In Denver, “Mr. X” goes to a used car dealership and selects a car, then tries to pay for the vehicle with a credit card. The transaction is declined. Undeterred, he says he’s going to call his bank and proceeds to do so, and then gives the merchant an approval code to enter into the dealership’s POS system. The merchant inputs what’s known as an offline FORCE transaction into the system and hands the keys and paperwork for the car to “Mr. X,” who drives off the lot, happy as can be. But that night, when the transaction goes to the processor, it is rejected by the bank—and the merchant is liable for it. As it turns out, “Mr. X” didn’t really call his bank for an approval code—he just pretended to do so in order to steal the car.
Across the country, “Ms. Z” picks out a $3,000 fur coat at a fur salon. She follows the same procedure as “Mr. X”—with the same outcome, down to the merchant’s liability for the transaction. While the first scenario is a true story and the second is fictitious, both are illustrative of a significant phenomenon with the potential to have a very negative impact on merchants—the use of FORCE transactions for nefarious purposes. It’s occurring all over the U.S., and it’s not pretty.
It’s also easy, because with offline FORCE transactions, any code can be entered into the POS system. There is no way for merchants to check the legitimacy of any code provided. But what is legitimate is the risk: When a transaction is handled offline, as with those of the FORCE variety, the merchant has no way of knowing that the “call” to the bank was fraudulent until it is notified after the batch has cleared that this was indeed the case. By that point, the fraudster is long gone with the goods—and the merchant has no recourse.
What’s more, there are other ways in which the FORCE transaction abuse scheme is being perpetrated. For instance, criminals use a fraudulent application to obtain a merchant account, or they somehow coerce a merchant into participating in an attack. Alternatively, perpetrators deceive merchants by presenting them with forged bank letters that authorize offline (“force-posted”) transactions to cover major “purchases” to be laundered through merchants’ accounts. These are only a few examples.
POS systems and payment gateways have long been configured to accept FORCE transactions, which were created to facilitate transaction processing despite frequent glitches in earlier payment acceptance systems. However, these systems have evolved, to the point where the functionality to accommodate FORCE transactions is not a necessary POS system component. It poses an immediate risk to merchants. They no longer need it or, dare we say, want it. It does nothing but expose merchants to the potential for fraud—and who likes that? At best, the industry needs to find a way to remove FORCE transaction functionality from the equation, especially because there does not appear to be any compliance-related rationale for maintaining it. At the very least, it should be made optional—and even that could be too much of a risk.
One major card brand has already moved in this direction—and perhaps acquirers have, too. It’s time for the rest of us to follow suit.