Online fraud costs ecommerce businesses a great deal. The average share of online orders that proved to be fraudulent was 0.8 percent, while mobile commerce showed a 1.4 percent revenue loss from ecommerce fraud. Although these numbers look small, they should jolt your business sense into realizing that ecommerce fraud is a real issue and that you need to protect your business at all costs. More alarming still are the penalties and loss of service that follow a violation of PCI (Payment Card Industry) compliance. Here are 10 practices that will arm your business with the tools it needs to prevent fraud and to keep your online business PCI compliant.
According to the PCI Compliance Guide, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that every company that processes, stores, or transmits credit card information (in practice, any merchant with a Merchant ID, or MID) maintains a secure environment. PCI is designed to protect customer data proactively. Cardholder data is defined as any personally identifiable data associated with the cardholder, including account number, expiration date, name, address, social security number, and so on, whether it is stored, processed, or transmitted. Launched in 2006 to manage the ongoing evolution of the PCI security standards, PCI applies to all organizations and merchants, regardless of size or number of transactions, that accept, transmit, or store any cardholder data, and compliance is mandatory.
If you are not building your ecommerce functionality from scratch, there are many ecommerce platforms that can serve either as your entire website solution or simply as the commerce layer of your online business. The research you do when choosing a platform is a crucial step toward having as little to worry about as possible when it comes to fraud. When you compare platform providers, look beyond monthly costs and transaction rates and examine the platform's features in depth. You may find that some of the platforms with the best rates perform poorly when it comes to fraud protection. For example, look for a platform that offers strong risk management support in case you do become the victim of a fraudulent transaction.
Here are some solutions you can use to fight ecommerce fraud:
Manual Review
Most ecommerce merchants have employees assigned to review purchases that fall into specific risk categories, such as transactions above a specified dollar amount and/or transactions where the billing and shipping addresses do not match. Common manual review techniques include using Google to find verifiable data on the purchaser, checking social media accounts, and using Google Maps to see whether the shipping address appears legitimate. This is more accurate than simple gateway filters, since a veteran employee becomes quite effective at preventing fraud over time.
The drawbacks: it is time consuming, results vary greatly with employee skill, it can become a bottleneck during high season, an experienced reviewer may leave the company, and the tools available for research are limited. Manual review is recommended for merchants in low to moderate fraud-risk categories.
Once you have chosen the best and safest payment processing platform and you are in compliance with PCI requirements, consider taking further steps to ensure that all personal and financial information belonging to your customers, your business, your bank, and your credit card company is safe and secure.
Check whether all of your checkout URLs stay on "https" throughout the checkout process. Check what happens when you leave the checkout area of your website and return to checkout later: does the site still use "https" URLs where they are needed? Consider updating the passwords for your web server control panel and databases on a regular basis. Consider hiring a security auditor to look for weaknesses in your website. There are specific programs (particularly from credit card companies and security software firms) that provide additional protection from fraud and hackers. If you run an open source platform, be aware that because its source code is available for everyone to download, it is much easier for attackers to find holes in whatever security measures you take, particularly if you use third-party plugins. Attackers can study this code far more easily than the code of a hosted payment platform, so you need to be very cautious when using open source (OS) code.
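The "does every checkout URL stay on https" check above is easy to automate against a crawl of your own site. The following is an added example, not code from the original article; it runs against a small constructed set of crawled pages and flags three things a practitioner cares about: a checkout page served over plain http, a checkout form whose action would post card data over http, and scripts or checkout links that drop out of https. The sample page HTML, the hostnames and the `/checkout`, `/cart`, `/pay` path markers are all assumptions made for the example.

```python
"""Audit crawled checkout pages for insecure transport.

Added example, not from the original article. Input is a constructed map of
page URL -> raw HTML, standing in for the output of a site crawl.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample crawl (page URL -> HTML). The hostnames are not real sites.
SAMPLE_PAGES = {
    "https://shop.example/checkout": """
        <html><body>
        <form action="/checkout/pay" method="post">...</form>
        <script src="http://cdn.example/tracker.js"></script>
        <a href="/cart">Back to cart</a>
        </body></html>""",
    "http://shop.example/checkout/review": """
        <html><body>
        <form action="http://shop.example/checkout/submit" method="post"></form>
        <a href="https://shop.example/checkout/confirm">Continue</a>
        </body></html>""",
    "https://shop.example/cart": """<html><body><a href="http://shop.example/">Home</a></body></html>""",
}

# Assumed path fragments that identify the checkout area of the site.
CHECKOUT_MARKERS = ("/checkout", "/cart", "/pay")


class _RefCollector(HTMLParser):
    """Collect form actions, link hrefs and script sources from one page."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (kind, raw_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"]))
        elif tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))


def is_checkout_url(url):
    path = urlparse(url).path.lower()
    return any(m in path for m in CHECKOUT_MARKERS)


def audit_page(url, html):
    """Return a list of (severity, finding) for one crawled page."""
    findings = []
    if not is_checkout_url(url):
        return findings  # only the checkout area is in scope here
    if urlparse(url).scheme != "https":
        findings.append(("high", f"checkout page served over plain http: {url}"))
    parser = _RefCollector()
    parser.feed(html)
    for kind, raw in parser.refs:
        target = urljoin(url, raw)  # resolve relative references against the page
        scheme = urlparse(target).scheme
        if scheme == "https":
            continue
        if kind == "form":
            # card data entered on this page would be posted in clear text
            findings.append(("high", f"form posts over {scheme}: {target}"))
        elif kind == "script":
            # mixed content: an http script can read the card form on an https page
            findings.append(("high", f"script loaded over {scheme}: {target}"))
        elif is_checkout_url(target):
            findings.append(("medium", f"checkout link leaves https: {target}"))
    return findings


def audit_site(pages):
    """Audit every crawled page; returns {url: [findings]} for pages with issues."""
    report = {}
    for url, html in pages.items():
        found = audit_page(url, html)
        if found:
            report[url] = found
    return report


if __name__ == "__main__":
    for url, items in audit_site(SAMPLE_PAGES).items():
        print(url)
        for severity, message in items:
            print(f"  [{severity}] {message}")
```

Relative references are resolved with `urljoin` so a form with `action="/checkout/pay"` on an https page is correctly treated as https, while the same relative action on a page that was itself fetched over http inherits the insecure scheme; that is exactly the "leave checkout and come back over http" case the text warns about.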
Payment Gateway Filters
Most payment gateways allow ecommerce merchants to set up basic fraud prevention rules that block or flag transactions that may be fraudulent. Typical examples are declining all transactions where the billing address does not match what the credit card company has on file (an AVS mismatch) or excluding all transactions from specified countries. There is no cost to merchants. However, the selection of available rules is inadequate for merchants facing a moderate to high volume of fraud, and there is a high risk of false declines because the rules are not very flexible. This step is recommended for merchants in low-risk fraud categories and merchants that have not experienced much fraud.
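The two approaches described so far, gateway filters and manual review, fit together naturally: hard rules decline outright, softer signals route an order to a human. The following added example (not the article's code, and not any real gateway's rule set) shows that split for both passages. The AVS result letters, the blocked-country list, the dollar threshold and the sample orders are assumed values chosen for illustration; the point it demonstrates is that keeping a "review" outcome separate from "decline" is what holds down the false declines the text warns about.

```python
"""Gateway-style fraud filters plus a manual-review queue.

Added example, not from the original article. Every order is routed to one
of three outcomes:
  decline - a hard gateway rule fired (AVS mismatch, blocked country)
  review  - a softer signal fired and an employee should look at it
  accept  - nothing fired
"""
from dataclasses import dataclass, field

# Assumed AVS result codes (the single-letter scheme many US gateways return):
# Y = street and ZIP match, A = street only, Z = ZIP only, N = neither.
AVS_HARD_MISMATCH = {"N"}
AVS_PARTIAL = {"A", "Z"}


@dataclass
class Order:
    order_id: str
    amount: float
    currency: str
    avs_result: str
    billing_country: str
    shipping_country: str
    billing_address: str
    shipping_address: str


@dataclass
class Policy:
    # "XX" is a placeholder country code, not a real one
    blocked_countries: set = field(default_factory=lambda: {"XX"})
    review_amount: float = 500.0       # orders above this go to manual review
    review_partial_avs: bool = True    # partial AVS match is reviewed, not declined


@dataclass
class Decision:
    outcome: str      # "accept" | "review" | "decline"
    reasons: list


def triage(order, policy):
    """Apply hard gateway rules first, then manual-review signals."""
    hard, soft = [], []
    # gateway-style hard rules
    if order.avs_result in AVS_HARD_MISMATCH:
        hard.append("AVS mismatch")
    if (order.billing_country in policy.blocked_countries
            or order.shipping_country in policy.blocked_countries):
        hard.append("blocked country")
    # manual-review signals (the categories the text lists for human review)
    if order.amount > policy.review_amount:
        soft.append(f"amount {order.amount:.2f} above review threshold")
    if order.billing_address.strip().lower() != order.shipping_address.strip().lower():
        soft.append("billing and shipping addresses differ")
    if policy.review_partial_avs and order.avs_result in AVS_PARTIAL:
        soft.append("partial AVS match")
    if hard:
        return Decision("decline", hard)
    if soft:
        return Decision("review", soft)
    return Decision("accept", [])


def build_review_queue(orders, policy):
    """Orders routed to review, largest amounts first so reviewers see them first."""
    decided = [(o, triage(o, policy)) for o in orders]
    return sorted((o for o, d in decided if d.outcome == "review"),
                  key=lambda o: -o.amount)


# Constructed sample orders (not real transactions).
SAMPLE_ORDERS = [
    Order("o1", 120.0, "USD", "Y", "US", "US", "1 Main St, Springfield", "1 Main St, Springfield"),
    Order("o2", 950.0, "USD", "Y", "US", "US", "1 Main St, Springfield", "77 Depot Rd, Shelbyville"),
    Order("o3", 60.0, "USD", "N", "US", "US", "5 Elm St", "5 Elm St"),
    Order("o4", 2000.0, "USD", "A", "US", "XX", "9 Oak Ave", "9 Oak Ave"),
    Order("o5", 40.0, "USD", "Z", "US", "US", "3 Pine Rd", "3 Pine Rd"),
]

if __name__ == "__main__":
    policy = Policy()
    for order in SAMPLE_ORDERS:
        d = triage(order, policy)
        print(order.order_id, d.outcome, "; ".join(d.reasons))
    print("review queue:", [o.order_id for o in build_review_queue(SAMPLE_ORDERS, policy)])
```

Note that `o4` carries both a hard rule hit and soft signals; the hard rule wins and the soft reasons are not reported, so a reviewer's time is not spent on an order the gateway would have declined anyway.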
Tracking numbers for shipments help protect your business from chargeback fraud. Chargeback fraud, also known as friendly fraud, occurs when a customer disputes a charge and the issuing bank forcibly reverses the funds from the merchant. When this happens, the merchant is held accountable regardless of any measures taken to verify the transaction. Additionally, merchants usually still have to pay all transaction fees, including the fees associated with pulling the disputed funds out of the merchant's bank account. One way customers engage in chargeback fraud is to claim that a product was never delivered and demand a refund. If you use tracking numbers, you have confirmation that the product was delivered to the customer. Requiring a signature upon delivery is another good way to prevent this type of chargeback fraud.
Fraud Prevention Tools
There is a multitude of third-party fraud prevention companies that leverage sophisticated technologies such as IP proxy piercing, geolocation, device ID and global fraud blacklists to reduce or eliminate fraud liability. The solutions range from the very basic, which provide a risk score and tools to build your own fraud prevention algorithm, to full-service offerings that use machine learning to give you a yes/no response and will even reimburse you for any fraud chargebacks that result from their decision. These are very effective at fighting fraud. Most solutions eliminate the need for manual review, providing expert service that is not tied to employee skill. Companies can accept more orders that would normally have been declined over fraud concerns, and the guaranteed solutions let you pre-determine your fraud costs.
Score and tool models still require fraud expertise to set up and maintain. Solutions can be pricey, although they generally pay for themselves once decreased chargebacks are taken into account, and you can accept more orders with less employee overhead. This is recommended for businesses that have been targeted by fraud, businesses in high-risk categories, and smaller businesses that want to free up the resources devoted to fraud prevention so they can concentrate on sales and expanding their enterprises.
Orders where the cardholder's name is different from the recipient's name, particularly for foreign addresses.
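The "risk score plus tools" tier described above is, at its core, a weighted sum of the signals the text names (proxy IP, geolocation versus billing country, device ID, blacklist membership) compared against accept and decline thresholds. The following added example is not any vendor's algorithm and not code from the article; the weights, thresholds, the device blacklist and the sample orders are assumed values, and a real deployment would tune them against its own chargeback history. It also includes a simple order-velocity signal, which goes slightly beyond the signals the text lists.

```python
"""Score-and-threshold fraud model, as an illustration of the 'score and
tools' products described. Added example, not a vendor's algorithm.

Each order gets a 0..100 score; scores below accept_below are a 'yes',
scores at or above decline_at are a 'no', and the band in between is
returned for review.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Signals:
    order_id: str
    device_id: str        # from a device-fingerprinting library (assumed)
    ip_country: str       # from IP geolocation (assumed)
    billing_country: str
    shipping_country: str
    ip_is_proxy: bool     # from proxy/VPN detection (assumed)
    amount: float


# Constructed global blacklist of device IDs tied to earlier chargebacks.
BLACKLISTED_DEVICES = {"dev-c0ffee"}

# Assumed weights; tune against real chargeback outcomes.
WEIGHTS = {
    "proxy": 35,
    "ip_vs_billing": 25,
    "ship_vs_billing": 15,
    "blacklist": 70,
    "velocity": 10,   # per additional order from the same device in the window
}


def score(order, device_counts):
    """Return (score capped at 100, list of contributing reasons)."""
    total, reasons = 0, []
    if order.ip_is_proxy:
        total += WEIGHTS["proxy"]
        reasons.append("proxy/VPN IP")
    if order.ip_country != order.billing_country:
        total += WEIGHTS["ip_vs_billing"]
        reasons.append("IP country differs from billing country")
    if order.shipping_country != order.billing_country:
        total += WEIGHTS["ship_vs_billing"]
        reasons.append("ships to a different country than billing")
    if order.device_id in BLACKLISTED_DEVICES:
        total += WEIGHTS["blacklist"]
        reasons.append("device on global blacklist")
    extra = device_counts.get(order.device_id, 1) - 1
    if extra > 0:
        total += WEIGHTS["velocity"] * extra
        reasons.append(f"{extra} other orders from the same device")
    return min(total, 100), reasons


def decide(orders, accept_below=30, decline_at=70):
    """Score a batch of orders; returns {order_id: (verdict, score, reasons)}."""
    counts = Counter(o.device_id for o in orders)  # velocity within this batch
    decisions = {}
    for o in orders:
        s, reasons = score(o, counts)
        if s >= decline_at:
            verdict = "no"
        elif s < accept_below:
            verdict = "yes"
        else:
            verdict = "review"
        decisions[o.order_id] = (verdict, s, reasons)
    return decisions


# Constructed sample batch (not real orders or devices).
SAMPLE = [
    Signals("a1", "dev-1", "US", "US", "US", False, 80.0),
    Signals("a2", "dev-2", "DE", "US", "US", True, 300.0),
    Signals("a3", "dev-c0ffee", "US", "US", "US", False, 50.0),
    Signals("a4", "dev-9", "US", "US", "GB", False, 120.0),
    Signals("a5", "dev-9", "US", "US", "GB", False, 120.0),
    Signals("a6", "dev-9", "US", "US", "GB", False, 120.0),
]

if __name__ == "__main__":
    for order_id, (verdict, s, reasons) in decide(SAMPLE).items():
        print(f"{order_id}: {verdict} (score {s}) {'; '.join(reasons)}")
```

The three `dev-9` orders show why velocity matters: shipping abroad alone scores 15 and would be accepted, but three orders from one device in the same window push each of them into the review band.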
Possibly because they are shipping a product to a destination where a fraudulent customer can pick it up without being tracked. Some ecommerce platforms already have these types of fraud monitoring steps in place. PayPal, for example, has a series of Fraud Management Filters that screen and sort transactions for various reasons. And eBay has strict fraud monitoring protocols in place, so strict that they have drawn complaints from some customers who were prevented from completing legitimate transactions.