Be Fraud Aware – A Vital Guide for Merchants
For most merchants, the instance of fraud is mercifully rare. However, it pays to be vigilant, and in this article, I will set out the 3 best ways minimise exposure to card fraud. In addition, I'll also cover how to avoid 2 common issues.
There are 3 main scenarios for accepting card payments: Point of Sale, Mail order/Telephone order, and eCommerce. These involve different levels of risk for the merchant and below is a note on the main points to be aware of for each.
1. Point of Sale (POS)
For this purpose, we will assume the card is present at the Point of Sale.
- Chip and PIN – this is the safest method to accept payment, with no risk to the merchant in the case of fraud
- Contactless – similar to the above, no risk to the merchant
- Fallback – this is where a chip cannot be read by the terminal, and the merchant chooses to swipe the card instead. The point to note here is that if the customer provides a PIN number, there is no risk to the merchant. However, if the merchant chooses to accept the transaction without the PIN, the merchant is liable in the case of fraud.
In addition, there is a potential security weak point when refunds are being made from the terminal. Here is the best practice for making refunds:
- Protect your terminal with a password
- Only authorised staff should have a password to enable refunds
If a merchant tries to make a refund to a card which is not the same one used to make the original purchase, the transaction will be stopped as part of the subsequent processing and the funds will not be cleared. This is to protect the merchant and in the same way, refunds for amounts higher than the original sale amount will not be cleared.
Also, transactions will not be cleared if the Merchant uses a ‘refund’ via their terminal to pay expenses or wages to themselves, suppliers, staff, friends, family members, or any other unapproved person.
2. Mail Order/Telephone order (MOTO)
A MOTO transaction is where a merchant manually enters a card number into their terminal without the customer's card being present and the pin number is not entered.
- Transactions of this nature are very high risk to the merchant
- The merchant is liable for any MOTO transaction that turns out to be fraudulent
- If the card is present but the PIN cannot be entered, the merchant would be liable in the case of fraud
- If the order amount looks too good to be true, it probably is, so be vigilant
- A forgotten pin or a customer using their friend’s card all mean the same thing; the merchant is liable in the case of fraud.
Best practice is – if in doubt, you should ask for a different form of payment.
3. eCommerce (online transactions)
There are 2 methods for accepting payments online
This is where the cardholder assigns a password to their card, and that password is then verified by Mastercard (Mastercard Securecode) or Visa (Verified by Visa), when a transaction is being processed online. This is the most secure means with no risk to the merchant.
In this case the cardholder will enter their card details online and they are used without verification by the merchant. Clearly this exposes the merchant to a much greater degree of fraud risk.
Best practice for eCommerce is to:
- Use 3D Secure in all transactions
- Request the customer input their 3-digit security code
- Deliver to the billing address
- Ensure a signature is taken at delivery
Avoiding common snags
Here's the best practice for avoiding two common issues – unauthorised transactions and chargebacks
Although not fraud-related, merchants will run into difficulties if they try to process payments for goods outside of their normal line of business. Merchants can only use their terminal to process transaction types that have been underwritten and approved for their category of business. For example, merchants cannot:
- Use their terminal to sell personal items such as a family car
- Lend the terminal to another unapproved business
- Sell off the contents of a business (such as a bakery selling off its old delivery vans)
A chargeback is where a consumer or their issuing bank disputes a transaction made with their card. This could be due to fraud, or, a service-related issue. If the dispute is resolved in the cardholder’s favour, the cardholder would be reimbursed for the partial or full amount of the transaction at the merchant’s expense.
A chargeback is initiated by the issuing bank; either at the request of the cardholder or when the bank sees the need to do so via the card schemes (e.g. Visa or Mastercard).
Common reasons for chargebacks:
- Fraud enquiries – cardholder denies participating or authorising a transaction
- Cardholder disputes the sale for reasons such as failure to receive goods or services
- Cardholder disputes the sale for reasons of quality
- Cardholder does not recognise a transaction, it may be the clearing name on the cardholder's bank statement is not the same as the seller's trading name
A cardholder or card issuer has the right to question or dispute a transaction and all merchants accepting debit and credit card payments are subject to chargebacks.
To minimise the instance of fraud, merchants should put in place controls around access to their merchant accounts and terminals. They should also be vigilant when accepting an order that appears too good to be true.
In the case of a service issue, the best practice for the merchant is to try to resolve the issue with the cardholder before it gets to the point of a chargeback.
Merchants who are mindful of all the above will have gone a long way to mitigating the most common security weak points. However, this article is intended only as a brief guide to avoiding the main issues arising, rather than an exhaustive list. You should contact your payments provider with any questions about your potential transactions.
Authored by Graham Donaldson, the views published here are his own.