Restaurant Payment Fraud: Who Is Liable?

Global financial losses from card fraud are truly staggering. A recent Nilson report projects that over $408 billion will be lost over the next decade. Credit card fraud in the UK is currently running at a five year high, according to Forbes.  

Restaurants, just like anywhere that accepts card payments, have always been a target. However, much changed for food service businesses throughout the peak of the pandemic. In its wake, plenty of those changes remain.

During lockdown periods, food service businesses were forced to adapt or die. Many embraced takeaway delivery services, and had to establish new ways to process customer payments from a distance. This exposed restaurants to a much higher number of “card not present” transactions, which account for 80% of card fraud losses.

What’s particularly interesting is that consumer habits learned in lockdown have stuck.

According to a study by the British Takeaway Campaign, 32 percent of people said that they would continue to order more takeaway food following the pandemic. 31 percent said that they would “eat out less in the future”. The pandemic isn’t over, and while a Friday night walk along a high street may convince some that things are “back to normal,” plenty of people have changed their habits – possibly permanently. 

Along with the ongoing popularity of services such as Deliveroo and JustEat, this change in consumer behaviour means that restaurants operate in an increasingly cashless environment. It’s an environment where the risks of card fraud are ever present. 

Food service businesses must therefore do all they can to minimize their exposure to financial loss, whilst also providing customers with a friction-free way to pay for food – whether they choose to eat out or dine at home. 

Building an awareness of where liability for card fraud lies is a key first step. The way that payments are taken can determine whether this liability sits with the card issuer or the merchant (the restaurant or takeaway). Encouraging customers to pay using methods where the liability is with the issuer is key.

Below, we explore the practicalities, and look at how food service businesses can minimize their risk. 

In the Restaurant: Card Present Transactions

For “card present” transactions, the golden rule is that Chip and Pin and Contactless transactions present less risk than those using Magstripe (swipe) payment. That’s because the liability for fraud on Chip and Pin and Contactless lies with the card issuer.

On October 1, 2015, liability for fraud on Magstripe transactions shifted to the merchant, an event known as “the liability shift.” This means that swipe transactions now introduce more risk of financial loss to a business. 

While some countries (such as the UK) have almost entirely moved away from swipe transactions, they’re still seen in other countries such as the US. While the vast majority of new cards come with a chip, some businesses don’t yet have the EMV card readers needed to read them. 

Mastercard states that as of 2024, there will be no requirement for issuers to include a Magstripe on new cards. However, they’re not being entirely phased out until 2033. As such, restaurants can continue to expect to see occasional swipe payments.

The two main mitigations for restaurants are simple: 

  • Invest in the POS technology to take Chip and Pin and Contactless payments.
  • Exercise scrutiny when accepting Magstripe payments, with awareness that the liability for fraud lies with the business.

Delivery Orders: Card Not Present Transactions

Card not present transactions present different challenges.

Restaurants and takeaways that are not in sight of a payment card open themselves up to a higher risk of fraud. Essentially, the only way to take a takeaway order where the liability for fraud lies with the card issuer is by doing so via an eCommerce site that uses 3D Secure technology.

Businesses have two options here: They can ensure that they use apps and website frameworks that support 3D Secure, or run all of their takeaway orders via a third-party service such as JustEat or UberEats. As POS provider Sunday says, this “take(s) the weight of CNP payment off of most restaurant owners’ shoulders.”

But what about telephone orders?

Obviously, restaurateurs don’t want to turn them away, and some prefer to operate with the personal touch of telephone service. The issue is that this does increase the risk of debit or credit card fraud. And with telephone orders (along with non-3D Secure eCommerce) the liability for fraud lies with the restaurant.

There are various ways to mitigate the risk. One is to collect as much data as possible on each customer, which can in turn be quickly analysed during the order-taking process.

For example:

  • Using a phone system with caller ID can immediately give access to the customer phone number – this can then be used for data enrichment purposes (as below).
  • Asking for the customer’s phone number to cross-reference against the caller ID.
  • Collecting an email address provides an additional data point.
  • Collecting full card information, including the CVV code and the associated address and postcode.

Restaurants with a high throughput of telephone orders may wish to consider a fraud prevention solution that allows for the use of data enrichment techniques. The customer’s phone number and/or email address could be cross-referenced against a host of freely available data – in real time, while the order is in progress.

This can flag up anomalies, such as “throwaway” or virtual cell phone numbers, rather than those linked to a recognised provider. Similarly, an email address that doesn’t link to an expected number of social networks and online accounts can raise suspicion. 

By integrating such checks into the ordering system, suspicious orders can be flagged for further manual checks, or for rejection. 
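The sketch below shows how the telephone-order checks described above could be wired into an ordering system. It is an added example, not code from this article or from any fraud prevention product; the field names, the enrichment values (`line_type`, `email_linked_accounts`), the threshold and the accept/review/reject policy are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class PhoneOrder:
    caller_id: str              # number reported by the phone system ("" if withheld)
    stated_phone: str           # number the customer gave on the call
    cvv_provided: bool
    billing_postcode: str
    line_type: str              # enrichment result (assumed values): mobile/landline/virtual/unknown
    email_linked_accounts: int  # enrichment result (assumed): online accounts tied to the email

def normalise_uk(number):
    """Reduce a UK number to national digits so +44 7700... matches 07700..."""
    digits = re.sub(r"\D", "", number)
    for prefix in ("0044", "44"):
        if digits.startswith(prefix):
            return "0" + digits[len(prefix):].lstrip("0")
    return digits

def screen(order, min_linked_accounts=1):
    """Return (decision, reasons). Threshold and decision policy are assumptions."""
    reasons = []
    if not order.caller_id:
        reasons.append("caller ID withheld")
    elif normalise_uk(order.caller_id) != normalise_uk(order.stated_phone):
        reasons.append("stated phone differs from caller ID")
    if order.line_type in ("virtual", "unknown"):
        reasons.append("number not linked to a recognised provider")
    if order.email_linked_accounts < min_linked_accounts:
        reasons.append("email has no online footprint")
    if not order.cvv_provided or not order.billing_postcode.strip():
        reasons.append("card details incomplete")
    if not reasons:
        return "accept", reasons
    # One anomaly goes to a person for a manual check; several together are declined.
    return ("manual_review" if len(reasons) == 1 else "reject"), reasons

# Constructed sample orders (07700 900xxx is a reserved fictional UK range).
SAMPLES = {
    "regular": PhoneOrder("+44 7700 900123", "07700 900123", True, "AB1 2CD", "mobile", 4),
    "withheld": PhoneOrder("", "07700 900123", True, "AB1 2CD", "mobile", 3),
    "suspect": PhoneOrder("07700900456", "07700 900123", True, "AB1 2CD", "virtual", 0),
}

if __name__ == "__main__":
    for name, order in SAMPLES.items():
        print(name, *screen(order))
```

Keeping the list of reasons alongside each decision also gives the business a record of the checks it ran if a chargeback is later disputed.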

There are three key rules that restaurateurs should remember to reduce their liability around card fraud:

  1. Avoid Magstripe payments wherever possible.
  2. Flow takeaway orders through 3D Secure compliant systems, where possible.
  3. Implement additional checks on “card not present” transactions organised by phone. 

Not only do these checks minimize the chance of falling victim to fraud in the first place, they also make it easier to show due diligence in the event of any claims or chargeback disputes.