​Swipe Once for Fraud​

A recent IPO filing disclosure reveals the fraud p​​​​​erils faced by card processing companies serving small sellers.

Comments Views

​​A single seller defrauded online payments company Square​ out of US$5.7 million, Business Insider reports. Omaha, Neb.-based event planner, Creative Creations, allegedly used its Square card reader to sell worthless travel vouchers, according to the Omaha World-Herald. Square revealed that such fraud is a big risk in an initial public offering filing with the U.S. Securities and Exchange Commission (SEC). The company notes that the automated nature of its payment services makes it an attractive target for fraudulent and illegal activities. Moreover, Square acknowledged that it could be liable for losses associated with chargebacks and refunds connected to illegitimate transactions. Chargebacks occur when a person notices a charge for something he or she didn't purchase and the credit card company refunds the amount to the cardholder. Square, as the processor, may be liable for reimbursing the credit card company if the seller is unwilling or unable to do so.

Lessons Learned

As various forms of businesses targeting lower-cost electronic financial transactions proliferate, so too do the associated risks of fraud. In Square's business model, the company charges a fee of 2.75 percent on every credit card transaction but does not charge sellers monthly fees or set-up costs. Square claims  its costs are, on average, lower than the costs charged by conventional credit card processors. Square is regarded as a useful application for entrepreneurs, such as consultants, food truck operators, and other small retailers. Swiped payments are deposited directly into a user's bank account within one or two business days.

By its own admission, Square's business model puts it at a high level of risk for fraud. Its SEC filing notes, "The highly automated nature of, and liquidity offered by, our payments services make us a target for illegal or improper uses, including fraudulent or illegal sales of goods or services, money laundering, and terrorist financing. Identity thieves and those committing fraud using stolen or fabricated credit card or bank account numbers, or other deceptive or malicious practices, potentially can steal significant amounts of money from businesses like ours."

So what might Square do to balance its flexible payment services model while combatting fraudulent activity such as with chargebacks?

  • Implement a robust anti-fraud regime, tailored to its business model and customers. That would include a fraud risk assessment of high-risk customers (for example, those with little or no credit history, sellers who only provide future delivery of goods/services, and sellers with links to foreign or unknown origins), and transactions (for example, a higher dollar/higher volume value). As it did with an outright ban on firearms-related transactions, Square could set out other kinds of transactions and customers it will give closer scrutiny to or ​simply not accept, based on that fraud risk assessment. Certainly, testing the legitimacy of potentially high-risk or suspicious transactions and customers periodically is a good practice. This should be done in combination with various electronic testing, such as verifying the IP address of the customer/seller, checking whether sellers have a legitimate presence on Facebook or other social media, and verifying whether the billing and selling addresses match.
  • Consider introducing stronger controls over transactions that do not compromise either its business model or financial viability. These could include:
      • Establishing a reasonable waiting period before a customer or seller is reimbursed in a chargeback situation to allow time to confirm the validity of the transaction.
      • Investing in EMV chip card technology for all of its card readers to increase overall security over transactions.
      • Requiring high-risk sellers, identified in the fraud risk assessment, to maintain a financial reserve to cover losses such as from chargebacks.
      • Avoiding higher-risk transactions, such as what can happen when a purchase is sent to a freight company. For example, such companies can send goods overseas and still do a chargeback.
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

 

 

Comment on this article

comments powered by Disqus
  • IIA AuditBoard_Nov 2019_Premium 1
  • IIA GAM_Nov 2019_Premium 2
  • IIA OnRisk_Nov_Premium 3