Financial fraud is a hydra. Every time there’s a leap forward in security procedures, it adapts, growing new heads. Then there’s the fraud that could be perpetrated internally—embezzlement.
Though there’s no fail-safe method for preventing it—especially in a rapidly-changing environment—there are process controls you can put in place to help protect your practice.
Protect the merchant number provided by your credit card processor.
Though it may seem like innocuous information, that merchant identification number can be used to access your account and commit fraud against you. It makes it relatively easy for someone to pretend to be your office and attempt to make changes to your account, for example to set up new equipment for illicit transactions or to direct your deposits to a new bank account. It’s important to remember the following.
- Never give out your merchant ID number over the phone. Criminals may call pretending to be your processor or claim you’re not compliant, and ask you to verify account information. Always make the caller give you your merchant ID number.
- Redact your merchant ID number before sending your monthly statements to anyone outside of your business. Most credit card processors will do a cost analysis (for potential clients) based on a previous statement. Across the thousands of cost analyses we do for offices, fewer than 5% of offices take the simple step of blacking out their merchant ID number.
- Card readers often have a sticker containing the merchant ID number. Make sure it’s not easily visible to people outside the office. Best Card truncates the number to the last 6 digits, but not all processors do.
Before you get rid of a terminal, make sure the memory is deleted.
When you purchase a new card reader or switch credit card processors, make sure your processor deletes the memory on your old reader with a quick software update that removes the old application. Otherwise, someone might use that terminal and your account without your knowledge. If you keep the terminal as a backup, keep it locked up.
Use secure email when sending private data.
Credit card processing is a banking transaction, and requires your tax ID, the social security number of the contract signer, and a copy of a voided check (which contains your bank routing/checking account number). Make sure this information is left off the signed contract and sent only via secure email. If you’re not using secure email, only provide this information verbally.
File for a hawk alert with the 3 major credit bureaus.
Or sign up with a service that will do this on your behalf to protect your identity.
We get many calls from “dentists” who want to open a new account for their non-dental business (car wash, storage facility, etc.). These thieves provide real social security numbers and dates of birth for actual dentists. In other words, many dentists have had their social security numbers compromised.
This is why when we receive an email that isn’t from a practice’s email account, or the sender seems too eager to open an account, we call the dentist and ask if she’s authorized the opening of a new account. We’re often surprised some don’t seem more concerned.
If you get a call from someone who isn’t a patient asking why you ran her credit card, take it seriously. Ask her to send you a copy of what’s showing on her statement, because you may have been compromised.
Reconcile, reconcile, reconcile.
We had an office whose prior processor handled its bank-account change incorrectly. Funds were put into the wrong account for 14 months, and the office ended up losing more than $40,000 when they couldn’t be recovered.
If you ever change bank accounts, make sure you look at your bank account to ensure deposits are properly funded. Mistakes can and do happen.
Also, always balance your day sheet totals to ensure the cash, check, and credit-card volumes agree with the bank statement. Pay particular attention to refunds/returns to ensure legitimacy.
We recommend you turn on the audit controls in your dental software and, for refunds, occasionally review changes made after the initial transaction. Most equipment can be set to require a password (which only the dentist should know) before a return is processed. Embezzlement happens, and 90% of prevention is perceived vigilance.
Issue refunds to the payment source of the original sale.
If you run a transaction to a health savings or flexible spending account and insurance pays more than expected, always return funds to the card, not the patient’s bank account.
If a refund is run to a different cardholder account than the original sale (or the refund is for a large amount), Best Card suspends that transaction for one day and notifies the office that it wants to verify the refund, either to prevent a chargeback fee or for the other fraud-prevention reasons mentioned above. Most processors don’t do this.
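An office can run the same kind of check on its own day sheet. The following is an added example, not Best Card's code or any processor's API: the `Txn` record, the `review_refunds` function, the $500 "large refund" threshold and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumption for this sketch: refunds at or above this amount get a manual look.
LARGE_REFUND = Decimal("500.00")

@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str              # "sale" or "refund"
    card_token: str        # processor token, never the full card number
    amount: Decimal
    original_id: str = ""  # for refunds: the sale being refunded

def review_refunds(txns):
    """Return {refund txn_id: [reasons]} for refunds that need verification."""
    sales = {t.txn_id: t for t in txns if t.kind == "sale"}
    refunded = {}  # running refund total per original sale
    flagged = {}
    for t in txns:
        if t.kind != "refund":
            continue
        reasons = []
        sale = sales.get(t.original_id)
        if sale is None:
            reasons.append("no matching original sale")
        else:
            if t.card_token != sale.card_token:
                reasons.append("refund to a different card than the sale")
            total = refunded.get(sale.txn_id, Decimal("0")) + t.amount
            refunded[sale.txn_id] = total
            if total > sale.amount:
                reasons.append("refunds exceed the original sale amount")
        if t.amount >= LARGE_REFUND:
            reasons.append("large refund")
        if reasons:
            flagged[t.txn_id] = reasons
    return flagged

# Constructed sample day sheet (tokens and amounts are made up).
SAMPLE = [
    Txn("S1", "sale", "tok_a1", Decimal("180.00")),
    Txn("S2", "sale", "tok_b2", Decimal("950.00")),
    Txn("R1", "refund", "tok_a1", Decimal("40.00"), "S1"),   # same card, partial
    Txn("R2", "refund", "tok_zz", Decimal("150.00"), "S1"),  # different card
    Txn("R3", "refund", "tok_b2", Decimal("950.00"), "S2"),  # large amount
    Txn("R4", "refund", "tok_c3", Decimal("25.00"), "S9"),   # no sale on file
]
```

Calling `review_refunds(SAMPLE)` leaves R1 alone and returns the reasons for R2, R3 and R4, which is the list someone other than the person who keyed the refunds should review.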
Be wary of unusual payments.
If you accept website payments, be wary of unusual payments (an odd amount and/or one from a non-patient). Bots test stolen cards with charges of $0.01, and then go shopping elsewhere if the card is valid.
Tokenize and truncate credit card numbers.
All online systems should tokenize credit card numbers and truncate the number displayed. If you don’t use an online system, DO NOT store the full credit-card numbers in computer software. The Payment Card Industry (PCI) allows you to keep them on paper and locked away, but digital storage should be handled carefully.
Run quarterly PCI scans.
PCI standards require quarterly scans for businesses that process cards via Ethernet (versus a telephone line, in which case scans are not required). These scans exist for your protection, to ensure outsiders can’t access your network and install malware/spyware for stealing credit card information. Newer equipment takes the keyboard away, and encrypts data as it’s entered (called point-to-point, or P2P, encryption).
Only use EMV (chip-reading) equipment.
If a card has a chip in it, but the equipment only reads the magstripe, anyone—patient or bank card issuer—can issue a chargeback, and the merchant would automatically lose the chargeback. Most processors charge $15-25 per chargeback. A fraudster may also have skimmer equipment to make a fake card. EMV technology has significantly reduced fraud since its introduction.
By following these common-sense steps, you’ll be your own best protection against fraud and embezzlement.