Skip To The Main Content

Card Fraud: How Do I Protect My Business?

  • 06 June 2019

Card use in the UK hit a tipping point in 2017, with debit card payments surpassing cash for the first time.[i] While businesses are right to embrace digital transactions to meet customer expectations and streamline the experience at the till, there are new risks in the form of card fraud. Card-not-present (CNP) fraud, including phone and mail order as well as web-based scams, climbed 24% year-on-year to exceed £506m in 2018, with over two million cases recorded, a 47% rise from 2017.[ii]

Fortunately, there are things small business owners can do today to reduce risk in this space, even as fraudsters continue to adapt and evolve their techniques.

What are the risks?

Excessive payment fraud could lead to monetary losses and impact customer confidence, potentially driving churn.

While your liability is reduced in the event a cardholder-present transaction is disputed, the same is not necessarily true of CNP transactions. You will be liable for mail and telephone order (MOTO) transactions if they are disputed by the authorised cardholder, for example. And if your website doesn’t utilise 3D secure authentication checks you may also be liable for disputed transactions online. In fact, new ‘strong customer authentication’ rules brought in by  PSD2 and which aim to reduce online fraud  mean that  online retailers accepting payments must use 3D Secure for cardholders in the EEA from 14 September 2019.

Fraudsters are looking to take advantage of the fact that, in a CNP scenario, you’re not able to physically check the card or meet the cardholder. They want to use stolen details to obtain goods for resale. While you don’t want to deny any legitimate purchases, it’s important to monitor closely for fraud. In the event a fraudulent transaction is approved, your business not only loses a sale and any associated products, but it will also be required to reimburse the chargeback amount for the legitimate cardholder.

Some common scams

CNP fraud accounted for 76% of total fraud losses in 2018 versus 61% in 2009.[iii] Here are some common tactics:

  • Sometimes a fraudster will make a payment over the phone or online using a compromised card and then request to collect the goods via a courier service, or friend/relative. This is because their address doesn’t match the legitimate cardholder’s.
  • Often the payment is for a large order — possibly larger than you’d normally accept — and sometimes split over several cards.
  • Also, be aware of last-minute changes to the delivery address and requests to send items to hotels, guest houses or PO boxes.
  • Be aware of scams in which your business may be approached to with a ‘business opportunity’ to process transactions on behalf of a third-party through your terminals, in return for a cut of the funds.
  • Fraudsters may also contact your business claiming to work for your payment service provider (PSP). They may claim there’s a problem with your terminals and request card transactions be processed via the phone with their ‘operatives’ – including full details.
  • They might even send an ‘engineer’ who arrives unannounced and requests previous card transaction details to perform ‘checks’ on the machines.
  • In a face-to-face environment, fraudsters may even try to bypass chip and PIN and magstripe checks by using damaged cards.

What can I do?

To reduce the risk of fraud losses, always follow the prompts on your terminal, train staff regularly in anti-fraud measures, and follow your instincts. If something seems dubious, it probably is. That could mean:

  • Multiple cards being used for one payment
  • Orders way above your usual transaction amount
  • Customers with multiple delivery addresses
  • Requests for collection via a courier
  • Multiple declines on different cards

Remember, card authorisation doesn’t mean a transaction is fraud free, merely that the card hasn’t been reported lost or stolen and that there are funds in the account. Any customer insisting on collecting items in store should produce the card used. You should cancel the original CNP transaction and process a new chip and PIN sale.

Implement 3D Secure authentication checks on your website to reduce online fraud and liability and comply with PSD2, and partner with a PSP that runs its own fraud checks in the background for every transaction. Address Verification Service (AVS) and Card Verification Code (CVC) — also known as CVV, CSC or CVV2 — are also useful checks to make for CNP transactions.

I’ve been hit, what next?

If the worst happens and you are hit by fraud but have been unable to recover your money, report it to Action Fraud, the National Fraud & Cyber Crime Reporting Centre. This will provide you with a Crime Reference Number (CRN) which will enable the police to look into the case. That same CRN will allow you to update the report with any new information.

Action Fraud also has a list of resources designed to help businesses protect their revenue and reputation, and streamline the reporting process.

With fraud losses on the rise, it pays to stay alert in order to protect your business profits and reputation. But if you do get hit, reporting it will at least ensure the authorities gain a clearer picture of fraud patterns up and down the country. This improved insight will help us all in the long run.