September 25, 2018
Not too long ago, manual credit card imprinters used to be the norm at any cashier’s station. The customer would wait while the cashier pulled out a clunky looking machine and made an imprint on the card used for the purchase. Nowadays, we have contactless payments, and the whole process moves along much smoother. However, it seems that the new tech has also brought about its fair share of controversy.
In a recent video, a man is shown using a card terminal to process a contactless payment from an unsuspecting victim with a cell phone in his pocket. The man put the payment machine close to the victim’s pocket, and the machine detected the card and processed the payment. The video has stirred controversy in the payments industry.
Contactless payment technologies use radio-frequency identification, which can be implemented on phones, watches, and other wearable devices. For this reason, viewers have expressed concern over the possibility to commit fraud using payment terminals. If a person can use the machine to process a payment from a card tucked away in someone’s back pocket within their wallet, then it could potentially be even easier to get it from phones and watches. Card readers can detect this frequency anywhere from 4 to 10 centimeters away, making it a high possibility that people might start using this tech to steal money from unsuspecting individuals.
While there have been documented cases of people who have had their money stolen, contactless payment theft is not a threat. All merchants have taken the necessary extra steps to ensure you are secured against contactless payment fraud.
Payment Terminal Providers, also known as Merchant Service Providers (MSPs), are often middlemen between payments processing companies like Visa and MasterCard and merchants. They require strict background checks for signing merchants up to the MSPs network to use payments software and terminals.
The merchant application process is lengthy and thorough. It involves some if not all of the following steps:
Verifying the identity of the business owners (checking the business registrations and IDs).
Checking past merchant account history if applicable.
Analyzing the business operation (looking at the website, content, business model, operations).
Making sure the business is following credit card network security rules.
Checking credit scores.
Fraud can fall on any party if there is a serious breach or negligent action, but typically, fraud falls on the issuing bank or merchant. Many MSPs provide free equipment upfront. The merchants pay it back through transaction fees. As such, background checks are processed to reduce risk. MSPs put their reputation on the line if they sign a fraudulent business, which could result in a case of legal liability, such as money laundering. Background checks help prevent those types of situations.
MSPs also risk losing money on every transaction that has to be returned to the consumers if the merchant makes a mistake. The transaction fees are not refunded, which is where the majority of profit risk lies. This process makes it incredibly difficult for fraudulent businesses to be onboarded.
Aside from having a strict onboarding process, MSPs have a thorough underwriting procedure to catch fraudsters. It’s divided into three separate categories.
In the first category, known as the customer identity verification stage, the initial pieces of information which validate the identity of the applicant are analyzed. This includes the collection of documents such as ID and other corporate registration documents. Other static data is taken into account, like location, address, and account information. There are also commercial history checks and blacklist checks. In e-commerce, a web crawler is used to detect harmful traffic.
The second category is called the counterparty credit check. This is where the commercial background of the managers and corporations (i.e., how long they’ve been in business or the industry) is observed. The Merchant Category Code (MCC) is checked for validity, as well as an assessment of transactions volume, geographic footprint, and credit score.
The final category activates the customer by doing a final review of all the submitted documents. This is done to review the applicant submission and confirm that all the necessary papers are valid and in order.
Fraudsters would have to be quite sophisticated to jump through all of the legal and underwriting hoops. They would have to fake an entire business to qualify for a legitimate business, and any one of the above steps (background check, credit check, transactions analysis, etc.) could result in a denial or raise a red flag. The process is thorough and strict because of the amount of information and number of questions that are tied to personal identification and authentic registration.
Regardless of how strict the processes are for onboarding and underwriting merchants, there will still be a certain number of fraudulent applications from people trying to slip through the cracks. This is why MSPs use IP trackers.
Whenever someone connects to a server, they exchange their computer’s IP address with the one that the server provides. When the IP address tracker detects the origin of the computer, that’s how MSPs find fraudulent applications. IP trackers capture IP addresses from the businesses that are applying. As such, it is very easy for the MSPs to identify someone in a foreign country applying as a merchant from Ohio, for example. The fraudster will access the MSPs’ online portal, and the IP trackers immediately narrow down the location of the computer.
Software and machine learning has also been developed, which checks to see if bits of an application have ever been used in past merchant applications. This is because it is becoming more commonplace in merchant onboarding software. The info can be checked against merchant accounts that have been terminated before or are associated with other flagged products or businesses.
Even with the added backup of merchants looking out for contactless payment users’ security, other standards have been established to reduce fraud. In terms of clients’ personal funds, most contactless payment systems have a limit (usually around $50 US or £30) that can be processed on every payment. Furthermore, if someone manages to steal that amount of money from an unsuspecting customer, most credit card companies have a zero liability agreement that refunds any money that was fraudulently stolen. In the end, while the video may have caused some concern in the eyes of viewers, the reality is that clients are protected.