11 ways to stay on the front foot of fraud
Every business needs to be aware of and prepared for fraud. From chargebacks to Funds Transfer Fraud, it’s important for merchants to refresh their knowledge. Here are eleven ways to stay on the front foot.
- Understand “Chargebacks”
- Know the meaning of “Authorisation”
- Never refund to an alternative card or by another payment method
- Protect payment card data at all times and avoid Account Data Compromise (ADC) events
- Never process payments for others
- Avoid Funds Transfer Fraud
- Avoid authentication by-pass techniques
- Safeguard your EFTPOS machine
- Know the risks of Mail Order/Telephone Order (MOTO) hand-keyed transactions
- Know the risks of eCommerce transactions
- Avoid card testing
1. Understand “Chargebacks”
The chargeback framework provides a process for cardholders to dispute transactions processed by merchants, most commonly because their card was used without their consent or the merchant didn’t provide the goods and services the cardholder expected.
There are two main types of chargeback – fraud chargebacks and non-fraud chargebacks.
Fraud chargebacks occur where the cardholder claims that their card was used without their consent. The merchant must then prove the cardholder, and not another person in possession of the card or card details, initiated and completed the transaction.
Non-fraud chargebacks happen where the cardholder claims that the merchant did not provide goods and services as described. The merchant must then prove the goods and/or services were provided in accordance with the agreement between the two parties.
For eCommerce merchants, it is particularly important to ensure that Tyro website requirements are met and all appropriate information is made available to cardholders when making payments. Further information on Tyro website requirements can be found here
Chargebacks are managed in accordance with the regulations set by each card scheme, for example Mastercard and Visa, and they make the ultimate determination of financial liability. Where the regulations permit, Tyro will take steps to defend chargebacks and seek to shift liability from our merchant to the cardholder.
Tyro’s Chargebacks Guide can be found here
2. Know the meaning of “Authorisation”
The authorisation process undertaken by an EFTPOS machine or eCommerce solution confirms that the card used in the payment transaction has not been blocked by the card issuer and has sufficient funds to cover the transaction value.
Authorisation may return an “approval”, however this does not mean that the card is being used by the genuine cardholder, and this is an important consideration when processing Mail Order/Telephone Order (MOTO) and eCommerce transactions. Chargebacks may still be received, even when authorisation/approval is provided.
3. Never refund to an alternative card or by another payment method
When providing refunds, only refund to the card used in the corresponding payment transaction and never provide a refund for more than the value of the corresponding sale.
If a merchant processes a payment on a card and then refunds to a different card or by another payment method such as a bank transfer, the different card or other payment destination has immediate access to the funds and a chargeback may be received against the card used in the corresponding payment transaction, leaving the merchant out-of-pocket.
Before refunding card present transactions, always check the value of the transaction on the EFTPOS paper receipt and never refund to a value above this amount.
FRAUD TREND ALERT: Cash Refunds
There has been an increase in fraudsters pressuring merchants for cash refunds, as well as refunds onto a different card than the one used to make the corresponding payment. It’s important to be vigilant and we encourage you to insist on refunding to the card from which the corresponding payment was made.
4. Protect payment card data at all times and avoid ADC events
An Account Data Compromise (ADC) event occurs when a third party gains unauthorised access to card data held in a physical and/or electronic form. This stolen card data may then be used to commit fraud.
ADC events can be detected in different ways, with the most common way being via a Common Point of Purchase (CPP) event. A CPP occurs when card issuers detect abnormal levels of fraud activity on their cards and triangulate this fraud to a common identifier, for example a specific merchant facility. When CPP events are observed, card issuers and/or card schemes will notify Tyro and require steps to be taken depending on the context.
ADC events have broad-ranging impacts on the compromised merchant, cardholders, acquirers and card issuers, and damage the brand and integrity of the card payments ecosystem. Depending on the nature and extent of the ADC, the card schemes may require a forensic investigation to identify the cause of the compromise and the amount of card data that has been placed at risk. Once an ADC event has been contained, Tyro will prescribe the steps the merchant must take to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance and/or allow card processing to recommence, which may include compliance validation by a Qualified Security Assessor (QSA).
The PCI DSS applies to any entity that accepts or processes payment cards, which importantly includes merchants and their chosen service providers, and is described as the global standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data.
Larger transacting merchants are required to validate compliance with the PCI DSS on a periodic basis. However, all merchants should take steps to protect card data by ensuring that their systems and those of their service providers, including eCommerce shopping carts, are regularly reviewed for malware and unauthorised access, patched, and virus protected, so as to maintain the integrity of card data being stored, processed, and transmitted. Merchants should avoid storing, processing, and transmitting card data wherever possible.
Use of a Hosted Payment Page (HPP) provided by a PCI DSS compliant payment gateway reduces the scope of the PCI DSS for merchants, but does not eliminate all security threats.
Further information on the PCI DSS can be found here
FRAUD TREND ALERT: Compromised Data
Fraudsters are targeting eCommerce shopping carts as a means to capture card data and use this data to commit fraud. Merchants should ensure that shopping carts and their wider systems environment are kept patched, virus protected, and regularly reviewed for malware and unauthorised access.
5. Never process payments for others
If a merchant processes payments on behalf of a third party, the merchant wears the liability for those transactions. This might include chargebacks and financial penalties that result from fraud, non-delivery of goods/services, or compliance breaches relating to the sale of illegal goods or engagement in financial crimes.
6. Avoid Funds Transfer Fraud
Never increase the value of a payment transaction to cover monies owed by a cardholder to an unknown third party such as a courier service, and never make payments to these third parties via money or bank transfers.
Fraudsters use Funds Transfer Fraud as a mechanism to extract cash from merchants, generally by placing larger value orders over the phone. This often results in monies being transferred to (say) a courier engaged in the fraudulent activity and a fraud chargeback being received because the card used in the payment transaction was stolen.
FRAUD TREND ALERT: Funds Transfer Fraud
There has been a notable increase in fraudsters targeting restaurants, cafes, event managers, pharmacies, and motor mechanics with this fraud method. If you’re asked to inflate the value of a transaction to cover a third-party payment for a courier, florist, caterer, wedding planner, musician, celebrant, vehicle transporter, etc. and if this is an add-on cost to a higher value Mail Order Telephone Order (MOTO) transaction, then please be aware that this may be a scam.
Further information for merchants using an EFTPOS machine:
7. Avoid authentication by-pass techniques
EFTPOS machines have security features to protect merchants from fraud. To benefit from these security features, always tap or dip the card and refrain from using MOTO functionality when the cardholder is present.
If a card fails to be read by the EFTPOS machine when tapped or dipped, request a different card from the cardholder.
A magnetic stripe transaction should only be processed when directed by the EFTPOS machine. Please ensure the card looks genuine and is being correctly tapped or dipped into the EFTPOS machine before allowing use of the magnetic stripe, as the cardholder may be seeking to by-pass authentication provided by contactless and dipped transactions.
Note that transactions should never be split into smaller amounts, especially when this is requested by the cardholder, as this may result in chargebacks.
8. Safeguard your EFTPOS machine
When merchants dip the card and ask the cardholder to key their PIN, they should maintain focus on the EFTPOS machine at all times and never allow the cardholder to operate the EFTPOS machine when unattended. This will prevent the cardholder from cancelling the authenticated chip transaction, engaging the MOTO functionality on the EFTPOS machine if this is enabled, and processing a card not present transaction that leaves the merchant vulnerable to fraud chargebacks.
When unattended, specifically out of business hours, ensure the EFTPOS machine is stored safely to avoid theft and manipulation and check the EFTPOS machine each day for any signs of tampering.
FRAUD TREND ALERT: EFTPOS Machine Manipulation
There is evidence of fraudsters pretending to tap their Smartphone on the EFTPOS machine to give the impression that they are performing a contactless transaction, whilst pressing buttons on the EFTPOS machine to activate MOTO and hand-key the transaction. It’s important for merchants to maintain control of their EFTPOS machine at all times and avoid being distracted when cardholders are asked to key their PIN. If you have Mail Order Telephone Order (MOTO) enabled on your merchant facility and would like to have this functionality removed, please contact Tyro Customer Support on 1300 966 639.
Further information for merchants processing Mail Order Telephone Order (MOTO) transactions:
9. Know the risks of Mail Order/Telephone Order (MOTO) hand-keyed transactions
MOTO transactions are riskier than card present transactions and are more likely to result in a chargeback. In the event of a chargeback, it is the merchant’s responsibility to prove that the actual cardholder (and not a fraudster in possession of the card details) initiated and completed the transaction, meaning that the risk of MOTO transactions resides with the merchant, not Tyro or the cardholder.
MOTO transactions should only be processed when the value of the transaction sits within the merchant’s risk appetite for loss. It is often said that if a purchase (or sequence of purchases) seems too good to be true, then it probably is and caution should be taken before shipping goods or providing services. MOTO payments should never be processed when the cardholder is present, because this bypasses the security features provided by the EFTPOS machine.
If a merchant has MOTO enabled on their merchant facility and would like to have this functionality removed, they should contact Tyro Customer Support on 1300 966 639.
Further information for merchants processing eCommerce transactions:
10. Know the risks of eCommerce transactions
eCommerce transactions (i.e. payments taken by a merchant online via a website or via an application) are riskier than card present transactions and are more likely to result in a chargeback. In the event of a chargeback, it is the merchant’s responsibility to prove that the actual cardholder (and not a fraudster in possession of the card details) initiated and completed the transaction, meaning that the risk of eCommerce transactions resides with the merchant, not Tyro or the cardholder.
eCommerce transactions should only be processed when the value of the transaction sits within the merchant’s risk appetite for loss. It is often said that if a purchase (or sequence of purchases) seems too good to be true, then it probably is and caution should be taken before shipping goods or providing services.
Fraud can occur in many different ways and there is no silver bullet when it comes to fraud prevention. That said, merchants should apply caution when processing:
- Unusually high-value orders;
- Multiple transactions on the same card to different shipping addresses, or the use of multiple cards with the same shipping address;
- Multiple different cards originating from the same email address or IP address;
- Multiple transactions on the same card in a short time period, especially for large value items;
- Orders with different billing and shipping addresses, especially for large value items;
- Bulk orders, especially for high-value goods or infrequently purchased high-quality items;
- Orders with unusual addresses or addresses that can’t be verified;
- Orders requiring expedited shipping, particularly for large value items or duplicate items;
- Orders from higher risk jurisdictions, especially where the goods being sold are commonly available in that jurisdiction;
- Refunds when the cardholder requests the refund to a different card or cards.
Care should also be taken when processing Click & Collect transactions, where cardholders pay online and collect in store, specifically where this involves the sale of alcohol or high-value goods. Merchants should have procedures in place to validate the identity of the cardholder, for example by sighting the physical card and checking that the card is genuine and the name on the card matches the identification provided by the person collecting the goods, and confirm the age of the individual collecting the goods when there are applicable age restrictions.
When shipping goods, it is advisable to request cardholders to sign for deliveries and provide photo ID, however this does not guarantee protection in the event of a chargeback.
3D Secure (3DS) technology can be used to authenticate online transactions; it is the online shopping equivalent of chip and PIN security for card present transactions processed on an EFTPOS machine. Version 1.0 of 3DS has been available for a number of years (e.g. Mastercard SecureCode and Verified by Visa), but has limitations and creates “friction” for cardholders. Version 2.0 will be adopted globally in late 2018 and through 2020 (depending on the card scheme) and is expected to make the technology available on browsers, mobile apps, and connected devices, and to significantly reduce the cardholder payment friction seen with Version 1.x.
11. Avoid card testing
Fraudsters test the validity of stolen card credentials by using automated scripts to process large volumes of transactions through eCommerce merchant facilities. Each time a transaction is sent by the eCommerce facility to the card issuer for authorisation, the fraudster receives an approve or decline decision and can determine whether the card is still active. Card testing is most common at charity merchants and utilities organisations; however, other merchant categories can be targeted.
Tyro recommends the use of CAPTCHA/reCAPTCHA technology in the purchasing flow on merchant websites to disrupt the use of automated scripts, validate that the cardholder is human, and limit the potential for chargebacks.
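A defender-side illustration of the eCommerce indicators listed in section 10 and the card-testing pattern described in section 11, as an added example that is not Tyro’s code: it runs velocity checks over a merchant’s own authorisation log. The record field names (ts, card, email, ip, ship, result), the thresholds, and the sample log are all assumptions constructed for this example.

```python
from collections import defaultdict

def _max_in_window(timestamps, window):
    """Largest number of events that fall within any `window`-second span."""
    ts, best, lo = sorted(timestamps), 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def velocity_flags(records, window=3600, max_cards=3, max_same_card=3,
                   test_attempts=8, test_decline_ratio=0.5):
    """Apply the page's eCommerce and card-testing indicators to an authorisation
    log. Thresholds are illustrative assumptions, not Tyro's or any scheme's."""
    groups = {k: defaultdict(list) for k in ("ip", "email", "card", "ship")}
    for r in records:
        for k in groups:
            groups[k][r[k]].append(r)
    flags = defaultdict(set)
    for src in ("ip", "email"):  # multiple different cards from one email/IP
        for key, g in groups[src].items():
            if len({r["card"] for r in g}) > max_cards:
                flags[f"many_cards_one_{src}"].add(key)
    for key, g in groups["ip"].items():  # card testing: burst of mostly-declined auths
        declines = sum(r["result"] == "declined" for r in g)
        if (_max_in_window([r["ts"] for r in g], window) >= test_attempts
                and declines / len(g) >= test_decline_ratio):
            flags["card_testing"].add(key)
    for key, g in groups["card"].items():
        if len({r["ship"] for r in g}) > 1:  # same card, different shipping addresses
            flags["one_card_many_addresses"].add(key)
        if _max_in_window([r["ts"] for r in g], window) > max_same_card:
            flags["card_velocity"].add(key)  # same card, many transactions in window
    for key, g in groups["ship"].items():  # multiple cards, same shipping address
        if len({r["card"] for r in g}) > max_cards:
            flags["many_cards_one_address"].add(key)
    return {k: sorted(v) for k, v in flags.items()}

def _rec(ts, card, email, ip, ship, result):
    return {"ts": ts, "card": card, "email": email, "ip": ip, "ship": ship, "result": result}

# Constructed sample log (assumption, not real data): one normal shopper, a card-testing
# burst from one IP (ten tokenised cards, mostly declined), one card shipping to 4 addresses.
SAMPLE_LOG = (
    [_rec(0, "tok_A", "ann@example.com", "203.0.113.5", "1 Main St", "approved")]
    + [_rec(60 + 5 * i, f"tok_T{i}", f"t{i}@example.net", "198.51.100.7", "PO Box 1",
            "approved" if i % 4 == 0 else "declined") for i in range(10)]
    + [_rec(500 + 60 * i, "tok_B", "bob@example.com", "203.0.113.9", f"{i} Side Rd",
            "approved") for i in range(4)]
)
```

Calling `velocity_flags(SAMPLE_LOG)` flags the testing IP and its shared shipping address, and the card spread across several addresses, while the single normal shopper produces no signal.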