Data Breaches & Fraud

Merchant Protection: Accepting Credit Cards Affected by Data Breaches

Credit card fraud—unauthorized purchases made with stolen cardholder information—is a leading cause of profit loss for merchants. Criminals obtain personal card data using a variety of methods, but the end results are predictable: the cardholder learns of the fraudulent transactions and files a chargeback. The merchant loses their merchandise, sales revenue, and mandatory chargeback fees.

Credit card fraud is on the rise, too, with 2017 shaping up to be a record-breaking year. Many factors contribute to this increase, but one large component is the increasing number of corporate data security breaches.

Data Breaches by the Numbers

High-profile break-ins garner a lot of attention, and they should. Consider the Equifax breach discovered in July 2017—the worst such event in US history—where criminals walked off with Social Security numbers and other personal data for roughly 200,000 consumers.

Wide media coverage of the event is almost mandatory. People not only have the right to this information, they need to know what happened so they can protect themselves. But all the fuss over such high-profile incidents like this overshadows exactly how widespread the problem truly is.

Each breach can expose individual names connected to other identifying data, such as a driver’s license number, SSN, or medical and financial records. The Equifax breach added 143 million records to the running total...but that's just a drop in the bucket.

Hosting Tribunal reports that data breaches compromised 3.3 billion records just in the first half of 2018. US companies suffered 1,244 identified cyber attacks in 2018, with an average impact of $3.86 million per incident.

The Hacker Attack Is Everywhere

Data breaches in 2017 involved some highly recognizable names:

Security Hacked?High-profile Data Breaches in 2017

	Hackers accessed up to 143 million customer accounts, potentially downloading the names, SSNs, driver’s licenses, and credit card numbers of close to 200,000 people.
	A misconfigured setting on a cloud server made the phone numbers, names and PINs of some six million Verizon customers public for over a week.
	For nearly a month, tracking data (potentially including cardholder name, card number, expiration date, and internal verification code) was being read from cards during checkout and routed to hackers.
	A third-party data library used by this popular workplace chat platform was attacked by hackers. Messages and content in chat rooms may have exposed personal account data that included names, email addresses and hashed passwords.
	Account details—including email addresses, IP addresses, and passwords—of more than 2.5 million users of the gaming forums were compromised.
	In one particularly worrisome attack, hackers were even able to access data from this corporate password management service. Information obtained included information about users, apps, and certain keys, which—if decrypted—could expose additional information.

…and the list goes on.
Some of the recognizable brands to have experienced a security breach in 2017 include:

• Frontier Airlines
• Bed Bath & Beyond
• Sirius XM
• Gamestop
• Jewelry.com
• Kmart/Sears Holding
• Neiman-Marcus
• World Wrestling Entertainment (WWE)
• U.S. Cellular
• Saks Fifth Avenue
• Children’s Place
• Envelopes Unlimited
• Rand McNally
• Verifone
• Lowes
• New York Life Insurance
• Arby’s
• Boeing
• Toys “R” Us
• Auburn University
• Brigham Young University
• Walgreen

All told, some 163,305,500 records are known to have been exposed to some degree this year.  Approximately half the companies involved, however, have not released specific figures, meaning the actual number of records involved is probably much higher.

Online Merchants Ultimately Become the Victim

When data breaches make the headlines, media reports usually focus on the breached institution and the immediate potential damage to consumers.

But the true price for data breaches is often paid by businesses who had nothing to do with the actual break-in. Until a cardholder reports a compromised account, criminals can keep making unauthorized purchases, often at multiple locations. The merchants who process those transactions in good faith become victims once the fraudulent activity is finally discovered.

Unfortunately, many consumers simply don’t take the necessary fraud mitigation steps after a data breach. One 2014 survey reported 32% of data breach victims ignored the notifications altogether. They took no action, even knowing their personal information had been exposed.

Only 28% of victims bothered to cancel a compromised credit or debit card account. That means fraudulent purchases can be made by the criminals who stole the information, often months or years after the actual theft.

So why don’t more cardholders take action after a data breach? According to Eva Velasquez, President and CEO of the Identity Theft Resource Center, it’s all about convenience: “The main reason people don’t do it is the hassle factor. They want open and free access to their credit whenever they want. But what that creates is open and free access for thieves as well.”

When consumers don’t act to protect themselves after a data breach, merchants suffer from unchecked credit card fraud. This is particularly true with online transactions, where fraudsters only need the card information—not the card itself, to engage in account takeover fraud.

Protection from Credit Card Fraud

While cardholders might have lax attitudes about fraud protection in the wake of a data breach, merchants can’t afford to be. Any unauthorized transaction the merchant unknowingly processes is likely to reappear as a chargeback. So, is it possible to know if a credit card was compromised through a data breach—but never canceled by the issuing bank?

Unfortunately, no. While it would be ideal to know the validity of a credit card transaction before processing, it is currently not possible to unequivocally state that a cardholder has approved a purchase or that a transaction is safe to process.

Banks cannot disclose information regarding cardholders’ accounts, and cardholders might not even be aware of compromised data. Many data breaches go undetected for months or even years. It often takes even longer for the breached company to alert victims.

What are merchants’ options? How can they reduce the risk of fraud after a data breach? While the situation is serious, there is still hope. In general, there are eight ways to keep credit card fraud to a minimum:

1. Use Address Verification Service

   Address Verification Service is an automated fraud prevention system designed to reduce the risk of unauthorized transactions. AVS compares the billing address supplied during checkout to the address the issuing bank has on file.

   An AVS mismatch could be a sign of fraud, since the criminal might have limited access to the cardholder’s personal information and be unable to provide an exact match.

2. Request Card Security Codes

   Card security codes help authenticate a card-not-present transaction and ensure the actual cardholder is participating in the purchase. Because no merchant can store card security codes, they cannot be hacked by a criminal. If the valid card security code is used in the transaction, it’s a strong indication the shopper has the physical card in hand.

3. Be Alert for Suspicious Activity

   There are several warning signs of credit card fraud. Merchants need to be able to recognize the red flags that may signal a fraudulent transaction, then watch for suspicious activity and be ready to act quickly.

4. Validate Orders

   When transactions show potential indicators of credit card fraud, merchants should try to validate the order. This means contacting the cardholder directly and confirming the order before charging the card.

   The true cardholder will be able to answer simple questions about the transaction—and will usually appreciate the extra measure of security. A fraudster, on the other hand, is more likely use a fictitious phone number or email address.

5. Use Fraud Filters

   A fraud filter helps reduce the risk of profit loss by scanning for indicators that suggest the order was initiated fraudulently. Questionable transactions are flagged, and the merchant has the option of terminating the order and avoiding a potential chargeback.

   When fraud filters are used in conjunction with chargeback insurance, the merchant has a better chance of recovering revenue in certain chargeback situations.

6. Request Chargeback Alerts

   In many instances, a refund is preferable to paying all the additional costs associated with a chargeback. Chargeback alerts from participating banks give the merchant a chance to refund fraud victims before a chargeback is issued.

7. Use Visa Account Updater

   Some cardholders do take steps to protect their personal information in the wake of a data breach. This can help merchants avoid unauthorized transactions, but it’s a double-edged sword: when cardholders try to prevent post-breach fraud by canceling their accounts, they often forget to update recurring payment information with merchants. This can lead to a sharp increase in declined transactions.

   Visa Account Updater was designed to reduce the number of declined transactions (and the accompanying chargebacks). Visa Account Updater acts as an information clearinghouse, providing an electronic exchange of current and accurate account data to merchants, acquirers and issuing banks.

8. Postpone Settlements

   Merchants can only void a transaction before it is settled. After settlement, transactions can only be refunded, and are susceptible to chargebacks.

   Using an authorization hold, the merchant can temporarily freeze the cardholder’s funds or available credit, ensuring that funds exist for the transaction to be processed at a later date. This has the added bonus of enabling the cardholder to review the pending transaction.

   By briefly postponing settlement, merchants can avoid processing unauthorized transactions against savvy cardholders who carefully monitor their accounts.

Doing the Best You Can with a Difficult Situation

The world is becoming more data-connected every day, so data breaches are not going to go away any time soon. Sadly, we’re not yet able to pinpoint whether a transaction has been made with a card compromised by a data breach.

The good news is, there are plenty of strategies a merchant can use to keep general credit card fraud in check. If you’re a merchant interested in learning more, contact Chargebacks911 today. We’ll conduct a free, no obligation ROI analysis and show you how much more you could earn by effectively preventing credit card fraud.