By John Rampton
When I started in the online invoicing and payment acceptance business, I was concerned about the potential for fraud. I didn't have the mechanisms in place to protect personal and financial data at the time, which put me at the risk of losing customers.
Plus, recent statistics revealing fraud as a global problem, especially for online businesses despite advancements in technology, wasn't comforting. A 2014 ACFE global fraud survey found that a typical business loses five percent of its revenues each year to fraud. The Nelson Report shared more statistics about fraud with debit and credit cards, including the fact that losses from fraud totaled $16.31 billion in 2014.
With those startling statistics in mind, I wanted to make sure that my online business was as secure as possible, and that I didn't have to be accountable for those losses. Based on my experience, here are some of the tips I have for limiting fraudulent payments for your online business that have served my company well:
Understand Fraudsters
I don't have the mind of a criminal, so I had to learn more about how some of these people think and operate. I spent considerable time studying the common tactics they use in order to understand what type of security I had to implement.
I learned that online fraudsters like to steal money through account takeovers and identity theft. By providing my customers with an account in which they can store their personal and financial data, I created a point of entry for these fraudsters to trick the account holder into disclosing login information. Although I was using some security measures, the database that we used to store credit card numbers, passwords and usernames could have been vulnerable.
My whole team now undergoes regular security training so they can stay on top of the latest threats, and know what to look for when they are working within our payments system. They also know how to run scans and recognize what type of activity should immediately be reported as suspicious.
Fraudsters not only are external threats, but can lurk within your company. I enacted processes like separation of duties, a checks-and-balances system, background checks and third-party audits to track each employee's behavior. You might feel like you're treating your employees like criminals, but it's ultimately important to protect both yourself and your clients.
Ensure PCI Compliance
In order for me to undertake payments as I expanded Due, it was of the utmost importance to ensure that the business was PCI compliant. The Payment Card Industry Security Standard Council (PCI) is composed of numerous credit card company brands like American Express, Visa and MasterCard, and has developed a set of best practices that every business should implement to secure customer data. As such, before handling any payments, I enact these practices into my business.
Proactively Address Risk
Once I learned how these fraudsters think and act, it was up to me to identify and implement the tools and processes that could stop them in their tracks and discourage them from repeated attempts.
In terms of processes, I recommend having a system in place to monitor transactions on a daily basis. Regularly checking these transactions helped me identify anything that seemed out of place, such as inconsistent billing or payment information. I would also use tools to track a customer's IP address so I could ensure it was indeed my customer rather, than someone coming from another country that is often a hotbed for fraud.
I also looked at the email addresses that were being used as more fraud comes through email platforms such as Yahoo and Gmail. Another way I found to ensure more secure payments was to use the Address Verification System, which compares the numeric parts of a billing address to the one that is on file with the credit or debit card company.
The Card Verification Value (CVV) is also a must to include on all payment forms as a required field, because it is virtually impossible for a fraudster to obtain unless they actually stole the physical card. Ask customers to use a much longer alpha-numeric password, like eight digits and that must include a special character and one capitalized letter. Try also adding a two-step login process for further security: this involves a single-use code that each user has to enter after they receive it via their phone or tablet.
In making all these proactive changes, I alerted my customers so they knew why I was adding in layers of security and asking them to create longer passwords. In return, I got positive responses and realized the extra effort to keep customers safe went a long way toward building a trusting relationship.
Don't Skip Software Updates
While I was busy getting my company off the ground, I thought I could wait to do updates to my platform and software. This is the worst thing that I could have done because I left my system completely open to attack. Needless to say, I no longer do this.
These updates are needed primarily to address vulnerabilities that have been discovered related to new viruses and malware, which could compromise the security we've worked so hard to get. That's why as soon as an update becomes available, I make sure it's implemented. I will never rely on consumer-grade antivirus solutions for my system because that level of security does not address the sensitive nature of payments my company is handling.
Never Relax
Finally, I can never relax or let my guard down when it comes to payments security. That's because fraudsters have nothing but time and ingenuity to work with in order to create the next scheme or opportunity to compromise online payments systems.
John Rampton is the founder of Palo Alto, California-based Due, a free payments company specializing in helping businesses bill their clients easily online. You can connect with him @johnrampton.