Buying products and services online has become so easy. Your favorite merchants have seemingly perfected the process. You may be tempted to create a quick payment form for your own business … how hard can it be? Not so fast. Before you start online sales, it's vital to have the right security checks in order.
Posted in Financial Services on Monday, May 24, 2021
Before You Accept Online Payments
Imagine putting your credit card terminal on the internet and letting anyone use it. That’s basically what accepting online payments is. You want your customers to purchase products and pay for services online. Unfortunately, many other people know how to gain access to your online credit card terminal and use it maliciously.
These people create bots that search the internet all day for vulnerable websites, payment pages and other forms. They may be secure, but don’t have proper fraud settings.
It’s important to take security measures so not everyone can process payments through your online credit card terminal. This is why payment gateways have fraud modules, which are automated tools to help prevent people from hacking into your site or completing fraudulent sales.
PCI DSS compliance is not the same as fraud modules for your website. PCI is for the protection of cardholder information. Fraud modules are for your protection when it comes to online transactions.
Top 3 Fraud Modules
Payment gateways have a variety of fraud modules available. More than likely, you won’t need to use all of them. Let’s start with three that all businesses should have activated for each transaction. With these three items in place, a majority of possible fraud can be stopped.
- Address verification – This verifies that the address of the cardholder matches the one their statement is sent to. Verifying this validates that the card is legitimate.
- CVV2 code – This is also called the card security code (CSC). It’s the three-digit number on the back of most credit cards, to the right of the signature panel. (The security code for American Express® is a four-digit number on the front of the card, above and to the right of the card number.) This code should be required for all transactions.
- CAPTCHA – CAPTCHA requires users to do something before completing a transaction. It helps make sure the user is a human, as opposed to a robot. There are different versions of CAPTCHA. You probably recall having to retype curved letters or identify elements in a photo like traffic lights before purchasing something online.
Additional Fraud Modules
Here are two more fraud modules you may want to activate.
1. Velocity filter
Most gateways have this fraud prevention tool option. It may be called a transaction filter. As soon as a fraudster finds a vulnerability, they instantly start sending several stolen credit card numbers to test which ones are good. This fraud module helps control this when you establish four different settings:
- Time period in which a certain number of cards can be processed.
- Number of cards processed in that time period.
- Number of declined transactions allowed for a certain card in the time period.
- Block options. You can choose to block certain IPs, order numbers and more.
2. Country IP Blocker
This allows you to block transactions from entire countries. This is especially important if you don’t do international business. If that is the case, you can turn off anything you receive from a foreign country.
There are a couple easy ways to tell if you are the victim of fraud or attempted fraud.
Emails – Make sure you have your emails turned on in the gateway settings. If set up correctly, you’ll get an email for each transaction. If you have several transactional emails in your inbox – hundreds or even thousands – that is a good indicator.
Daily reports – Log in to your gateway and check your daily reports. If you see a spike of activity or declines, take a look. Be mindful of anything outside of your normal processing.
Believe it or not, one of the most common types of fraud is internal employee theft – even when it comes to online payments.
You can decrease the chances of this happening with the right safeguards in place. All your employees should have a separate payment gateway login. (This is necessary for PCI DSS compliance.) Logins should never be shared. You can choose the level of access each employee has to the gateway. If they are a “Clerk,” don’t give them the ability to run a refund. That should be reserved for a supervisor or manager. Make sure everyone has the access they need, but no more than that.
These parameters make it easy to track who did what. For example, if someone runs a refund on their personal credit card or a friend’s credit card, you will be able to see which user it was with a paper trail.
Adjusting Your Fraud Modules
It is generally pretty easy to add or change your fraud modules. The process does vary, depending on your particular payment gateway. If you or your payment gateway administrator are having trouble, contact your payment gateway company directly. Or, we’ll be happy to help.
Fraud Module Checkups
It never hurts to check your fraud modules to make sure you have the right ones set up correctly. But, there are definite times when it’s absolutely necessary:
- You begin accepting online payments – Get things off on the right foot. Make sure you know how to set them up and do so properly.
- An employee leaves – If the departing employee is your payment gateway administrator, that’s a good time to make sure someone else in the business knows how to check and update the modules. If possible, have the departing employee train the one taking over the task.
- A new employee/administrator starts – Train the new person on the correct module settings for your business, including how to make changes. You don’t want a new employee to assume your settings are the same as previous places they’ve worked and make unexpected adjustments.
- You get a new payment gateway – Remember, payment gateways may have different fraud settings or use different terms. If you switch to a new one, familiarize yourself with it as soon as possible.
- Every month – If you haven’t checked the modules for one of the reasons above, it’s a good idea to check things monthly. If you have more than one administrator, make sure they are all on the same page.
If Fraud Happens
If you are the victim of a fraud or attempted fraud, call Professional Solutions at 800-437-0712 right away. We’ll review your account with you to help you identify fraudulent transactions, mediate any damage and button up any vulnerabilities.
Keep in mind that it’s far easier to prevent attacks to your payment gateway in the first place than deal with the consequences. We can help.
The credit card processing program is administered through Professional Solutions Financial Services, a division of NCMIC Finance Corporation.
Trademarks listed are the property of their respective owners.