Card-Present Fraud
Before addressing CP fraud, understand:
- Terminal operations and fleet management
- PCI DSS requirements for physical security
- Fraud types and how CP differs from CNP fraud
- EMV liability shift rules
Card-present fraud is lower than CNP, but when it happens, you eat the loss. EMV shifted liability, but the shift only works if you actually use the chip. Keyed transactions, employee schemes, and physical tampering are your real risks.
Most SMBs assume in-person payments are safe. They're safer, not safe. See fraud metrics for how to measure your exposure.
What Matters
- EMV liability shift only works if you dip the chip. Swipe or key the card, you own the fraud.
- Skimming still happens. Attackers overlay devices on your terminals to capture card data.
- Employee fraud is your biggest CP risk. Internal refund schemes, keyed transaction abuse, card data theft.
- Keyed transactions are high-risk by definition. Every keyed entry should trigger velocity rules.
- Physical security is fraud prevention. Terminals in view, tamper checks, access control. See PCI DSS Requirement 9.
Skimming Detection
Skimmers capture card data at the point of swipe or insert. Modern skimmers are sophisticated.
Types of Skimmers
| Type | How It Works | Detection |
|---|---|---|
| Overlay skimmer | Fits over existing card slot | Wiggle test, visual inspection |
| Deep insert skimmer | Inside the card slot | Harder to detect visually |
| Bluetooth skimmer | Transmits data wirelessly | RF detection, Bluetooth scan |
| Shimmer | Thin device reads chip data | Very hard to detect |
Daily Terminal Check
Train staff to check terminals every day:
- Card slot sits flush, doesn't wiggle
- No overlay on PIN pad
- Terminal casing is intact, no gaps
- Cables are secure, no additions
- Tamper stickers/seals unbroken
- Terminal serial number matches inventory
Weekly Deep Check
- Compare terminal to photo of known-good state
- Check for unusual Bluetooth devices nearby
- Verify firmware version matches expected
- Review transaction patterns for anomalies
Terminal Tampering
Beyond skimmers, terminals can be physically compromised.
Tamper Indicators
| Sign | What It Means |
|---|---|
| Broken or missing tamper seal | Terminal may have been opened |
| Loose screws or panels | Internal access attempted |
| Different colored parts | Replacement components |
| Unusual weight | Internal additions |
| Strange behavior | Slow transactions, unexpected prompts |
What to Do If Tampering Suspected
- Stop using the terminal immediately - see terminal operations
- Do not process more transactions
- Preserve the terminal as evidence
- Contact your processor security team
- Review transactions from that terminal for past 30 days - check metrics
- File police report if confirmed - document for PCI incident response
Physical Security Basics
- Terminals in view of staff at all times
- Cable/lock terminals to counter
- Limit who can access back of terminal
- Lock terminals in safe overnight (high-risk locations)
- Visitor/vendor check-in for anyone who touches terminals
Employee Fraud Schemes
Your employees are your biggest card-present fraud risk. This is a form of first-party fraud when committed by insiders.
Common Schemes
Refund Fraud
Pattern: Employee processes refund to their own card or an accomplice's card without a corresponding sale. See refund fraud for detection strategies.
Signals:
- High refund count for specific employee
- Refunds without corresponding sales
- Refunds to same card repeatedly
- Refunds processed after hours or at close
Prevention:
- Require manager approval for refunds over $X
- Match refunds to original transactions
- Review refund reports by employee weekly
- Dual control for cash refunds
Skimming by Staff
Pattern: Employee uses hidden device to capture card data, sells data or uses for fraud.
Signals:
- Employee handles cards out of customer view
- Transactions take unusually long
- Multiple fraud reports traced to your location
Prevention:
- Customer-facing terminals only
- Cards never leave customer's hand
- Clear sightlines to all terminals
- Background checks for new hires
Keyed Transaction Abuse
Pattern: Employee keys in card numbers from memory, photos, or written notes for personal purchases.
Signals:
- High keyed ratio for specific employee
- Keyed transactions to same card
- Keyed transactions after hours
Prevention:
- Monitor keyed ratio by employee
- Require manager approval for keyed transactions
- Review keyed transactions daily
- Disable keyed entry on some terminals
Void/Cancel Manipulation
Pattern: Employee processes sale, pockets cash, then voids transaction.
Signals:
- High void rate for specific employee
- Voids at end of shift
- Voids without customer present
Prevention:
- Require customer signature on voids
- Manager approval for voids
- Receipt required for all voids
- Camera coverage of register area
Monitoring by Employee
Track these metrics per employee:
| Metric | Red Flag Threshold |
|---|---|
| Refund count | > 2x average |
| Refund value | > 2x average |
| Keyed transaction % | > 5% |
| Void rate | > 2% |
| After-hours transactions | Any |
| Same-card refunds | > 1 per month |
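An added example (not from the original page) that computes the count-based metrics in the table above from a transaction log and flags each employee against the listed thresholds. The row layout, the 09:00-21:00 business hours, the use of all of an employee's transactions as the denominator for keyed % and void rate, and the sample rows are assumptions; refund value is left out and would follow the same pattern as refund count.

```python
from collections import Counter, defaultdict
from datetime import datetime, time

OPEN, CLOSE = time(9, 0), time(21, 0)   # assumed business hours

def sample_txns():
    """Constructed rows: (employee, timestamp, kind, entry_mode, card_token)."""
    rows = []
    for emp in ("alice", "bob", "carol"):
        rows += [(emp, datetime(2024, 5, 6, 10 + i % 8, i % 60), "sale", "chip", f"{emp}-{i}")
                 for i in range(40)]
    rows += [("alice", datetime(2024, 5, 7, 11, 0), "refund", "chip", "alice-3")]
    rows += [("bob", datetime(2024, 5, 7, 12, m), "sale", "keyed", f"k{m}") for m in (5, 20, 40)]
    rows += [("bob", datetime(2024, 5, d, 15, 0), "refund", "chip", c)
             for d, c in ((7, "bob-1"), (8, "bob-2"), (9, "X9"))]
    rows += [("bob", datetime(2024, 5, 10, 23, 15), "refund", "chip", "X9")]
    rows += [("carol", datetime(2024, 5, 8, 20, 50), "void", "chip", "carol-7")]
    return rows

def employee_flags(txns):
    """Map each employee to the sorted list of red-flag metrics they exceed."""
    stats = defaultdict(Counter)        # employee -> counts per metric
    same_card = defaultdict(Counter)    # employee -> refunds per (card, year, month)
    for emp, ts, kind, entry, card in txns:
        stats[emp]["n"] += 1
        stats[emp][kind] += 1
        stats[emp]["keyed"] += entry == "keyed"
        stats[emp]["after_hours"] += not (OPEN <= ts.time() < CLOSE)
        if kind == "refund":
            same_card[emp][(card, ts.year, ts.month)] += 1
    avg_refunds = sum(c["refund"] for c in stats.values()) / len(stats)
    flags = {}
    for emp, c in stats.items():
        checks = {
            "refund_count": c["refund"] > 2 * avg_refunds,    # > 2x average
            "keyed_pct": c["keyed"] / c["n"] > 0.05,          # > 5%
            "void_rate": c["void"] / c["n"] > 0.02,           # > 2%
            "after_hours": c["after_hours"] > 0,              # any
            "same_card_refunds": any(v > 1 for v in same_card[emp].values()),
        }
        flags[emp] = sorted(name for name, hit in checks.items() if hit)
    return flags
```
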
"Can we pull reports showing refund and void rates by employee? What about keyed transaction percentage?"
MOTO/Keyed Transaction Risk
Every keyed transaction is a liability.
When Keyed Entry Is Acceptable
| Scenario | Risk Level | Notes |
|---|---|---|
| Established B2B customer, phone order | Lower | Known relationship, verify identity |
| Card present but chip failed once | Medium | One retry, then request different card |
| Delivery driver collecting payment | Medium | Consider mobile terminal instead |
When Keyed Entry Is a Red Flag
| Scenario | Risk Level | Notes |
|---|---|---|
| Walk-in says chip "doesn't work" | High | Common fraud tactic |
| Customer reads card number from phone | High | Likely stolen card data |
| Rush to complete before closing | High | Pressure tactic |
| High-ticket item, new customer | High | Classic fraud pattern |
| Employee keying without customer present | Critical | Potential internal fraud |
Liability Shift Loss
| Transaction Type | Liability for Fraud |
|---|---|
| Chip dip (EMV) | Issuer |
| Contactless (NFC) | Issuer |
| Swipe (mag-stripe) | Merchant |
| Keyed (MOTO) | Merchant |
If you key a fraudulent transaction, you eat the loss. No exceptions.
Keyed Transaction Policy
- Chip must be attempted first
- If chip fails, tap must be attempted
- If both fail, request different card
- Keyed entry requires manager approval
- Document reason for every keyed transaction
- Never key a number read from a phone or paper
EMV Liability Shift Mechanics
Understanding liability shift helps you make risk decisions.
How Liability Shift Works
Before EMV (pre-2015): Issuer usually liable for fraud.
After EMV: Liability falls on the party with less secure technology.
| Merchant Has | Card Has | Liability |
|---|---|---|
| Chip terminal | Chip | Issuer |
| Chip terminal | No chip | Issuer |
| No chip terminal | Chip | Merchant |
| No chip terminal | No chip | Issuer |
What "Chip Terminal" Means
- Terminal must be EMV-capable
- EMV must be enabled and active
- Transaction must be processed as chip (not fallback)
If your terminal has chip capability but you swipe anyway, you lose liability shift.
Fallback Transactions
When chip fails and you fall back to swipe:
- First fallback: Some liability protection (varies by network)
- Repeated fallback: Loses protection, signals potential issue
If your terminal regularly falls back to swipe, investigate:
- Dirty chip reader
- Worn chip slot
- Firmware issue
- Fraud attempt
Test to Run
2-week card-present security audit:
Week 1: Assessment
- Inspect all terminals for tampering signs
- Pull keyed transaction report by employee
- Review refund patterns for past 90 days
- Verify terminal firmware is current
- Check physical security (locks, sightlines, access)
Week 2: Remediation
- Address any tampering concerns
- Investigate high keyed ratios
- Implement employee monitoring dashboards
- Update terminal check procedures
- Train staff on fraud indicators
Success criteria: All terminals verified clean. Keyed ratio under 2%. Monitoring in place.
Scale Callout
| Volume | Focus |
|---|---|
| Under $100k/mo CP | Daily terminal checks. Manager approval for keyed entries. Basic employee monitoring. |
| $100k-$1M/mo CP | Automated employee metrics. Weekly refund review. Tamper detection procedures. |
| Over $1M/mo CP | Dedicated loss prevention. Camera integration. Real-time anomaly detection. Regular security audits. |
Where This Breaks
- High-turnover retail. Constant new employees means constant training gaps. Simplify procedures and automate monitoring.
- Mobile/delivery operations. Terminals out of your sight increase risk. Use cellular terminals with GPS tracking. Limit keyed entry capability.
- Multi-location franchises. Consistency is impossible without automated monitoring. Centralized reporting and regular audits required.
Analyst Layer: Metrics to Track
| Metric | What It Tells You | Target |
|---|---|---|
| Keyed transaction % | Liability exposure | < 2% |
| Refund rate by employee | Internal fraud risk | Compare to average |
| Void rate by employee | Manipulation potential | < 2% |
| Fallback transaction % | Terminal health | < 1% |
| CP fraud/dispute rate | Overall health | < 0.3% |
| After-hours transaction % | Anomaly indicator | Investigate any |
Location-Level Comparison
If you have multiple locations, compare:
- Keyed % by location
- Refund rate by location
- Dispute rate by location
Outliers indicate location-specific problems (terminal issues, employee issues, or local fraud patterns).
Trend Analysis
Week-over-week trends matter more than snapshots:
- Increasing keyed ratio = investigate
- Increasing refunds at one location = investigate
- Spike in voids before employee resignation = investigate
CP Anomaly Monitoring
Build alerting for these card-present anomalies:
| Anomaly | Detection Logic | Alert Threshold |
|---|---|---|
| Keyed entry spike | Keyed % > baseline + 2 std dev | Real-time alert |
| Off-hours transactions | Transactions outside business hours | Any occurrence |
| Refund without sale | Refund not matched to prior sale | Any occurrence |
| High-value void | Void > $X (set threshold) | Each occurrence |
| Multiple cards, same device | 3+ distinct cards on one terminal/hour | Real-time alert |
| Repeated decline then success | 3+ declines followed by approval | Flag for review |
Anomaly Investigation Workflow:
- Alert fires → Identify employee, terminal, transaction details
- Verify legitimate? → Check with manager, review camera
- If suspicious → Escalate to loss prevention
- If false positive → Tune threshold
- Document outcome → Train detection model
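Three of the rules in the table above as code, run over constructed events: keyed entry spike, refund without sale, and repeated decline then success. This is an added example, not the page's own tooling; the event fields, the `ref` link from a refund to its sale, and counting decline streaks per terminal are assumptions.

```python
from statistics import mean, stdev

def ev(id, kind, status, terminal, card, cents, ref=None):
    return dict(id=id, kind=kind, status=status, terminal=terminal,
                card=card, cents=cents, ref=ref)

# Constructed events, already in time order. Amounts are integer cents.
EVENTS = [
    ev("s1", "sale", "approved", "T1", "cardA", 5000),
    ev("r1", "refund", "approved", "T1", "cardA", 2000, ref="s1"),
    ev("r2", "refund", "approved", "T1", "cardA", 4000, ref="s1"),  # exceeds what is left
    ev("r3", "refund", "approved", "T1", "cardB", 1500),            # no sale referenced
    ev("s2", "sale", "declined", "T2", "cardC", 9000),
    ev("s3", "sale", "declined", "T2", "cardC", 7000),
    ev("s4", "sale", "declined", "T2", "cardC", 4000),
    ev("s5", "sale", "approved", "T2", "cardC", 2000),
    ev("s6", "sale", "declined", "T1", "cardE", 1200),
    ev("s7", "sale", "approved", "T1", "cardE", 1200),
]

def keyed_spike(baseline_pcts, current_pct):
    """Keyed % above the baseline mean plus two standard deviations."""
    return current_pct > mean(baseline_pcts) + 2 * stdev(baseline_pcts)

def unmatched_refunds(events):
    """Refund ids with no prior sale on the same card that has enough left to refund."""
    refundable, alerts = {}, []          # sale id -> [card, cents not yet refunded]
    for e in events:
        if e["kind"] == "sale" and e["status"] == "approved":
            refundable[e["id"]] = [e["card"], e["cents"]]
        elif e["kind"] == "refund":
            sale = refundable.get(e["ref"])
            if not sale or sale[0] != e["card"] or e["cents"] > sale[1]:
                alerts.append(e["id"])
            else:
                sale[1] -= e["cents"]    # partial refunds draw down the sale
    return alerts

def declines_then_approval(events, min_declines=3):
    """Approved sale ids that follow min_declines or more straight declines on one terminal."""
    streak, alerts = {}, []
    for e in (e for e in events if e["kind"] == "sale"):
        t = e["terminal"]
        if e["status"] == "declined":
            streak[t] = streak.get(t, 0) + 1
        else:
            if streak.get(t, 0) >= min_declines:
                alerts.append(e["id"])
            streak[t] = 0
    return alerts
```

Tracking the remaining refundable amount per sale is what catches a second refund against an already-refunded sale, which a plain "does the sale exist" check would pass.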
Employee Risk Scoring
Build employee risk scores based on:
| Factor | Weight | Signal |
|---|---|---|
| Keyed % vs peers | High | Above-average = risk |
| Refund % vs peers | High | Above-average = risk |
| After-hours transactions | Medium | Any = flag |
| Void pattern | Medium | Clustered voids = risk |
| Tenure | Low | New employees = higher monitoring |
Score employees monthly. Investigate top 10% risk scores. Many will be false positives (high performers, complex transactions), but some will reveal issues.
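One way to turn the factor table into a monthly score, as an added example rather than a method the page prescribes. The numeric weights (3/2/1), clipping peer deviation at three standard deviations, the 50% last-hour share that counts as "clustered" voids, the 90-day cutoff for new employees, and the sample rows are all assumptions.

```python
import math
from statistics import mean, pstdev

# Assumed numeric weights for the page's High / Medium / Low factors.
WEIGHTS = {"keyed": 3, "refund": 3, "after_hours": 2, "void_cluster": 2, "tenure": 1}

# Constructed monthly rows:
# (employee, keyed %, refund %, after-hours txns, voids, voids in last shift hour, tenure days)
STAFF = [
    ("e01", 1.0, 2.0, 0, 4, 1, 900),
    ("e02", 1.2, 2.5, 0, 3, 0, 700),
    ("e03", 0.8, 1.5, 0, 5, 1, 400),
    ("e04", 6.5, 2.2, 2, 6, 5, 300),    # keyed outlier, after hours, clustered voids
    ("e05", 1.1, 2.1, 0, 2, 0, 30),     # new hire, otherwise unremarkable
    ("e06", 0.9, 7.5, 0, 4, 1, 1200),   # refund outlier
    ("e07", 1.3, 1.8, 0, 3, 1, 800),
    ("e08", 1.0, 2.4, 0, 2, 0, 600),
    ("e09", 0.7, 1.9, 0, 5, 2, 500),
    ("e10", 1.5, 2.0, 0, 4, 1, 450),
]

def above_peers(value, peers):
    """Standard deviations above the peer mean, clipped to the range 0..3."""
    sd = pstdev(peers)
    return 0.0 if sd == 0 else min(max((value - mean(peers)) / sd, 0.0), 3.0)

def risk_ranking(staff):
    """Return [(employee, score)] sorted from highest to lowest risk."""
    keyed = [row[1] for row in staff]
    refund = [row[2] for row in staff]
    scores = []
    for emp, k, r, after, voids, late_voids, tenure in staff:
        signals = {
            "keyed": above_peers(k, keyed),
            "refund": above_peers(r, refund),
            "after_hours": 1.0 if after else 0.0,
            "void_cluster": 1.0 if voids and late_voids / voids > 0.5 else 0.0,
            "tenure": 1.0 if tenure < 90 else 0.0,
        }
        scores.append((emp, sum(WEIGHTS[f] * v for f, v in signals.items())))
    return sorted(scores, key=lambda s: s[1], reverse=True)

def to_investigate(staff):
    """Top 10% of risk scores, always at least one employee."""
    ranked = risk_ranking(staff)
    return [emp for emp, _ in ranked[:max(1, math.ceil(len(ranked) / 10))]]
```
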
Next Steps
Preventing skimming and tampering?
- Train daily terminal checks - Staff inspection routine
- Perform weekly deep checks - Compare to known-good state
- Handle suspected tampering - Response protocol
Addressing employee fraud?
- Know common schemes - Refund, skimming, keyed abuse
- Monitor by employee - Per-employee metrics
- Implement prevention controls - Manager approvals
Managing keyed transactions?
- Identify acceptable scenarios - Low-risk cases
- Recognize red flags - High-risk signals
- Enforce keyed policy - Chip first, approval required
Related Pages
- Card-Present Terminal Decisions - Terminal selection
- Terminal Operations - Day-to-day management
- Fraud Prevention - Prevention strategies
- Velocity Rules - Pattern detection
- EMV & Contactless - Chip security
- PCI DSS - Physical security requirements
- Refund Fraud - Employee abuse patterns
- First-Party Fraud - Customer abuse
- Chargeback Prevention - Dispute reduction
- Fraud Metrics - Measuring CP fraud