As the holiday season approaches and online shopping increases, so does the risk of credit card payment fraud.
With billions of dollars being processed via credit cards and retailers seeing a high percentage of their revenue peaking from Black Friday through the end of the year, there are countless opportunities for fraudsters to strike. It’s vital for business owners and retailers to understand how to defend against these threats.
Even though EMV (chip-based) credit cards have helped drive down fraud by 52 percent, according to Visa, at brick-and-mortar retailers, fraud in e-commerce and card-not-present (CNP) businesses continues to increase at an alarming rate.
CNP fraud rose 40 percent from 2015 to 2016, according to Javelin Strategy & Research’s 2017 Identity Fraud Study. Fraudsters successfully adapted to net 2 million more victims in 2016, a 16 percent increase in identity fraud incidence rate from 2015, and losses jumped more than $1 billion to $16 billion.
Some experts claim the increase in online fraud is simply due to the increase in online sales. However, these increasing online fraud trends match those seen in the UK and Canada as those countries rolled out EMV chip cards in 2004 and 2005, respectively.
While there is no way (yet) to make your business 100 percent safe, you can take steps to reduce your risk. The best protection against credit card fraud is to know your customer. Even though this is a challenge in our global, online economy, addressing the following areas will help you better understand your customers and their behavior online, and, as a result, minimize your overall risk of fraud.
Stolen card/identity theft fraud
When a credit card or credit card information is stolen from cardholders and used to purchase goods or services online, businesses usually find out long after the product has shipped or the service rendered, leaving them without compensation or recourse. It isn’t until the actual cardholder initiates a dispute (chargeback) after notifying their issuing bank of the stolen card or fraudulent charge that businesses learn of the incident.
That means more stringent precautions at the time of purchase are the best defense. You want to make it harder for thieves to assume someone else’s identity without making the buying process too cumbersome for legitimate customers. These precautions do just that:
- Require CVV code validation and address verification at checkout. By verifying the CVV code and billing address with the sale, you can confirm the cardholder is actually the person authorizing the sale. The address verification system (AVS) can confirm the address provided matches the billing address on file with the credit card issuing bank. Only ship to the verified billing address, unless a sale is initiated by a known customer.
- Require online customer accounts and registration, such as user IDs and passwords. By eliminating guest checkouts that can be completed without registering, you can track customer activity and more easily detect questionable accounts. You also can more closely monitor new customers and even limit their sales activity. In the same way, you can reduce scrutiny of repeat customers in good standing. For instance, a repeat user in good standing may be permitted to ship to a noncertified address, while new users may only be permitted to have the option to ship to their verified billing address, until they build trust with your business.
- Implement fraud scoring systems that evaluate the risk level of each online sale. One of the more robust fraud management tools for online sales is a fraud scoring system. These tools, along with internal procedures, can be implemented to “rate” each sale to determine risk level, helping you identify and avoid high-risk sales that may turn out to be fraud. Fraud scoring systems use a wide range of input to critique a sale, including IP filtering, geography filtering, sales thresholds (amount of sale, number of transactions), proxy detection and even social media information.
Compromised systems and data
This is the type of fraud that most often makes headlines. These thefts typically occur when hackers break into point-of-sale systems, websites or other databases and steal customers’ credit card or personal information — information customers have entrusted the business to keep secure. Businesses may be liable for excessive fines and lawsuits, and their reputation and credibility may suffer long after the incident. Implementing a few industry best practices can better protect you:
- Use end-to-end encryption and tokenization to decrease “hacks” and the amount of liability for which the business may be accountable. Tokenization replaces sensitive data with nondescript values, while encryption transfers data using an algorithm to make it unreadable to anyone except those possessing the data. When both technologies are used, hacking data is extremely difficult. Most payment solutions offer these technologies and can integrate them into a point of sale or website.
- Use technologies, such as 3D Secure, that require cardholders to register credit cards that will be authenticated at checkout to ensure the purchaser is also the cardholder. Each of the major card brands has a 3D Secure solution, such as Verified by Visa, Mastercard SecureCode and American Express SafeKey. These solutions are integrated into a business’ website and provide a safer, more secure online payment method because the actual card data is not entered on the website. The cardholder authenticates the sale by entering their user ID and password, which act like a PIN. These systems help protect all parties, including the merchant, the cardholder and the banks, from fraud. The drawback to these 3D Secure technologies is they require cardholders to register their credit card with the corresponding card brand’s solution. Still, the first step is to enable your business website to work with these technologies, and most payment gateways support 3D Secure.
Businesses must be especially cautious with international sales. International fraudsters understand how to work the payment system to their advantage and try to extort product and/or money from businesses. Because address verification is not supported in most countries (AVS is only supported in the United States, Canada and the United Kingdom), a business cannot verify the billing address. International sales are at the business’ own risk, and businesses have very limited protection from fraud. To reduce your risk of becoming a victim of international fraud:
- Question all unusual sales, such as international orders that may be rare for online businesses, as well as high-value orders from new customers.
- Only engage and accept orders from international customers you have previously been in contact with. For new international customers, be sure to conduct proper due diligence on the legitimacy of the cardholder and the sale.
Criminal data breaches will cost businesses a total of $8 trillion over the next five years, due to inadequate enterprise-wide security, according to a report released by Juniper Research in April 2017.
We all hear about big brands when they are compromised or hacked — Target, Neiman Marcus, Wendy’s, Chipotle and most recently Equifax. The list goes on.
However, thousands of other medium and small businesses experience online fraud and data breaches almost daily, and they never make the news. A 2017 Data Breach Investigations Report conducted by Verizon found that 61 percent of the breaches examined occurred in businesses with less than 1,000 employees. They costs accumulate — lost revenues, fines, impact to reputation and lost time trying to increase security — all impact the bottom line, outside of the initial occurrence.
A 2014 study by the Association of Certified Fraud Examination found the median loss due to fraud was $145,000, with 22 percent reporting losses of at least $1 million. However, companies with fewer than 100 employees lose a median of $155,000 a year.
By understanding the most common types of credit card fraud, businesses can better protect their customers, their businesses and their boards, and better control new cases of fraud. By layering security solutions, merchants can more securely authenticate payments throughout systems and networks. This will ensure that their environment — and customers’ payment information — is protected against fraudsters and hackers.
Patrick O’Boyle is a founding partner of MSP Consulting, a Kansas City-based merchant services consultancy that counsels companies on best practices for managing payments. He has more than 20 years of experience advising businesses in the areas of payment services technologies, customer service and support, as well as experience working across several industries, from startups to Fortune 500 businesses.