Card use in the UK hit a tipping point in 2017, with debit card payments surpassing cash for the first time.[i] While businesses are right to embrace digital transactions to meet customer expectations and streamline the experience at the till, there are new risks in the form of card fraud. Card-not-present (CNP) fraud, including phone and mail order as well as web-based scams, climbed 24% year-on-year to exceed £506m in 2018, with over two million cases recorded, a 47% rise from 2017.[ii]
Fortunately, there are things small business owners can do today to reduce risk in this space, even as fraudsters continue to adapt and evolve their techniques.
What are the risks?
Excessive payment fraud could lead to monetary losses and impact customer confidence, potentially driving churn.
While your liability is reduced in the event a cardholder-present transaction is disputed, the same is not necessarily true of CNP transactions. You will be liable for mail and telephone order (MOTO) transactions if they are disputed by the authorised cardholder, for example. And if your website doesn’t utilise 3D secure authentication checks you may also be liable for disputed transactions online. In fact, new ‘strong customer authentication’ rules brought in by PSD2 and which aim to reduce online fraud mean that online retailers accepting payments must use 3D Secure for cardholders in the EEA from 14 September 2019.
Fraudsters are looking to take advantage of the fact that, in a CNP scenario, you’re not able to physically check the card or meet the cardholder. They want to use stolen details to obtain goods for resale. While you don’t want to deny any legitimate purchases, it’s important to monitor closely for fraud. In the event a fraudulent transaction is approved, your business not only loses a sale and any associated products, but it will also be required to reimburse the chargeback amount for the legitimate cardholder.
Some common scams
CNP fraud accounted for 76% of total fraud losses in 2018 versus 61% in 2009.[iii] Here are some common tactics:
What can I do?
To reduce the risk of fraud losses, always follow the prompts on your terminal, train staff regularly in anti-fraud measures, and follow your instincts. If something seems dubious, it probably is. That could mean:
Remember, card authorisation doesn’t mean a transaction is fraud free, merely that the card hasn’t been reported lost or stolen and that there are funds in the account. Any customer insisting on collecting items in store should produce the card used. You should cancel the original CNP transaction and process a new chip and PIN sale.
Implement 3D Secure authentication checks on your website to reduce online fraud and liability and comply with PSD2, and partner with a PSP that runs its own fraud checks in the background for every transaction. Address Verification Service (AVS) and Card Verification Code (CVC) — also known as CVV, CSC or CVV2 — are also useful checks to make for CNP transactions.
I’ve been hit, what next?
If the worst happens and you are hit by fraud but have been unable to recover your money, report it to Action Fraud, the National Fraud & Cyber Crime Reporting Centre. This will provide you with a Crime Reference Number (CRN) which will enable the police to look into the case. That same CRN will allow you to update the report with any new information.
Action Fraud also has a list of resources designed to help businesses protect their revenue and reputation, and streamline the reporting process.
With fraud losses on the rise, it pays to stay alert in order to protect your business profits and reputation. But if you do get hit, reporting it will at least ensure the authorities gain a clearer picture of fraud patterns up and down the country. This improved insight will help us all in the long run.
[i] BBC, https://www.bbc.co.uk/news/business-44496513
[ii] UK Finance, https://www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202019%20-%20FINAL%20ONLINE.pdf
[iii] UK Finance, https://www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202019%20-%20FINAL%20ONLINE.pdf