Fraud is always evolving. As the payments industry grows and changes, so also do the tactics used by fraudsters to steal money. Whether in person or online, merchants must take a firm stance on fraud prevention. At the end of the day, stopping fraud in its tracks does not just help the targeted business, it keeps criminals from potentially cycling through multiple businesses and individuals.
To learn more about how to prevent fraud within the payments industry, and to provide education on fraud prevention, detection, and investigation, PaymentsJournal sat down with Carol Sawyer, Vice President of Risk Management at Agile Financial Systems (AFS), and Don Apgar, Director of Merchant Services Advisory Practice at Mercator Advisory Group.
Fraud: the state of the union
Fraud is a global issue. Where once fraudsters might have needed to act locally, the digital reach of the internet has exposed targets everywhere. “Perps have moved to online primarily,” said Sawyer, “so we’re constantly challenging ourselves to look for risk filters and rules to apply to all our merchant services processing to make sure that we’re protecting our merchants.”
Whether fraudsters are operating in person by card-present transactions or online by card-not-present (CNP) transactions, one of the fraudster’s early steps is card testing. “Fraud perps don’t always know what type of business they’ve infiltrated, so they are testing different MCC or SIC codes,” Sawyer explained. “They are trying to test and get authorizations to make sure that the stolen cards they have are still valuable.”
Before EMV chip cards became prevalent, fraudsters would manufacture fake cards with stolen credentials and make an initial small purchase. “That’s how they would see if the card was good, but chip cards have pretty much shut that down,” noted Apgar. “Now they have no choice but to use an e-commerce website to try to test cards.”
As a result of enormous data breaches in recent years, there are an abundance of stolen credentials for sale on the dark web, and those credentials are often inexpensive to acquire. Once criminals verify that the cards are active, they will run up huge amounts of credit on the card. Catching fraudsters in the testing phase is key to preventing the more substantial high-volume fraud from taking place.
How merchants can protect themselves
Fraud does not seem to be slowing down any time soon. “[Fraudsters] are constantly evolving and getting smarter,” Sawyer pointed out. “We need to do the same.” One of the strongest moves a merchant can make is to engage with AFS, which runs over 30 risk rules against all merchant processing and maintains thresholds that operate seamlessly behind the scenes.
“Merchants get nervous when you bring up, ‘Oh, I’m going to put a cap on the amount of transactions you can do a day,’” Sawyer clarified. “But that’s not what we do… you’re always going to have fluctuations in valid merchant processing… so you build in a little bit of cushion, so that there’s a protection layer or safety net.” AFS dives deep into the analytic history of each account. That way, if a merchant routinely sees an average of 100 transactions per day at an average ticket price of $25, anything significantly above those thresholds will be flagged so AFS can step in to check for fraud.
Card-not-present merchants should also watch their authorization data. Fraudsters will write codes or program bots to rapidly make test purchases on their stolen credentials. “You’ll see authorizations within seconds of each other, and it’s boom, boom, boom, boom – those are not valid sales,” said Sawyer. CNP merchants are much more susceptible to these types of fraud, but website controls can mitigate the damage. In addition to keeping an eye on high velocity purchases, CNP merchants should also:
- Utilize the Address Verification Service (AVS)
- Check CVV2 codes
- Track MCC and SIC codes
Conversely, card-present merchants should ask their processors to turn off the internet functionality of their payments terminals via the SSL socket layer. “If you’re a face-to-face business, you don’t need to have the internet open,” advised Sawyer. Obviously, online merchants rely on the internet to function, but if it is an unnecessary hookup, those connections will only serve as additional channels through which criminals can perpetrate fraud. On top of that, card-present merchants should always be swiping or using the chip card rather than keying in transactions, which runs a much higher risk.
Balancing customer experience and robust safeguards
When looking to implement fraud prevention tactics, one of the primary merchant concerns is that the added layers of security will add friction to the checkout process. “It’s kind of the Holy Grail, especially in e-commerce, to try and make the transaction as easy as possible for the consumer, to minimize cart abandonment, and maximize conversion rates,” Apgar elaborated. “Those objectives are always at odds with fraud prevention … you always want those [solutions] to run in the background and not be off-putting to the consumer.”
AFS runs seamlessly, sliding in easily between the customer and merchant ends of the transaction without affecting processing activity; data is scrubbed after the cardholder sale goes through, but before it is settled with the merchant. “The cardholder experience is very positive, and the merchant experience should be very positive too,” said Sawyer. If merchants remain vigilant on their end, with AFS watching out for them behind the scenes, fraudsters will be dead in the water.
Finally, it is worth noting that AFS is available 24/7 for merchants to call with any questions or concerns. Setting up multi-layered fraud protection means that merchants are keeping an eye on several different key pieces of information – and AFS is there with support at every crucial juncture. “Within 30 seconds, customer service will typically answer the phone or get in touch with us,” Sawyer concluded. “We’re here for the win-win.”