The Great American EMV card transition is finally complete, which is great news for EMV-compliant storefront retailers; card-present fraud is in decline thanks to the shift. However, online merchants are getting hit by a new wave of fraud as crooks turn to card-not-present (CNP) transactions with their stolen cards. And just like regular thieves looking for open windows to rob homes, cyber-crooks are looking for vulnerabilities in payment gateways to commit fraud. If you are processing CNP transactions, you need to prepare yourself for this new wave of fraud. Let’s take a look at how you can fortify your transactions.
Just over a decade ago, Visa and MasterCard got together to create a best-practices doctrine for payments processing. It was dubbed the Payment Card Industry Data Security Standard, or PCI DSS. PCI standards have since become the reference of record for merchants who want to ensure the comprehensive security of their transactions with customers. Though merchants are not required to be PCI compliant per se, a merchant is not likely to be accepted for processing Visa or MasterCard without meeting some minimum PCI requirements. Merchants can assess their compliance by running a vulnerability scan through the PCI Security Standards Council.
But before you get totally granular on your security assessment, there are a few simple questions to ask yourself to see where you stand on payments security:
Is your processing infrastructure secure?
If you go to your gateway page and look at the URL in your browser, it should begin with “https://”. If it begins with the plain “http://” instead, your gateway is not using TLS/SSL (Transport Layer Security and its predecessor Secure Sockets Layer, both commonly referred to as SSL), and your and your customer’s data are exposed to unauthorized access. SSL protocols certify that the channels that data is sent over and stored on are encrypted and secure. It’s basically a secret handshake between your server and your customer’s device that ensures a higher grade of privacy. Savvy consumers won’t make purchases on sites if they do not see that “https://”.
Is the data you are processing secure?
This is where a lot of merchants are vulnerable. When a customer submits their payment information, that data is sometimes left unencrypted until it reaches the merchant’s acquiring bank. To ensure this data is protected from the moment the cardholder provides it, your payment gateway should have end-to-end encryption. That means that once the cardholder hits submit, that information is tokenized. Tokenization assigns a unique surrogate value to the payment information, and that surrogate value is what is stored and sent through the processing network. That way, the information is useless to anyone outside of that network, even if it is intercepted.
Is your payment gateway doing the simple things?
When your customer enters their billing address, is that address verified through AVS (the Address Verification Service) to match the card they are using? If you’re processing card-not-present transactions, does your gateway have a required field for the verification code on the back of the card? Are you validating the customer’s email address? All these data points can be verified automatically and seamlessly. If your gateway is not doing that, you’re needlessly inviting fraud and chargebacks into your network.
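The checks above (the “https://” test and the AVS, verification-code and email checks) as a single pre-authorization screen, added here as an illustrative example rather than code from ChargebackHelp or any gateway. It assumes the common single-letter AVS result codes; the exact code table and the accept/review/decline policy must come from your own gateway’s documentation and risk rules.

```python
import re
from urllib.parse import urlsplit

# Assumed AVS result codes as commonly returned by US acquirers; confirm
# against your gateway's documentation before relying on them.
AVS_FULL_MATCH = {"Y"}                   # street address and ZIP both match
AVS_PARTIAL_MATCH = {"A", "Z"}           # only street (A) or only ZIP (Z) matches
AVS_NO_MATCH = {"N"}                     # neither street nor ZIP matches
AVS_UNAVAILABLE = {"U", "R", "S", "G"}   # issuer could not or did not verify

# Simple syntax check (local@domain.tld); not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def gateway_uses_tls(gateway_url: str) -> bool:
    """The article's 'https://' check: the URL scheme must be https."""
    return urlsplit(gateway_url).scheme.lower() == "https"


def cvv_is_well_formed(cvv: str, card_brand: str) -> bool:
    """Verification code must be present: 4 digits for Amex, 3 otherwise."""
    expected = 4 if card_brand.lower() == "amex" else 3
    return cvv.isdigit() and len(cvv) == expected


def screen_cnp_transaction(txn: dict) -> tuple:
    """Return ("accept" | "review" | "decline", reasons) for one CNP order.

    txn is a constructed dict with keys gateway_url, card_brand, cvv,
    email and avs_code (the AVS result the gateway reported back).
    """
    hard, soft = [], []  # hard findings decline; soft findings go to review
    if not gateway_uses_tls(txn["gateway_url"]):
        hard.append("gateway URL is not https")
    if not cvv_is_well_formed(txn.get("cvv", ""), txn["card_brand"]):
        hard.append("verification code missing or malformed")
    if not EMAIL_RE.match(txn.get("email", "")):
        soft.append("customer email address is not valid")
    code = txn.get("avs_code", "").upper()
    if code in AVS_NO_MATCH:
        hard.append("AVS: billing address does not match the card")
    elif code not in AVS_FULL_MATCH:
        # partial, unavailable, or an unknown code: verify before shipping
        soft.append("AVS: partial or unavailable result (%s)" % (code or "none"))
    if hard:
        return "decline", hard + soft
    return ("review" if soft else "accept"), soft
```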
Make no mistake, if you can check out your processing to answer any of these questions, so can fraudsters. And if you answer “no” to any of them, that’s where your fraud is coming from. If you have any “open windows” in your payments processing, you are inviting fraudsters to run their stolen cards through your gateway and flood you with chargebacks.
ChargebackHelp can eliminate your chargeback pain-point. Give us a call today and we’ll help you get set up with PCI-compliant processing: 1.800.975.9905