Imagine this: you’re a brick-and-mortar retailer and you’ve watched chargebacks and fraud steadily decline as EMV chips have become more prevalent. Your chargeback ratio is healthy, disputes have been few and far between, and everything is on the up and up. Only, suddenly you’re getting hit with chargebacks again. Chargeback fees are piling up, you’re at risk of losing revenue, and if your chargeback ratio continues to increase, you may have to pay higher processing fees. What’s going on?
Chargebacks are a major threat for most retail businesses. The EMV rollout has greatly reduced card-present fraud, however, scammers can still use social engineering to convince merchants to let them complete a transaction using a swipe. If the merchant agrees, the scammers may be able to use stolen credit card data to complete a transaction.
We’re going to dig into the details, but if a cardholder is claiming that they’re having trouble with their card’s EMV chip, and they want to use the magnetic strip instead, you may want to decline the transaction. It’s possible you’ll lose some legitimate sales, but you could also prevent fraud. With this in mind, it’s crucial to train your staff to watch out for suspicious transactions and to put them on pause if the risks of fraud are high.
Stealing Credit Card Data Was Once Quite Easy
For a long time, it was relatively easy for criminals to use skimmers and other tactics to steal card data and make cloned credit cards. These cards could then be used to make unapproved purchases. When the cardholder noticed the unauthorized charges, they could file a chargeback dispute and would almost certainly win.
Until recent years, most credit and debit cards used magnetic strips, which aren’t especially secure and can be targeted relatively easily by skimmers. Essentially, when a customer swipes their card, the skimmer can intercept and record the data, including credit card numbers, expiration dates, and Card Verification Values. Then a fraudster could use that data to create a cloned credit card.
Unfortunately for merchants, if they accept payment from a cloned credit card, it’s likely to result in chargebacks. In some cases, merchants might ask for a signature, ID, or the cardholder’s zip code to verify that the person using the card was authorized to do so. However, forging signatures and even IDs is relatively simple. Meanwhile, it’s often pretty easy to find the zip code a cardholder is likely using simply by looking up their address.
Thankfully, criminals now have to work much harder owing to the roll-out of EMV chips. Yet already, some fraudsters are figuring out how to get around EMV chips using social engineering. As a result, merchants may find themselves at risk of getting hit with chargebacks.
EMV Chips Flipped the Script for Card-Present Fraud
Credit card companies recognized that skimmers and cloned credit cards greatly increased the risks of fraud. That’s why in the 1990s Europay, Mastercard, and Visa set out to create new technologies that would make card-present payments more secure. One such technology is the “EMV” chip, which stands for Europay, Mastercard, and Visa, and this chip has in many ways delivered on its promises. Let’s take a look at how it works.
The EMV chip contains a tiny computer chip that can transmit data. You can insert the card into a credit/debit card POS system and the system will communicate with the chip. However, instead of sending the credit card data itself, an EMV chip will create and send a unique, encrypted code to the machine. Crucially, the data is tokenized, which means that one-time-use substitute data is sent. The EMV chip does not transmit the credit card number like a magnetic strip would. This means that even if someone steals this data, they get the token and not the credit card number.
EMV chips have been a smashing success and have substantially reduced fraud with card-present transactions. Not every merchant accepts EMV payments but acceptance has grown substantially over the years. Back in September of 2015, less than 2 percent of American merchants accepted EMV chips. By 2019, more than three quarters of merchants were accepting EMV chips and adoption has increased since.Unfortunately, however, fraudsters have adopted new tactics and have figured out a way around EMV chips with card-present transactions. Let’s take a look at the tactics criminals are using and strategies for combating fraud and reducing chargebacks.
Fraudsters Can Use Social Engineering to Get Around EMV Chips
A credit card equipped with an EMV chip is typically “dipped,” which simply means inserted into a card reader. They can also be tapped with contactless payment systems. When the EMV chip is used, you don’t swipe the card. However, most credit cards still contain a magnetic strip and it’s often possible to pay using that strip.
Merchants that recognize the benefits offered by EMV chips will typically prefer to use the EMV chip and not the magnetic strip since the payments are more secure and can reduce the risk of fraud and chargebacks. If a customer doesn’t have an EMV chip, some retailers will decline to process their payments.
Yet social engineering is a major part of many criminal tactics, and it’s being used to get around the protections provided by EMV chips. A fraudster can create a seemingly legitimate credit card with what looks like an EMV chip but is actually a dud. The fraudster can program the magnetic stripe with real, stolen credit card information.
When the checkout clerk dips the credit card and tries to read the chip, they’ll get an error message. The fraudster might then claim that this is the first time this has ever happened, or maybe they’ll say that their chip has been acting funny these past few days. Whatever the case, they’ll try to get the clerk to instead use the magnetic strip, which is programmed with stolen credit card data.
If the clerk falls for the ruse, the transaction may end up processed and approved. Once the legitimate cardholder sees the transactions, they’ll contact their bank, and the merchant will get hit with a chargeback.
For the above tactic to work, the fraudster will still have to get the relevant data to make a magnetic strip credit card. EMV chips make getting that data much more difficult. However, it’s possible to extract data from EMV chips and then plant said data on magnetic strips. The fraudsters can’t clone the EMV chip itself, but they may be able to get enough data to make a magnetic strip clone. From there, they simply need to trick a merchant into accepting a swipe payment.
Training Your Staff to Prevent Chargebacks
EMV chips have made perpetuating card-present fraud much more difficult. Many brick-and-mortar retailers have seen fraud and chargebacks decline substantially. That said, merchants still need to be diligent and take steps to prevent chargebacks. Crucially, social engineering can allow fraudsters to circumvent some of the protections offered by EMV chips.
Yet employees can be trained to spot and resist social engineering. With card-present transactions and EMV chips, the answer is straightforward: don’t let customers swipe credit or debit cards. This could annoy some customers, including legitimate ones. Yet accepting swipes simply exposes merchants to too many risks.
In fact, if you swipe an EMV-enabled credit card and the cardholder files a chargeback, you may automatically lose any resulting chargeback dispute. Credit card companies have shifted liability in the case of card present EMV transactions to merchants. The easiest way to avoid chargebacks and the associated penalties is to always ensure that purchases are made with the EMV chip and not the magnetic strip.
Of course, many other things could result in disputes and chargebacks. When it comes to combating fraud, merchants need to develop a holistic approach and use dispute management platforms, chargeback alerts, and other tools. Doing so could protect your business and help ensure success.