ETA Expert Insights: Evaluating the Fraud and Security Risks of Merchant Re-Opening
Introduction
As fall slowly turns toward winter, with many schools vacillating between in-person and virtual classes, and politicians, economists, and health professionals debating matters of health, timing, regulations, and forecasts of a possible winter resurgence, many businesses are struggling to plan their operations in the latest COVID reality. In this blog, leaders from the ETA Risk, Fraud, and Security Committee explore the myriad ways in which businesses, merchants, and acquirers must address transaction-related risk as they seek to do business at this time.
General Reopening Risks
Over the past seven months, businesses of all kinds have been operating on a work-from-home basis and are in various stages of bringing employees back into their stores, offices, call centers, and processing centers. Research from Morphisec this summer showed that over half of these employees are using personal devices, and that as many as 25% of employees are unfamiliar with how to secure their devices from common threats. As these workers return to the workplace, it is imperative that they do not bring with them laptops or USB drives that contain malware or unauthorized software that could give bad actors access to sensitive systems and networks. Policy-enforced anti-malware and active traffic monitoring can detect and respond to such threats.
As part of their social distancing and risk mitigation plans, many companies are using a limited workforce, alternating workdays, or allowing employees to work from home on an ongoing basis. As such, the ongoing use of remote workforce means these protections will be all the more important to have in place going forward. PCI SSC has released a useful list of security considerations for businesses handling card data that must continue to support remote workers.
In this new reality, other common business challenges are also exacerbated. Fraud-related cases have grown, with the FTC reporting over 200,000 Americans defrauded in amounts exceeding $145M in COVID-19-related scams. These attacks include text messages and robocalls, as well as fake emails impersonating the CDC, WHO, or insurance companies that entice victims to click links or visit fake websites for phishing or to install malware.
Scams are also emerging that promise testing kits and sanitation supplies, along with payday-loan-style scams (demanding payment by cash, gift cards, wire transfers, or cryptocurrency) aimed at government stimulus payments. The FTC cautions that these imposters should be reported immediately, and offers a number of useful resources for recognizing scams.
The New York Times reports hundreds of millions of USD in fraud in Washington State’s unemployment system. According to Norton, signs of scams include requests for PII, too-good-to-be-true offers, selling a “starter kit” or resume consulting, and the use of direct deposit bank transfers. In addition, identity theft reports have risen drastically, as bad actors attempt to claim unemployment benefits, or target unemployment benefit recipients by notifying them that their benefits have expired and must be reactivated using a fake form, through which personal information, debit card numbers, or PINs are obtained. Other scams include emails and calls advertising free COVID-19 testing, business loans, and fraudulent pandemic products.
Merchants
As consumer-facing retailers seek a balance between safe re-opening and monitoring COVID-related risks, business owners face a number of new risks. These risks cover much ground and many aspects of the business. With all good intentions, business owners want to ensure their staff is healthy to prevent spread of the disease, yet steps they may take, such as monitoring social distancing, using infrared thermometer monitoring, or reporting infections, could put them at risk of violating central aspects of HIPAA, such as obtaining or disclosing protected health information. Merchants must also be aware that employees and customers may be immunocompromised, or require special accommodations under the ADA.
Fraud, theft, and insider attacks may also seek to take advantage of COVID-related confusion. While many governmental entities encourage or require the wearing of masks, we have all likely seen video of confrontations between people in public settings who disagree on this practice. Beyond dealing with the consequences of such an event in your place of business, attackers may also stage a fabricated scenario to create a distraction that facilitates a theft. Furthermore, face coverings in common use may diminish the value of security cameras for identifying bad actors.
Finally, there is the matter of securing the point of sale with respect to cleanliness: wiping and sanitizing PIN pads, encouraging contactless acceptance, and perhaps once and for all taking advantage of card brand rules whereby signatures are no longer required, and removing pens from the point of sale!
Processor / MSP / ISO
Managing risk is important in any environment but it’s particularly critical while we are in the midst of a global pandemic. The health crisis is creating new, unprecedented risk challenges for business clients who are faced with keeping their businesses safely operational.
Companies that accepted funding based on short-term forecasts are now saddled with a more long-term financial impact. When the initial round of Paycheck Protection Program (PPP) funding was offered to companies, there was a component for ‘debt forgiveness’ contingent on the business keeping employees on the payroll during the shutdown. However, as the financial impact continues (due to both intermittent shutdowns and decreased customer foot traffic), PPP funds were quickly depleted and layoffs have had to occur as a result. As the nation awaits further PPP funding, merchants within the acquirer portfolio continue to suffer from dire financial hardships. Many are faced with a large debt repayment as well as increasing business expenses, such as mortgage/rent, inventory, etc. This scenario puts their long-term solvency at risk, as revenue is likely to take time to rebuild to former levels, requiring acquirers and ISOs to stay aware of how these trends affect their portfolio and to guard against new fraud risks:
Pre-Paid Services, Gift Cards, Donation Solicitations
As many states and local jurisdictions have imposed mandates around business closures and ‘safer at home’ guidelines/requirements, many business owners were forced to become creative about how to generate income. During this time, there may have been attempts to bolster short-term revenue by offering customers the ability to pre-pay for services. This new business model has now created a future delivery risk for businesses that historically have been classified as low-risk, such as hair salons and restaurants. In addition, some businesses chose to offer gift cards to each customer as an incentive, which creates a similar future delivery risk. Lastly, some businesses have solicited donations directly from their customers and processed those donations via their merchant account, which creates risk issues relative to card brand compliance.
Change of Business Model
Without question, the pandemic has had a disastrous impact on the overall economy. However, some businesses have experienced a boon as a direct or indirect result of the COVID crisis. Companies that had all or a material portion of their business dedicated to eCommerce have seen tremendous growth. Likewise, medical supply companies, at-home fitness equipment vendors, and app-based food delivery services have experienced huge growth. What may not have been anticipated are the shifts or outright business model changes that have taken place. For instance, wholesale restaurant suppliers (fish/meat) have transitioned to selling direct to consumers. Other companies have moved entirely to a new category, for instance distillers switching from selling liquor to manufacturing and selling hand sanitizer. It becomes critical for acquirers to monitor these changes so that they know the risks that may exist and can make appropriate changes to merchant category codes (MCCs) and the like. In some instances, if the business model is completely different, the account may need to be underwritten again from scratch.
Large Events, Refund Risk
As a precautionary measure, many large events, such as conferences, races, and educational seminars, have had to cancel. In many cases, large numbers of attendees prepaid for these events, often months in advance. For some event planners, this is a planned contingency and refunds are issued in a timely manner. For others, the funds for the event may have already been disbursed to vendors, presenting a significant risk that they may either process refunds to their customers that they cannot fund, or refuse refunds, which will ultimately result in customer disputes.
Reserves, Refunds, and Fraud
In reaction to the added financial risk from both increased future delivery exposure and changes of business model, many acquirers are finding the need to hold back additional reserves. Reserve models previously used a formula of holding sufficient funds to cover 6 months of disputes and 3 months of refunds. That model becomes problematic when the economy is this unpredictable. Some acquirers have chosen to hold back funds to cover a longer period of risk.
Conclusion
The pivot to working from home and changes in our workplace environments, coupled with a struggling economy and public health concerns, have opened up a myriad of ways in which merchants and consumers are at greater risk for fraud as they reopen and make changes to their businesses. Businesses must also look into how their employees are accessing sensitive data, and truly understand what protocols they have in place to make sure they aren’t storing data on insecure devices. Aside from data risks, health precautions, and the implementation of more payment choices (online, contactless, etc.), employers should also make accommodations for customers and employees, following guidance for securing and classifying PII. The authors of this blog have sought to lay out some fraud and security considerations during this volatile time. For additional research into health and safety concerns related to re-opening, please reference the helpful resources below.
Further Reading
Homeland Security
https://www.hsdl.org/c/assessing-risk-for-a-reopening-business-amidst-covid-19/
Center for Health Security
https://www.centerforhealthsecurity.org/our-work/publications/operational-toolkit-for-businesses-considering-reopening-or-expanding-operations-in-covid-19
CDC
https://www.cdc.gov/coronavirus/2019-ncov/community/reopen-guidance.html