Whether you’re a customer or a business, everyone wants online payment processing to be safe and secure. Hacks, data breaches, identity theft, and more are all genuine threats that could put you or your business at risk. So, how do we know if our transactions are secure, and what can we do to ensure this is the case?
Before jumping into the thick of payment processing security and, in turn, credit card security and PCI compliance, it’s essential to understand what a secure transaction is in the first place. Your payment processing is secure if your customer can confidently enter their credit card information into your ecommerce store payment solution without the risk of having that data exposed and stolen. Secure processing protects the customer’s credit card information throughout the buying process. From adding the product to the cart and providing payment links on your website to receiving it in the mail, your customer’s financial data must be shielded from any breach that could access the data.
Credit card security is vital for not only the customers but also the merchants. Data breaches and careless card management can incur fees, fines, or increased insurance costs. Half of all small businesses will fall victim to fraud in their lifetimes, while the average company loses 5% of its revenues to fraud each year. Resolving fraud cases is expensive, too, with an average cost of $114,000 each time. There are also intangible costs to neglecting your ecommerce security: consumers worry about their security while shopping online, and if their fears are realized on your site, it can significantly tarnish your brand reputation. TJ Maxx is still dealing with the repercussions from 2007, when a security breach damaged its brand reputation.
Fraud comes in many forms. It can be a data breach that exposes credit card information and addresses, account takeovers from phishing, or fraudulent card-not-present transactions. We have also seen many shopping carts used for card testing: a block of stolen credit card numbers is run through a site's checkout to find out which cards are still active. Hackers will write a script and run hundreds, even thousands of test transactions, and the business owner must pay the transaction fees for every one of them. Regardless of the form, they all hurt your bottom line and brand image. Fortunately, there are plenty of ways to fight against fraud, and a proactive business will be much better equipped to handle threats, as many are preventable.
1. Choose the Right Merchant Account Provider
The most proactive solution to ensure transaction security is to be selective when choosing your merchant account provider. Apart from actions you can take on your website, your provider will be your best bet in protecting your customers and yourself. The most popular merchant account providers will have implemented many of the suggestions mentioned in this blog, so it’s essential to research and ask questions before signing your contract.
When choosing a provider, treat their fees as secondary. Your primary decision points should be their customer service and the action plans their risk departments have in place in case there is a breach or fraud. Legitimate providers will always have answers to these questions, as they aren’t uncommon, so ask away!
2. Set Purchase and Value Limits in Your Store
Although this won’t directly protect your customers or you from fraud, setting purchase and value limits in your ecommerce store will guarantee that the damage is minimal if fraud occurs. Fraudulent purchases worth $100 will cause significantly fewer headaches and worry for you and your customers than purchases worth $10,000. Think of this as a safety net or informal insurance plan to protect you from any unforeseen circumstances that let a threat into your website. If an order’s value is higher than your risk threshold, use two-step verification: accept the online order, but contact the customer for final confirmation and make sure the Address Verification (AVS) result matches.
3. Monitor Your Transactions and Customer Activity
You know your customers best, and the great thing about analytics in ecommerce is that we can be more in touch with our customers and their transactions than ever before. If you see any abnormal activity, like a customer making frequent purchases of something they should theoretically only buy once, treat it as a red flag that something could be at play. The same goes for a customer who suddenly makes an abnormally large purchase. Checking that their account wasn’t taken over by hackers and that their credit card information wasn’t stolen is very important.
4. Keep Your Website and Plugins Updated
An outdated website is always a potential vulnerability. As new hotfixes and patches with security updates are released, you must apply them to your CMS and its associated plugins so that known holes are closed and nothing breaks. A faulty plugin or outdated website can lead to security breaches that expose any data you keep in the backend of your site. Thankfully, website maintenance plans can remove the guesswork from keeping your website updated and protect you from outside threats.
5. Verify Your Customer’s Card Information Is Accurate
If you receive a sale and the AVS does not match, there are a few things you can do to check whether the sale is legitimate. First, you can use Google Maps Street View to verify that the building exterior is correct; many business owners also have pictures of their building on their website that you can compare against. Next, if the shipping address is different from the billing address, do your due diligence. If you are concerned you may have received a stolen credit card, you can call your processor and provide the credit card number. They can identify the issuing bank for the card and provide you with its phone number so you can find out whether the card has been reported as stolen.
6. Velocity Control Settings Within Your Gateway
Reputable gateways (PayTrace and Authorize.net, for example) have a velocity security setting. This allows a merchant to monitor transaction flow: the number of transactions by IP address, by card number, and by amount per transaction type within a given time window. This lets merchants keep an eye on their accounts and stops fraudsters from running card-testing scripts against them.
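The velocity control described here, and the scripted card-testing bursts from earlier in the post, can be illustrated with a small sliding-window monitor. This is an added example, not code from the post or from any gateway: the window size, the per-IP and per-card limits, and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from hashlib import sha256

WINDOW_SECONDS = 600            # constructed: 10-minute sliding window
LIMITS = {"ip": 10, "card": 3}  # constructed: max attempts per key per window


def card_fingerprint(pan: str) -> str:
    """Hash the card number so the counters never hold a raw PAN."""
    return sha256(pan.encode()).hexdigest()[:16]


class VelocityMonitor:
    """Counts authorization attempts per source IP and per card in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, limits=LIMITS):
        self.window = window
        self.limits = limits
        self.seen = defaultdict(deque)  # (kind, key) -> timestamps of attempts

    def _count(self, kind, key, now):
        q = self.seen[(kind, key)]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q)

    def check(self, event):
        """Return the velocity rules this attempt trips; an empty list means allow."""
        now = event["ts"]
        flags = []
        if self._count("ip", event["ip"], now) > self.limits["ip"]:
            flags.append("ip_velocity")
        if self._count("card", card_fingerprint(event["pan"]), now) > self.limits["card"]:
            flags.append("card_velocity")
        return flags


def run(events):
    """Feed events through one monitor and map each event id to its flags."""
    mon = VelocityMonitor()
    return {e["id"]: mon.check(e) for e in events}


# Constructed sample: one normal shopper, then a scripted burst from a single IP
# that retries three stolen card numbers with tiny amounts a few seconds apart.
SAMPLE_EVENTS = (
    [{"id": "ok1", "ts": 0, "ip": "198.51.100.7", "pan": "4111111111111111", "amount": 49.99}]
    + [{"id": f"bot{i}", "ts": 100 + 2 * i, "ip": "203.0.113.9",
        "pan": f"4000000000000{i % 3:03d}", "amount": 1.00} for i in range(12)]
)
```

The legitimate order passes, while the burst trips the per-card limit on the fourth reuse of a card and the per-IP limit on the eleventh attempt from the same address.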
1. PCI Compliance
Companies that adhere to the Payment Card Industry Data Security Standard (PCI DSS) achieve payment card industry (PCI) compliance. The credit card companies enforce these standards, which apply to encrypted internet transactions and merchant processing. Ultimately, a business is PCI compliant if it handles its customers’ credit card information securely by following the requirements established by PCI DSS. If followed correctly, the likelihood of data breaches and the associated fines goes down considerably.
Requirements include firewall implementation, sound password protection, up-to-date software, and encrypted cardholder data, to name a few. To see a comprehensive list of the requirements, changelogs, and future updates to the standards, you can visit their website’s document library. Your merchant account providers will often be PCI compliant, so make sure to check and see if yours is.
Each processor uses a third party to validate PCI compliance. Although validation is only an annual requirement, it is very important to remain compliant year-round to avoid the unnecessary costs of falling out of compliance. You’ll need additional insurance if there’s a breach, your Errors and Omissions insurer requires the approved certificate to validate most cyber insurance policies, and if you are out of compliance, you are most likely paying a monthly non-compliance fee.
2. EMV Technology
EMV technology was developed by Europay, Mastercard, and Visa and is named after its founders’ initials. In practice, EMV is the chip on physical cards, which replaced the magnetic stripe technology that hackers could easily clone and manipulate.
EMV chip cards shine when used with physical point-of-sale equipment. Although EMV technology isn’t as relevant for ecommerce as other security options, it is still worth mentioning in case your business operates a physical storefront in tandem with your ecommerce store. Surprisingly, the United States was one of the last countries to upgrade to this security. Since hackers can no longer easily exploit card-present transactions, their focus has shifted to online fraud, which is why it’s critical to ensure your transactions are secure.
3. Require a CVV
A card verification value, or CVV, proves that the buyer has the physical card in hand while completing a transaction online. Visa, Mastercard, and Discover use three-digit numbers, while American Express uses a four-digit number that it calls a card identification number (CID). Regardless of the digit count, it accomplishes the same thing. Unlike your credit card number, name, and expiration date, which can all be stored in a merchant’s system, credit card compliance standards prohibit a merchant from storing the CVV. This way, if your data gets into the wrong hands, fraudulent transactions are impossible, since your card’s CVV won’t be in the breach.
Requiring your customers to enter their CVV during checkout adds an extra layer of security to the transaction. It’s a simple and easy addition that will pay dividends in the long run in the case of a data breach or attack. Processors also reward merchants who take this extra step with lower processing rates, reflecting the reduced risk of fraud.
Tokenization is becoming more popular every year, and it’s only a matter of time before it’s common practice. Tokens replace a cardholder’s account number with a digital identifier that isn’t reusable and can only be validated by the processor. Because the token has no value on its own, a hacker couldn’t do anything with it if they found a way to get it. The processor decodes the token when a transaction occurs, and a new token is generated. Tokens are best applied to subscription-based services, as recurring billing requires credit card information to be on file. With tokens, the merchant can safely keep identifiers for its customers that the processor can accept and verify. Visa is one of many companies transitioning to tokenization solutions because they see the potential behind it.
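The two rules from the CVV and tokenization sections above, that the CVV travels only in the authorization request and that the merchant keeps a processor token rather than the card number, can be enforced at the boundary where checkout data is split into what goes to the processor and what the merchant stores. This is an added example, not code from the post or from any processor; `processor_tokenize` is a hypothetical stand-in for the processor's real tokenization call, and the checkout data in the test is constructed.

```python
import json
import re
import secrets


def processor_tokenize(pan: str) -> str:
    """Hypothetical stand-in: a real processor returns an opaque token only it can map back."""
    return "tok_" + secrets.token_hex(12)


def luhn_ok(pan: str) -> bool:
    """Basic card-number checksum, so obviously mistyped numbers never reach the processor."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def build_records(checkout: dict):
    """Split checkout input into (authorization request, storable record).

    The CVV appears only in the authorization request. The record the merchant
    keeps holds the processor token, last four digits, and expiry, never the
    full PAN or the CVV, which is what the compliance standards require.
    """
    pan = re.sub(r"\D", "", checkout["pan"])
    cvv = checkout["cvv"]
    if not luhn_ok(pan) or not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("card data fails basic validation")
    auth_request = {"pan": pan, "cvv": cvv, "exp": checkout["exp"], "amount": checkout["amount"]}
    storable = {"token": processor_tokenize(pan), "last4": pan[-4:],
                "exp": checkout["exp"], "amount": checkout["amount"]}
    return auth_request, storable


def safe_to_store(record: dict) -> bool:
    """Guard before persisting or logging: reject any record carrying a CVV or full PAN."""
    if "cvv" in record or "pan" in record:
        return False
    # Any 13-19 digit run in the serialized record looks like a card number.
    return re.search(r"\b\d{13,19}\b", json.dumps(record)) is None
```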
There’s hardly a worse feeling than coming to the realization that your business or your customers are victims of fraud. Although it comes in many different forms, fraud will impact your bottom line directly and indirectly, and can leave a lasting stain on your brand image. Fortunately, there is a multitude of mitigation techniques that businesses of all sizes can use to be proactive and protect themselves and their customers.
Compliance and security are confusing topics that can be quite overwhelming, but don’t get discouraged. Once implemented, these measures will pay dividends. If you want to protect your business from fraud, contact our team today. We have years of experience in payment security and can help get you to a place where both you and your customers can have peace of mind.