Are You at Risk? Risk Monitoring System May Leave Your Portfolio Open to Losses

One of the older schemes in merchant fraud is issuing credits/refunds with no offsetting sales. Over the years the trend on this old scheme has changed many times until the industry catches up and updates the monitoring systems.

The first version was the fraudsters would just issue refunds with no offsetting sales to credit cards. The industry learned to look for negative batches. The fraudsters then began issuing credits with no offsetting sales and then they would run a charge for the exact same dollar amount on a stolen credit card. This would make the batch zero or slightly positive. The industry caught up by having the risk monitoring systems looking at all credits and matching back for offsetting sales on the same card numbers.

During the mix, the fraudsters figured out if you run the returns on check cards, they would have access to almost instant cash instead of having to wait around for the issuers to send checks out. All of the earlier frauds were performed using the credit card networks.

The trend has changed again and many acquirers are experiencing losses where the crooks are issuing credits with no offsets, but their risk monitoring systems are not picking up on the transactions.

Traditional monitoring systems are set up to review the transactions flowing through the credit card networks. Many acquirers do not monitor pin based debit networks. In the past, there has been very little risk involving the debit networks for many reasons:

- Pin based transactions validate who the cardholder is, so there are very few chargebacks.

- Issuers typically limit pin based debit transactions to $500.00 or less per day.

- Some acquirers do not hold any liability for chargebacks through the debit networks.

- Credits cannot be run through the debit networks...NOT TRUE!

Typically the ability to issue credits/refunds through the debit side of the terminal is disabled. Unfortunately, the fraudsters have discovered how to turn this feature on in the terminals and sometimes at the network. If the transactions from the debit networks are not flowing through your risk monitoring system or are not being reviewed, YOU ARE AT RISK.

Refund fraud is so appealing to the fraudsters because the money is available very quickly. Often times once the fraud has been committed, the acquirer has a hard time to stop it. Most of the processors do not have an easy way to prevent it. FDR has a feature called Real Time Fraud which will allow the acquirer to delete the batch as long as it is caught prior to settlement. First National Merchant Solutions can delete a batch as late as the following day after settlement and is probably the most effective system we have seen. Most processors' only option is to perform credit reversals. Even the ones who have systems in place to delete batches or transactions, if the fraud is detected too late, the credit reversal is the only way to potentially undo some of the damage. Some processors charge huge fees to do these and they are not guaranteed to work. Credit reversals are tedious, time sensitive, and do not have to be honored by the issuers.

Here are some steps you can take to protect yourself:

1. Find out if your back end can disable the feature for allowing refunds through the debit network. If it is available, then turn it off.

2. If the controls are only available at the terminal level, you will need to come up with a password system to limit access to downloads. As we all know, more terminals than not have default passwords that are never changed.

3. Find out if your monitoring system is looking at both the credit and debit networks. If it is not looking at debit networks, you need to get that fixed. It is only the matter of time that the fraudsters figure out yet another way to get something through them now that the door is open.

4. Find out now how your processor handles reversing credits so you have the steps in place to do damage control if necessary. Make sure all of your staff knows where to access this information. Inevitably fraud will happen on a Saturday or on a skeleton crew. The fraudsters know we all have lighter crews on the weekends.

5. Keep your risk people actively involved with the International Association for Financial Crimes Investigators. If something like this does happen, they will need connections to issuers.

6. Keep your risk people actively involved with the Merchant Acquirers Committee so that they can keep up with current changes in the way frauds are happening.

7. If you are hit with a new type of fraud, pass the word on. A loss is a loss to the industry and benefits no one. There is no competition in risk and changes in fraud trends should be openly shared with everyone. You do not have to disclose true information about the perpetrators, but it is important to let everyone know if you are seeing something new.Fraud is ever changing. It is very important that you have a risk monitoring system in place robust enough to make changes as needed. You do not want to be the one the crooks know cannot make updates quickly. Fraudsters will find a vulnerability in a system and then share information with each other. You don't want your company on the list of easy targets.