The anatomy of a point-of-sale fraud
Point-of-sale (POS) transactions using a credit card or a smartphone ensure greater payment convenience. But with technologies such as near-field communication (NFC) and radio-frequency identification (RFID), POS payments are more vulnerable to fraud.
The uses of NFC technology include tracking users and permitting access to secured locations. Though NFC is a short-range technology that allows close data exchange (immediate physical proximity of about 1.5 inches to 4 inches), you can supplement it with RFID to broaden the range of an NFC tag. Even within that short range, a fraudster can intercept an NFC exchange. Because it applies to longer-range RFIDs and NFC-based data interactions, this type of fraud is often referred to as RFID skimming.
Retail stores emphasise cloud and mobile security but often neglect POS safety. According to a report, the value of a card fraud per $100 transaction stands at ¢6.4 in 2022. With daily global transactions worth billions happening daily, this amount quickly adds up to millions of dollars. Fraudsters target the firmware within the POS system to capture credit card details. Without a point-to-point encryption (P2PE) solution, customers’ data remains unsecured.
Encryption in backend payment processing
Many retailers rely on transmission-level encryption for POS transactions, which encrypts the card data only when it moves from the POS terminal to the payment processor. The data is vulnerable at this stage from hackers who can exploit it for their benefit.
One of the most significant areas of vulnerability is the operating system (OS). Unaware of the technical aspects, retailers continue to use legacy systems that do not respond well to the changing fraud techniques.* It is also essential for retailers to maintain and upgrade current data security patches. In such a scenario, the P2PE system guarantees data security from a customer's smartphone to its destination in the backend processing systems.
Original equipment manufacturers (OEMs) don't always manufacture POS systems that address every cyber threat during designing and manufacturing. This makes it essential for all vendors using POS machines to have regular security patches and software updates.
Transition to proven compliance frameworks
Retailers should move towards proven compliance frameworks such as Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides an overall framework to adopt P2PE and recommends the use of P2PE. It also contains guidelines for POS systems.
POS lockdown strategy uses technology that whitelists authorised processors. If the system comes in contact with a POS machine that's not on the whitelist, the processor shuts down automatically, preventing any fraudulent transactions. By plugging in these sources of revenue leakage, businesses can improve profitability, enhance process efficiency, eliminate policy abuse, and stop POS theft.
Types of in-store data checks at the POS level
Access to rich POS data can reduce the losses due to fraud by allowing real-time monitoring and swift decision-making. Certain checks at the POS level in-store can raise red flags to reduce fraud significantly:
- Logs per user:
- Duplicate invoice printing:
- Customer refunds:
- Sodexo, credit card, or gift card use:
- Credit sales:
- Manual discount:
Fraudsters in a retail store siphon cash by not logging in certain transactions. This type of fraud is a 'bill void.' A POS fraud detection and prevention system can review bill voids (item and line-wise) against the store, cashier, date and time of void, amount, and shift time.
This happens when the biller does not record a customer's original invoice but hands over a duplicate invoice of more or less the same amount. POS fraud solution can log any duplicate bill printing store-wise, shift-wise, and item-wise.
The fraud prevention system links the use of cash drawers to the system to track any incoming and outgoing cash. The system can also make it mandatory to get the store manager's approval for any refunds.
Fraudsters can use the same card details from different mobile numbers to redeem gifts. POS fraud detection systems can track such transactions.
By mapping a customer's phone number to the system data, store, product, and shift in-charge details, the system can capture trends in credit sales.
Track the frequency of any ad hoc discounts by capturing manual discounts store-wise and shift-wise.
How can Infosys BPM help?
Fraud detection works on multiple data sources. This includes inventory, product promotions, returns, and POS transactions. The advanced analytical methods of pattern recognition, anomaly detection, and machine learning (ML) algorithms detect potential POS frauds. The services include:
- Predictive analysis:
- Rules/risk repository:
- Case/workflow management:
- Video analytics:
- Reporting and analytics:
ML algorithms capture complex patterns that are difficult to detect manually.
Enhance the decision engine/risk book to stop future incidents.
Create and manage watch lists or block suspicious individuals.
Use existing CCTVs in the store to pull videos of suspicious activities in real-time.
Use reports to understand areas of concern and plug any leakages.
*For organisations on the digital transformation journey, agility is key in responding to a rapidly changing technology and business landscape. Now more than ever, it is crucial to deliver and exceed organisational expectations with a robust digital mindset backed by innovation. Enabling businesses to sense, learn, respond, and evolve like living organisms, will be imperative for business excellence. A comprehensive yet modular suite of services is doing precisely that - equipping organisations with intuitive decision-making automatically at scale, actionable insights based on real-time solutions, anytime/anywhere experience, and in-depth data visibility across functions leading to hyper-productivity, Live Enterprise is building connected organisations that are innovating collaboratively for the future.