Well, it’s that time of year again, and I am not talking about pumpkin spice lattes, leaves changing colors and the roving posses of trick-or-treaters, although that’s been happening too. Because of previous pandemic lockdowns, consumers have been advised to start their Christmas shopping early — which means the Christmas holiday shopping season has effectively been bumped up. As a small business owner, you should know what that means. In the past, this would be the time of year every business owner looks forward to. But it seems like small businesses cannot catch a break these days.
First, the good news: consumers have received stimulus checks, businesses are reopening and people are going back to work. As a result, consumer spending is rebounding and folks are ready to buy. The bad news: unfortunately, many stores have empty shelves due to shipping challenges and supply-chain bottlenecks.
Excessive chargebacks can easily cause you to lose your existing processing and you might find your business classified as high-risk, which will result in higher fees for you when you find a new processor.
Even with so much unpredictability, the holidays should be the “most wonderful time of the year” when it comes to sales, whether you have a brick-and-mortar business with an online presence, or your business is strictly internet-based. Unfortunately, while you are dealing with trying to get the product sold and in the hands of your customer, there are criminals out there that are going to do their best to cut into your profit margins.
WHAT IS ECOMMERCE FRAUD?
Ecommerce fraud is a broad topic that covers a wide range of situations. In a nutshell, ecommerce fraud is any fraud that occurs as the result of an online purchase. Identity theft can fall under this category, as well as the obvious credit card fraud, “friendly fraud” and refund fraud. As more businesses have transitioned to ecommerce, the instances of fraud have grown exponentially as have the methods of committing ecommerce fraud.
In the early days of the internet, a popular method of committing credit card fraud was “credit card banging.” In those days, card banging occurred when a website operator used a user's credit card information to enroll them in several subscriptions.
The main harm this caused is that people became wary of making online purchases. Today, this method has evolved to target the ecommerce merchant; you may know it as card testing, account testing or card checking. As you are likely aware, cybercriminals harvest credit card numbers and sell them on what is called the Dark Web. A couple of months ago, a new cybercriminal site reportedly leaked one million stolen credit card numbers to promote themselves to potential buyers.
As one might imagine, trying to verify whether one million credit cards are valid or not, with the correct CVV number, expiration date and zip code, would be quite time-consuming. However, scripts are available that will allow criminals to test hundreds of credit card numbers every hour. These stolen credit cards will be tested by purchasing hard goods, buying virtual services, paying bills and even making donations to charities. The reality is that if you accept credit cards over the internet, you are vulnerable to ecommerce fraud.
THE COST OF CARD CHECKING
Card checking can appear innocent enough; a customer is attempting to make a small purchase with their credit card and the card is denied for one reason or another, so your customer decides to use a different card, which works. Unless you are paying very close attention, you probably do not even know that your customer had one card denied; you just know that you made a sale.
The problem is that the merchant paid a small fee for both of those credit cards. If a cybercriminal runs a script that tests 20,000 credit cards, that would be $4,000 in fees charged to your account! Even if you did make a few sales from those tests, you can be sure that they will result in chargebacks and the associated chargeback fees.
PROTECTING YOURSELF AGAINST CARD CHECKING
Virtually every merchant that accepts credit cards is a potential victim of card checking but it really is one of the easiest ecommerce fraud methods to prevent. You can do that by adding CAPTCHA to your checkout page. Any decent shopping cart should have this option available, and you should absolutely use it.
You can have the best-looking order form known to man, but if you do not set it up properly, it will not be of much use in minimizing fraud. Some countermeasures include requesting the CVV code, checking addresses and zip codes, limiting checkout attempts and blocking repeated transactions from the same IP address.
If you find yourself hiring seasonal help that has access to the processing back end, be sure they get their own login credentials and when the seasonal work ends, terminate those logins. You should also make a monthly habit of changing the logins/passwords of your regular employees.
While you will want to be especially vigilant during the holiday season, the fact is that because of the pandemic, the growth of ecommerce is faster than ever and is unlikely to subside. This means it is more important than ever for you to maintain your PCI compliance and work with companies that have the experience to help you minimize these threats. This should be an especially profitable time of year; make sure it is you and not cybercriminals that are turning a nice profit. Good luck!
Jonathan Corona has over 15 years of experience in the electronic payments industry. As MobiusPay’s COO, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards set forth by the card associations. MobiusPay specializes in merchant accounts in the U.S., EU and Asia. Follow them @MobiusPay on Twitter, Facebook and IG.
