How hotels can mitigate their fraud risk

ITASCA, IL—Data breaches and security challenges have long been issues that the hotel industry has had to deal with. But with mobile check-in and other industry trends, this landscape is evolving—and that’s something hotel managers need to understand.

“For the most part, hotels have always required a credit card and identification at check-in. This card-present environment has made credit card losses low as compared to other industries,” explained Lisa Rankin, VP of partnerships, marketing and sales enablement, Accertify, a global fraud prevention company, based here.

EMV chip-enabled cards have only reduced in-person, card-present fraud. “Most properties have by now deployed EMV terminals. Those who have not are smaller, locally owned hotels,” Rankin said. “It is important to note that those who have not yet migrated to EMV terminals may experience an increase in card-present fraud, which can result in increased chargebacks. Because of the payment networks’ EMV liability shifts, hotels that accept EMV chip-enabled cards may not be liable for fraud on those transactions. This is not the case for hotels that are not using EMV-enabled terminals. If there are not enough measures in place, a hotel risks providing goods and services to fraudsters, which can tarnish a brand’s reputation and hurt the bottom line.” 

However, she noted, as card-present fraud has decreased, other types of fraud have increased. “As hotels have expanded their offerings to meet the demands of a digital and mobile world, there has been an increase in card-not-present fraud,” Rankin said. “Fraudsters will always use the path of least resistance, and with card-present fraud being more easily detected, fraud has shifted to the online space.”

And this makes it difficult for hotel managers to contend with. “Hotel managers are in a difficult position when it comes to preventing fraud, especially since the vast increase in fraud is occurring online and from mobile devices,” she said. “Hotel managers often do not even come in contact with the fraudulent customer or the stolen or fraudulent credit card. The issues now fall on those that manage the online channels as they need to ensure they have the security measures in place to quickly detect and prevent fraud attacks.”

The increase in data breaches has resulted in hundreds of millions of credentials being compromised, making them available to fraudsters on the black market. “Because people often use the same username and password across their online accounts, cybercriminals can try credentials across several types of accounts—bank accounts, digital streaming accounts and loyalty accounts, etc.—and gain access to all,” Rankin said. “It becomes very difficult to then know a valid customer from a fraudster since the correct credentials are presented. This is when it becomes critically important to partner with an online fraud prevention solution that has other measures in place to quickly detect fraudulent behavior.”

One of the more popular methods of fraud these days regards loyalty accounts. “Fraudsters have quickly caught on to their value,” she said. “They can transfer points to different accounts, book travel using miles, and purchase additional points or miles with stored credit cards. Loyalty accounts can also be a treasure trove of personally identifiable information. Many people have their full name, address, date of birth, passport information, credit card information and more stored in these accounts. So when a fraudster gains access to these accounts, not only are the consumer’s points at risk, but their personal information is as well.”

The digital nature of guests also makes all of this easier for fraudsters. “Many hotels are now offering digital check-in and room keys via mobile apps. This can be a powerful engagement tool, but bypassing the front-desk, the check-in process provides new opportunities for fraudsters,” Rankin said. “Fraudsters can use stolen credentials to log in to a customer’s account and book a hotel room with a card on file or by using loyalty points. Using the hotel’s app as a room key enables the fraudster to bypass the front desk and check-in without issue. Hotels then are forced to deal with the increased fraud and reputational risk when their best customers’ loyalty accounts are taken over by a fraudster. As this attack scheme continues to grow, hotels must implement solutions to ensure their customers are protected.”

So what can a hotel do to mitigate its risk? “If it has not already, it should upgrade to EMV-enabled, point-of-sale terminals to reduce risk of card-present chargebacks,” Rankin said. “Partner with solution providers that can offer enhanced online fraud detection with little-to-no customer impact or friction; utilize device intelligence, site navigation metrics and IP geolocation tools that provide valuable insights on the risk of a transaction; incorporate machine learning/big data insights from a community of hotels to provide a more nuanced view of the risk of a transaction; create workflows to dynamically route higher risk transactions for additional scrutiny, such as requiring front desk check-in; ensure that your hotel’s loyalty accounts are subject to the same fraud screening measures as other online transactions; and understand typical and out of pattern behaviors for a customer and layer in this customer insight to refine your risk score.”

Of course, she noted, it is impossible to completely eradicate fraud. “There is no silver bullet; fraud will sometimes occur,” Rankin said. “When it does, hotel operators need to make sure they learn from it to make their systems smarter and more effective in the future. For instance, they can add certain devices or customer data to negative lists so when they are seen again in the future, they can review those transactions with additional scrutiny.” HB