Beginner’s guide to preventing fraud

Whereas PCI DSS is about preventing cardholder data from being stolen, fraud prevention is about stopping fraudsters from then going on to use that stolen cardholder data for profit. 


The kinds of fraud your business might be exposed to will depend on the way you take payments. In general, payment fraud can be broken down into two types: card-present fraud (not so common nowadays) and card-not-present fraud (more common).

Card-not-present fraud 

Card-not-present fraud can happen when the cardholder is not physically present during payment. This includes payments made online, via mail order, over the phone, or by fax. These kinds of transactions are more prone to fraud because:

  •  They’re not protected by chip and PIN
  •  They’re taken at the retailer’s own risk
  •  The merchant can’t check if the physical card is genuine
  •  The merchant can’t verify the cardholder’s identity

Card-not-present fraud – example 

Scenario

Someone calls Katie’s shop to order 24 bottles of champagne for £1,200. This person gives their name and card details over the phone, and has the goods picked up by courier later that day. 

The fraudulent act

What Katie didn’t realise was that the card was stolen from someone else – the ‘customer’ was actually a fraudster. 

Unfortunately, taking payments over the phone does carry a fraud risk. Because Katie took the payment over the phone, she is liable to pay back the £1,200 to the card scheme, as well as losing out on the champagne that was effectively stolen by the fraudster. 

How could this have been prevented? 

If the customer on the phone was picking up the goods later that day, the shop owner should have insisted that the customer pay for the goods in-store, using the normal chip & PIN method. This is because the chip & PIN method creates an extra safeguard, which means fraudsters can’t use the stolen card to buy anything costing more than £30 (the current contactless limit), unless they also know the card’s PIN. 

And in fact, under the scheme rules, even if the fraudster happened to know the cardholder’s PIN, the liability would still not sit with the merchant.

Other warning signs that could have indicated a fraudulent transaction: 

  • The order value was a lot higher than Katie is used to seeing (i.e. the fraudster was trying to maximise the amount of goods they could steal)
  • The customer may have attempted to use several other cards which were declined before one was accepted (i.e. attempting to use other stolen cards which had been declined due to them being cancelled)
  • The customer may have asked for goods to be picked up by a courier or third party (i.e. fraudster trying to stay anonymous)
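For shops that record phone and online orders electronically, the three warning signs above can be checked automatically before goods are released. The sketch below is an added illustration, not part of the original guide; the order fields, the sample data and the two thresholds (five times the typical order value, two or more different declined cards) are assumptions chosen for the example.

```python
from statistics import median

# Constructed sample data (not from the guide): recent order values in GBP.
HISTORY = [45.0, 60.0, 38.5, 120.0, 75.0, 52.0]

# Constructed order modelled on the champagne scenario.
PHONE_ORDER = {
    "amount": 1200.0,
    "channel": "telephone",
    "collection": "courier",
    "card_attempts": [
        {"card_last4": "1111", "result": "declined"},
        {"card_last4": "2222", "result": "declined"},
        {"card_last4": "3333", "result": "approved"},
    ],
}

def warning_signs(order, history, value_multiplier=5.0, min_declined_cards=2):
    """Return which of the guide's three warning signs apply to one order.

    value_multiplier and min_declined_cards are assumed thresholds.
    """
    signs = []
    # Sign 1: order value far above what the shop normally sees.
    if order["amount"] > value_multiplier * median(history):
        signs.append("unusually_high_value")
    # Sign 2: several *different* cards declined before one was accepted.
    # Retries of the same card (e.g. a mistyped number) count once.
    declined = set()
    for attempt in order["card_attempts"]:
        if attempt["result"] == "approved":
            break
        declined.add(attempt["card_last4"])
    if len(declined) >= min_declined_cards:
        signs.append("several_cards_declined")
    # Sign 3: goods collected by a courier or other third party.
    if order["collection"] in ("courier", "third_party"):
        signs.append("third_party_collection")
    return signs

def needs_review(order, history):
    """Hold card-not-present orders that show any warning sign."""
    cnp = order["channel"] in ("telephone", "mail", "online")
    return cnp and bool(warning_signs(order, history))

if __name__ == "__main__":
    print(warning_signs(PHONE_ORDER, HISTORY), needs_review(PHONE_ORDER, HISTORY))
```

An order held for review can then be handled as the guide suggests, for example by asking the customer to pay in-store by chip & PIN when they collect.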

For more information, see our ‘Card Not Present’ section on our fraud protection help and support page.

Card-present fraud

Card-present fraud is when a customer’s details, such as card numbers, are stolen when a physical card is used for payment. Common targets for card-present fraud are restaurants, retail stores and ATMs. 

Card-present fraud is a lot less common than card-not-present fraud because of the protections the industry has put in place. For example, the introduction of holographic graphics makes it much more difficult for fraudsters to clone physical cards.

Card-present fraud – examples

Scenarios

  • The card’s magnetic stripe isn’t working, so you have to manually key in the card’s long card number (also called a Primary Account Number, or PAN). This could be a sign of a counterfeit card
  • Someone buys a lot of items, not caring about the price, style or size. This could be a sign that the person wants to re-sell the goods, indicating that the card could have been stolen 
  • A consumer tries to rush the transaction or distract the cashier. This could be a sign they’re trying to cover up their fraudulent activity
  • A card that looks like it is fake or has been altered can also tip off a merchant to possible card-present fraud

How can these be prevented? 

  • You can request that the customer presents photo ID to confirm they are the cardholder if you feel the card may have been stolen (for example, the card is embossed with ‘Mrs A Smith’, but the cardholder is a man) 
  • Similar to physical bank notes, payment cards can show signs of being counterfeit. For example, the card issuer’s hologram might not be on the back of the card
  • Don’t allow customers to rush the transaction process, or distract cashiers  

For more information and tips, see our ‘Card Present’ section on our fraud protection help and support page.

Fraud liability – who pays? 

If fraud happens, who the liability sits with depends on the method used to take the payment:

  • Face to face payments using Contactless or Chip & PIN – Merchant is not liable
  • Other face to face payments not using Contactless or Chip & PIN (e.g. Chip & Signature, manually keying in the long card number, or using the card’s Magnetic Stripe) – Merchant may be liable
  • Payments by postal mail – Merchant is liable
  • Payments by telephone – Merchant is liable
  • Online payments taken using 3-D Secure (namely Mastercard SecureCode, Verified by Visa and American Express SafeKey) – Merchant is not liable 
  • Online payments taken without using 3-D Secure – Merchant is liable