The past several years have been a complete paradigm shift for the restaurant industry. Although noncash payments were always a norm among restaurant clientele, they became an absolute necessity, with most activity shifting online and remote overnight. Based on the 2021 Diary of Consumer Payment Choice by the Federal Reserve Bank of San Francisco, the number of consumers conducting in-person payments fell by nearly 21% year over year, even as not-in-person spending at restaurants “increased substantially.”
Restaurants cannot ignore these trends, given the numerous challenges in their adoption and the subsequent threats of payments fraud. As more and more restaurants start processing an increasing volume of noncash payments, payment fraud at restaurants has also increased significantly.
These percentages and patterns are anything but small. In fact, they’re seismic, as they are accelerating trends already in motion with the advent of smart devices and improving internet speeds. Consumers have been shifting their spending away from cash at an ever-faster rate for the better part of a decade. Human activity is increasingly centered on smartphones, and spending habits are no exception. Even physical rather than digital currencies are seen as sovereign existential threats.
In this article, we’ll explore the many different forms of payments processed and how restaurant payments fraud is becoming rampant. We’ll also cover the changing legal liability and the security precautions the industry can implement in response to nip restaurant payments fraud in the bud once and for all.
Types of payments
Gone are the simple days of paying by cash, credit cards, or debit cards. Now there are a myriad of payment options, and consumers not only wish they could pay with them but demand it. There are Payment Service Providers such as PayPal, Zelle, Venmo, and Cash App, and a multitude of digital wallets, including Apple Pay, Google Pay, and Samsung Pay, among a host of others.
The threat of losing customers by not offering that ease of payment is very real. The pendulum has swung such that restaurants unable to cater to such payment options face ubiquitous competition from those that can. Below is a more in-depth account of some of the standard payment types being adopted.
Swipe – this is the traditional way in which consumers have been accustomed to using credit cards over the past couple of decades. The merchant would swipe the credit card through a card reader that scans the black-colored magnetic stripe on the lower backside of the credit card.
Dip – a relatively new and more secure way of processing a card transaction. With the new EMV chip, the merchant dips the card into a particular reader that captures the data stored on the golden-metallic colored chip. This payment method has proven to be less prone to fraud as the EMV chip is almost impossible to duplicate, unlike a
Tap – this is the latest method of payment, in which smart devices such as a smartphone, tablet, or smartwatch exchange payment details stored on those devices with a near-field communication (NFC) enabled point-of-sale terminal by either touching it or being placed very near the machine.
The Growing Risks of Restaurant Payment Fraud
There has been a growing chorus within the industry sounding the alarm on an increase in payments fraud targeting restaurant activity. One specific activity is the root cause of restaurant payment fraud. It all stems from something known as chargebacks, but the ways that fraud manifests itself can vary.
Chargebacks are disputed payments that consumers raise once they see unfamiliar charges on their account statement. Once a cardholder files a chargeback, their issuing bank withholds disbursement of funds intended for the merchant to investigate the transaction. Chargebacks can be classified as “friendly fraud” or true fraud.
Chargebacks arising from true frauds are a result of stolen card information being used to process the transaction. There has been a substantial increase in true frauds at restaurants as the industry has started taking in more digital orders and delivery requests in which the physical card isn’t present.
Friendly fraud (do not be fooled by the name) occurs when the rightful owner of a card uses it to pay for a meal at a restaurant and then later disputes the charge on the card. This is often due to dissatisfaction with the service, food quality, or actual malintent. However, friendly fraud can also arise due to the customer not recognizing the transaction based on the descriptors used by the merchant. It can also be that there is no contact information to reach out to the merchant directly, so the cardholder instead simply calls the bank.
The main driver of this increased level of restaurant payments fraud has been card payments in which the cardholder is not physically present for the transaction, also known as Card Not Present.
The EMV Liability
Earlier, we discussed Dip as one of the payment methods used where the restaurant would dip the EMV chip-enabled card into a special EMV chip card reader. That is presently the most secure method of payment as an EMV chip stores all cardholder data in an encrypted format and transfers cardholder data via a process called tokenization. EMV cards still have the older magnetic stripes at the back of the card, so merchants can still use the older swipe technology.
The EMV liability shift is that if a merchant swipes an EMV card instead of using the dip option for any reason whatsoever, it is the merchant who will be liable for any fraudulent charges exceeding $25. Hence the term liability shift: the liability has shifted from the issuing bank to the merchant, in this case the restaurant.
Considering the prevalent frauds and the changing liability landscape, it helps to understand what safety precautions are available to minimize restaurant payments fraud. Below are some examples of what measures restaurants must implement immediately.
EMV readers – to avoid the liability shifting to restaurants, all POS equipment and card readers must have EMV capabilities. EMV-enabled cards have a nano computer installed into them that stores all the cardholder information, which cannot be duplicated or tampered with and is additionally protected by encryption and tokenization.
Point to Point Encryption (P2PE) – If POS equipment is P2PE enabled, it employs additional security measures in which cardholder data is encrypted at the point of capture and is decrypted at the endpoint, i.e., the bank receiving the data to process the payment.
3D Secure – During the authorization process of accepting a card payment, the industry is increasingly adopting the 3D Secure option that is employed by all major card networks. 3D Secure creates a single-use code and sends it to the consumer to enter into the payments gateway, verifying the customer’s identity and that it matches all internal contact information on record. This is another security layer considered to be very effective in authenticating customer identity by payment processors worldwide.
PCI Compliance – all these mechanisms, along with additional measures such as tokenization, Address Verification Systems (AVS), Card Code Verification service (CVV2), and AI-powered fraud detection and monitoring, are all security measures codified in the Payment Card Industry Security Standards Council (PCI SSC) guidelines. PCI Compliance can help in reducing restaurant payments fraud down to zero.
Employee Training – One of the best ways to minimize restaurant payments fraud is to increase the awareness of the various fraudulent activities among your employees. Your staff is on the front lines of your restaurant operations, and they will be your best defense in ensuring that there are limited occurrences of fraudulent activity.
Restaurants are making a form of investment when they train their employees in not just detection of payments fraud but good customer service. A great customer support experience can mask fraud detection protocol, given the intrusive nature of requiring additional personal information to authenticate a transaction.
Furthermore, staff should have appropriate training on common inquiries versus payments fraud activity versus customers calling in to verify a charge they see on their account statement. Employees should know the differences between these scenarios and understand the process of how to escalate them with management.
Billing Descriptors – Last but not least, billing descriptors are an essential defense to avoid restaurant payments fraud. Effectively using billing descriptors can go a long way in avoiding friendly fraud.
A billing descriptor is what cardholders see in their statements to identify specific charges. Every time a merchant charges a cardholder, they have to select specific information about their business and the nature of the transaction that will appear on the statement the cardholder receives. It is often because this information is unclear that many friendly frauds occur. The cardholder may not recall the name of the business mentioned, they may not understand what they purchased, and there may be no contact number listed to clarify the charges.
As a result, some best practices for effective billing descriptors to avoid chargebacks classified as friendly fraud are:
Always include the business name of the restaurant the customer visited. Not the trade name or the parent company name, but the actual venue the customer visited. This would be the best way to help a customer remember what, when, or where the charges occurred. So, if you are a Taco Bell, a Pizza Hut, or a KFC, your billing descriptor should mention precisely that, not Yum! Brands, the conglomerate that is the parent company of these businesses.
Also include the address of your business. It doesn’t need to be the complete address, but the street name along with the venue can help.
Finally, listing a contact number can help customers quickly access that number to call the restaurant directly to verify the charges. It is a lot better for the cardholder to call the restaurant rather than their bank to dispute those charges. Even if your business wins a disputed chargeback, too many of those and your business may be classified as a high-risk merchant.
Be careful contracting with Food Delivery Platforms: Food delivery platforms such as Deliveroo, Uber Eats, DoorDash, and others have a direct relationship with consumers ordering food from your restaurants. Technically, they are customers of the food delivery platform and not your restaurant. Their contracts should hold the restaurants liable for any fraudulent card activity on their apps. Furthermore, it is essential to ensure that the platforms have strong data protection and security protocols to limit credit card fraud.
The restaurant industry has undergone many transformations in the last couple of years. Digitization of the overall transaction and the payments by cards and other noncash means became the de facto standard overnight. All the while, the actual volume of transactions in the new form skyrocketed.
These were not small shifts, but rather seismic, and they were sudden. And although the restaurant industry was unprepared for the influx of such a change and contended with significant amounts of fraudulent activity during that transformation, many restaurant owners learned that there are ways to manage the risks of these changing times and thrive. The industry still faces many hurdles and growing pains. However, the shifts in consumer spending habits and smart devices dictating more of how they spend their time and money are likely to increase. The changes restaurants have undergone over the past couple of years will be a permanent fixture and are likely to intensify. As a result, restaurants must adopt specific best practices in managing the changes in payments platforms, shifts in legal liability, and the potential for payments fraud.