When it comes to merchant fraud, businesses that accept credit cards as payment often have an “it can’t happen to me” mindset. Unfortunately, it all too often does.

“Security risks are not going to go away,” says Michelle Thompson, vice president, fraud/risk officer for FirstMerit Bank.

Business owners and their employees may be doing things which could put the company at risk, like unintentionally being negligent with sensitive client credit card information. And until you have worked through the process of becoming PCI compliant, you may not have realized that you were at risk for data integrity issues.

Smart Business spoke with Thompson about merchant fraud and how businesses can protect themselves.

What should merchants be aware of in terms of fraud?

Many times, merchants will take a transaction over the phone, and the customer on the other end of the line is someone they’ve never done business with before. If the supposed transaction is fraudulent, oftentimes, the individual posing as a customer will ask that the product be shipped to an alternate or obscure location. Another tactic is to provide multiple credit cards for payment. I have seen this where the credit card numbers were almost identical, and all from the same credit card issuer. A credit card issuer is not going to provide an individual several cards in their name. A frequent tactic used is the individual will create a sense of urgency in order to rush the order. This is a very common fraud pattern, and it’s still working.

Merchants should also be wary of calls through the relay line, oftentimes called the TDD or TTY line, referring to telecommunications devices for the deaf or teletypewriter. This phone assistance line was originally created with an interpreter or someone in the middle to serve people who can’t speak or don’t speak the language. Unfortunately, today, 90 to 95 percent of these calls are fraudulent. Criminals use this tool to mask themselves for anonymity. Beware of misspelled words or a structure that is grammatically incorrect.

There are a large number of merchants, many of which have accepted credit card transactions for many years, who believe that once they receive an authorization number, they are guaranteed payment. All that authorization code validates is ‘At this time, that credit or debit card has availability to cover the cost of the pending transaction.’ That doesn’t mean, however, that the authorized person is the one using the card.

Why do so many merchants fall for these ploys?

Businesses are anxious to sell their product, so they tend to bypass red flags, focusing on making a sale. Fraud is much more prevalent than many merchants think, or would like to admit. In some cases, it’s glaringly obvious, but in others, it’s very well hidden.

Many merchants also don’t understand that a credit card transaction is the same as accepting a check. Many merchants accept cards because the process feels safer and quicker. But if somebody writes you a check, especially if it’s for a large dollar amount, you could wait the standard 10 days to know if that check’s going to come back. It’s the same process with credit card transactions. They provide provisional credit, just like a check; however, there’s no guarantee it’s not coming back.

What preventive measures can merchants put in place to avoid becoming a victim of fraud?

Knowing your customer is key. Many businesses are motivated by the prospect of a large sale; however, it’s important to utilize common sense and good judgment. A business also needs to be aware of whose hands are in the mix. Is there a person selling on the front line who faxes or emails orders to an accounts payable department? Does that person know this customer? Has someone completed proper due diligence on the credit card being used as payment? It takes everyone working together. The best way to help prevent employees from accepting fraudulent transactions is education. Educate everyone in the company who has any part in the sales process. It’s the best defense for protecting yourself.

What happens when a merchant or its service provider discovers a fraudulent transaction? Is there any way to recover the money that was lost?

If merchants suspect a fraudulent transaction, or are unsure about a customer or transaction, they should contact their merchant services provider immediately. If the merchant reacts quickly enough, the shipment can oftentimes be tracked down, and there may be the option to engage legal enforcement to attempt to track down the perpetrator.

It’s unfortunate that there are times when a merchant is unable to retrieve their product. This is prevalent with international transactions. Once the product leaves the United States, the likelihood of it being tracked down, even if the transaction is fraudulent and you can prove it, is fairly minimal due to the distance. That’s why it’s essential, when conducting international transactions, for a merchant to ask a lot of questions and look for those ‘red flags.’ When we do confirm that a transaction is truly fraudulent, we simply walk the client through backing out of the situation, and many times that reduces or negates any cost/loss being incurred by them.

What should merchants know about Payment Card Industry (PCI) compliance?

PCI is the unified security standard on behalf of American Express, Discover, MasterCard and Visa, although each of the Card Brands still has its own individual security standards and requirements. If a merchant does not become PCI compliant, and they should experience a breach, the fines and costs associated with it could put them out of business. There should be a partnership between a merchant and its merchant service provider. Safety and security should be a merchant’s No. 1 concern when processing credit card transactions.

Michelle Thompson is vice president, fraud/risk officer for FirstMerit Bank. Reach her at (330) 849-8937 or michelle.thompson@firstmerit.com. For more information on PCI compliance, visit the PCI Security Standards Council official site at www.prcisecuritystandards.org.

Insights Banking & Finance is brought to you by FirstMerit Bank

Published in Akron/Canton

As fears of identity theft and online privacy concerns increase, PCI compliance has become a vital priority to any company that deals with credit card information. If you allow customers to pay with a credit card, you have to pay attention to the regulations and stay compliant. The consequences are severe: Just one data breach can wreck your company’s finances and reputation in one fell swoop.

“Everyone is bound by PCI compliance,” says Zack Schuler, founder and CEO of Cal Net Technology Group. “It doesn’t matter if you are a small, ‘mom and pop’ hardware store or a national retail chain; if you accept credit cards, you have to adhere to the rules.”

Smart Business spoke with Schuler about what business owners need to know about PCI compliance, and how to ensure your business isn’t breaking any rules.

What is PCI compliance?

PCI compliance is a standard that has been required by the credit card companies that defines the way that anyone who accepts a credit card has to protect that card information. It is a very specific standard that outlines all of the data protection requirements, as well as the physical security requirements and all types of other issues as they relate to security, with the end goal of making sure the card information is protected.

Regardless of whether you are a small, one-location business or a national retail chain, everybody is bound by the rules of PCI compliance.

Why is it important for companies to be compliant?

The first reason it is important is because if your systems are hacked, and you are PCI compliant, the chances of the intruder being able to get to some of your protected credit card information are quite slim. If you follow the security protocols outlined in the compliance standard, you should be all right.

Now, if you are not following the rules in terms of protecting that credit card data, you probably won’t be as lucky. For example, if your point of sale system that collects credit card information does not encrypt the swipe data, then that POS system is more easily compromised and hackers would be able to take all of that data.

What will happen in that situation is the credit card companies will be able to link the breach to you, because they have very sophisticated software programs that track where the breach happened, and narrow it down to a single location at which a credit card was used. When they collect all the different cards that were part of the breach, and they see that all the cards had one thing in common — this particular location on this particular day — you’re in trouble.

What type of trouble is possible in the event of a breach?

‘Trouble’ involves being fined by the credit card companies. There are different levels of PCI compliance to which companies must adhere. The compliance goes from level 1 to level 5. A small mom and pop store will be at level 5, because they are not collecting a ton of credit card information. A national retail chain or eBay will be at level 1.

However, if your company is at level 3 and the company is subsequently hacked, you immediately have to build up to the security protocols of a level 1 company. And the necessary work to put in those most stringent security protocols is astronomically expensive.

Why should companies pay attention to this issue sooner rather than later?

Cyber crime is on the rise. On a go-forward basis, it is just going to keep becoming more of an issue. More and more companies are getting hacked. That is the reality. There are hacking toolkits out there that make it easy to hack companies. More and more companies are having their credit card information stolen from them. If your company is taking credit cards, it’s your job to protect the consumer and not share that information with anyone else. If you are hacked, the credit card company will find out about it and it will be expensive.

Also, if you don’t comply with what the credit card companies are asking of you, they will make it so you can’t take credit cards anymore.

How does a company know what level of compliance it must reach?

Anyone who accepts credit cards has received a self-assessment questionnaire from the credit card company. The credit card companies will tell you, based on volume and other various factors, what compliance requirements are necessary for you.

What steps should be taken to ensure compliance?

The first and best step is to hire a company that understands PCI compliance to come in and assess your computing environment to determine if you are in or out of compliance. If you are out of compliance, an assessment will help you determine what steps are necessary to regain compliance.

Next, going through that self-assessment questionnaire on your own or with your information technology team, because a lot of the questions are IT-related, will give you a good idea of your current compliance status.

If you’re going through the questionnaire and it asks a bunch of technical questions like ‘Do you have a firewall in place that segregates your network traffic?’ and you keep answering no, it is probably pretty likely that you have some work to do. The questionnaire can provide a good indicator of whether your company is compliant or not.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.

Published in Los Angeles