According to a 2016 report by the Australian Payments Clearing Association, Australians spent $1.92 trillion using cards and cheques in 2015. Of this amount, $469 million (or 0.025%) was fraudulent. Overall, card fraud is on the rise and this is mostly due to a significant increase in card not present (CNP) fraud, which increased 38% in 2015, with fraudulent transactions of $137.6 million in 2015, up from $99 million the previous year.
This is especially bad news for online retailers, as by their very nature their transactions are of the CNP type. And as a merchant you have obligations to meet to protect your customers’ data. You may also find yourself liable if you don’t have sufficient risk mitigation steps in place (and that’s before you consider the reputational risk), so it’s vital you know what you can be doing in the fight against fraud.
Understanding your fraud prevention obligations
While cyber criminals sometimes steal card details directly from customers via phishing emails or malware, it’s more typical for the computer systems of merchants or payment systems to be targeted. This is why, if you collect card details from your customers, it’s vital that you have the right anti-malware software.
However, your obligations go further than just having anti-virus protection – you’re required to comply with the Payment Card Industry Data Security Standard (PCI DSS). You’ll find all the details on the PCI website, but here’s a summary of some of your obligations:
Have a secure network to protect data, and don’t use the vendor’s default options
Protect cardholder data, and always encrypt data transmitted across public networks
Put strong access control measures in place to limit access by staff to data
Monitor and test networks on a regular basis
Maintain an information security policy
Credit card fraud prevention strategies
There are a number of strategies that can be put in place by merchants, financial institutions and payment providers to help protect customers and businesses. The best approach is considered to be a layered one that combines some or all of these.
Tokenisation – replaces card data with a token that is meaningless to outsiders, and has no value outside the specific transaction it is being used for.
Encryption – can be end-to-end encryption (E2EE), where the data is encrypted at the point of entry into the payment process and only decrypted when it reaches the intended recipient, or point-to-point encryption (P2PE), where the data is decrypted at each stop in the payment process.
Identifying fraudulent payments as they happen – where dedicated analytics tools look at data such as location, the device being used to make the payment, the type of purchase and payment history to identify fraud in real time.
Authentication – new technology means increasingly sophisticated ways to authenticate the card user, such as passwords delivered via SMS or behavioural biometrics (which could include recognising keystroke dynamics).
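To make the real-time analytics layer concrete, here is an added illustration (not code from the original article or from Ezidebit) of a rule-based risk score built on the four signals named above: location, device, type of purchase and payment history. The Transaction fields, the weights and the decision thresholds are all hypothetical, and the sample history is constructed; a mid-range score routes the payment to step-up authentication, tying the analytics layer to the authentication layer.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Transaction:
    customer_id: str
    amount: float            # in the merchant's currency
    country: str             # e.g. from IP geolocation or billing address
    device_id: str           # fingerprint of the browser/device that submitted the payment
    merchant_category: str   # type of purchase

# Hypothetical signal weights; a real deployment would tune them against labelled fraud data.
WEIGHTS = {"new_country": 40, "new_device": 25, "new_category": 10, "amount_outlier": 25}

def risk_score(tx: Transaction, history: List[Transaction]) -> Tuple[int, List[str]]:
    """Score a card-not-present payment against the customer's prior transactions.
    Returns the total score and the signals that fired, so an analyst can see why."""
    if not history:
        return 30, ["no payment history"]   # nothing to compare against: treat as moderate risk
    reasons = []
    if tx.country not in {h.country for h in history}:
        reasons.append("new_country")
    if tx.device_id not in {h.device_id for h in history}:
        reasons.append("new_device")
    if tx.merchant_category not in {h.merchant_category for h in history}:
        reasons.append("new_category")
    avg = sum(h.amount for h in history) / len(history)
    if tx.amount > 3 * avg:                 # well above this customer's usual spend
        reasons.append("amount_outlier")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(score: int) -> str:
    """Map a score to an action. Mid-range scores get step-up authentication
    (for example an SMS one-time password) rather than an outright decline."""
    if score >= 60:
        return "decline"
    if score >= 25:
        return "step_up"
    return "approve"

# Constructed sample history for one customer: small domestic purchases from a single device.
HISTORY = [
    Transaction("c1", 40.0, "AU", "dev-1", "grocery"),
    Transaction("c1", 60.0, "AU", "dev-1", "fuel"),
    Transaction("c1", 50.0, "AU", "dev-1", "grocery"),
]

if __name__ == "__main__":
    for tx in (Transaction("c1", 45.0, "AU", "dev-1", "grocery"),
               Transaction("c1", 55.0, "AU", "dev-9", "grocery"),
               Transaction("c1", 900.0, "RO", "dev-9", "electronics")):
        score, why = risk_score(tx, HISTORY)
        print(f"{tx.amount:>7.2f} {tx.country} {tx.device_id:6} -> {score:3} {decide(score):8} {why}")
```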
Making it easy to meet your obligations
The above prevention options probably all sound very daunting and complex, but the easiest way to reduce the scope of your compliance requirements is to use a reputable, fully hosted payment gateway.
Ezidebit meets Tier 1 of the PCI DSS compliance requirements (that’s the same level of data security as the world’s biggest banks). Using one of our payment solutions means you don’t touch your customers’ credit card data, as it’s processed directly from their browser to our secure payment gateway.
So why not find out more about how Ezidebit can partner with you to make the payment process as safe and seamless as possible.