Clearing Up Some Common E-Commerce Security Misconceptions
E-commerce continues to experience significant growth. In fact, in 2009, e-commerce sales grew by 5.5 percent to US$205 billion. Online retail sales are expected to increase by another 12.7 percent in 2010, according to Javelin Research.
While the research shows that e-commerce sales will keep growing as technology advances, that growth is matched by the emergence of aggressive cyberthieves who devise techniques to breach even the most-protected systems -- and then use the stolen card data to purchase unauthorized goods and services.
For many merchants, securing their online business may be an unfamiliar and sometimes overwhelming experience. Following are four common e-commerce security issues that are sometimes overlooked, along with different approaches to addressing them.
Detecting Fraud Beyond the Authorization
True fraud identification processes involve much more than just obtaining an authorization from a card association. Shoppers' overall purchase habits and shopping patterns -- not just transaction data -- can and should be regularly examined for anomalies.
Young and growing online businesses are smart to heed advice on leveraging tools like the Address Verification System (AVS) and the Card Verification Value (CVV), the three digits on the back of the card, to indicate such anomalies. However, some merchants rely solely on these tools when deciding how much fraud risk to accept.
AVS and CVV are helpful features, but they are also widely adopted -- meaning they are simple obstacles for sophisticated fraudsters to overcome. In addition, if merchants set rules to reject purchase attempts that don't match the AVS or CVV, it is possible that this will result in many false positives and rejections of good customers.
Fortunately, powerful tools and technologies that detect fraud -- even before cardholders report their cards have been lost, stolen or compromised -- are now available and affordable for merchants of all types and sizes.
With these technologies, e-commerce merchants have the option to implement fraud management programs using any or all of these three key functions:
- Automated transactional risk scoring
Specific logic and settings can help distinguish normal purchase behavior from risky transactions. Fraud risk is calculated and assigned a score for each transaction. The scores, which are an indicator of relative risk, determine "next steps" according to a merchant's preferences.
- Real-time categorizing and resolution
Transactions with risk scores exceeding certain thresholds -- determined by the merchant, the fraud solution provider, or both -- can be automatically placed into categories for further action. Generally, the transaction is either accepted, rejected, or flagged for manual review. Optimal fraud service offerings also include a user-friendly dashboard or interface for reviewing transactions that fall between "accept" and "reject" thresholds, so the merchant's staff can personally resolve a transaction without losing time or productivity.
- Post-purchase transaction management
The lifecycle of fraud does not begin and end with a single purchase attempt. In order to best identify and handle fraud activity (as well as to resolve chargebacks and disputes), merchants need a database in which reporting, analysis and detailed records can be managed for a transaction or a group of transactions. By integrating fraud management tools into the checkout process, even small e-commerce businesses gain control: fraud management becomes an intuitive, practical, manageable business process.
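The first two functions above, scoring and real-time categorizing, as an added example that is not part of the original article or any vendor's product. The weights, thresholds, region list and sample transactions are constructed values; the point it shows is that an AVS or CVV mismatch contributes to a score rather than triggering a hard rejection, which is how a scoring approach avoids the false positives the article warns about.

```python
from dataclasses import dataclass

@dataclass
class Transaction:
    amount: float
    avs_match: bool         # processor's Address Verification System result
    cvv_match: bool         # Card Verification Value result
    ships_to_billing: bool  # shipping address equals billing address
    orders_last_24h: int    # earlier orders on the same card in the past day (velocity)
    ship_region: str

# Merchant-configurable weights; constructed sample values, not a vendor's model
WEIGHTS = {"avs_mismatch": 25, "cvv_mismatch": 35, "ship_bill_mismatch": 15,
           "high_amount": 20, "velocity_per_order": 10, "risky_region": 20}
HIGH_AMOUNT = 500.0
RISKY_REGIONS = {"REGION-X"}  # placeholder; a merchant builds this from its own chargeback history
# Below "accept" the order is accepted automatically, at or above "reject" it is declined,
# and anything in between goes to the manual-review queue (dashboard)
THRESHOLDS = {"accept": 30, "reject": 70}

def risk_score(tx):
    """Combine several signals into a 0-100 score; no single mismatch decides the outcome."""
    score = 0
    if not tx.avs_match:
        score += WEIGHTS["avs_mismatch"]
    if not tx.cvv_match:
        score += WEIGHTS["cvv_mismatch"]
    if not tx.ships_to_billing:
        score += WEIGHTS["ship_bill_mismatch"]
    if tx.amount >= HIGH_AMOUNT:
        score += WEIGHTS["high_amount"]
    score += WEIGHTS["velocity_per_order"] * tx.orders_last_24h
    if tx.ship_region in RISKY_REGIONS:
        score += WEIGHTS["risky_region"]
    return min(score, 100)

def categorize(score, thresholds=THRESHOLDS):
    """Map a score onto the accept / review / reject queues."""
    if score >= thresholds["reject"]:
        return "reject"
    if score < thresholds["accept"]:
        return "accept"
    return "review"

def decide(tx):
    """Return (score, queue) for one transaction."""
    score = risk_score(tx)
    return score, categorize(score)

if __name__ == "__main__":
    # A small order with only an AVS mismatch is accepted; a hard AVS rule would have rejected it.
    print(decide(Transaction(45.0, False, True, True, 0, "US")))
```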
The Hidden Impact of Fraud-Related Costs on Revenue
Although e-commerce fraud rates have stabilized in recent years, due in part to retailers' increased vigilance, merchants lost $3.3 billion to online fraud in 2009, according to The Green Sheet.
An often-overlooked aspect of fraud is that it adversely affects both costs and revenues for merchants. While experts and insiders tend to focus on the immense costs of preventing, detecting and resolving fraud, the hidden impact on revenue and reputational damage is not often discussed.
Fraud affects a merchant's brand and reputation, and it also changes the way consumers behave. A recent LexisNexis study found that fraud not only costs consumer victims money but also alters their perceptions and behavior. One in four victims of fraud reported spending less money, and almost one in three reported switching payment methods. Victims also became more timid in their shopping habits, with approximately 36 percent of consumers reporting that they intended to avoid certain merchants.
The study also showed consumers' growing unease about online shopping: more than one in four rated their information as unsafe to very unsafe when shopping online, and another 23 percent were uncertain about online security.
Data security trends can be hard to keep up with and are costly, but online merchants need to remember that the reputational damage from a data security incident has severe, long-term consequences for revenue, including a loss of customers and sales that can take years to recover.
Another area that can impact revenue is chargebacks. Even a small percentage of disputed purchases or fraudulent chargebacks can significantly erode a merchant's profit margins. Chargebacks, which can appear as many as six months after the transaction, are just one component of fraud losses. Other costs include extra shipping expenses, the replacement cost of lost goods, chargeback dispute fees, and possible legal and administrative costs when reviewing transactions and resolving disputes.
Excessive chargebacks can also lead to a more serious problem: failure to meet the card associations' fraud rate standards. If chargebacks exceed just 1 percent in a particular month, a merchant may be placed on a "watch list" or probation by the association. If losses are not reduced within 90 days, the merchant may lose its ability to accept credit card payments altogether.
Merchants should adopt smart chargeback management practices to prevent a fraudulent transaction before it happens. One method online merchants should embrace is frequent chargeback history reviews to isolate fraud trends. Suspicious activity can vary across merchant types, but merchants shouldn't just pay attention to the payment mechanism used -- they need to look at the entire lifecycle of a purchase, including the products, dollar amounts, shipping regions, and other demographics involved in a chargeback.
Through careful examination of chargeback and return history, a retailer can effectively formulate a set of fraud detection alerts.
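The chargeback history review described above, as an added example that is not part of the original article: it computes a month's chargeback rate against the 1 percent mark mentioned earlier, then looks across product, shipping region and order amount to find where chargebacks concentrate, which is the raw material for fraud detection alerts. The order history, product and region names and the 2× concentration rule are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    month: str        # month the order was placed, e.g. "2010-03"
    product: str
    region: str       # shipping region
    amount: float
    charged_back: bool

PRODUCTS = ["book", "headphones", "gift-card"]
REGIONS = ["north", "south", "east", "west"]

def constructed_orders(n_clean=240):
    """Constructed sample history: n_clean ordinary orders plus four chargebacks,
    three of which share a product, region and amount range (a fraud pattern)."""
    orders = [Order(f"o{i}", "2010-03", PRODUCTS[i % 3], REGIONS[i % 4],
                    40.0 + i % 50, False) for i in range(n_clean)]
    orders += [Order("cb1", "2010-03", "gift-card", "west", 480.0, True),
               Order("cb2", "2010-03", "gift-card", "west", 495.0, True),
               Order("cb3", "2010-03", "gift-card", "west", 500.0, True),
               Order("cb4", "2010-03", "book", "north", 22.0, True)]
    return orders

def chargeback_rate(orders, month):
    """Share of a month's orders that were charged back."""
    monthly = [o for o in orders if o.month == month]
    return sum(o.charged_back for o in monthly) / len(monthly)

def exceeds_association_limit(rate, limit=0.01):
    """True when the monthly rate is above the 1 percent watch-list mark."""
    return rate > limit

def amount_band(amount):
    return "high" if amount >= 400 else "low"

def fraud_alerts(orders, month, min_ratio=2.0, min_count=2):
    """Product / region / amount-band values whose chargeback rate is at least
    min_ratio times the overall monthly rate, with at least min_count chargebacks."""
    monthly = [o for o in orders if o.month == month]
    overall = chargeback_rate(orders, month)
    totals, hits = defaultdict(int), defaultdict(int)
    for o in monthly:
        for key in (("product", o.product), ("region", o.region),
                    ("amount_band", amount_band(o.amount))):
            totals[key] += 1
            hits[key] += o.charged_back
    return {key: hits[key] / totals[key] for key in totals
            if hits[key] >= min_count and hits[key] / totals[key] >= min_ratio * overall}
```

On the constructed history the monthly rate is about 1.6 percent, above the watch-list mark, and the alerts point at high-value gift-card orders shipped to the "west" region.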
Grasping PCI Compliance and New Approaches
One primary responsibility of an e-commerce business related to fraud management is the requirement to comply with the Payment Card Industry Data Security Standard (PCI DSS). These guidelines help merchants understand how to protect or limit the exposure of payment account data.
While most retailers are familiar with PCI requirements, the landscape is fluid and the technology constantly changes. Many merchants find PCI compliance confusing, expensive and difficult to maintain.
Fortunately for merchants, solutions are available from specific third-party providers to help avoid data breaches and achieve cost-effective PCI compliance. These services assess the overall cardholder data environment, recommend ways to minimize compliance costs, protect transmitted data, and conduct annual audits to maintain compliance.
Merchants can treat PCI compliance as a baseline, but they should also look to the new service-based solutions now available to secure sensitive information beyond compliance. New approaches incorporate end-to-end encryption (E2EE) and tokenization. This not only helps merchants achieve cost-effective PCI compliance, but also secures card data and removes it from the merchant's environment.
Tokenization is expected to help reduce compliance-related costs. For example, one large merchant reported $2 million in annual savings by moving to an outsourced tokenization solution after it had already become PCI compliant, according to Mercator Advisory Group.
Proactively Approaching Evolving Prevention Strategies
Fraudsters and hackers don't stand still, and neither should online retailers when it comes to security measures and practices. In order to dramatically decrease your vulnerabilities to fraud, a proactive and agile approach is needed. Developing comprehensive, secure e-commerce strategies and measures should be a dynamic and evolving part of your e-commerce business.
Payment processors and other service providers can help new and growing merchants keep up with the constantly changing security landscape. They observe fraud trends closely and update their services promptly to protect against emerging fraud methods and techniques.
For example, some of the more advanced fraud management tools now employ device fingerprinting, which tracks specific details of the computer or smartphone a shopper is using to place orders. By checking to see if the buyer's device has been associated with fraud (along with other device-specific risk factors), this new technology can curtail fraudulent purchases.
Secure e-commerce requires dedication and constant maintenance in order to protect a business, its reputation and its customers. A review of security and fraud-prevention measures like PCI DSS compliance, tokenization and encryption technologies, fraud management tools, and chargeback management will help create a tailored, secure e-commerce solution and a more robust approach to fraud prevention.
Merchants that dedicate time and resources to achieving secure e-commerce will alleviate risk, while allowing themselves to conduct everyday operations with peace of mind.
Souheil Badran is senior vice president and general manager, e-commerce solutions, at First Data.