Everything You Need to Know about Restaurant Fraud Prevention
The COVID-19 crisis has led to a surge in online orders — and an increase in credit card fraud. Make sure your restaurant and your customers are protected, whether they’re dining in or ordering takeout or delivery.
Restaurants face a unique set of challenges when it comes to fighting fraud. From fraudulent credit card usage to data breaches to chargebacks and beyond, restaurants need to stay up to date with evolving security threats to protect both their businesses and their customers. This piece will cover the many threats that target the restaurant industry as well as best practices that help mitigate them.
DISCLAIMER: This content is provided for informational purposes only and is not intended as legal, accounting, tax, HR, or other professional advice. You are responsible for your own compliance with laws and regulations. You should contact your attorney or other relevant advisor for advice specific to your circumstances.
Online fraud and chargebacks
In an effort to comply with COVID-19 pandemic restrictions, restaurants rushed to establish or bolster their online presence, allowing them to continue to provide for their patrons. Many revenue-boosting measures arose during this time, such as providing feasts via delivery, standing up makeshift drive-throughs, and creating curbside pickup stations — all to drive more online orders. Unfortunately, this rush toward off-premise service and implementation of online ordering capabilities coincided with an increase in fraudulent activity as well as chargebacks in the restaurant industry.
A chargeback is the forced reversal of a card payment that results when a cardholder disputes the charge with their card issuer rather than with the merchant. The underlying cause falls into one of two categories: “true fraud” or “friendly fraud.”
True fraud is a transaction processed without the cardholder’s consent. Most commonly it involves a stolen, lost, or counterfeit card, and the victim disputes the charge once they notice it on their statement.
Contrary to its name, friendly fraud is not very friendly. It is far more common than true fraud and harder to fight, because the transaction itself was legitimate: the cardholder used their own payment details and then initiated a chargeback afterwards. Reasons include a cardholder who:
- Was dissatisfied with food or service
- Sees a charge on their card statement that they don’t remember, recognize, or understand
- Had their card used by a friend or family member without their knowledge
- Maliciously intends to get a free meal from a restaurant by claiming dissatisfaction or a missing delivery
- Disputes a charge for any reason by going to their card issuer instead of by speaking with the restaurant first
Restaurants and their payment processors both bear the cost of chargebacks and the fees that come with them, but for the restaurant the expense is layered: the refunded purchase amount, the food and labor that went into the refunded order, and a chargeback fee on top. Chargeback fees are usually a fixed amount per occurrence ($15 to $100, according to PYMNTS) and add up quickly.
As a starting point, choose a platform with a reputable online ordering system that tracks each order from placement to hand-off. That reduces lost orders and leaves an audit trail of the order’s journey to the customer, which is also the evidence you need when you contest a chargeback.
To reduce chargebacks caused by stolen card data on online orders, use a payment processor that supports the Address Verification Service (AVS). AVS applies to card-not-present transactions: the processor sends the numeric part of the billing street address and the ZIP code the customer typed to the card issuer, which compares them with the address on file and returns a match code (full match, ZIP-only or address-only match, no match, or unverifiable). A full mismatch is a strong signal to decline or hold the order, since a thief holding only a card number rarely knows the cardholder’s billing address. Two caveats: AVS checks only the digits, not the full address, and it does nothing against friendly fraud, where the real cardholder placed the order.
In addition to AVS, many restaurants are turning to integrated payment processors that use machine learning to stop potential fraud before it is authorized. Generally speaking, a machine learning model, supplemented with supervision from a fraud team, digests the enormous volume of transactions flowing through the processor and produces a risk score for each new transaction. A transaction whose score crosses a threshold is rejected before authorization, while the fraud team reviews the false positives (good orders that were blocked) and false negatives (fraud that slipped through) to retrain and refine the model.
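The AVS-plus-risk-score decision described above, as an added illustration that is not Toast’s code or any real processor’s model. It combines the processor’s AVS result with a few order features into a score, applies approve/review/decline thresholds, and then measures the decisions against the chargebacks that arrive later, which is the feedback loop the fraud team uses. The AVS code weights, feature weights, thresholds, and the sample orders are all made-up assumptions.

```python
"""Toy card-not-present (CNP) risk scoring for online orders (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Single-letter AVS result codes in the style used by US processors.
# Assumption: your processor's code set and meanings may differ; check its docs.
AVS_RISK = {
    "Y": 0,    # street address and 5-digit ZIP both match
    "A": 15,   # address matches, ZIP does not
    "Z": 15,   # ZIP matches, address does not
    "N": 45,   # neither matches
    "U": 25,   # issuer could not verify (common for non-US cards)
    "R": 25,   # issuer unavailable, retry
}

@dataclass
class Order:
    order_id: str
    card_fingerprint: str  # processor-supplied hash of the card, never the PAN
    amount: float
    avs_code: str
    billing_zip: str
    delivery_zip: str
    placed_at: datetime

def velocity(history, current, window=timedelta(hours=1)):
    """Number of earlier orders on the same card within `window` of `current`."""
    return sum(
        1 for o in history
        if o.card_fingerprint == current.card_fingerprint
        and o.order_id != current.order_id
        and current.placed_at - window <= o.placed_at < current.placed_at
    )

def risk_score(order, history, typical_ticket=35.0):
    """0-100 score; higher means more likely to end in a fraud chargeback."""
    score = AVS_RISK.get(order.avs_code, 30)  # unknown code: treat as unverified
    if order.billing_zip != order.delivery_zip:
        score += 10                            # delivering away from the billing address
    if order.amount > 3 * typical_ticket:
        score += 20                            # unusually large ticket
    if order.amount > 6 * typical_ticket:
        score += 20
    score += 15 * velocity(history, order)     # rapid repeat orders on one card
    return min(score, 100)

def decide(score, review_at=40, decline_at=70):
    if score >= decline_at:
        return "decline"
    if score >= review_at:
        return "review"   # hold for the fraud team or a phone call to the guest
    return "approve"

def evaluate(orders, chargeback_labels):
    """Bucket each order by decision and by whether it really was fraud.

    approved_fraud are the false negatives (fraud that got through) and
    declined_legit the false positives (good orders that were blocked); the
    fraud team uses both to retune the weights and thresholds.
    """
    counts = {}
    for o in orders:
        decision = decide(risk_score(o, orders))
        fraud = chargeback_labels[o.order_id]
        key = "review" if decision == "review" else f"{decision}d_{'fraud' if fraud else 'legit'}"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: one evening of orders, with the chargebacks that
# arrived weeks later used as ground truth. card-e is a card-testing run.
T0 = datetime(2021, 6, 1, 18, 0)
SAMPLE_ORDERS = [
    Order("o1", "card-a", 28.50, "Y", "02116", "02116", T0),
    Order("o2", "card-b", 240.00, "N", "10001", "02116", T0 + timedelta(minutes=10)),
    Order("o3", "card-c", 31.00, "Z", "02116", "02116", T0 + timedelta(minutes=20)),
    Order("o4", "card-d", 120.00, "U", "02116", "02118", T0 + timedelta(minutes=30)),
    Order("o5", "card-e", 30.00, "Y", "02116", "02116", T0 + timedelta(minutes=40)),
    Order("o6", "card-e", 30.00, "Y", "02116", "02116", T0 + timedelta(minutes=45)),
    Order("o7", "card-e", 30.00, "Y", "02116", "02116", T0 + timedelta(minutes=50)),
    Order("o8", "card-e", 30.00, "Y", "02116", "02116", T0 + timedelta(minutes=55)),
]
CHARGEBACKS = {"o1": False, "o2": True, "o3": False, "o4": False,
               "o5": False, "o6": False, "o7": True, "o8": True}

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        s = risk_score(o, SAMPLE_ORDERS)
        print(o.order_id, s, decide(s))
    print(evaluate(SAMPLE_ORDERS, CHARGEBACKS))
```

On the sample, the order with a full AVS mismatch, a delivery ZIP far from the billing ZIP and a very large ticket is declined outright, while the card-testing run on card-e is only caught on its fourth order: the third slips through as a false negative, which is exactly the kind of case a fraud team would feed back by raising the velocity weight.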
Instances of non-malicious friendly fraud can be deterred by providing an easily accessible customer service touchpoint, such as the online ordering system, a note on a diner’s receipt, or the restaurant’s website. Restaurants can also preempt chargebacks caused by typos and errors — such as a celebratory $2,020 gratuity that was intended to be a $20.20 gratuity — by verifying suspiciously high entries with the guest before processing a check.
Malicious friendly fraud is harder to combat, because at the time of authorization the order is indistinguishable from a legitimate one. That makes it all the more important to use a restaurant technology platform whose tools cut down the more preventable categories, true fraud above all, so that the overall number of chargebacks your restaurant has to deal with stays low.
For additional information, you can check out our resource on how to avoid and combat chargebacks.
Credit card fraud
There are three ways a physical card is read in person:
- “Swipe”: the terminal reads the magnetic stripe on the back of the card,
- “Dip”: the card is inserted so the terminal talks to its EMV chip, and
- “Tap”: an NFC-enabled card or phone is held against a contactless reader.
A magnetic stripe holds static data, so a skimmer that captures one swipe can write a working copy to a blank card. Chip (EMV) and contactless (NFC) payments instead produce a unique cryptogram for every transaction, so captured data cannot be reused, and they have largely replaced the stripe as the primary way to pay. Card networks enforced this in the United States with the EMV Liability Shift in October 2015: liability for counterfeit card fraud moved to whichever party in the transaction had not adopted EMV, so a restaurant that still swipes chip cards on a magstripe-only terminal now carries the cost of counterfeit transactions itself.
Chip and contactless payments also protect the card data itself. The chip never reveals its secret key; it signs each transaction with a one-time cryptogram that the issuer verifies, so even a fully captured transaction is useless for a second purchase. Mobile wallets paid by tap go a step further and replace the card number with a device-specific token, so the restaurant’s terminal never sees the real card number at all. Signatures, PINs, or other cardholder verification add a second factor for in-person payments.
When an order is taken online, over the phone, or keyed in manually because a card or reader is faulty, it is a card-not-present (CNP) or “keyed-in” transaction. This entry method is much more susceptible to fraud because none of the card’s built-in protections are involved; the Address Verification Service and machine learning-powered fraud prevention tools described earlier are the main ways to reduce the risk of true fraud on these transactions.
The simplest way to protect your customers’ card information is not to store it. That is where encryption and tokenization come in. In a well-designed setup, card data is encrypted inside the reader before it reaches the POS software, and when the processor authorizes a dip or tap it returns a token: a reference that stands in for the card number and is meaningless outside the processor’s own systems. Your POS records the token instead of any card or personal details, so a thief who breaks into the restaurant’s systems finds no card numbers to steal, and the token is discarded once the transaction is authorized.
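The two protections described above, a per-transaction cryptogram that makes captured chip data unreplayable and a token that lets the POS avoid holding the card number, as an added, deliberately simplified model. This is not real EMV (which uses issuer-derived 3DES/AES session keys over a standardised data set) and not Toast’s code; the card, its key, the nonces and the tokens are generated in the block, and the PAN is a constructed test number.

```python
"""Simplified chip cryptogram + tokenization model (added example, not real EMV)."""
import hashlib
import hmac
import secrets

# Magstripe: the track data is static, so one captured swipe is a working copy.
def magstripe_track(pan, expiry):
    return f"{pan}={expiry}"

def _mac(key, pan, amount_cents, atc, nonce):
    """Stand-in for the EMV application cryptogram: HMAC over the transaction."""
    msg = f"{pan}|{amount_cents}|{atc}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Holds a secret key that never leaves the chip and signs each transaction."""
    def __init__(self, pan):
        self.pan = pan
        self._key = secrets.token_bytes(16)
        self.atc = 0  # application transaction counter, increments on every use

    def share_key_with_issuer(self):
        return self._key  # personalisation step; in reality done at card issuance

    def cryptogram(self, amount_cents, nonce):
        """One-time MAC over PAN, amount, counter and the terminal's nonce."""
        self.atc += 1
        return self.atc, _mac(self._key, self.pan, amount_cents, self.atc, nonce)

class Issuer:
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, card):
        self.keys[card.pan] = card.share_key_with_issuer()
        self.last_atc[card.pan] = 0

    def authorize(self, pan, amount_cents, atc, nonce, crypt):
        expected = _mac(self.keys[pan], pan, amount_cents, atc, nonce)
        if not hmac.compare_digest(expected, crypt):
            return "decline: bad cryptogram"   # forged, or amount tampered in transit
        if atc <= self.last_atc[pan]:
            return "decline: counter reused"   # replay of a captured transaction
        self.last_atc[pan] = atc
        return "approved"

class Processor:
    """Sits between the restaurant's terminal and the issuer; owns the token vault."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.vault = {}  # token -> PAN, held by the processor, never by the restaurant

    def charge(self, card, amount_cents):
        nonce = secrets.token_bytes(4)  # terminal's "unpredictable number"
        atc, crypt = card.cryptogram(amount_cents, nonce)
        result = self.issuer.authorize(card.pan, amount_cents, atc, nonce, crypt)
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = card.pan
        # What the restaurant's POS receives and may store: no PAN anywhere.
        pos_record = {"token": token, "amount": amount_cents, "result": result}
        captured = (card.pan, amount_cents, atc, nonce, crypt)  # what a sniffer could see
        return pos_record, captured

def run_demo():
    card = ChipCard("4111111111111111")  # constructed test PAN
    issuer = Issuer()
    issuer.enroll(card)
    proc = Processor(issuer)
    pos_record, captured = proc.charge(card, 2850)
    pan, amount, atc, nonce, crypt = captured
    return {
        "first": pos_record["result"],
        "replay": issuer.authorize(pan, amount, atc, nonce, crypt),
        "tampered": issuer.authorize(pan, 999999, atc, nonce, crypt),
        "forged": issuer.authorize(pan, 1000, atc + 1, nonce, "00" * 32),
        "pan_in_pos_record": pan in repr(pos_record),
        "swipes_identical": magstripe_track(pan, "1225") == magstripe_track(pan, "1225"),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The contrast is the point: every swipe of the stripe yields the same bytes, while a captured chip transaction fails on replay (the issuer has already seen that counter), fails if the amount is altered (the MAC no longer verifies), and cannot be forged without the key that never left the card. Meanwhile the only payment artifact on the restaurant side is an opaque token.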
Additionally, data is only as safe as the weakest link in a restaurant’s overall ecosystem, and two commonly overlooked entry points are its technology solutions: the Wi-Fi network and the point-of-sale (POS) system. Guest Wi-Fi should be a separate network from the POS and payment terminals, so that a compromised laptop on the guest network cannot reach card-handling devices; PCI DSS does not require this segmentation, but it is the standard way to keep the guest network out of the scope of your assessment. To further protect a restaurant’s stakeholders from damaging data breaches, operators must ensure that their POS vendor provides strong encryption and meets PCI DSS requirements. There are numerous steps the restaurant itself must take to establish PCI compliance, and it must also thoroughly vet its POS provider to confirm it is a fully PCI compliant service provider. Even so, using a PCI compliant processor does not make your restaurant compliant: the restaurant remains responsible for maintaining a compliant environment of its own, including completing the appropriate self-assessment questionnaire (SAQ) each year. You can find out more about the steps you need to take to establish PCI compliance for your restaurant in our PCI compliance resource.
Phishing and scams
Fraudsters have found new ways to target restaurants by exploiting the confusion that surrounded the COVID-19 pandemic. Many of these scams involve impersonating a role connected to the pandemic, such as a health inspector or a loan provider. Ultimately the scammers are after personal data and credit card information, usually over the phone or by email from a spoofed address that looks official (“phishing”).
A rule of thumb is that official organizations will not request such information by phone or email, and restaurants should never provide it through those channels. The one exception is when you yourself have called a number you verified through official channels and are asked to confirm your identity. When in doubt, take a moment to review the request thoroughly. Research the organization and contact it yourself, through its official channel, to determine whether the notice you received was falsified.
As an example, one common method that fraudsters have historically used to target restaurants is by impersonating a health inspector. These scammers can call, email, or show up in person with claims of a health code violation and usually attempt to collect a baseless fine or gather personal information to use for identity theft. Even when these scammers don't have official business cards or paperwork, they can feed off restaurant owners' fear and urgency to force them into compromising situations. Similar schemes began to crop up elsewhere as scammers looked to take advantage of the COVID-19 pandemic.
When dealing with suspicious activity like this, health officials recommend asking for official city identification and paperwork behind any health code violation claims. Never give up your personal, business, or financial information on the spot; instead, take the time to look up your local county's health division's phone number yourself — don't trust any contact information given to you by the person in question — and call the health department directly to verify the person's identity and claims.
Always take a moment to stop, collect yourself, and think about whether questionable interactions could be scams.
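The checks behind the “spoofed address that looks official” warning above, as an added example that is not part of the original article and not Toast’s tooling. It reads a raw email and collects the signals a restaurant owner, or their mail filter, would use to decide that the sender must be verified out of band: a sender domain that is not on a list of domains you have confirmed yourself, replies routed elsewhere, failed or missing SPF/DKIM authentication, requests for card or bank details, urgency language, and links to unofficial hosts. The two messages, the official-domain list and the keyword patterns are constructed for this example.

```python
"""Header and content checks for a suspicious 'official' email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains you confirmed through the agency's website or a phone call,
# never from an email. Replace with your own jurisdiction's domains.
OFFICIAL_DOMAINS = {"health.example.gov", "sba.example.gov"}

SENSITIVE = re.compile(r"credit card number|card number|bank account|routing number|social security", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|today|closure|suspend)\b", re.I)
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _auth_results(msg):
    """Pull spf=/dkim= verdicts out of the receiving server's Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    found = dict(re.findall(r"\b(spf|dkim)=(\w+)", header, re.I))
    return {k.lower(): v.lower() for k, v in found.items()}

def analyze(raw):
    msg = message_from_string(raw)
    signals = []
    from_domain = _domain(msg.get("From", ""))
    if from_domain not in OFFICIAL_DOMAINS:
        signals.append(f"sender domain {from_domain} is not a verified official domain")
    reply_domain = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain
    if reply_domain != from_domain:
        signals.append(f"replies go to {reply_domain}, not the sender's domain")
    auth = _auth_results(msg)
    if auth.get("spf") not in (None, "pass"):
        signals.append(f"SPF result is {auth['spf']}")
    if auth and auth.get("dkim") != "pass":
        signals.append("message is not DKIM-signed by the sender")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    if SENSITIVE.search(body):
        signals.append("asks for card or bank details in the message")
    if URGENCY.search(body) or URGENCY.search(msg.get("Subject", "")):
        signals.append("uses urgency to pressure a quick response")
    for host in URL_HOST.findall(body):
        if host.lower() not in OFFICIAL_DOMAINS:
            signals.append(f"link to non-official host {host}")
    verdict = "verify out of band" if len(signals) >= 2 else "looks consistent"
    return {"verdict": verdict, "signals": signals}

# Constructed sample messages (no real addresses, agencies or people).
PHISH = """From: "County Health Department" <inspections@county-health-dept.com>
Reply-To: payments@cnty-health-pay.com
To: owner@example-bistro.com
Subject: URGENT: health code violation, fine due within 24 hours
Authentication-Results: mx.example-bistro.com; spf=fail smtp.mailfrom=county-health-dept.com; dkim=none
Content-Type: text/plain; charset=utf-8

Our inspector recorded violations at your location. To avoid closure, pay the
$450 fine today at http://county-health-dept.com/pay and reply with your
business credit card number for verification.
"""

LEGIT = """From: "County Health Department" <inspections@health.example.gov>
To: owner@example-bistro.com
Subject: Routine inspection scheduling
Authentication-Results: mx.example-bistro.com; spf=pass smtp.mailfrom=health.example.gov; dkim=pass header.d=health.example.gov
Content-Type: text/plain; charset=utf-8

Your annual routine inspection is due next month. Please call our office at
555-0100 or visit https://health.example.gov/schedule to pick a date.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = analyze(raw)
        print(name, result["verdict"])
        for s in result["signals"]:
            print("  -", s)
```

None of these signals is proof on its own; a real agency’s mail server can misconfigure SPF, and a scammer can register a clean-looking domain. The verdict only tells you to stop and verify through a number you looked up yourself, which is the advice above, applied before any information leaves the restaurant.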
Keep your business safe
In a shifting environment full of uncertainty, restaurants need to stay vigilant to help prevent and fight fraud to protect themselves and their customers. Beyond implementing verification procedures and data security policies, it helps to work with a trusted restaurant technology platform like Toast to strengthen your defenses against fraud and data breaches.
Toast's real-time machine learning-based fraud prevention system can help block up to 95%⁺ of fraudulent chargeback volume for online orders, representing an average monthly savings of $300* per customer.
As a PCI-compliant Level 1 Service Provider, Toast provides a suite of fraud prevention tools:
- Machine learning-powered fraud monitoring helps analyze, detect, and block suspicious online ordering transactions in real-time to prevent resulting chargebacks
- Hardware equipped with EMV and NFC technology adds an additional layer of security to deter fraudulent transactions
- Address Verification Service strengthens your online ordering process to defend against chargeback claims
- Industry-standard encryption and tokenization technologies protect your customers’ payment card data from thieves while reducing financial and brand risk
- Toast’s team of dedicated fraud experts helps monitor transactions, take action against fraud, and adapt Toast’s tools to threats arising from an evolving market
⁺As of June 2021.
*These amounts are estimates as of September 2021. Actual results may vary and depend on the unique characteristics of each business.