Products & Services
From the industry's best ticketing system to unified food & beverage and retail operations, Gateway offers world-class solutions to increase revenue.
by Jerry Lake, Product Manager
If you sell online, your business will likely have to deal with a problem at some point: credit card fraud. And if you’re in the attractions business, you’re one of the best targets for fraudsters. Why?
Let’s first look at the traditional e-commerce transaction where the product is a physical item. If you’re buying an iPad online, obviously it needs to be shipped. Providing a valid shipping address can be problematic to a fraudster as that can create a trail right to him. Additionally, in an effort to thwart fraudulent purchases, online sellers sometimes require the credit card billing address and shipping address to match.
Now let’s look at the e-commerce model of a typical theme park. The end product is an often-anonymous general admission ticket. And for guest convenience and operational efficiency, online tickets can be delivered electronically, either through email or directly displayed in a browser, allowing the purchaser to print their own tickets at home.
In other words, the fraudster no longer needs to have a valid postal address (or can use the address that matches their stolen credit card numbers) since nothing needs to be shipped. You just need an email address.
Ever wonder why you see an email address that looks like someone bounced a tennis ball off the keyboard? It’s because the fraudsters have so many of them. They’ll cycle through their different aliases to minimize the risk of detection.
The Fraud Model
So let’s step back and look at credit card fraud. First, in the choice between online and brick-and-mortar fraud, online is the overwhelmingly favorite for several reasons. Obviously, online activity can be far more anonymous, and in terms of volume, is less time-consuming than traveling to a retailer. But the biggest reason online fraud is easier is because of what the fraudster doesn’t need: a physical credit card. It’s not that lost and stolen cards don’t happen, but they’re a drop in the bucket when compared to the most common supply source for stolen credit card information – data breaches.
In recent years, millions upon millions of pieces of Personally Identifiable Information (PII) have been stolen through data breaches. Sometimes they get payment card information, other times they get personal information such as addresses, birthdates and social security numbers. The content of the stolen information determines the hackers’ next steps. If they happen upon credit card data, it goes up for sale.
The price of an ill-gotten credit card number starts at around $10. If you want more info to go with that, such as the cardholder address and the security digits found on the back of most cards, the price goes up. By buying more information about the account, it makes the fraudulent purchase seem more legitimate.
An interesting side note – several of the major credit card brands actually monitor these darker regions of the internet, and will frequently buy their own credit card numbers from the hackers, allowing them to disable the accounts more quickly than waiting for the fraud to show up. And realistically, the cost of buying their own credit card numbers is far less than the monetary and time losses associated with fraudulent purchases.
So, you’re a fraudster, and you just bought my Visa account number online from an overseas hacker. What’s next? Well, despite what you read in books, there is often no honor among thieves. If my card number was sold to you, it was likely sold to others, and now the mad dash begins to use it before either I or my credit card company realize it’s been compromised, and the account disabled.
Armed with my credit card number and some additional PII that the fraudster purchased, it’s time to try to buy something. If the information is fresh enough, and my account hasn’t yet been disabled, chances are, the fraudster will successfully complete a transaction? Why? Well, if my account isn’t over its spending limit, hasn’t been deactivated, isn’t on fraud alert and the info seems to all match up, the payment processing company that your e-commerce solution uses has no reason to reject the transaction. They simply don’t look at enough data points to know otherwise.
Generally, it doesn’t end there. Fraudsters are rarely looking for a free day at your attraction. They’re looking to make money. So they’ll look to resell what they just fraudulently purchased. Their next hurdle is to try to unload these tickets as quickly as possible. ebay and Craigslist are notorious for this. Do a search sometime for your favorite attraction and see how many ticket hits you find. Chances are some of them are fraudulent.
In many cases, it’s an on-demand fraud model. Have you seen an ad that looks like this: “Mother-in-law broke her hip, our loss is your gain, selling my FunPark tickets for half price!” You’ll see no mention of the quantity of tickets. This is because the fraudster is waiting to be contacted, and once you tell him you need five tickets, he’ll reply that he just so happens to have exactly five tickets. Next, he’ll go online with his latest batch of stolen credit card numbers, and keep trying until one works and he’ll buy the five tickets online. Then he’ll ask to meet at some nearby public place, possibly even in the parking lot of the attraction, to sell you the tickets for cash.
From an attractions standpoint, this is doubly bad. First, someone stole from your venue with the purchase transaction (since you know that this will involve a chargeback, resulting in your not getting paid). And second, now they’ve sold the tickets to someone else who shows up at your gate. If you’re alerted to the fraud with enough notice, you can deactivate the tickets so that they don’t scan for admission, but generally, the people you’re turning away aren’t the bad people. They’re the folks who paid money to the fraudsters, and now you’ve got a guest services issue.
Your best defense against fraud is to prevent the purchase from happening in the first place.
Common Fraud Misconceptions
Isn’t EMV supposed to help me combat credit card fraud? Well, yes, but EMV only applies to cardholder present transactions, so it may cut down on in-park fraud, but if you’re like most attractions, the majority of your fraud comes from e-commerce. EMV does nothing for this type of fraud.
We don’t really have that much fraud. In many cases, those administering your sales solutions (in-park and e-commerce) are not the same people being contacted by the banks with chargebacks. In some cases, your accounting staff is simply writing off chargebacks as a cost of doing business without even alerting those in charge of the sales channels where the fraud is occurring. Don’t assume. Check with your attraction’s point of contact for your payment processing merchant account to see where you’re at with chargebacks.
We respond to chargebacks in real-time and deactivate the tickets so they can’t be used. Great, that’s a good first step. However, the fraud is usually far more real-time than the chargeback notification. If you pull up your usage history, you’ll likely find that in many cases, by the time you’re alerted to the chargeback, the tickets have already been used.
Seven Ways to Make the Fraudster’s Job Harder
In the end, you need to realize that fraud is literally some people’s full-time job. If your venue doesn’t take fraud seriously, your defenses are down against people who are ready and willing to take advantage of you. Sadly, the fraudster community is very active and always talking to one another to find the path of least resistance. Don’t let that be your attraction. Empower yourself with the information in this article to take steps to send these fraudsters to the “unemployment” line.