Shoppers with PIN-debit cards often ask for $20 back in cash when paying at the point of sale, but criminals using fake cards have no qualms about demanding $1,000 or $2,000, risk experts say.
Requesting outlandishly large sums sometimes works for fraudsters. All they have to do is ask often enough – usually by phone -- and eventually a clerk or cashier hands over a fistful of cash when the criminal shows up at the store.
Financial losses from such crimes and many other fraudulent scenarios often fall into the lap of someone in the acquiring business, particularly ISOs. So the industry’s risk-management experts responded by starting the Merchant Acquirers Committee in the late ‘90s.
The committee remained informal for a while, but from the beginning the group has shared information on who is committing fraud, what schemes fraudsters use and how the four major card brands are changing the processing rules to combat criminals, says Deana Rich, the group’s president since 2007.
Rich, president of Deana Rich Consulting Inc., a Los Angeles-based company that offers strategic risk-management services to the acquiring industry, is preparing to turn over her duties as committee president next year to Richard Parrott, director of risk for Litle &Co., a Lowell, Mass.-based ISO and processor.
Rich became president when the committee incorporated and thus became eligible to accept donations, she says.
In the early days, the committee shared information in email “blasts” to multiple recipients, says Rich. By 2003, membership had grown to 250 companies and individuals, she says.
Today’s 650 members receive information from the committee by visiting a website, Parrott said in a phone interview. About 70% of the members qualify as ISOs, and the remainder are banks, processors and vendors, he says.
The group has become less “stealth” about its work over the years, Rich says. Secrecy had seemed to fit the business of combating thieves, she maintains.
Incorporation also enabled the committee to begin collecting dues, now set at $75 annually for individuals and up to $225 annually for companies, Rich said.
The committee held its fourth annual educational conference and tabletop vendor show this spring, convening in Las Vegas for three days, Parrott says. Attendance grew by 25% to 260 this year, and the group expects a similar increase next year, he says.
The event attracted 40 sponsors and 40 speakers. It offered presentations from the Federal Trade Commission, the Federal Bureau of Investigation, the U.S. Postal Service, Microsoft Corp., PayPal Inc. and the four major card brands, says Parrott, who served as chairman the last three years. Groups engaged in panel discussions included risk-system providers, lawyers specializing in acquiring, and Payment Card Industry data security standards compliance vendors, he said.
The committee also holds three regional educational events each year, Parrott says.
Law-enforcement officials often attend the events to keep up with trends in fraud and to find out what the industry is doing to thwart schemes, says Rich.
In one example, perpetrators of fraud have discovered recently that a scam works better if they type out the request on a telecommunication device for the deaf, or TDD, than if they talk on a phone. Somehow, a pizzeria operator or auto dealer just seems more likely to go along with a “deaf” person, Rich says.
Risk-management experts would call using TDD a refinement of an old confidence scheme. Reworked confidence schemes typify a trend they see.
“The fraud schemes recycle like clothing styles,” says Rich. “We haven’t seen anything unique in a long time–just twists and turns on the old frauds.”
The variations can keep the acquiring industry busy playing catch-up, agrees David Fish, a senior analyst at Maynard, Mass.-based Mercator Advisory Group Inc. who formerly worked in risk management and fraud investigation for ISOs.
“Threats are continually evolving, and merchant-risk management has to be nimble to adapt,” Fish says.
The industry has good reason to try to stay nimble, too, because responsibility for “charge-backs,” as insiders call uncollectible credit card bills, can come back to haunt acquirers, Fish says.
Card brands transfer the liability for charge-backs to the acquiring banks, which tend to pass it along to processors, says Fish. The processors, in turn, hand over the liability for charge-backs to ISOs, he continues. The ISOs are left with the bad debt if they cannot collect from the merchants, he says.
However, if the ISOs cannot pay, the card brands still hold the acquiring banks responsible, Fish adds.
ISOs screen merchants who apply to accept cards and then monitor their merchants’ activity, Fish says. Contracts often hold a merchant personally responsible for the charge-backs a store incurs, he notes.
The Merchant Acquirers Committee, through its information-sharing and education, helps ISOs with those difficult security tasks, Fish maintains.
