Criminals are using small-ticket online transactions to test fraudulent payment cards.
Amid the ongoing efforts of merchants and risk managers to stay ahead of cyber-criminals, one soft spot thieves exploit is web sites that sell digital games and music at low prices, says John Eggleton, head of risk management at London-based WorldPay, a provider of payment gateway and risk management services.
“We see these sites being hit with larger-than-normal criminal activity,” he says.
Criminals are attracted to low-value e-commerce sites because the sites often provide a way to test stolen payment account data without setting off the kind of alarms that would be triggered by high-value transactions, Eggleton says. It’s an extension of a common practice in the offline world of criminals who steal a payment card and buy $1 worth of gas at a self-service pump to see if the card has been canceled.
Charity sites that accept small donations are also prime test sites for criminals, who may make small donations just to see if their stolen payment account data will complete a transaction, he adds. Once assured that a stolen payment account remains live, criminals will then use it to make larger fraudulent transactions at other e-commerce sites.
Such account testing actions by criminals against charities and other low-value transaction sites are often called victimless crimes because little if any value is actually stolen. But even charities often wind up paying many times the value of the fraudulent small donation in chargeback fees and staff time to rectify accounts after the legitimate payment account holder denies making a transaction, Eggleton says.
One way web retailers of inexpensive items and digital content can mitigate the effect of such criminal activity, Eggleton says, is by deploying payment capture delay systems, which routinely delay a payment transaction for up to three to five days. That gives a merchant time to monitor chargeback reports or take other measures to check the payment accounts of suspicious transactions. He notes that such systems are becoming more common at charities and other sites that don’t need to immediately process transactions; they’re available as applications hosted on the Internet by companies such as WorldPay.
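A minimal sketch of the capture-delay idea described above, added here as an illustration and not taken from the article or from any WorldPay product. The class and field names, the card tokens and the three-day hold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD = timedelta(days=3)  # assumption: low end of the three-to-five-day window

@dataclass
class Auth:
    txn_id: str
    card_token: str          # tokenised card reference, never the card number
    amount_pence: int
    authorised_at: datetime
    state: str = "held"      # held -> captured | voided

class CaptureDelayQueue:
    """Holds authorised payments and captures them only after the hold window."""
    def __init__(self, hold=HOLD):
        self.hold = hold
        self.auths = {}
        self.reported = set()  # card tokens named in chargeback or fraud reports

    def authorise(self, auth):
        # A payment on an already-reported card is voided on arrival.
        if auth.card_token in self.reported:
            auth.state = "voided"
        self.auths[auth.txn_id] = auth

    def report_card(self, card_token):
        """Record a report and void every still-held payment on that card."""
        self.reported.add(card_token)
        hit = [a for a in self.auths.values()
               if a.card_token == card_token and a.state == "held"]
        for a in hit:
            a.state = "voided"
        return [a.txn_id for a in hit]

    def settle(self, now):
        """Capture held payments whose hold window has elapsed."""
        due = [a for a in self.auths.values()
               if a.state == "held" and now - a.authorised_at >= self.hold]
        for a in due:
            a.state = "captured"
        return [a.txn_id for a in due]

def demo():
    # Constructed sample data: three small donations, two on the same card.
    t0 = datetime(2024, 1, 1, 9, 0)
    q = CaptureDelayQueue()
    q.authorise(Auth("t1", "tok_A", 99, t0))
    q.authorise(Auth("t2", "tok_B", 100, t0))
    q.authorise(Auth("t3", "tok_B", 100, t0 + timedelta(hours=1)))
    early = q.settle(t0 + timedelta(days=1))   # still inside the hold window
    voided = q.report_card("tok_B")            # report arrives on day 1
    late = q.settle(t0 + timedelta(days=4))    # only the unreported card settles
    return early, voided, late
```

Payments voided while still held are never captured, so no funds move on the reported card.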