Editors' pick: Originally published Aug. 4.
When Bruce McClary attempted to purchase a few sundries from his neighborhood Target where he conducts his weekly shopping, he was surprised that his debit card was declined.
The same thing occurred a few weeks later when he tried to buy a snack at a CVS, another place he shops frequently because it is located in his office building. After calling his issuer, McClary, a spokesperson for the National Foundation for Credit Counseling, a Washington, D.C.-based non-profit organization, learned that his card was turned down because the setting for potential fraud was set too high.
Although none of his purchases was urgent and he carried a credit card with him, the experience left him more aware of the potential of credit card issuers relying largely on spending patterns of consumers and cutting off access when the habits shifted.
"Something like this can happen when you least expect it," he said. "Sometimes creditors may take adverse action that is based on misinterpretation of account activity, blocking valid purchases and causing frustration for consumers."
Legitimate purchases, even small ones, can be deemed as risky ones, alerting issuers to potential deceit. Since fraud costs businesses millions of dollars, companies opt to "err on the side of being overly cautious," said Matt Schulz, senior industry analyst at CreditCards.com, an Austin, Texas-based credit card comparison website.
"Credit card issuers are all about managing risk," he said. "This can lead to plenty of legitimate purchases getting flagged as possibly being fraudulent because they don't follow your typical purchase patterns."
How Consumers Benefit
While consumers find it vexing when they are attempting to make a purchase, the overly cautious outlook by credit card issuers is beneficial, because it can prevent identity theft, Schulz said. Since the issuers all follow varying guidelines on when to restrict a purchase, carrying another card can prevent a hassle from occurring.
"If one issuer blocks a purchase, it doesn't mean that all others will too," he said. "If you're going to make a big, unusual purchase, consider calling your credit card issuer before. It may not be necessary, but you would rather have that conversation in the comfort of your own home than have it at the checkout counter at Home Depot."
While McClary is glad his issuer is proactive in preventing fraudulent purchases, the experience is bothersome when it is part of a routine shopping behavior.
"I am torn on this issue," he said. "In some sense, it's a good thing. On the other hand, it's annoying that a normal spending pattern can trigger a fraud alert and response. There could be some improvements made to their process that would create less of an inconvenience when the purchase is legitimate."
While credit card fraud settings should remain at the highest settings possible, the retailers in these instances may not have used appropriate identification methods, said Joseph Carson, head of global alliances at Thycotic, a Washington D.C.- based provider of privileged account management (PAM) solutions.
"These settings should never prevent the owner from using their card for valid purchases," he said.
Companies are utilizing behavior analytics more to detect fraudulent activities at locations where the consumer has never shopped before. As the adoption rate for chip-and-PIN by retailers increases, the likelihood of these scenarios should decline.
"The variation in using debit or credit cards and verification of the identification is going to likely see many more cases like this until retailers use the most secure identification method: chip-and-PIN," Carson said. "I would be shocked if this transaction was denied if chip and pin was used."
Behavioral analysis used by banks allows them to "rate" the customers and assign security ratings which limit where the cards can be utilized, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company. The fraud experts examine spending patterns such as where the card is used the most, the average amount spent, how often the card is used in one day and how much time typically passes between two transactions.
"If you always use your card at the same three retailers and then suddenly use the card on the other side of the country, that could be a red flag to the bank," he said. "Your card may not work as your security rating has been set in accordance with your more typical spending pattern. It can prevent a customer from stealing the credit card number and using it elsewhere."
Why Chip-and-PIN Credit Cards Remain the Safest Option
Consumers should avoid using debit cards, because the protection and security given for credit cards are higher.
"Whenever a retailer provides chip-and-pin option, consumers should certainly use it," Carson said. "When making online purchases, do not use a debit card."
The risk of credit card fraud is lowered when shoppers are cautious and use the new cards with chips embedded in them to avoid instances where they hand over a card to a sales person, said Wenzler. The chips contain an encryption technology that is aimed at defeating the majority of skimming methods. The technology creates a one-time use authorization for each transaction.
"Whenever you had over your credit card to someone such as a server at a restaurant, you run the risk that they may take your card and swipe it through a skimmer," he said. "Skimmers are devices designed to swipe the credit card's number and other information stored on the magnetic stripe, which can then be reused elsewhere."
Skimmers often look like a typical credit card terminal, deceiving unwary shoppers. The advances in 3D printing have made it easy for criminals to replicate the credit card slots of ATMs, retail store credit card pads and other public devices where cards are used, Wenzler said.
"These skimmers look exactly like the normal credit card terminal, but sit on top of it like a shell, stealing your card information as you insert or swipe the card into the device," he said. "The transaction may occur normally, but the information has been stolen already, waiting for the thief to come back and retrieve the skimmer with all the credit card numbers which have gone through."