As NGCOA recently reported, our industry has been hit by a credit card scam. To date, this scam has hit at least 15 golf courses and resulted in more than $428,000.00 in erroneous charges tied to what appear to be robots hacking the online shopping carts on courses’ websites. This appears to be hitting only the online stores on golf courses, where items like gift cards are sold, not the tee sheet and booking engines.
In particular, and as of right now, the scam seems to involve only those courses using the ETS Emoney Commerce Platform (or Elavon Emoney). Please note that ETS was purchased by Elavon in 2018, and Elavon is a subsidiary of U.S. Bank.
Here is how it seems to work:
- Robot scammers are somehow entering random credit card numbers into the payment page of the online store. Each time the merchant processing system attempts to process the credit card entered, the golf course is charged a small transaction fee ($.08 to $.10), even if the number doesn’t work.
- The robot continues to enter random numbers until it stumbles upon a valid number. The scammers harvest the valid credit card numbers and use or sell those numbers for criminal benefit.
- The robots may make tens or hundreds of thousands of attempts on the golf course’s online store, which results in enormous processing fees for the golf course (we hear between $1,000.00 and $160,000.00 in charges per course in a month’s time).
- This money is drafted from the course’s bank account as a fee to the merchant processor. Course operators may not notice these charges until they review their regular monthly bank and merchant processing statements.
An additional concern may be the individuals who hold card numbers that were successfully charged by the robots. They may have an illegitimate charge for a golf gift card purchase on their statements, and subsequently, seek chargebacks. This could put the victimized golf courses in a dispute situation with credit card companies.
We believe this activity is the result of the lack of security in the online store technology. Ideally, the technology should be able to detect when fraudulent attempts are made, especially at this volume and speed.
Since being alerted to this issue, NGCOA has engaged with all parties that participated in processing the credit card transactions and withdrawing funds from our golf courses’ bank accounts. This includes representatives from Elavon; U.S. Bank, which was the acquirer for Elavon/ETS credit card transactions; and VISA Corp, in an effort to identify the parties responsible for refunding our golf courses.
Elavon indicates that they are going to provide refunds to the affected golf courses. We are continuing to work with all of our affected courses to ensure they receive the same commitment and their funds are fully returned.
What steps can you take to protect yourself?
- At this time, the hackers seem to be only targeting online shopping stores, so you need to work with your web site partners, golf management software, and merchant processor to ensure safety procedures are in place that will limit this type of “bot” activity.
- Ensure you are only using technology that is both PCI compliant and PA-DSS certified. Technology safety measures may include limiting the number of failed transaction attempts from a user’s IP address, followed by a timeout on further activity from that address.
- If you are using the ETS/Elavon platform, you may want to consider temporarily shutting it down until this is satisfactorily resolved.
- If you believe you’ve been a victim of this crime, we recommend you let your bank know these fraudulent charges have been made to your account. They may temporarily restore your funds until a thorough investigation is completed by their fraud department.
- You may want to challenge the charges with the merchant processor responsible for your online store transactions. Note: this may be different than the one managing your primary golf business transactions, such as tee time transactions, in-house credit card transactions, etc.
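The failed-attempt limit and IP timeout suggested above could be implemented along the following lines. This is an added example, not code from NGCOA, Elavon or any store platform; the class and function names, the thresholds (5 declines in 10 minutes, a one-hour timeout) and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class FailedAttemptLimiter:
    """Per-IP limit on declined card attempts, with a timeout once the limit is hit."""

    def __init__(self, max_failures=5, window=600, timeout=3600):
        self.max_failures = max_failures     # declines allowed per window (assumed value)
        self.window = window                 # seconds over which declines are counted
        self.timeout = timeout               # seconds the IP is refused after the limit
        self._failures = defaultdict(deque)  # ip -> timestamps of recent declines
        self._blocked_until = {}             # ip -> time at which the timeout ends

    def allow(self, ip, now):
        """Call before contacting the processor; False means refuse the attempt locally."""
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return False
        self._blocked_until.pop(ip, None)    # timeout has expired (or never existed)
        return True

    def record_decline(self, ip, now):
        """Call after the processor declines a card submitted from this IP."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget declines older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.timeout
            recent.clear()


def replay(attempts, limiter):
    """Replay (time, ip, approved) tuples; return attempts that reached the processor per IP."""
    forwarded = defaultdict(int)
    for now, ip, approved in attempts:
        if not limiter.allow(ip, now):
            continue                         # refused before any authorization request
        forwarded[ip] += 1
        if not approved:
            limiter.record_decline(ip, now)
    return dict(forwarded)


# Constructed sample traffic: a bot IP submitting a declined card every 2 seconds
# (1000 attempts) and a customer who mistypes a card once, then pays successfully.
BOT, CUSTOMER = "203.0.113.10", "198.51.100.7"
SAMPLE = sorted([(t * 2, BOT, False) for t in range(1000)]
                + [(30, CUSTOMER, False), (90, CUSTOMER, True)])
```

Because the check runs before the authorization request is sent, refused attempts never reach the merchant processor and so do not add per-transaction fees. A per-IP counter alone will not catch a bot that spreads its attempts across many addresses, so it is best paired with an alert on the store's overall decline volume.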