By Marcus Leach
With criminals hitting back against falling credit card fraud, the Forum of Private Business (FPB) is warning that small businesses are more vulnerable when taking online payments.
Recent figures from the UK Cards Association show that, while debit and credit card fraud has fallen to its lowest level for 11 years as a result of chip and pin technology, attempts to infiltrate consumer accounts, steal identities and forge payments are increasing.
Banks have tightened their security systems — including introducing physical devices for taking online payments — but despite lower levels of online fraud many small businesses are bearing the brunt of breaches of supposedly secure payment systems.
For example, in instances where credit card information gained illegally is used to place an order for which the original cardholder will not pay out, the e-Commerce merchant is expected to refund all the expenses and cover the hassle by paying a chargeback fee.
Even when no fraud has occurred, entrepreneurs are being hit. Recently, PayPal has been accused of withholding traders’ eBay payments for up to six months when accounts are automatically limited following suspicions of fraud. Even those who establish that there has been no crime often struggle to unfreeze their accounts.
Offline, banks have been criticised over moves to charge shop and restaurant owners for IT checks to ensure they comply with data processing and storage obligations under the Data Protection Act. Firms face charges if they refuse.
The Forum’s Adviser on Merchant Services, Richard Bradley of Accept Cards Ltd, urged business owners to be more proactive in preventing credit card fraud, including ensuring they fully understand and properly utilise the banks’ security systems.
He noted a recent scam where fraudsters order high-value goods and have them delivered to what they claim is their child’s university address; in reality the child does not exist and the address is just a pick-up point for the fraudster to collect the goods.
“Card fraudsters are like a virus in that they change and adapt to the conditions they face and it is important to be vigilant in order to minimise the risks of being hit,” he said.
“While debit and credit card fraud fell by 9% to £170 million in the first half of 2011 there is still much to do to stop people who are determined to take money from your business by using someone else's card.
“These criminals are much less likely to target businesses in person via a chip and pin transaction, and the majority of fraud is seen where the cardholder is not present, in other words mail order and online payments. The best advice is to be prepared.”
For mail order transactions Mr Bradley advised business owners to apply Address Verification Service (AVS) and Cardholder Verification Value 2 (CVV2) checks on their terminals.
He said that all the information requested should be entered in full and verified, warning that any missing data could lead to banks charging more for transactions and reduce the level of security for businesses.
Mr Bradley identified several key questions business owners should ask to assess if mail order fraud is taking place:
- Is the sale too easy? Is the customer disinterested in the price or details of the goods? Are they a new customer?
- Are the goods high-value or easily resalable?
- Is the sale excessively high in comparison with your usual orders?
- Is the customer ordering many different items?
- Do they seem unlike your usual customer?
- Is the customer providing details of someone else's card, e.g. that of a client or family member?
- Is the customer reluctant to give a landline phone number? Are they only prepared to give you a mobile number?
He also advised internet retailers to minimise the risk of being hit by fraud by:
- Ensuring their online ‘shopping cart’ or checkout is secure and meets the requirements of Payment Card Industry Data Security Standards (PCI DSS).
- Ensuring they or their payment software suppliers have up-to-date anti-virus and anti-phishing software installed on all computer systems.
- Adopting fraud prevention tools such as Verified by Visa and MasterCard SecureCode on their payment gateway, which prompt customers for their passwords.
“All of these measures will help small business owners to judge whether a cardholder is genuine but it is important to remember that authorisation of a card is not a guarantee of payment whenever the cardholder is not present,” Mr Bradley added.
“If in any doubt whatsoever it is important not to proceed with the transaction or deliver the goods at all. At the end of the day, they are your goods and it is your money potentially at risk.”
Mr Bradley also recounted instances of Mastercard and Visa imposing fines on card acquirers running into tens of thousands of pounds where card data has been misused by members of staff because it has not been held securely, with the card acquirer ultimately passing these fines on to the merchant.