Chapter 2 How to Protect Your Ecommerce Store from Payment Fraud
According to the Association of Certified Fraud Examiners, almost 50% of small businesses fall victim to fraud at some point in their business lifecycle, costing them an average of $114,000 per occurrence.
Aside from phishing and hacking, if you accept a fraudulent payment, you could be held financially responsible for the loss. Having to deal with a fraudulent transaction — the chargeback process, and the potential hit to your company’s reputation — is unpleasant, to say the least.
Thankfully, there are steps you can take to help minimize your risk and protect yourself and your customers from digital attacks.
Below are some best practices for online businesses who want to be proactive about ecommerce fraud prevention — aka keeping your ecommerce store safe from hackers.
Two Types of Online Store Fraud
Before we talk about what you can do to minimize your risk and protect your ecommerce store from fraud, it’s helpful to understand common tactics that scammers use.
There are many types of online fraud, but they can be broadly categorized in the following two buckets:
- Account takeover: Most ecommerce stores provide customers with accounts that store personal information, financial data and purchase history. Perpetrators often hack into these accounts through phishing schemes. In one of the most common tactics, fraudsters send emails to trick customers into revealing usernames and passwords. They then log into your customers’ accounts, change the passwords and make unauthorized purchases. The use of bots have also been used to obtain confidential information from customers.
- Identity theft: Although most businesses take many precautions to secure customer data, fraudsters still manage to hack into databases and steal usernames, passwords, credit card numbers and other personal information.
Hackers often sell credit card numbers to other scammers, who then open accounts with ecommerce merchants and use the stolen numbers to pay for purchases.
DDOS and Automated Fraud Detection
BigCommerce is a secure hosted ecommerce platform with hacker deterrent security provisioning, three redundant network architectures and hardware firewalls to protect online stores from cybercrime. For additional security, Sift Science –– the security company behind Airbnb, Uber and Wayfair –– is available for customers to install.
This type of ecommerce fraud is difficult to detect because many people don’t check their credit card statements thoroughly — and because victims typically have no idea that someone opened an online account in their names.
PCI Compliance and Your Ecommerce Store
To help businesses protect themselves and their customers from online fraud, the Payment Card Industry Security Standards Council (PCI SSC) — a forum of global brands including Visa, MasterCard and American Express — has developed a set of best practices to safeguard consumer data.
Complying with these standards, i.e. PCI compliance, is not optional for online retailers and is strictly enforced.
While many of the following recommendations fall within the PCI standards, visit the PCI Security Standards website for full requirements.
Also, know that your payment processor can help you with — or completely handle — PCI compliance. Many payment processors, including PayPal and BigCommerce, build PCI compliance into the solutions they offer businesses of all sizes.
Managing Your Risk
Although the potential for fraud is high for online transactions, you don’t have to concede and accept it as a business cost.
By putting the right tools and processes in place, you can reduce your chances of an attack (especially when accepting bitcoin payments), keep both your business and your customers safe, and reduce your chances of losing revenue and drowning in chargeback fees.
Below are a few recommendations from the PayPal Security Center.
Monitor Transactions and Reconcile Bank Accounts Daily
Nobody knows your business as well as you do. You know your biggest spenders and their buying patterns. Monitor your accounts and transactions for red flags such as inconsistent billing and shipping information, as well as the physical location of your customers. Use tools that track customer IP addresses and alert you to any addresses from countries known as a base for fraudsters.
Also, check to see if your customers are using free or anonymous email addresses (such as Gmail or Yahoo), as there’s a much higher incidence of fraud coming from free email service providers than from paid. For more information, check out the FBI’s Common Fraud Schemes.
Consider Setting Limits
Based on your order and revenue trends, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. This can help keep your exposure to a minimum should fraud occur.
Use the Address Verification System (AVS)
Address Verification Systems compare the numeric parts of the billing address stored on a credit card to the address on file at the credit card company. AVS is a fraud tool included in most payment processing solutions but check with your payment processor to be sure it’s supported.
Require the Card Verification Value (CVV)
You’re most likely familiar with this three- or four-digit security code printed on the backside of credit cards. What you might not know is that PCI rules prevent you from storing the CVV along with the credit card number and card owner’s name. That’s why the CVV is so effective. It is virtually impossible for ecommerce fraudsters to get it unless they’ve stolen the physical credit card. Most processors include a tool to require CVV as part of their checkout templates. Use it.
Get Tougher with Password Requirements
Align with PayPal — The Safer Way to Sell
PayPal thinks shopping should be fun — and fraud-free. Learn more about how PayPal helps keep consumers and businesses safe.
Hackers employ sophisticated programs that can run through all the permutations of a password. It won’t take them long to crack a simple, four-character password (such as “abcd”). Best practices these days call for at least an eight-character, alphanumeric password that requires at least one capitalization and one special character (for example, “P0r$che9!!”). Your customers might grumble, but it’s better safe than hacked.
Let your customers know exactly why you require better passwords, and it’s likely you’ll gain some loyalty points for being upfront and customer-focused. A little extra messaging can go a long way toward building customer lifetime value.
Keep Platforms and Software Up to Date
Make sure you’re running the latest version of your operating system, as providers continually update their software with security patches to prevent fraud and protect you from newly discovered vulnerabilities, as well as the latest viruses and malware.
Likewise, install and regularly update business-grade anti-malware and anti-spyware software to prevent attacks that exploit outdated software vulnerabilities. Free, limited-feature and consumer-strength antivirus software are not sufficient.
Note: If your site is hosted on a managed solution, such as BigCommerce, automatic security patches help ensure that any vulnerabilities are quickly resolved.
Now that you’re educated on credit card fraud and ecommerce fraud prevention, it’s time to dig into chargebacks.
Photo: Flickr, Yuri Samoilov
Table of Contents
- Two Types of Online Store Fraud
- PCI Compliance and Your Ecommerce Store
- Managing Your Risk
- Monitor Transactions and Reconcile Bank Accounts Daily
- Consider Setting Limits
- Use the Address Verification System (AVS)
- Require the Card Verification Value (CVV)
- Get Tougher with Password Requirements
- Keep Platforms and Software Up to Date
Table of Contents
Less Development. More Marketing.
Let us future-proof your backend. You focus on building your brand.
Your choice of payment gateways
BigCommerce integrates with popular payment solutions.