Pilot Pen G2 Edge

Gift cards present fraud dilemma

Print Friendly, PDF & Email

Payments companies and online retailers alike have their hands full trying to stay on top of fraudulent transactions.

Aaron Press

Aaron Press

For eight years, we’ve been charting the cost of fraud through an annual study, and in 2016 we have found that, while merchants overall lose 1.47% of their revenue to fraud, remote channels such as mobile commerce and international merchants experience greater losses, as well as a higher number of fraudulent transactions per month. Further, large m-commerce retailers lose significantly more dollars per month ($214,000, on average) than do large e-commerce merchants ($136,000), largely because they are unable to stop as many fraud attempts. I’d like to look at one of the most challenging of these scams, one that causes merchants to lose in multiple ways.

I’m talking about the use of fraudulent or stolen credit cards to buy digital gift cards. In fact, any digital product that can be instantly downloaded — media, music, software, video — presents a similar security challenge to the seller. But if someone uses stolen credit credentials to purchase digital gift cards, they are literally buying money — essentially, using stolen money to buy money.

There’s a significant secondary market for digital gifts cards — they’re very easy to monetize, either by reselling them or using them in-store. Here’s an example of how the scam works: A fraudster goes online to an omnichannel retailer’s website, uses stolen credentials to buy gift cards and has them instantly delivered. Before there’s time for the retailer to verify the legitimacy of the transaction, the fraudster has printed it out, walked into a physical store of that retailer, and immediately turned it into merchandise.

There are two factors that make this type of fraud particularly challenging. First is the lack of a physical shipping address. Verifying addresses is a key method for stopping fraud. Even more challenging, however, is the need for instant delivery. This significantly closes the window of opportunity available for fraud checks. With physical goods, the merchant has time between when the order is placed and when it is shipped to do secondary fraud checks or even manual reviews to determine if they wanted to ship that product. Digital goods, however, carry an expectation of instant delivery, removing the time for reviews the retailer might otherwise have had.

So who carries the liability when stolen card credentials are used? If someone walks into a brick-and-mortar store and pays with a counterfeit credit card, and the issuing bank gives the merchant the authorization, then the issuing bank has the liability for the transaction. (This may not be true if the account is tied to an EMV card and the merchant is not EMV compliant, in which case the merchant is
liable.)

For card-not-present (CNP) transactions, however, it works the other way. In e-commerce, if someone uses credentials that don’t belong to them, it is almost always the merchant’s liability. E-commerce merchants carry a much greater burden than their traditional retail counterparts in managing fraud and understanding who their customers really are.

So, for example, if a fraudster goes online to an e-commerce merchant and buys a gift card using a stolen credit card number, the merchant is out that money. And the loss is compounded because that gift card can then be redeemed for merchandise. The retailer is getting hit twice, losing the money and losing the goods. This is especially troubling if the gift card has been resold to an unsuspecting consumer. Even if merchants know the card was obtained through fraud, they may be reluctant to create a bad experience for the consumer.

While it’s possible for retailers to have near-zero losses from fraud, it also means that they will have near-zero sales, as they decline good transactions in an effort to avoid bad ones. And for payments issuers and banks, it’s more evidence that the world of fraud moves faster than they’re able to keep up with.

Managing fraud and knowing who the customer really is has become a high-tech, time-sensitive job of data analysis — and the smart merchant will want to be aware of all available tools to help prevent having to take it on the chin.

Aaron Press is director of payments at LexisNexis Risk Solutions and author of the 2016 LexisNexis True Cost of Fraud Study.


SATIS_728x90_1-25-21


You must be logged in to post a comment Login