If you’re not worried about small-scale and large-scale fraud, you haven’t been reading the news. Businesses and payment processors do what they can to prevent fraud, and some have very sophisticated anti-fraud systems and tactics; but cyber-criminals, fraudsters and hackers are also constantly updating their skills and activities. At Merchant Broker, we are constantly analyzing the business and payment processing landscapes to stay up-to-date on the most recent fraud tactics and activities — of both the bad guys (fraud perpetrators) and the good guys (fraud preventers).
Here are a few points to keep in mind, and a few actionable steps you can take to prevent disruptions—and worse—to your business. Some are small, daily, staff-oriented things you can do, and some are business-wide tactics you can put in place. All of them are worth your attention.
1. Always Ask for the Security Code (Card-Not-Present Transactions)
The credit card security code is typically a 3- or 4-digit number printed on the back (or front) of the card. It is printed separately, and is not stored on the magnetic strip or embossed on the card. Depending on the card, the code goes by different names, but honest customers who have their card in hand will know how to locate it quite easily. A “client” who does not have the security code for his or her card is giving you a good (although not unequivocal) indication that this is a case of fraud, and that the fraudster does not have the card in hand. This type of fraud is called “card-not-present” fraud, and most often occurs when customers provide information online, over the telephone or on mail-order transactions.
As the business owner, you never actually see the card, and you have no way of verifying that the information is accurate; hence the name “card-not-present.” This type of fraud is popular among credit card criminals, because they can commit the fraud without the risk of going into a store and having to make a purchase themselves with a stolen, altered or counterfeit card.
2. Check the Billing and Shipping Addresses
Although different shipping and billing addresses are not a sure-fire sign of fraud, they can present reason for concern. There are honest people who buy gifts for others, in which case a different shipping address is necessary; but when there is a large order that makes use of two different addresses, there’s no harm in questioning the transaction, and making sure there is a reason for the two separate addresses.
3. Watch the Cards
All credit cards have built-in security features, but there is a wide range of cards on the market, and some of your staff may get fooled into thinking they are dealing with a valid card. Make sure that, at minimum, all your staff members check the basics. This includes making sure the account number and the other numbers on the card have not been tampered with, altered or re-embossed. Make sure the “Valid From” and “Good Through The Last Day Of” dates have not been altered.
Also, ensure that your staff does not accept a card used prior to, or after, these dates. If a customer is asked to sign a payment receipt, compare the signatures—not with a perfunctory look; perform a real inspection of both signatures. If the signatures are different, ask for further verification, and make sure your staff never accept unsigned cards.
4. Use Tracking Numbers and Ensure You Get Signatures
Tracking numbers are used to help prove that packages are shipped and delivered to their intended physical address. Tracking numbers come in useful if you happen to get into a dispute with a customer who denies they received a package, and you’re sure the package arrived safely. In the case of an expensive item, insist on getting a signature upon delivery of the package.
5. Match the IP Address to the Card
For online orders, watch for an overseas IP address that doesn’t match the one connected to the credit card used to make the payment. On some sites you can manually research IP addresses, which is an especially beneficial step when dealing with large overseas orders.
6. Suspicious Email Addresses
Double check the email address; some addresses can give you a pretty good indication that you’re receiving a fraudulent order. Does the email address read something like firstname.lastname@example.org? If so, there’s a good chance the order is fraudulent.
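The online-order checks from points 1, 2 and 5 can be combined into a single screening step that flags orders for manual review. The sketch below is an added example, not Merchant Broker's own code. It assumes a hypothetical Order record, a constructed geo-IP table built on documentation address ranges, an assumed $500 threshold for a "large order", and it reads "match the IP address to the card" as comparing the IP's country with the card's billing country.

```python
import ipaddress
from dataclasses import dataclass

# Constructed geo-IP table (documentation ranges only). A real shop would
# query a maintained geo-IP database here instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("203.0.113.0/24"): "RO",
}
LARGE_ORDER = 500.00  # assumed threshold for what counts as a large order

@dataclass
class Order:  # hypothetical record; field names are assumptions
    amount: float
    security_code_ok: bool  # result reported by the processor; the code itself is never stored
    billing_address: str
    shipping_address: str
    billing_country: str
    client_ip: str

def ip_country(ip):
    """Return the country for an IP from the constructed table, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None

def normalize(address):
    """Collapse case, punctuation and spacing so trivial differences do not count."""
    cleaned = "".join(c if c.isalnum() else " " for c in address.lower())
    return " ".join(cleaned.split())

def review_reasons(order):
    """Return the reasons this order should be held for manual review."""
    reasons = []
    if not order.security_code_ok:
        reasons.append("no security code")
    differs = normalize(order.billing_address) != normalize(order.shipping_address)
    if differs and order.amount >= LARGE_ORDER:  # small gift orders pass
        reasons.append("large order with different shipping address")
    country = ip_country(order.client_ip)
    if country is None:
        reasons.append("IP country unknown")
    elif country != order.billing_country:
        reasons.append("IP country differs from billing country")
    return reasons
```

An empty list means none of the three checks fired; any entry is a reason to question the transaction, not proof of fraud.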
7. Keep Your Website Secure
Make sure you pay attention to the safety and security of your entire website, not just the individual transactions that are fulfilled. Start-ups and small businesses, and sometimes medium-sized businesses that have lax security, are seeing an increase in the number of fraudulent attacks. The reason is simple: smaller businesses often don’t have the security resources that large corporations do. As a primary measure, make sure that your services and systems are PCI-compliant. Some e-commerce sites make use of a security service (often marked by a “trust” or a “verified” logo), which performs daily scans for malware and other system vulnerabilities.
This type of service increases your likelihood of warding off fraudsters. These security services may also give your legitimate customers more confidence that you’re providing additional levels of safety and security. Your e-commerce service may also make use of advanced, integrated, regularly updated security measures as part of your regular service with them. Ask them if they do. If so, it’s beneficial to advertise that service or level of security on your website as well. Once again, we recommend doing whatever you can to ward off the fraudsters and increase the confidence your honest customers have in your business.
8. Secure Your Transaction Data
Any and all data you collect and send over networks or into the cloud should be encrypted. Make sure you do not store data on any of your systems – paper or electronic – that is not immediately required. When you’re finished processing the data, destroy it in a secure fashion so that it can never be used by anyone, including your current employees. If you do think your data has been stolen or compromised, report this to your payment provider immediately.
9. Secure Your Staff
If you’re in the retail space, your business is only as secure as your employees make it. Ensure that your staff never give out transaction information or other data over the phone. Unless they initiate a call, and know exactly who they’re talking with, the rule is simple: no numbers, no data and no transaction information is ever to be given out over the phone. In order to help protect your customer account data, make it a general rule to only give such access to employees on a need-to-know basis. Then take steps to provide the necessary training to ensure that your employees know they are handling sensitive information. This training should include teaching them to recognize potential fraudulent activities, and ensuring that they have a quick and efficient way to report any suspicions they may have. Whenever an employee leaves, or is fired, immediately revoke all their network and system access privileges.
10. Watch for Skimming
The term “skimming” refers to any fraudulent activity related to capturing account information from the magnetic strip of a debit or credit card in order to make a counterfeit card. Personal Identification Numbers – or PINs – can also be stolen. Here are a few steps to preventing skimming:
- Make sure you inspect your Point Of Sale (POS) and mobile Point of Sale (mPOS) equipment regularly. This includes any cables, wires, serial numbers, and the machine itself. Payment machines can sometimes get switched when you’re not looking.
- If the equipment looks compromised in any way, or unfamiliar, contact your payment provider immediately.
- Check the area around the location of your transactions in order to make sure there are no cameras in the vicinity.
- Ensure that your customers have enough room to conceal the pad when entering their PIN, and make sure your security cameras don’t capture customers entering their PINs.
- Never enter a PIN for a customer, even if asked to do so.
- Lastly, make sure the customer receives their receipt.
11. Other Unusual Things to Watch For
Sometimes fraudsters give away their intent through suspicious activities. We therefore recommend training your employees to watch for customers who:
- Make random purchases without real concern for price, size or style
- Buy a large number of expensive items
- Charge expensive items, or a large number of items, on a newly valid card
- Buy large items such as gaming devices, TVs or stereo systems, and then want to take the purchase with them, even when delivery is included in the price
- Are able to provide multiple cards to make a purchase after the first card (or two) is declined
- Cannot provide photo ID if requested
These fraud-prevention measures will not catch all possible swindlers, but they are a great start.
Remember: When it comes to customers you don’t know, or who have no history with your company, a bit of caution and a few simple security measures can save you major headaches down the road.