Payment Fraud

Payment fraud has become more prominent and more damaging as online transactions have grown in popularity. Cybercriminals are using advanced and evolving tactics to access payment information and avoid detection. It’s more important than ever for businesses to recognize the realities of payment fraud and implement prevention strategies.

Understanding Payment Fraud

Payment fraud is the illegal process of making a purchase using forged or fabricated payment information. Most payment fraud involves some sort of identity theft. Identity thieves might steal a target’s personal information as a direct or indirect way to access their funds. Vulnerable information can include the consumer’s name, Social Security number, credit card information, bank account information and account passwords.

Payment Fraud Across Industries

Payment fraud impacts businesses across multiple sectors. A 2022 report shows that many industries saw numerous instances of payment fraud costing hundreds of thousands of dollars over the year:

| Industry | Number of cases | Median loss |
|---|---|---|
| Banking and financial services | 351 | $100,000 |
| Government and public administration | 198 | $150,000 |
| Healthcare | 130 | $100,000 |
| Energy | 97 | $100,000 |
| Insurance | 88 | $130,000 |
| Transportation and warehousing | 82 | $250,000 |
| Construction | 78 | $203,000 |
| Telecommunications, publishing, media and other information | 60 | $58,000 |
| Real estate | 41 | $435,000 |
| Arts, entertainment and recreation | 41 | $73,000 |

Types of Payment Fraud

Perpetrators use numerous tactics to commit payment fraud. A few common payment fraud types include:

  1. Credit card fraud
  2. Phishing attacks
  3. Friendly fraud
  4. Skimming
  5. Triangulation fraud
  6. Card testing

1. Credit Card Fraud

Credit card fraud is a type of theft that occurs when a person steals another’s credit card information and uses it to make fraudulent purchases. Credit cards are common targets for scammers because they have become so prominent in commerce. Credit cards are also vulnerable because few authentication factors are in place—if a person possesses the credit card or the information on it, they can use the card to purchase anything within the holder’s limit.

Consequently, credit card fraud has risen steadily over the past decade. Reports find that credit card fraud occurrences increased by 10% between 2020 and 2021, amounting to over $30 billion lost worldwide and over $12 billion lost in the United States.

Fortunately, credit card companies can combat fraud by flagging suspicious activity, such as abnormally large charges or purchases made in an atypical geographical location.

2. Phishing Attacks

Phishing occurs when a thief poses as a reputable company to deceive the victim into sending account or payment information. Phishing attackers use fake emails, text messages, phone calls and websites that look close enough to those of a recognizable business to trick their victims.

During a phishing attack, the victim will receive a website link that often appears safe at first glance. However, the link directs the user to a fake version of the site and asks for login credentials. Submitting the login form will hand account information to the scammer, leading to an account takeover. A phishing link may also contain malware that infects the user’s device to access more information.

Phishing scammers target consumers to access their personal information, especially login and payment information on financial accounts. These scams also frequently target employees through business channels to access company data.

Phishing is one of the most common and dangerous types of fraud in digital payment. One study found that over 80% of employees fell for a malicious email scam and provided sensitive information. Another shows that phishing is among the most common types of cybercrime, doubling in frequency between 2019 and 2020.

3. Friendly Fraud

Friendly fraud, also known as chargeback fraud, occurs when a customer falsely disputes a legitimate transaction. The fraud claim causes the merchant to refund the customer after providing the product or service.

Friendly fraud can also occur when a dispute is legitimate, but the merchant isn’t at fault. If a thief steals a customer’s card information, the customer will rightfully flag the fraudulent purchase. Their credit card provider will likely pass the burden onto the merchant unless they find the person who’s truly behind the fraud.

Friendly fraud is a delicate subject for businesses striving for customer satisfaction. Helping legitimate customers avoid fraud is essential, but businesses must implement measures to verify online purchases. One study found that 23% of consumers admitted to falsely disputing charges. Fraud prevention efforts can mitigate the harm that friendly fraud and chargebacks cause.

4. Skimming

Skimming is a tactic that involves stealing a cardholder’s information from their physical credit card. Here, a criminal uses an inconspicuous device to read a customer’s credit card information as they complete an in-person transaction. Some skimming devices have cameras that sneak a peek at the card number, while others are installed inside the scanner and read the card’s magnetic strip.

Criminals used skimming to compromise upwards of 120,000 cards in the first half of 2023. This type of fraud is most likely to occur at a gas station or automated teller machine (ATM).

5. Triangulation Fraud

Triangulation fraud is a scam involving two separate consumers and a merchant. These attacks are complex and difficult to track and quantify.

This type of fraud begins with a cybercriminal posing as a merchant by using a similar web or email address. The first consumer doesn’t notice the discrepancy and completes a purchase. As a result, the cybercriminal steals the consumer’s financial information.

After stealing the first consumer’s information, the cybercriminal visits the legitimate merchant’s website and places the intended purchase in the consumer’s name—but they use a second consumer’s stolen payment information for the transaction.

The merchant accepts and fulfills the order, only later recognizing that the shipping information and billing information do not match. The initial consumer receives illegally purchased items, often without realizing it. Meanwhile, the cybercriminal has their payment information to use in a future scam, and the second consumer loses money to the fraudulent transaction.

The second consumer can report the event and receive a refund when they notice the attack. The merchant will need to forfeit their payment despite delivering the product or service. The cycle continues with another victim, another merchant and the initial victim’s payment information.

6. Card Testing

Card testing is a tactic that cybercriminals use to verify stolen credit card information before they sell it off. The crime is harmful to customers and merchants alike.

During a card testing scam, the perpetrator submits numerous small transactions to an e-commerce site. The card number may be the same each time, but other information, like the CVC or expiration date, will change as the scammer attempts to find the right combination.

When the scammer sees that the transactions are processing, they launch a full-scale attack. The e-commerce system may receive thousands of small transactions at once, all using stolen payment information. The scammer automates their guessing processes using a bot or another technological tool.

As payment requests roll in, the fraud victims will recognize fraudulent transactions on their accounts. They’ll submit chargeback requests to retrieve their money. The business will experience a sudden influx of transaction fees and chargeback fees that can amount to thousands of dollars. The scam may also lead to a freeze of the business’s merchant account.
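Both phases described above leave a signature a merchant can watch for: repeated declines on one card within a short window, and one client cycling through many cards with small charges. The Python below is an added example, not code from this article or from CSG Forte; the `Attempt` fields, the thresholds and the sample log are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own traffic.
WINDOW = timedelta(minutes=10)
SMALL_AMOUNT_CENTS = 500      # card testers favour low-value charges
MAX_DECLINES_PER_CARD = 3     # same card, changing CVC/expiry -> repeated declines
MAX_CARDS_PER_SOURCE = 5      # one client cycling through many cards


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str        # client IP or device id (hypothetical field)
    card_fp: str       # keyed hash of the card number, never the number itself
    amount_cents: int
    approved: bool


def detect_card_testing(attempts):
    """Return alerts as (rule, key, first_trigger_time), one per rule and key."""
    declines_by_card = defaultdict(deque)   # card_fp -> decline timestamps
    cards_by_source = defaultdict(deque)    # source -> (timestamp, card_fp)
    alerts, seen = [], set()

    def raise_once(rule, key, ts):
        if (rule, key) not in seen:
            seen.add((rule, key))
            alerts.append((rule, key, ts))

    for a in sorted(attempts, key=lambda x: x.ts):
        if a.amount_cents > SMALL_AMOUNT_CENTS:
            continue                        # only small charges are scored here
        cutoff = a.ts - WINDOW

        # Rule 1: one card declined again and again inside the window.
        if not a.approved:
            q = declines_by_card[a.card_fp]
            q.append(a.ts)
            while q[0] < cutoff:
                q.popleft()
            if len(q) > MAX_DECLINES_PER_CARD:
                raise_once("repeated_declines_one_card", a.card_fp, a.ts)

        # Rule 2: one source presenting many distinct cards inside the window.
        q = cards_by_source[a.source]
        q.append((a.ts, a.card_fp))
        while q[0][0] < cutoff:
            q.popleft()
        if len({fp for _, fp in q}) > MAX_CARDS_PER_SOURCE:
            raise_once("many_cards_one_source", a.source, a.ts)
    return alerts


def sample_attempts():
    """Constructed authorization log; IPs come from documentation ranges."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = [
        # Legitimate shopper: one mistyped CVC, then success.
        Attempt(t0, "192.0.2.10", "fp_L", 450, False),
        Attempt(t0 + timedelta(seconds=30), "192.0.2.10", "fp_L", 450, True),
    ]
    # One card retried five times in about three minutes.
    rows += [Attempt(t0 + timedelta(minutes=1, seconds=45 * i),
                     "203.0.113.7", "fp_A", 100, False) for i in range(5)]
    # Retries 15 minutes apart never accumulate inside the 10-minute window.
    rows += [Attempt(t0 + timedelta(minutes=15 * i),
                     "192.0.2.20", "fp_S", 100, False) for i in range(4)]
    # Automated burst: eight different cards from one source in 70 seconds.
    rows += [Attempt(t0 + timedelta(minutes=20, seconds=10 * i),
                     "198.51.100.9", f"fp_B{i}", 100, i % 2 == 0) for i in range(8)]
    return rows


if __name__ == "__main__":
    for rule, key, ts in detect_card_testing(sample_attempts()):
        print(ts.isoformat(), rule, key)
```

An alert from either rule is a cue to add friction (CAPTCHA, rate limiting, step-up verification) before transaction and chargeback fees accumulate.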

The Impact of Payment Fraud on Businesses

Payment fraud can have a widespread impact on a business, affecting everything from its revenue to its reputation:

  • Financial losses: Payment fraud can bring significant financial consequences for merchants. In 2022, online payment fraud caused $41 billion in e-commerce losses worldwide.
  • Customer trust and loyalty implications: Consumers trust merchants to facilitate secure transactions, and breaches of this trust could cause them to take their business elsewhere. One survey found that 87% of consumers will choose a competitor after a data breach.
  • Legal consequences: Payment fraud leaves businesses liable. Merchants often must repay the cardholder’s financial institution after a breach. Additionally, the Federal Trade Commission (FTC) details legal guidelines for protecting customers’ personal and payment information.
  • Reputational damage: The reputational damage that payment fraud causes extends beyond lost revenue. As consumers turn to different businesses, prospective employees, investors and partners may do the same.

Common Warning Signs of Payment Fraud

While payment fraud is common and detrimental, your business can mitigate its harm. Monitor transactions for these warning signs that indicate payment fraud:

  • Unusual transactions or spending patterns
  • Multiple failed payment attempts
  • Inconsistencies in consumer information
  • Sudden changes in consumer behavior
  • High-risk transactions or unusual activity spikes

Payment Fraud Protection Strategies

Explore some of the top fraudulent payment prevention strategies and practices your business can adopt today.

Secure Payment Processing Systems

You can implement an advanced payment platform to protect customers and your business while meeting Payment Card Industry Data Security Standards (PCI DSS) requirements. A cloud-based payment platform can provide a seamless customer experience while bolstering your business’s fraud prevention strategy.

Identity Verification

Methods like two-factor authentication and Know Your Customer (KYC) procedures can help verify purchasers’ identities to prevent fraud. Two-factor authentication requires customers to confirm their identity after submitting their password by responding to a text message, phone call or email. KYC procedures are internal measures your business can take to identify customers and qualify leads.

Tokenization

Tokenization is a data security method that replaces raw payment information with a digital placeholder.

When a customer completes a purchase, their payment information enters your payment portal. There, tokenization software can create a nonsensitive version of the payment data. The nonsensitive version of the data, or the token, travels onward for payment processing. The original sensitive information remains in the payment portal.

Payment processing systems have the credentials or tools necessary to decipher the token and view the sensitive information in the payment portal.

Real-Time Fraud Detection

The most secure payment processing systems include real-time fraud detection. Fraud detection systems use behavioral analysis to separate legitimate customer behavior from fraudulent activity. Behavioral analysis can prevent fraudulent purchases and help your business resolve claims faster.

Education and Training

Employees are often the target of phishing and other scams. Train your personnel to use secure practices and recognize attempts at data theft. Cybersecurity training should be a part of onboarding and ongoing learning to ensure employees build strong fraud detection skills and keep them current as tactics evolve.

Regular System Audits and Updates

Cyberattackers constantly adapt, so it’s important to update your infrastructure and protection on a regular basis. Analyze your fraud prevention system as a part of annual or semiannual risk assessments.

Protect Your Business Against Payment Fraud

Payment fraud is prominent and takes many forms. Understanding the possibilities and implementing prevention strategies can save your business countless hours and thousands of dollars.

At CSG Forte, we develop cloud-based payment systems with payment fraud security integration. Our systems and resources will give you peace of mind as you accept payments online, in person and over the phone. We encourage you to request access to our payment security whitepaper to learn more about effective payment security strategies.

We’re also available to discuss your situation, so contact us online to learn more about our secure, scalable payment solutions.

Layering Login Security: The Power of Multifactor Authentication

It used to be that passwords were enough to protect your accounts. Those days are gone, and you can blame the ever-growing sophistication of cybercriminals. Organizations now need an extra layer of defense against unauthorized access and fraud. That’s where multifactor authentication comes in.

It’s a good idea to require multifactor authentication in many of the systems your organization uses every day—especially critical systems like payments operations. Read on to learn what it is, how it works and why it matters.

What is multifactor authentication?

Multifactor authentication (MFA) is a security measure that requires users to provide two or more pieces of evidence to verify their identity before they can access their account or perform a transaction. Single-factor authentication methods often rely on the traditional username-plus-password combination. MFA goes further and requires additional factors—often something the user knows (e.g., the answer to a security question), something they have (e.g., a smartphone) or something they are (e.g., biometric data like a fingerprint).

How does MFA work in payment solutions?

Payment solutions can apply MFA in various ways depending on the level of security and convenience they offer users. Common examples of MFA in payment solutions include:

  • One-time password (OTP): The user gets a code via text, email or an automated phone call, and they have to enter it along with their username and password to access their account or perform a transaction. The code expires after a short period of time and can be used only once.
  • Push notification: The user receives a notification on their smartphone or a similar device through a secure app that’s linked to their account. With that device, they have to either approve or decline the transaction or account access.
  • Biometric authentication: The user must have their fingerprint, face or iris scanned. This biometric data is usually stored on the user’s device or on a secure server, and it’s matched with the user’s account.
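The two properties the one-time password item relies on, a short lifetime and single use, have to be enforced on the server side. The Python below is an added example, not code from this article or from CSG Forte; the class name, the five-minute lifetime and the guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime; the article only says "a short period"
MAX_ATTEMPTS = 5        # assumed guess limit before the code is discarded


class OtpService:
    """Issues and checks one-time codes; delivery (text, email, call) is out of scope."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user_id -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        # Store a salted hash so the live code is not sitting in the table.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code, replacing any earlier one for this user."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = [
            salt,
            self._digest(salt, code),
            self._clock() + OTP_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # never issued, already used, or locked out
        salt, digest, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]        # expired codes are discarded
            return False
        entry[3] -= 1                         # every guess costs an attempt
        if hmac.compare_digest(self._digest(salt, code), digest):
            del self._pending[user_id]        # single use: consume on success
            return True
        if entry[3] <= 0:
            del self._pending[user_id]        # too many wrong guesses
        return False


if __name__ == "__main__":
    svc = OtpService()
    c = svc.issue("alice")
    print("first use:", svc.verify("alice", c))    # True
    print("second use:", svc.verify("alice", c))   # False
```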

When might payment solutions require MFA? Those scenarios can include when you or other users in your organization log in to their accounts, add a new payment method or change settings. MFA can also be complemented with other security features such as encryption, tokenization or fraud detection to create a more robust risk management practice.

Why is multifactor authentication critical for payments operations security?

Payment fraud incidents are on the rise, increasing 88% since 2021, according to PYMNTS Intelligence research. It’s making organizations and consumers more wary about how payment account data is kept (the same study found that 30% of consumers don’t trust having their personal information stored on a connected platform).

Clearly, bolstering the security of the systems that house consumers’ payment account data is a priority for any organization. Here’s how MFA in payments operations supports that:

  1. Better Protection: MFA makes it harder for hackers or fraudsters to access your customers’ data, even if they have your username and password. It adds an extra layer of security that deters or delays attackers, giving your organization more time to detect and respond to the breach.
  2. Fraud Risk Mitigation: MFA can decrease the likelihood of fraudulent transactions when the additional authentication requirements thwart bad actors.
  3. Brand Reputation Preservation: A data breach resulting in compromised payment accounts is a major blow to an organization’s reputation that erodes customer trust. Implementing MFA shows you’re committed to keeping customers’ information secure, and it helps safeguard your organization’s integrity.
  4. Satisfying Security Standards: MFA complies with the latest security standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Payment Services Directive 2 (PSD2). MFA helps you meet the requirements and expectations of your customers, partners and regulators, not to mention help you avoid penalties or fines.

The new standard in payments operations security

MFA is no longer just a security best practice—it’s an expectation. A growing share of SaaS platform users consider MFA a must-have capability of the SaaS platforms they use, regardless of segment or industry. In payments operations, it can make a big difference in safeguarding payment accounts and protecting your organization from the potentially devastating consequences of data breaches and payment fraud.

This is part of what’s known as the Zero Trust strategy for information security programs, based on the principle of “never trust, always verify.” It’s aligned with the latest industry standards, such as PCI DSS version 4.0. And it’s part of CSG Forte’s commitment to the rigorous safeguarding and protection of all customer data.

Want to learn more about how CSG Forte incorporates MFA into its solutions? Just ask us.

‘Tis the Season for Secure Payments: Protecting Your Business from Holiday Fraud

The holiday season is here, bringing with it the hustle and bustle of surging online transactions. Consumer spend is expected to rebound above pre-pandemic levels for the first time, even as 72% of shoppers anticipate higher prices.

Inflation dread isn’t enough to deter cash-strapped consumers. Credit options, such as Buy Now Pay Later short-term financing, will cover an estimated 13% of holiday purchases this year.

With the uptick of consumers embracing the holiday splurge, it’s essential to ensure that your store is safeguarded from the Grinches of the online world—fraudsters. Here are three tips to keep your e-commerce business merry and bright:

 

1. Hosted Payment Pages: A Trusted Haven for Transactions

Picture a secure fortress for your customers’ payment data—one that’s not on your servers. This is where securely hosted payment pages with a reliable payments provider come into play. By directing your online payments through these secure pages, you’re ensuring that sensitive payment data doesn’t linger in your system like a misplaced ornament.

The beauty of securely hosted payment pages lies in their ability to provide a seamless and secure transaction experience. Customers enter their payment details on a page hosted by the payments provider, keeping the crucial data away from your servers and reducing your PCI (Payment Card Industry) Data Security Standard scope. This ensures a worry-free experience for both you and your customers that leaves fraudsters out in the cold.

 

2. Digital Wallets: Security Wrapped in Convenience

‘Tis the season for giving, and what better gift to offer your customers than secure and convenient digital payment methods? Enter digital wallets. With enhanced security features, they provide a hassle-free and speedy checkout experience.

By offering popular digital wallets at your checkout, you’re not just embracing the holiday spirit—you’re also aligning with what consumers trust. Digital wallets safely store payment credentials and employ advanced encryption techniques to keep them protected. It’s a win-win—customers get a seamless payment experience, and you get the peace of mind that their data is protected.

 

3. Tokenization: Turning the Tables on Fraudsters

If you want to take your holiday defenses up a notch, consider the power of tokenization.

Tokenization involves replacing actual card and ACH payment data with generated tokens. These tokens have no intrinsic value and provide no value to fraudsters. It’s the equivalent of leaving fake presents under the tree for anyone attempting to snatch them. A reputable payments provider can assist you in implementing this robust layer of security, ensuring that even if a Grinch manages to sneak into your system, they leave empty-handed.
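Tokenization as described here and in the Tokenization section under Payment Fraud Protection Strategies earlier on this page, shown as an added Python example that is not CSG Forte's code. `TokenVault`, `merchant_order_record` and the credential check are hypothetical names and assumptions, the vault is in memory only, and the card number is the well-known test value.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Card-number checksum; rejects typos before anything is stored."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the payment portal: the only place the real number lives."""

    def __init__(self, processor_credential: bytes):
        self._index_key = secrets.token_bytes(32)      # keys the lookup index
        self._cred_digest = hashlib.sha256(processor_credential).digest()
        self._pan_by_token = {}     # token -> card number (encrypt at rest in practice)
        self._token_by_index = {}   # HMAC(card number) -> token, so repeat cards reuse one

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        token = self._token_by_index.get(idx)
        if token is None:
            # Random value: it cannot be reversed into the card number.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, credential: bytes) -> str:
        """Only a caller holding the processor credential gets the real number."""
        presented = hashlib.sha256(credential).digest()
        if not hmac.compare_digest(presented, self._cred_digest):
            raise PermissionError("caller is not an authorized processor")
        return self._pan_by_token[token]    # KeyError for unknown tokens


def merchant_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own systems keep: token and last four digits only."""
    return {
        "token": vault.tokenize(pan),
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault(b"constructed-processor-credential")
    record = merchant_order_record(vault, "4111111111111111", 2599)
    print(record)   # contains no card number
    print(vault.detokenize(record["token"], b"constructed-processor-credential"))
```

A copy of the merchant's order table then yields only tokens and last-four digits; the card numbers stay behind the vault's credential check.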

In the midst of the holiday season excitement, don’t let the fear of fraud steal your joy. By following these three tips—utilizing hosted payment pages, offering secure digital payment methods, and embracing tokenization—you can ensure your online business stays secure while shoppers stuff their carts.

 

CSG Forte is here to protect your payments this holiday season. Contact us to get started today.

P2PE vs. E2EE: What’s the Best Payment Security Option?

If end-to-end encryption (E2EE) and point-to-point encryption (P2PE) sound like they could be the same thing, you’re not wrong. Technically speaking, P2PE is a specific type of E2EE, and the objective in both cases is to secure cardholder data from the time it’s captured until it reaches its intended destination.

However, only one of these methods offers significant time savings and cost benefits to merchants. Read on to understand the differences and why choosing P2PE could be in your company’s best interest.

 

What Is P2PE?

As the ongoing threat of data breaches continues to menace businesses (and government agencies) of all sizes, securing cardholder data remains a top priority for merchants. In recent years, P2PE has become the gold standard for credit card payment security compliance.

Here’s why. PCI-validated P2PE is a set of standards defined by the Payment Card Industry Security Standards Council (PCI-SSC) that outlines a comprehensive set of best practices spanning the device supply chain, encryption key loading, configuration, encryption and application security.

The P2PE process creates a secure connection between devices, or components within devices, which prevents sensitive data from being exposed at any point while moving across a network. It effectively removes cardholder data from a merchant’s environment, providing better protection for the cardholder.

 

How Does P2PE Work?

P2PE encrypts cardholder data immediately upon receiving a card payment. It sends this encrypted code directly from the payment terminal to the payment processing system, where the information gets decrypted using a secure key.

Since the decryption takes place entirely in the payment processor, the merchant never sees any of the cardholder’s information. If a hacker manages to intercept the data while it’s in transit, they will not be able to read it because only the processor possesses the key—there’s no chance someone can steal the key from the merchant or any other party.

PCI P2PE Compliance Requirements

P2PE reduces the likelihood of PCI compliance breaches by directly connecting the payment terminal to the processing system—and correspondingly drops the number of self-assessment questionnaire questions from over 300 to around 30. This function means you can raise the bar on security without also increasing the compliance audit burden.

Some other key compliance requirements include:

  • The data must be encrypted at the payment terminal.
  • The payment terminal may only use P2PE-approved applications.
  • The merchant must conduct annual inventory checks on payment terminals.
  • The merchant must install cameras with a clear view of the terminal.

Ultimately, these requirements are fairly easy for most businesses to manage. That leaves you more time and resources to spend on the purpose and passion at the forefront of your business rather than the processes behind your business.

 

The Benefits of P2PE With CSG Forte Protect

CSG Forte Protect is a PCI-validated P2PE solution securing the V400C terminal for in-person payments. CSG Forte Protect helps merchants:

  • Remove liability issues for your business: Forte Protect merges processes, applications, and payment devices to securely encrypt and protect data during transit from the POI terminal/device or POS system.
  • Protect cardholder data: Our solution has three parts—validated hardware, validated software, and validated solution providers to cover payment terminals, terminal application, deployment, key management, and decryption environments.
  • Save time and money: With a minimal per transaction cost, Forte Protect saves you PCI-related costs by reducing PCI scope as the number of questions from the self-assessment questionnaire drops from SAQ D (329 questions) to SAQ P2P3 (33 questions).
  • Fully integrate existing payment channels: Supported card input methods include tap, dip, swipe, keyed, Apple Pay, Samsung Pay and Google Pay. Your customer payment experience will be seamless without you lifting a finger!

We put data security at the core of all our payment solutions, so you can rely on Forte Protect to keep your data safe through every payment—every time. In addition to meeting PCI standards, we’re certified for compliance with ISO 27001:2013, SSAE SOC 1 and HIPAA. Whatever your industry and payment needs, we can help you protect your customers from data breaches.

 

What Is E2EE?

Many merchants’ transactions rely on end-to-end encryption (E2EE), a process that involves an indirect link between the payment terminal and processing network. During this operation, the processor or a third party is expected to encrypt the cardholder’s data (CHD) during transit.

Unfortunately, the indirect link means card present transactions—where the customer swipes, dips or taps their card—are a constant area of concern. Preventing fraud at the terminal isn’t just a matter of checking who is presenting the card. You also have to ensure the payment terminals themselves are secure. Attackers who intercept point of sale devices, or who use insiders, can load malware onto a device that scrapes and transfers the cardholder data available in its RAM and virtual memory.

That’s why rather than finding new ways to protect cardholder data, businesses are looking for ways to eliminate cardholder data from their environments.

E2EE and PCI Compliance

Some E2EE vendors claim that using E2EE makes adhering to PCI guidelines easier because it encrypts data throughout the entire process, but this claim isn’t entirely accurate.

While this method is compliant with Payment Card Industry (PCI) guidance, E2EE requires intensive documentation and additional ongoing costs associated with PCI compliance. Merchants often hold the encryption keys, so merchants relying on E2EE will typically need to complete an annual PCI-DSS self-assessment questionnaire (SAQ) with over 300 questions.

Even though small business owners are used to wearing many hats, assuming responsibility for PCI compliance may be more than they can handle. If they choose to have someone else manage it for them, like processors or outside consultants, then they’ll also incur the added expense of outside help.

 

What’s the Difference Between P2PE and E2EE?

While they are similar in nature, some of the most significant differences between P2PE and E2EE include:

  • Security rules: P2PE and E2EE require different security checks on and around the payment terminal. For example, P2PE requires merchants to perform annual terminal inventory checks to ensure everything works properly.
  • Control: Because the scope for PCI compliance is much smaller with P2PE, merchants have greater control over their ability to adhere to the standard. E2EE, on the other hand, contains more endpoints, making compliance more complicated.
  • Liability: P2PE providers take complete liability for data breaches because they hold the keys. With E2EE, though, the merchant has control over decryption keys and can be held liable for stolen cardholder data.

Ultimately, these differences mean the best choice for most businesses planning to accept credit card payments is P2PE. It makes compliance more manageable and keeps cardholder data safer than E2EE—and it’s entirely possible with a reliable provider like CSG Forte. If you want to improve your payment processing technology, consider using our solutions to secure your card transactions.

 

Choose P2PE Payment Solutions From CSG Forte

The numerous controls and security implemented across this entire value chain make P2PE an extremely secure encryption method—but also a high bar for vendors to clear. Only a select few vendors offer PCI-validated P2PE today, and we’re proud to be one of those few.

At CSG Forte, we know securing a stable and safe merchant solution can relieve the security and compliance pressures from you and your business. For that reason, CSG Forte Protect was created with you in mind to give you peace of mind.

We know you didn’t open your business so you could worry about transactions and payments operations. But we did. Our team at CSG Forte has a passion for safe and secure payment processing solutions. Learn more about CSG Forte’s secure in-person payments processing solutions, or contact us to get started.

Payment Basics: NSF Re-presentment

What is NSF?

NSF stands for “non-sufficient funds.” An NSF check is a returned check. This means the bank has refused to honor the check because there isn’t enough money in the account to cover it. These are often also simply called bad or bounced checks.

 

What Happens When an NSF Check is Written?

When an NSF check is written, a number of negative consequences may follow. The financial institution of the person writing the check makes one of two choices:

Allowing the check

The check writer’s bank may decide to let the check go through. This, however, would put the check writer’s account into an overdrawn status. Some banks charge the account holder a fee simply for overdrawing and may continue to charge for each day, or for each set amount, that the account remains overdrawn. It can end up burning quite a hole in the wallet.

Refusing the check

Alternatively, the check writer’s bank may refuse to honor the check. The bank will not allow the funds to process, and the writer will likely be charged a fee just for writing the check.

If the bank chooses not to honor the check, they will return the check to the depositor (the person cashing the check or depositing it into their account as a payment). When this happens, the check will not clear, and the depositor’s bank will also tack on a “Deposit Item Returned” fee (DIR). Potentially, the returned item could sink the depositor’s account into overdrawn status, also initiating an overdraft fee.

Banks consider both the depositors and the check writers as being responsible for the NSF check – and they have no problem making it a very expensive mistake.

 

How do You Protect Your Business From NSF Checks?

NSF checks can be very frustrating and costly to businesses that need to process payments. Some decide not to accept checks at all as a last resort, but this choice limits the payment options of your customers.

For many businesses, it’s a wise decision to accept paper checks and eChecks, or electronic checks. This allows customers the flexibility of selecting a payment option that works for them, and many people simply want a payment to come right out of their checking account.

But how can a business handle NSF checks? It’s wise to have a plan in place so that when NSF checks appear, it isn’t a complete disaster. NSF re-presentment is your best option, as it allows you to recover the funds for each check.

 

What is NSF Re-Presentment?

When an NSF check is written, re-presentment will simply “re-present” the check to the writer’s bank at a later date. This way, the check has another shot to clear. CSG Forte’s NSF re-presentment option lets you select the date you wish to re-present the check, which enables you to choose a time when you think there is a stronger likelihood that the funds are available. You may know, for instance, when your customer gets their paycheck. Scheduling NSF re-presentment on or directly after this date increases your chances of accessing the funds and clearing the check.