Credit card fraud is a serious problem for businesses of all sizes. When someone uses a stolen credit card, the business ultimately suffers the loss: The credit card–issuing bank refunds the money to the customer, then requests the refunded amount from the company that processed the credit card. While larger businesses are capable of absorbing the theft, small business owners may have a lot more to lose. So who pays when you’ve experienced fraud?
Most theft takes place through online or over-the-phone sales, both of which are card-not-present transactions. Fraud can be committed with a physical card, but doing so in person is harder for a thief. Criminals prefer to go online or make a phone call so that they don’t have to face a seller with a cloned card. In fact, the introduction of EMV credit cards has experts predicting higher rates of theft through card-not-present sales.
When a business accepts a card-not-present payment, it must use strict security to process the card. Typically, companies will need the 16-digit card number, expiration date, the three digits on the signature line, and the mailing address. Cards can be processed without these extra security measures, but a business that skips them puts itself at a higher risk of theft.
Collecting the extra information doesn’t always work, however. Sometimes, thieves still find ways around the process.
Federal law states that a cardholder is not liable for theft. This provision initially puts the burden of reimbursement on the bank that issued the credit card. But the chain of responsibility doesn’t stop at this point: The bank, in turn, contacts the business that processed the card in the first place.
The bank uses the following logic to rationalize the demand for funds: The company failed to use high-security measures. This point can be frustrating for business owners when a credit card number was stolen from a database and the initial theft had nothing to do with the firm itself.
Businesses need to look at the way they process credit cards to figure out how to stop theft. One way is to investigate how employees accept credit card information and whether they transmit it in line with the PCI DSS standards. Another way is to make sure that the business itself works with credit card processing companies that use the latest security technology.
The major credit card processing banks may claim that they have high-security measures in place, but the banks are not the only ones that maintain strong security. High-risk merchant account providers also use advanced antitheft measures to lower fraudulent transactions.
When a credit card is processed for a sale, the payment needs to go through a gateway. This gateway has software that checks the information as it passes through the system. The card gets rejected when the information sent through the gateway doesn’t match up with the algorithms and the information in the database from the card-issuing bank. Ultimately, the business won’t get the sale, but the company doesn’t lose the item to a thief, either.
If a company sells a product that can entice thieves, the business may be less likely to qualify for a low-risk merchant account. However, sometimes a company sells an item that customers want to buy at any price. Naturally, this situation can put a business at risk of losing its low-risk merchant account status if theft occurs. Too many invalid cards or chargebacks could prompt account closure without warning. Alternatively, merchants can open a high-risk merchant account for security and support.
While catching every fraudulent transaction isn’t possible, being proactive can make a difference. Review internal security measures, and talk with your merchant account provider about the systems its company uses to prevent fraud, but never hesitate to accept credit for sales. Every credit card transaction carries a level of risk, but businesses can reduce that risk by taking proactive measures when processing credit cards.