Payment fraud vs. identity theft: What’s the difference? And why does it matter to merchants?
With so many advances in payment security, many people are surprised to find that fraud is still on the rise, year over year. According to the Insurance Information Institute’s report about cybercrime, “In the past six years identity thieves have stolen over $107 billion.”
As more merchants transition to new chip card-enabled devices, confusion lingers. To clarify and better understand what’s going on, let’s define the two different types of criminal activity potentially at work here: payment fraud and identity theft. It’s important to understand the difference, because the repercussions of each are different for merchants and their customers.
Payment fraud: What does it mean for business?
When defining payment fraud, the one word to remember is “payment.” That’s because this sort of activity occurs when a fraudster has stolen someone’s credit or debit card number, or checking account data, and uses that payment information to make an unauthorized purchase. Often, the criminal will quickly sell the item or items purchased illegally to obtain cash.
With payment fraud, customers do have recourse back to their financial institution, so they don’t have a great financial loss to bear. While regulations continue to evolve, take note of the Consumer Financial Protection Bureau’s Regulation E (Electronic Funds Transfers) that limits consumer liability if an unauthorized payment is made using a debit card, and Regulation Z, Truth in Lending, which applies to protections for consumers’ credit card transactions.
The 2015 payments liability shift: How does it affect you?
The good news is, due to EMV chip cards, card-present fraud is going down. This trend will continue in the next few years as more merchants transition to chip-card devices. However, EMV chip cards also ushered in a liability shift that merchants need to be aware of.
It’s a complex set of rules, but the essence of it is this: in-store fraud liability has shifted to either the card issuing financial institution or the merchant––that is, the one entity that has not yet adopted EMV chip technology or the one with the lowest level of security in place. Which is why it’s important for every brick-and-mortar merchant to have chip-enable POS devices.
However, don’t fret about having to outdo the security measures of your bank. They still have liabilities to shoulder; you just need to make sure you’ve put your own business protections in place. Read more about the fraud liability shift to educate yourself and protect your business.
When it comes to eCommerce credit and debit card purchases, protect your business by making sure your payments processor or gateway uses tokenization, which replaces cardholder data with information rendered indecipherable and unusable to criminals. By the way, most EMV-enabled POS devices use tokenization to protect customer data.
Protecting the most valuable thing of all: Your business reputation.
Clearly, every merchant wants to protect his or her financial assets, as well as customer information. However, there’s another loss that can occur and affect a business long after a data breach occurs, and that’s their reputation. If a business experiences a breach, they could suffer from the loss of customer trust that’s spread through word of mouth. Plainly put, a breach is bad for business. And with the prevalence of online ratings and reviews, bad news spreads fast and can have a more profound negative impact on a business.
Identity theft: What does it mean for every consumer?
To define identity theft, the essential word here to consider is “identity.” Identity theft occurs when a criminal impersonates someone for the purpose of committing fraud, using the person’s private information such as a social security number or banking information.
This could involve a situation where a loan is established under the individual’s name, or a falsified tax return is filed with the IRS, or a credit card is opened without the individual’s knowledge. While fraud is the end result of identity theft, the big difference here is the implications upon the targeted individual.
With identity theft, the damage to the individual is more severe. Unwinding the damage done by the fraudster can take months or years, and can take a huge toll on credit scores. For example, getting a bank to acknowledge that a consumer did not apply for a loan can be a time consuming experience with much dialogue back and forth. Likewise, getting the IRS to believe that the fraudulent tax return wasn’t filed by that same consumer, but rather a criminal, can take a lot of convincing. In addition, working with the Credit Bureaus to restore a consumer's good credit rating when the fraudster has run it into the ground can be extremely frustrating.
What should a merchant focus on?
While identity theft is important for all consumers, not just business owners, merchants should focus on protecting their business’ financial assets, their customers’ data and their reputation.
One data breach could close a business down. At this point in time, the best way to protect your business is to install EMV-enabled devices at every point-of-sale. With eCommerce payments processing, make sure tokenization is in place to help secure all transactions. Another option for merchants of all types is to employ a strong transaction fraud monitoring system to detect abnormal behavior and stop fraud before it happens.
When it comes to payment transaction security, technology and regulations will continue to change. Regardless of these changes, it's wise to stay informed and aware of how you can best the steps you need to take to protect your customers and your business.