Card fraud is rampant in South Africa, and growing at an alarming rate. This year, losses due to credit card fraud have increased by 23% to R453,9-million, according to the latest statistics from the SA Banking Risk Information Centre, says Donovan Marais, channel manager at Sage Pay.
Though much of the press coverage focuses on consumer education, merchants absorb many of the risks and losses attached to card fraud. This is especially true of the ‘card not present’ transactions in e-commerce – the most risky form of card payment for an SME.
If you’re taking your small business online, it is essential to protect yourself by following best practices and working with a reputable payment gateway. Here are some hints and tips to help you transact safely online with your customers.
Know your customer
In online commerce, you cannot be certain who is sitting on the other end of the Internet connection performing the transaction, and you don’t have sight of the debit or credit card. For all you know, it could be someone who has stolen the card details rather than the card owner. For that reason, you need to take every reasonable precaution to ensure the person you are transacting with is who he or she claims to be.
Some steps you can take to this end include:
* Don’t ship to PO boxes, but only to physical addresses.
* Use a reputable delivery stream – i.e. a courier that checks identification on delivery of the goods.
* For a customer’s first transaction, you could insist on clearing it with the bank if delivery is not to the cardholder’s billing address.
* Ask for an ID number and use a service such as the Sage Pay ID verification service to check that the ID number actually exists and ties to the name of the cardholder.
* Once customers are registered, you could send a one-time PIN via SMS or email (in much the same way as the banks) when they transact. That gives your customers an extra layer of protection in case their passwords are stolen.
Get PCI-compliant or don’t store payment details
Every company that accepts credit card payments must be aware of the Payment Card Industry’s Data Security Standards (PCI DSS) – a regulatory framework from the financial services industry. Its requirements include protecting data behind firewalls, encrypting cardholder data, staying up to date with virus protection, and controlling who has access to customers’ card details.
As a small business, you might not be able to afford all of the information security requirements demanded by PCI. It may make sense to allow a payments provider like Sage Pay to collect and manage card data on your behalf. When customers pay, they’ll be directed to a secure page operated by your payment gateway and your business won’t need to store their data. This will help protect you and your customer alike.
Comply with 3D Secure for digital payments
In a brick-and-mortar store, customers these days need to punch in a PIN code at the point of sale before their card payment is processed. Online, you should use the 3D Secure technology from Visa and MasterCard to verify payments.
Customers will be directed to a secure web page hosted by their bank, where they will need to supply a one-use code they received by SMS or email sent by their bank. That helps to limit fraud since the fraudster will need more than the basic credit card information to complete an online transaction. If you are working with a good payments company, it will not only support 3D Secure – it will insist on it.
Set a sensible floor limit
One good way to protect your business and your customers from the threat of big financial losses is to set a sensible floor limit. This refers to the maximum value of a transaction you will allow without calling the bank to verify its authenticity. For example, you might decide that you will not automatically process a transaction of more than R5000 without giving the bank a call first to validate it.
Work with reputable couriers
If you’re delivering goods to customers that shop online, you should work with a credible courier company. When delivering expensive items, insist that the courier verify the customer’s identification by asking to see his or her green ID book. And the courier must always get the person taking receipt of the goods to sign for them.
Monitor chargebacks carefully
Payments companies (Visa and MasterCard) give cardholders 180 days to dispute any credit card transaction. Verify every chargeback to ensure that customers aren’t disputing valid transactions. If a chargeback is valid, make sure that the customer has returned faulty or incorrectly delivered goods so that you can limit your losses. This is another reason why you should know who you are selling to and where they are located.
Closing words
Banks and card payment firms tend to protect the interests of the cardholder in the event of fraud. If you accidentally deliver to a fraudster, there is no guarantee that you’ll recover the loss. That means it’s up to you to protect your business against card fraud risks.
Luckily, you can prevent most incidents if you follow the right procedures, and outsource the complexities of payment to a gateway with the right security infrastructure and processes in place.