The ‘Dark Web’
Did you know that full card details can be sold on the ‘dark web’ for a matter of pounds? Personal data and login details for popular online services such as Netflix are sold just as readily. Whether or not your company has protection in place, you need to know how to make the online experience secure for you and your customers.
Firstly, do not take customers' card details yourself, and never write them down anywhere. If you handle credit or debit card data you could be liable for it, and it is unlikely you will be meeting PCI DSS (the Payment Card Industry Data Security Standard), which applies to every business that accepts card payments, whether online, face to face, over the phone or by mail order. If there is a breach and you are investigated, you could face substantial fines from your acquiring bank and could lose the ability to accept card payments at all.
You should be using what is called a Payment Gateway or Payment Service Provider (PSP) to handle all card transactions for your online store. Most of the PCI DSS burden then shifts to the PSP: your own scope is reduced to the shortest self-assessment questionnaire (SAQ A), although you remain responsible for your website and for the redirect or iframe that delivers the payment page. As standard, they will provide a hosted payment page option, which a web developer can integrate into your website, or which you can set up yourself if you use a website builder such as Shopify. The card details are captured on this hosted payment page, which runs on the PSP's own systems, not yours; they are encrypted and sent through the card payment network for verification and approval of the sale. Any reputable PSP will be a validated PCI DSS Level 1 service provider against the current version of the standard; ask for their attestation of compliance before you sign up.
According to Financial Fraud UK, fraud losses from online card transactions were in excess of £260 million in 2015. Card fraud is not the only area of trading in which small businesses need to protect themselves.
Under the Data Protection Act, if you hold and process information about customers and suppliers, you are obliged to protect it and to be explicit about what you intend to do with it. From 25 May 2018 the EU General Data Protection Regulation (GDPR) applies, with fines of up to 4 per cent of annual global turnover or €20 million, whichever is higher, for non-compliance.
To make sure that cyber criminals can't enter through the back door, keep the site's software (platform, plugins and themes) up to date and apply security patches as soon as they are released.
A challenge of making transactions secure is to ensure that your customers' experience of using your site stays positive while you protect them from fraud and identity theft. Some websites let customers log in using their Google or Facebook accounts, but not everyone trusts these routes because of privacy concerns, so it is important to offer an alternative.
Selling online allows small businesses to offer their products to customers worldwide. Offering customers a secure experience is a priority. It's not just about the money or data that went missing; a security breach could affect your business's reputation forever.
The best thing a business can do to protect against credit card fraud is to “know your customer.” However, this has become increasingly difficult in the global, online economy. Credit card fraud can have a devastating effect on your business, but there are steps businesses can take to protect themselves.
Below are some of the most common fraud issues facing businesses, followed by steps that can be taken to mitigate these risks:
Stolen card/identity theft fraud: This type of fraud occurs when cardholder and credit card information is stolen and used to purchase services or products illegally. Typically, a business finds out about this type of fraud when the actual cardholder calls their card-issuing bank to report the stolen card and the bank starts the chargeback process. By the time this happens it's too late: the product has left the store or been shipped, or the service has been rendered. The business has lost the product or service, receives no compensation and usually pays a chargeback fee on top.
Mitigating actions (verify CVV and billing address): Verifying the CVV code (the three- or four-digit card verification value printed on the card) and the billing address with the sale helps to confirm that the person authorising the sale actually holds the card. The address verification system (AVS) checks whether the numeric parts of the address and postcode provided match the billing address on file with the card-issuing bank. Note that PCI DSS forbids storing the CVV after authorisation, so it is checked and discarded, never kept. Unless a sale is initiated by a known customer, only ship to the verified billing address.
Eliminate guest checkouts: Online businesses should require customers to register and create a unique user ID and password to help them manage fraud. Customer activity can then be tracked and “questionable” accounts deactivated. Likewise, repeat customers with accounts in good standing need less scrutiny on their sales, while new customers can be monitored and even limited in their sales activity. For instance, a repeat good customer may be permitted to ship to a non-verified address, while new users may only be permitted to ship to their verified billing address until they build trust with your business.
Utilize fraud scoring systems: One of the more robust fraud management tools for online sales is a fraud scoring system. These tools, along with internal procedures, can be implemented to “rate” each sale to determine its risk level and so help businesses identify and avoid high-risk sales that may turn out to be fraud. Fraud scoring systems use a wide range of inputs to rate a sale, including IP filtering, geography filtering, sales thresholds (amount of sale, number of transactions), proxy detection, and even social media information. Some payment gateways offer such a service, but not all do.
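To show how the checks above combine in practice, here is a small rule-based scorer that rates a card-not-present order from the AVS and CVV results, the billing/shipping match, the customer's history, order velocity, IP geography and proxy use, and applies the “new customers ship only to the verified billing address” rule. This is an added example, not code from any payment gateway or scoring vendor; the field names, point values and thresholds are assumptions chosen for illustration, and the sample orders are constructed.

```python
"""Rule-based risk scoring for card-not-present orders.

Added illustration of the checks described in the text (AVS, CVV, billing vs
shipping address, customer history, velocity, geography, proxy use). The
rules, weights and thresholds are assumptions for this example, not those of
any real gateway or scoring product.
"""
from dataclasses import dataclass

# AVS response codes as returned by acquirers in the US, UK and Canada:
# Y = street and postcode match, A = street only, Z = postcode only,
# N = neither matches, U = unavailable (card issued where AVS is unsupported).
AVS_POINTS = {"Y": 0, "A": 10, "Z": 10, "N": 40, "U": 20}

ESTABLISHED_CUSTOMER_ORDERS = 3   # assumed: good orders before rules are relaxed
REVIEW_THRESHOLD = 35             # assumed thresholds
DECLINE_THRESHOLD = 70


@dataclass
class Order:
    amount: float
    avs_code: str            # AVS response from the gateway
    cvv_match: bool          # CVV check passed
    billing_country: str     # ISO 3166 country of the billing address
    ip_country: str          # country the customer's IP geolocates to
    ship_to_billing: bool    # shipping address equals the AVS-verified billing address
    prior_good_orders: int   # completed, unchallenged orders on this account
    orders_last_hour: int    # orders from the same account or IP in the last hour
    via_proxy: bool          # anonymising proxy/VPN detected


def is_established(order):
    return order.prior_good_orders >= ESTABLISHED_CUSTOMER_ORDERS


def score_order(order):
    """Return (points, reasons); higher means riskier."""
    points = 0
    reasons = []

    def hit(n, why):
        nonlocal points
        points += n
        reasons.append(f"{n:+d} {why}")

    avs = AVS_POINTS.get(order.avs_code.upper(), 20)  # unknown code: treat as unavailable
    if avs:
        hit(avs, f"AVS result {order.avs_code}")
    if not order.cvv_match:
        hit(50, "CVV mismatch")
    if order.billing_country != order.ip_country:
        hit(25, "IP country differs from billing country")
    if order.via_proxy:
        hit(20, "anonymising proxy or VPN")
    if not order.ship_to_billing:
        # a known-good customer may ship elsewhere; a new one pays for it
        hit(5 if is_established(order) else 30, "shipping to a non-verified address")
    if order.amount > 500:
        hit(15, "high-value order")
    if order.orders_last_hour > 2:
        hit(20, "velocity: several orders within an hour")
    if is_established(order):
        hit(-15, "established customer")
    return max(points, 0), reasons


def decide(order):
    """Map the score to accept / review / decline, then enforce the shipping rule:
    a new customer may only ship to the verified billing address."""
    points, reasons = score_order(order)
    if points >= DECLINE_THRESHOLD:
        decision = "decline"
    elif points >= REVIEW_THRESHOLD:
        decision = "review"
    else:
        decision = "accept"
    if decision == "accept" and not order.ship_to_billing and not is_established(order):
        decision = "review"
        reasons.append("new customer shipping away from billing address")
    return decision, points, reasons


if __name__ == "__main__":
    # Constructed sample orders, not real transaction data.
    samples = {
        "repeat customer, gift address": Order(80, "Y", True, "GB", "GB", False, 6, 1, False),
        "new customer, clean":           Order(60, "Y", True, "GB", "GB", True, 0, 1, False),
        "new customer, other address":   Order(60, "Y", True, "GB", "GB", False, 0, 1, False),
        "postcode only, foreign IP":     Order(120, "Z", True, "GB", "FR", True, 0, 1, False),
        "everything wrong":              Order(900, "N", False, "GB", "NG", False, 0, 4, True),
    }
    for name, order in samples.items():
        decision, points, reasons = decide(order)
        print(f"{name:32s} {decision:8s} {points:4d}  {'; '.join(reasons)}")
```

The point of returning the reasons alongside the decision is that a reviewer can see why an order was flagged; a bare score is hard to tune and impossible to explain to a customer whose order was held.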
Compromised systems and data
This fraud typically occurs when a point of sale system, website or other system that stores credit card information is “hacked.” The attackers steal the card data and personal information that customers entrusted to the business to keep secure. The business may be liable for heavy fines and suffer devastating negative exposure in its community. Consequently, this type of fraud is the kind most widely reported in the news.
Utilize end-to-end encryption and tokenization: Tokenization replaces sensitive data, such as the card number, with a surrogate value called a “token” that has no exploitable relationship to the real number, while the real number is held in a separate, tightly controlled vault (normally the PSP's). Encryption transforms data using an algorithm so that it is unreadable to anyone who does not hold the “decoder ring,” usually referred to as a key; end-to-end (point-to-point) encryption applies it from the card reader onward, so the card number is never in the clear on the till or web server. When both technologies are deployed, a breach of the shop's systems yields only tokens and ciphertext rather than usable card numbers. Most payment solutions offer these technologies and they can be integrated into a point of sale or website.
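The following is an added example of the tokenization half of that paragraph, written to show what a token vault actually does; it is not code from any payment provider, and the class and method names (TokenVault, tokenize, detokenize) are assumptions for this illustration. The vault here is an in-memory dictionary so the example runs stand-alone; in a real deployment the vault sits with the PSP, the stored card numbers are encrypted at rest under a key held in an HSM or key-management service, and every detokenisation is authorised and logged. The card number used is the publicly known Visa test number, not a real card.

```python
"""Card tokenization vault (added example, not any provider's code).

The vault maps a random, non-Luhn-valid token to the real card number (PAN).
The web shop, order database and staff tools only ever see the token; only
the settlement and refund flows may swap it back. In a real system the PAN
column is encrypted at rest; here it is a plain dict so the example runs.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits):
    """Luhn check-digit test that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan):
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


def mask(digits):
    """What the order screen and e-mails may show: last four only."""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    # Only these callers may ever see a real PAN again.
    DETOKENIZE_ALLOWED = {"settlement", "refund"}

    def __init__(self, index_key):
        self._key = index_key      # HMAC key for the card fingerprint index
        self._by_token = {}        # token -> PAN (encrypted at rest in a real vault)
        self._by_fingerprint = {}  # HMAC(PAN) -> token, so one card maps to one token

    def _fingerprint(self, digits):
        # Keyed hash, not a plain hash: a 16-digit PAN has far too little
        # entropy to survive an offline brute force of an unkeyed SHA-256.
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, digits):
        # Keep the last four so staff can match a token to a customer's card;
        # everything else is random. The token is deliberately not Luhn-valid,
        # so it can never be mistaken for, or used as, a real card number.
        last4 = digits[-4:]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + last4
            if not luhn_valid(token) and token not in self._by_token:
                return token

    def tokenize(self, pan):
        digits = normalise_pan(pan)
        fp = self._fingerprint(digits)
        if fp in self._by_fingerprint:           # returning card: same token
            return self._by_fingerprint[fp]
        token = self._new_token(digits)
        self._by_token[token] = digits
        self._by_fingerprint[fp] = token
        return token

    def can_detokenize(self, purpose):
        return purpose in self.DETOKENIZE_ALLOWED

    def detokenize(self, token, purpose):
        """Only settlement and refund flows get the PAN back; web code never does."""
        if not self.can_detokenize(purpose):
            raise PermissionError(f"detokenisation not allowed for {purpose!r}")
        return self._by_token[token]


if __name__ == "__main__":
    # Constructed usage with the well-known Visa test number; not a real card.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    tok = vault.tokenize("4111 1111 1111 1111")
    print("token stored by the shop:", tok, "shown to staff as:", mask(tok))
    print("same card again gives the same token:", vault.tokenize("4111111111111111") == tok)
    print("settlement service sees:", vault.detokenize(tok, "settlement"))
```

Two design choices matter for a practitioner. The fingerprint index uses a keyed HMAC rather than SHA-256 because card numbers are short enough that an unkeyed hash of every possible PAN can be precomputed; and tokens are generated to fail the Luhn check so that a leaked token database is obviously not a list of card numbers and cannot be replayed as one.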
Implement 3D Secure: Each of the major card brands has a 3D Secure solution: Verified by Visa, MasterCard SecureCode, American Express SafeKey, etc. These are integrated into a business's website and add an authentication step to the payment: the card details are entered on the payment page as usual, and the cardholder is then redirected to their issuing bank to prove it is really them before the transaction is authorised. In the original scheme this meant a user ID and password registered with the card brand, which acted like a PIN; newer versions (EMV 3-D Secure) usually use a one-time code or the bank's mobile app instead. These systems help protect all parties, including the business (merchant), the cardholder and the banks, and for an authenticated transaction liability for a fraud chargeback generally shifts from the merchant to the issuer. The drawback of the original 3D Secure is that it requires the cardholder to have registered their card with the scheme. Still, the first step is to enable your business website to work with these technologies, and most payment gateways support 3D Secure.
International fraud
This fraud is perpetrated by international fraudsters who understand how to work the payment system to their advantage, to the detriment of the business. The aim is to extract product and/or money from the business, and there are many elaborate scams associated with these international fraudsters.
Businesses must be especially cautious with international sales. Since address verification is not supported in most countries (AVS is only supported in the U.S., Canada and the U.K.), a business cannot verify the billing address. International sales are at the business's own risk and there is very limited protection from fraud. For this reason, businesses are encouraged to only do business with known international customers. For new international customers, be sure to conduct proper due diligence on the legitimacy of the cardholder and the sale. There is a general lack of advocacy for businesses when it comes to the safest methods of accepting credit card payments. Knowing these fraud techniques and adopting these fraud-mitigating procedures will help avoid the significant impact of experiencing credit card fraud.
Looking to the future
The payments industry is evolving very quickly and trying its best to keep ahead of the fraudsters. It's understandably difficult for businesses to keep up to date with all the changes. By understanding the most common types of credit card fraud, businesses can better fight and control new cases of fraud in the years to come. The earlier merchants have fraud management procedures and solutions in place, the sooner they can begin to prevent losses. By layering security solutions, merchants can authenticate payments more securely throughout their systems and networks, which helps ensure that their environment, and their customers' payment information, is protected against fraudsters and hacker attacks.