How retailers can stay ahead of constantly emerging credit card fraud threats

If there was such a thing as true deterrence to cybercrime and credit card fraud, criminals would just give up. The problem is, there isn’t a tried-and-true way to eliminate the threat—as soon as a possible solution to one method of attack emerges, criminals simply change tack and try another modus operandi. It’s a problem for every industry, but credit card fraud specifically is a big and growing problem for retailers in particular.

According to a LexisNexis study, retailers paid $3.13 for every dollar lost to credit card fraud, on average in 2019—a 6.5 percent year-over-year increase. For retailers of all kinds and sizes, from convenience stores and gas stations to department stores and supermarkets, credit card fraud risks their profitability, reputation and, potentially, even their business viability.

The good news: Retail technology providers have had plenty of practice developing a wide range of countermeasures that are catching up to criminal threats faster every day.

Below, we discuss the risks, challenges and resources available to combat credit card fraud.

This type of credit card fraud, which involves physical credit cards, comes in many forms that can originate from outside or inside the retailer’s store:

• Lost or stolen cards (fraud occurs ‘outside the business’ even when a customer finds a lost card and doesn’t try to return it, or steals it from another customer at a retailer’s location).
• ‘Account takeover,’ i.e., A cardholder unwittingly gives their account information, such as their card number or home address, to a criminal, who then contacts the cardholder’s bank, reports a lost card and change of address, and obtains a new card in the soon-to-be victim’s name.
• Counterfeit cards, i.e., ‘cloning’ a card from another and then using the clone to make purchases
• ‘Never received’—A new or replacement card is stolen from the mail and never reaches its rightful owner.
• Fraudulent application—A criminal uses someone else’s name and information to apply for and obtain a credit card from a bank.

• Malware—Criminals install malware on a retailer’s POS system software
• ‘Multiple imprint’—A single transaction is recorded multiple times on an older credit card imprint machine known as a ‘knuckle buster.’
• Collusive retailers, i.e., employees conspire with criminals to defraud banks.

Card-present fraud criminals target some types of retail businesses for credit card fraud more than others:

• Grocery stores and supermarkets
• Electronics stores
• Miscellaneous and specialty retail stores
• Department stores
• Shoe stores

CNP fraud involves internet, phone and mail-order transactions or activity. The actual fraud occurs after criminals steal card information by hacking, skimming or phishing. Predictably, this category of credit card fraud has begun to outpace card-present fraud in recent years as e-commerce transaction volume has proliferated.

According to a 2018 study by the Federal Reserve, the amount of card-present fraud in the U.S. declined from $3.68 billion in 2015 to $2.91 billion in 2016, while the amount of card-not-present fraud jumped from $3.4 billion to $4.57 billion during the same period. Also, a study by Javelin Strategy & Research the same year revealed that CNP fraud is now 81 percent more likely to occur than card-present fraud.

Hacking appears to offer criminals the greatest potential to steal massive volumes of credit card information at one time. Having achieved this, the criminals can make the data, such as card numbers, available on the so-called dark web. Due to their widespread adverse impacts on both cardholders and retailers, the largest credit card data breaches in history have received a great deal of publicity in recent years.

A major objective of credit card data theft is identity theft, a crime that exponentially increases the impact of credit card fraud on victims. It’s possible for a perpetrator of identity theft to literally steal most of what a victim owns or earns. Besides possibly ruining consumers financially, identity theft has the potential to greatly increase retailers’ liability.

Retailers that offer online transactions cannot even expect the issuing bank to cover the charge-back fraud, also known as friendly fraud. If they install chip readers to read chip-enabled cards issued by the bank and get signatures for transactions and fraudulent charges still occur, the bank must cover charge-backs. The same security measures are not in place for CNP transactions, so the retailer, not the bank, must refund the amount of the fraudulent transaction.

Credit card companies offer some early-warning protection for fraudulent activity in retailer accounts. They detect fraud by monitoring accounts for unusual activity, e.g., amounts charged, stores and locations where purchases are made, etc. Each card issuer uses increasingly sophisticated fraud detection algorithms to monitor massive amounts of credit card number data collected from millions of cardholders. The detection of suspicious charges triggers a fraud alert and the card issuer contacts the cardholder via phone or, increasingly, texts to verify the transactions.

It’s also possible to use customer data including credit card numbers to mitigate credit card fraud risk—a form of fraud detection. Predictive analytics systems use the data to predict possible fraudulent activity.

But consider credit card fraud detection a last line of defense and instead prioritize implementing tools that offer fraud protection. Doing so not only will enable you to avert potentially costly fraud—your brand will also establish a reputation for safe commerce and low potential as a staging ground for identity theft.

That reputation is important to consumers who, though protected against fraudulent charges, have legitimate concerns about the security of their financial information. In a given case of fraud, the credit card company, the bank or possibly the retailer is liable for charges beyond the $50 maximum for cardholders.

Protect them and your business by investing in fraud prevention tools and strategies, like the below.

Minimizing card-present fraud involves making a conscious effort to adhere to procedures and invest in enhanced fraud mitigation solutions:

• Read your contract and understand your card acceptance requirements. Among the major credit card companies’ merchant contract requirements are security measures you are expected to take and procedures to follow in cases where cards or transactions appear fraudulent.
• Switch to EMV acceptance. On October 1, 2015, liability for fraudulent inside-the-store chip card transactions shifted from the banks to “the least-secure party,” i.e., retailers who haven’t upgraded their systems to accept EMV transactions.
• Gas stations will assume liability for fraudulent pay-at-the-pump transactions after the deadline for EMV compliance passes on April 17, 2021. Upgrading their outdoor fuel payment terminals with EMV-compliant solutions like OPTIC combat card-skimming and tampering in real time, drastically improving fraud prevention.
• Use data encryption and tokenization. By encrypting data on the sender’s system and enabling only the recipient to decrypt the data, end-to-end encryption (E2EE) prevents third parties from accessing the data. Tokenization replaces customers’ primary account numbers with a unique, transaction-specific number.
• Accept payments via emerging digital technologies. One example is contactless, aka tap-and-go cards, which rely on tokenization. As a result, they improve security while offering greater transaction speed, choice and convenience. Also, mobile payments and digital wallets, which use mobile phone apps for payments, are more secure than physical credit cards.
• Keep your POS software and hardware regularly updated for security patches and bug fixes. Frequently check your payment terminals and PIN pads to ensure that hard-to-detect skimming devices are not installed. Also, make sure your anti-malware is up to date for your POS systems and check with your payment systems vendors to ensure their systems comply with the Payment Card Industry Data Security Standard (PCI DSS).

Card-not-present fraud is any fraudulent transaction that takes place when the criminal and card are not physically present in the store. This can include online, mobile and social shopping, phone orders and mail-order purchases.

• CNP fraud prevention requires more processes to verify the cardholders are who they claim to be. Consider the following steps:
• Request extra authentication. KYC, i.e., a ‘Know Your Customer’ verification process, comes in multiple forms including email analysis, IP analysis and device fingerprinting. If these measures uncover red flags, use additional authentication measures, such as ID verification, two-factor authentication (2FA) or credit card preauthorization.
• Collect appropriate customer information, which can include credit card information like CVV code, billing address, information about the device used to log in, IP address and phone number.
• Use data enrichment. This process uses dedicated tools to instantly aggregate data points used in external sources, e.g., an email address used for social media profile registration.
• Follow data protection best practices. PCI DSS dictates the use of online security tools such as SSL, especially on pages that collect sensitive information such as card numbers, social security numbers and addresses. Also, encrypt data as efficiently as possible.
• Be vigilant for unusual behavior. The most common red flags include unusual numbers of charge-back requests, hundreds of login attempts on one account, mass password reset requests and use of the same IP or device by multiple customers.

Watch for very small transactions. Occasionally, criminals test a card with very small purchases before buying more expensive items with it.

There’s no doubt, credit card fraud is a sophisticated threat to your retail business, and no sector is immune, whether supermarkets, department stores or gas stations. Think of it like a chronic illness with no cure: you have to remain vigilant, educated on the risks and keep learning as much as you can about new, more powerful treatments that are emerging all the time. Fraud protection must be one of your top priorities. Your business’s future—and your customers’—depends on it.