In the UK and across the English speaking world, credit card payments remain prominent, totalling £14.6 billion in May 2015 alone. Despite new innovative payment methods on the horizon, the popularity of credit cards as an online payment method shows no signs of diminishing and renewed efforts to fight fraud are not making much of a dent.
For those operating across international online borders, getting to grips with and fighting card fraud can be even more difficult. For example, in Germany, credit card usage for online payments and “card not present” transactions is low, with invoice and SEPA direct debit leading as the more popular options. In the Netherlands, almost two thirds of shoppers use iDEAL which prevents the misuse of sensitive data by putting the onus on the shopper to initiate the payment meaning merchants don’t collect it in the first place. In the US, credit card use is prevalent but they are only just undergoing migration from magnetic strip to chip–and-pin so the nature of fraud in this territory will change from cloned cards to “card not present” transactions in the near future.
Varying credit card penetration and usage across different territories can make a global response difficult. But with e-commerce an easy target for fraudsters and at best, attempts by the industry to stay one step ahead are still a few years behind, risks of credit card fraud still remain no matter who you are and where in the world you operate.
Assessing the risks
The use of credit cards to make a purchase can be a double edged sword for both merchants and consumers alike. For merchants, credit card payments will increase conversion rates in those territories where usage is high but with that, the likelihood of fraud also increases which could lead to both monetary and reputational consequences.
High profile cases of Sony Playstation, Xbox and Amazon user accounts being hacked and credit card numbers and expiry dates being published, are increasing in occurrence alongside the more common, daily risk of chargebacks. This shows just how vulnerable and valuable customer data is to a fraudster and how companies which rely on credit card payments to seal the deal, could also be opening themselves up to financial and reputational damage.
For larger companies, being able to deal with fraudulent transactions and data theft might not have a significant impact on their bottom line or long-term reputation, but for smaller ones, a fraudulent transaction or data breach could cost them dearly.
The right response?
We have already discussed security measures and the attempts to minimise fraudulent online transactions, but what steps can merchants realistically take to minimise the impact whilst still ensuring consumers can use credit cards safely and securely?
As a rule, these types of “pull” payments – i.e. those initiated by merchants – are less secure and appropriate for online purchases, with the merchant storing customer data and becoming an easy target for data theft. To try and counteract this risk, the credit card industry has introduced measures including 3D Secure to authenticate online payments which prompts the card holder to provide a password associated with that card, making them more of a “push” experience. These efforts have however had a largely detrimental effect on transaction rates and as such adoption among merchants is still low.
On top of this, merchants can incur the additional risk of chargebacks. Originally designed to provide security for dissatisfied customers, by enabling them to dispute charges and receive their money back, this concept has established itself as a playground for swindlers. In “friendly fraud”, customers simply maintain that they did not place a particular order, or that they never received their items. In such cases, merchants are almost always left holding the baby.
Credit cards are an integral part of online shopping, but a “healthy mix” is recommended. Online merchants should always offer “push” payment methods as well as including invoicing, prepayment and real-time bank transfer systems and schemes such as giropay and SOFORT banking in Germany, iDEAL in the Netherlands, Przelewy24 in Poland or Boleto Bancario in Brazil, all of which prevent misuse of sensitive data by not collecting it in the first place.
These consumer initiated payments mean the shopper needs the merchant’s details but their details remain secure. With push payments fraud is reduced, but there is a trade-off between convenience and a more robust, secure option. For merchants, push methods mean less work, they don’t have to adhere to the strict PCI (payment card industry data security standards) rules and the shopper has no chargeback right as they would with a credit card payment. The onus is therefore very much on the consumer to initiate the payment which can require more administration and effort. As a result, push payments could be perceived as an inconvenience for those used to the ease of paying by credit card or one-click ordering.
In addition to considering alternative methods of payment it is important for merchants to know how to reduce the risks associated with credit card payments so they can continue to offer it alongside additional options.
In our experience, there are a number of key steps that merchants can take to minimise the risk of fraudulent card transactions:
- Understand your customers – for smaller merchants in particular, knowing your customers’ buying habits and patterns will help identify any unusual behaviour.
- Be vigilant – be suspicious of unusual behaviour as it could be a fraudulent transaction made using a stolen card. If in doubt, contact the customer to confirm the order. It might set alarm bells ringing and enable the merchants to halt the transaction if they feel it could be fraudulent.
- Work with a PSP. Merchants don’t need to go it alone. Whereas some of the bigger merchants might have their own risk models and the financial and reputational repercussions of a fraudulent transaction or data breach can be minimised and easily managed, for smaller players it could have devastating, long-lasting consequences. Working with an expert to help understand the options available could help put in place other payment methods which will minimise risk to merchants’ businesses.
[su_box title=”About PPRO Group” style=”noise” box_color=”#336588″]
The PPRO Group, ‘The Payment Professionals’, enables integrated electronic payment processing on a global scale spanning the entire payments value chain from acquiring through to issuing and processing. A financial institution certified within the EU with an e-money license issued by the UK financial regulatory body FCA, PPRO is also a PCI-certified principal member of MasterCard and Visa.
Payment service provider and software platform partners enter a single agreement with PPRO to benefit from access to a full range of international payment schemes. PPRO offers regulated merchants acquiring and payment services as well as PCI DSS certified technical processing solutions via a single integration.
PPRO has developed a fully integrated interactive platform supporting a multitude of national and international payment schemes throughout more than 190 countries, giving payment service providers and software platform partners a single, fast, easy-to-use and customisable interface to the payment methods in PPRO’s portfolio.
An FCA authorised e-money institution, PPRO also offers a full range of issuing services for debit and prepaid cards. Under its own brand name VIABUY, PPRO issues Visa and MasterCard prepaid cards to consumer and corporate based customers. PPRO also offers comprehensive programmes enabling B2B prepaid solutions either under its own CROSSCARD brand or on a cobrand basis. These cards can be issued both physically and as virtual cards (e.g. vouchers) or NFC devices (e.g. stickers). As part of its e-fulfilment services, PPRO leverages an extensive partner network to distribute and resell products for commercial third parties in the form of software, mobile phone top-up cards and online vouchers.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.