Data security essentials

As fraud tactics and cybersecurity breaches evolve, payment processors, card issuers, and merchants must work closer together to prevent attacks and remediate potential* impacts to merchants and their customers. As card brands like Visa and Mastercard roll out new fraud detection technologies*, businesses should also take action to protect their operations, employees, and customer payment data from bad actors. By partnering with your payments processor, you can understand how fraudsters target your business, tactics they use to steal customer payment information, and solutions for preventing fraud from occurring at the point of sale – in-person or online. Here is what you need to know.

Fraud categories: understand why bad actors are targeting your business

Detecting cyber-attacks, scams, and other threats to your business starts with understanding who is targeting your business and what they are trying to achieve. Most merchant fraud falls into these three categories:

• True fraud
  While that may sound like an oxymoron, it is one of the oldest types of fraud. True fraud* occurs when bad actors use stolen credentials to open accounts in the victim’s name or uses stolen credit card information to make purchases online. Most commonly, these fraudulent purchases are eventually disputed by the actual cardholder which results in the card account being closed and the assignment of a new account number and card. If the dispute is considered valid, the merchant is required to refund the amount of the transaction plus a chargeback fee paid to the payment processor.
  
  
• Carding fraud
  Fraudsters don’t always use the information that they steal; instead, carding fraud* occurs when cybercriminals package together thousands of stolen credit cards to sell to other groups for fraudulent use, or use stolen credit cards to buy prepaid cards to sell to unsuspecting customers. Like true fraud, cardholders will likely report their information as stolen and dispute the fraudulent purchases.
  
  
• Friendly fraud
  This type of fraud goes by a lot of names – friendly fraud, first-party fraud*, or chargeback fraud. Regardless of terminology, it occurs when the cardholder disputes a transaction that they made (and was correctly fulfilled, like an online order or services rendered). This can happen unintentionally if the cardholder doesn’t recognize a credit card charge on their billing statement; it can also happen maliciously, if a cardholder tries to use a chargeback to get a refund even when they actually received the goods or services that they paid for. This type of fraud is harder to track or prevent* because the cardholder is the bad actor – merchants have to closely monitor their chargebacks and see if there are patterns or repeat offenders that they need to challenge.

Fraud tactics: learn common ways bad actors will try to exploit security vulnerabilities

Regardless of who the bad actor is or why they are targeting your business, they use and adapt numerous tactics to steal customer information and payment data. These constantly evolve to meet the challenge of antivirus software and other cybersecurity tools, which is why it is important for your business to be vigilant:

• Card testing
  Fraudsters engage in card testing schemes* when trying to determine if a stolen credit card number is valid or what the credit limit is; they will make a large amount of small test purchases on merchant websites, which will usually result in chargebacks or fraud disputes that are costly for merchants. It is important for businesses to keep track of all transaction authorizations and declines, regardless of dollar amount*, to be vigilant about card testing and subsequent costs and consequences. This type of fraud tends to be more problematic for merchants, who might get hit with separate chargebacks for many small purchases, incurring fees for each transaction or authorization.
  
  
• Phishing
  Using phishing tactics*, fraudsters will relentlessly try to gain access to your business systems to steal customer personal information and payment data – often by targeting your staff via email, text, and spoofed websites. The scammers may pretend to be legitimate businesses, banks, online resources, and credit card companies to trick people into sharing personal information, passwords, and possibly financial information – then using this stolen information to access your business’s systems and confidential data.
  
  
• Account takeover fraud
  Fraudsters may gain control of customer bank accounts, social media accounts, or other valuable access credentials to make purchases; when customers regain control of their accounts, they will dispute transactions and file chargebacks that can be costly for merchants. While businesses cannot completely prevent account takeover fraud* that affects their customers, they can monitor for unusual types or volumes of purchases and prevent transaction authorizations that could turn out to be fraudulent later on.
  
  
• Card-not-present fraud
  Any time someone makes a payment without presenting a physical card, it is called “card-not-present” – this includes online shopping, app purchases, and manually entered card details. Making fraudulent purchases can be easier when a card doesn’t have to be physically presented to make a purchase – like buying items online or subscribing for services. Thus, merchants must be vigilant about preventing card-not-present fraud* in their ecommerce operations with additional authentication measures, like address verification and CVV codes.

Fraud prevention and remediation tools: get started protecting your business, employees, and customers

Bad actors are constantly evolving their tactics to steal customer data, access business systems, and make fraudulent transactions. Businesses must continually evaluate their operations and implement improvements to stop data insecurity from creating huge financial and reputational losses. Consider these prevention and improvement tactics.

• PCI DSS compliance validation
  PCI DSS requirements* apply to businesses of any size that accept credit card payments. These security standards and best practices help you protect customer payment data and frequently review your operations for security vulnerabilities. From technical requirements to employee protocols, PCI DSS is a comprehensive framework that your business should follow; if businesses do not validate and maintain compliance with PCI DSS, they may be found liable for any fraudulent transactions and incur larger financial/reputational losses.
  
  
• EMV, encryption, and tokenization
  Card issuers and payment processors are always innovating to protect merchants from fraud attempts and data insecurity. It is critical for businesses to implement the latest payments technology to protect customer card data and improve data security for all operations. EMV-enabled payment devices* read and authenticate the card from the  secure chip on customer credit cards, while encryption and tokenization* mask card data during transactions to reduce the amount of information fraudsters can steal in a potential breach.
  
  
• Address Verification Service (AVS)
  To combat in-person and online fraud, some checkout processes will prompt users to enter additional details beyond card number to help verify they are the legitimate cardholder. When these authentication steps include address details, like zip code, it is a feature of the Address Verification Service* offered by payment processors. Requiring users to enter some or all of their billing address can thwart bad actors who only have a small amount of stolen cardholder data and prevent the authorization (and eventual chargeback) of fraudulent transactions.
  
  
• CVV codes
  Like the Address Verification Service, payment processors also enable businesses to request additional cardholder information before authorizing transactions; requiring online shoppers to enter the Card Value Verification (CVV) code* on the back of the physical card at checkout can prevent purchases by fraudsters who only have a stolen credit card number.

Fraudsters will continue improving their tactics to target business information systems and customer payment data; that’s why it is important to partner with your payments processor to understand emerging threats, identify vulnerabilities in your operations, and invest in solutions to prevent fraudulent transactions at checkout – online or in-person.

* By selecting this link, you will leave Elavon content and enter a third-party website. Elavon is not responsible for the content of, or products and services provided by this third party, nor does it guarantee the system availability or accuracy of information contained in the site. This website is not controlled by Elavon. Please note that the third-party website may have privacy and information security policies that differ from those of Elavon.