We’ve had a slew of data breaches in the news lately, both big and small: from cloud-based login manager OneLogin to Deep Root Analytics, which stores millions of American voters’ information, and from the worldwide cyberattacks WannaCry and the more recent ExPetr, both demanding bitcoin ransom, to the Verizon debacle just a few days ago. Between data breaches to obtain people’s private information and credit card schemes aimed at stealing the sensitive data needed to take other people’s money, fraud is at the top of the headlines and at the forefront of everyone’s mind.
E-commerce credit card fraud is on the rise.
While EMV chip credit card use has been able to lower retail fraud since its implementation in Oct 2015, online (e-commerce) credit card fraud is rising and is expected to reach $4 billion in 2017.
The truth is that fraudsters won’t stop trying to steal credit card information; they just shift their attention to easier targets. And the fact is that since the adoption of EMV chips it has become much more difficult to steal numbers and create counterfeit cards. The next easiest target, then, is e-commerce.
Even though consumers are protected from the liability resulting from credit card fraud, it remains one of their main concerns. While we are steadily moving toward a cashless society and people are becoming more and more comfortable paying with all the various methods, studies show that 80% of consumers are very concerned they might be a victim of credit card theft.
As a merchant, your main goal is sales conversion. You must be able to set your customers’ minds at ease that you are taking all the steps available to ensure payment security.
What types of avenues are hackers taking to achieve successful credit card fraud?
An educated guess. Cyberhackers have been able to use simple algorithms to take the guesswork out of stealing credit card numbers. They spread the “guesses” across multiple websites at a time, which lets them arrive at the right combination of card number, expiration date, and CVV code without triggering any alarms with the website or the card issuing bank. Because the attempts are spread out over multiple sites, the card issuing banks don’t notice multiple invalid requests the way they would if they were coming from one place. This distribution of guessing attempts also allows them to circumvent the shopping cart’s built-in IP blocking, which may block an IP after 10 incorrect attempts.
It’s not just merchants that are being targeted. Hackers are increasing their efforts through email and phishing schemes in order to collect credit card data and other sensitive information needed to successfully complete a fraudulent charge. The age-old skimmer fraud is also still prevalent: fraudsters put a card skimming device into gas pumps and other low-attendance payment machines, which won’t be required to upgrade to EMV compatibility for three more years.
And, of course, consumers themselves contribute to their own risk by continuing to shop online on public Wi-Fi while remaining unmindful of the danger of entering their sensitive information in such an easy hacking environment.
While consumers are not saddled with the responsibility for credit card fraud, financial institutions and merchants are, and that amounted to about $24.17 billion in 2016 according to the Nilson Report, with merchants absorbing about 28% while the card issuing networks incurred the remaining 72%. As a merchant, there are steps you can take to help reduce your risk, starting with who you choose as your payment processor.
Not every payment platform or payment solution holds itself to the highest standards. That is to say, not all solutions follow, or are required to adhere to, the same security measures. Partner with a provider that is a trusted and reputable company, one that is not only transparent about its rates but also transparent about its security measures.
Use basic fraud tools designed to make it more difficult for a would-be thief to complete a transaction. Require the input of CVV codes. Enable AVS (address verification) and zip code matching on all transactions. This requires the customer to enter their zip code during the transaction, and it must match the zip code on file with the card issuing bank. All of this extra information makes it a little more difficult for the thief and a little easier for the system to flag a questionable transaction.
Flag IPs that have multiple attempts at a transaction. This should immediately raise a red flag. There is no reason to wait until there are 10 or more attempts at a correct credit card number to flag a transaction. By creating a manual review, you have a chance at catching fraud before it happens and saving your business and your customer a big headache.
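The following sketch is an added example, not code from the original article or from any payment provider. It applies the low-threshold flagging described above to a constructed authorization log, and goes one step further than per-IP counting by also counting declines per card token, since the guessing described earlier is deliberately spread across sources. The log format, the token names, the 10-minute window and the threshold of 3 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DECLINES = 3                # assumed threshold, well below a cart's 10-attempt block

# Constructed sample log: time, client IP, card token (never the raw number), result
SAMPLE_LOG = """\
2017-07-14T10:00:05 203.0.113.7 tok_A declined_cvv
2017-07-14T10:00:40 203.0.113.7 tok_A declined_cvv
2017-07-14T10:01:10 198.51.100.1 tok_B declined_expiry
2017-07-14T10:01:30 203.0.113.7 tok_A declined_cvv
2017-07-14T10:02:00 192.0.2.50 tok_C declined_avs
2017-07-14T10:02:45 192.0.2.50 tok_C approved
2017-07-14T10:03:20 198.51.100.2 tok_B declined_expiry
2017-07-14T10:04:00 192.0.2.60 tok_D declined_cvv
2017-07-14T10:05:15 198.51.100.3 tok_B declined_cvv
2017-07-14T10:19:00 192.0.2.60 tok_E declined_cvv
2017-07-14T10:34:00 192.0.2.60 tok_F declined_cvv
"""

def parse(line):
    ts, ip, token, result = line.split()
    return datetime.fromisoformat(ts), ip, token, result

def review_queue(log_text, window=WINDOW, max_declines=MAX_DECLINES):
    """Map ("ip"|"card", value) to the time it first reached the decline threshold."""
    recent = defaultdict(deque)  # key -> decline timestamps still inside the window
    flagged = {}
    for ts, ip, token, result in sorted(map(parse, log_text.strip().splitlines())):
        if not result.startswith("declined"):
            continue
        for key in (("ip", ip), ("card", token)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop declines older than the window
                q.popleft()
            if len(q) >= max_declines and key not in flagged:
                flagged[key] = ts      # send to manual review
    return flagged

if __name__ == "__main__":
    for (kind, value), when in review_queue(SAMPLE_LOG).items():
        print(f"manual review: {kind} {value} at {when.isoformat()}")
```

In the sample, `tok_B` is declined from three different addresses, so only the per-card counter catches it, and with the threshold left at 10 nothing in this log is flagged at all.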
When you do store data, such as customer information, make sure you are using a third-party company that stores data for you on a cloud-based server that employs strict security measures.
Educate your staff and implement cybersecurity measures. A strategic cybersecurity plan will focus on 3 main goals: prevention, resolution and restitution. One great resource you can start with is the Small Biz Cyber Planner, which was created by The Federal Communications Commission “to help businesses evaluate their current cybersecurity posture and create a plan”. The Federal Trade Commission also offers free resources for small businesses to learn how to run a tight ship.
Make sure that you are always up to date with the latest security and antivirus software on all devices that connect to the internet by automating the update process. But don’t rely on just that. You may want to consider adding specific security software such as advanced page fingerprinting, which helps you detect when Web page elements have been changed.
This is by no means an exhaustive list, but if the main goal is to make yourself less vulnerable, then these are not only great places to start but the very least that every merchant should be doing.
Cybercriminals become more and more sophisticated, always looking for ways to exploit flaws in security even as we find more sophisticated ways to protect ourselves. To help guarantee your own success, work with a company that cares about your success. Make sure you choose a payment processor that is knowledgeable about the types of encryption and security requirements needed in this age of cyber crime.