Retailers moving into the online space for the first time face risks that don't exist in the bricks-and-mortar world.
So says Brendon Williamson, GM of business development at payment services provider PayGate, who also notes that the retailers need to ensure they are well protected.
Recent reports indicate that point of sale systems are increasingly being exploited by attackers to gain credit card details and other personal information.
In the US, two recent attacks have drawn a lot of attention, with Target disclosing it had lost 40 million card details, and perhaps as many as 110 million customer records. Neiman Marcus was also attacked, with lower but still considerable losses: about 1.1 million records.
According to the South African Banking Risk Information Centre, the banking industry's gross fraud losses, due to South African-issued credit card fraud, increased by 22% from R300.6 million in 2012 to R366.8 million in 2013.
The most vulnerable
Williamson believes that merchants selling virtual goods like airtime or vouchers are the most vulnerable.
"I've quite literally seen people start up a Web site selling airtime and go bang within a fortnight. The more quickly your product is delivered, and the easier it is to resell, the more careful you have to be about your payment security.
"Different kinds of business may attract different kinds of online threats, but nobody is completely safe," says Williamson. "Even if you're selling a physical product, somebody may buy goods with a stolen card, have them shipped to a temporary address and then resell them before anybody's worked out what's going on."
This is not particularly hard, says Williamson: "Even if a card holder blocks their card the moment they know it's stolen, there still remains that initial window period. It is almost impossible for a database to keep up with the millions of cards and millions of transactions happening around the world every second."
Web sites that use affiliates to drive traffic are susceptible to their own set of scams, as are accommodation establishments.
"Even if you don't sell anything more valuable than cupcakes, you may find your site targeted by criminals who run through lists of stolen credit cards to make sure they're working before selling them on," he says.
"The financial loss may not be that big, but it can take a lot of time and resources that small business don't have to sort things out."
Know your customer
The first step to take in protecting your online business is to know your customers and their buying habits if possible, says Williamson.
"A simple welcome call once they've registered, if your volumes allow it, can tell you a lot. And obviously the longer a customer has been with you and the more often they've made purchases, the more you can trust them. Don't automatically relax the rules for accounts over a certain age, though - fraudsters are wise to that one."
Limiting your exposure by imposing a transaction limit for new customers, or waiting a day or two before shipping, can also help, he adds. The art to managing your online risk is ensuring you are not over exposed, but at the same time gaining maximum return from your valid customers.
Then there is the 3D Secure system from Visa and Mastercard, he says - but it is not right for everyone, and can't be used as the only security measure.
"Some customers hate it and will abandon the transaction when the 3D Secure page comes up, so you may need to do some education," he says. "And it doesn't apply to US credit cards or even to commercial Mastercards, so you need other protection as well."
Whatever you do, he says, don't just set up a Web site with a shopping cart and assume all will be well. "Fraudsters are smart, brazen individuals - they're not to be underestimated."
Reputable payment gateway providers should offer extra levels of fraud protection, he says. "It's essential to have a conversation with your supplier about what they offer, what risks they can protect you against and whether they can give you access to more specialised third-party protection services if your need warrants it."
Share