Posts filed under 'Fraud'
Lately I've been hearing reports of processors that are starting to charge their customers $19.95 per month for not being PCI compliant. To fix this problem, these processors are requiring their customers to install some PC-based scanning software that is supposed to magically make the business PCI compliant, thereby allowing them to avoid the monthly charge.
Let me start out by saying: This is a bunch of crap!
There is nothing you can simply install on your PC that will make your business PCI compliant. This is so far off course that it can hardly be related to PCI at all. PCI compliance covers every network, computer, piece of hardware and piece of software that plays a part in processing, storing or transmitting cardholder data.
Every business that accepts cards is now required to be PCI compliant, but let me assure you that no single computer program will get any business there. Even if only one computer is used to enter card data, it is unlikely to be the only piece of the puzzle, and even more unlikely that one piece of software can guarantee compliance for the whole environment.
Steps to get compliant:
- Determine whether you need to be PCI compliant. (If you accept credit cards, or play any part in processing a credit card transaction, you do.)
- Determine which merchant level applies to your business (these are the Visa thresholds, counted per year; MasterCard's are similar):
  - Level 1: more than 6 million transactions, or any business that has suffered a hack or data breach, or any business the card associations designate as Level 1.
  - Level 2: 1 million to 6 million transactions.
  - Level 3: 20,000 to 1 million e-commerce transactions.
  - Level 4: fewer than 20,000 e-commerce transactions, or up to 1 million total transactions.
- Fill out the Self-Assessment Questionnaire (SAQ) every year.
- Fix every area you answered 'NO' to on the SAQ.
- All levels: have an Approved Scanning Vendor (ASV) perform quarterly vulnerability scans of any externally facing networks and IP addresses.
- Fix anything the scan fails, rescan to confirm, and keep it fixed.
- Level 1 only: complete an annual on-site assessment by a Qualified Security Assessor (QSA).
- ** Continue to maintain the security of your networks and card information! **
Once you complete all of those requirements, and maintain a secure network and business environment, you are PCI compliant. Most of the details of PCI compliance can be found in the SAQ, and on the PCI Security Standards website.
If you're trying to decide whether PCI compliance is worth it to you, consider this: a security breach moves a business to Level 1 regardless of its volume. The cost of Level 2, 3 and 4 compliance can be as low as a few hundred dollars per year. The cost of Level 1 compliance can easily run to six or seven figures per year.
Some Good PCI Resources:
PCI Answers Blog
PCI Security Standards website
Visa Cardholder Information Security Program
MasterCard SDP Program
May 6th, 2008
Slamming is a situation in the credit card processing industry where a sales agent or an ISO will steal a merchant account from another processor.
This deceitful tactic has been observed in every area of credit card processing, from retail to e-commerce. It is most common with smaller retail shops and restaurants, and seems to be especially prevalent in rural areas where business owners often have a first-name relationship with their merchant account rep. Slamming has a negative impact on the business that was switched, the company it was switched away from, and the processing industry in general.
How slamming happens:
Picture this scenario. You own a clothing shop in a small town in Colorado. One day a person calls or walks into your business claiming he is with your credit card processing company and needs to update your terminal because of new security regulations. He tells you he works with your rep, Sam, who set up your merchant account initially. You know Sam and assume that he must have sent this person to correct your terminal. He has you sign some paperwork, he makes a few phone calls, messes around with your credit card terminal, thanks you and leaves… You've just been slammed!
At the end of the month, you get two bills for your credit card processing. One from the company you originally signed up with which is basically blank, and the other that has all of your transactions on it, but you don't quite recognize the name on it.
What you didn't realize while that person was reprogramming your terminal was that he worked for a different company, and he just switched you to his service. He knew your sales rep Sam's name because most of the businesses in the area process through the same company and Sam is their rep. You may not even have signed an actual contract with him, but he got your signature and your terminal is now programmed for his company. Although what he did was illegal, you now have two merchant accounts, and the second one is a complete mystery as to what you are actually paying, or who you are processing with. Unlike switching providers on your own, you didn't need or want to switch, and you know nothing at all about the new company or what you're going to get with them. Hopefully they actually set you up with a real merchant account, but for all you know this may have been a criminal who installed something to skim every card number that goes through your terminal. Some ex-bankcard technician may be routing your money into their own bank through a stolen merchant account. Just about anything is possible.
How slamming can hurt your business:
- You are now processing through a deceptive company!
- You almost always have extra fees, due to two accounts being open!
- You will most certainly have a termination fee!
- You can possibly be put on the TMF (Terminated Merchant File, also called the MATCH list) if you end your relationship with either company badly!
- There is a now huge potential for fraud and credit card theft through your business!
Simply put, any company that would con a business into using its service is not someone you want to be doing business with. This company just doubled any fixed fees you had, because you now have two accounts open, and you almost certainly have an early termination fee that you will be required to pay once you realize you've been scammed. They have a termination fee because there is a good chance you're going to dump them once you realize what happened. Apart from that, who knows what your fees are, what this company's reputation is, whether they are even a legal business, whether you are going to get all of your money, and so on. This is just a bad position for a business to be in.
Of course this is illegal and you can take recourse against this deceptive company, but lawyers are expensive, and this could become an enormous burden to fight. Additionally, it may be hard to track down who is actually responsible for doing this to you. Many businesses do fight and they usually win, but it takes time and money, which is why slammed businesses often stay with the new company.
How this hurts the merchant services industry:
Reputable service providers spend a lot of money to gain your business, and they spend a lot of money on staff, training and equipment to support your business. It takes months and sometimes years for a processor to recoup the cost of signing a single customer. When merchants are stolen, it has the same effect on a processor that shoplifting has on a retail business. Profit margins sink, and it becomes harder to keep prices and fees where they are. On an industry-wide level, it ends up costing all businesses more, because the lost revenue has to be made up somewhere.
Companies that slam are scum!
Slamming exists because some providers and reps find it easier to steal hard earned customers from honest companies than to provide a service worthy of gaining their own customers. The people doing the slamming are criminals and should not be trusted on any level. Businesses have gone bankrupt, been put on the TMF, have been locked into horrible contracts and paid thousands of dollars because of thieves that do this. There is so much risk to a business that gets slammed, only a true criminal would put an honest business into a risky situation that could cost them their business.
What to do if you're slammed:
First off, do some research to find out who did it to you and when it was done. Usually someone showed up and either switched out your terminal or reprogrammed it while claiming to be with your processor. More than likely an outside agent slammed you, not the company they work for. Luckily, this is the best-case scenario for your business, because you can bypass the agent and deal directly with the company you are now processing through. A sales agent who is out slamming businesses is a huge liability for a processor, so they will be more likely to sympathize with your situation. Make sure that if you close this new account, you will not be charged a termination fee and you will not be put on any sort of TMF/MATCH list. Depending on what you actually signed, it's possible that it was a complete application. Whatever the case, you are the victim of fraud, and you shouldn't have to compromise, not even a penny!

You also need to decide what you want the outcome to be. You can go back to your original company, find a new company, or stay with the current one. Given how your relationship with this new company got started, it's probably a good idea to go elsewhere on principle. If you do decide to leave your original provider, make sure you know whether you are required to pay any sort of termination fee. Most likely your account with them is still open, so going back should be simple and painless, taking maybe a few minutes to get your terminal reprogrammed.
If the provider itself slammed you, you are in a stickier situation. Going straight to the bank they are registered with, or to Visa and MasterCard, may be the best resolution. If you find that the cost is significantly higher, you may need to consult a lawyer or file a report with your police department. If you do decide to call them, go up the chain of command as high as you can. Even if the company is responsible, it was still most likely a rogue salesperson who carried out the slam. Filing reports with the BBB can go a long way toward getting their attention and getting out of their grip. Ripoff Report is another site where you can file a complaint.
(My Ripoff Report advice: only file a Ripoff Report after all other options have been exhausted! You should be 100% certain that you are filing against the correct organization, that there is no chance of an amicable resolution, and that you do not expect anything positive to come from the company. Unlike a BBB report, a Ripoff Report cannot be undone, even by you, and they can be so damaging that there is little chance the company will deal with you at all any more. If you commit libel or slander, you should be prepared for the full legal wrath of the company you reported. Enough said!)
Prevent it!
Don't let anyone reprogram your terminal unless you are certain that they are supposed to and that they work with your current processor. Whether it is over the phone or face-to-face, make sure you know who is changing your terminal, because you just can't know what they may be changing on it. Your money and your business's very existence could be at stake.
March 18th, 2008
A week and a half ago, Visa released a list of POS and other software programs that store prohibited data. Prohibited data here means full magnetic-stripe track data, which Visa and MasterCard specifically forbid merchants from storing after authorization.
These programs store prohibited data and must be replaced or patched for a business to remain in compliance:
- ICVerify All versions prior to 2002, V2X and lower.
- Menusoft Systems Corp. All versions using DDserv.dll prior to V7.3.0350
- Micros 8700 HMS: V1 - V2.11.9, V2.5 - V2.50.20, V2.7 - V2.70.14; 9700 HMS: versions prior to V2.5; RES 3000: V1 - V3.1.2, and V3.2.0
- Posera Software Maitre'D Versions Prior to V2002, Prior to V2003 SP 11, and prior to V2005 SP 3.
- Radiant Systems Aloha: Prior to V5.3.15
- Southern DataComm (SDC) All versions of ConnectUp, All versions of PopsOn, ProtoBase 4.7-x - 4.80-x, and PbAdmin versions 4.01-x and 5.00-x
Businesses need to make sure that their POS system is properly patched. Radiant Systems Aloha, and Micros have a huge number of users, so it is very likely that many businesses using these systems may need to patch their current software.
Don't neglect this!!!
Businesses running these software versions are especially vulnerable and will no doubt be targeted by hackers and thieves for the data they hold. With full track data, a thief can produce working counterfeit copies of real credit cards, which is far worse than losing card numbers alone.
Additionally, businesses that are not compliant risk having major fines assessed against them. If your business is using one of the POS systems listed above, immediately check to see if it needs to be upgraded.
June 14th, 2007
I was looking at this chronology of data security breaches over the weekend, and I realized that the number of breaches that have occurred is absolutely amazing. Over 150 million records have been compromised in the past two and a half years, and this number doesn't account for the fact that the number of compromised records is unknown for about a third of the breaches.
From looking at this we can observe a few solid facts about data security breaches in general. First, the three most common reasons for data to be compromised are lost and stolen laptops and storage devices, disgruntled employees, and hacking.
The Top five data security breaches are:
TJX (T.J. Maxx) (45.7M) - Massive long-term hack
CardSystems (40M) - Hacking of unencrypted data
U.S. Dept. of Veterans Affairs (28.6M) - Stolen laptop (no data known to have been used to date)
iBill (17.7M) - Inside
Georgia Dept. of Community Health (2.9M) - lost disk
These are breaches relating to banks and financial institutions:
CardSystems (40M) - Hacking of unencrypted data
iBill (17.7M) - Inside
CitiFinancial (3.9M) - Lost backup tapes
Bank of America (1.2M) - Lost backup tape
Wachovia, Bank of America (676,000) - Inside
Providence Home Services (365,000) - Stolen backup tapes
Mortgage Lenders Network USA (321,000) - Inside
Ameriprise Financial Inc. (260,000) - Stolen laptop
Ameritrade (200,000) - Lost backup tape
Fidelity Investments (196,000) - Stolen laptop
Iowa Student Loan (165,000) - Lost laptop while being shipped
Firstrust Bank (100,000) - Stolen laptop
People's Bank (90,000) - Lost computer tape
MoneyGram International (79,000) - Hacking
Mercantile Potomac Bank (48,000) - Stolen laptop
J.P. Morgan (47,000) - Tape drive missing
PayMaxx (25,000) - Accidentally exposed online
Bank of America (18,000) - Stolen laptop
Premier Bank (18,000) - Stolen data
KeyCorp (9,300) - Stolen computer
North Fork Bank, NY (9,000) - Stolen laptop
Univ. of Michigan Credit Union (5,000) - Stolen documents
Chase Bank and the former Bank One (4,100) - Documents left in desk that was sold
TransUnion (3,623) - Stolen computer
AllState Insurance (2,700) - Stolen computer
Equifax (2,500) - Stolen laptop
Sovereign Bank (Thousands) - Stolen laptops
West Shore Bank (1,000) - Security break
Westborough Bank (750) - Inside
Ceridian Corp (150) - accidentally posted personal data on website
City National Bank (Unknown) - Lost backup tapes
J.P. Morgan Chase & Co. (Unknown) - Stolen laptop
J.P. Morgan (Unknown) - Information found in trash
Bank of America (Undisclosed) - Stolen Laptop
Bank of America (Unknown) - Internet by former contractor
Bank of America (Limited Number) - Stolen laptop
La Salle Bank, ABN AMRO Mortgage Group (2M) - DHL lost but later found backup tape
Wells Fargo (Unknown) - Stolen computer
M&T Bank (Unknown) - Stolen laptop
Matrix Bancorp Inc.(Unknown) - Stolen laptops
U.S. Bank (Small Amount) - Stolen briefcase
VISA/FirstBank (Unknown) - Visa card processor's compromised data
Home Finance Mortgage, Inc. (Unknown) - Accidentally discarded files
Columbia Bank (Unknown) - Hacking
How we can stop all of this:
The current focus on data security seems to revolve around PCI/CISP compliance and keeping stored data protected. In truth, not putting sensitive data on portable devices at all would do far more good. The biggest cause of data compromise is stolen or lost laptops containing sensitive information, and many of the thefts were from a personal vehicle or an employee's home. Bank of America alone accounts for six entries on the list above (one shared with Wachovia), which is completely unacceptable. Companies, especially ones where trust is a huge factor (banks), need to take a much more serious approach to securing information. Only three of the losses at financial institutions listed here were due to hacking. There really is no excuse for the rest of them.
The next thing I find particularly upsetting is that a huge share of the laptop and portable-storage losses were at government agencies, and the majority of all losses happened at universities or other educational institutions. Our government and educational institutions are obviously not being careful enough with personal information. I won't list all of these because it would take about 10 pages to get them all in.
The bottom line is that everyone needs to take some common-sense precautions with data security. The newest two-million-bit encryption and all the security in the world isn't going to help when an employee loses a laptop with unencrypted sensitive information on it.
May 24th, 2007
I'm a few days behind on this one. I completely forgot to write about it last week, but the PCI and Data Security Compliance Blog reminded me when I saw it in my feed reader.
Last week, the Texas Legislature passed a bill that makes businesses liable for the monetary costs resulting from data security breaches of their systems. The data specifically covered is credit card data (including magnetic-stripe or chip data) and other personally sensitive information. The bill also states that businesses must safeguard sensitive information and must take action if a data security breach is discovered.
Businesses will be responsible for any costs a financial institution incurs when it has to replace customers' cards that may have been compromised, as well as the financial institution's legal fees. More importantly, the business is completely liable for any transactions the bank has to refund to the customer. (This is the first time I have ever seen a bill, law or regulation that moves chargeback liability onto the business where the breach occurred rather than the business that accepted the card.) It is also one of the only logical regulations I have seen regarding the payment processing industry.
The bill does not specify how the data must be stored, so any business that keeps copies of sensitive data, either in an electronic database, or on paper, is subject to this bill. Also, businesses that are PCI compliant are protected.
This is an extremely important bill and I imagine that many states are likely to follow suit. In my opinion the most significant part of this bill is placing liability on the business where the breach occurred. Realistically, this could be a very positive change for online businesses and others that are subject to stolen card fraud. I'm not sure if there is a measurable percentage of fraud that occurs from breaches, but if there is it could definitely help take the load off businesses being hit with this type of fraud.
Texas BILL HB03222E (text document)
Actual Texas BILL HB03222E
Other blogs about this law:
Texas first state to make PCI law - pcianswers.com
PCI Codified into Texas law (nearly) - pcidss.wordpress.com
The Law of PCI - blog.ncircle.com
PCI Takes A Twist - blog.loglogic.com
May 18th, 2007
Visa and MasterCard have two scores used to help calculate how risky a business is that processes with them. Of these scores, one is based on chargebacks, and one is based on returns. Now, two scores may make the title of this seem misleading, but for reasons of simplicity, many processors combine these into a single number for risk assessment.
What this means:
This essentially means that a business's merchant account can be shut down, the business can be penalized, or it can even be placed on the TMF (MATCH file) for having too many chargebacks or 'too many returns'.
You've got to be kidding me:
Most of us view returns as a proactive approach to customer service, so naturally we don't associate returns with risk. You are making your customer happy because you failed to deliver what was owed and are making do. Or because they were complaining a lot, and refunding them was the easiest way to make them happy. Or simply because something got a little messed up and a refund was the appropriate action at the time. Whatever the case, you fixed the problem before it escalated to a chargeback. Good service, right?
Not everyone sees it the same way. When taking a look into risk assessment, there are a few flags that immediately alert that something is wrong. First off, chargebacks are the obvious one. Apart from the occasional, non-recognized name on a statement, or some other frivolous reason, a chargeback usually means your business failed to provide the service agreed upon, and you failed to make your customer happy afterwards. It is not a good thing, and should not be taken lightly, not by the customer making it, and especially not by the business receiving it. Your customer is essentially saying that you failed, and they need a higher power to correct the situation. Getting a lot of chargebacks is very bad!
Now a return, while not as severe as a chargeback, is also an indicator that you, as a business, are not living up to your end of the deal. Businesses will always have returns (customers return merchandise, customers buy the wrong products) and processors know this. But when returns go up a lot in dollar amount, or start becoming very frequent, Visa and MasterCard see it. Your processor sees it too, and can take action to protect its investment in you. With each return there is a chance that you don't have the money available in your account. Since the processing system does not check the balance in your bank account before a refund goes out, the processor risks paying the bill every time. As silly as it sounds, this scares processors, a lot.
What investment do they have in you?
When your processor approves your merchant account, it takes responsibility for all of the money you process. It is financially liable for every penny. If you were to process a million dollars and have it all charged back, the processor gets the bill when you can't pay. For thousands of businesses processing millions or billions of dollars, that is a lot of money to be liable for.
How returns can tip the scale:
Since returns are often weighted into the standard chargeback ratio at the processor level, they can easily push your business over the dreaded 1% mark. For a small business, 1% is not a lot of room. Luckily, returns are usually weighted so that several returns count as one chargeback, but then again returns are far more common than chargebacks.
Conclusion:
This is not meant to scare anyone, but it is definitely something to think about, especially during the post-holiday season. It would be extremely rare for a business to face any repercussions for slightly breaking the 1% mark once, but repeatedly breaking it will most definitely cause some negative reactions.
It is also a good idea to look at your current return policy and amend it if necessary. Rules such as refunding only to the card that made the purchase are not just a good idea; they will help protect you from losing to fraud. Check out this recent post about return fraud. It has some ideas on how to handle return fraud and some good general ideas on how to handle returns.
March 12th, 2007
I just got back from a vacation, which is why the posting had ceased for the past week and a half. The following is a personal summary of a situation that I recently had the pleasure of enduring, and a personal opinion about businesses having fraud committed against them.
The Fraud:
We recently had a situation where a customer committed fraud against us. I am going to avoid disclosing exactly what this person did, because he essentially found a security gap in the processing system that allowed him to steal a lot of money, very quickly and very effectively, and that security gap has not been closed as far as I know. As far as I know, he has stolen over $250,000 from several processors in the US.
Now, when a business is confronted with a situation like this, it is warranted to file a police report, and report it to the FBI and secret service. This is much easier said than done, and most businesses that have fraud committed against them, don't even make it through this process.
To say that law enforcement personnel have no clue about anything related to electronic fraud, or fraud occurring across multiple states is a gross understatement. When trying to report this to the police, we were bounced between police stations about thirty times, and at no point did any person actually know where the fraud should be reported. It didn't matter if we talked to an investigator or a receptionist, nobody knew where this actually needed to be reported.
Eventually, we found that the fraud needs to be reported where it actually occurred, which was in another state from us. We had to do the homework ourselves just to figure out where this needed to be reported.
We then went to report it…
First we had to fight to even get the opportunity to fill out a police report. At this point we were absolutely sure we were filing it with the right state, but nobody at that state agency seemed to believe us (More likely they just didn't want to deal with it). Finally we were introduced to an investigator that agreed that we were doing the correct thing at the correct location. Initially the investigator didn't even believe that this situation could have happened. We are still shocked ourselves that it can happen, but it definitely did happen. After listening to the situation, he sent us some paperwork which was a police report and a bunch of signature documents, and we sent it back. He said he would look into it… The moment we first contacted the police station, to the moment the paperwork was actually filed took four days.
We then went to the secret service to report the situation. While they were much more knowledgeable about situations like this and electronic fraud in general, it didn't appear that our situation was large enough to warrant their investigation. Even so, they said that they would consider it. They took our information and said that they would get back to us. They were very professional, and I wish that the police stations were even remotely as organized. Our entire dealing with the secret service was about 30 minutes, and we felt like we got a lot more accomplished.
In the weeks following the fraud we reported, processors in the US saw several other cases of the same situation with other processors. The total amount grew, and passed $250,000 the last I had heard. It may still be growing.
Finally, after five weeks the police station got back to us and said that they would conduct a formal investigation. We then sent over all of the information that we had, and now we wait again.
No Justice:
The truly sad thing about fraud that is electronic in nature is that there is virtually no recourse once it happens. Unless you have an extraordinary case involving a ring of fraudsters, months' worth of fraud, and millions of dollars in losses, there is virtually no chance that you will ever recover your losses. This person got away with a quarter million dollars in a few weeks, and I highly doubt that he will ever be caught. There were several chances that police could have got him, and there will probably be many more, but the bureaucracy of the system and the sheer quantity of fraud and theft that occurs prevent any quick action, which is what would be required to catch people like this.
This person committing the fraud had better knowledge of the internal workings of the processing industry than any person I have ever talked to. He knew exactly what to do, how to do it, and when to do it, to get away with a lot of money before anything could be done about it, and he did it several times. The last few times, he did it with large financial institutions, while they were looking for it, and he still got away. He is most likely some employee, or ex-employee of a processor or bank, that thoroughly did his homework.
Conclusion on Fraud:
Online and retail businesses need to take appropriate steps to prevent fraud, chargebacks, and data loss before they happen, because the simple truth is that once that fraud is committed, it's already too late to recover anything.
January 16th, 2007
Most businesses that accept credit cards online have become more aware of Payment Card Industry (PCI) security programs such as Visa's CISP and MasterCard's SDP. What I find to be an interesting figure is that very little data loss actually occurs at online businesses.
Roughly 65% of all data security breaches occur at restaurants, the next largest group, retail stores, accounts for about 12%, and the remaining percentage is split between every other type of business out there, including online. The simple truth is that with all the scrutiny of online businesses, card companies have failed to see the actual problem. It is retail businesses where employees and even customers often have direct access to sensitive data. An online business, even one with poor security, would require someone very knowledgeable in networking and computers to compromise its data. Any average Joe can obtain a credit card skimmer and use it at the restaurant where they work.
What this suggests is that somewhere along the line, card companies ignored where data breaches actually occur and just decided to target all online businesses. Now everyone has to jump through hoops when for many there is no realistic risk of a breach, because the information just isn't there to steal.
Security is extremely important for all businesses, and protecting cardholders information is every business's responsibility. Don't store sensitive data if you don't have to, and if you do, make absolutely sure you know how to encrypt and store it properly.
Also, if you use any custom-made POS software system, you may want to check with the programmer that the system is not storing track data. If it is and you get caught, you can be fined up to $100,000 per month until it is fixed. That is just the fine for storing the track data, not for an actual data breach, which could be significantly higher.
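As an added example (not part of the original post or of Visa's list above), here is a scanner a merchant or their programmer could run against POS logs, database exports or terminal journals to check whether full track data is being written to disk, which is the check both this post and the March 2008 list of POS software call for. It looks for the ISO 7813 track 1 and track 2 layouts, confirms each candidate PAN with a Luhn check to cut false positives, and reports only a masked PAN so the scan report does not become another copy of the data. The sample log, cardholder name and dates are constructed; the PANs are the standard Visa and MasterCard test numbers.

```python
import re
from pathlib import Path
from typing import List, NamedTuple

# ISO/IEC 7813 track layouts as they appear in raw swipe output:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


class TrackHit(NamedTuple):
    track: int        # 1 or 2
    offset: int       # byte offset of the start sentinel in the scanned data
    masked_pan: str   # first six and last four digits only
    expiry: str       # YYMM as stored on the stripe


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; screens out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Never write a full PAN into a scan report; that would be a second copy."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(data: bytes) -> List[TrackHit]:
    """Return every track 1 / track 2 string in `data` whose PAN passes Luhn."""
    hits = []
    for m in TRACK1_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), mask_pan(pan), m.group(3).decode("ascii")))
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), mask_pan(pan), m.group(2).decode("ascii")))
    return sorted(hits, key=lambda h: h.offset)


def scan_path(path: str) -> List[TrackHit]:
    """Scan one file (a POS log, database dump or journal) read as raw bytes."""
    return find_track_data(Path(path).read_bytes())


# Constructed sample: a POS debug log that echoes raw swipe data. The PANs are
# the well-known Visa/MasterCard test numbers; the name and dates are made up.
SAMPLE_LOG = (
    b"2008-03-12 18:02:11 swipe ok\n"
    b"raw=%B4111111111111111^DOE/JOHN^1012101123456789?\n"
    b"raw=;5500000000000004=1012101123456789?\n"
    b"raw=;4111111111111112=1012101000000000?\n"   # track 2 shape, fails Luhn
    b"2008-03-12 18:02:12 auth approved\n"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(f"track {hit.track} at offset {hit.offset}: PAN {hit.masked_pan} exp {hit.expiry}")
```

Run it directly to see the sample output, or call `scan_path()` on each file under the POS installation and data directories. Two caveats: it only finds track data stored with its sentinel characters intact, so a system that strips them and keeps bare PANs needs a plain 13-19 digit Luhn search as well, and a clean scan of today's files says nothing about what the software wrote in the past or what the vendor's patch actually changed.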
November 28th, 2006
With the busiest shopping season for many retail and internet merchants right around the corner, businesses are prepping for the holiday chaos. The busy shopping season also brings the largest season for consumer fraud. Consumer fraud against merchants including 'return fraud' costs businesses billions of dollars a year.
With an estimated 3.5 Billion dollars of return fraud during this holiday season, it is very likely that most businesses will be affected by return fraud in some way.
What is return fraud?
Return fraud is when a consumer returns merchandise to a store, with a purpose other than a genuine return. I did some research on return fraud, and found a couple of main types of return fraud that businesses will see.
Returning multiple items on the same receipt is when a customer makes multiple copies of a receipt and uses them to return a quantity of an item that was bought once. They may also purchase items at a discount and return them to another store with higher prices using the fake receipts.
Returning a lower priced item in a higher priced item's packaging. This occurs when a customer purchases two similar-looking items at very different prices. The customer then puts the lower priced item in the higher priced package, returns it, and keeps the higher priced item.
Renting stuff is a very common type of fraud for electronics and clothing retailers. A customer will buy some electronic device, or some piece of expensive clothing, use it and then return it. Businesses usually can't sell the returned goods for full price, and take a loss when they discount them. This is more common with higher dollar merchandise.
Stolen merchandise returns occur when someone tries to get a refund on merchandise that was stolen, often from the same business the return is taking place at. Employees may also steal merchandise and then have an acquaintance return it for cash.
Counterfeit Money actually tops the entire list of the most common form of return fraud, and can consist of fake checks, or counterfeit cash used to pay for merchandise, and then later the customer tries to return it for real cash.
Employee return credit fraud is one of the most common types of fraud that exists. An employee will issue a credit on their own, or a friend's credit card through a business's credit card terminal. This is often overlooked by managers or employers as it can appear as a legitimate refund.
How return fraud costs a business:
Businesses lose to return fraud in several ways. They may be buying merchandise that they never sold, or that was stolen from them.
Businesses may not be able to resell the merchandise that was returned if it were heavily used, or it was simply something that cannot be resold.
A business may be making a payment to one of its employees, or may be losing money by accepting a deceptively returned product.
Ways to combat return fraud:
A business should have a very clear return and refund policy outlined for their customers, and they should stick to it. I think it should be fair, as there are situations where returns are completely legitimate, but strict enough to stop some of the fraud that is likely to occur.
Businesses should not accept returns without a receipt, and if they do decide to accept a return without a receipt, store credit should be issued instead of cash. Also, if a customer made a purchase with a debit or credit card, the return should always be credited to that exact card. This is also an important chargeback prevention measure. If a business gives cash and then the customer charges back a transaction, the business can lose the chargeback in addition to the money they already refunded.
Implementing a system that keeps track of returned receipt numbers will prevent fraud from copied receipts. For some businesses this may not be a cost-effective option, but some system should be used to keep track of returns in the event that electronic means are unavailable.
Employee return credit fraud can be combated by configuring the business's credit card machine or POS system to require a password or key to perform a return. Most credit card machines and POS systems can be set up with some type of security to prevent this type of fraud.
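The three controls above (refund only to the original card, track how much of each receipt has already been returned, and require an authorized user for any return) fit together as one authorization check at the POS. The following is an added example, not code from the post or from any POS vendor; the receipt numbers, SKUs, user names and card tokens are constructed sample data, and the card is represented by an opaque token rather than a card number, in line with the post's advice not to store sensitive data.

```python
from dataclasses import dataclass, field


@dataclass
class Receipt:
    """One sale as the POS recorded it (constructed sample data)."""
    number: str
    tender: str      # "CASH" or an opaque card token, never a card number
    items: dict      # sku -> quantity purchased


@dataclass
class ReturnLedger:
    """Authorizes returns and remembers what each receipt has already returned."""
    receipts: dict                      # receipt number -> Receipt
    authorized_users: set               # users holding the return key/password
    returned: dict = field(default_factory=dict)  # receipt -> {sku: qty returned}

    def authorize_return(self, receipt_no, sku, qty, refund_to, user):
        """Return (decision, reason); decision is APPROVE, DENY or STORE_CREDIT."""
        # Control 3: a return needs the return key/password, so a clerk
        # cannot quietly credit their own card.
        if user not in self.authorized_users:
            return ("DENY", "return requires an authorized user")
        if qty <= 0:
            return ("DENY", "quantity must be positive")
        # Control 1: without a receipt, only store credit is issued.
        if receipt_no is None:
            return ("STORE_CREDIT", "no receipt: store credit only")
        receipt = self.receipts.get(receipt_no)
        if receipt is None:
            return ("DENY", "unknown receipt number")
        bought = receipt.items.get(sku, 0)
        if bought == 0:
            return ("DENY", "item not on this receipt")
        # Control 2: copied receipts cannot return more than was bought.
        already = self.returned.get(receipt_no, {}).get(sku, 0)
        if already + qty > bought:
            return ("DENY", f"only {bought - already} of {bought} still returnable")
        # Control 1: card purchases are refunded to the same card only,
        # which also closes the cash-refund-plus-chargeback gap.
        if receipt.tender != "CASH" and refund_to != receipt.tender:
            return ("DENY", "card purchase must be refunded to the same card")
        self.returned.setdefault(receipt_no, {})[sku] = already + qty
        return ("APPROVE", "ok")


def build_sample_ledger():
    """Constructed receipts: one card sale of two units, one cash sale."""
    receipts = {
        "R1001": Receipt("R1001", "tok_4a9f", {"SKU-A": 2}),
        "R1002": Receipt("R1002", "CASH", {"SKU-B": 1}),
    }
    return ReturnLedger(receipts=receipts, authorized_users={"mgr"})


def run_demo():
    """Walk through the fraud patterns from the post; returns the decisions."""
    ledger = build_sample_ledger()
    attempts = [
        ("R1001", "SKU-A", 1, "tok_4a9f", "mgr"),   # genuine return
        ("R1001", "SKU-A", 2, "tok_4a9f", "mgr"),   # copied receipt, over quantity
        ("R1001", "SKU-A", 1, "CASH", "mgr"),       # cash refund of a card sale
        ("R1002", "SKU-B", 1, "CASH", "clerk"),     # clerk without the return key
        (None, "SKU-B", 1, "CASH", "mgr"),          # no receipt
        ("R1001", "SKU-A", 1, "tok_4a9f", "mgr"),   # second unit, still allowed
        ("R1001", "SKU-A", 1, "tok_4a9f", "mgr"),   # receipt now exhausted
    ]
    return [ledger.authorize_return(*a)[0] for a in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The ledger only needs the receipt number, tender token and line quantities, so it can be kept on the POS itself or on a paper log when the terminal is offline; the decisive part is that the denied attempts are rejected before any money moves, and the approved ones are recorded so the same receipt cannot be reused.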
Return fraud normally occurs on Friday, Saturday, and Sunday. Since these are the busiest shopping days, fraudsters go then because there is a good chance that their return will be overlooked.
Who's a target?
The biggest targets of return fraud aren't necessarily large retailers, as these companies often have complex returning systems designed to prevent return fraud. Target now only allows two non-receipt returns per year, per customer, and many other super retailers are taking similar measures. Take the time to look at your current setup and determine if you are a possible target of return fraud.
Your customers make your business possible, but not every person who visits your store is doing it for legitimate purposes. It is always a good practice to make customers happy, but care should be taken that a business isn't being taken advantage of in the process.
November 15th, 2006
If you accept credit cards online, this chart is for you. This chart is a simple breakdown of the PCI data compliance levels and requirements. If you accept transactions online, you fall into one of these levels. This chart explains what the requirements are to be in a specific category, and what a merchant must do to remain compliant.
The yearly cost for a level 2, 3 or 4 merchant is around $150, while the yearly cost for a level 1 merchant is more than $30,000. Because of this, it is extremely important not to ever have a data compromise. I personally recommend not storing any sensitive data online, at all, and if it is stored offline, access should be highly restricted and the data should be encrypted. Track data should never be stored anywhere, under any circumstance.
If you have a data compromise and cardholder data is stolen, you should expect upwards of $100,000 in fines, arbitration fees, and regulatory requirements, in addition to the added cost of Level 1 PCI certification.
| Level | Definition | Requirement | Deadline |
| --- | --- | --- | --- |
| Level 1 | Over 6 million annual Visa or MasterCard transactions; any merchant that suffered a hack or attack that resulted in a data compromise; any merchant that card associations, at their discretion, determine should meet requirements | On-site assessment by approved QDSA on Visa's website; quarterly vulnerability scan by approved scanning vendor | September 30, 2004 (1 year for new Level 1 merchants) |
| Level 2 | Visa: 1M - 6M annual transactions; MC: 150K - 6M annual transactions | Self assessment questionnaire and quarterly vulnerability scan by approved scanning vendor | June 30, 2005 (Sep 30, 2007 for new Level 2 Visa merchants) |
| Level 3 | Visa: 20K - 1M annual transactions; MC: 20K - 150K annual transactions | Self assessment questionnaire and quarterly vulnerability scan by approved scanning vendor | |
| Level 4 | Less than 20K ecommerce or 1M total Visa and MC transactions | Self assessment questionnaire and quarterly vulnerability scan by approved scanning vendor | Dates determined by merchant's acquirer |
October 25th, 2006