Protecting your online business against credit card fraud

As eCommerce grows, so does the frequency of cyber attacks. According to the Australian Payments Clearing Association, $521 million of online spending in Australia in 2016 resulted from fraud. That’s 74 cents out of every $1000, up from 60 cents in 2015. Here’s what you can do to protect your business.

When SecurePay’s Head of Risk, Kian Jackson, talks about the current risks in the world of online business, he contrasts them with the security of a local shop.

“Businesses who operate online today want that unique customer experience, frictionless payments and easy to navigate website. In a small village store, the shopkeepers know everyone on a first-name basis, understand what customers usually order and when they want their goods,” explains Kian.

“But there are risks when trying to replicate this online as you’re operating in a global marketplace and have more decisions to make with a lot less information.”

Current fraud trends

Unlike that village store, where you’d be hard-pressed to purchase something with a stolen card, the anonymity of the web has enabled cyber criminals to take advantage of data and credit card theft, and of what are called card-not-present transactions, where the card is never physically presented to the merchant.

“Attackers are more sophisticated and are targeting larger sets of data using ransomware, malware, phishing and social engineering. Card-washing is the result of attacks where criminals attempt to validate cards,” says Kian.

Phishing emails are those with dodgy attachments carrying malware which, when opened, give the criminals the opportunity to access your data. There’s also spear-phishing, which is when a particular weakness in a business is identified and targeted.

After a data breach, if the data accessed contains credit card information, the criminals will then carry out a card-washing attack, explains Kian. “Using the card information they have stolen they will attempt to make multiple micro purchases to understand if the card is active or not. Once the information is washed then it will become apparent which cards are valid and which are not.”

Another common attack on online businesses is called social engineering, reveals Kian. “A customer might do a pretty big order and it might look too good to be true. There’s a couple of thousand dollars on product that needs to be shipped, or they book a service like a hotel. Then all of a sudden there’s a tragedy and the goods have to be returned or the person can’t get to the hotel and for some reason they’ve lost their credit card. So they ask the merchant to wire their funds back.”

Of course, the credit card is stolen and so they don’t want the funds to go back onto it. “The advice for this is to identify the card holder and only ever refund to the credit card through which payment was made,” stresses Kian.

Fraud software

To stay competitive, online businesses often don’t extract as much information from customers as they would like. The key, then, is to manage the information you do have access to and go through it with a fine-toothed comb to find out whether a customer and an order are trustworthy. This is at the heart of fraud software: it acts in place of the all-knowing shopkeeper, keeping an eye on the customers.

Fraud software will therefore look at information such as the IP address of a computer and compare its location with the purchasing and delivery addresses. If they’re in different countries, for example, alarm bells will ring.

“With FraudGuard – SecurePay’s proprietary fraud software – there are certain parameters or alerts you can set up, such as the country where the payment comes from, amount thresholds, customer IP settings to see if the payment is coming from a high-risk country or not, and so it can be matched with the billing address,” explains Kian.

“Different rules are given different scores so once a transaction has breached different rules it will create an overall fraud score. This means you can systematically block those transactions on a real-time basis. You can also set up an email trigger so you can be alerted immediately if anything looks risky. That works well with eCommerce because it means you’ve got time to review orders before you send any goods.”

If an order looks risky but you’re not sure, you might decide to call the customer and check in with them. Another great strategy is to make a micro payment to the customer’s card: charge a very small amount, such as $1.23, and ask the customer to confirm that number back to you. “It’s a great way to validate the cardholder.”

PCI DSS compliance

The other way to protect yourself is to be PCI DSS compliant. This applies to any organisation that accepts, transmits or stores any cardholder data. “I would highly recommend that every merchant review their obligations if they haven’t done so. When it comes to PCI there are four different levels based on your card volume. At SecurePay we’re level 1 – we’re fully PCI DSS compliant. That means that security is paramount to the business and strict standards are adhered to at all times. More information on your obligations can be found at,” says Kian.

“If the local shop has CCTV footage and locks on the doors, then PCI DSS compliance is the cyber equivalent.”

Orders to keep an eye out for

While fraud software is the safest way to keep an eye on risky orders, Kian lists things you can keep an eye out for yourself, especially if several of these points coincide in one order.

  • Orders from overseas – especially from high-risk areas such as Africa and Central and South America
  • Unusually large orders requesting urgent delivery
  • First-time customers dispatching goods to a freight forwarding company
  • Orders where the delivery name doesn’t match the credit card name
  • Orders with a different billing and shipping address
  • An order from someone who has had a previously declined order
  • Orders with different IP and billing locations
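The rule-scoring approach described under "Fraud software", applied to the warning signs in this list, can be sketched as follows. This is an added example, not SecurePay's product code: the field names, point weights, the $1000 "large order" cut-off, the review and block thresholds and the placeholder country code are all assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed values for illustration: weights, thresholds and the country set
# are hypothetical and would come from your own fraud policy.
REVIEW_AT, BLOCK_AT = 40, 70
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder country code


@dataclass
class Order:
    amount: float
    ip_country: str
    billing_country: str
    card_name: str
    delivery_name: str
    billing_address: str
    shipping_address: str
    urgent: bool = False
    first_time_customer: bool = False
    freight_forwarder: bool = False
    previously_declined: bool = False


def _same(a, b):
    """Compare free-text fields ignoring case and surrounding whitespace."""
    return a.strip().lower() == b.strip().lower()


# (rule name, points, predicate): each rule mirrors one warning sign above.
RULES = [
    ("ip_billing_country_mismatch", 25, lambda o: o.ip_country != o.billing_country),
    ("high_risk_ip_country", 20, lambda o: o.ip_country in HIGH_RISK_COUNTRIES),
    ("large_urgent_order", 20, lambda o: o.amount >= 1000 and o.urgent),
    ("new_customer_freight_forwarder", 20, lambda o: o.first_time_customer and o.freight_forwarder),
    ("name_mismatch", 15, lambda o: not _same(o.card_name, o.delivery_name)),
    ("previous_decline", 15, lambda o: o.previously_declined),
    ("billing_shipping_mismatch", 10, lambda o: not _same(o.billing_address, o.shipping_address)),
]


def score_order(order):
    """Return (score, decision, names of the rules that fired)."""
    fired = [(name, pts) for name, pts, test in RULES if test(order)]
    score = sum(pts for _, pts in fired)
    # "review" is where an email alert would be sent before goods ship.
    decision = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "accept"
    return score, decision, [name for name, _ in fired]


# Constructed sample orders (not real data).
REGULAR = Order(80.0, "AU", "AU", "Jo Lee", "Jo Lee", "1 Main St", "1 Main St")
GIFT_RETRY = Order(120.0, "AU", "AU", "Jo Lee", "Sam Lee", "1 Main St", "9 High St", previously_declined=True)
RISKY = Order(2400.0, "XX", "AU", "Jo Lee", "A. Smith", "1 Main St", "Dock 4", urgent=True, first_time_customer=True, freight_forwarder=True)
```

No single sign decides the outcome: `GIFT_RETRY` only reaches the review threshold because three weaker signs coincide, which matches the advice to pay attention when several points appear in one order.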
