Every moment a U.S. merchant is robbed via electronic payment systems—totaling $3 billion per week. What’s a merchant to do? First, we must define and understand the problem.
Three types of fraud afflict merchants using electronic payment systems:
1. Internal fraud, or employee theft
2. External fraud, in which a third party is involved
3. Friendly fraud, indicating an authorized cardholder bends the rules of the payment system
Last fall, the U.S. Chamber of Commerce released results of a study indicating one in three employees steal, making internal fraud a prevalent problem. Most commonly, employees steal customers’ identity information to gain access to accounts and withdraw funds.
The Payment Card Industry (PCI) strives to eliminate internal and external fraud through 12 steps designed to protect physical and electronic security. It’s a common misconception that PCI only refers to e-commerce merchants. By definition, any merchant handling merchant service information is required to report. Compliance with these regulations is driven by the number of transactions conducted each year.
Regardless of fraud type, merchants should become familiar with several security measures: background checks, division of responsibility, audits and monitoring of statements.
Background checks are essential. Check the histories of employees and potential hires to see if they pose a risk. Employees who lie on applications should never be hired. Non-verifiable references should raise an eyebrow as should any applicant’s refusal to allow criminal and financial background checks.
Once employees are hired, check their records as frequently as you feel appropriate. Never assume anyone who passed a background check will remain loyal and not cause your business harm. Life circumstances change and can influence people’s mindsets radically.
Divide responsibilities as much as possible. Even at small self-storage facilities, it’s a mistake to give one employee control of all finance functions. If you can’t divide, then rotate responsibilities.
Audit frequently and erratically. Most employee thefts occur soon after an audit. Employees don’t expect management to audit immediately after an audit. Always do unannounced and random audits, making it impossible for employees to predict the timing. This significantly reduces the likelihood of internal theft.
Monitor your expected results. Establish benchmarks for predicted monthly outcomes adjusted for seasonal or other influences. If numbers aren’t adding up, make sure you rule out fraud. And remember, while a change in the number of charge-backs can indicate equipment malfunction or other operational concerns, it’s also an early indicator of fraud.
When you are accepting merchant services look for the following:
- Excessive credits
- Change in downgrade patterns
- Increased number of chargebacks
- Increase in voids
- Increase in returns
It’s highly likely you’ve been robbed in the last year. Not the kind of robbery where you’re hit over the head and dragged into a dark alley, but a subtler and potentially more damaging approach.
When you are accepting electronic checks (ACH) look for the following:
- Changes in credit patterns
- Changes in debit patterns
- Reconciliation failure
- Missing bank statements
Your best defense is to monitor everything: employees, cash flow, bank statements and merchant-service statements. On that note, do you really understand the latter? No two processors use the same layout, language or charges for services. Request a detailed written line-by-line explanation for all those you receive. Don’t assume anything!
Once you can interpret statements, track critical components and ratios. Review the plan summary, number of card types accepted, transactions of each card type, and number and type of charge-backs, downgrades and voids. For voids, take a step-by-step approach and log all of the following:
1. Reason for the void
2. Time, date and operator who entered it
3. All associated receipts
4. Customer signature
5. Reason for the void
Confirm data with the customer, and accumulate voids to see if a pattern emerges. For example, is one operator tallying more voids then others? Do voids occur at a specific time? Are one or several related cards receiving an unusual number of voids?
Compare this information with your previously identified benchmarks, reviewing the statements from the last 12 months at least and calculating the critical ratios discussed above. This provides a reference of the expected number and type of issues you should expect.
We’ve seen a number of examples of fraud being perpetrated for many years. Unknowingly, management incorporated fraudulent activities into regular data—month after month—so benchmarks may have been similar while theft was prevalent. Third-party benchmarking would have been a valuable resource in each case, perhaps uncovering the inaccuracies long ago. It may protect your facility from fraud as well. You can never be too careful. Remember there is no such thing as too much security or a bulletproof organization.
Ross Federgreen is a co-founder of CSRSI, which provides an integrated approach to the analysis, design, implementation, deployment and management of electronic transaction services and systems. Since 1999, the company has helped more than 350 public and private institutions reduce the cost of acquiring money and minimize the liability exposure related to payment transactions and customer data. Its products include the Credit Card Analysis System. For more information, call 866.462.7774, ext. 23; e-mail firstname.lastname@example.org ; visit www.csrsi.com .
For more information about self-storage security, check out "Security: Choosing Tools, Protecting Your Investment," a 32-page e-book available through the Self-Storage Training Insititute. Click here for more info!