Card-not-present (CNP) transactions, in which the cardholder is not physically present, have always been riskier than card-present transactions. That’s because, by their nature, card-not-present transactions have more blindspots when it comes to authorization of cardholder identities. In recent years, however, CNP fraud — and e-commerce fraud, in particular — have risen to rates never seen before. Driven by the growth of e-commerce sales, an onslaught of bad actors during the COVID-19 pandemic, and increasingly sophisticated fraud tactics, e-commerce fraud losses have reached new heights. A survey from 2021 found that e-commerce merchants experienced a 140% increase in attacks since 2020!
Not only is e-commerce fraud more common now, but it’s also more costly. E-commerce businesses today are finding that fraud is taking a bigger bite out of their bottom line. Research by LexisNexis found that in 2021, each $1 in fraud cost U.S. retailers $3.60 in total expenses, up from $3.13 prepandemic.
All this means that payment fraud prevention tools and strategies are playing an increasingly important role in protecting merchants. With the right fraud prevention program and tools in place, online businesses are able not only to prevent fraud but to minimize losses if and when they occur. In fact, recent research found that companies that implement fraud prevention programs can reduce their fraud response expenses by 42%.
For online businesses and other e-commerce industry professionals such as independent software vendors (ISVs) and software-as-a-service (SaaS) providers, it’s essential to have a working knowledge of online fraud and to know the steps you can take to prevent it. Additionally, a keen awareness of the integrated payments space and its role in preventing e-commerce fraud can make all the difference for industry players. In this white paper, we will explore the common types of e-commerce fraud and various red flags to look out for, discuss the negative consequences of online fraud for businesses, and explore some practical ways in which payment technology can keep fraud at bay.
What is E-Commerce Fraud?
E-commerce fraud refers to malicious or unauthorized transactions made online for financial gain. Oftentimes, these transactions are made using stolen payment details or identities. The negative repercussions of e-commerce fraud are significant, with online payment fraud losses expected to exceed $200 billion between 2020 and 2024.
Over the years, fraudsters have diversified their tactics and found new ways to exploit online businesses. Unfortunately, there are now many types of payment fraud that businesses need to be on the lookout for. Here’s a short list of some of the most common ones.
Common Types of Online Fraud
Many technologies have made modern unattended retail solutions possible, but a few notable advancements stand out. Take a look at how these key innovations have laid the groundwork:
- Credit Card Fraud
Credit card fraud refers to any transaction made with stolen credit card details. While these fraudulent transactions can occur in-store, they have become much more common online — particularly since EMV chip card technology has made it more difficult for fraudsters to create counterfeit cards to use at the point of sale. Fraudsters have a number of ways in which they obtain stolen credit card details, such as phishing emails, malware, or targeted data breaches. Once the data is stolen, it’s often sold on the dark web to other bad actors. Since credit card fraud relies on the unauthorized interception of card data, payment infrastructure weaknesses and improper payment data handling are often singled out when a fraudulent attack occurs. Later on, we will briefly discuss how businesses can protect sensitive card data from getting stolen. - Card Testing Fraud
When a fraudster obtains stolen card information, one of the first things they do is start testing each card’s validity and available funds by making many small purchases online. Oftentimes, these fraudulent attacks are performed by bots. Once the fraudster determines which cards are active and have sufficient funds, they will begin using those cards to make larger purchases. - Friendly Fraud
Friendly fraud is really not so friendly — it’s when a cardholder makes a purchase online and then disputes the transaction with their card issuer in order to get their money back. Friendly fraudsters will claim that the item wasn’t delivered, that they didn’t even make a purchase, or that the merchant never processed their refund (among other false assertions). This type of fraud not only causes merchants to lose out on sales but also imposes chargeback fees and could potentially harm the status of the merchant’s payment processing account. - Refund Fraud
Refund fraud is when a malicious actor uses a stolen card to make a purchase, then requests a refund to a different card — the card that they actually possess. Merchants in this situation often won’t realize that they’re dealing with fraudulent behavior, as they’ll believe the fraudster’s claim that the original card is no longer active. - Account Takeover Fraud
This malicious tactic is when fraudsters hack into customer accounts on online storefronts in order to make purchases or steal payment data. It is one of the fastest-growing fraud tactics today, and in fact, incidents of account takeover fraud grew by 90% between 2020 and 2021.
Impact of E-Commerce Fraud on Merchants
While the financial costs of fraud are quite obvious, there are many other negative consequences for online merchants who are hit by fraud. E-commerce businesses can experience a surge in chargebacks, a tarnished brand image and lost customer trust, and a potential threat to their payment processing account.
It’s important for business owners to realize that no matter the size of their business or industry, they are at risk for fraud. A survey taken in 2019 revealed that nearly half of small businesses in the U.S. and Canada didn’t think they were big enough to be targeted — yet unfortunately, this couldn’t be further from the truth. Verizon’s “2019 Data Breach Investigations Report” found that 43% of cyberattacks specifically target small businesses. The reality is, small businesses are often more likely to lack the security prevention measures needed to combat fraud, and fraudsters are all too aware of this.
With that in mind, let’s take a closer look at the biggest negative consequences of online fraud:
- Financial LossesOne of the most significant costs of fraud is the financial loss the merchant incurs. Depending on the type of fraud that’s occurring, merchants are likely to lose out on inventory, actual business funds, or both. That’s not all, though — merchants who have been hit by fraud often have to shell out additional money to respond to and resolve the situation. In fact, the costs of responding to fraud are often far more than the amount that was actually stolen. Businesses may need to pay legal fees and non-compliance fees, hire in-house security experts to boost operational security, and implement or improve security infrastructure and systems.
- Damaged ReputationCustomers and business partners are likely to lose trust in a business that experienced a fraudulent attack. In fact, a survey from 2019 found that 81% of consumers would stop engaging with a brand online in the aftermath of a data breach. This means that fraud not only causes merchants direct, immediate losses, but it also can result in lost sales and a shrinking customer base down the road.
- ChargebacksA chargeback is when a customer disputes a transaction with their card issuing bank and asks them to reverse it. While actual credit card fraud is a legitimate reason for a cardholder to file a chargeback, there are fraudsters who will file friendly fraud chargebacks even after they’ve received the product or service. No matter whether it’s actual fraud or a friendly fraud chargeback, the merchant loses out either way. Every chargeback incurs a fee, and as chargebacks accumulate on the account, the merchant’s processing rates are likely to rise — and they may be at risk of their account getting shut down altogether. Chargebacks are also quite time-consuming since the merchant has to respond to every chargeback with appropriate documentation.
Of course, this is not an exhaustive list of red flags, and it is also possible that a legitimate transaction could fall under one of the above categories. That’s why AI-driven fraud prevention tools are a great supplement to manual fraud detection.
How E-Commerce Merchants Can Prevent Online Fraud
Now that you’re more familiar with online fraud and its warning signs, let’s take a look at some actionable steps you can take to curb its occurrence. As mentioned, fraud prevention is a multi-pronged approach that requires cross-departmental security awareness and robust security solutions. Here are some tips that encompass both of these approaches:
- Monitor for Unusual BehaviorAs discussed above, fraudsters will often leave footprints behind. It’s essential that business owners and their employees have a thorough awareness of fraud warning signs so that they can take further action — such as declining suspicious transactions or blocking certain IP addresses — when needed.
- Use Address Verification Service (AVS)AVS is a tool offered by the credit card brands to verify cardholder identities. It does so by checking that the provided billing address matches the address that’s on file with the bank. This process happens in real-time when the transaction is authorized.
- Maintain PCI ComplianceMaintaining compliance with the Payment Card Industry’s Data Security Standards (PCI DSS) is one of the most important things that businesses can do to ensure that customer card data is protected from fraudsters. PCI DSS consists of a set of policies and procedures that when adhered to, help ensure maximum card security — such as maintaining secure networks and firewalls, encrypting stored data, and regularly testing security systems. It’s important to note that since PCI compliance is required by the credit card brands, noncompliance could put online retailers on the hook for fees. Fortunately, many merchant service providers and payment technology providers help simplify the path to PCI compliance by offering advanced solutions and ongoing support.
- Require CAPTCHA and Card Verification Value (CVV) at CheckoutBoth of these helpful tools are a great way to authenticate the cardholder. CAPTCHA is a test used to tell humans and robots apart, and most commonly it involves identifying distorted letters and numbers. CVV refers to the three- or four-digit number on the back of credit cards. Requiring entry of this number at checkout weeds out fraudsters who don’t actually possess the credit card.
- Disclose Clear Refund PoliciesCustomers who are unhappy with an item or service but aren’t eligible for a refund may sometimes resort to friendly fraud. That’s why it’s important to ensure that your clients know in advance if there are any restrictions that apply to returns and refunds. Providing this information upfront can also serve as supporting evidence in the event of a chargeback.
- Only Issue Refunds to the Card Used for the Original PurchaseTo prevent refund fraud, avoid issuing refunds to an alternative credit card or with cash or check. Issuing refunds to the original payment method is the only way you can ensure that it’s not getting into the wrong hands. Plus, doing so leaves a paper trail that the refund was made, and this evidence could come in handy.
- Integrate Advanced Payment Security TechnologyNo fraud prevention program is truly complete unless it includes powerful security solutions. With the help of a secure payment gateway integration, you’ll find that it’s much easier to reduce fraud, maintain PCI compliance, and minimize chargebacks. Fortunately, today’s payment gateways offer an impressive array of fraud prevention tools that will save you time on manual labor and protect your business. In the following section, we will provide an overview of integrated payment technology and pinpoint several must-have security features.
Harnessing the Power of Integrated Payment Technology to Fight Fraud
For e-commerce merchants, payment gateway integrations are essential to facilitating secure transaction processing. The payment gateway serves as a middleman between the cardholder’s bank and the issuing bank, interfacing with the merchant’s online storefront and financial institutions. Since the payment gateway is responsible for transmitting data, it plays an essential role in keeping data secure.
As payment security evolves rapidly, partnering with an innovative payment gateway can make all the difference for e-commerce merchants. When looking for the right payment integration, merchants should focus on finding a provider that’s cutting-edge and committed to rolling out the latest technologies. This is essential in keeping one’s business safe as fraudsters continue to scheme up new tactics and the payments landscape evolves. At the same time, staying on top of payment security trends often translates directly into a more frictionless, faster, and customer-friendly checkout experience that improves brand loyalty and conversions.
There is an incredible range of payment gateway security features available on the market, and while some are offered across the board, others are limited to the most innovative and feature-rich gateways. Here’s a look at some of the top payment gateway security solutions for online merchants:
Top Payment Gateway Security Features
Data Tokenization
Tokenization technology replaces sensitive card data with randomly-generated tokens that are indecipherable and meaningless to fraudsters. The payment gateway assigns each payment method a token and stores the actual payment details in its secure vault. Meanwhile, the merchant only uses the associated tokens during transaction processing or to store payment information.
3DS2 Authentication
3-D Secure 2.0, commonly known as 3DS2, is a next-generation authentication solution launched by EMVCo to verify cardholder identities in real time. When a transaction is processed on a gateway that supports 3DS2, key data points are passed along to the cardholder’s issuing bank to evaluate risk. Only transactions that are determined to be low-risk are authorized, thus filtering out fraudulent transactions and preventing chargebacks.
Gateway Filters
Gateway filters automatically block transactions based on parameters that are likely to indicate fraud. Most payment gateways give merchants the ability to set up filters per their preferences. For example, merchants can choose to block transactions based on the following parameters, among others:
- IP addresses
- Failed AVS checks
- Specific card or BIN numbers
- High dollar amounts
- High velocities (in a given time period)
Automated Fraud Screening
Fraud screening solutions scan incoming orders for signs of fraud — often using AI technology — and provide the merchant with a score or yes/no decision. These tools offer a significant advantage over manual screening alone, as they pick up on red flags that may be missed, and they also reduce the odds that legitimate transactions will be unnecessarily declined.
End-to-End PCI Compliance
Using a payment gateway that’s PCI compliant greatly simplifies the merchant’s path to PCI compliance. Merchants can rest assured that the gateway is regularly being updated to adhere to PCI standards, which takes some of the burden off of the merchant.
Support for Secure Payment Methods
The latest payment methods offer an added layer of security that benefits cardholders and merchants alike. Digital wallets like Apple Pay and Secure Remote Commerce (SRC) keep payments extra secure since data is tokenized and the cardholder must verify their identity — using biometrics or another method — when making a payment.
Boost E-Commerce Security With the Sola Gateway
As a leading e-commerce payment gateway, Sola offers unmatched security that provides e-commerce merchants with incredible protection and peace of mind. Sola supports all of the above features and has an in-house team of security and PCI experts to guide merchants, ISVs, and SaaS providers on all things related to secure payment integrations. Plus, users of the Sola gateway can enjoy access to cutting-edge payment solutions for in-store and mobile channels, which can be easily synced with e-commerce sites for a complete omnichannel experience. For ISVs and SaaS providers, Sola’s Partner Program provides lucrative integrated payment acceptance options, with the option to become a payment facilitator.
Interested in learning more about how the Sola gateway can level up your business with industry-leading security and payment solutions? Contact us today to learn more!