Whereas PCI DSS is about preventing cardholder data from being stolen, fraud prevention is about stopping fraudsters from then going on to use that stolen cardholder data for profit.
Fraud exists in many different forms, and as technology evolves, so will the methods fraudsters use to try to deceive businesses. So, to protect yourself as much as possible, it’s important to keep up to date with advice from your payment processing company.
The kinds of fraud your business might be exposed to will depend on the way you take payments. In general, payment fraud can be broken down into two types: card-present fraud (not so common nowadays) and card-not-present fraud (more common).
Card-not-present fraud can happen when the cardholder is not physically present during payment. This includes payments made online, via mail order, over the phone, or by fax. These kinds of transactions are more prone to fraud because:
Someone calls Katie’s shop to order 24 bottles of champagne for £1,200. This person gives their name and card details over the phone, and has the goods picked up by courier later that day.
The fraudulent act
What Katie didn’t realise was that the card was stolen from someone else – the ‘customer’ was actually a fraudster.
Unfortunately, taking payments over the phone does carry a fraud risk. Because Katie took the payment over the phone, she is liable to pay back the £1,200 to the card scheme, as well as losing out on the champagne that was effectively stolen by the fraudster.
How could this have been prevented?
If the customer on the phone was picking up the goods later that day, Katie should have insisted that the customer pay for the goods in-store, using the normal chip & PIN method. This is because the chip & PIN method creates an extra safeguard, which means fraudsters can’t use the stolen card to buy anything costing more than £30 (the current contactless limit) unless they also know the card’s PIN.
And in fact, under the scheme rules, even if the fraudster happened to know the cardholder’s PIN, the liability would still not sit with the merchant.
Other warning signs that could have indicated a fraudulent transaction:
For more information, see our ‘Card Not Present’ section on our fraud protection help and support page.
Card-present fraud occurs when a customer’s details, such as card numbers, are stolen while a physical card is being used for payment. Common targets for card-present fraud are restaurants, retail stores and ATMs.
Card-present fraud is a lot less common than card-not-present fraud because of the protections the industry has put in place. For example, the introduction of holographic graphics makes it much more difficult for fraudsters to clone physical cards.
How can these be prevented?
For more information and tips, see our ‘Card Present’ section on our fraud protection help and support page.
If fraud happens, who the liability sits with depends on the method used to take the payment:
Now you’re clued up on how to prevent fraud, you might want to read our other introductory guides on payment security: the beginner’s guide to PCI DSS, and the beginner’s guide to chargebacks.
Or, for more in-depth information on fraud and how to prevent it, see our fraud and security management help & support page.