Retailings Hard Lessons: Curtailing Debit Card Fraud

Earlier this fall, a national credit card processor relayed a noteworthy instance of pre-paid debit card fraud to us—one that could target and damage numerous retailers across the U.S. at any given time. Over the summer, a small retailer had someone gain access to their stand-alone credit card terminal, which was not password protected.  That person used an anonymous, reloadable pre-paid debit card (i.e., the type purchased at a gas station) to issue themselves a card refund in a very large amount.

The next day, the merchant saw funds debited from their account and started asking questions to the employees and the bank. No one knew anything. Finally, he contacted his credit card processor, who was able to contact the debit card issuer.  The bank that had issued the card immediately froze the account, but two days had elapsed at that point, and the criminal had likely spent those 48 hours withdrawing funds from every ATM that he/she could find.

How did the business owners catch the account debit so quickly? It was because the debit was for over $50,000One might think the card processor or the card issuer would have controls in place to confirm such a large refund amount before allowing that kind of account debit, but many card processors and card issuers simply do not. Now, the merchant may get the remaining frozen funds back, but only after considerable time and money spent coordinating with his legal counsel, employees, the police, his insurance company, his bank and the card issuer. Either way, he’s been left with a significant financial loss.

How can retailers avoid this type of debit card fraud? Leaving an unprotected, stand-alone terminal out on the retail counter (or anywhere that is accessible) is essentially like leaving a signed check out in the open, with all of the details filled in except the payee. Instead, be sure at all times—but especially during the peak holiday season—that your stand-alone terminals are both physically protected and password protected.  If they are not, and they are linked to an account with a balance of any size, it could leave you highly vulnerable to instances of fraud. As a secondary precaution, discuss with your card processor to see if there are any debit, refund or cash back limits that you can put on your systems’ debit transactions.

Stay tuned to the blog in the weeks ahead, as I’ll be writing a second guest blog post related to the newest electronic payment technologies and their impact across the retail industry.