Secure payment services are an important aspect of online trading. If neglected, they can cause severe setbacks including potential fines, lawsuits and loss of reputation. According to recent research from UK Finance, card-not-present fraud has increased to £506.4 million in 2018 – an equivalent of 24% increase – compared to the previous year (2017). In light of these statistics, eCommerce businesses need to optimise their payment security and endeavour to cut down on instances of fraud. Not doing so could result in a lessening of consumer trust and ultimately, lost revenue.
Multiple actions can be undertaken to combat fraud. Merchants need to comply with industry standards, analyse fraud data and enable AVS to ensure they can accept online payments safely. Keep reading to find out more.
Secure payment services
To supply the highest level of security for their customers, merchants should work with a payment service provider that is dedicated to risk and fraud management. There are a number of key factors that merchants should look out for when selecting their PSP, including real-time monitoring of fraud, analysis of data and managing chargebacks effectively. Having a good relationship with your provider will help ensure they understand the exact requirements of your business and tailor their services accordingly.
Secure payment gateway
Payment gateways act as a means for securely processing payments. The encryption of card details means that transaction information can be safely transferred between the customer, merchant and their issuing and acquiring banks. It’s useful for merchants to integrate a payment gateway because it means that it is one less element for them to worry about, whilst maintaining a high level of security.
For more information on payment gateways
read our article here.
PCI standards
The Payment Card Industry Security Standards Council was formed in 2006 and is dedicated to setting global security standards. They are in charge of setting standardised rules that ensure businesses are handling data securely.
Compliance
PCI DSS (Payment Card Industry Data Security Standard) is a framework of requirements set by the PCI Security Standards Council for businesses processing, transmitting or storing card details. Depending on the size of the business and the number of transactions per year, there are four different levels of PCI compliance. Level 1 is for merchants handling over 6 million card transactions and Level 4 is for those processing under 200,000.
However, regardless of transaction volume, this mandate holds all merchants responsible for the safeguarding of customer data. Non-compliance or data breaches can result in serious consequences.
There are a number of ways that businesses can ensure that they are PCI DSS compliant, such as regular testing of systems, encryption of cardholder data across open networks and making sure that all anti-virus software is up to date. Additionally, physical access to stored card details should be limited with a personal ID assigned to all those with computer access.
Analyse fraud data to set better rules
Prevention is better than cure when it comes to fraud. Being able to notice patterns in fraudulent activity increases your chances of predicting, and of course stopping, future incidents. This can be achieved through the analysis of a merchant’s fraud data, specifically transactional and historic processing figures.
Relevant data analysis can yield fruitful discoveries that can inform future fraud management strategies and improve performance. It is integral that merchants work with their payment partners to create rules based on these findings, however, surprisingly few do. The implementation of an effective monitoring system will help flag and potentially stop fraudulent transactions.
Monitor fraud in real-time
Introducing easy to manage parameters can help increase efficiencies when it comes to monitoring fraud. We’ve compiled a few straight-forward ways of doing so. Firstly, limit customers to a set number of cards that can be used in an allocated timeframe.
Secondly, set up an alert to flag when the same email is issued for numerous cards from different issuing countries.
Thirdly, limit the number of accounts and emails that can be opened from one card.
Finally, track how many transactions are made by an individual card over a set amount of time. This will help create a baseline to map suspicious behaviour against.
This list is not exhaustive but will help build a strong foundation for fraud monitoring.
Manage chargebacks efficiently
Chargebacks are a common type of fraud where a consumer purchases an item on their own card, then after receiving the goods, they request a chargeback from their issuing bank. Chargebacks can be difficult to dispute as it is often challenging to prove whether the consumer has truly received the goods or not.
Limiting chargebacks is a priority for many online businesses as it can prevent the loss of revenue and reduce operating costs. The application of advanced fraud rules can be a good preventative measure as it can help merchants spot patterns of behaviour.
Transaction data encryption
Encryption protects data in transit. With encryption at source (Client-Side Encryption), you will be able to remain secure and reduce PCI compliance scope. As mentioned above, when a transaction is processed through a payment gateway the cardholder’s details need to be encrypted. This enables them to be securely stored and transmitted to all the relevant parties.
Tokenisation is another way of protecting sensitive data, whilst maintaining all information needed. Not only is tokenisation a useful data protection tool, but it also enables shoppers to complete purchases in less steps, resulting in increased conversion.
Enable Address Verification System (AVS)
Implementing an Address Verification System (AVS) provides merchants with another level of security. It allows them to determine whether the cardholder has provided them with the right details, checking to see if the address given matches their recorded billing address. If the information is misaligned it could be an indicator of fraud. The perpetrator may have managed to get hold of all the card details, but it is less likely that they would also be able to connect the correct billing address.
Stay agile and run tests
Perform regular tests on your payment pages. Audits are recommended at least once a week to make sure that your website and payment page(s) run smoothly and without friction. This will give you ample opportunities to detect if there any issues to be resolved and provide insight to optimise payment pages. You can find more insight on payments optimisation by downloading “
The New Performance Agenda” whitepaper.
3D Secure and strong authentication
As of 14
th September 2019, PSD2 started rolling out. Despite the 18 months delay being granted, many merchants have begun to adopt the requirements of the European mandate already. One of the main features of PSD2 is Secure Customer Authentication (SCA) intended to add another layer of security. This two-factor authentication process will no doubt help combat fraudsters.
3DS2 is an additional layer of identity verification which based on numerous data points determines the risk of a transaction. If it is deemed a high-risk transaction, the customer will have to verify their identity through alternative means, such as biometrics or a one-time password.
We have written an entire article dedicated to the subject of
PSD2, so head to our website to find out more information. Likewise, if you’d like to
learn more about 3DS2, we have an article for this too.
What is an SSL Certificate?
SSL stands for Secure Socket Layer and its presence is signified by a https:// URL and a padlock symbol. An SSL certificate is a digital certificate that authenticates the website’s identity and then encrypts information sent to the server with SSL security technology. If you are accepting card payments, SSL is a mandatory PCI requirement. Beyond PCI compliance, SSL technology can also provide customers with reassurance around data handling.
SSL certificates are now compulsory as Google Chrome is starting to block websites and elements without SSL.
Which SSL certificate should you choose?
There are a number of different SSL certificates and it is important that you choose the right one for your business. We will explore the key features of six different types.
Domain validated- this is the lowest level of validation and is a simple check to see if the business has control over the domain in question.
Organisation validated- is the next level up and involves a slightly more thorough investigation. Company details need to be verified alongside checking the domain.
Extended validation- this is the strictest level of validation and can be recognised by the green address bar featuring the company’s name.
Single-name- only protects the single subdomain requested.
Wildcard- will allow a company to protect an unlimited amount of subdomains connected to one domain.
Multi-domain SSL- this single certificate allows a business to protect up to a hundred domains.
Final thoughts
Being able to accept online payments securely is essential for eCommerce businesses. A lack of consumer trust will result in decreased sales and revenue. Having
secure payments systems in place will mean that consumers will feel safe and encouraged to place transactions through your store. As we’ve discussed in this article, there is a growing pressure for businesses to adhere to regulations surrounding data security and there will be repercussions if they are not closely followed.
emerchantpay is a trusted payments service provider, processing over 6 million transactions per year. To find out more about how we can help you accept secure payments online, drop us a line today.