
The small business owner’s guide to payment fraud prevention

Saturday, February 19, 2022

$34 billion.

Over the next year, that’s how much businesses worldwide will lose to payment fraud. If nothing changes, US businesses alone will shoulder roughly a third of that burden ($11.3 billion), making America the most fraud-prone country in the world.

All of that can seem a little overwhelming until you realize this:

Fraudsters aren’t superhuman or impossible to outsmart. They’re just people who employ different tactics to steal what they can when you’re not paying attention.

By understanding what they do, how they do it and how technology can help you fight back, you can thwart would-be thieves and protect what you’ve built. Read on to:

  • Understand what payment fraud is

  • See which types of businesses are most at risk

  • Discover how businesses are held liable for fraudulent activity

  • Learn how to recognize when payment fraud is happening

  • Prevent fraud from affecting your business

  • See how technology makes it easy to remain vigilant against threats


What is payment fraud?

At its most basic, payment fraud is when a scammer uses stolen information to make an unauthorized purchase. (Friendly fraud is technically an exception, but we’ll get to that later.)


Payment fraud can happen anytime to any business, and will generally fall into one of two major categories: in-person and online. In both environments, the majority of fraud occurs via credit card or debit card purchases.

Who is at risk?

Any business that takes payments is a target, no matter their size or industry. But those with lax security protocols — like using traditional terminals to swipe chipped cards instead of dipping them in EMV-enabled terminals, or failing to monitor transaction activity — tend to be easy pickings and face increased risk. Aside from a flair for being jerks, scammers are good at finding and exploiting weaknesses. If a business’ defenses have holes, it’s only a matter of time before fraudsters will discover and target them.

[Figure: line chart of fraud, identity theft and other reports by year]

Fraudulent activity has increased every year since 2001, rising steeply in 2020 due to the pandemic. As more and more businesses were forced to move toward ecommerce to survive, fraudsters saw a rare opportunity to take advantage of merchants and customers who were new to performing transactions online.

Now that shoppers have experienced the convenience online shopping provides, they’re not likely to go back. Which means the scammers — and the risk they bring — aren’t letting up.

While small and mid-sized businesses are not necessarily at greater risk for payment fraud, they are less able to absorb the financial blow fraud can deliver. For companies with millions in the bank, a $5,000 loss is just a blip on the radar. For a smaller business, that could be the difference between restocking shelves or making payroll.


How does payment fraud affect businesses?


You may be wondering why the business would have to absorb any loss when a scammer is the one committing fraud. To find the answer, you have to understand how fraudulent transactions are processed, who is involved and the roles they play.

When a cardholder sees a bogus transaction on their debit or credit card statement, they can pursue two different methods to get their money back. They can either contact the merchant directly and ask for a refund, or they can dispute the charge with their card issuer by initiating a chargeback, which is typically the easier option for the cardholder. See the chart below for just one example of how this scenario could play out.

[Infographic: how a chargeback plays out]

Because most credit card companies and banks offer complete fraud protection, cardholders will likely never pay for transactions their card issuer deems fraudulent.

Historically, the cardholder’s issuing bank absorbed the cost of in-person counterfeit credit card fraud. That is, until EMV chip card technology hit the US and the 2015 US EMV liability shift placed responsibility on merchants for helping to combat in-person card fraud. Today, all merchants are responsible for using EMV-capable terminals to process payment transactions involving chip cards. If they don’t and a fraudulent purchase is made with a counterfeit credit card, they will likely be liable for the cost of refunding the cardholder.

But that’s not all. The cost of fraud is three-fold for merchants not using EMV technology.

  1. The merchant pays the cost of refunding the fraudulent charge to the cardholder account.
  2. The merchant pays chargeback fees (and potential fines) which vary by institution.
  3. The merchant also loses the inventory that was fraudulently purchased.

Businesses — or merchants — are at the mercy of the card network’s rules. Contesting a chargeback can be time-consuming and tedious. In fact, according to PaymentsJournal, many businesses find it too overwhelming and avoid fighting chargebacks entirely. And if the transaction involved a chip card and the merchant failed to process it with an EMV-capable terminal, they’ll likely lose the challenge anyway.


Visa, Mastercard, American Express, Discover and JCB are more than just names or logos on pieces of plastic. These organizations also make up the Payment Card Industry (PCI) Security Standards Council and shape the PCI Data Security Standard (PCI DSS). The standard exists to provide security benchmarks for any entity that processes credit card payments, which includes payment processors and merchants.

Even though PCI compliance isn’t a federal law and failing to abide by it isn’t illegal in most states, merchants who don’t could face significant financial trouble. When businesses contract with card networks and issuers for the ability to process their cards, they enter into a merchant agreement that includes PCI compliance as a condition. Those who don’t take steps to meet the standards are in breach of contract and may face consequences.

Businesses that aren’t PCI compliant leave themselves vulnerable to fraud, legal liability and financial penalties. PCI DSS is essentially a road map for how businesses can take “reasonable care” toward protecting themselves and their customers’ personal data. Not abiding by the standards leads to lax security measures that scammers could easily take advantage of, leaving businesses to deal with the legal and financial fallout.

Any business that has an excessive number of chargebacks and no actionable plan to reduce them will likely face fines and penalties from card issuers. Card issuers can also ban businesses from accepting their cards and fine any payment processor that enters into an agreement with a banned merchant.

So what does that mean exactly? Simply that if a business has too many chargebacks, they could lose the ability to accept credit and debit cards completely. Considering they’re the leading method of payment for in-person and online transactions, not being able to accept them could deal a major blow to any business’ ability to operate profitably — or at all.


Even though the cardholder whose information was used to make a fraudulent purchase had probably never heard of the business that accepted it, that won’t necessarily keep them from sharing their story on social media or review sites. Negative word of mouth spreads quickly. And any business that appears as if it can’t keep fraud at bay could end up losing its customers’ trust and loyalty.


What are the different types of payment fraud?

While many different types of fraud exist, credit card fraud is the most prevalent. Let’s dive into different types of payment fraud, and how you can spot and stop them.

In-person payment fraud

Luckily, the rise of chipped cards and EMV technology has made it practically impossible for fraudsters to create and use counterfeit credit or debit cards for in-store purchases. But that doesn’t mean every card-present transaction is risk-free.


Fraud type: Stolen physical card

  • What it is: A scammer has stolen a credit or debit card and is attempting to use it to make an in-store purchase.

  • How to spot it: The person attempting to make the purchase does not have an ID that matches the name on the card, or does not know the information needed to complete the transaction (e.g., the four-digit PIN or the card’s billing ZIP code). The thief may claim the chip is broken or have another excuse to swipe the card through the traditional magnetic stripe reader instead of processing the chip via an EMV terminal.

  • How to prevent it: Stop swiping the magnetic stripes on cards and ensure all customers are tapping or dipping chipped cards on an EMV-enabled terminal at checkout. You can also choose to ask for ID to ensure the person attempting to use the card is the rightful owner.

Online payment fraud

Because committing card payment fraud is so difficult to do in person, most thieves have moved online where it’s easier to steal and use information. This — in conjunction with the rise of online shopping and ecommerce — means that 81% of fraudulent transactions don’t happen at the point of sale.


Fraud type: Identity theft and stolen credit card numbers

  • What it is: A fraudster has stolen someone’s identity and is using that person’s credit card data to make fraudulent online purchases.

  • How to spot it: If the shipping address is different from the billing address, that could be a sign the person receiving the merchandise is not who they say they are. Also, if the customer is only able to enter limited pieces of information at checkout, they may be a scammer.

  • How to prevent it: Use technology solutions for online payments that identify discrepancies in billing and shipping information. Use an automated solution to search a card’s recent transaction history and find fraudulent purchase patterns. Lastly, make sure your online checkout process requires buyers to enter the CVV. This can help ensure the person making the purchase has the physical card, instead of just the number.
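The checks listed above for card-not-present orders (billing/shipping mismatch, a missing CVV, and an unusual burst of purchases on one card) can be expressed as a small screening routine. The code below is an added illustration, not Heartland’s or any processor’s logic; the field names, the one-hour window and the three-orders-per-hour limit are assumptions, and the orders are constructed sample data. Flagged orders are meant for manual review, not automatic decline.

```python
"""Card-not-present order screening (added example; thresholds are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    order_id: str
    card_token: str      # token standing in for the card number; never store the PAN here
    billing_zip: str
    shipping_zip: str
    cvv_provided: bool
    amount: float
    placed_at: datetime


VELOCITY_WINDOW = timedelta(hours=1)   # assumed: look back one hour per card
VELOCITY_LIMIT = 3                     # assumed: more than 3 orders per card per hour is unusual


def screen_order(order, history):
    """Return a list of reason codes for one order; an empty list means no flag."""
    reasons = []
    # Shipping to somewhere other than the billing address is the page's first signal.
    if order.billing_zip != order.shipping_zip:
        reasons.append("address_mismatch")
    # Checkout should require the CVV; its absence suggests a number-only thief.
    if not order.cvv_provided:
        reasons.append("cvv_missing")
    # Velocity: count earlier orders on the same card inside the look-back window.
    recent = [h for h in history
              if h.card_token == order.card_token
              and order.placed_at - VELOCITY_WINDOW <= h.placed_at <= order.placed_at]
    if len(recent) + 1 > VELOCITY_LIMIT:
        reasons.append("velocity")
    return reasons


def screen_batch(orders):
    """Screen orders in time order, each against the ones before it. Returns {order_id: reasons}."""
    results, seen = {}, []
    for o in sorted(orders, key=lambda o: o.placed_at):
        results[o.order_id] = screen_order(o, seen)
        seen.append(o)
    return results


# Constructed sample batch: a clean order, a mismatched/no-CVV order, and a burst on one card.
T0 = datetime(2022, 2, 19, 9, 0, 0)
SAMPLE_ORDERS = [
    Order("o1", "tok_A", "30301", "30301", True, 42.00, T0),
    Order("o2", "tok_B", "30301", "90210", False, 899.00, T0 + timedelta(minutes=5)),
    Order("o3", "tok_C", "60601", "60601", True, 120.00, T0 + timedelta(minutes=10)),
    Order("o4", "tok_C", "60601", "60601", True, 120.00, T0 + timedelta(minutes=12)),
    Order("o5", "tok_C", "60601", "60601", True, 120.00, T0 + timedelta(minutes=14)),
    Order("o6", "tok_C", "60601", "60601", True, 120.00, T0 + timedelta(minutes=16)),
]

if __name__ == "__main__":
    for order_id, reasons in screen_batch(SAMPLE_ORDERS).items():
        print(order_id, reasons or "ok")
```

The velocity check only becomes meaningful once orders are keyed by a card token rather than by customer name, which is one practical reason tokenization (discussed later on this page) belongs in the checkout flow.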


Fraud type: Account takeover (ATO)

  • What it is: A scammer gains access to a customer’s online account and uses it to make fraudulent purchases.

  • How to spot it: Because a fraudster is trying to break into an account, you will likely see them attempt and fail to log in many times. Once the scammer is into the account, rapid-fire changes to customer information — like shipping address — are a common red flag.

  • How to prevent it: Using two-factor authentication to verify customers’ identity when they sign in can help prevent ATO. According to Chargeback Gurus, you can also require your customers to create safe passwords and lock account logins after too many failed attempts. Keep in mind that adding these steps could complicate the experience and frustrate your customers so be sure to offer responsive customer support. If your customer’s account is ultimately compromised, Chargeback Gurus recommends working with the customer to refund their money and secure their account. This may help you avoid having to fight a chargeback.
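The two ATO signals above (many failed logins on one account, then a shipping-address change right after a login) can be pulled out of ordinary authentication logs. The following is an added example, not code from Heartland or Chargeback Gurus; the log format, the five-failures-in-ten-minutes lockout threshold and the five-minute "change after login" window are assumptions, and the log lines are constructed.

```python
"""Account-takeover signals from constructed auth logs (added example; thresholds assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> <EVENT> user=<id> [ip=<addr>] [field=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK|PROFILE_CHANGE) user=(?P<user>\S+)"
    r"(?: ip=\S+)?(?: field=(?P<field>\S+))?"
)
MAX_FAILS = 5                       # assumed: lock after five failures ...
FAIL_WINDOW = timedelta(minutes=10) # ... inside ten minutes
CHANGE_WINDOW = timedelta(minutes=5)  # assumed: address change within 5 min of login is suspicious


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"], "user": m["user"], "field": m["field"]}


def analyze(lines):
    """Return (locked_users, alerts). alerts is a list of (user, reason) in log order."""
    fails = defaultdict(list)   # user -> timestamps of failures still inside the window
    last_ok = {}                # user -> timestamp of most recent successful login
    locked, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "LOGIN_FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) >= MAX_FAILS and user not in locked:
                locked.add(user)                  # lock the login, as the page recommends
                alerts.append((user, "lockout"))
        elif ev["event"] == "LOGIN_OK":
            last_ok[user] = ts
        elif ev["event"] == "PROFILE_CHANGE":
            # The page's second red flag: shipping address changed right after a login.
            if (ev["field"] == "shipping_address" and user in last_ok
                    and ts - last_ok[user] <= CHANGE_WINDOW):
                alerts.append((user, "address_change_after_login"))
    return locked, alerts


# Constructed sample log: alice is brute-forced, bob's address changes seconds after login,
# carol changes her address half an hour after logging in (normal behaviour).
SAMPLE_LOG = [
    "2022-02-19T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.5",
    "2022-02-19T10:00:02Z LOGIN_FAIL user=alice ip=203.0.113.5",
    "2022-02-19T10:00:03Z LOGIN_FAIL user=alice ip=203.0.113.5",
    "2022-02-19T10:00:04Z LOGIN_FAIL user=alice ip=203.0.113.5",
    "2022-02-19T10:00:05Z LOGIN_FAIL user=alice ip=203.0.113.5",
    "2022-02-19T10:01:00Z LOGIN_FAIL user=bob ip=198.51.100.7",
    "2022-02-19T10:01:30Z LOGIN_OK user=bob ip=198.51.100.7",
    "2022-02-19T10:02:00Z PROFILE_CHANGE user=bob field=shipping_address",
    "2022-02-19T11:00:00Z LOGIN_OK user=carol ip=192.0.2.9",
    "2022-02-19T11:30:00Z PROFILE_CHANGE user=carol field=shipping_address",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    locked_users, found = analyze(SAMPLE_LOG)
    print("locked:", sorted(locked_users))
    for user, reason in found:
        print(user, reason)
```

In a live system the lockout would also block further login attempts; here it is only recorded, since the point is to show which log patterns deserve an alert and, per the page's advice, a prompt call to the customer.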


Fraud type: Phishing

  • What it is: Phishing isn’t exactly a type of payment fraud, but it often leads to it. Phishing is a method scammers use to extract sensitive information from cardholders and businesses alike. Fraudsters use official-looking emails, texts and websites (see pagejacking below) to fool people into giving their personal data to what seems like a trusted source.

  • How to spot it: Phishing messages use threats of account closure or other serious-sounding consequences to pressure recipients into sharing information quickly. They also tend to contain spelling errors, and email addresses and links that don’t match the supposed sender’s domain.

  • How to prevent it: Train yourself and your staff to be on the alert for emails and messages that ask you to share sensitive data by creating a sense of urgency. Instead of clicking anything in the email, search for the sender’s company online, call the phone number listed on the company’s website and ask about the issue directly.
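The three tells listed above (urgency language, a reply address that doesn’t match the sender, and links pointing somewhere other than the sender’s domain) can be checked automatically before a message reaches a busy inbox. This is an added example, not Heartland’s code; the urgency phrase list and the "last two labels" domain comparison are simplifying assumptions (a production filter would use a public-suffix list), and both messages are constructed using reserved `.example` domains.

```python
"""Phishing indicators in a raw email (added example; heuristics are assumptions)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed phrase list; the page names account-closure threats and time pressure.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be closed",
                   "suspended", "verify now")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address):
    return registrable(address.rsplit("@", 1)[-1]) if "@" in address else ""


def phishing_indicators(raw_message):
    """Return a list of indicator strings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    indicators = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])

    # Replies routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        indicators.append("reply_to_domain_mismatch")

    body = msg.get_payload()  # assumes a single-part text/plain message
    # Links whose host does not belong to the sender's domain.
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) != from_domain:
            indicators.append("link_domain_mismatch:" + host)

    # Pressure to act fast.
    lowered = body.lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        indicators.append("urgency_language")
    return indicators


# Constructed phishing message: lookalike link host, off-domain Reply-To, urgency.
PHISH = """From: "Card Services" <alerts@cardservices.example>
Reply-To: support@cardservices-secure.example
Subject: Action required
Content-Type: text/plain

Your account will be closed within 24 hours unless you verify now:
http://cardservices.example.login-verify.example/secure
"""

# Constructed legitimate message: link stays on the sender's domain, no pressure.
LEGIT = """From: "Card Services" <alerts@cardservices.example>
Subject: Your February statement is ready
Content-Type: text/plain

Your statement is available at https://cardservices.example/statements whenever you need it.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT))
```

Note that the lookalike host `cardservices.example.login-verify.example` starts with the real brand name; the check works because it compares the end of the hostname, which is the part an attacker cannot choose freely, rather than the beginning.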


Fraud type: Pagejacking

  • What it is: Hackers steal elements of your website’s code, use it to create a counterfeit site, deploy phishing emails to drive traffic to the fake site and begin collecting customer data.

  • How to spot it: Your website’s metrics may start to seem abnormal. You may start to see less traffic and fewer sales. If you do, search for your site. If an imposter site shows up in the results, then you’ve been pagejacked.

  • How to prevent it: There’s no easy, sure-fire solution to prevent pagejacking, but taking steps to protect your source code can help.


Fraud type: ACH and wire fraud

  • What it is: Fraudsters initiate unauthorized transactions that move money into or out of bank accounts. Scammers who use this technique typically get the information they need to do it from successful phishing tactics.

  • How to spot it: Because thieves rely on phishing to commit this type of fraud, they will usually pose as vendors — or other companies you do business with — and urgently request that you wire payments.

  • How to prevent it: Don’t let a phishing email fool you into taking immediate action. Stay calm. Take a moment. Then, reach out to whomever is supposedly requesting the wire to confirm it’s a legitimate ask.


Fraud type: Friendly fraud

  • What it is: Cardholders or customers — instead of scammers — initiate chargebacks for items they actually bought and received.

  • How to spot it: This can be tough to catch, because the people committing fraud are your actual customers. It’s hard to be aware that friendly fraud is happening at the moment it’s taking place.

  • How to prevent it: Some friendly fraud occurs because initiating a chargeback is easier than getting a refund. For that reason, PaymentsJournal recommends creating and sharing a clear, convenient return policy. That way, your customers have an avenue to obtain a refund in exchange for returning the item, instead of using the chargeback to make off with both.

Look for powerful tech

If you’re looking at the list above and wondering how just one person could possibly take all of the necessary steps to stop fraud, take a deep breath. Relax. Because the answer is that one person couldn’t. But the right technology can.


Namely technology that prevents data breaches and keeps customers’ data safe with encryption and tokenization.

Encryption essentially turns credit card data into ciphertext that cannot be read by anyone who does not hold the decryption key. When credit card numbers don’t appear as numbers anymore, it’s hard for scammers to steal them and use them to make fraudulent purchases. Tokenization replaces card data with “tokens,” which take the credit card information out of the equation, keeping it hidden from thieves. These data security measures — along with the solutions we’ve mentioned throughout this blog, like address verification services — work like your business’ very own security team.
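To make the tokenization half of that paragraph concrete, here is an added example (not Heartland Secure’s implementation) of a token vault: the merchant’s systems keep only a random token and a masked display string, while the mapping back to the card number lives in a separate vault that only an authorized role may query. The in-memory dictionary, the `tok_` prefix, the role names and the Luhn validity check are assumptions; a real vault encrypts the stored numbers at rest and runs in the processor’s environment. The card number used is the well-known `4111 1111 1111 1111` test value, not a real account.

```python
"""Tokenization vault sketch (added example; storage, roles and prefix are assumptions)."""
import secrets


def luhn_ok(pan):
    """Luhn check: a quick sanity test that a string of digits is shaped like a card number."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Display form: only the last four digits survive outside the vault."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps random tokens to card numbers. Here an in-memory dict (assumption);
    in practice the PAN side is encrypted at rest and kept off the merchant's network."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("not a well-formed card number")
        # The token is random, so nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token, caller_role):
        """Only the settlement path (assumed role name) may recover the real number."""
        if caller_role != "settlement":
            raise PermissionError("role %r may not detokenize" % caller_role)
        return self._store[token]


def merchant_record(pan, vault):
    """What the merchant side stores for a card: a token and a masked string, never the PAN."""
    return {"token": vault.tokenize(pan), "display": mask(pan)}


if __name__ == "__main__":
    v = TokenVault()
    rec = merchant_record("4111111111111111", v)
    print(rec)
    print("settlement sees:", v.detokenize(rec["token"], "settlement"))
    try:
        v.detokenize(rec["token"], "storefront")
    except PermissionError as e:
        print("storefront blocked:", e)
```

A breach of the merchant’s order database then exposes only tokens and masked strings, which is the property the paragraph describes: the number a thief would need is simply not there.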

Ultimately, most of the brainpower you need to outsmart scammers exists in modern payments hardware and software. You and your teams are your first line of defense against phishing attacks. But when it comes to other types of fraud, you don’t have to spend time and energy manually defending your business. And you don’t have to go it alone.

Get a team you can count on

While powerful technology should be at the center of your strategy, you also need to ensure your technology provider is in the trenches with you to provide guidance and support when you need it most. Scammers don’t punch a clock or observe office hours. And neither do the bots and scripts they deploy to try and breach your online defenses. That’s why it’s important your payment processing provider offers robust security features and 24/7 customer service.

If you think you’re under attack from fraudsters, navigating complicated phone trees, sending an email to a general-reply address or chatting with a bot is the last thing you want to spend time doing.


Heartland’s got you covered

When it comes to the hardware and software you need to mitigate all types of fraud, Heartland Secure™ delivers EMV, encryption and tokenization, and comes standard for payment acceptance devices. Our POS and payment processing solutions make it easy to comply with PCI and practically eliminate the risk for fraudulent in-person transactions. Heartland's secure payment processing helps keep you, your business and your customers safe from online fraudsters and thieves. And our robust reporting capabilities make it easy to monitor transaction activity and spot suspicious entries.

Because preventing fraud goes hand in hand with preventing data breaches, Heartland also offers an unprecedented breach warranty to all merchants who are Heartland Secure and employ Heartland Secure-certified devices — for as long as they’re processing with us, at no additional cost. You can also count on 24-hour customer support from US-based live agents.

Today’s scammers have a lot of weapons at their disposal. But so do you. Understanding fraud, knowing your risk and leveraging powerful technology to prevent it can thwart would-be thieves and help you protect the business you’ve built. If you’re ready to fight back, we’re ready to fight with you. To learn more about the customizable tools we offer and how our teams can help, contact us today.

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us