In a Nutshell: Cash has become an afterthought for a growing number of consumers, and businesses that don’t accept credit cards may have trouble attracting new customers. But with every card transaction comes the potential for fraud — both for companies and cardholders. For more than 30 years, the Association of Certified Fraud Examiners (ACFE) has offered training and certifications for building expertise in the prevention of all types of fraud. ACFE Senior Researcher Mason Wilder spoke with us about trends in the security industry — and what merchants and consumers can do to protect themselves.
Credit card technology has been increasingly effective against theft of card information at the point of sale and when cards are lost or stolen. But the card-fraud arms race continues as card-present fraud recedes and more advanced threats emerge.
Mason Wilder, Senior Researcher at the Association of Certified Fraud Examiners (ACFE), spoke with us about that trend. He said the inconveniences that today’s cardholders experience when their information is compromised, while not insignificant, can be relatively minor compared with the impact fraud can have on a merchant’s bottom line.
Many businesses choose to either bear the cost of card fraud or pass it on to customers. For others, especially those on the smaller or local end of the spectrum, card fraud can pose an existential threat.
For more than 30 years, the ACFE, based in Austin, Texas, has served as a source of knowledge and resources for teaching individuals and businesses how to combat fraud. As administrator of the Certified Fraud Examiner program, the organization also trains experts to prevent, detect, and deter fraud across a range of industries and sectors.
As a Senior Researcher for the ACFE, Wilder is responsible for supporting its efforts through detailed analysis of industry trends. The organization also offers professional education and training products, conducts seminars and webinars, sponsors events, and publishes content for both its members and the public.
And those resources are especially relevant for small businesses in the face of growing fraud trends.
“The most significant issue in credit card fraud over the past few years has been this dramatic shift to card-not-present fraud,” Wilder told us. “And so a lot of the older controls and procedures that were put in place no longer work as well because most activity now happens online.”
Balancing Security Against Damage from False Alarms
Brick-and-mortar businesses have seen a shift away from Europay, Mastercard, and Visa (EMV) card-present fraud. But the obstacle they now face has been a recent dramatic increase in the number of e-commerce platform data breaches.
The Wawa breach reported near the end of 2019, for example, may have affected customers at more than 850 stores from as early as March through December of that year. Reports from January 2020 indicate that hackers began to sell card numbers obtained from the breach on the dark web.
“So part of this migration has been due to a desire to circumvent the controls for in-person purchases like the EMV or chip card, but it’s also been fueled by the fact that it’s just so easy for fraudsters to access people’s credit card information online through these data breaches,” Wilder said.
The problem is similar to the one that merchants and card issuers are grappling with regarding EMV technology, in general — no one wants to go too far in clamping down on customer convenience. Card brands dropped signature requirements in 2018 and have resisted mandating PIN entry except for receiving cash advances at ATMs.
“Everybody’s playing catch-up in terms of dealing with the migration to card-not-present fraud, and a lot of that has to do with figuring out newer and better authentication processes for confirming transactions,” Wilder said. “But there’s this constant friction between wanting a better authentication service and not bogging down the process of making online purchases.”
Among merchants, no one seems to want to make the first move, especially large businesses best positioned to resist change.
“If your processes raise too many false positives, consumers are going to get frustrated and go to other sources for the same goods,” Wilder said. “If consumer orders get rejected from false positives on one site, they’re just going to try and find the product on Amazon.”
Friendly Fraud Exploits Legitimate Transaction Loopholes
Merchants are also on the hook in cases of so-called friendly fraud, which is increasingly eating into margins as cardholders become more experienced with e-commerce.
What we know now as friendly fraud actually originated in the 1970s as protection designed to entice consumers to trust and use credit cards. When a cardholder makes a purchase that turns out not to be what was expected, or an item isn’t delivered or is faulty, the cardholder can simply ask the issuer for a refund. The issuer then submits what’s known as a chargeback to the retailer, taking revenue from the merchant to reimburse itself.
“In the day of e-commerce domination, chargebacks are now being abused and exploited,” Wilder said. “It’s not necessarily an organized scheme, it’s just somebody who decides to tell Amazon that the package did not get delivered to their doorstep to see if they can get a refund even though they actually received the product.”
It happens all the time, and the consequences are felt by the most vulnerable businesses. Every merchant has the opportunity to dispute a chargeback, but even when they win a challenge, they still have to pay a fee. Amazon is not going to invest a lot of time in fighting a $5 chargeback because, even if it’s successful, it might pay more than it receives back.
“But if a smaller retailer that continuously has money taken out of its account by a card company gets fed up with it and decides to no longer partner with that company or accept those payments, they’re basically turning down a lot of business,” Wilder said. “They’re put in a really tough spot where a lot of times they just have to eat the loss.”
Making the Case for Credit Cards
Mom-and-pop shops and other low-margin, local businesses need to accept credit cards to attract a wide range of customers. But they could end up being hurt in the long run if they don’t understand how to mitigate or eliminate fraud.
“Without question, merchants are the ones being hurt the most by friendly fraud,” Wilder said. “It’s basically impossible to survive as a business right now if you’re not accepting the major credit cards.”
But recourse can come in the form of a payment processing service that offers chargeback protection.
“More processors are starting to incorporate machine learning and AI to check purchases against typical patterns of spending,” Wilder said. “And when an unusual order pops up, that’s going to send up a red flag and stop the purchase before the merchant is required to forfeit the revenue.”
Breaches like the one that recently occurred at Wawa stem from a form of malware that works like the physical skimmers that were once a common hazard at gas pumps.
“Web hosts are trying to catch up to where they can automatically detect it and protect e-commerce sites,” Wilder said. “But the ones that are going to remain the most vulnerable are the smaller retailers.”
Card companies also now offer a variety of fraud protection services. One that shows a lot of promise is the one-time card number feature. “Every time you make a purchase online, you request a single-use number linked to your account,” Wilder said. “Even if fraudsters manage to steal your information, they can’t use it.”
That could point to the best possible strategy for all well-meaning consumers looking to use plastic rather than paper.
“Credit cards offer more protection for the consumers than any other method of payment,” Wilder said. “You can always dispute the transaction, and you don’t have to wait for the resolution of the dispute to get your money back. If you use a debit card, in most cases you won’t see resolution until the process is resolved.”