Whereas PCI DSS is about preventing cardholder data from being stolen, fraud prevention is about stopping fraudsters from then going on to use that stolen cardholder data for profit.
Fraud exists in many different forms. And as technology evolves, so will the methods fraudsters use to try to deceive businesses. So, to protect yourself as much as possible, it’s important to keep up to date with advice from your payments processing company.
The kinds of fraud your business might be exposed to will depend on the way you take payments. In general, payment fraud can be broken down into two types: card-present fraud (not so common nowadays) and card-not-present fraud (more common).
Card-not-present fraud can happen when the cardholder is not physically present during payment. This includes payments made online, via mail order, over the phone, or by fax. These kinds of transactions are more prone to fraud because:
Card-not-present fraud – example
Someone calls Katie’s shop to order 24 bottles of champagne for £1,200. This person gives their name and card details over the phone, and has the goods picked up by courier later that day.
The fraudulent act
What Katie didn’t realise was that the card was stolen from someone else – the ‘customer’ was actually a fraudster.
Unfortunately, taking payments over the phone does carry a fraud risk. Because Katie took the payment over the phone, she is liable to pay back the £1,200 to the card scheme, as well as losing out on the champagne that was effectively stolen by the fraudster.
How could this have been prevented?
If the customer on the phone was picking up the goods later that day, the shop owner should have insisted that the customer pay for the goods in-store, using the normal chip & PIN method. This is because the chip & PIN method creates an extra safeguard, which means fraudsters can’t use the stolen card to buy anything costing more than £30 (the current contactless limit), unless they also know the card’s PIN.
And in fact, under the scheme rules, even if the fraudster happened to know the cardholder’s PIN, the liability would still not sit with the merchant.
Other warning signs that could have indicated a fraudulent transaction:
- The order value was a lot higher than Katie is used to seeing (i.e. the fraudster was trying to maximise the amount of goods they could steal)
- The customer may have attempted to use several other cards which were declined before one was accepted (i.e. attempting to use other stolen cards which had been declined due to them being cancelled)
- The customer may have asked for goods to be picked up by a courier or third party (i.e. fraudster trying to stay anonymous)
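The three warning signs above can also be checked automatically before a phone or online order is released. The following is an added example, not part of the original guide or any payment provider's tooling; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from statistics import median

# Thresholds are assumptions for illustration; tune them to your own order history.
VALUE_MULTIPLIER = 3     # "much higher than usual" = 3x the median past order
MAX_DECLINED_CARDS = 2   # distinct cards declined before one was accepted

# Constructed sample data (hypothetical field names, last four digits only).
PAST_ORDER_VALUES = [45, 60, 38, 120, 75, 52]
PHONE_ORDER = {
    "amount": 1200, "collection": "courier",
    "attempts": [
        {"card_last4": "1111", "approved": False},
        {"card_last4": "2222", "approved": False},
        {"card_last4": "3333", "approved": True},
    ],
}
# The same card retried after a mistyped number is not "several cards".
RETRY_ORDER = {
    "amount": 90, "collection": "in_store",
    "attempts": [
        {"card_last4": "4444", "approved": False},
        {"card_last4": "4444", "approved": True},
    ],
}

def warning_signs(order, past_order_values):
    """Return the warning signs that a card-not-present order triggers."""
    signs = []
    # Sign 1: order value far above what the shop normally sees.
    if past_order_values:
        if order["amount"] > VALUE_MULTIPLIER * median(past_order_values):
            signs.append("order value far above usual")
    # Sign 2: several different cards declined before one was accepted.
    declined = {a["card_last4"] for a in order["attempts"] if not a["approved"]}
    if len(declined) >= MAX_DECLINED_CARDS:
        signs.append("several cards declined before one was accepted")
    # Sign 3: goods collected by a courier or other third party.
    if order["collection"] in ("courier", "third_party"):
        signs.append("collection by courier or third party")
    return signs

def needs_manual_review(order, past_order_values):
    """Hold the order for a human check when two or more signs are present."""
    return len(warning_signs(order, past_order_values)) >= 2

if __name__ == "__main__":
    print(warning_signs(PHONE_ORDER, PAST_ORDER_VALUES))
    print(needs_manual_review(RETRY_ORDER, PAST_ORDER_VALUES))
```

An order held for review would then be handled as the guide describes, for example by asking the customer to pay in-store with chip & PIN.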
For more information, see our ‘Card Not Present’ section on our fraud protection help and support page.
Card-present fraud is when a customer’s details, such as card numbers, are stolen when a physical card is used for payment. Common targets for card-present fraud are restaurants, retail stores and ATMs.
Card-present fraud is a lot less common than card-not-present fraud because of the protections the industry has put in place. For example, the introduction of holographic graphics makes it much more difficult for fraudsters to clone physical cards.
Card-present fraud – examples
- The card’s magnetic stripe isn’t working, so you have to manually key in the card’s long card number (also called a Primary Account Number, or PAN). This could be a sign of a counterfeit card
- Someone buys a lot of items, not caring about the price, style or size. This could be a sign that the person wants to re-sell the goods, indicating that the card could have been stolen
- A customer tries to rush the transaction or distract the cashier. This could be a sign they’re trying to cover up their fraudulent activity
- A card that looks like it is fake or has been altered can also tip off a merchant to possible card-present fraud
How can these be prevented?
- You can request that the customer presents photo ID to confirm they are the cardholder if you feel the card may have been stolen (for example, the card is embossed with ‘Mrs A Smith’, but the cardholder is a man)
- Similar to physical bank notes, payment cards can show signs of being counterfeit. For example, the card issuer’s hologram might not be on the back of the card
- Don’t allow customers to rush the transaction process, or distract cashiers
For more information and tips, see our ‘Card Present’ section on our fraud protection help and support page.
Fraud liability – who pays?
If fraud happens, who the liability sits with depends on the method used to take the payment:
Now you’re clued up on how to prevent fraud, you might want to read our other introductory guides on payment security: the beginner’s guide to PCI DSS, and the beginner’s guide to chargebacks.
Or for more in-depth info on fraud and how to prevent it, see our fraud and security management help & support page.