With Thanksgiving just a few days away, preparations are afoot. Turkeys will be stuffed and brined, potatoes will be peeled, elastic pants will be donned, retailers’ Black Friday signs will be displayed, and sensitive payment data networks of all kinds will be targeted by hackers and fraudsters alike.
Black Friday is the biggest shopping day of the year, and all the excitement in the air felt by those looking for the Best Deal of the Century on a new HD TV is also being felt by big data hackers the world over. When it comes to crime, there are crimes of passion and crimes of opportunity, and credit card and identity theft can be classified as crimes of opportunity, especially in the sense that when opportunity increases, so does the amount of fraud.
In 2014, 86.9 million people shopped online and in stores on Black Friday, so if that trend continues this year, there will be a lot of opportunities for fraud. In 2013, that opportunity was realized in a big way when hackers breached Target’s network and stole the payment and contact information of around 110 million Target customers. Reported date of the breach? November 27, 2013. Black Friday was November 29, and the hackers likely made a swift killing on the sale of stolen credit card numbers alone—according to Krebs on Security, the thieves probably made somewhere around $53.7 million before banks got around to canceling any affected customers’ cards. And that’s not even considering any residual income being made from selling the identities of Target customers exposed by the breach.
Since that time, Target has seen the enormous impact of inadequate protection from fraudsters: company profits dropped by nearly 50% in the fourth fiscal quarter of 2013, and by 1/3 over 2013 as a whole. CEO Gregg Steinhafel resigned, and the company has already agreed to pay out $10 million to affected customers, with another settlement for upwards of $100 million pending to compensate banking institutions affected. In addition, Target has committed to shareholders and customers to improve security both online and at the point of sale, including a massive $100 million retrofit that has equipped its stores with the technology to accept new EMV chip cards.
So the question is, how do merchants learn from what happened at Target, and what has happened at other major retailers like Nordstrom, Home Depot, PF Chang’s and Goodwill? What can merchants do to protect themselves and their customers from the threats of credit card fraud and identity theft, and more pertinently, how can you as a merchant service provider (MSP) ensure your merchants are prepared for the holidays and beyond?
Here are some tips to help your merchants understand the scenarios to prepare themselves for, and what you as an MSP can do to assist your merchants in avoiding the devastating effects of fraud on SMBs and their customers.
Make employees the first line of defense
Merchants with seasonal staff that’s hired on during the holidays should focus on training them well. Part of the opportunity fraudsters take advantage of during the holidays is that temp workers are known to be undertrained, less likely to catch anomalies or know how to handle them, and also might be less vigilant when it comes to looking for the signs of fraud.
Monitor online transaction reports closely
Although merchants should always be vigilant in monitoring transaction activity, during the holidays there’s a need for increased awareness. Merchants should pay special attention to various types of online activity, including multiple transactions attempted in a short amount of time, multiple transactions for very small amounts (think less than $1-2), or transactions being run by users with nonsensical names or emails.
Protect gift cards
Gift card fraud is especially common during the holidays, when customers are more likely to purchase gift cards. A typical gift card scam entails a fraudster copying the serial numbers off the backs of unpurchased cards, checking them frequently to see when they’ve been loaded, then using the funds to buy merchandise online. To prevent this, merchants should do their best to ensure gift cards are not located in isolated areas where they can easily be removed from their displays and then put back—the safest bet is to have the majority of gift cards behind the register, if possible. In addition, sales staff should be trained to check cards for tampering before loading them—if the number has been exposed, the card might have been tampered with and should not be sold.
Guard sensitive customer information
If a merchant has store credit cards that your customers are likely to sign up for during the holidays, their staff should be trained on how to dispose of paper applications. Customer information shouldn’t be left anywhere it could be exposed to potential theft. In addition, merchants should consider directing applicants to a secure site where they can submit their information online.
Secure data online
For merchants who process a lot of online transactions, keeping customers’ payment information safe is a must. There are various methods available to protect sensitive data, including payment gateway software that encrypts data and stores it in a secure digital environment.
Beware of card skimmers
Card skimming fraud is also at a high during the holidays, and merchants should be on the lookout for any hardware on or near their POS systems that doesn’t belong there. Card skimmers are generally small pieces of hardware (like a circuit board) that are temporarily affixed to or near a POS device so they can be easily removed by the fraudster once they’ve collected the information they need.
Beyond Black Friday
While it’s true that the holidays generally present the greatest risk of fraud to consumers and merchants alike, this year is a little different—on October 1, 2015, the EMV liability shift happened in the U.S., meaning that it will become increasingly hard for fraudsters to counterfeit chip-enabled credit cards. Though the transition to EMV cards has been rocky, it is making progress, and as a result, experts predict fraud losses involving card not present (CNP) transactions will increase by more than 100%, to $6.4 billion, by 20181.
Though the date of the liability shift has passed, many merchants are still unequipped to accept EMV cards, and even more concerning, are not prepared to deal with the onslaught of e-commerce fraud that’s anticipated in the coming years. A comprehensive fraud-prevention plan should include the following:
- EMV-ready hardware and the accompanying software that accepts chip cards, and preferably is also able to process transactions using NFC technology
- A real-time fraud scrubbing utility that screens transactions before and after they take place to ensure suspicious transactions are caught before bank approval, saving the merchant from unnecessary chargebacks
- Back office tech support from specialists trained in spotting patterns of fraud who can help a merchant assess risk
The threat of fraud is real, especially during the holidays. Make sure your merchants are protecting themselves from the risks associated with credit card and identity theft year round by educating them with these tips.
If you’re a merchant service provider searching for information on comprehensive fraud detection tools for your merchants, find out more here.
1. Daly, Jim, "Repelling the Card-Not-Present Fraud Assault, Digital Transactions, 12, no. 11 (2015): 20-23.