To kick-start Fraud Prevention Month, we knew there was no better person to speak to about fraud than Moneris’ Chief Risk Officer, Brian Prentice. Our CRO’s experience in the financial industry is extensive, and with his exceptional knowledge of the financial services and risk management industry, he knows what merchants need to protect themselves against fraud.
To start, what would you say are the most common types of fraud businesses experience today?
There are many types of fraud that happen to businesses, so it really depends on how we classify the most common. In terms of dollar value, the most popular for big budget activity is merchants being presented with stolen credit card information in a card-not-present environment. This could be in an ecommerce transaction, or an over-the-telephone type of scenario; something where a card is being used by a merchant but they’re not seeing it or authenticating it correctly. The fraudster will normally also try to get the merchant to deliver the items to them instead of picking them up, so they don’t ever have to show the stolen card.
In some of these situations, there are fraud protection measures in place. Other times merchants are simply accepting the credit card number as legitimate and completing a transaction.
What puts businesses at the biggest risk for fraud?
Not knowing or following card acceptance procedures is really what puts businesses at the biggest risk. It’s not just the business owners or managers who need to know the acceptance procedures; all staff members need to be trained correctly. As the business grows or the owner takes a step back from day-to-day operations, the full-time or part-time staff are the ones ringing through customers, and they need to know the acceptance procedures the most.
How much are merchants liable for the fraud that happens to them?
The merchant’s liability really depends on the type of transactions they’re processing. On tap or contactless transactions, merchants typically have good protection in place - these transactions are capped at $100, which lowers the overall risk of fraudulent use. If a transaction is over $100, terminals won’t process a tap payment and customers have to use their card and enter their PIN. In that situation, merchants need to follow proper card acceptance procedures to avoid having the liability fall on them.
For ecommerce transactions, the card networks have good risk-based authentication tools like Verified by Visa and MasterCard SecureCode. Moneris also has a selection of great ecommerce protection tools for merchants. In these transactions, merchants can use these tools to keep themselves protected as much as they can, but there is still some risk of fraud-related liability for merchants.
The riskiest transactions are manually-keyed-in transactions, where merchants are entering credit card data themselves. Not only are these risky because there is very little to confirm you’ve been given valid data, you’re essentially overriding the built-in logic of the machine. Terminals are made for transactions where the card is present and use the information they get from the card to help verify the purchase. Merchants doing these transactions are doing them at their own risk, and take on a lot of liability by doing so.
So should merchants ever be entering card data manually?
It depends, really. In a known relationship, say for a B2B merchant who’s processing a payment for a long-standing customer, it’s up to the owner to say if it’s safe or not.
But with the rise of the internet, the situations that call for manual entry are becoming few and far between. It’s fairly simple to set up a page with the Moneris Vault tool and securely store customer information to process payments that way, and then save that data for future use. Or you can always have customers pay through one of Moneris’ hosted solutions, where the payment page is hosted on Moneris’ servers, so you don’t have to interact with the card data directly.
Talking about security, are contactless transactions secure?
Yes. Arguably, they’re actually more secure than handing your card to someone in a store to authenticate the card or process a payment.
Take contactless payments that are made through your mobile wallet as an example. The only way to authenticate these payments is biometrically, either through your fingerprint or face recognition (on newer phone models). If someone were to steal your phone and try to use it to make purchases, they’re not stealing your fingerprint with it, so it would be nearly impossible to tap that device and process a payment.
Tapping cards is similar, as you’re keeping the card directly in your hands. When you tap a card, the card’s chip sends a message to the terminal, which passes the message to the issuer and processes the payment. The card needs to be so close to the terminal to send that message, it would be incredibly difficult to intercept. And even if the message was intercepted, it wouldn’t be usable for another purchase, as it changes every time you tap.
Can you simply explain what a chargeback is?
A chargeback is a cardholder-initiated reversal of an original purchase/transaction. There are a few simple reasons why this may happen. First, there could have been an error where the merchant duplicate charged the cardholder. Or, the cardholder’s card may have been fraudulently used, resulting in an unauthorized charge to their account. The card networks also provide consumer protection to cardholders in respect to the satisfaction for goods or services received. Meaning this could occur if the products aren’t accurately described in a card-not-present transaction, if the cardholder is not satisfied with the quality, or if the products simply aren’t delivered.
What are some tips and best practices to help avoid chargebacks?
For fraud-related chargebacks, the most important practice is to make sure you and your staff are following card acceptance procedures at all times. If you’re following the procedures correctly, you really lower the risk of fraud-related chargebacks. For online transactions, implementing backup protection is important – this could be Verified by Visa, MasterCard SecureCode, CVV or Address Verification Service (AVS).
For all other chargeback types, merchants should take advantage of the resources on moneris.com/chargebacks. Simple things like making sure the items are suitable for the purpose they’re sold, are described correctly, and are delivered in satisfactory condition, are important. Anything shipped to a customer should be signed by the cardholder, and having a proof of delivery recipient is also a good practice.
Does Moneris contact the merchant when funds are being held from a fraudulent transaction? If so, how?
Yes. We attempt to contact a merchant when their funds are held for any reason, including fraudulent transactions. This happens on either the same day or next day of the transaction, just depending on when the transaction passes through the authorization system and is flagged. The transactions that set off an alert are manually inspected, so it may be the day after that merchants are notified, but we will try to get in contact with them. I emphasize ‘try’ here because we can only contact our merchants if they keep their information up to date with us.
What are the easiest things merchants can do to protect themselves online? In-store?
Online:
1. Use fraud protection tools that are appropriate for your business. Moneris has a great range of tools for any size of business and we’re always happy to help.
2. Again, watch your transactions for anything unusual. You know what’s normal and what isn’t for your business.
In-store:
1. Make sure you and your staff follow card acceptance procedures.
2. Check your POS equipment daily to make sure it hasn’t been tampered with.
3. Be alert about unusual requests or transactions, especially if they’re coming from new customers. If it sounds too good to be true, it probably is.
Throughout March we’ll be publishing new and informative articles about fraud prevention, and how Moneris merchants can stay protected. Make sure to visit Moneris.com/insights throughout Fraud Prevention Month for new postings, and take a look at some of our favourite fraud-related pieces, including our Preventing Ecommerce Fraud [Webinar] and Chargebacks 101: Merchant Must-Knows!