Credit card fraud has been an issue for consumers and businesses since the boom in credit card use in the 1980s (leg warmer shopping spree, anyone?).
But since the EMV liability shift, which came into full effect in April 2018, the burden has shifted. Now, business owners need to learn ways to prevent credit card fraud to avoid footing the bill for fraudulent charges.
The EMV liability shift is the change in responsibility for charges made with a fraudulent credit card, from banks to businesses. Before the shift, the card issuer (i.e. the bank) was liable for fraudulent charges and would have to absorb the costs. After the shift, businesses became liable for fraudulent charges over $25.
EMV cards – chip-based debit and credit cards designed to increase security and prevent fraud – are now the global gold standard. So, if someone tries to pay with a fraudulent EMV card and your venue processes the payment by magstripe (swipe) instead of with an EMV reader (tap or dip), you’ll be liable for fraudulent charges. That means footing a fraudster’s bill out of pocket, whether it’s for a $30 lunch or a lavish $300 five-course meal. Ouch.
That’s right, folks. Credit card fraud is no joke. That’s why it pays to learn all you can about how to protect your restaurant against EMV chargebacks – because ultimately you’ll be preventing credit card fraud for your customers, too.
Credit card fraud is when someone steals payment card information, a personal identification number (PIN), or a person’s actual physical card and uses it to pay for something.
There are two main types of credit card fraud:
Card Not Present (CNP) transactions: phone and online orders where the information is entered manually
Card Present (CP) transactions: the physical card is used for payment
Credit card fraud is a growing risk for restaurants because the industry has been slow in implementing EMV.
Because EMV compliance is not required by law, many restaurateurs simply aren’t changing the way they process payments. They say the cost of buying new hardware or software needed for EMV compliance is just too high to justify the switch.
We know your profit margins are slim, but this trend makes restaurants a target for CP fraud. Fewer security measures at bars and restaurants make it easier for fraudsters to use counterfeit and stolen cards – and get away with it.
But that’s not the only reason. The risk of CNP fraud at restaurants is also growing, with a couple of causes.
The credit card fraud threat is real, no matter where your orders are coming from.
Learning about the EMV liability shift, credit fraud, and growing risks is a good first step toward prevention. But how do you take that knowledge and use it to actually guard against credit card theft at your restaurant?
Here are seven security measures you should know to protect your business against paying credit card chargebacks.
According to Visa, U.S. merchants that have switched to EMV readers have seen a 66% decline in counterfeit fraud within a two-year time span. Decline in fraud means a decline in chargeback liability.
Chargebacks were created to protect consumers from fraudulent charges. They occur when a cardholder disputes certain charges made to their account. When a chargeback is issued due to a lost or stolen card, the bank issues a reversal of funds – which means if chargebacks happen at your business, you’re responsible for soaking up the costs associated with each chargeback.
So make sure your payment processor is equipped to accept EMV payments, which can significantly reduce the likelihood of fraudulent charges happening at your restaurant.
A restaurant usually achieves PCI compliance by making sure its payment processor and/or POS are PCI compliant. PCI compliance is a security standard set by the payment card industry to protect businesses and consumers from cybercriminal activity.
But if your restaurant is gathering and storing customer data, that means you are the one who must be PCI compliant. Here are 12 steps to ensuring data is protected before, during, and after transactions.
Note that some point of sale companies store credit card information in their own systems and others do not. POS companies that do not store information are considered more secure because they don’t handle or store any sensitive payment information.
Imagine the following scenario: you’ve just swiped a customer’s card with the number 6117 0987 2342 1800. Someone hacks into your server hoping to gain access to the card number, so they can copy it and use it.
But, because your payment processing company uses tokenization, that card number is no longer stored on-site – instead it’s pushed off-site to an ultra secure location. A “token”, or unique set of numbers and letters, sits in place of the original number.
This token is generated at random and can’t be decoded back to its original number. Regardless of whether the card was swiped or dipped, the card information is still protected from cybercriminal activity.
Tokenization is one way merchant service providers can keep card data secure throughout the transaction process, because the data is protected even when the point of sale is at rest.
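The scenario above, as an added Python sketch that is not part of the original article or any processor's real API: the card number is swapped for a random token before the merchant stores anything, so an intruder reading the merchant's records finds nothing that looks like a card number. TokenVault, charge and exposed_card_numbers are hypothetical names, and the vault is an in-memory stand-in for the processor's off-site system.

```python
import secrets


class TokenVault:
    """Constructed stand-in for the processor's off-site vault (in-memory only)."""

    def __init__(self):
        self._pan_by_token = {}  # the only place the real card number lives

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not looks_like_card_number(digits):
            raise ValueError("not a card number")
        # The token comes from a CSPRNG, not from the card number, so there is
        # nothing to "decode": no key or algorithm maps it back.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        # Only a lookup inside the vault recovers the number.
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


def looks_like_card_number(value: str) -> bool:
    digits = value.replace(" ", "")
    return digits.isdigit() and 13 <= len(digits) <= 19


def charge(vault, merchant_records, pan, amount):
    """Merchant side: swap the number for a token before anything is stored."""
    token = vault.tokenize(pan)
    merchant_records.append({"card": token, "amount": amount})
    return token


def exposed_card_numbers(merchant_records):
    """What an intruder reading the merchant's records would find."""
    return [r["card"] for r in merchant_records if looks_like_card_number(r["card"])]


def demo():
    vault, records = TokenVault(), []
    pan = "6117 0987 2342 1800"  # the sample number from the article
    t1 = charge(vault, records, pan, 30.00)
    t2 = charge(vault, records, pan, 300.00)
    return t1, t2, exposed_card_numbers(records), vault.detokenize(t1)
```

Running the same scan over real stored records (order history, receipts, logs) is a quick way to confirm that no raw card numbers are being kept on-site.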
Point-to-point encryption (P2PE) is the standard set by the PCI Security Standards Council as another way credit card processing companies can protect user information. When the card is swiped through the card reading device via your POS, the card reader instantly encrypts the card data. The encrypted data is then securely sent to the payment processing company for decryption.
Unlike tokenization, which turns card information into a random set of numbers and letters that can’t be decoded, P2PE uses an algorithm to make card data unreadable to everyone except the end receiver of the information – who is then able to convert it back into its original form.
P2PE protects both merchants and cardholders from cyber security breaches, making every transaction more secure.
More and more consumers are choosing to use mobile payment apps like Apple Pay, Android Pay, Google Wallet, or Chase Pay. Why? Convenience is a big factor. But so is safety.
In some ways, mobile payments are actually safer than traditional credit card payments because a consumer’s financial information isn’t transferred during the transaction. Only a coded version of the data is used to authorize a payment.
But mobile payment is also safer for the business accepting that payment – which they can set up through a modern POS – because most phones already require one- or two-factor authentication, making the data harder to hack and a stolen phone harder to use.
With third-party online ordering solutions (TOOS) like Uber Eats, ChowNow, and DoorDash on the rise for restaurants, Card Not Present (CNP) fraud is a growing risk.
These apps send orders to your restaurant, either directly to your POS through an integration partner like Chowly, or to a separate system that needs to be manually entered into your POS.
While the order goes to you, these apps process payment for their customers through their own platforms, meaning restaurants aren’t selling directly to customers.
However, if you are using one or more of these takeout or delivery partners, make sure:
Imagine purchasing fancy new kitchen equipment without teaching back-of-house staff how to use it. Money down the drain.
Protecting your restaurant against credit card fraud requires similar training. Now that your business is liable for fraudulent charges, you’re going to want to teach your staff to spot a fraudster from a mile away.
When training your staff, focus on these five areas:
It’s difficult to recognize credit card fraud as it’s happening, especially when there’s a morning caffeine rush or the dining room gets slammed after a football game.
But you can teach your staff how to spot potential signs of fraud. The top signs are:
Create a step-by-step list of what to do if a staff member suspects credit card fraud. This can include things like:
While these steps should be clearly laid out for employees, training should also emphasize how to make fraud prevention a seamless part of every transaction, since you want measures to be safe but have minimal impact on the business.
While most banks are now only issuing EMV-chip cards, it’s still important to make sure your staff know how to recognize the difference between a chip-enabled card and a traditional magstripe card.
EMV cards have a small, metal rectangle (usually gold or silver) on the front of the card, above the numbers. If the card has this chip, your staff should be using the EMV reader, not swiping the card.
Bonus tip: Make sure your staff know about the EMV liability shift. If they know your business is on the hook for fraudulent charges, they’ll be more apt to keep an eye out for fraud.
An EMV card can be read in two ways, and different readers will have one or both of these methods built into their design:
Traditionally at full service restaurants, a server takes a credit card away from the table to process the payment, returning with a printed authorization for the customer to add a tip and sign.
However, with EMV readers, your staff should be trained to leave the card in the hands of the customer. This helps eliminate both suspicion from customers and opportunity for staff to copy credit card data.
Make sure your staff know never to:
Credit card fraud prevention starts with businesses that make it difficult for fraudsters to make transactions. When you take the time to make sure your transactions are as secure as possible, you’re protecting your business and your customers.