What is payment fraud?
Payment fraud is the unauthorized use of a credit card. Cybercriminals can obtain an individual’s personal information through social engineering, by buying leaked information on the dark web, or by breaching the systems that store it.
Individuals have to deal with the side effects of identity theft, but businesses suffer too. On top of losing their inventory, they may be responsible for covering the charge the criminal made, in addition to paying chargeback fees to the card brand.
Types of Payment Fraud
Unfortunately, there are many examples of credit card fraud. These are the types of credit card fraud that ISVs need to be aware of.
A card-not-present (CNP) transaction is one in which the consumer doesn’t physically hand their credit card to a merchant to swipe, insert, or key in. Examples of CNP transactions include online and mobile orders, in addition to phone and mail orders.
To process a payment, details such as a credit card number, CVV number, and a billing address are needed. Card-not-present fraud is increasing at an alarming rate because the usual safeguards of employees checking customer photo IDs or verifying signatures for physical credit cards are missing.
Cybercriminals can gain access to payment information by hacking prominent companies or by phishing individuals. Since the victim’s physical credit card remains with them, they may be unaware that their data was stolen, so criminals can get away with this type of theft before the consumer realizes they are a victim of credit card fraud.
According to the Fair Credit Billing Act, consumers are not liable for unauthorized transactions made with a stolen credit card number (versus the card itself). However, the burden is on merchants to prove that the actual customer placed an order. If they cannot, they may end up being responsible for covering the costs.
Friendly fraud happens when a customer makes a purchase but later disputes it. They may claim the following:
- They never received the product.
- The product received was not what they were expecting.
- They returned the product but never received a refund.
- They canceled their order, but it was still sent to them.
- They don’t recall ordering the product and believe it may be fraud.
In some cases, the above claims might be valid. But some bad customers will use one of these reasons as an excuse to file a chargeback claim to get their money back (and the item for free).
An account takeover happens when a cybercriminal gets credentials to access a real customer account, such as a bank account, email, or eCommerce login. According to LexisNexis, account takeover fraud is up 72% YoY.
Once the cybercriminal has access, they could change account details and login credentials, locking out the real account owner. They could also use the account number and other stored credit card details to order goods or sell the information to someone else.
Cybercriminals can take this type of fraud even further by placing high-value or bulk orders, in addition to taking advantage of “buy online, pick up in-store” (BOPIS) options, which historically have fewer security hurdles.
Trends in Payment Fraud
The Covid-19 pandemic may partially be to blame for the increase in payment fraud through digital payments. With social distancing and lockdowns going into effect, eCommerce sales in the United States alone grew 31.8% quarterly. While this led to considerable digital payments growth, it also gave cybercriminals more opportunities to get unauthorized access to credit card details and take advantage. LexisNexis reported a 48% increase in mobile device fraud attacks.
Some businesses noticed more payment fraud attempts because of the transition to work from home. According to the 2021 AFP Payments Fraud and Control Survey Report, the lack of face-to-face communication and adjusted signoff approvals encouraged fraudsters to look into ways they could exploit these deficiencies through social engineering. AFP also reported that business email compromise (BEC) was a primary method that cybercriminals used to attempt payment fraud, with 62% of surveyed organizations claiming they experienced attempted or actual payment fraud through BEC.
Synthetic Identity Fraud
According to the Federal Bureau of Investigation, synthetic identity fraud is one of the fastest-growing crimes in the United States. Synthetic identity fraud differs from traditional identity fraud in that cybercriminals create a new identity with a mix of real and fake information. Unfortunately, children and the elderly are targets for this type of fraud.
Synthetic identities can also make credit card fraud detection challenging. Sometimes cybercriminals take years to build up their fake identity before making fraudulent charges, maxing out their credit cards, then abandoning the identity, leaving financial institutions or card issuers on the hook.
Payment Fraud Management
There is no guarantee that any entity can completely eradicate payment fraud. However, ISVs need to ensure their software is PCI compliant to minimize the chances of a credit card data breach. Not doing so can be costly for businesses, leading to excessive fines, revenue loss, potential lawsuits, and damaged reputations.
ISVs can begin to reduce the chances of payment fraud for their customers by doing the following:
- Understand the organization’s PCI DSS scope. Doing so ensures that areas and systems where cardholder data is stored are appropriately secured.
- Once the PCI scope is understood, look into ways to reduce or eliminate PCI scope.
- Keep customer data safe from unauthorized access through tokenization and encryption.
PCI compliance may be daunting, but ISVs do not have to achieve it on their own. Instead, they can partner with a trusted payments processor such as Global Payments Integrated to provide a secure and reliable payments option within their software.