Online fraud cost Ecommerce businesses $3.5 billion in 2012. The average percentage of online orders that proved to be fraudulent was 0.8 percent, while mobile commerce showed a 1.4 percent revenue loss from Ecommerce fraud.
Though some of these numbers are relatively small, they should jolt your business sense into realizing that Ecommerce fraud is an issue and that you need to protect your business at all costs. What should be more alarming are the penalties and loss of service associated with violating PCI (Payment Card Industry) compliance. Here are 10 practices that will arm your business with the tools necessary to prevent potential fraud and to keep your online business PCI compliant.
1. Select the Right Ecommerce Platform
If you’re not building your Ecommerce functionality from scratch, then there are many Ecommerce platforms that you can choose to either be your entire website solution or simply provide the commerce functionality of your online business.
The research you do in connection with choosing a platform is a crucial step in ensuring that you have the least amount of worry possible when it comes to fraud. When you’re researching different platform providers, search beyond monthly costs and transaction rates and look more deeply into the platform’s features. You may find that some of the platforms with the best rates do not perform as well in the area of fraud protection. For example, you might want to look for a platform that offers top-notch risk management support in case you do become a victim of a fraudulent transaction.
Here are 9 Ecommerce platforms / solutions that are worth looking into:
- Shopify – Designers and developers love it for its user-friendly designs and templates and wealth of features, plus a mobile commerce shopping cart for access from any device.
- Stripe – This service handles all PCI-compliance requirements for you, and they settle transactions every seven days instead of monthly so you get your money faster.
- Highwire – In addition to user-friendly and mobile-ready templates, this service takes a multi-channel approach and sells your products on Facebook, Bonanza, and eBay, in addition to your website.
- Volusion – Besides having one of the lowest prices (a $9/month mini plan for up to 25 products), this service has a daily deal option to help you promote your products and allows your customers to create a wish list.
- Bigcommerce – Mobile-ready, this service delivers single-page checkout and allows user reviews of products. Also, you can arrange to have an email sent if a customer abandons a shopping cart (to remind them of the potential purchase).
- Magento – Free to download, this service is not tied to a host since it is open source, so your developer or designer can create a customized experience for your customers that you can host from anywhere.
- osCommerce – Free and built by the open source community – this is a complete shopping cart website that you can install on your webserver. There is a huge community of users, as well as more than 7,000 add-ons from them (which you can download and use at no cost), in addition to free templates available.
- FoxyCart – You can host your site from anywhere with this service; however, the shopping cart and checkout technically will be hosted on FoxyCart’s website to handle all of the security details.
- DPD – Similar to FoxyCart, this service hosts only the shopping cart and checkout. DPD specializes in digital products, particularly for blogs and websites that have products to sell. There also is a built-in affiliate program to pay a commission to affiliates in exchange for referrals.
2. Achieve and Maintain PCI Compliance
According to the PCI Compliance Guide, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information—basically any merchant with a Merchant ID (MID)—maintain a secure environment.
PCI is designed to proactively protect customer data. Cardholder data is defined as any personally identifiable data associated with the cardholder, including account number, expiration date, name, address, social security number, etc., whether it is stored, processed, or transmitted.
The PCI Security Standards Council was launched in 2006 to manage the ongoing evolution of the PCI security standards. PCI applies to all organizations and merchants, regardless of size or number of transactions, that accept, transmit, or store any cardholder data, and compliance is absolutely mandatory. Noncompliance may result in a fine of $5,000 to $100,000 per month levied on the acquiring bank (which then will pass it down to the merchant), plus other penalties that are not openly discussed but could be damaging for businesses.
There are four merchant compliance levels, based on the number of transactions a merchant processes each year and whether the transactions come from a brick-and-mortar location or over the Internet. Each payment card brand establishes its own specific requirements; these are Visa’s PCI-compliance level definitions:
- Level 1: Over 6 million transactions per year
- Level 2: 1 million to 6 million transactions per year
- Level 3: 20,000 to 1 million transactions per year
- Level 4: Fewer than 20,000 transactions per year
Also, any merchant that has suffered a hack which compromised account data may be escalated to a higher validation level.
PCI compliance generally involves basic security precautions, such as changing factory default passwords on all network equipment and establishing a firewall between your Internet connection and any system that stores credit card numbers. In essence, you are responsible for safeguarding cardholder data by any means necessary. And there is some data that you should never store, such as the full contents of a credit card’s magnetic stripe.
Merchants must comply with the PCI application and review process, which includes:
- Identify your validation type to determine which Self-Assessment Questionnaire to use for your business.
- Complete the Self-Assessment Questionnaire according to the instructions given.
- Complete a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) and obtain evidence of passing it, if applicable.
- Complete the relevant Attestation of Compliance, which is located in the Self-Assessment Questionnaire tool.
- Submit the Self-Assessment Questionnaire, evidence of passing a scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
- Alternatively, a security professional credentialed as a Qualified Security Assessor (QSA) can perform an independent review of your processes and systems.
Depending on your Ecommerce platform provider, some of these steps may be taken care of for you. PayPal has a PCI-compliant solution called Payflow Link, which handles PCI standards for you with checkout page templates you can customize. It then streamlines the paperwork process, though you still need to complete the questionnaire and abide by Quarterly Security Scans.
Here are a few Ecommerce solutions that are PCI compliant:
- Shopify is certified Level 1 PCI DSS compliant.
- Etsy has been audited and certified as PCI-compliant.
- Stripe handles all security requirements for you by using SSL (https instead of http).
- Highwire operates a fully secure PCI-compliant checkout and handles all SSL for you.
Check with your individual provider because there is a chance they already handle at least some of the PCI compliance efforts for you.
Again, PCI compliance is mandatory, so make sure you abide by these guidelines to avoid any fines or penalties. Also, be completely honest in your self-assessment, as there have been issues with this in the past, and being caught could mean facing all of the fines and penalties, particularly if someone hacks your system as a result of noncompliance.
3. Sanity Check Your Site Security
Once you have chosen the best and safest payment processing platform and you are in compliance with PCI requirements, consider taking further steps to ensure that all personal and financial information belonging to your customers, your business, your bank, and your credit card company is safe and secure.
- Check to see if all your checkout URLs stay in “https” during the checkout process.
- Check to see what happens when you leave the checkout areas of your website and return to checkout later on. Does the site maintain “https” URLs where they are needed?
- Consider updating passwords to your web server control panel and databases on a regular basis.
- Consider hiring a security auditor to see if they can find any weaknesses in your website.
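The first two checks above can be automated. The following is an added example (not code from the article or any platform it names) that parses a checkout page and reports every form action, link or embedded resource that would drop the customer out of https; the sample HTML, hostnames and URLs are constructed. The `form` finding is the one that matters most, since a card number submitted to an http action travels in the clear.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed checkout page; the http:// references are the defects to catch.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form action="http://shop.example/checkout/pay" method="post">
  <input name="card" type="text">
</form>
<a href="/cart">Back to cart</a>
<a href="http://shop.example/account">My account</a>
<script src="http://cdn.example/analytics.js"></script>
<img src="https://cdn.example/logo.png">
</body></html>
"""

class InsecureReferenceFinder(HTMLParser):
    """Collects every form action, link or resource that leaves https."""
    URL_ATTRS = {"form": "action", "a": "href", "script": "src",
                 "img": "src", "link": "href", "iframe": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        absolute = urljoin(self.page_url, value)   # resolve relative URLs
        if urlparse(absolute).scheme != "https":
            self.findings.append((tag, absolute))

def find_insecure_references(html, page_url):
    """Return (tag, url) pairs on a checkout page that fall back to plain http."""
    finder = InsecureReferenceFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for tag, url in find_insecure_references(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout"):
        print(f"{tag}: {url}")
```

Run the same function over the page fetched after leaving and returning to checkout to cover the second check in the list.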
There are specific programs (particularly with credit card companies and security software firms) that will provide additional protection from fraud and hackers. Do your research and find one that works best for your business. Here are four programs that you may want to look into:
If you use an open source platform, you will be at greater risk of fraudulent transactions, as the security measures taken by the larger hosted platform services will not be included for you.
Because open source code is available for everyone to download, it is much easier for hackers to find the holes in whatever security measures you might take, particularly if you use third-party plugins. Hackers can study this code far more easily than the code of hosted payment platforms, so you need to be very cautious when using open source code.
4. Set up System Alerts to Screen Suspicious Activity
Depending on the software or processing platform you are using, the platform may automatically alert you when suspicious activity occurs, such as:
- Multiple orders placed by the same person using different credit cards
- Phone numbers that do not match the area code of the billing address
- Big spenders who order large quantities of products, several of the same product, or pay extra to ship quickly (possibly using a stolen credit card to get the products quickly and resell them for a profit).
- Orders where the cardholder’s name is different from the recipient’s name, particularly for foreign addresses (possibly because they are shipping a product to a destination where a fraudulent customer can pick it up without being tracked). In 2012, the fraud rate for orders placed outside of North America was 1.6 percent (twice the overall Ecommerce fraud rate of 0.8 percent).
Some Ecommerce platforms have these types of fraud monitoring steps in action already. PayPal, for example, has a series of Fraud Management Filters that screen and sort transactions for various reasons. And eBay has strict fraud monitoring protocols in place, so strict that they have drawn complaints from some customers who were prevented from completing legitimate transactions.
Shopify reports the AVS and CVV2 results returned for each order so that the shop owner can make his or her own informed decision. If you use a hosted platform, check with your security contact about whether or not these fraud monitoring steps are in place, in case you need to implement your own.
5. Use Credit Card Security Codes
The credit card security code is the 3- or 4-digit number printed on the card (on the back for most brands, on the front for American Express). Requiring it in a transaction helps ensure that the purchaser is in physical possession of a valid card. This number is not printed on receipts, so it is a big help in keeping your customer’s credit card information and the sale of your products safe from fraud.
When the transaction is processed, the card issuer replies with a response code that either confirms or rejects the validity of the number provided.
This number is referred to by different names for specific credit cards, as follows:
- Visa – CVV2
- MasterCard – CVC 2
- Discover – CID
- American Express – 4 digits above card number – CID
Be sure to employ these credit card security codes to ensure the safest transactions possible for you and your customers.
6. Do Not Store Sensitive Customer or Transaction Data
In most cases, PCI standards strictly forbid businesses from storing customer card data, particularly credit card numbers, expiration dates and CVV2 codes. If for whatever reason you do have any of this data stored, get rid of it immediately, and keep only the minimum amount of data possible: only enough for refunds and chargebacks.
However, if you have a system set up where you need to charge a card on a recurring basis, you can store credit card information as long as it meets PCI standard encryption and storage policy guidelines. Never store CVV2 codes. Essentially, if you have no data to steal, then hackers have no reason to rob you.
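Finding out whether card data has leaked into storage is the practical problem behind this section. The following is an added example (not from the article) that scans text such as application logs or database exports for Luhn-valid card numbers and for logged CVV2 fields, reporting card numbers masked to the last four digits, which is all a refund or chargeback needs; the log lines are constructed and the card numbers are published brand test numbers.

```python
import re

# Constructed log lines; the card numbers are published brand test numbers, not real cards.
SAMPLE_LOG_LINES = [
    "2013-04-02 10:15:01 POST /checkout/pay card=4111111111111111 exp=0915 cvv=123",
    "2013-04-02 10:15:02 order 8841 shipped, tracking 1Z999AA10123456784",
    "2013-04-02 10:16:40 POST /checkout/pay card=5500 0000 0000 0004 exp=1216 cvv=321",
    "2013-04-02 10:17:03 order 8842 internal ref 1234567890123456 phone 4155550100",
]

# 13-19 digits, optionally separated by spaces or dashes as people type them
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CVV_RE = re.compile(r"\bcvv2?=\d{3,4}\b", re.IGNORECASE)

def luhn_valid(digits):
    """Luhn checksum used by all major card brands; weeds out look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep only the last four digits, which is enough for refunds and chargebacks."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_line(line):
    """Return ('pan', masked) for each Luhn-valid card number and ('cvv', 'present')
    when a security code was logged; neither should ever be in storage."""
    findings = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    if CVV_RE.search(line):
        findings.append(("cvv", "present"))
    return findings

def scan_lines(lines):
    """Scan numbered lines; returns (line_no, kind, value) triples."""
    return [(n, kind, value) for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]
```

The tracking number and the internal reference in the sample are not reported: the first is too short and the second fails the Luhn check.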
7. Use Tracking Numbers for All Orders
Tracking numbers for shipments help to protect your business from chargeback fraud. Chargeback fraud, also known as friendly fraud, occurs when a customer disputes a charge and the issuing bank forcibly reverses the funds from the merchant. When this happens, the merchant is held accountable regardless of any measures taken to verify the transaction.
Additionally, merchants usually still have to pay all of the transaction fees, including the fees associated with pulling the disputed funds back out of the merchant’s bank account.
One way that customers engage in chargeback fraud is to claim that a product was never delivered and that they want their money refunded. But if you use tracking numbers, you have the confirmation that the product was delivered to the customer. Requiring a signature upon delivery is another good way to prevent this type of chargeback fraud.
8. Require Strong Passwords from Customers
When your customers open an account with your business, make sure they create strong passwords that are not easy for hackers to guess. Require a minimum number of characters and a mix of capital letters, numbers, and symbols. This makes the password hard enough to crack that hackers cannot easily breach customer accounts and make fraudulent purchases from the front-end.
Of course, there are many customers who reject having to open an account just to make a purchase. To prevent losing customers over this important security issue, make the account creation available after the order has been placed. This way you won’t lose a customer or the security of the transaction at hand.
Be sure to read 9 Ways to Make the Payment Process Easy for Online Customers by KISSmetrics for additional ways to keep your checkout conversions as high as they can be.
9. Educate Staff on Security and Fraud Protocols
While there are security measures that you, as a business owner, must take for your business, there also are ways that your employees can comply with security measures to protect your business from fraud from the back-end.
Any passwords your employees use to access payment systems and business records should be governed by the same strict rules as for customers. Ensure they know what to monitor in transactions to prevent any unnecessary attacks or fraudulent purchases. They need to understand not only your risk management procedures but also the gravity of the risks so that they can protect themselves, your business, and your customers from potential hacking and fraud.
10. Create and Maintain a File of Past Fraudulent Transactions and Attempts
Should your system ever be hacked or compromised or should your business ever be a victim of fraud, keep a record of all of the details in a file. Record the unfortunate event so that you and your employees learn for the future and prevent the situation from happening again. Use the file to compare with future transactions, and either approve or deny them based on what you learned.
Often you will see patterns that you can learn from. You may notice that fraudulent charges come from:
- Particular countries or geographic regions
- Shipping addresses that don’t match the billing address
- Unusually large orders
If possible, modify your system to put those transactions on hold or for further review. Additionally, make sure your employees are aware of these patterns so they can preemptively stop them from going through.
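The alert conditions from section 4 and the hold-for-review patterns from section 10 combine naturally into one screening pass over a batch of orders. The following is an added example (not from the article or any platform it names); the thresholds, the partial area-code table, the country code "ZZ" and the sample orders are all constructed, and the set of past-fraud countries stands in for the file of past fraudulent transactions described above.

```python
from collections import defaultdict

# Thresholds, area-code table and orders are constructed for this example, not from the article.
LARGE_QTY = 10
AREA_CODE_STATE = {"415": "CA", "212": "NY", "312": "IL"}   # deliberately partial

def order(oid, email, card_last4, phone, bill_state, **overrides):
    """Build a constructed order record with benign defaults."""
    o = {"id": oid, "email": email, "card_last4": card_last4, "phone": phone,
         "bill_state": bill_state, "bill_country": "US", "ship_country": "US",
         "cardholder": "Ann Lee", "recipient": "Ann Lee", "qty": 1,
         "rush": False, "ship_matches_bill": True}
    o.update(overrides)
    return o

ORDERS = [
    order(1, "ann@example.com", "1111", "4155550100", "CA"),
    order(2, "bob@example.com", "2222", "2125550100", "CA"),
    order(3, "bob@example.com", "3333", "4155550100", "CA", qty=2),
    order(4, "cal@example.com", "4444", "3125550100", "IL", ship_country="ZZ",
          cardholder="Cal Ng", recipient="D. Smith", qty=12, rush=True,
          ship_matches_bill=False),
]

def screen_orders(orders, past_fraud_countries):
    """Return {order_id: [reasons]} for orders to hold; past_fraud_countries is
    the merchant's own file of past fraud (section 10), other rules are section 4."""
    cards_by_customer = defaultdict(set)
    for o in orders:
        cards_by_customer[o["email"]].add(o["card_last4"])
    held = {}
    for o in orders:
        reasons = []
        if len(cards_by_customer[o["email"]]) > 1:
            reasons.append("same customer, multiple cards")
        state = AREA_CODE_STATE.get(o["phone"][:3])
        if state and state != o["bill_state"]:
            reasons.append("phone area code does not match billing state")
        if o["qty"] >= LARGE_QTY or o["rush"]:
            reasons.append("large or rush order")
        if o["cardholder"] != o["recipient"] and o["ship_country"] != o["bill_country"]:
            reasons.append("cardholder differs from recipient on foreign shipment")
        if not o["ship_matches_bill"]:
            reasons.append("shipping address differs from billing address")
        if o["ship_country"] in past_fraud_countries:
            reasons.append("ship-to country seen in past fraud")
        if reasons:
            held[o["id"]] = reasons
    return held
```

Orders that come back with reasons are the ones to hold rather than decline outright, since each rule on its own also fires on legitimate customers.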
Fraud protection, while not perfect, is possible when you take the necessary precautions. There are many services and protocols already in place to help you achieve this, and you also can develop your own internally to ensure that every aspect of your business is completely covered.