Getting smart about security when selecting an online payment system
You don’t need to be an online security expert to know that the amount of fraud committed over the internet is on the rise. Criminal misdeeds dominate headlines in what often sounds like a plot from a spy thriller, with tales of “breaches” and “attacks” by shadowy figures lurking in far off lands.
You don’t need to be an online security expert to know that the cost of that fraud is also on the rise. Direct costs to the victims of cyberattacks are staggering, as the most private and sensitive information of individuals, businesses, and governments are laid bare through cybercrime. The indirect costs of fraud are almost incalculable: reputations built meticulously over decades can be irreparably damaged virtually overnight.
You don’t need to be an online security expert to run a small business that accepts payments online. But when selecting an online payments system for your business, you do need to know enough about security to ask the right questions. You need to know enough about security to make smart decisions when selecting the tools and partners that will help you protect your business.
If you run a small business that accepts online payments in 2018, you do need to know the basics: the costs of online fraud for small businesses, the basics of card data security and the promise of tokenization, and a few fraud detection and prevention best practices specific to online sales.
The costs of online fraud to small businesses
Willie Sutton famously robbed banks “because that’s where the money is.” In that respect, not a lot has changed in almost a century: criminals still follow the money. In today’s information economy, though, the “money” criminals are after is the confidential data captured online.
Online (or “card not present”) fraud represents a significant, potentially existential, threat to businesses accepting payments online. A June 2017 study by IBM Security and Ponemon Institute shows that the average cost to businesses of each stolen record containing confidential information is $141. That might not sound like much to worry about, until you multiply $141 by 10, 100, 1,000 or more. Indeed, the study estimates that the average total cost of a data breach worldwide in 2017 was $3.62 million.
A September 2017 LexisNexis study estimated that every dollar of fraud actually costs e-commerce companies upwards of $2.82 due to the drain fraud causes on resources far beyond IT. The study pegs the average costs of fraud at a shocking 1.58% to 2.39% of total revenue.
Headlines may be dominated by data breaches of large businesses with household names. The latest statistics make clear, however, that criminals do not select their targets based on the size of a business. The fact is that a breach of credit card data of almost any size could pose an existential threat to your business. What we are seeing is a democratization of fraud as criminals simply look for the weakest defenses. Stolen credit card data is just as valuable to criminals whether it was taken from a large or a small business.
eCommerce is a fat target for criminals regardless of the size of the business. Your instincts to think more seriously about security for your online business and potentially upgrade your online payments system are 100% correct.
The promise of tokenization to improve card data security and protect your business
Tokenization is an increasingly popular substitution technique among credit card processing companies for two simple reasons: increased security, and cost effectiveness relative to encryption. The process of tokenization replaces actual credit card information with numerical sequences to represent the card, while hiding its real number from the prying eyes of criminals. Tokens are then used in authorization and other payment processes while the real card data is stored in a so-called “vault.”
Tokenization becomes even more valuable when you develop trusted relationships with your customers. Tokens let you keep a customer’s payment credentials on file for future purchases, such as a subscription payment arrangement, without ever storing the real card number yourself. The token also serves just like the real credit card number for service issues, such as issuing credits or managing chargebacks.
The process of tokenization reflects great strides in the ongoing effort to secure confidential data, in eCommerce and elsewhere. But even tokenization isn’t enough in the security arms race with organized crime online. Tokenization protects card data once it is stored; point-to-point encryption protects it while it travels from the point of capture to the processor, and the two combined create a comprehensive solution for protecting data. When exploring your online payment system options, be sure to ask your vendor pointed questions about how they are using tokenization and point-to-point encryption to protect the credit card data of your customers.
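To make the tokenization described above concrete, here is a hypothetical token vault in Python. It is an added illustration, not code from the original article or from any payment vendor: the merchant keeps only a random token that shares the card’s last four digits, the vault alone can map the token back to the card number, and the token is built to fail the Luhn check so it can never be mistaken for a real card number. The 4111… card number is a constructed test value.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place the real card number (PAN) is stored."""

    def __init__(self) -> None:
        self._token_to_pan = {}  # in practice: encrypted, access-controlled storage
        self._pan_to_token = {}  # same card -> same token, so repeat customers work

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits of the same length, keeping the last four for receipts.
            # Reject any candidate that is Luhn-valid (could pass for a real card)
            # or already issued. Nothing derives the PAN from the token: only the
            # vault's lookup table connects the two.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token += pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only ever called inside the vault boundary, e.g. to authorize a charge."""
        return self._token_to_pan[token]


def masked(token: str) -> str:
    """What the merchant's order record or refund screen needs: last four digits only."""
    return "*" * (len(token) - 4) + token[-4:]
```

A refund or chargeback on the merchant side references the token; only the vault turns it back into a card number when talking to the processor.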
Best practices for detecting and preventing online fraud
Card data security and fraud prevention should be among the top considerations when selecting an online payment system for your small or medium-sized business. That means more than just picking a vendor and calling it a day. Data security is a participatory sport, and it means following a few best practices.
Advanced fraud detection and prevention efforts by payment processors can scan patterns of card use and other behaviors to determine the likelihood of fraud. Payment vendors have learned a tremendous amount fighting fraud on the front lines, and they are constantly channeling those lessons into tools and procedures that help protect your business against future fraud attempts. Many of these features also allow you to proactively refund customers for charges that are likely to be fraudulent, which can help reduce the burden and cost of managing the chargeback processes.
Hosted checkouts (also known as “pay pages”) still make sense for many types of online transactions, and several leading payment providers offer pay-page features. Because the customer enters card details on a page the provider hosts, card data never enters your own systems. Hosted checkouts therefore also dramatically reduce your PCI scope. Adherence to the PCI DSS standard remains vital, so make sure your company achieves and stays PCI compliant.
Another best practice to help your business prevent online fraud is to use an address verification system (AVS). AVS checks the billing address the customer enters against the address the issuing bank has on file for the cardholder. Yes, this adds a few seconds to the checkout procedure. But inserting a simple verification step can be the difference between preventing and allowing a case of online fraud. Consumers actually want to see reasonable security precautions, because most of them know that they exist in order to protect them.
Your first and last line of defense against online fraud
Cybercrimes are committed on a grand scale seemingly every day against everyone, from individuals to governments to corporate giants. Criminals have moved their operations online because the online world is anonymous, and criminals love anonymity. While battles will continue to rage and online fraud isn’t going away anytime soon, what we’ve seen is that there are many tools and practices at the disposal of small businesses to help reduce the chance of becoming a victim of data breaches and fraud.
You care deeply about the business that you’ve built, and you know that one wrong move can wipe out all the gains you’ve made. You’ve taken the right first steps to educate yourself about how to create that secure environment online. You know that the selection of an online payment system is one of the most important considerations for safeguarding the future of your online business. Making the right selection will go a long way to protect the reputation (and bottom line) of your online business.