Expert Advice on Payment Platform Fraud for Business Owners
It’s been anticipated that the global eCommerce market will be worth a staggering $2.4 trillion by 2019. That’s excellent news for anyone who sells products or services online. The problem? That also means that the opportunities for payment platform fraud are going to increase as well.
In fact, security is a top concern for customers, companies and the governments.
For retailers, fraud can be costly. If customers don’t trust a payment platform, they won’t willingly hand over their payment information. Chargebacks alone cost eCommerce $7 billion – that figure is expected to reach $31 billion by 2020.
While fraud is prevalent and shouldn’t be take lightly, there are ways to combat these potential threats.
The following is advice from industry leaders.
Online Security 101
When it comes to understanding and protecting your business from fraud, start to be familiar with the basics. These four security tips for online payments from Due’s, Renzo Costarella:
Verify Every Single Transaction
“Even though you’re dealing with customer cards not present (CNP) environment there are still ways to verify if each transaction is being made by the rightful card owner.
These ways include:
- Requiring customers enter their security code or CVV number.
- Always making sure there’s an address verification (AVS) match.
- Monitoring customer purchase patterns and identifying anything out of the norm, such as an abnormally large purchase.”
Partner With a Trustworthy Payments Provider
“A sure shot way to provide a safe payments experience is to partner with a trusted payments platform. Not all online payments solutions are required to take the same security measures,” adds Costarella.
The Right Business Platform
“When looking for the right business payments platform, it’s important to go with trusted and reputable companies. Stay away from providers that tout things like, ‘we’ll beat any rate’ or ‘find a lower rate and we’ll match it.’
Find a company that is transparent about their security measures and has good reviews. Look for reviews with trusted services like the Better Business Bureau or Consumer Affairs.”
Be Wary of Storing Customer Data
Mr. Costarella says that, “When it comes to storing customer data, there are fairly strict regulations in place. An estimated 95% of credit card data breaches come from small businesses.
Fraudsters assume smaller companies can’t afford proper security infrastructure making them a huge target. To avoid a data breach is to simply not store any payment information once the transaction is successfully cleared.”
Stored customer information should be protected by placing the data via a 3rd party/cloud-based server or encrypting user data.
Educate Yourself and Your Team
Even if you have a proper security systems in place, data breaches can still occur thanks to human error. You and your team need to be current on proper security techniques.
Strategies should be reviewed on cyber security basics to understand common threats. Everyone should be able to verify transactions. The security basics identify obscure payment patterns such as unsolicited emails. Your whole company should know that suspicious activity must immediately be reported.
Types of Payment Platform Fraud and Loss
Additionally, WePay lists the four types of fraud and loss that you should be aware of.
1. Chargebacks are when a customer disputes a charge. Business owners are responsible for resolving this issue. This can be costly both financially and for your reputation.
2. Merchant Identity Fraud is when “a fraudster establishes a merchant account on behalf of a seemingly legitimate business. The fraudster charges a number of stolen credit cards. The person disappears with the proceeds before the cardholders discover and reverse the unauthorized transactions.”
3. Merchant Credit Risk is when “a legitimate merchant defaults on its obligation to fund chargebacks. Although payment facilitators do not issue loans, they do take credit risk by settling funds within the chargeback window.”
4. Buyer Identity Fraud is when “a fraudulent customer uses a stolen credit card (or a card established with a stolen identity). They purchase a product from a legitimate merchant. The real cardholder discovers the fraudulent charges, but the fraudster already has possession of the goods.”
Understand PCI Compliance
PCI Compliance, is explained by Co-Founder and CTO of Due.com Chalmers Brown. “PCI Compliance is referring to the PCI DSS. This stands for the Payment Card Industry Data Security Standard.”
“It’s a universal set of security standards that were created by the major credit card companies. These companies include Visa, MasterCard, American Express, Discover, and JCB.”
The Payment Card Industry
“The Payment Card Industry (PCI) is an initiative that aims to protect sensitive consumer information. This includes credit card numbers.
The Data Security Standard (DSS) is a protocol that merchants who collects credit card payments need to meet. The DSS in order to protect that data personal data and shows how to properly setup your POS system.”
These standards were first established in December of 2004 and have been continually updated since. The latest version, Version 3.2, was released on April 28, 2016. Prior to the creation of these universal standards the credit card companies made-up their own rules and regulations.
“Regardless of the size of your business, you’re expected to be PCI compliant. If not, you could face penalties like being held liable for card replacements. This would required you to undergo audits from card providers. More importantly, it’s just not good for your business’s reputation,” adds Brown.
The entire PCI DSS is available here to read. Here are the five of the most important things to know about PCI compliance.
1. You’re responsible for ensuring your compliance, as well as your vendors.
If you make any financial transaction you must be PCI Compliant. You’re also “responsible for the compliance of any vendor that provides your business with software or services. You are responsible for any company or individual who you hire.”
2. The level of security required depends on the amount of you run annually.
- 1: Merchants that process over 6 million transactions annually.
- 2: Merchants that process about 1,000,000 to 6,000,000 transactions annually.
- 3: Level 3 merchants are e-commerce merchants that process between 20,000 to 1,000,000 in transactions annually.
- 4: Merchants that process less than 20,000 transactions annually.
3. Additional multilevel authentication.
You are required to use multi-factor identification.
4. Added requirement for service providers.
Service providers must have a detection system, conduct penetration tests twice a year, run quarterly checks in order to ensure that their teams are following security policies and procedures, and must demonstrate an understanding of PCI DSS compliance.
5. It’s an ongoing process.
PCI compliance is on-going process that is continually updated since new technology presents new risks.
Frequently Check Your Site’s Security
You now understand the basics of online payment fraud and PCI compliance. You’ll want to take “further steps to ensure that all personal and financial information for your customers is safe.
You’ll also protect your business, your bank, and your credit card company. All will be safe and secure,” writes Elli Bishop from BusinessBee on the Kissmetrics Blog.
1. Checking to see if your checkout URLs stay in “https” during the checkout process.
2. Checking to see what happens when you leave the checkout areas of your website and return to checkout later on. Do they have “https” URLs where they are needed?
3. Considering updating passwords to your web server control panel and databases on a regular basis.
4. Considering hiring a security auditor to see if they can find any weaknesses in your website.
“There are specific programs (particularly with credit card companies and security software firms). These will provide additional protection from fraud and hackers,” adds Bishop. “Do your research and find one that works best for your business.”
Here are four programs that you should consider:
Open Source Platforms
“If you use an open source platform, you will be at greater risk of fraudulent transactions.”
Since “the open source code is available for everyone to download, it is much easier for hackers to find the holes. Whatever security measures you might take, particularly if you use third-party plugins are easier to hack.”
“Hackers can figure out this code much easier than for other hosted payment platforms. You need to be very cautious and vigilant when using OS code.”
Power Up With Social Data
“As the world goes social, more advanced tools can help you verify data. You can compare to social data on such networks as Facebook and Linkedin,” writes John Canfield. Mr. Canfield is the VP of Risk for WePay.
“Such an approach can be particularly beneficial because it’s very easy for a fraudster to set up a new profile. It is difficult for them to create a long history profile that also matches the name and email address they wish to fraudulently use.”
Canfield states that, “WePay’s VedaTM risk analysis engine integrates social data. This provides for much ongoing benefit to platform customers and their merchants.”
Run a Velocity Check
“A velocity attack is when a nefarious individual keeps submitting a credit or debit card. They do this in order to make unauthorized charges,” writes Chalmers Brown.
“They’ll keep submitting the card number until it’s verified. They usually obtain card numbers that have been stolen from a point-of-a-sale terminal.”
As a result, you’re going to spend a lot of time determining which transactions were authorized and which were not. This requires you to contact your customers, bank, and payment processors to straighten this mess out. Even worse, you’ll lose the trust and confidence of your customers.
“Being proactive is the best way to reduce, and ultimately avoid velocity attacks,” adds Brown.
Begin With A Velocity Check
“The first place to start is by running a velocity check. This is simply software that keeps a lookout for repeating patterns. It will monitor the number of times that a specific data element occurs within a specified timeframe.
Data elements required:
- User ID/email address
- IP address
- Billing address
- Shipping address
- Phone number
- Device ID/signature
- Credit card number/payment method
- Browser cookie
Keep in mind that a customer name isn’t an effective data element during a velocity check. It’s possible that more than one person has the same name.”
Most fraud prevention services, like Sift Science or Fiserv, offer velocity checks. Companies like BluePay offer velocity filters.
This is a tool that tests multiple card numbers against your merchant account. It will then reject transactions made within a one-hour window based on your preferred parameters. These boundaries can be such as maximum dollar amount for all sales or total sales amount you have per hour.
Carefully Set Up Your Account
On top of investing software and tools, don’t forget to take additional measures like setting up your account so that you:
- Restrict the volume of refunds that available per hour.
- Set limits for maximum sales transaction values based on your average sales each hour.
- Set limits on transaction volumes.
Monitor and block IP addresses that have a higher-than-average number of visits and transactions.
Find Solutions For Mobile Fraud Immediately
More people use their mobile devices to shop online and transfer funds. Now, you also have have to be aware of the challenges and solutions to combat mobile fraud.
Verifi put together the following advice to help you protect against mobile fraud:
1. “Relying on velocity controls alone to detect abnormalities in purchasing behavior is unwise.
The two steps can better help merchants determine whether or not a purchase is being made by a legitimate customer or a fraudster.”
2. “Pairing front-end fraud security tools like geolocation – which confirms the location of a customer. The information as part of the transaction fraud scoring and authorization decisions. Tools like chargeback notifications on the backend is a winning combination.”
3. “Multi-factor authentication. This a method of access control is where a user inputs two types of authentication. The two types may include a password paired with a fingerprint. This is helpful to bypass “clunkiness” associated with 3-D Secure on mobile.
3-D Secure also provides safe, secure and user-friendly means of authentication.”
Don’t Forget About Gift Card Fraud
Did you know that the gift card industry is expected to reach $160 billion by the year 2018? Because of the growing popularity of gift cards, gift card fraud has become rampant. It’s become a part of a worldwide trillion-dollar problem – money laundering.
What’s The Solution?
“The gift card loophole is a growing concern. Casting sweeping regulations to tighten the industry and requiring customers to jump through hoops to purchase gift cards may not be the answer,” writes Stephen Ufford, CEO at Trulioo.
“In addition, the vast majority of gift card crimes are in small amounts. Imposing cost-prohibitive rules will be cumbersome not only for merchants but for legitimate customers.”
“The logical step would be to expand the use of Regulatory Technologies (RegTech) solutions. Regtech has a very large impact on payment platform fraud. The retail and e-commerce sector are increasingly adopting services by RegTech. This includes the financial technology firms, financial services providers, and global banks.”
RegTech includes Identity Verification tools. These instantly identify and verify customers electronically. “Financial institutions use these bank grade tools daily to satisfy compliance obligations.”
“These tools also weed out bad actors before they can commit fraudulent transactions or financial criminal activities. These activities include money laundering, terrorism financing or arms proliferation,” adds Ufford.
Losses Through Chargebacks
Ufford continues, “As gift cards become increasingly popular, merchants will continue to struggle dealing with gift card fraud. They will still suffer losses through chargebacks.” This means that they’re “liable for fraud charges if they unwittingly enable fraudsters to money launder or commit fraud on their site.”
It is clear that there will be no easy solutions in the financial arena. This remains the number one reason that regulations have become so tight for sales in all sectors of money use.