beyond PCI Compliance: How to Keep Your POS (and Data) Secure
Learning all of the ins and outs of PCI compliance is a challenge for anyone, even the experts! But since data security is not something you take care of once and never think about again, you should definitely take some time to learn about security.
Two of the big terms right now are encryption and tokenization. PCI DSS requires cardholder data to be encrypted whenever it crosses open, public networks (Requirement 4), and your POS and hardware should do that by default. The two terms you will hear from vendors are point-to-point encryption (P2PE) and end-to-end encryption (E2EE). They describe the same idea: the card data is encrypted inside the reader’s tamper-resistant hardware the moment the card is swiped, dipped or tapped, and only the processor holds the key to decrypt it, so your POS software and your network never see a cleartext card number. The difference is that P2PE is a PCI-validated solution (the PCI SSC publishes a list of validated P2PE solutions), and using one can shrink the scope of your own PCI assessment; E2EE is a vendor term for the same architecture without the validation.
Tokenization is not yet universal, though it’s becoming more common, largely thanks to NFC/contactless payments. Tokenization substitutes a stand-in value (the token) for the actual card number, so the systems that store or pass around the token never hold the real PAN. A token has no mathematical relationship to the card number; the mapping lives only in a separate token vault, so even if data is breached and decrypted, the tokenized number is useless to scammers outside that vault. That is how Apple Pay, Samsung Pay and Android Pay keep card data secure: the phone is provisioned with a device account number (a token) in place of the real card number, and each tap also carries a one-time cryptogram, so a token captured at one terminal cannot be replayed for a new purchase. Merchants get the same benefit on the back end when their processor returns a token for card-on-file or recurring billing instead of the PAN.
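To make the distinction concrete, here is an added example in Python (my illustration, not code from the original article or from any payment vendor). It contrasts a minimal token vault, where the token is a random value with no relation to the card number, with the common mistake of "tokenizing" by hashing the PAN: receipts and statements expose the first six and last four digits, only the six middle digits are unknown, and the Luhn check fixes one of those, so a plain SHA-256 of a 16-digit card number can be reversed with about 100,000 guesses. The in-memory vault and the card number are assumptions for illustration; the number used is the well-known Visa test number, not a real account.

```python
"""Added example (not from the original article): a random token vault
versus hashing the card number.

Assumptions (illustration only): an in-memory vault; the sample PAN is the
public Visa test number 4111 1111 1111 1111, not a real account."""
import hashlib
import secrets
from itertools import product
from typing import Dict, Optional

# Luhn doubling step with the digit-sum reduction (7 -> 14 -> 1 + 4 = 5).
_DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]
# The doubling map is a bijection on 0..9, so it can be inverted.
_UNDOUBLE = {v: i for i, v in enumerate(_DOUBLE)}


def luhn_weighted(digits) -> int:
    """Weighted digit sum used by the Luhn mod-10 check (every second
    digit from the right is doubled)."""
    return sum(_DOUBLE[d] if i % 2 else d
               for i, d in enumerate(reversed(digits)))


def luhn_ok(pan: str) -> bool:
    """True if pan is all digits and passes the Luhn check."""
    return pan.isdigit() and luhn_weighted([int(c) for c in pan]) % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four: the most PCI DSS v3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal token vault. The token is random, so nothing about the PAN
    can be recovered from it; the mapping exists only inside the vault."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        token = secrets.token_hex(16)
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def hash_pan(pan: str) -> str:
    """The tempting shortcut: a plain SHA-256 of the card number."""
    return hashlib.sha256(pan.encode()).hexdigest()


def complete_luhn(partial: str, hole: int) -> str:
    """Replace index `hole` of a digit string with the one digit that
    makes the whole string Luhn-valid."""
    digits = [0 if i == hole else int(c) for i, c in enumerate(partial)]
    need = (-luhn_weighted(digits)) % 10
    from_right = len(partial) - 1 - hole
    fill = _UNDOUBLE[need] if from_right % 2 else need
    return partial[:hole] + str(fill) + partial[hole + 1:]


def recover_pan_from_hash(target: str, first6: str, last4: str) -> Optional[str]:
    """Brute-force a hashed 16-digit PAN from the digits a receipt shows.
    Five middle digits are enumerated and the sixth is derived from the
    Luhn check, so at most 10**5 hashes are computed."""
    for middle in product("0123456789", repeat=5):
        candidate = complete_luhn(first6 + "".join(middle) + "0" + last4, 11)
        if hash_pan(candidate) == target:
            return candidate
    return None
```

The point of `recover_pan_from_hash` is that a hash of the card number is reversible from data that is routinely printed on receipts, so a "hashed PAN" column in your own database is still cardholder data for PCI purposes. A random token from a vault (or from your processor) is not, because no amount of computation turns the token back into the card number.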
3. Capture Signatures, Even on Low-Value Transactions
Credit (and debit) cards have a space on the back for consumers to sign them because, in theory, merchants are supposed to compare that signature to the one on the receipt as a means of verification. The reality is few if any merchants actually do this.
In the interest of speeding along transactions, especially in environments where customers expect to be in and out of the checkout fairly quickly, the card networks have relaxed their guidelines and no longer require a signature on all transactions. Low-value transactions (under $25 or $50 depending on the network) often waive the signature requirement.
mPOS systems — Square, PayPal Here, SumUp, etc. — as well as some POS systems often allow merchants to disable signatures on low-value transactions. For mPOS systems, the threshold is usually $25. For full-fledged POS systems, that threshold is sometimes at the merchant’s discretion.
Realistically speaking, quick-serve restaurants and cafes, grocery stores, etc., where you’re going to encounter low-value transactions, aren’t a huge risk. And the losses, unless you’re experiencing a giant string of fraudulent transactions, are minimal. It’s not that you absolutely must enable signatures on all transactions to protect yourself. That’s simply not true. But if you do want to maximize your protection and don’t mind the extra time to collect a signature during the checkout phase, you can enable them.
For high-value transactions, you should absolutely be collecting signatures on everything. In fact, for very large transactions, signed invoices are a great way to protect your business and defend against chargebacks.
4. Ask for Customer Identification
Some consumers, instead of signing the backs of their cards, choose to write “SEE ID” in that space. This tells merchants they should ask for a photo ID and compare it to the name on the card.
This is a great practice. Not all merchants do it, especially as we see more and more consumer-facing PIN pads and terminals where the cashier never handles the card.
But there is just one small problem:
A merchant can ask to see a photo ID for a transaction, but legally, the consumer isn’t obligated to provide it. Visa’s guide, 5 Important Visa Rules That Every Merchant Should Know, explains it like this:
“A Merchant may request cardholder identification in a face-to-face environment. If the name on the identification does not match the name on the card, the merchant may decide whether to accept the card. If the cardholder does not have, or is unwilling to present, cardholder identification, the merchant should honor the card if they have obtained proof of card presence, a valid authorization, and a valid signature or PIN.”
So if a customer offers an ID that doesn’t match the name on the card, the merchant can choose to decline the transaction. If the customer refuses to provide an ID or does not have one, Visa’s rules state that you should process the transaction, provided you have the card in hand and they sign or enter their PIN.
That said, asking for ID is still generally a good policy. Just be aware of the card networks acceptance rules (see point #1 above).
5. Avoid Keyed Transactions
It’s story time!
A long, long time ago (OK, more like eight years ago), when I worked as a cashier in a place that shall not be named, I remember occasionally having to put a card in a plastic grocery bag and swipe it to get the POS to read it. I’m still not sure why this worked, but it did. The cards that had this problem were usually old and worn — sometimes worn to the point that the raised numbers weren’t nearly as raised as they should have been, and the whole card seemed thinner, even stretched. They usually came out of worn-down, overstuffed wallets, and so I just generally assumed the wear was the result of where the card was stored. Sometimes, though, even that didn’t work, because the card would have a split in it over the magstripe or it just wouldn’t read. In those cases, I could (and did) manually enter the card.
I don’t know if any of the cards I processed this way were fraudulent, but I do know now that this was a risk. Card network guidelines, as well as most other security experts, recommend that you inspect the physical card for signs of damage or tampering before you process a transaction. Damaged cards, especially ones that won’t swipe, can (but don’t always) indicate counterfeit or cloned cards. Keying in the number bypasses the card entirely: the terminal never reads the stripe or chip, so it cannot check anything about the physical card, and the network treats the transaction as card-not-present.
First, keyed transactions always cost more than swiped or dipped ones. PayPal and Square both charge 3.5% + $0.15, which is well above the 2.7% and 2.75% (respectively) that they charge for swiped or dipped transactions. Traditional merchant accounts will also assess a higher fee, though it varies more.
Second, having too many keyed transactions is often a red flag for a merchant account provider. It suggests that someone might be processing cards that aren’t even physically present in the store, which is, obviously, a big no-no. A certain number of keyed transactions are to be expected, but too many can lead to a hold, freeze, or termination.
So do your best to avoid keying in card information, as this will protect your business. Most security experts also recommend looking at your processing history and making note of any patterns — whether these transactions happen at a particular time consistently, or if one cashier is more prone to keyed transactions than others.
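As an added example (mine, not from the original article or any POS vendor), the following Python reads a constructed CSV export of the kind most POS systems can produce and reports which cashiers and which hours of the day have an unusually high share of keyed transactions. The column names, the 20% threshold and the sample rows are assumptions; adjust them to your own export and volume.

```python
"""Added example (not from the original article): find cashiers and hours
with an unusually high share of keyed (manually entered) card transactions.

Assumptions (illustration only): a hypothetical POS export with the columns
shown; rows, names and the 20% threshold are constructed for the example."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Callable, Dict, List, Tuple

# Constructed sample export. entry_mode is whatever your POS records for
# chip (dip), swipe, contactless or keyed entry.
SAMPLE_EXPORT = """\
timestamp,cashier,entry_mode,amount
2017-03-01T09:12:00,alice,chip,42.10
2017-03-01T09:40:00,alice,swipe,18.00
2017-03-01T10:05:00,bob,keyed,640.00
2017-03-01T10:22:00,bob,keyed,725.00
2017-03-01T10:48:00,bob,chip,12.50
2017-03-01T11:03:00,carol,chip,99.99
2017-03-01T11:30:00,carol,swipe,250.00
2017-03-01T11:55:00,bob,chip,64.00
2017-03-01T13:14:00,alice,chip,31.00
2017-03-01T13:45:00,carol,chip,76.00
2017-03-01T22:31:00,bob,keyed,950.00
2017-03-01T22:40:00,bob,keyed,880.00
"""

Row = Dict[str, object]


def parse_export(text: str) -> List[Row]:
    """Parse the CSV export; amounts become floats, everything else stays text."""
    rows: List[Row] = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"timestamp": r["timestamp"], "cashier": r["cashier"],
                     "entry_mode": r["entry_mode"].lower(),
                     "amount": float(r["amount"])})
    return rows


def by_cashier(row: Row) -> str:
    return str(row["cashier"])


def by_hour(row: Row) -> str:
    """Hour of day from an ISO-8601 timestamp (characters 11 and 12)."""
    return str(row["timestamp"])[11:13]


def keyed_share(rows: List[Row],
                key: Callable[[Row], str]) -> Dict[str, Tuple[int, int, float]]:
    """{group: (keyed_count, total_count, keyed_share)} per value of key(row)."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in rows:
        g = key(r)
        counts[g][1] += 1
        if r["entry_mode"] == "keyed":
            counts[g][0] += 1
    return {g: (k, n, k / n) for g, (k, n) in counts.items()}


def flag_outliers(rows: List[Row], key: Callable[[Row], str],
                  max_share: float = 0.20, min_transactions: int = 2) -> List[str]:
    """Groups whose keyed share exceeds max_share. Tiny groups are ignored
    so one keyed sale does not flag a cashier who only rang up two items."""
    return sorted(g for g, (k, n, share) in keyed_share(rows, key).items()
                  if n >= min_transactions and share > max_share)


def keyed_amount_total(rows: List[Row]) -> float:
    """Dollar exposure: the sum of all keyed transactions in the export."""
    return sum(float(r["amount"]) for r in rows if r["entry_mode"] == "keyed")


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    print("cashiers over threshold:", flag_outliers(data, by_cashier))
    print("hours over threshold:", flag_outliers(data, by_hour))
    print("keyed dollars:", keyed_amount_total(data))
```

On the constructed rows the script singles out one cashier and two hours, one of them well after closing time; a cluster of large keyed sales late in the day from a single register is exactly the pattern your processor’s risk team looks for before placing a hold, so it is worth finding it yourself first. Run the same grouping weekly against your real export and keep the numbers, since a rising keyed share over time is as telling as any single outlier.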
6. Switch to EMV Acceptance
If you don’t already have a POS and hardware that accepts EMV transactions, it’s high time you make the switch. No exceptions, no excuses. Yes, it can seem expensive, and yes, the EMV rollout has been rather slow in part because of the backlog on software and hardware certifications. But there are plenty of EMV-certified software and hardware available to merchants. If you’ve been putting off the switch, just get on with it already. It’s one of the most important ways you can protect your business from credit card fraud.
Like I said earlier, it’s a lot harder (not impossible, but very, very difficult) to copy a chip card. That’s why many scammers are moving to CNP fraud. On October 1, 2015, liability for counterfeit-card fraud shifted from the card issuers to “the least-secure party,” which in practice means merchants who are not equipped to accept EMV and process a chip card’s magstripe instead.
Think back to the example I started with, with the antique furniture. Say the person buying the furniture has a counterfeit copy of a chip card. But you, the merchant, only have a magstripe reader. A counterfeit can carry the stripe data but not the chip’s secret key, so at an EMV terminal it could not have produced a valid cryptogram and the issuer would have declined it. Instead, you processed the magstripe transaction, which leaves you entirely on the hook for the whole mess.
The situation would be different if the scammer had used a stolen but genuine EMV card at an EMV terminal. The card itself authenticates correctly in that case, so the chargeback is a lost/stolen dispute rather than a counterfeit one, and liability falls on the card issuer.
If you haven’t already, get EMV-capable card-readers and make sure your POS is EMV certified, too. It’s absolutely worth it, and all of our top-rated merchant providers offer EMV acceptance, as do all of our top-rated mPOS providers.
Conclusion: How Big a Risk is Card-Present Credit Card Fraud?
Realistically, merchants who sell online face a much bigger threat than brick-and-mortar merchants. That is largely due to the EMV liability shift and rollout of chip cards. Unfortunately, even chip cards can’t protect against lost or stolen card fraud. And until EMV market saturation hits 100%, there’s still a threat of accepting counterfeit cards.
Fortunately, you can take measures to protect yourself and your business. Knowledge is power, especially in the payments industry. So read up on your processing contract, the card networks’ rules and guidelines, and the legal matters that affect your industry. Make sure that you keep your POS secure, and don’t overlook simple defenses such as collecting signatures or requesting IDs, and keeping keyed transactions to a minimum. Implementing EMV, if you haven’t already, is one of the most significant ways you can protect your business.
If you’ve got questions, we’d love to answer them! Check out our comment guidelines and then leave your question in a comment. Thanks for reading!