As the U.S. moves further away from recession and retail sales continue to pick up momentum, merchants must keep an eye on their credit card sales. Fraudsters have long been a threat to retailers and consumers alike, but the proliferation of mobile phones and other technology resources is now serving as an entry point for scammers looking to capitalize on poor credit card security measures in place at some retail outlets.
Compounding the issue, a new Javelin Strategy & Research study found that only 44% of issuers are adequately satisfying fraud prevention criteria. This figure is down from 54% last year.
Since issuers aren’t necessarily establishing themselves as a deterrent, retailers should be cognizant of the methods fraudsters are using to steal customers’ credit card information. Here are some suggestions for identifying and preventing costly credit card fraud:
- Be vigilant in identifying/preventing tampering. Make certain all employees tasked with the responsibility of accepting credit and debit cards from customers understand the looks and functionality of the payment processing equipment they’re using. Scammers often try to tamper with a business’ payment processing equipment in an effort to steal credit card information. Altered equipment usually consists of a small piece of hardware physically attached to the terminal itself. An attentive employee who knows what to look for should be able to easily identify an extra attachment to the device or oddly functioning software.
- Take steps to eliminate the need to keep credit card data on hand. To avoid one of the biggest PCI compliance risks, you should do everything in your power to not store credit card numbers. Look for a payments provider whose platform is designed so credit card information is never stored at your business site or on your business software. Your provider should be able to process the transaction and then store your customers’ card information in a secure “vault” in the cloud. They should provide you with an encrypted ID, so when you want to do another transaction for that same customer, your software can pass the payments provider the encrypted ID so your company never comes in contact with the stored credit card data.
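The vault arrangement described above, as an added sketch that is not from the original article or from any provider's API: the merchant keeps only the ID the provider returns, and an audit function checks merchant records for anything that still looks like a full card number. `HypotheticalVault`, `MerchantStore`, the `tok_` prefix and the card number are constructed for illustration, and the "encrypted ID" is modelled here as a random token.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that every real card number (PAN) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class HypotheticalVault:
    """Provider side (assumed, not a real provider API): holds the card data."""
    def __init__(self):
        self._cards = {}  # token -> PAN; exists only at the provider
    def charge_and_store(self, pan: str, cents: int) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token] = pan
        return token
    def charge_token(self, token: str, cents: int) -> bool:
        return token in self._cards  # provider resolves the card itself

class MerchantStore:
    """Merchant side: keeps the token and last four digits, never the PAN."""
    def __init__(self, vault: HypotheticalVault):
        self.vault, self.records = vault, {}
    def first_sale(self, customer: str, pan: str, cents: int) -> None:
        token = self.vault.charge_and_store(pan, cents)
        self.records[customer] = {"token": token, "last4": pan[-4:]}
    def repeat_sale(self, customer: str, cents: int) -> bool:
        return self.vault.charge_token(self.records[customer]["token"], cents)

def find_stored_pans(records: dict) -> list:
    """Audit: list (customer, field) pairs whose value holds a full card number."""
    hits = []
    for customer, fields in records.items():
        for name, value in fields.items():
            compact = re.sub(r"[ -]", "", str(value))
            if any(luhn_ok(run) for run in re.findall(r"\d{13,19}", compact)):
                hits.append((customer, name))
    return hits

if __name__ == "__main__":
    shop = MerchantStore(HypotheticalVault())
    shop.first_sale("alice", "4111111111111111", 2500)  # constructed test number
    print(shop.records, shop.repeat_sale("alice", 1000), find_stored_pans(shop.records))
```

Running the same audit over exports from back-office systems is a quick way to find card numbers that were saved before the move to a vault.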
Don’t forget that PCI compliance is crucial. It’s against card brand regulations to not be Payment Card Industry (PCI)-compliant when accepting credit or debit cards. Make certain your payment processing software security is current and is PA-DSS (Payment Application Data Security Standard)-certified, and that your business receives its PCI-DSS (Payment Card Industry Data Security Standard) certification.
PCI certification provides a level of confidence and assurance that a processor has followed and passed a robust set of best practices for securing the information being processed when credit card payments are made. There’s no silver bullet here. You have a responsibility to protect your customers’ credit card information, just like you should be protecting all of your customer data.
The depth of the audit required will depend on your business volume and systems, but a full PCI audit will offer a scorecard across your business’ payments environment, including all connected back-office applications, allowing you to make critical changes before thieves expose security holes.
- Protect sensitive data with end-to-end encryption. End-to-end encryption (E2EE) essentially boils down to scrambling the data sent from one device to another. It starts with your payment capture devices, and goes all the way to the transaction being authorized. E2EE technology prevents the card account data from being stolen electronically and lessens the cost and impact for your business to become PCI-certified. A company’s mobile payment devices, credit card terminals, software applications and online payment portals need built-in encryption functionality when transmitting customer information.
Your company should select a technically savvy payments provider. Look for a partner that supports E2EE technology. You’ll need to balance cost versus product and service here. Using the low-cost provider could come at the expense of limited product functionality, potential security holes and lower levels of customer service.
- Respond promptly to any known security breaches. It’s critical to understand that even if all cautious, conservative steps are taken, and the best payment processing security is installed, a breach can still occur. If it does, you must have detailed credit card sales records to refer back to as a means of retracing your steps. This will help in determining when and where the breach took place and therefore mitigate the potential for additional losses. Furthermore, a proper assessment of the initial attack may ultimately provide a trail back to the source of the breach.
The bad news is that credit card fraud is here to stay for the foreseeable future. Completely eliminating the problem is not a realistic objective at this point. The good news is fraudsters and scammers attack people and businesses that are ill-prepared for their tactics. Integrate the above suggestions into your retail outlet’s fraud prevention strategy to effectively minimize the threat of credit card fraud happening to your business and customers.
Rob Bertke is Senior Vice President of Research & Development at Sage Payment Solutions, a division of Sage North America. Bertke has been in the commercial payments and business-to-business electronic commerce industry for 15 years. In 1995, he helped Wachovia Bank release its first commercial card products by creating a technology solution for card transaction GL (general ledger) coding and management information reporting. He left Wachovia in 1997 to join the American Express Technical Consulting team, where he was a member of the ANSI X12 committee developing card-specific EDI (electronic data interchange) transactions, and acted as product manager and technical consultant for key e-commerce initiatives.