Credit card fraud has been an issue for consumers and businesses since the boom in credit card use in the 1980s (leg warmer shopping spree, anyone?).
But since the EMV liability shift, which came into full effect in April 2018, the burden has shifted. Now, business owners need to learn ways to prevent credit card fraud to avoid footing the bill for fraudulent charges.
What Is the EMV Liability Shift?
First things first, it’s important to answer the question, “what is EMV?”
Put simply, the EMV liability shift is the change in responsibility for charges made with a fraudulent credit card, from banks to businesses. Before the shift, the card issuer (i.e. the bank) was liable for fraudulent charges and would have to absorb the costs. After the shift, businesses became liable for fraudulent charges over $25.
EMV cards – chip-based debit and credit cards designed to increase security and prevent fraud – are now the global gold standard. So, if someone tries to pay with a fraudulent EMV card and your venue processes the payment by magstripe (swipe) instead of with an EMV reader (tap or dip), you’ll be liable for fraudulent charges. That means footing a fraudster’s bill out of pocket, whether it’s for a $30 lunch or a lavish $300 five-course meal. Ouch.
That’s right, folks. Credit card fraud is no joke. That’s why it pays to learn all you can about how to protect your restaurant against EMV chargebacks – because ultimately you’ll be preventing credit card fraud for your customers, too.
What Is Credit Card Fraud?
Credit card fraud is when someone steals payment card information, a personal identification number (PIN), or a person’s actual physical card and uses it to pay for something.
There are two main types of credit card fraud:
- Card Not Present (CNP) transactions: phone and online orders where the information is entered manually
- Card Present (CP) transactions: the physical card is used for payment
Why Is Credit Card Fraud a Growing Risk for Restaurants?
Credit card fraud is a growing risk for restaurants because the industry has been slow in implementing EMV.
Because EMV compliance is not required by law, many restaurateurs simply aren’t changing the way they process payments. They say the cost of buying new hardware or software needed for EMV compliance is just too high to justify the switch.
We know your profit margins are slim and credit card fees can be costly, but this trend makes restaurants a target for CP fraud. Fewer security measures at bars and restaurants make it easier for fraudsters to use counterfeit and stolen cards – and get away with it.
But that’s not the only reason. The risk of CNP fraud at restaurants is also growing, with a couple of causes.
- More consumers are placing orders by phone, online, or through takeout and delivery apps, where there are fewer methods to authenticate purchases.
- Fraudsters are targeting restaurants that don’t have EMV readers by contesting charges made with real EMV cards and forcing restaurant owners to pay the chargebacks. According to a CBS report, 86% of all chargebacks are, in fact, fraudulent.
The credit card fraud threat is real, no matter where your orders are coming from.
Learning about the EMV liability shift, credit fraud, and growing risks is a good first step toward prevention. But how do you take that knowledge and use it to actually guard against credit card theft from happening at your restaurant?
Here are seven security measures you should know to protect your business against paying credit card chargebacks.
1. Get an EMV Reader
According to Visa, U.S. merchants that have switched to EMV readers have seen a 66% decline in counterfeit fraud within a two-year time span. Decline in fraud means a decline in chargeback liability.
Chargebacks were created to protect consumers from fraudulent charges. They occur when a cardholder disputes certain charges made to their account. When a chargeback is issued due to a lost or stolen card, the bank issues a reversal of funds – which means if chargebacks happen at your business, you’re responsible for soaking up the costs associated with each chargeback.
So make sure your payment processor is equipped to accept EMV payments, which can significantly reduce the likelihood of fraudulent charges happening at your restaurant.
2. Make Sure You Are PCI Compliant
A restaurant is usually PCI compliant because its payment processor and/or POS are PCI compliant. PCI compliance is a security standard set by the payment card industry to protect businesses and consumers from cybercriminal activity.
But if your restaurant is gathering and storing customer data, that means you are the one who must be PCI compliant. Here are 12 steps to ensuring data is protected before, during, and after transactions.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords.
- Protect stored data.
- Encrypt transmission of cardholder data across open, public networks.
- Use regularly updated anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Note that some point of sale companies store credit card information in their own systems and others do not. POS companies that do not store information are considered more secure because they don’t handle or store any sensitive payment information.
3. Make Sure Your Payment Processor Uses Tokenization
Imagine the following scenario: you’ve just swiped a customer’s card with the number 6117 0987 2342 1800. Someone hacks into your server hoping to gain access to the card number, so they can copy it and use it.
But, because your payment processing company uses tokenization, that card number is no longer stored on-site – instead it’s pushed off-site to an ultra secure location. A “token”, or unique set of numbers and letters, sits in place of the original number.
This token is generated at random and can’t be decoded back to its original number. Regardless of whether the card was swiped or dipped, the card information is still protected from cybercriminal activity.
Tokenization is one way restaurant merchant services providers can keep card data secure throughout the transaction process, because the data is protected even when the point of sale is at rest.
4. Use Point-to-Point Encryption
Point-to-point encryption (P2PE) is the standard set by the PCI Security Standards Council as another way credit card processing companies can protect user information. When a card is swiped through the card reader connected to your POS, the reader instantly encrypts the card data. The encrypted data is then sent securely to the payment processing company for decryption.
Unlike tokenization, which turns card information into a random set of numbers and letters that can’t be decoded, P2PE uses an algorithm to make card data unreadable to everyone except the end receiver of the information – who is then able to convert it back into its original form.
P2PE protects both merchants and cardholders from cyber security breaches, making every transaction more secure.
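The difference between tokenization (section 3) and P2PE (section 4), as an added Python sketch that is not from the original article or from any payment processor's code. `TokenVault`, `p2pe_encrypt`, `p2pe_decrypt` and `merchant_breach_view` are hypothetical names, and the HMAC-based keystream is a stand-in for the card reader's real cipher so the example runs with the standard library only.

```python
import hashlib
import hmac
import secrets

PAN = "6117098723421800"  # the sample card number from the scenario in section 3


class TokenVault:
    """Stands in for the processor's off-site vault (hypothetical class)."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan):
        # The token is pure randomness: nothing about the card number goes into it.
        token = secrets.token_hex(8)
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        # Only the vault can map a token back, by lookup rather than by decoding.
        return self._by_token[token]


def _keystream(key, nonce, length):
    # Toy keystream: HMAC-SHA256 in counter mode. A stand-in (assumption),
    # not the cipher a real P2PE reader uses.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def p2pe_encrypt(key, pan):
    # Reader side: a fresh nonce per swipe, then XOR with the keystream.
    nonce = secrets.token_bytes(12)
    data = pan.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def p2pe_decrypt(key, blob):
    # Processor side: the key holder converts the data back to its original form.
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def merchant_breach_view(vault, key):
    """What sits on the merchant side after one sale under each scheme."""
    return {"stored_token": vault.tokenize(PAN), "in_transit": p2pe_encrypt(key, PAN)}
```

Neither value on the merchant side contains the card number: the token can only be resolved by the vault, and the encrypted blob only by whoever holds the key.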
5. Set Up Mobile Payment for Your POS
More and more consumers are choosing to use mobile payment apps like Apple Pay, Android Pay, Google Wallet, or Chase Pay. Why? Convenience is a big factor. But so is safety.
In some ways, mobile payments are actually safer than traditional credit card payments because a consumer’s financial information isn’t transferred during the transaction. Only a coded version of the data is used to authorize a payment.
But mobile payment is also safer for the business accepting that payment – which they can set up through a modern POS with integrated payments – because most phones already require one- or two-factor authentication, making the data harder to hack and a stolen phone harder to use.
6. Review Contracts with Third-Party Online Ordering Solutions
With third-party online ordering solutions (TOOS) like Uber Eats, ChowNow, and DoorDash on the rise for restaurants, Card Not Present (CNP) fraud is a growing risk.
These apps send orders to your restaurant, either directly to your POS through an integration partner like Chowly, or to a separate system that needs to be manually entered into your POS.
While the order goes to you, these apps process payment for their customers through their own platforms, meaning restaurants aren’t selling directly to customers.
However, if you are using one or more of these takeout or delivery partners, make sure:
- Your partnership contract with them does not hold you liable when the app accepts an order using a fraudulent card.
- They have data security policies in place to prevent credit card fraud.
7. Provide Hands-On Training for Staff
Imagine purchasing fancy new kitchen equipment without teaching back-of-house staff how to use it. Money down the drain.
Protecting your restaurant against credit card fraud requires similar training. Now that your business is liable for fraudulent charges, you’re going to want to teach your staff to spot a fraudster from a mile away.
When training your staff, focus on these five areas:
Spot signs of credit card fraud
It’s difficult to recognize credit card fraud as it’s happening, especially when there’s a morning caffeine rush or the dining room gets slammed after a football game.
But you can teach your staff how to spot potential signs of fraud. The top signs are:
- The first number is wrong for the type of card they have (American Express always starts with 3; Visa is 4; Mastercard is 5; and Discover is 6)
- The magnetic strip is made of the same material as the rest of the card
- A customer seems especially anxious or in a hurry to leave the restaurant
- A customer refuses to produce identification when requested by a staff member
Create a step-by-step list of what to do if a staff member suspects credit card fraud. This can include things like:
- Asking for a different form of payment
- Consulting with a manager
- Contacting the card issuer
While these steps should be clearly laid out for employees, training should also emphasize how to make fraud prevention a seamless part of payment processing, since you want measures to be safe but have minimal impact on the business.
Recognize EMV cards
While most banks are now only issuing EMV-chip cards, it’s still important to make sure your staff know how to recognize the difference between a chip-enabled card and a traditional magstripe card.
EMV cards have a small, metal rectangle (usually gold or silver) on the front of the card, above the numbers. If the card has this chip, your staff should be using the EMV reader, not swiping the card.
Bonus tip: Make sure your staff know about the EMV liability shift. If they know your business is on the hook for fraudulent charges, they’ll be more apt to keep an eye out for fraud.
Instruct customers to dip or tap cards
An EMV card can be read in two ways, and different readers will have one or both of these methods built into their design:
- Dip: The card is inserted into the EMV reader. Staff should instruct customers to keep the card inserted until the transaction is complete.
- Tap: The card is quickly placed on the EMV reader screen. Communication from the card to the unit is wireless. Tapping is more common in Canada and Europe, but more American banks are incorporating this method. Staff should direct customers to use this method if it’s available, since it’s the most secure way to pay.
Leave cards in the hands of customers
Traditionally at full service restaurants, a server takes a credit card away from the table to process the payment, returning with a printed authorization for the customer to add a tip and sign.
However, with EMV readers, your staff should be trained to leave the card in the hands of the customer. This helps eliminate both suspicion from customers and the opportunity for staff to copy credit card data.
Know what NOT to do
Make sure your staff know never to:
- Accept a damaged card
- Manually enter a card number
- Let a customer swipe a card when it has an EMV chip
Credit card fraud prevention starts with businesses that make it difficult for fraudsters to make transactions. When you take the time to make sure your transactions are as secure as possible, you’re protecting your business and your customers.