By now most consumers are aware, if not diligent, when it comes to credit card fraud. Almost everyone has been personally impacted by at least one of the many fraud schemes that have permeated the credit card universe. Account takeover, “skimming”, gift card scams, data breaches, and E-commerce fraud are common terms in today’s world.
WHAT IMPACT DO FRAUD PRACTICES HAVE ON THE CREDIT-RELATED PAYMENT METHODS USED BY BUSINESSES TODAY?
As companies strive for greater efficiency and cost savings, they often turn to payment methods beyond the traditional and embrace functions that make use of the same infrastructure as consumer debit and credit cards. In some businesses payments made via P-Cards and E-payables are outpacing those made via paper checks and even ACH payments.
While there are many advantages to these payment methods, it is important for a company to be aware of the potential fraud exposures. Although industry experts agree the benefits (in terms of cost savings, improved efficiencies and reporting) outweigh the potential risks, any business intent on achieving maximum profitability will do well to minimize those risks. In a previous article, we addressed the potential for duplicate payments within P-Card processing. Here, we will highlight fraud concerns with P-Cards; especially when used for T and E.
INTERNAL (EMPLOYEE) FRAUD IS THE MOST COMMON RISK, BUT CAN ALSO BE THE EASIEST TO CONTROL.
Fraudulent use (i.e. misuse) of the P-Card process by employees is, unfortunately, all too common. Most often it shows up in one of the following ways:
- Personal expenditures which the employee fails to reimburse.
- Employees who use their P-Card to pay for an expense, and then submit the same charge for reimbursement outside of the P-Card process (known as “double-dipping”).
- Charges which exceed Company limits or are considered inappropriate.
Prevention of these activities can best be achieved through enforcement of established controls. Here are a few points to keep in mind.
- When implementing P-Cards, policies and procedures (and the consequences of violating them) must be established and clearly communicated to employees.
- Work with your card issuer to systemically control parameters like purchase dollar limits and restrictions on the merchant category codes (MCCs) the employee is allowed to use. Transactions outside these parameters will result in a denial of purchase at point of sale.
- Solid expense approval procedures, along with required checks and balances is critical.
- Internal reporting can be useful in fraud prevention and detection. Design reports that highlight exceptions, such as purchases that exceed established controls.
Ultimately, it is management’s responsibility to ensure that controls are operating as expected to prevent fraud. Even the best reports are ineffective if they are not reviewed timely and thoroughly. If management becomes complacent regarding expense approval processes and maintaining controls, it is only a matter of time before employee fraud will occur.
P-CARDS USE THE SAME INFRASTRUCTURE AS CONSUMER DEBIT AND CREDIT CARDS AND ARE VULNERABLE TO THE SAME FRAUD EXPOSURES (TO AN EXTENT).
Because these cards use the credit networks, they are vulnerable to data breaches and hackers. The good news is if card information does fall into the wrong hands, there are limits on how it can be used. Restrictions that prevent an employee from exceeding a specified dollar amount or using the card for an unauthorized purchase will also prevent the same abuse by someone outside of the organization. Fraudsters know this, which is why they tend to avoid targeting P-Cards.
Additionally, the same fraud prevention controls in use for consumers also apply to P-Cards. PCI (Payment Card Industry) controls adhered to by all merchants encompass P-Cards as well as consumer cards. Cards containing chip technology in addition to the traditional magstripe are the most recent and significant advancement in fraud prevention. Most P-Cards issued today are chip-enabled.
P-CARDS HAVE SOME RISKS NOT INHERENT IN CONSUMER CREDIT CARDS.
Some fraud concerns are unique to P-Cards. One of those is simply the fact that employees may not be as diligent about protecting their P-Card as they are protecting their personal card. It is important to stress to any employee issued a P-Card that it be treated as they would their own card and personal information.
P-Cards are also vulnerable to scams related to business, but not applicable to consumer cards. Fraudsters have demonstrated the ability to “spoof” the email address of a Company executive and use this to direct an employee to unknowingly commit fraud. For example, an employee may receive an email from what appears to be the Company CFO instructing them to purchase gift cards to be used as customer appreciation gifts. They are told to reply with the gift card numbers and when they do the fraudster intercepts the email; giving him access to the gift cards. Awareness of the potential for these schemes should be included in P-Card policies and procedures.
HOW CAN YOU BE SURE YOUR CONTROLS AND PROCESSES ARE WORKING TO PREVENT FRAUD?
As a confirmation of your processes and controls, consider having a third party review your P-Card data for exceptions, anomalies, fraud, and cost recovery opportunities. This type of analysis can help identify potential areas of concern and highlight employees or divisions that should be more closely monitored. One advantage of using an independent third party for this review is the potential to identify abuse even at the management level; the very people you depend on for fraud prevention. A company experienced in analyzing large volumes of data is ideal for this type of project.