Every day hundreds of people become victims of identity theft, credit card fraud, and other forms of cyber crime. In 2012, the U.S. alone accounted for nearly half of the $11.3 billion in total credit card fraud worldwide, with card issuers losing $3.4 billion and merchants another $1.9 billion. While United States credit card spending is only 25% of global card spending, cyber-criminals have found the U.S. a very attractive market for a couple of reasons:
- The volume of cards in circulation: In 2013 there were 1.2 billion debit, credit, and pre-paid cards in the U.S. (that’s 5 cards per adult).
- The U.S. still uses magnetic stripe cards, which are far less secure than chip-and-PIN cards.
For these reasons, U.S. consumers and businesses have consistently been the target of some of the biggest data breaches. In 2013, nearly 67% of businesses were exposed to actual or attempted payments fraud, while the typical financial loss incurred due to payments fraud averaged $23,000.
Gone are the days when purses were snatched and banks got robbed; now, cyber criminals can do all that and more from the comfort of their own homes, leaving little or no trace. Moreover, any and all kinds of information are now valuable to a cyber criminal. We now know that the hackers' market is a very sophisticated organization. Stolen data, from credit card numbers to health information and Facebook passwords, is traded in very large quantities, and the industry is reported to be more lucrative than the illegal drug trade.
As much as we like to believe that hackers are only after big fish and are not interested in small businesses, we know that isn't a true assumption. Businesses of all sizes are, and can be, targets of data breaches. A small business that caters to affluent shoppers can be a better and easier target to hack than a large corporation that stores nothing but business card information. Hackers are now able to attach customers' shopping behavior to the stolen card numbers and sell the data for high prices. Stolen data can then be used to reproduce new cards for in-store purchases or to shop online.
With the introduction of chip-and-PIN technology, the in-person use of fraudulent cards is going to be harder than ever. However, the risk to online retailers remains high and is expected to grow, as online sellers do not have any way of verifying the card owner's ID. It turns out that PCI accreditation doesn't always offer much protection against fraud. Neiman Marcus and Target, which suffered record-breaking hacks in 2014, had been certified as PCI compliant earlier in the year. Fraud prevention for web-based businesses and credit cards needs a full understanding of the dynamics of data security and of the tools available to every party involved.
So, relying solely on a PCI-compliant payment gateway isn't enough. Online retailers need not only to build and maintain secure networks but also to conduct periodic audits to ensure the safety of their customers' credit card information. They also need to add security measures to prevent fraud from happening and to avoid chargebacks. In our experience, small businesses have been victims of fraud simply because the business owners never had any training on fraud detection and prevention.
Ideally your payment gateway should:
- Never store credit card data on your system/network
- Use the latest data encryption and tokenization to make data indecipherable to hackers
- Reduce human errors and associated risks
- Be integrated with your ERP/accounting software for enhanced security as well as efficiency
- Provide solutions for all the channels you accept payments from to create an end-to-end solution
Educating your sales and customer service team on payment security standards and the steps required to process a credit card transaction on the phone or the web is crucial to your online business. Some simple yet vital steps employees need to take before processing a phone/online order:
- Require CVV code
- Require zip code
- If applicable, attach a code to your products that makes them useless for resale
- Always insist on physical address for the shipment of goods
- Beware of expedited shipping when “bill to” and “ship to” are different
- Check for IP address and card address
- Use security services that scan your website on a daily basis for malware and viruses
- Do not fall for large overseas purchases
- Check for phone numbers
- If in doubt, call the card issuing company and request information.
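
The order-level checks in the list above can also be run automatically before an order reaches a human. The following is an added example, not code from the original article: the field names, the "large order" threshold, the home country, and the GeoIP lookup assumed to populate `ip_country` are all assumptions.

```python
import re

LARGE_ORDER_USD = 1000   # assumed threshold for a "large" purchase
HOME_COUNTRY = "US"      # assumed merchant country
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.I)

def _norm(addr):
    """Normalize an address dict so case and spacing do not cause mismatches."""
    return tuple(" ".join(str(addr.get(k, "")).lower().split())
                 for k in ("street", "city", "zip", "country"))

def screen_order(order):
    """Return the checklist items this order fails; an empty list means proceed."""
    flags = []
    bill, ship = order.get("bill_to", {}), order.get("ship_to", {})
    # Only a boolean is kept here: the CVV itself stays with the payment gateway.
    if not order.get("cvv_supplied"):
        flags.append("missing_cvv")
    if not re.fullmatch(r"\d{5}(-\d{4})?", bill.get("zip", "")):
        flags.append("missing_zip")
    if not ship.get("street") or PO_BOX.search(ship["street"]):
        flags.append("no_physical_address")
    if order.get("expedited") and _norm(bill) != _norm(ship):
        flags.append("expedited_with_address_mismatch")
    ip_country = order.get("ip_country")  # filled by an upstream GeoIP lookup
    if ip_country and ip_country != bill.get("country"):
        flags.append("ip_country_differs_from_card_address")
    if (ship.get("country") != HOME_COUNTRY
            and order.get("total_usd", 0) >= LARGE_ORDER_USD):
        flags.append("large_overseas_purchase")
    if len(re.sub(r"\D", "", order.get("phone", ""))) < 10:
        flags.append("missing_phone")
    return flags

# Constructed sample orders (not real data).
_HOME = {"street": "1 Main St", "city": "Springfield", "zip": "12345", "country": "US"}
CLEAN_ORDER = {"cvv_supplied": True, "phone": "212-555-0100", "expedited": False,
               "total_usd": 80, "ip_country": "US", "bill_to": _HOME, "ship_to": _HOME}
RISKY_ORDER = {"cvv_supplied": False, "phone": "", "expedited": True,
               "total_usd": 2500, "ip_country": "FR",
               "bill_to": dict(_HOME, zip=""),
               "ship_to": {"street": "PO Box 12", "city": "Lyon",
                           "zip": "69001", "country": "FR"}}

if __name__ == "__main__":
    print(screen_order(CLEAN_ORDER))
    print(screen_order(RISKY_ORDER))
```

A non-empty result is a reason to hold the order for manual review, including a call to the card issuer, rather than to reject it outright.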