Fraud mitigation is now integral to the operation of any successful business. For Vacation Rental Managers (VRMs), CNP (card not present) transactions are highly susceptible to fraud, for which merchants are held liable. We are dedicated to educating our merchants and our industry on assisting with fraud detection and prevention. We have some preventative tips that can help limit credit card fraud, starting with basic tools, educating your team and some good old-fashioned sleuthing.
LexisNexis Fraud Multiplier℠ estimates the total amount of loss a merchant incurs, based on the actual dollar value of a fraudulent transaction. In 2016, every dollar of fraud cost merchants $2.40, up from $2.23 in 2015. For each dollar lost to fraud, merchants can ultimately expect to lose $2.40 in revenue due to the associated fees, lost merchandise/service, sales potential, and more.
Finding the right balance between making the reservation and payment process easy and making it as secure against fraud as possible is something that we encourage each property manager to find for their business. Fraud isn’t only money laundering and identity fraud. Our industry is especially challenged with “friendly fraud”, or more commonly known as chargeback fraud.
Friendly fraud is similar to buyer identity fraud, but with a few important differences. In both cases, the merchant is the victim of a fraudulent buyer, but with friendly fraud, the buyer is actually the cardholder. The cardholder duly authorizes the payment, but reverses it once they have received the product or service. The cardholder gets the goods for free, and the merchant gets stuck holding the bag. Friendly Fraud makes up more than 70 percent of online fraud, according to LexisNexis.
Here are some possible reservation red flag alerts that deserve more scrutiny for protection:
- Last-minute reservations
- Customers who refuse to sign and return your rental agreement/confirmation
- Customers who want you to charge the card in excess of the total amount due, and to forward the excess funds to a third party
- Customers who provide multiple card numbers for the same stay
- Requests for services or merchandise you do not offer
- Customers who book with little or no regard for value or price
- Stories that don’t match
- Customers using someone else’s card
- Anything that triggers a negative gut feeling!
Here are some additional tips to take charge of fraud:
- Trust your gut
- Ensure your team knows the proper procedures for credit card transactions and follow card acceptance procedures
- Name on card MUST match the name on the lease
- Review transactions daily before batching out for efficient reconciliation
- Start by getting authorization for every transaction, this reduces the likelihood of processing an expired or invalid card, but does not guarantee payment
- Code 10/Cardholder Verification
- Use a Code 10 authorization as a preventive tool to verify additional information on suspicious transactions, such as last minute bookings. You can simply call the voice auth line at the bank where you will be transferred to an operator and will be asked a series of questions about the transaction. The cardholder doesn’t know that you are calling. The operator will attempt to verify the information you provide (cardholder name, address, etc.) with the card issuing bank. If the authorization request is declined, or the information you provide doesn’t match what the issuing bank has on file, we recommend you request another form of payment that can clear the bank and not be disputed after the stay.
- Utilize the Address Verification System
- AVS compares the billing address the customer entered with the one the credit card issuer has on file that the fraudster may not know
- Best Scenario is Partial AVS (available through SlimCD) that will normally match on Zip Code only. When it comes to AVS settings at Yapstone/VRP, a merchant has two options: AVS on, or AVS off. If turned on, the AVS response has to be a FULL match, otherwise the transaction is declined in the gateway. If turned off, any AVS response is accepted and even if the address does not match it will not decline.
- AVS can also affect you receiving the best rates possible
- Require Card Verification Value
- CVV/CVS is on the physical card and under PCI regulations, is NOT allowed to be stored
- While not requiring CVV does not affect your rates, it provides an additional step to help detect if the card is in the guest’s physical possession
- Set Timelines for Accepting ACH/E-check payments
- Guest has 60 days from date of payment to claim fraud, unhappy with service and get their money back
- Don’t accept ACH within 60 days of a stay to be safe
- Payment Card Industry Security Standards Council (PCI SSI)
The PCI SSC is the membership organization responsible for important security standards related to safeguarding payment transaction data. All parties involved in payment card acceptance must safeguard payment transaction data and comply with the applicable standard(s). If a system with payment card information is hacked or stolen, then the compromised party must take steps to report the data security breach and work with forensics investigators, law enforcement, merchant acquiring staff and others to report findings. The best defense is to implement data security operating policies, limit stored payment card data, and safeguard data that is necessary. Their main objective is to build and maintain a secure network to protect cardholder data.
Defeating fraud helps VRMs and guests. If VRMs and staff are well prepared with the skills to recognize suspicious transactions and know how to correct the situation, everyone will be more aware of fraud and prepared for it. Take the extra steps to stop fraud before it starts. After all, it‘s the merchant – not the consumer – that stands to lose the most from credit card fraud. The most important thing merchants can do is stay educated on how fraud occurs, and then follow standard procedures and processes in a suspicious situation.