Theft is unlikely to ever go away, so it is up to individuals and businesses to protect themselves from becoming victims of it as best they can.
As a bricks-and-mortar retailer might use CCTV, well-placed signage and security guards to act as a deterrent to thieves taking what doesn’t belong to them, e-commerce retailers and businesses that process MOTO (Mail Order / Telephone) transactions must use ways of not only deterring fraudsters from attempting theft in the first place, but also protecting their customers’ details.
In 2020, unauthorised fraudulent transactions (card, cheque and remote banking) accounted for £783.8m of fraud losses, and unauthorised payment card fraud accounted for £574.3m (Source: UK Finance). These numbers are frightening, but the glimmer of hope that comes from these reports is that £2.6bn of fraud was prevented, which means that 82% of the value of fraudulent attempts in 2020 was protected in one form or another. Businesses CAN protect both themselves and their clients from fraud losses, with the correct fraud loss prevention solutions.
Businesses that take payments in any form can be at risk of various types of fraud.
Stolen Card Data Fraud
A fraudster attempts to make payment using a physical stolen card, or data purchased on the dark web, and the cardholder initiates a chargeback.
A genuine cardholder initiates a fraud-related chargeback on a payment they have not authenticated (also known as a non-secure payment), suggesting that they do not recognise the payment, despite having received their purchase in perfect working order.
A member of staff is charged with taking payments for a business, and the payment processing system simply requires that the cardholder reads their details out to be processed. This member of staff then copies those details and either sells them on or uses them for personal gain. The Working-From-Home requirements brought in by the national lockdowns of the Covid-19 pandemic increased the temptation for employees taking payments to commit Internal Fraud.
Which type of fraud loss is my business at risk of if I take card payments?
The kinds of fraud loss your business is at risk of will depend on which kind of payments you take, and how you process them. For example, a business that takes telephone payments and processes them using virtual terminal software will be at greater risk of multiple types of fraud loss than a business that uses systems which are able to authenticate the payment, and a business which uses encryption on the data they store will be at a reduced risk compared to one that does not.
One of the most common losses incurred by a business that inadvertently processes a fraudulent transaction is a chargeback. This occurs when a genuine cardholder challenges the card payment with their card issuer. A chargeback can happen for a variety of reasons, for example the customer orders a blue chair and a red one is delivered, or they receive a faulty product, and the retailer fails to resolve the matter. Arguably, the most dangerous chargeback reason for a business is a fraud-related chargeback. This occurs when the cardholder challenges a Card-Not-Present payment, stating they did not place that order or make that payment, as their details had been used by a criminal. If a business has not been able to get the payment authenticated, they are liable for any fraud-related chargebacks, which means the revenue will be returned to the cardholder.
Loss of stock
If the payment has been processed and the goods are shipped, then on top of the fraud-related chargeback, the business is then at risk of the loss of the goods shipped. It is not uncommon for a criminal to intercept goods purchased on a stolen card, and for those goods to be gone indefinitely. The business that sold and shipped those goods is the one which will need to absorb the cost.
If a small business accepts a huge order that ultimately turns out to be fraudulent, then the potential cost of reimbursing the payment and absorbing the value of lost stock can be crippling for a company that doesn’t have vast reserves of cash, and in some cases can result in bankruptcy of the business.
If your business keeps customer data on file, in particular their card information, and your databases are somehow hacked and that data falls into the wrong hands, then you would be liable for the costs of investigations into the crime itself, as well as replacing the stolen cards and providing compensation for any further losses incurred by spending on those cards. In June 2020, jewellery and accessories brand Claire’s Accessories announced that it had been subject to a malicious data breach and thousands of cardholder details had been stolen. To date, the average amount of compensation refunds claimed by those who had been affected was £4,000 per refund.
PCI-DSS and GDPR Penalties
Further to the costs of investigations and compensation associated with a data breach, businesses may also find themselves subjected to penalties issued by the Payment Card Industry Security Standards Council (PCI SSC) for being in contravention of PCI-DSS (Payment Card Industry Data Security Standard), a set of strict requirements around the protection and security of cardholder data that all businesses that take card payments must adhere to. By failing to secure your customers’ data, you may find yourself penalised to the tune of £4,000 - £80,000 per month.
On top of these penalties around PCI DSS Compliance, being subjected to a data breach also puts businesses at huge risk of prosecution and fines for contravening GDPR, which should be taken very seriously by a business. The most notable recent large penalty levied upon a business was almost £19m paid by British Airways for a serious data breach that occurred in 2018, in which 400,000 customers’ payment card details and addresses were stolen by hackers. GDPR is serious business, and Amazon were hit for £640m in July 2021 for breaching cookie consent rules.
How can I avoid fraud-related chargebacks?
Introducing SOTpay, from Gala Technology. SOTpay enables businesses to take secure remote card payments through all manner of methods, whether by telephone, e-commerce, live chat, video conferencing, or even social media, using a clever pay-by-link process. It implements innovative payment card authentication technology that can effectively shift liability from the merchant to the cardholder’s card issuer, which helps to reduce fraud losses by protecting businesses from fraud-related chargebacks. A further benefit to SOTpay is that it can futureproof your operations by being fully compatible with new Strong Customer Authentication (SCA) processes, which will require customers to provide further verification that they are indeed the person making the payment. This can come in the form of processes such as One-Time Passcodes, 3D Secure, or Biometric authentication, for example fingerprints or facial recognition.
How can I protect my business from Internal Card Fraud?
By using SOTpay, a business will never need to ask their customer to read out their card details again, and the data remains 100% in the environment of the cardholder. This protects the customer whose details remain secure, the business for whom the data breach could be catastrophic, as well as an otherwise great employee for whom the temptation may prove too much.
How can I protect my business from payment card data breaches?
The PCI-DSS Level 1 Certified SOTpay+ payment gateway from Gala Technology provides businesses with facilities to securely store customers’ card details, which is especially useful for businesses that take recurring payments, or wish to enable customers to make one-click purchases online. It does this with the use of tokenisation, a process that replaces the card information with a string of randomly generated numbers (a token). It is a similar process to encryption in its effect, and means that any unauthorised person or entity that is able to breach a company’s database will be unable to recover the card details from the tokens, and therefore all customers’ details on file are protected.
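As an added illustration of the tokenisation idea described above (example code written here, not SOTpay+ or Gala Technology code): the merchant database holds only a random token and non-sensitive display data, the token-to-card mapping lives in the gateway's vault, and a simulated read of the merchant's records yields no usable card number. The vault class, token format and sample card numbers are all constructed for this example.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; used here only to validate constructed sample PANs."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        n = int(digit)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """A 13-19 digit Luhn-valid string is what an attacker would look for."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)


class TokenVault:
    """Hypothetical vault: maps random tokens to card numbers. It sits in the
    PCI-DSS scoped gateway environment, never in the merchant's own database."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("invalid PAN")
        # The token is random, not derived from the PAN, so there is nothing to
        # decrypt: the token alone reveals nothing about the card.
        token = secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps on file for recurring or one-click payments:
    the token plus the last four digits for display, never the full PAN."""
    return {"token": vault.tokenise(pan), "last4": pan[-4:]}


def leaked_pans(records: list[dict]) -> list[str]:
    """Simulate an attacker reading the merchant DB: return any usable PANs."""
    return [v for r in records for v in map(str, r.values()) if looks_like_pan(v)]
```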