Fallback Card Fraud Hits Home
Despite the inherent protections of chip cards (also known as EMV cards), card-present fraud still occurs and, unfortunately, I have first-hand experience. I live in Minnesota, but someone used a counterfeit version of my card account—with a fake/unreadable chip—to make purchases at big box retailers in the Miami, Florida area. My card issuer alerted me within an hour of the fraudster completing six successful transactions one morning last week. These are considered “fallback transactions” because a card was inserted into each store’s POS chip reader, but, when it didn’t work, the fraudster made the purchases by falling back to the old method—swiping the magnetic stripe. I assume the fraudster went into stores instead of shopping online because they likely lacked information required for most online purchases like the security code on the back of the card and/or part or all of the billing address.
Fallback fraud has become increasingly more common as fraudsters continue to reinvent their methods of operation in response to advancements in card security. I’ve read articles suggesting that card issuers should decline fallback transactions at the POS due to the risk of fraud, but, of course, such transactions could be legitimate. There could be a problem with the POS device, the chip on a real card, or the way a cardholder inserts the card into a chip reader.
We know card fraud can happen to anyone. Fortunately, card issuers typically protect cardholders from financial losses. Nevertheless, for Commercial Card programs, it still pays to take precautions. Following are three action items for card program managers.
Action Items for Card Program Managers
1. Train cardholders on card security practices, such as:
how to properly dispose of documentation reflecting their account number
the approved devices for making business purchases electronically (e.g., work computer versus home computer)
how to safely make purchases electronically (e.g., do not use public/unsecured WiFi, look for “https” in a web address, etc.)
2. Verify whether your card issuer sends text messages to cardholders about potential fraud, as this is typically the quickest way to reach a cardholder. If yes, encourage your cardholders to provide their mobile number to the card issuer. (In my case, my card issuer communicated three ways: text, email, and phone).
3. Ensure cardholders know how the issuer would alert them in cases of potential fraud and what the communications would look like. Cardholders should be equipped to discern between legitimate and fraudulent communications. Internal auditors should test their awareness as part of their annual “process audits.”
Final Thought
Above all, cardholders need to be diligent. They should quickly return messages from the card issuer, but ensure they have the right information for determining whether a purchase is fraudulent. In my case, the first text from the issuer only specified the vendor and dollar amount of the first fraudulent charge. Coincidentally, the day prior, I used the same vendor in Minnesota and the dollar total was nearly the same. I almost replied that the transaction was fine, but decided to wait until I could view my receipt. Subsequently, I saw the related email, which provided the key piece of information—that the transaction occurred in Florida.
Related Resources
Visit the card/payment security page for content about EMV, phishing, cybersecurity and more.
Available Products & Services from Recharged Education
Submit a contact form to request a quote for what your organization needs.
Subscribe to the Blog
Receive notice of new blog posts.
About the Author
Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…