Merchants are becoming EMV compatible, but that doesn’t mean they’re not still at risk. We’ve had a slew of data breaches in the news lately, both big and small, from cloud-based login manager OneLogin to Deep Root Analytics, which stores millions of American voters’ information. There were the worldwide cyberattacks WannaCry and the more recent ExPetr, both demanding bitcoin ransom. And the Verizon debacle just a few days ago.
Between data breaches to obtain people’s private information and credit card schemes aimed at stealing the sensitive data needed to take other people’s money, fraud is at the top of the headlines and at the forefront of everyone’s mind.
E-commerce credit card fraud is on the rise.
EMV compatible chip credit card use has lowered retail fraud since its implementation in Oct 2015. However, e-commerce credit card fraud is rising and is expected to reach $4 billion in 2017.
The truth is that fraudsters won’t stop trying to steal credit card information; they just shift their attention to easier targets. And the fact is that since the adoption of EMV chips, it has become much more difficult to steal numbers and create counterfeit cards. The next easiest target, then, would be e-commerce.
Even though consumers are protected from liability, credit card fraud remains one of their main concerns. We are steadily moving toward a cashless society. Because of this, people are becoming more and more comfortable making payments with all the various methods available. However, studies show that 80% of consumers are very concerned they might be a victim of credit card theft.
As a merchant, your main goal is sales conversion. You must be able to set your customer’s mind at ease that you are taking all the steps available to ensure payment security.
What types of avenues are hackers taking to achieve successful credit card fraud?
An educated guess. Cyberhackers have been able to utilize simple algorithms to take the guesswork out of stealing credit card numbers. They’re able to spread the “guesses” across multiple websites at a time. This allows them to come up with the right combination of the card number, expiration date, and CVV code without triggering any alarms with the website or card issuing bank.
Because it’s spread out over multiple sites, the card-issuing banks don’t notice multiple invalid requests the way they would if they were coming from one place. This distribution of guessing attempts also allows them to circumvent the shopping cart’s built-in IP blocking. Most may block an IP after 10 incorrect attempts.
It’s not just merchants that are being targeted. Hackers are increasing their efforts through email and phishing schemes in order to collect credit card data and other sensitive information needed to successfully complete a fraudulent charge. There is also still a prevalence of the age-old skimmer fraud, where fraudsters put a card skimming device into gas pumps and other low-attendance payment machines, which won’t be required to upgrade to EMV compatibility for three more years.
And, of course, consumers themselves contribute to their own risk by continuing to shop online over public Wi-Fi and remaining unmindful of the danger of entering their sensitive information in such an easy hacking environment.
What can merchants do to help to mitigate their risk?
While consumers are not saddled with the responsibility for credit card fraud, financial institutions and merchants are. In 2016, fraud amounted to about $24.17 billion. According to the Nilson Report, merchants absorbed about 28%, while the card-issuing networks incurred the remaining 72%. As a merchant, there are steps you can take to help reduce your risk, starting with who you choose as your payment processor.
Choose an experienced payment provider.
Not every payment platform or payment solution holds itself to the highest standards. That is to say that not all solutions follow or are required to adhere to the same security measures. Partner with a provider that is a trusted and reputable company, one that is transparent not only about its rates but also about its security measures.
Utilize basic fraud tools in addition to being EMV compatible.
Employ fraud management tools designed to make it more difficult for a would-be thief to complete a transaction. Require the input of CVV codes. Enable AVS (address verification) and zip code matching on all transactions. This requires the customer to enter their zip code during the transaction and it must match the zip code on file with the card-issuing bank.
All of this extra information makes it a little more difficult for the thief and a little easier for the system to flag a questionable transaction.
Flag IPs that have multiple attempts at a transaction.
This should immediately raise a red flag. There is no reason to wait until there are 10 or more attempts at a correct credit card number to flag a transaction. By creating a manual review, you have a chance at catching fraud before it happens and saving your business and your customer a big headache.
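The check described above, as an added example that is not code from the original article or from any shopping cart: it holds an attempt for manual review after a few declines from one IP inside a short window, and it keeps the same count per card, so guesses arriving from many different IPs are caught as well. The event format, names, thresholds and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed values for illustration; tune them to your own traffic.
WINDOW_SECONDS = 600   # look-back window
MAX_DECLINES = 3       # far below the 10-attempt block mentioned above
FP_KEY = b"constructed-demo-key"  # placeholder; load a real key from a secret store

def card_fingerprint(pan):
    """Keyed hash, so the monitor never keeps the card number itself."""
    return hmac.new(FP_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

class VelocityMonitor:
    def __init__(self):
        self._declines = defaultdict(deque)  # (kind, value) -> decline timestamps

    def _recent(self, key, ts, add):
        q = self._declines[key]
        if add:
            q.append(ts)
        while q and q[0] <= ts - WINDOW_SECONDS:
            q.popleft()  # forget declines older than the window
        return len(q)

    def observe(self, ts, ip, pan, approved):
        """Return the reasons (possibly none) to hold this attempt for review."""
        reasons = []
        if self._recent(("ip", ip), ts, not approved) >= MAX_DECLINES:
            reasons.append("repeated declines from one IP")
        # Also holds an approval that arrives right after a run of declines.
        if self._recent(("card", card_fingerprint(pan)), ts, not approved) >= MAX_DECLINES:
            reasons.append("repeated declines on one card")
        return reasons

# Constructed sample events: (seconds, source IP, test card number, approved)
EVENTS = [
    (0, "203.0.113.5", "4111111111111111", False), (30, "203.0.113.5", "4012888888881881", False),
    (60, "203.0.113.5", "5555555555554444", False), (100, "198.51.100.1", "4000000000000002", False),
    (130, "198.51.100.2", "4000000000000002", False), (160, "198.51.100.3", "4000000000000002", False),
    (190, "198.51.100.4", "4000000000000002", True), (2000, "192.0.2.9", "4111111111111111", False),
]

def review_queue(events):
    monitor = VelocityMonitor()
    checked = ((ts, monitor.observe(ts, ip, pan, ok)) for ts, ip, pan, ok in events)
    return [(ts, reasons) for ts, reasons in checked if reasons]
```

Running `review_queue(EVENTS)` holds the third decline from the single IP, the third decline on the card tried from three different IPs, and the approval on that same card that follows them.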
No on-site data storage.
Do not store any credit card information after the transaction. The best way to avoid a data breach is to not have the data in the first place.
When you do store data, such as customer information, make sure you are using a 3rd party company that stores data for you on a cloud-based server that employs strict security measures.
Educate your staff and implement cybersecurity measures.
Being EMV compatible only goes so far as to reduce fraud. A strategic cybersecurity plan will focus on 3 main goals: prevention, resolution, and restitution. One great resource you can start with is the Small Biz Cyber Planner, which was created by The Federal Communications Commission “to help businesses evaluate their current cybersecurity posture and create a plan”. The Federal Trade Commission also offers free resources to help small businesses learn how to run a tight ship.
Commit to ongoing security updates and compliance.
Make sure to remain up to date with the latest security and antivirus software on all devices that connect to the internet. The best way to do this is to automate the update process. But don’t rely on just that. You may want to consider adding specific security software as well. For example, advanced page fingerprinting helps you detect when Web page elements have been changed.
This is by no means an exhaustive list, but if the main goal is to make yourself less vulnerable, then these are not only great places to start but the very least that every merchant should be doing.
- Help reduce fraud by becoming EMV compatible today.
Cybercriminals become more and more sophisticated. They’re always looking for ways to exploit flaws in security even as we find more sophisticated ways to protect ourselves. In order to help guarantee your own success, work with a company that cares about your success. Make sure you choose a payment processor knowledgeable in the encryption and security requirements in this age of cybercrime.
“Bankcard Brokers is here for you. Our guarantee to you is to always maintain our core values and to provide secure and reliable unparalleled service.”