Fraudulent opportunities often lie at the intersection between convenience and security, and forced sale transactions are a perfect example of that. While they do provide a certain convenience to merchants, they have been increasingly subject to fraud in the past few years.
We’re going to tell you exactly what you need to know about forced sale transactions.
What is a force sale credit card transaction?
A forced sale is a type of offline transaction that can bypass the authorization tokenization process that accompanies normal transactions by allowing merchants to manually enter an authorization code into a credit card machine.
Forced is a heavy-handed term. This functionality exists in POS systems because sometimes merchants need to accept payments offline, and it wouldn’t be realistic to block offline transactions altogether. There are also times when an honest customer is having issues with their card, and POS systems give merchants the tools to process a transaction (known as a force-post transaction) without the normal checks and balances.
In a normal transaction, there’s a lot of communication that occurs immediately after someone uses their chip or swipes at your machine. Your terminal sends an encrypted message to the issuing bank that the customer’s card is from. The bank looks at the transaction amount, makes sure there is enough credit or funds in the account to allow the transaction, checks for any signs of fraudulent activity, and then sends a “yes” or “no” back to the machine.
In a forced sale, you can essentially bypass that whole “check the account balance” part of the process. Force-post transactions are then uploaded and settled once the POS is connected back to its internal network or cloud-based solution, but you may not be aware of a forced sale’s failure until you receive your processing statement at the end of the month.
And here’s the thing: POS systems don’t need a legitimate authorization code when completing a forced transaction. Any combination of numbers will work because it is essentially running it as an offline transaction.
What does a force-post transaction look like?
Here’s how a legitimate forced transaction usually goes:
- The customer walks up with some items and initiates the checkout process.
- The employee asks them to pay, and the customer uses their credit card.
- The transaction is denied, and the customer says it usually works.
- The employee tries again, and this time they receive a prompt or know they can force a transaction.
- The employee or customer calls the cardholding bank and gets an authorization code.
- The employee enters that into the machine and runs the sale as a “forced” transaction with the authorization code provided on the phone.
- The payment is complete and the customer leaves with the items.
Are all transactions that bypass authorization forced?
No. Visa has a price floor, and any transaction below a certain threshold doesn’t need to be authorized. These are usually card-present transactions, and instances of payments where the card isn’t presented in person are always subject to tokenization.
How to know if you’re being targeted by forced sale fraud
The easiest way to know is by checking your statements for errors that mean the authorization token was incorrect or the card is expired. These are errors 72 and 73 in credit card transactions, so check if you have a spike in those on your statements.
The bottom line on forced-post transactions
Fake authorization codes and forced transactions are a popular scam these days, and retail stores are particularly vulnerable. Your best bet is to make a clear announcement and set up rules for your employees to follow. This will empower your employees to make smarter decisions around odd transactions and reduce the fraud burden your company currently has.