How to protect your business against merchant fraud

Michelle Thompson, vice president, fraud/risk officer, FirstMerit Bank

When it comes to merchant fraud, businesses that accept credit cards as payment often have an “it can’t happen to me” mindset. Unfortunately, it all too often does.
“Security risks are not going to go away,” says Michelle Thompson, vice president, fraud/risk officer for FirstMerit Bank.
Business owners and their employees may be doing things which could put the company at risk, like unintentionally being negligent with sensitive client credit card information. And until you have worked through the process of becoming PCI compliant, you may not have realized that you were at risk for data integrity issues.
Smart Business spoke with Thompson about merchant fraud and how businesses can protect themselves.
What should merchants be aware of in terms of fraud?
Many times, merchants will take a transaction over the phone, and the customer on the other end of the line is someone they’ve never done business with before. If the supposed transaction is fraudulent, oftentimes, the individual posing as a customer will ask that the product be shipped to an alternate or obscure location. Another tactic is to provide multiple credit cards for payment. I have seen this where the credit card numbers were almost identical, and all from the same credit card issuer. A credit card issuer is not going to provide an individual several cards in their name. A frequent tactic used is the individual will create a sense of urgency in order to rush the order. This is a very common fraud pattern, and it’s still working.
Merchants should also be wary of calls through the relay line, oftentimes called the TDD or TTY line, referring to telecommunications devices for the deaf or teletypewriter. This phone assistance line was originally created with an interpreter or someone in the middle to serve people who can’t speak or don’t speak the language. Unfortunately, to-day, 90 to 95 percent of these calls are fraudulent. Criminals use this tool to mask them-selves for anonymity. Beware of misspelled words or a structure that is grammatically incorrect.
There are a large number of merchants, many of which have accepted credit card transactions for many years, who believe that once they receive an authorization number, they are guaranteed payment. All that authorization code validates is ‘At this time, that credit or debit card has availability to cover the cost of the pending transaction.’ That doesn’t mean, however, that the authorized person is the one using the card.
Why do so many merchants fall for these ploys?
Businesses are anxious to sell their product, so they tend to bypass red flags, focusing on making a sale. Fraud is much more prevalent than many merchants think, or would like to admit. In some cases, it’s glaringly obvious, but in others, it’s very well hidden.
Many merchants also don’t understand that a credit card transaction is the same as accepting a check. Many merchants accept cards because the process feels safer and quicker. But if somebody writes you a check, especially if it’s for a large dollar amount, you could wait the standard 10 days to know if that check’s going to come back. It’s the same process with credit card transactions. They provide  provisional credit, just like a check; however, there’s no guarantee it’s not coming back.
What preventive measures can merchants put in place to avoid becoming a victim of fraud
Knowing your customer is key. Many businesses are motivated by the prospect of a large sale; however, it’s important to utilize common sense and good judgment. A busi-ness also needs to be aware of whose hands are in the mix. Is there a person selling on the front line who faxes or emails orders to an accounts payable department? Does that person know this customer? Has someone completed proper due diligence on the credit card being used as payment? It takes everyone working together. The best way to help prevent employees from accepting fraudulent transactions is education. Educate everyone in the company who has any part in the sales process. It’s the best defense for protecting yourself.
What happens when a merchant or its service provider discovers a fraudulent transaction? Is there any way to recover the money that was lost?
If merchants suspect a fraudulent transaction, or are unsure about a customer or trans-action, they should contact their merchant services provider immediately. If the merchant reacts quickly enough, the shipment can often times be tracked down, and there may be the option to engage legal enforcement to attempt to track down the perpetrator.
It’s unfortunate that there are times when a merchant is unable to retrieve their product. This is prevalent with international transactions. Once the product leaves the United States, the likelihood of it being tracked down, even if the transaction is fraudulent and you can prove it, is fairly minimal due to the distance. That’s why it’s essential, when conducting international transactions, for a merchant to ask a lot of questions and look for those ‘red flags.’ When we do confirm that a transaction is truly fraudulent, we simply walk the client through backing out of the situation, and many times that reduces or negates any cost/loss being incurred by them.
What should merchants know about Payment Card Industry (PCI) compliance?
 
PCI is the unified security standard on behalf of American Express, Discover, MasterCard and Visa, although each of the Card Brands still has its own individual security standards and requirements. If a merchant does not become PCI compliant, and they should experience a breach, the fines and costs associated with it could put them out of business. There should be a partnership between a merchant and its merchant service provider.  Safety and security should be a merchant’s No. 1 concern when processing credit card transactions.
Michelle Thompson is vice president, fraud/risk officer for FirstMerit Bank. Reach her at (330) 849-8937 or [email protected]. For more information on PCI compliance, visit the PCI Security Standards Council official site at www.prcisecuritystandards.org.
Insights Banking & Finance is brought to you by FirstMerit Bank.