In our tech-focused age, credit card (and debit card) fraud continues to be one of the most common and fastest-growing types of crime. Because the retail industry relies so heavily on credit transactions, it is particularly affected. It’s likely that everyone reading this article has either been the victim of a credit card fraud scam, knows someone who has, or has dealt directly with credit card fraud scams as part of their job.
While not all credit card fraud scams directly affect retail loss prevention, all LP professionals should learn as much as they can about the subject and be prepared to deal with it should the need arise. This post contains some information, tips and best practices that all consumers and retailers should know. This information relates mainly to payment terminals and PIN pads in retail but it also relates to ATMs, gas pumps and almost any device that can accept a credit or debit card swipe.
Pay-at-table (PAT) devices are wireless credit/debit card payment terminals which operate on wireless technologies like WiFi, Bluetooth or cellular. They are commonly used in restaurants or by delivery services to make it more convenient for consumers to pay for their meals or purchases. They are also the most common target of credit card fraud scams due to the ease of unattended access.
A good example of how easy it is for fraudsters to take advantage of these payment devices was recently experienced by a small pub. Two males visited the establishment for beverages shortly before closing time. When these individuals asked to pay their bill, the server brought a payment terminal over to the table and returned to his duties. A few minutes later, they called the server back to the table and informed him the terminal was not working properly. They instead paid their tab in cash.
The next morning, the payment terminal service company received a request to replace the malfunctioning terminal. Upon arrival, the service technician was quickly able to determine the issue. Although the terminal was of the same make and model as the other terminals used by the merchant, it had labels from a payment processing company the merchant wasn’t doing business with. In addition, the security stickers which were normally affixed over the screw holes at the bottom of the device were no longer intact, indicating that tampering had occurred.
Swapping out devices is becoming more and more common. Fraudsters will swap out a terminal or PIN pad and may or may not return at a later time to swap them back. This practice is done in an attempt to collect credit and/or debit card information from either the merchant’s original equipment or from a modified device that the merchant’s staff may continue to use unawares.
Once the credit information is collected, duplicate credit cards are created to sell on the internet and/or make purchases until the activity is detected. Even though recent changes to the type of information stored on a payment terminal (and how it is stored) are being implemented industrywide, fraudsters will often modify a stolen payment device with technology to copy card information. This is the more commonly known method of skimming (to be discussed in the next section).
In the case at the pub, the merchant had to pay a significant amount of money to replace the stolen device. In addition, the device contained confidential merchant account information and might have contained temporarily stored credit or debit card information from cards previously used on it.
Best practices to identify and avoid swapping:
- Don’t leave PAT or any payment device unattended around customers; they should be treated like cash.
- Periodically examine the devices to be sure labels are intact and the device appears untampered with.
- Secure wired terminals or PIN pads to counters or secure with cable lanyards.
Skimmers are small devices that fraudsters affix to payment devices to copy credit/debit card information. They can be concealed within a device or attached to the outside. Depending on the type used, the criminal can either physically retrieve the skimming device to collect the stolen information or obtain the information from the device wirelessly via Bluetooth or WiFi.
This method of credit card fraud has become popular, especially at gas stations where access to payment terminals at the pump is easy, given that they are outside.
Best practices to identify and avoid falling victim to skimming include:
- Periodically examine all terminals to be sure nothing has been tampered with.
- Run a credit card through the terminal to be sure the “feel” is normal.
- Be sure all terminals are the same make, model, etc., if that is what is expected.
- Ask service personnel for proper identification before they touch any equipment.
- Observe, note and report any suspicious activity to the police.
As previously mentioned, credit card fraud scams are rampant, and fraudsters are getting more creative in taking advantage of the latest technologies to carry out their crimes. By knowing some of their techniques and methods, retailers, and LP in particular, will be better equipped to identify, prevent, or report these scams.
This article was originally published in 2016 and was updated April 5, 2018.