Payment fraud can be an expensive problem. UK annual payment card fraud losses are more than £500 million – and much of that cost is borne by retailers and ecommerce merchants.
Businesses face two competing pressures: to make it easy for genuine customers to buy from you, while also deterring and detecting potential fraud. Understanding the most common types of payment fraud and putting in place sensible risk controls can help you find the right balance.
Card-not-present payment fraud
As business has increasingly moved online, so has payment fraud. Card-not-present fraud – particularly for purchases online, but also for purchases by phone or through mail order – is the most common type of card fraud.
Typically, stolen card information is used to buy goods. Even though the payment may be credited to your merchant account, that does not guarantee that you will get paid. When the fraud is detected and reported by the legitimate cardholder, as the seller you suffer a chargeback. Not only do you lose the money you expected, but you are likely to pay extra costs.
You can reduce the risks by using a payment gateway that offers good fraud detection and prevention tools. These can include:
- Requiring the purchaser to input the Card Verification Value (CVV) from the back of the card, as well as the other card details.
- Using 3D-Secure (3DS2), which involves additional checks such as sending the customer a one-time password which needs to be entered.
- Other technologies that help detect risk factors. For example, checking whether there is anything unusual about the location of the device being used to make the purchase, the time of day the order is placed, the amount and so on.
Depending on your payment provider, there may be extra fees for some security tools, typically charged as a percentage of each transaction.
SCA, 3DS2 and payment fraud
Some form of ‘Secure Customer Authentication (SCA)’ like 3DS2 is a legal requirement for many online transactions, but there are exemptions. For example, you may not need to use 3DS2 for most low value transactions (below €30), repeated subscription payments, and other low risk transactions. This can have advantages, as it makes the payment process slightly easier for the customer – which reduces the risk of a purchase being abandoned.
The big advantage of using 3DS2 is that it significantly reduces the risk of a chargeback. If 3DS2 is used, you will not normally be liable for a chargeback even if the card is later found to be stolen or counterfeit. This ‘liability shifting’ does not, however, protect you from other kinds of disputes – for example, if the customer claims that the goods are faulty or were not received.
You should make sure you understand what security measures your payment processor uses, under what circumstances you could be liable for a chargeback and what the associated costs would be. You may be able to fine-tune the way security is applied – for example, using 3DS2 for all transactions with new customers, even if they are for small amounts that would qualify for an SCA exemption.
In person payment fraud
If you sell in person – for example, in a shop or restaurant – the ‘Chip and PIN’ system helps protect you against fraud. Provided Chip and PIN is used, you should not be liable for a chargeback if the card is later found to be stolen or counterfeit. Similar protection applies to more modern forms of payment such as contactless.
Be wary of any transactions that bypass these security features: for example, cards issued overseas that do not use Chip and PIN, or cards with a damaged magnetic strip.
If you accept payments in cash, make sure employees are trained to recognise the signs of potentially counterfeit currency. Avoid accepting payments using cheques unless you know and trust the customer – or the customer is prepared to wait until the cheque has cleared before receiving the goods.
Take steps to prevent unauthorised access to card processing equipment just as you would protect a cash till. Fraudsters can use distraction techniques to allow them to cancel transactions or process refunds.
Disputes, refunds and other payment frauds
With any purchase, there is always a risk that the customer will raise a dispute – for example, claiming that goods were not delivered or were faulty. There are practical steps you can take to reduce the risks, particularly for higher value purchases:
- Consider ‘onboarding’ new customers and requiring them to set up an account before making their first purchase. This gives you an opportunity to check their credentials, and will help deter casual fraudsters.
- Prepare a returns policy, and make sure customers are aware of it. Make sure you comply with the regulations covering distance and online selling.
- Have an appropriate refunds policy and make sure employees know how to deal with customers who request a refund. Be aware that payments you have received (for example, by card) could still be reversed. Avoid making any refund to a different account from the one that paid you.
- Protect the security of your payment processes. For example, set up a procedure for making payments and make sure you have appropriate IT security.
Payment fraud risk indicators
Make sure everyone in the business is aware of the signs of a potential fraud attempt. Indicators of higher than average risk include:
- customers (or suppliers) that aren’t known to you
- transactions for large amounts, or repeated small purchases
- orders from high-risk countries
- orders for delivery to an address that differs from the accountholder’s address, or for collection in person
- any attempt to create urgency or pressure – for example, for expedited delivery or an immediate refund
- attempts to pay using a different method after a card payment has been declined by the issuer
- changes to account details or requests to use different payment methods
If you think a transaction may be suspect, consider asking the customer for more information – or simply declining the order altogether.
If you think you have been the victim of a fraud, you should report it to Action Fraud online or by calling 0300 123 2040. You may also want to contact your bank or payment processor, particularly if you have made any payments to potential fraudsters.
Download more information on UK fraud trends, statistics and prevention from UK Finance.