Types of payment security fraud

The importance of being fraud-aware

Fraud exists in many different forms. And as technology evolves, so will the methods fraudsters use to try to deceive your business. We provide a multi-layered approach to keep your transactions protected. We can also give you advice and guidance on how to ensure your business is compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The many faces of fraud

The methods of fraud your business may be exposed to vary depending on the way you take payments. In general, it can be broken down to two types:

1. Card Present (CP) 
2. Card Not Present (CNP) 

Clear and present risk

Card Present fraud occurs when a customer’s details, such as card numbers, are stolen when the physical card is used for payment. Common targets for CP fraud are restaurants, retail stores and ATMs. There are many different methods of CP fraud, which we can help you be aware of to protect your business and your customers.

Hidden threats

On the other hand, Card Not Present fraud occurs when the cardholder is not physically present during payment. This includes transactions made online, via mail order, over the phone or by fax.

These kinds of transactions are more prone to fraud because:

  •  they’re not protected by chip and PIN
  •  they’re taken at the retailer’s own risk
  •  the merchant is unable to check if the physical card is genuine
  •  the merchant can’t verify the cardholder’s identity

We can help you understand the different methods of CNP fraud, so you take the right steps to protect your business and customers from an attack.

Types of Card-Present fraud

Intercept/mail non-receipt fraud

This occurs when a cardholder’s new or replacement card is stolen before it gets to them. Properties with communal letterboxes, such as flats or student halls, are vulnerable to this type of fraud. With contactless technology becoming more and more a part of everyday life, there has been a growing trend in this type of fraud with the increase of upgraded cards going through the mail.

We work with the Royal Mail to monitor card losses, identify fraud hot spots and take preventative action. Card Companies use secure couriers to deliver to high-risk areas and may require customers to phone them to activate their cards before they can be used.

Skimming/cloning/counterfeit cards

The magnetic stripe of a genuine card holds all the information a fraudster needs to create an effective copy. How the information is compromised can vary but it usually occurs during a legitimate transaction, including ATMs.

Skimming or cloning can occur when:

  •  there’s a dishonest employee working for a legitimate merchant
  •  small electronic devices (such as a skimmer) swipe and store hundreds of victims’ credit card numbers
  •  the person doing the skimming in, say,  a restaurant or bar, has possession of the victim’s card out of their immediate view
We work closely with our retail customers to help them improve their security and minimise the opportunities for card details to be copied. This, along with the rise in security measures such as chip and PIN technology, has helped reduce skimming and cloning fraud by nearly 80%1 in the past three years.

Lost or stolen

No matter how careful your customers are, cards are inevitably lost or stolen. Fraudsters then use them either in shops that don’t have chip and PIN, or to commit fraudulent transactions over the phone, by mail or online.

We use a number of initiatives to fight this type of fraud, including chip and PIN and tracking unusual customer spending. We also give retailers access to the Industry Hot Card File (IHCF), which lets them check whether a card has been reported lost or stolen.

Methods of Card Not Present fraud

Keystroke logging (also known as key logging)

With Internet shopping becoming commonplace, more and more people are entering their card details online. Keystroke or key logging is the process of noting the order of keys struck on a keyboard. This is typically done in such a manner that the person using the keyboard is unaware the fraud has happened.

Methods of keystroke logging include:

  •  using hardware and software
  •  electromagnetic analysis
  •  acoustic analysis

Phishing

Phishing is when fraudsters send emails at random, pretending to be a genuine company such as a bank, in an attempt to trick customers to give up sensitive information. These emails usually claim that the cardholder must update or verify their usernames and password, leading them to a fake website.

Methods of phishing:

  •  communications purporting to be from popular social networking sites, auction sites, online payment processors or IT administrators – these are commonly used to lure the unsuspecting public
  •  emails or instant messages that direct users to enter details at a fake website which looks and feels like the legitimate one

Even when using server authentication, you may need tremendous skill to detect that a phishing website is fake.

Account takeover or identity fraud

If a fraudster gathers enough information about a victim, they may be able to assume their identity and gain access to their credit or debit account. By masquerading as the genuine cardholder, the criminal can arrange for funds to be transferred out of the account. Or they can change their address and ask for new or replacement cards to be sent.

Website/server hacking/malware

Malware covers a wide range of online methods of fraud, including the use of fake webpages, computer viruses, unsolicited emails or the spread of infected software. The fraudster may create a fake webpage and copy your payment page to capture your customers’ passwords, financial information or other personal details.