How small merchants can detect, address, and prevent credit card fraud

by Maxine Bremner

Published • 17/01/2024 | Updated • 17/01/2024

Payments

How small merchants can detect, address, and prevent credit card fraud

by Maxine Bremner

Published • 17/01/2024 | Updated • 17/01/2024

Payments

Though there’s a multitude of sophisticated payment security measures that modern businesses can take advantage of, the threat of credit card fraud is still very prevalent.

According to the Office of National Statistics, there were more than 475,000 reported incidents of fraud in the cheque, plastic card and online bank account category in the 2021-22 financial year, a considerable rise from the previous year’s figure of just under 300,000.

Both small and large merchants can fall victims to credit card fraud. Incidents like this can not only cost you and your customer base a considerable amount of money, but also run the risk of tarnishing your brand reputation and undermining the sense of trust and customers loyalty with your brand.

In this guide, we’ll explore how credit card fraud occurs, the different forms that credit card fraud can take, and how businesses like yours can prevent, detect, and respond to card fraud threats.

What is credit card fraud?

Credit card fraud is a crime in which the perpetrator uses the victim’s physical card or their card information to carry out purchases without their consent. 

The fraudster doesn’t need to acquire the physical payment card to commit this kind of crime. In fact, according to payment industry body UK Finance, more than 80% of card fraud losses in the UK reported in 2022 were from forms of card not present fraud, where the perpetrator is able to commit fraud using the card information alone.

Fraudsters use various techniques to illegally obtain their victims’ credit card details, including stealing physical cards, skimming or cloning with purpose-built machines, and sourcing card details from illegal online databases.

Though credit card fraud is often distressing for the victim, it rarely causes lasting financial damage, as UK legislation ensures cardholders aren’t usually liable for unauthorised payments.

Concerned for your customers’ security?

SumUp’s multifunctional card readers operate according to the highest payment card industry security standards.

Find your card reader

Credit card fraud, how does it happen?

Credit card fraud is always changing as fraudsters work to keep a step ahead of developing security standards implemented by merchants, card issuers, and payment providers.

To effectively detect credit card fraud, merchants should try to familiarise themselves with the different schemes and tactics fraudsters use to commit it.

Here’s a brief look at 6 credit card fraud examples to help you get a better idea of the threats faced by merchants.

1. Lost and stolen cards

One of the more basic and traditional forms of fraud, criminals can obtain credit cards by either recovering cards people have lost, or physically stealing them. 

With the card in their possession, the thief can either make purchases in-person using Near Field Communication (NFC) tap transactions, or enter the card details online or over the phone to make illicit purchases without the cardholder’s knowledge.

2. Card not present fraud

Card not present fraud, sometimes called CNP fraud, happens when the fraudster doesn’t have to have the physical card to commit fraud. 

Imagine, for example, the fraudster obtains a cardholder’s information through stolen documents, hacked emails, or another channel. 

This might give them just enough information to make online purchases using a payment gateway or buy things through over the phone card payments using a virtual terminal.

3. Counterfeit and cloned cards

Credit card fraudsters are also able to obtain card information using devices known as skimmers. These machines are attached to other devices which come into contact with cards, such as cash points and Point of Sale (POS) systems. 

When a card comes into contact with a skimmer, the machine harvests the information contained in its magnetic strip, which is then used by the fraudster to create a counterfeit or cloned card.

Skimmers can be hard to detect for consumers, which is why many banks place notices on their cash points prompting customers to check for anything suspicious about the machine.

4. Card application fraud

In some cases of credit card fraud, the fraudster doesn’t steal card information from a cardholder, but rather creates their own by applying for a new card in someone else’s name.

In this kind of fraud, the perpetrator acquires the victim’s details such as their: 

  • Name

  • Date of birth

  • Address

Using these, the fraudster then applies for a credit card, receives it, and uses it to make fraudulent purchases under someone else's name.

5. Credit account takeovers

With account takeovers, fraudsters acquire their victim’s personal information using any of the same methods used in card application fraud, then use this information to steal the cardholder’s identity. 

The fraudster generally contacts their victim’s credit card issuer pretending to be the legitimate cardholder, and verifies their identity by giving details like passwords, purchases, or personal details. 

Once the card issuer is convinced they’re in contact with the cardholder, the fraudster will register a change of address, and later report the card as lost or stolen to have a replacement sent to them in the mail.

6. Mail interception

When credit card companies send new or replacement credit cards in the mail, some criminals try to either intercept the letter, or steal it after it’s been delivered from the legitimate account holder’s letter box.

Credit card issuers often use unmarked packaging when sending cards in order to prevent this happening.

How to detect credit card fraud

With various techniques of credit card frauds, and the fact that many of these techniques aim to make fraudulent transactions appear legitimate, it’s essential for merchants to take a proactive approach to detecting credit card fraud. 

Here are some of the most effective methods of credit card fraud detection keep you and your customers safe:

Address Verification Service (AVS)

Address Verification Service (AVS) is a payment security check that uses a cardholder’s on-file information to check the legitimacy of a purchase. 

With an AVS system set up, a customer’s billing address as entered on an online store is cross-referenced against the address held by the card issuer

If the details don’t match, this is flagged as a possible sign of fraud and prompts further investigation.

This security layer is an effective countermeasure against forms of credit card fraud which target e-commerce businesses, attempt to make fraudulent purchases, and send illegally acquired products to the fraudster’s address.

Card Verification Value (CVV)

A Card Verification Value (CVV) is the unique 3 to 4 digit code found on the back of a payment card. Checking this is intended to confirm that the payment card is in the cardholder’s possession, and is a basic component of online payment gateways facilitated by most reputable payment providers.

Repeated attempts at a purchase using a certain set of card details with a missing or repeatedly incorrect CVV can trigger a fraud alert. 

This method of detection can be an effective foil against credit card fraud techniques which involve stealing card information from online databases, as these sets of card details often lack the CVV.

3D Secure

3D secure is a card payment security layer facilitated by a number of major card providers, which adds an additional authentication step to a card not present transaction.

When a cardholder opts in to 3D Secure, they’ll be prompted to enter a PIN code with every purchase they make using their card. This means that even if a fraudster has access to a person’s card details, they won’t be able to complete a purchase without access to private information known only to their intended victim.

Repeated attempts at a purchase that fail to pass a 3D Secure check can be a sign of attempted fraud, and facilitating this security measure at your business can prove an effective way to detect and guard from fraud.

Machine learning fraud detection

Development in artificial intelligence and machine learning over recent decades have given rise to highly effective fraud detection that’s based on buyer behaviour. 

Sophisticated algorithms can be deployed to analyse customer behaviour and flag unusual activity which may be a warning sign of fraud. 

These kinds of security layers are especially effective because they’re constantly learning from the activity of both legitimate customers and attempts at credit card fraud, which helps to improve the system’s ability to identify and halt suspicious activities. 

It also means that fraudsters who have acquired credit card information can carry out activities in someone’s account which may seem safe, while unwittingly triggering a fraud detection system with behaviours that don’t match a customer’s usual spending patterns.

Velocity checks

Velocity checks are another security method that’s focussed on card user behaviour. It analyses the transaction volume and frequency carried out by a single customer within a given timeframe, checking for unusually high numbers of transactions or high transaction values which could be an indicator of fraud.

Unlike some other security layers, velocity checks can require some additional admin from the merchant’s side. With some velocity check systems, the business owner must establish their own predetermined limits and thresholds based on the transaction data they have access to.

It’s essential for merchants to approach this with caution, and avoid setting thresholds that risk triggering fraud alerts to legitimate activity and alienating customers.

Manual reviews

Though the current payment card security industry has many layers that can effectively protect customer data, it’s important to note that fraudsters are always looking for new ways to get around these security layers.

In some cases, automated fraud detection systems will only do some of the work, and you’ll need to take a manual approach to scrutinise the transaction details and decide whether or not the transaction is suspicious.

This human element can help you to both identify attempted fraud even when it’s passed automated checks, and avoid unnecessary card declines where customers are making legitimate purchases. 

Want to be better at monitoring transactions?

SumUp’s free online business account features scheduled payments and instant account statements designed to help merchants monitor cash flow.

Open your account

How to report credit card fraud

Incidents of fraud can be very distressing to merchants and cardholders alike, and hopefully you’ll never have to deal with this kind of situation in your role as a business owner. 

Though some business owners may go their whole careers without their venture being a target of fraud, it’s essential to have a plan of action for reporting credit card fraud in the event that your customers are the victims of fraud.

Credit card fraud: what to do

Here are some of the crucial steps in how to report credit card fraud when you suspect that it’s happened to one of your customers:

Step 1: Organise the evidence

From the moment you’re alerted to a credit card fraud incident, it’s important to carry out your own investigation and gather all evidence possible relating to the incident. This might include: 

  • Logs of the initial report from a customer

  • Transaction records, paper receipts

  • Anything else relating to the incident

After you’re alerted to an incidence of fraud, you may have to discuss this with multiple outside parties, such as the affected customer, your payment provider, and the police. 

It’s essential to gather as much information as possible for these discussions to keep relevant parties informed and come to a resolution as quickly as possible.

Step 2: Inform your payment provider

Payment processors and acquiring banks employ full-time professionals who are responsible for dealing with fraud. Your next step should be contacting these institutions and informing them about what’s happened.

During your discussions with your payment provider, you should provide them with all the evidence you’ve gathered and all the known details about the fraud incident. Armed with this information, they’ll be able to inform you on the next steps you have to take, for example initiating a chargeback.

Step 3: Report the incident to the police or Action Fraud

Sharing what you know with the police could be a big help in apprehending the criminals and creating a safer shopping experience for all merchants and consumers.

You can report incidents to the police by using the non-emergency number 101. Your report should include all the information you gave to your payment processor, along with any case or reference numbers the payment provider might have given you. These details can be instrumental in how credit card frauds are caught.

Alternatively, you can also contact Action Fraud. This government agency maintains an online portal that both consumers and businesses can use to report incidents of fraud, which they’ll then pass on to law enforcement agencies for further investigation.

Step 4: Notify customers

In cases where a fraud incident wasn’t reported to you by a customer, it’s an essential part of the reporting process to notify customers who may have been affected as soon as possible. 

This will give them the prompt they need to take further action, such as contacting their card issuer to freeze their card or checking their statements for any other suspicious transactions they may want to dispute.

Aside from ensuring that affected customers are kept up to date with the situation, this will also help you demonstrate a commitment to transparency, and show your customers that you take their security seriously.

Step 5: Review how the fraud occurred

Once you’ve informed the relevant parties about the incident that has taken place, it’s important to carry out a thorough review of your security measures, and determine how this incident occurred. This will help you inform your next steps as you work to strengthen security at your business and prevent further incidents of fraud from occurring.

If the fraud was caused by human error or a lapse in judgement, then you may want to review your policy for training staff on security best practices. If the fraudster was able to bypass automated security protocols, it may be time to add more layers of security or look for replacement security tools. 

Though no merchant’s security arsenal is perfect, making a point to familiarise yourself with your business’s weaknesses and constantly improve security will help you minimise the chances of future incidents.

Step 6: Keep records

Once the investigation is underway and you’ve made a point to learn and improve from the experience, it’s always a good idea to make a record of the fraud incident. 

This should include all the details you’ve been able to gather, your communications with payment processors and law enforcement, and the customer accounts that were affected.

Aside from giving you a useful point of reference for future training and information, you may need to refer to this record later if the police or your payment provider need any further details to help them with their investigations.

5 steps to reduce credit card fraud UK

Credit card fraud can take many shapes, and fraudsters are constantly finding new ways to get around existing security standards and continue making illicit purchases.

Though payment providers and card issuers have their own security measures to guard their users against fraud, there are many more proactive steps that small businesses like yours can take to keep their customer experiences as safe as possible.

Here’s 5 crucial steps to take as a small business to reduce credit card fraud.

1. Educate yourself on warning signs

As the majority of purchases at your business are going to be legitimate, it can be easy to forget about the issue of credit card fraud as a small merchant. 

By regularly educating yourself and training your staff about common credit card fraud examples, you can become more effective at reviewing business activity with a healthy degree of caution, and flagging transactions that show some of the warning signs of fraud.

If you have a physical premise like a cafe, it’s essential for your customer-facing staff to learn about the traits of counterfeit cards, such as: 

  • A crooked, unevenly spaced text and numbers.

  • A signature that’s been smudged or altered

  • A damaged hologram. 

It may also be useful to supply cashier staff with a list of issuer identification numbers, which are the digits at the beginning of a credit card number that are unique to specific issuers.

Legitimate Visa card numbers, for example, typically begin with a 4, whereas American Express numbers start with a 3.

Similarly, it’s important to educate anyone involved with your e-commerce operations on how to identify suspicious online behaviour. 

Specific behaviour to watch out for might include: 

  • Buying large quantities of luxury items.

  • The use of multiple cards when shipping to a single address.

  • Shipping to a geographic region where you usually don’t do any business.

2. Keep your payment and IT tools up-to-date

Payment security is always changing, and the software companies that supply the tools to run your business are always working to keep up with the current threat landscape.

To ensure your payment systems, e-commerce store, and other tools are able to repel fraud attempts, it’s essential to maintain a policy of installing patches as soon as possible to ensure your security layers function as intended.

By keeping your payment processing technology and your wider IT infrastructure protected from malware and other forms of malicious activity, you can fix vulnerabilities and keep fraudsters at bay.

3. Get PCI DSS compliant

The Payment Card Industry Data Security Standard (PCI DSS) guidelines lay out a security standard that’s mandatory for all businesses that handle customer payment data, and are designed to keep consumers safe from credit card fraud and other cybersecurity threats.

Some of the requirements for PCI DSS compliance include: 

  • Maintaining a firewall that’s able to protect cardholder data.

  • Encrypting cardholder data.

  • Restricting access to cardholder data within your business.

  • Creating a policy to regularly test your security layers.

When you begin to research PCI DSS compliance, you might feel somewhat overwhelmed by the extensive list of requirements. However, tackling this project and making sure your security is up to standard will keep your security in-line with your competitors and minimise the risk of fraud.

4. Encourage strong passwords and authentication layers

Like any responsible small business owner, your work on security has likely been focussed on what you can do to protect your customers. However, it’s important to give customers the ability to protect themselves through optional security layers on user accounts containing their card information.

One easy way to help your customers keep fraudsters out is to supply them with information on creating strong passwords for their account, with tips such as meeting a minimum character count, using both upper and lowercase letters, and including numbers and special characters.

Another good way to help customers secure their account is enabling two factor authentication (2FA) on your site login. This will require customers to enter a randomly-generated additional passcode when they log in on your site, usually supplied either through a one-time text message or an authenticator app.

With 2FA in place, customers will ensure that even if a fraudster gets hold of their username and password, they won’t be able to make fraudulent purchases due to not being blocked by the 2FA layer. 

5. Schedule regular audits

Although many entrepreneurs make sure their operation is up to certain security standards when they’re first starting their business, often this area of the business never gets revisited as they feel they've been protected from day 1. 

However, ensuring security at your business is an ongoing responsibility that requires regular audits to make sure you’re keeping customers safe from security threats.

Whether you organise it internally or outsource it to a security expert, carrying out regular audits to check for vulnerabilities and test defences will highlight features that need updating and keep your defences in-line with the current cybersecurity landscape.

By ensuring you and your staff have an up-to-date understanding of your business’s security, you’ll be much better equipped to proactively deal with vulnerabilities before fraudsters have a chance to exploit them.

Want to give your customers a safe, convenient shopping experience?

SumUp’s online store builder makes it easy to create a user-friendly e-commerce experience with safe payment gateways.

Start selling online today

Consequences of credit card fraud for a small business

Credit card fraud can have severe repercussions for small businesses. It’s crucial for merchants to understand these and appreciate the importance of effective payment security.

The biggest consequences of credit card fraud for small businesses include:

Chargeback fees

A chargeback occurs when a customer disputes a credit card transaction, claiming it was unauthorised or fraudulent. If approved, the card issuer refunds the customer for the relevant amount, and the funds are deducted from your account.

It’s important to do everything you can to avoid chargebacks, especially if you’re a new merchant working with a fluctuating cash flow. Aside from having to refund the customer, you’ll also typically incur chargeback fees, which can vary considerably from one chargeback to another.

Merchants that experience a high number of chargebacks may also incur penalties from their payment processors or receiving bank, with these institutions charging higher fees or imposing stricter terms on businesses with a history of chargebacks.

In cases where you incur excessive chargebacks, you may also experience reputational damage, as it can appear that your business isn’t taking adequate steps to protect customers from fraud.

Non-compliance assessments

Non-compliance assessments are penalties imposed on businesses that fail to meet industry standards and regulations, such as PCI DSS.

These assessments can have a number of negative effects on small businesses, including:

  • Financial penalties: Non-compliance assessments can result in substantial financial penalties. Fines may vary depending on the severity of the non-compliance and the number of payment card records affected. These fines can be a heavy burden for small businesses.

  • Legal consequences: Failure to comply with industry standards and regulations can put a business at risk of legal action. In addition to fines, non-compliance may lead to lawsuits and legal fees, further straining your resources.

  • Loss of trust: Non-compliance can erode customer loyalty and trust. Customers want assurance that their payment data is secure. When a business fails to meet security standards, it can damage the trust that customers place in your brand.

Disclaimer: The contents of this page are intended for informational purposes only and should not be construed as professional advice. For matters requiring legal or financial expertise, it’s recommended to seek guidance from qualified professionals.

Credit card fraud FAQs

What is a card not present (CNP) transaction?

A guide to the different forms that card not present (CNP) transactions can take, the associated risks, and how merchants should mitigate them.

Read more

Understanding and preventing card not present fraud

Learn how card not present fraud can affect small merchants, and the steps you can take to keep your customers and your business safe.

Read more

What is a virtual terminal? A comprehensive guide for UK merchants

Find out how virtual terminals can help your business process remote payments.

Read more

Learn more about payments