Credit Card Fraud Protection for Merchants: How to Lower Risk

Retail credit card fraud isn’t fair, but it’s sadly a problem retailers can’t afford to ignore. 

The 2023 Credit Card Fraud Report from Security.org found that:

• 65% of credit card holders have been victims of fraud at some point in their lives
• 44% of credit card uses have reported multiple fraudulent charges
• A small, but still significant, number of credit card users had recurring fraudulent charges from the same merchants

It seems fraudsters are always finding new ways to make credit card transactions for criminal gain. To bring you up to speed, this article will explore:

• What is credit card fraud?
• What causes credit card fraud?
• What happens after retailers suffer credit card fraud?
• Who pays when retailers are victims of credit card fraud?
• How to prevent credit card fraud
• How to report credit card fraud

What is credit card fraud? 

Credit card fraud happens when a lost card or stolen card details are used to make unauthorized purchases. 

Fraudsters can steal credit card numbers and expiration dates and then use this information to buy products over the phone or online. Organized fraudsters are also known for interfering with payment terminals or ATMs to acquire credit card information, which they then use to build counterfeit cards. 

What causes credit card fraud?

“Credit card fraud typically occurs when retailers lack a strong detection plan, both in terms of shopper behavior and on their payment processor,” said Brigitte Hodge, a retail export at Fit Small Business. 

“Retailers can look out for things like damaged cards, agitated shoppers, avoidant behaviors around signing the receipt, signature discrepancies between the card and receipt and unusually large purchases to help detect fraud before it happens,” she added.

Credit card theft: how it happens and leads to fraud

The most straightforward, though not always the most common, cause of credit card fraud is theft. Fraudsters steal either a physical card or the information on a card, then use that information to make purchases. Someone may not even be aware they’ve been the victim of theft until the fraudulent charges come through.

Lost or stolen credit cards or mail

Maybe a wallet was set down somewhere it shouldn’t be. Maybe someone went through your mail. Maybe you left your card behind in a store, or were even mugged—your credit card is gone, and unless you put a stop payment on it immediately, you might have fraudulent charges coming your way.

This kind of theft is not a very sophisticated way of performing credit card fraud, and is far more likely to be detected early compared to other methods. Still, since it is a risk, you should always train employees to ask for ID and cross reference it against the name on the card. 

Credit card skimming

Despite the widespread use of tap and chip cards, the practice of credit card skimming continues. Skimming costs victims up to $1 billion a year.

Skimmers are devices that steal information from a credit card’s magnetic strip. Scammers often install these devices in ATMs at retail stores and gas stations. The information is then sold to other scammers or used to create charges on the card.  

Social engineering: what it means and how it causes card fraud 

Many instances of credit card fraud are caused by something known as social engineering.

Social engineering attacks are scams that trick unsuspecting victims into divulging personal information to thieves; these include email scams known as phishing, phone scams known as vishing, and text message scams sometimes known as smishing.

“Social engineering frequently involves persuading people to violate standard security processes and best practices to gain unauthorized access to systems, networks, or physical location or to earn a financial advantage,” said Kathryn McDavid, CEO of Editor’s Pick, a beauty and wellness ecommerce company.

Malware

One of the most common social engineering attacks in retail is malware, according to Morgan. “The attacker visits a retail store disguised as a customer or as an interviewee and leaves behind a USB. Unknowingly, an employee tries to find the owner of the USB by plugging it into the store computer,” he said.

The malware is then automatically installed onto the computer without the employee ever finding out. “The hacker’s attack begins the moment the USB is seen by an unsuspecting worker,” said Morgan.

Phishing attacks

The most well-known social engineering approach is phishing. 

A phishing assault motivates its victims to act by sending them an email, a website, a web ad, a webchat, SMS or a video. Phishing attacks can imitate a bank, delivery service, or government agency or they might imitate a specific department within the victim’s firm, such as HR, IT or finance.

A call to action is included in phishing attack emails, that asks the victim to visit a fake website or click on a malicious link that includes malware.

What happens after retailers suffer credit card fraud?

If your store is breached and sensitive credit card information is stolen, you may be held liable. And that can mean:

• Fines from card associations
• Forensic investigation
• Banks recouping re-issuing costs
• Litigation and government fines

The most common result of credit card fraud is a chargeback, according to Mike Cannon of Chargeback Gurus. “When the victim discovers the fraud and contacts their bank, the bank may hold the merchant liable for the fraud, especially if it was an online purchase. The funds will be taken out of the merchant’s account and they will be charged an additional fee.” 

Who pays when merchants are victims of credit card fraud?

If your business ends up as the victim of credit card fraud, bad news: you might be on the hook for the cost.

The credit card owner is rarely the one who ends up having to pay fraudulent charges. Banks and/or merchants have to cover them instead. 

As a merchant, you’re more likely to have to foot the bill if:

• It was a card not present transaction
• You’re using a swipe terminal instead of a newer chip and pin one

Banks are more likely to have to pay if it was a card present transaction and your business is using the most up to date payment terminals.

Beyond just monetarily, fraud costs you your good reputation with processors and banks. Chargebacks due to fraud can contribute to your chargeback rate—your total chargebacks per month divided by your total transactions per month. If this rate gets too high, you’ll be labeled a high risk merchant and have a hard time dealing with most payment processors.

That’s why it’s important to invest in preventing credit card fraud.

How to prevent credit card fraud as a merchant

To stop this from happening, retailers need to address the most avoidable cause of credit card fraud: inadequate fraud prevention tools. Here are some steps you can take. 

1. Train retail staff about fraud

Most people think credit card fraud only happens online, but they’re just as frequent offline. “It is best to train your entire staff on fraud detection and take cyber security measures as credit card fraud can seriously impact your business’s bottom line,” said Hodge.

When accepting a credit card, there are some essential processes to follow. Staff should verify the cardholder’s identity by comparing the credit card to the sales receipt:

• Check if there is a match between the signature on the credit card and the signature on the sales receipt.
• Check if the credit card’s last four digits match the last four digits listed on the sales receipt. This is the most reliable method of detecting a tampered (counterfeit) card. Experienced fraudsters may have a matching identity to go along with the credit card, so if these numbers don’t match, you know it’s a fake. 
• Tell the person you need to call for authorization—at this point, the fraudster will likely realize they’ve been caught and will leave the store.

But it’s often just as much about the purchase, as the person making it. 

2. Halt suspicious purchases

“Certain items are more vulnerable to fraudulent credit card purchases than others,” said Adam Wood, co-founder of Revenue Geeks, which helps ecommerce businesses understand their fulfillment by Amazon (FBA) options. 

“Jewelry, video and stereo equipment, computer hardware, shoes, and men’s clothing tend to be vulnerable to credit card fraud. That’s because they are things that are easily resold,” he said. 

• Tell your staff to be wary of transactions involving many fraud-prone items (such as two tablets, three gold chains and so on). 
• Keep an eye out for transactions with large dollar amounts—a transaction value that is significantly higher than your average transaction value is a tell-tale sign. 

Although not all high-dollar-value transactions are fraudulent, they should be investigated.

3. Use PCI-compliant payment processors

• The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard designed to aid financial organizations in securely processing card payments and reducing fraud. 
• PCI DSS was established by the PCI Security Standards Council (SSC) to protect cardholder data. 
• Every retailer who accepts card transactions must adhere to these standards in order to do business with credit card companies, banks and payment processors.

“Compliance with PCI DSS ensures all companies that accept, process, store or transmit credit card information maintain a secure environment by requiring card processors to meet a set of security standards and rules,” said Hodge. 

4. Use the right point of sale hardware

In addition to training your staff on signs of fraud, it is also important to have a payment processor that includes fraud detection and prevention measures, she added. 

“These include address verification, two-factor authentication, card verification value (CVV), device identification, large purchase flagging and payer authentication.”

Integrate your POS setup

Software matters, which is why it might be a good idea to consider integrating your point of sale with your payment processing and accounting software. 

A POS system integrated with Lightspeed Payments will be secured with PCI compliance and end-to-end encryption, giving you a layer of protection against fraud in your stores. Secure payment providers like Lightspeed also offer 24/7 server security monitoring. 

(As a bonus, integrated payments cut down on the potential for human error when processing payments, as the terminal and point of sale automatically communicate without any manual input.) 

Integrated payments don’t just help in person. They’re useful for combating fraud online as well.

“In ecommerce, payment processing software that includes even the most basic fraud checks can spot many low-effort fraud attempts, such as stolen credit card numbers without the correct billing address,” said Cannon.

5. Accept EMV payments

“Payment processing software and hardware can certainly minimize the risk of credit card fraud,” according to Christopher Morgan, CEO at Credit Help Info. 

“Retailers must switch to EMV acceptance. This will reduce their risk of fraud and shift liability away from them. They should also transition to contactless payments and tokenization, which help secure a customer’s data through encryption.”

Cannon agrees. “Using payment terminals that can read EMV chips will eliminate many of the older, easier methods of credit card fraud,” he said.

How to report credit card fraud as a merchant

Sometimes, despite your best efforts, the worst happens. Here are the steps involved with reporting credit card fraud as a merchant.

1. Contact your payment processor 

If you suspect a fraudulent transaction has taken place in your business, contact your payment processor with as many details as possible. 

Chances are, if a fraudster has successfully used a card in your business, your payment processor will catch the fraud or the chargeback request before you do—in which case, they’ll reach out first and let you know what you need to do.

2. Contact your legal counsel

Let your legal counsel know your business has been the victim of fraud. If there’s anything extra you need to do or watch out for, they’ll let you know.

3. Contact the police

Finally, if advised, contact police local to the location that was defrauded and let them know what happened. 

Stay one step ahead of fraudsters

Modern payment processing software and secure POS hardware can be key lines of defense against credit card fraud. 

Talk to an expert to learn more about Lightspeed Payments, a modern, secure payments solution that integrates seamlessly with a retail commerce platform designed to save you time running your business.