Ecommerce fraud is a huge problem for online retailers. Although fraudulent transactions make up only a small share of the ecommerce transactions that occur every day (around 0.8%), that still represents a large number of potential risks for your business, which is why fraud cost ecommerce businesses $3.5 billion in 2018.
Your risk level will also be higher if you have added advanced features to your ecommerce store. Mobile transactions are more likely to be fraudulent than those made from desktop machines, and retailers who see a large number of mobile purchases need to take extra care to mitigate the risk of fraud.
Equally, as we’ve pointed out in our beginners’ guide to tracking, web analytics can also be a security risk. Whilst the value to your business of using web analytics will far outweigh the increased risk, if you are using web analytics you also need to take extra care over your site security.
You should also be aware that the consequences of fraud go far beyond the up-front cost of fraudulent transactions. Get hacked, and your online reputation could take years to rebuild. And then there are the fines associated with violating PCI (Payment Card Industry) compliance, which can be larger than the (already considerable) cost of getting scammed.
In this guide, we’ll take you through 10 easy ways to keep your ecommerce store protected against fraudsters:
1. Choose The Right Platform(s)
The first and most important factor in mitigating the risk of fraud is to make sure you’re using a secure ecommerce platform. Today, very few online businesses run their own ecommerce platform: they are far more likely to use an off-the-shelf solution. This is fine, but you should be aware that there are significant differences between the security of the various platforms.
The best advice in this regard is to go for one of the larger ecommerce platforms such as Shopify, Stripe, Highwire, Volusion, or Bigcommerce. Though there are differences when it comes to the features each platform offers, each is well regarded in the cybersecurity industry.
Don’t stop with just your ecommerce platform, though. Mature ecommerce retailers typically use many other third-party services, such as SMS providers, marketing software, secure email platforms, and dedicated business phone lines for calling customers, so that scammers cannot take advantage of your phone system.
2. PCI Compliance
Secondly, make sure you are PCI compliant. The Payment Card Industry (PCI) Data Security Standard was launched back in 2006 as a way to ensure that every company that processes, stores, or transmits credit card information does so in a secure way. The PCI Compliance Guide is a great resource for checking your systems for compliance.
PCI compliance is necessary for two reasons. The first is that achieving compliance will greatly reduce your risk of fraud. The second is that being non-compliant can lead to huge fines: $5,000 to $100,000 per month to the acquiring bank (which then will pass it down to the merchant), plus other penalties that are not openly discussed but could be damaging for businesses.
And if you think you are too small to worry about PCI compliance, think again. The standard applies to all businesses that use cardholder data, regardless of size or number of transactions.
3. Check Your Site Security
Once you’ve chosen a secure ecommerce platform and reached PCI compliance, you should put in place a few other measures to harden your site against fraud. This is particularly important if you are managing your business remotely, because your remote connection to your ecommerce store is a major temptation for hackers and scammers.
Most of the ecommerce platforms we’ve mentioned above will take care of the basics for you, like ensuring that your store uses HTTPS (the secure version of the standard HTTP protocol that powers the web). However, it is also worth looking at a number of systems offered by credit card companies that are specifically designed to prevent fraud: Verified by Visa, VeriSign, McAfee Secure, and MasterCard Merchant Fraud Protection are the most popular.
4. Set Up System Alerts
If you are using a high-quality ecommerce or payment processing platform, it will alert you to particular types of transactions that have a high chance of being fraudulent. In 2018, the fraud rate for orders placed outside of North America was 1.6 percent (twice the overall ecommerce fraud rate of 0.8 percent), so you should pay particular attention to these payments.
In addition, there are several types of transactions that you should set up automatic alerts for:
- Multiple orders placed by the same person using different credit cards
- Phone numbers that do not match the area code of the billing address
- Customers who order huge quantities of products, many of the same product, or pay extra to ship quickly
All of these types of transactions have a high chance of being fraudulent, and – assuming that you have enough time – you should check each one personally.
5. Ask For Credit Card Security Codes
Credit and debit card security codes are those short codes printed on the back of a card, and requiring one at checkout is a way for merchants to ensure that a customer is in physical possession of the card they are trying to pay with. Many online stores do not currently require this code in order to make a purchase, which is a major mistake considering how fast consumer spending has grown in the last couple of years alone.
Different card issuers use slightly different codes (and names) for their implementation of this system, but they all use it for the same purpose. Visa calls its code the CVV2, MasterCard the CVC2, Discover the CID, and American Express uses a 4-digit CID. Again, if you have chosen a good ecommerce and payment processing platform, it will be easy to start requiring these codes in your online checkout.
6. Data Storage
Next up, data storage.
There is a pretty basic principle when it comes to storing credit card information securely: fraudsters can’t steal what you don’t have, so don’t store any information you don’t need. PCI standards (mentioned above) explicitly forbid you, in most cases, from storing customer data, particularly credit card numbers, expiration dates and CVV2 codes.
However, if you need to charge a card on a recurring basis, you can store some information, including the card number, as long as you are completely PCI compliant. This means complying with the PCI encryption and storage policy guidelines. The only exception is CVV2 codes, which you cannot store under any circumstances.
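The two rules in sections 5 and 6 (require a well-formed security code at checkout, then never persist it, and keep the card number only for recurring billing) can be enforced in one place. The example below is added here and is not code from the original article or from any payment platform; the brand names, field names and the standard test card numbers are constructed for illustration, and the record returned for recurring billing is assumed to go to a PCI-compliant encrypted store.

```python
import re

# Length of the security code each issuer prints on the card (names as in the text above).
SECURITY_CODE_LENGTH = {"visa": 3, "mastercard": 3, "discover": 3, "amex": 4}

def security_code_ok(brand, code):
    """True when `code` has exactly the digits that brand's CVV2/CVC2/CID should have."""
    expected = SECURITY_CODE_LENGTH.get(brand.lower())
    if expected is None or not isinstance(code, str):
        return False
    return re.fullmatch(r"[0-9]{%d}" % expected, code) is not None

def process_checkout(checkout, recurring=False):
    """Validate the security code, then return only the fields that may be stored.

    Returns (accepted, record).  The security code is never part of `record`;
    the full card number and expiry are kept only when `recurring` is set, and
    the caller is assumed to write that record to a PCI-compliant encrypted store.
    """
    if not security_code_ok(checkout.get("brand", ""), checkout.get("security_code")):
        return False, None          # decline: code missing or malformed for this brand
    record = {
        "order_id": checkout["order_id"],
        "brand": checkout["brand"],
        "card_last4": checkout["pan"][-4:],   # enough for receipts and fraud tracking
    }
    if recurring:
        record["pan"] = checkout["pan"]
        record["expiry"] = checkout["expiry"]
    assert "security_code" not in record    # the one value that must never be stored
    return True, record

# Constructed sample payloads; the card numbers are standard test numbers, not real cards.
SAMPLE_AMEX = {"order_id": "A1", "brand": "amex", "pan": "371449635398431",
               "expiry": "12/27", "security_code": "1234"}
SAMPLE_VISA_BAD_CODE = {"order_id": "A2", "brand": "visa", "pan": "4111111111111111",
                        "expiry": "01/26", "security_code": "12"}
```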
7. Use Tracking Numbers For Deliveries
One particular type of fraud is particularly dangerous – and particularly common – for merchants who sell goods that are delivered. This is “chargeback” fraud, in which a customer claims that an item was never delivered, and then requests a refund. In some circumstances, the bank will forcibly recover funds from your account. Not only will you lose these funds, but you will be liable for the fees incurred by the bank in recovering them.
The solution here is to use delivery tracking numbers for ALL of your deliveries, so you can verify that a package was delivered. You then have proof that a customer received an item, even if they claim that they didn’t.
8. Actually Require Strong Passwords
Cybersecurity professionals have a saying: don’t trust the user. No matter how secure the systems they design are, they can count on users to undermine them. One solution to this, from the perspective of an ecommerce retailer, is to require that your customers use strong passwords (or even multi-factor authentication) when they sign up for an account.
Of course, a handful of customers will refuse to sign up just to make a purchase. That’s fine, but you should attempt to encourage them to do so after they’ve made a purchase by explaining the security risks of not having an account. You can even offer them money off their next purchase if they sign up, in the knowledge that limiting fraud is going to make up for this cost.
9. Train Your Staff
The importance of education cannot be overstated when it comes to cybersecurity. Even if you have the best security measures available, these can be undermined if your staff don’t use them correctly.
There are several key areas in which employees should receive frequent training. One is the use of strong, unique passwords for all the systems they use. Another is to always use a VPN whenever they are working remotely; read user-based VPN reviews to find a top-tier VPN service, which will give you a number of important security measures including data leakage protection, a no-logging policy, and security protocols such as PPTP. A third is giving them the tools to recognize phishing attempts, and in particular the email attachments to avoid.
Ultimately, the best defense against fraud is to have a well-trained team who can instantly spot a fraud attempt, take action to mitigate it, and report it.
10. Track Fraudulent Transactions
Finally, make sure you keep a detailed list of the fraudulent transactions you encounter. You should attempt to gather as much information on these as possible, because over time you can build a database to inform your mitigation processes.
In particular, you should look out for:
- Particular countries or geographic regions
- Shipping addresses that don’t match the billing address
- Unusually large orders
Many EU countries have nailed this down, thanks to stricter tracking laws. As pointed out by Jochen Schmidt, CTO at Admiral Markets in Berlin, “Since the implementation of GDPR in 2017, we’ve seen a marked drop in the number of fraudulent attempts at bypassing our payment processing systems.”
As we’ve pointed out above, it’s important to give your staff the training and tools necessary to spot orders like this. If you see a repeat of a previous fraudulent transaction, you can then use your payment processing system to put the order on hold until you can investigate it.
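The alert rules from section 4 and the indicators from section 10 amount to a small set of checks that can be run over every order before it is released. The following is an added example, not code from the original article or from any ecommerce platform; the `Order` fields, the North America country list, the quantity threshold and the sample orders are all constructed for illustration, and real thresholds should be tuned from your own order history.

```python
from collections import defaultdict
from dataclasses import dataclass

NORTH_AMERICA = {"US", "CA", "MX"}
LARGE_QUANTITY = 10  # assumed threshold; tune it from your own order history

@dataclass(frozen=True)
class Order:
    order_id: str
    customer: str        # account id or e-mail
    card_last4: str      # last four digits only, never the full card number
    bill_country: str
    bill_area_code: str  # area code the billing address falls in
    phone_area_code: str # area code of the phone number the customer gave
    ship_address: str
    bill_address: str
    quantity: int
    expedited: bool

def review_orders(orders):
    """Return {order_id: [reasons]} for every order that should be held for review."""
    cards_by_customer = defaultdict(set)
    for o in orders:                      # first pass: which customers used several cards?
        cards_by_customer[o.customer].add(o.card_last4)
    alerts = {}
    for o in orders:                      # second pass: apply the alert rules
        reasons = []
        if o.bill_country not in NORTH_AMERICA:
            reasons.append("billing address outside North America")
        if len(cards_by_customer[o.customer]) > 1:
            reasons.append("same customer, multiple cards")
        if o.phone_area_code != o.bill_area_code:
            reasons.append("phone area code does not match billing address")
        if o.ship_address != o.bill_address:
            reasons.append("shipping address differs from billing address")
        if o.quantity >= LARGE_QUANTITY:
            reasons.append("unusually large order")
        if o.expedited:
            reasons.append("paid extra for fast shipping")
        if reasons:
            alerts[o.order_id] = reasons
    return alerts

# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A1", "ann@example.com", "1111", "US", "212", "212", "1 Main St", "1 Main St", 1, False),
    Order("B1", "bob@example.com", "2222", "US", "415", "415", "9 Oak Ave", "9 Oak Ave", 1, False),
    Order("B2", "bob@example.com", "3333", "US", "415", "305", "PO Box 7", "9 Oak Ave", 12, True),
    Order("C1", "cat@example.com", "4444", "GB", "020", "020", "5 High Rd", "5 High Rd", 1, False),
]
```

Orders that come back with one or more reasons are the ones to hold and check personally, as section 4 recommends; logging the reasons alongside confirmed fraud cases builds the history section 10 asks for.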
The Bottom Line
All of the steps above will help you to reduce fraud for your ecommerce business, and most of them are free. In the long term, in fact, they could save you a lot of money in defeated fraud attempts and lost reputation.
If you want to go a step further, though, you can also use the kind of qualitative and quantitative metrics produced by your web analytics software to identify website visitors who are likely to make fraudulent transactions. To start doing that, check out our article on web analytics challenges.