When people think of credit card fraud, they usually think of identity theft and data breaches or someone buying items online with a stolen credit card number. But there are other ways that criminals can commit credit card fraud, and they're always looking for new ways to skirt your business’ latest security protections.
Certain types of credit card fraud have grown over the last few years, especially during the pandemic.
According to PaymentsNext.com, a payments industry trade journal, global losses in payment fraud have tripled between 2011 and 2020, with card not present (CNP) being the worst culprit. Some analysts believe that CNP will reach $130 billion in global losses by 2023.
Fraud affects small retailers too, not just the big ones.
For one thing, credit card fraud has the potential to affect all of us as customers. In 2019, Markus Bergthaler, director of programs at Merchant Risk Council, told the Washington Post that “recent figures suggest that over 80 percent of credit cards currently in people’s wallets have already been compromised." That is, your credit card number may exist in a hacker’s database waiting to be used or sold.
That makes businesses vulnerable as well, because any time someone orders a product with a fake credit card — say, a $1,500 iPhone or a $3,000 home theater system — and the cardholder finds out about it, the bank will give them a refund.
And they'll take it out of the merchant's account — your account.
So not only will you be out the purchase amount, you're out the actual merchandise too. It would be one thing if you could recover the merchandise and resell it. But it's gone, and your revenue is gone, so you've been hit twice.
Let me explain something: Credit card companies are doing everything they can to protect consumers from credit card fraud, theft, shady merchants and rip-off artists. And do you know what they're doing to protect businesses from credit card fraud, theft, shady customers and rip-off artists?
Much, much less.
8 ways to protect your business from credit card fraud
I recently did some marketing for a payment services provider. I was astounded at how much the credit card networks did for its customers, even if it was detrimental to the merchant.
You as a merchant want to make sure you're taking the appropriate steps to protect your business from credit card fraud in order to preserve your bottom line, including:
- Have an EMV chip card reader.
- Use Strong Customer Authentication.
- Use CVV2 codes online.
- Better yet, use dCVV2 codes.
- Have cybersecurity insurance.
- Watch out for chargeback fraud.
- Require returns on damaged items.
- Participate in Order Insights and Ethoca.
Let’s get started.
1. Have an EMV chip card reader
Most businesses are required to have an EMV chip reader, but not all of them. For example, gas stations have been able to put off that requirement for their gas station pump card readers for years, even as they're required to have them inside. So if your industry doesn't require it, protect your business from credit card fraud and get one anyway.
EMV is a security standard developed in Europe by Europay, Mastercard and Visa in the 1990s, and now includes American Express, Discover, JCB and China UnionPay. They have made the EMV chip cards a global security standard.
EMV card readers read the chips inside the cards, and you either insert the card into the reader (called "dipping") or tap it on top of the reader (called, well, "tapping"). Before EMV, we all swiped the magnetic stripes on the cards, but we don't do that for debit cards anymore, although we often do for credit cards.
The problem is that while EMV cards are harder to use in person, they're not completely secure because the thief could either forge a signature or sign the back of a blank card, thus making it "their" signature.
One of the EMV chip card reader protections is that it follows the European security standard, Strong Customer Authentication (SCA).
2. Use Strong Customer Authentication (SCA)
Some payment service providers in the U.S. have begun using Strong Customer Authentication (SCA), and if you can find a provider that offers it, grab onto it with both hands.
SCA will protect your business from a lot of credit card fraud.
The EMV readers even follow the basic principles of Strong Customer Authentication. In SCA, merchants are required to use two of three components to verify a credit card purchase. The customer has to show something they have, something they know, and something they "are."
- Something you have means you have a mobile phone or debit card.
- Something you know means you know your password or PIN.
- Something you are means your biometrics, like your fingerprint or facial recognition.
The SCA standard and the EMV chip card reader protect merchants and entrepreneurs that accept physical credit cards at a physical location. The one thing it doesn't do is solve the problem of card-not-present (CNP) fraud.
Anyone who sells online processes CNP transactions. It's one of the most popular transaction types, which means it's the most vulnerable to credit card fraud. But there are a few things you can do to protect your business during CNP transactions.
3. Use CVV2 codes online
Many online merchants create a security risk by not using CVV2 codes in their purchases (the 3-digit code on the back of your credit card).
The code is an added security step that prevents merchants from accepting credit card numbers stolen in data breaches and hacks.
Since most merchants don't store these static CVV2 numbers on their servers, or they keep them in a separate database, the crooks are stymied on websites that require a CVV2 code.
Important note: This is why you should never, ever store CVV2 codes! If a crook gets ahold of those numbers, it blows a lot of the security protection other businesses have taken to avoid credit card fraud.
You can protect yourself, however, if you do the following.
4. Use dynamic CVV2 Codes
To help combat the theft of CVV2 codes, Visa has begun generating a dynamic CVV2 (dCVV2). Whenever a cardholder wants to buy something online, they can request a dCVV2 code through their mobile Visa app and use it like it was the regular security code on their card.
Since the cardholder's card number and the dCVV2 are tied into the Visa app, once the transaction reaches Visa's system, the dCVV2 is cross-checked and approved, and then the dCVV2 is discarded.
That way, even if you ignored what we said and stored the CVV2 number, it wouldn't matter because it's no longer valid.
You can put a stop to anyone with a stolen CVV2 number just by requiring a dCVV2.
5. Have cybersecurity insurance
If you don't have cybersecurity insurance, get it immediately. Your regular business insurance will not protect you if fraudsters breach your servers and steal your customers' personally identifiable information.
If (or when) that does happen to you, you're required to notify every person whose data was stolen and provide them with one free year of credit monitoring services. Your insurance company will pay for everything, even going so far as sending the professionals to handle the process.
Of course, you should take all necessary steps to ensure your business is protected. But if you get hacked — it happened to Equifax! — you don't want to pay for any of that yourself, let alone try to figure out what you're supposed to do and how you're supposed to do it.
6. Watch out for chargeback fraud
Chargebacks are one of the biggest types of credit card fraud that your business faces.
Chargebacks usually protect customers from merchants who refuse to give refunds on damaged or incomplete orders. The customer can request a chargeback, and the credit card network will automatically grant a refund.
But as a merchant, when you're hit with a chargeback you're hit with additional fees on top of the refund. Depending on your chargeback ratio, the fees could total as much as 300% over the cost of the original purchase. So a $100 refund could turn into a $400 chargeback.
However, most chargebacks are fraudulent or at least only filed out of convenience.
According to Chargebacks911, 81% of customers admit to filing a chargeback simply out of convenience.
In other words, a person who doesn't recognize a $6 charge on their credit card statement will issue a chargeback, not realizing it was a purchase at your coffee shop three weeks ago and not bothering to figure it out on their own. Meanwhile, you're hit with a $3 penalty on top of the refund, so now you're out $9.
Worse yet, people commit return fraud and chargeback fraud on an alarming basis.
A favorite trick is to order a lot of food from a restaurant and then call their bank the next day and say, "The restaurant screwed up my order. I want a full refund."
I've seen story after story about chargeback fraud during the pandemic, including the closing of a popular Korean restaurant, Spoon by H, which was shut down as a result of chargeback fraud.
One way to avoid chargebacks is to participate in Visa's Order Insights and Mastercard's Ethoca programs (more on that in a minute). You should also contest large chargebacks, especially if you think the chargeback is an error or is fraudulent.
And you only have a short window of time to challenge them, so don't miss that window.
Finally, make sure you know what your chargeback rights are as a merchant. You don't have to just accept every chargeback that comes your way. There are ways to fight chargebacks and come out on top.
7. Require returns on damaged items
One chargeback fraud method is when customers report that a shipment was damaged or stolen. They request a replacement because they know that most merchants will automatically just give them one. Except the damaged shipment was not damaged, and the lost item was never actually lost (unless it was stolen by porch pirates).
The fraudster is counting on you being so busy that it's just easier to ship out a replacement without making them do any extra work. So they'll get two TVs or two laptops because the first one was "broken."
You can put a stop to damaged item fraud by sending your customer a prepaid return label and asking them to return the damaged item before you ship out a replacement.
If the customer doesn't send back the item, you don't have to send out the replacement, and you just stopped some fraud!
Just watch out for another return fraud method: Crooks will stuff an envelope with junk paper, apply your return label, and send it back. When the envelope arrives, it will get scanned, which tells your system the item was "returned."
Or, they'll return an item at a UPS or FedEx store because some online retailers will consider an item returned once it has been scanned at the FedEx/UPS store. So be sure to compare the weight of the original package and the new one before you process the return.
8. Participate in Visa's Order Insights and Mastercard's Ethoca programs
These are great programs offered by the two credit card networks.
The way the system works is the bank rep taking the customer’s call about a disputed charge has immediate access to your transaction data.
They're able to ask questions. If a customer says they didn't receive their complete order from your restaurant, the rep will ask whether they called you to resolve the problem. If the customer hasn’t reached out to you, the rep will not process the chargeback.
The program also helps the customer see if it's a purchase they forgot or if another family member made the charge, such as a teenager making an in-app purchase on a game.
They can also detect fraud patterns, such as the same cardholder making the same type of chargebacks on a restaurant week after week or repeatedly receiving "damaged" shipments.
Additional steps to protect your business from credit card fraud
There are a few additional steps you can take to protect your business from credit card fraud:
Set spending limits for new customers, especially if your business has regular repeat customers. A spending limit won't stop fraud, but it will reduce the impact of "first-time" crooks with a stolen credit card.
Look for patterns of returns among past customers. Are there customers who report a lot of lost and damaged items? Do they return a lot of items? Flag their names in your CRM database to identify possible fraudsters.
Watch out for unusual buying patterns like multiple cards being used to ship orders to the same address or one card ordering products for multiple addresses. Someone buying gifts during the holiday time, but there are even patterns to look for there, such as electronics being shipped to several addresses in the same city.
You're going to have to accept credit cards as a part of doing business, but that doesn't mean you have to accept fraud as the cost of doing business.
Identity theft, credit card fraud, and chargeback fraud can all be reduced if you take the right steps, work with the right payment service provider, and even participate in programs like Ethoca and Order Insights.
Fight all chargebacks over $25, and keep all of your paperwork and transaction details. They'll protect you whenever you contest a chargeback. Require customers to return damaged goods, and ask shippers to take photos of completed deliveries whenever possible.
And if you're looking to get paid in your own online store, GoDaddy now offers GoDaddy Payments in Websites + Marketing.