Payment fraud is organised, so what do you do?

Opinion by Shannon Martin

Merchants have enough difficulty manoeuvring through today's 'topsy-turvy' economic times.

Merchants have enough difficulty manoeuvring through today's ‘topsy-turvy' economic times.

When your merchant processor calls to inform you that the card associations have flagged your company as falling within their criteria for a fraudulent operation, the threat of having to close your doors for the very last time can take on awesome proportions. Is this scenario a real possibility, and what can you do to prevent it from ever happening to you?

Seasoned risk management professionals will tell you that payment fraud today is very sophisticated and well organised. Where there is money involved, the criminal element of our society has focused their efforts on various schemes that will conveniently and easily transfer its value to their coffers.

Their primary objective, as if directed from some planning division, is to create a steady flow of income beneath the radar screen of detectability. For this reason, one can never eliminate fraud completely, but you must manage it down to an acceptable and predictable ‘cost-of-doing-business' level.

This frightful call situation happens more frequently than we would like, even under today's highly electronic and terminal-driven payment environment. Card payment fraud can come from many sources, but one prevalent method is to force a number of fraudulent transactions through a single merchant portal, fence the goods and then disappear.

It may take days for consumers to object, but investigators quickly assemble data and look for a common point of purchase (CPP), in card payment parlance. A call follows to notify you that your merchant system has been breached.

How can you prevent this call from ever taking place in your situation? Unfortunately, systems today are extremely complex. Even highly sophisticated and large merchants with ample resources devoted to fraud prevention have suffered from breaches in their networks.

In response, the card associations came together as one to fight crime by developing the Payment Card Industry Data Security Standards (PCI-DSS) that has been an ongoing effort for the past five years.

The world of merchant account payment options can be very daunting, especially for smaller merchants, but processors have typically developed a cadre of experts to assist merchants in their respective compliance activities.

Navigating through these turbulent waters requires experience on a daily level with the variety of attacks that can transpire between the point of sale and the eventual posting of a transaction to a consumer account. If your processor does not provide support of this nature, then it may be a good time to switch your allegiances.

After a breach has occurred, the first step is to secure with the assistance of your processor, who should be a capable PCI forensic investigator. This individual will determine where and how your system was breached and recommend changes to prevent any further data compromises from happening down the road.

The changes may be as simple as upgrading your operating software to the next release, or may require a major overhaul of your entire method of doing business. Either way, it is a costly procedure.

To avoid larger costs in the future, the prudent way to go is to review your merchant account payment options and determine where the weaknesses in your present system of controls exist. PCI standards are very specific, especially in their encryption requirements of personal consumer and card data during every step in your internal processing regimen.

Due to its inherent complexity, your processor may require an outside auditor to confirm your PCI compliance before accepting larger volumes of transactions from your merchant network. Compliance levels do vary according to size so you need to be aware of when critical levels are on the horizon.

The card associations continually update merchant processors on their level of PCI compliance and issue fines when the facts warrant. If the processor can justify his position and find fault with your PCI status, he will most likely deduct the fines from your daily deposit stream. The time to act is before the breach, not after.

Shannon Martin is editor of


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events