Diary of a Start Up Part 4: E-Security
7th October, by John Debrincat
After discussing how to implement an e-payment system into an e-commerce business, Diary of a Start Up Part 4: Security takes on website security and fraud.
With e-payments ticked off, looking at e-security is the natural next step in the process of setting up an e-commerce business. In Diary of a Start Up Part 4, we will look at the security and fraud implications of e-payments. We will also answer the following questions:
- Do I need a returns and refund policy?
- Do I need a Privacy Policy and Terms and Conditions?
- How should I handle fraud and malicious transactions?
- What is Payment Card Industry (PCI) Data Security Standards (DSS) compliance and does it concern me?
1. Security
Objective:
- Managing card data security.
Prerequisites:
- Decide whether you want to offer card payments on your new website. Visit the PCI Security Standards Council website and review the information about PCI DSS, or ask your bank for information.
Tasks:
- Review the present flow of card data on the current or planned website, covering its capture, storage and transmission. Determine whether a PCI scanning product is required to provide quarterly PCI compliance reports.
Tips:
- Try to minimise the exposure to PCI DSS requirements.
- The easiest way to mitigate is not to offer card payments at all, but this is not practical given that the majority of consumers use credit, debit and charge cards.
- Let the payment service provider (PSP) or bank capture the card details.
- Ensure the partners you use are PCI DSS compliant now and remain so on an ongoing basis.
Traps:
- Capturing and storing card details on your own site or system exposes the business to a greater number of the PCI DSS requirements.
- Avoiding or ignoring card data security can be costly; a card data breach can result in fraud – the cost of which is applicable to the business where the breach occurred.
- PCI DSS compliance is not a one-off. Quarterly checks of systems and processes must be performed.
- PCI DSS compliance impacts both the website and the whole business’s processes and policies in relation to card data.
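The data-flow review above is only useful if you can confirm that card numbers have not quietly ended up in places they should never be (application logs, database exports, support tickets). The following is an added example, not code from the article or from any PSP: it scans text for digit runs of 13 to 19 digits that pass the Luhn checksum (the checksum all major card brands use), reports which lines contain a likely card number, and shows the PCI-style masked form (first six and last four digits) that is acceptable to retain. The sample log lines are constructed for the example; the two numbers that pass are the widely used Visa and MasterCard test numbers, not real cards.

```python
"""Scan text (log lines, dumps, exports) for primary account numbers (PANs).

Added example. Assumptions: a PAN is 13-19 digits, optionally grouped with
spaces or dashes, and passes the Luhn checksum. Anything else is ignored, so
order numbers and tracking numbers of similar length do not trigger alerts.
"""
import re

# Candidate: 13-19 digits, each optionally followed by one space or dash,
# not touching another digit on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so '4111 1111 1111 1111' becomes one digit run."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in the text, in order."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form: first 6 + last 4 visible.

    Digit runs that fail Luhn (order ids, mistyped numbers) are left untouched.
    """
    def repl(m: re.Match) -> str:
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        return m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def report(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_line) for each line that holds a PAN."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if find_pans(line):
            hits.append((n, mask_pans(line)))
    return hits


# Constructed sample log lines (not from any real system). 4111111111111111 and
# 5555555555554444 are the standard Visa/MasterCard test numbers and pass Luhn;
# 4111111111111112 and the 16-digit tracking number do not.
SAMPLE_LOG = """\
2023-10-07 10:01:02 INFO checkout order=9001 card=4111 1111 1111 1111 amount=59.90
2023-10-07 10:01:05 INFO checkout order=9002 tracking=1234567890123456 amount=12.00
2023-10-07 10:02:11 DEBUG gateway response card=4111111111111112 status=declined
2023-10-07 10:03:40 INFO checkout order=9003 card=5555-5555-5555-4444 amount=240.00
"""

if __name__ == "__main__":
    for line_no, masked in report(SAMPLE_LOG):
        print(f"line {line_no}: {masked}")
```

Run it against a day's worth of application logs or a database dump before a compliance review; a single hit means card data is being retained and the data flow needs changing, not just the log. The Luhn filter keeps the noise down but is not proof of absence, since a PAN split across two lines or stored encoded will not match.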
Do I need a refund policy?
Customers ask for refunds – it’s a fact of life. If you have a well documented refund policy, it could save a lot of arguments. Laws vary from place to place and some countries (like Australia) have strong consumer legislation that requires businesses to accept returns and issue refunds in certain circumstances.
Another issue here is the cost of refunds. If you use a bank and PSP (for credit card), a fee will be incurred to process refunds. These can be expensive, so check the fees. Sometimes it’s easy to send off a cheque rather than process a refund through a credit card, but remember this may still leave you exposed to chargeback from the credit card account.
Sometimes you will see sales online that are exceptional to your business. Remember the golden rule: If it looks too good to be true, then it probably is a fraud.
2. Fraud
Objective:
- Managing exposure to fraud and charge backs, and reducing disputes with customers and the bank.
Prerequisites:
- Carefully map out the fulfillment process and know who the likely buyers are and what their purchasing profiles look like. Read up on what charge backs are.
Tasks:
- Talk to your service provider.
- Understand what safeguards exist when it comes to minimising exposure to fraud.
- Learn about charge backs and how they’re triggered.
- Establish checks and balances in your fulfillment process to reduce charge backs and disputes.
Tips:
- Some PSPs have anti-fraud systems, such as eWAY's Beagle. Ask about the services that are available and try to block fraudulent transactions before they're processed.
- If refunds are requested, always refund to the card/method from which the payment came (never refund to a bank account when the original payment came from a credit card).
- Ensure a well-presented refund and exchange policy is in place, and provide access to a complaint mechanism.
- Be alert for any differences in card origin, the destination of goods and contact details.
- Require the card verification code (CVC, the 3 digits on the back of the card) to deter fraudsters.
- Implement 3D Secure (Verified by Visa and MasterCard SecureCode) to reduce exposure to fraudulent orders.
- Make sure that the name of your website is similar to your trading account details to avoid consumer confusion on their bank statements. For example, don't run a website named ABC.COM while your trading name is XYZ, because it is the trading name that will appear on customers' card statements or internet banking.
- Resolve disputes with consumers promptly and effectively; don’t let them become charge backs.
- Promptly respond to charge back enquiries from your bank.
- When an order is taken, ensure delivery time frames are effectively communicated to customers. Ensure they’re informed if any delays occur.
Traps:
- Refunding to a different account still exposes you to charge backs from the card originating the payment.
- If an order looks too good to be true, be wary: call the purchaser and ask probing questions. Look at the size of the order, where it's from and who is paying. Talk to your bank for advice if in doubt.
Do I need a Privacy Policy and Terms and Conditions?
Again, it is recommended that a Privacy Policy and Terms and Conditions (T&Cs) are available on the site. These can save a lot of pain. Think of all the issues that need to be covered in the T&Cs – for example, are products returnable? In some countries the Privacy Policy must cover specific legal issues and needs to be compliant. Please check this.
Another issue that varies by country is the provision of company information and contact details. Providing company address and contact details on a website can add to the trust factor for buyers. There are legal requirements to show details such as an Australian Business Number (ABN) for GST Registration.
How should I handle fraud and malicious transactions?
If you sell online or even offline, some percentage of credit card transactions will fail – that’s just the way it is. On the negative side, if you accept payment on a credit card and it is not legitimate, then you may be up for a charge back. That will cost you real money and you lose both ways.
The recommendation is to talk to your bank and better understand the risk profile of the transactions.
You should also create a fraud profile that enables you to better understand the risk of accepting a transaction when you should not. There are many reasons for declined transactions, and increasingly we are seeing fraud as a common one. You should be able to work out your average decline rate and your average chargeback rate. Create a transaction profile that includes demographics and financial information. Your website analytics system can be very useful in helping you understand where visitors are coming from. Look out for unusual transactions by value, time of day, place of origin, product mix in the basket, or missing or invalid personal details. Always ask for a name, address, phone number and email address as mandatory information. If a transaction does not seem to be correct or valid, try to contact the customer. You can even use Google Maps to search for the address and see if it is real.
If you get a fraudulent transaction, always refund it to the card that was originally used; never refund to a different account, by cash or by cheque. The same rule applies to every refund that you process. Notify your bank that you have a suspicious transaction and let them know why.
Some payment providers now do fraud scanning as part of the service, such as the eWAY Beagle anti-fraud system. Be proactive and ask your e-commerce or payment provider what is available.
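The fraud profile described above (decline rate, chargeback rate, and flagging orders that are unusual by value, time of day, origin, basket mix or missing contact details) can be written down as a small set of scoring rules so that every order is checked the same way before fulfillment. The code below is an added example, not part of the article and not a PSP product such as Beagle; the rule weights, the thresholds, the assumption that the PSP tells you the card's issuing country, and the sample order history are all illustrative and constructed. The outcome is a recommendation only: "review" and "hold" both mean contacting the customer, as the article advises, and "hold" additionally means talking to your bank before shipping.

```python
"""Rule-based transaction risk profile for a small online store.

Added example. All weights, thresholds and sample data are constructed
assumptions; tune them against your own decline and chargeback history.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Transaction:
    order_id: str
    amount: float
    hour: int                 # local hour of day the order was placed, 0-23
    card_country: str         # issuing bank country (assumed supplied by the PSP)
    ship_country: str         # delivery address country
    ip_country: str           # visitor origin from website analytics/geolocation
    phone: str
    address: str
    items: dict = field(default_factory=dict)   # sku -> quantity
    status: str = "approved"  # approved | declined | chargeback


def decline_rate(history: list[Transaction]) -> float:
    """Share of attempted transactions the bank/PSP declined."""
    if not history:
        return 0.0
    return sum(t.status == "declined" for t in history) / len(history)


def chargeback_rate(history: list[Transaction]) -> float:
    """Share of settled transactions that later turned into charge backs."""
    settled = [t for t in history if t.status in ("approved", "chargeback")]
    if not settled:
        return 0.0
    return sum(t.status == "chargeback" for t in settled) / len(settled)


def risk_score(tx: Transaction, history: list[Transaction]) -> tuple[int, list[str]]:
    """Score an order 0..100+ with the reasons that fired. Weights are assumptions."""
    score, reasons = 0, []
    avg = mean(t.amount for t in history) if history else tx.amount

    if tx.amount > 3 * avg:                     # unusual by value
        score += 30
        reasons.append(f"amount {tx.amount:.2f} is over 3x the average order {avg:.2f}")
    if tx.card_country != tx.ship_country:      # card origin vs destination of goods
        score += 25
        reasons.append(f"card country {tx.card_country} differs from shipping {tx.ship_country}")
    if tx.ip_country not in (tx.card_country, tx.ship_country):   # place of origin
        score += 15
        reasons.append(f"visitor country {tx.ip_country} matches neither card nor shipping")
    if 1 <= tx.hour <= 5:                       # unusual time of day
        score += 10
        reasons.append(f"order placed at {tx.hour:02d}:00")
    if not tx.phone.strip() or not tx.address.strip():   # missing mandatory details
        score += 20
        reasons.append("phone or address missing")
    if any(qty >= 5 for qty in tx.items.values()):       # unusual product mix
        score += 10
        reasons.append("five or more units of a single item")
    return score, reasons


def decision(score: int) -> str:
    """Map a score to an action. Thresholds are assumptions."""
    if score >= 60:
        return "hold"      # contact the customer and talk to your bank before shipping
    if score >= 30:
        return "review"    # contact the customer to confirm the order
    return "approve"


# Constructed order history: seven approved, two declined, one charge back.
HISTORY = [
    Transaction("h1", 45.0, 14, "AU", "AU", "AU", "0400000000", "1 Sample St", {"book": 1}),
    Transaction("h2", 60.0, 9, "AU", "AU", "AU", "0400000000", "2 Sample St", {"book": 2}),
    Transaction("h3", 55.0, 19, "AU", "AU", "AU", "0400000000", "3 Sample St", {"mug": 1}),
    Transaction("h4", 70.0, 12, "AU", "AU", "AU", "0400000000", "4 Sample St", {"book": 1}),
    Transaction("h5", 80.0, 16, "AU", "AU", "AU", "0400000000", "5 Sample St", {"lamp": 1}),
    Transaction("h6", 50.0, 11, "AU", "AU", "AU", "0400000000", "6 Sample St", {"mug": 2}),
    Transaction("h7", 40.0, 20, "AU", "AU", "AU", "0400000000", "7 Sample St", {"book": 1}),
    Transaction("h8", 30.0, 13, "AU", "AU", "AU", "0400000000", "8 Sample St", {"mug": 1}, "declined"),
    Transaction("h9", 65.0, 15, "AU", "AU", "AU", "0400000000", "9 Sample St", {"book": 1}, "declined"),
    Transaction("h10", 400.0, 3, "AU", "US", "DE", "", "10 Sample St", {"phone": 4}, "chargeback"),
]

# Constructed incoming orders to score.
NORMAL = Transaction("o1", 65.0, 14, "AU", "AU", "AU", "0400000000", "11 Sample St", {"book": 1})
ODD = Transaction("o2", 200.0, 14, "AU", "AU", "NZ", "", "12 Sample St", {"gift-card": 5})
SUSPECT = Transaction("o3", 950.0, 3, "AU", "US", "DE", "", "13 Sample St", {"phone": 6})

if __name__ == "__main__":
    print(f"decline rate {decline_rate(HISTORY):.1%}, chargeback rate {chargeback_rate(HISTORY):.1%}")
    for tx in (NORMAL, ODD, SUSPECT):
        score, why = risk_score(tx, HISTORY)
        print(tx.order_id, score, decision(score), why)
```

The reasons list is the useful output: it tells the person phoning the customer what to ask about, and over time the rules that fire on orders that became charge backs show which weights to raise. Keep the history current, because the "average order" baseline moves as the business grows.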
What is Payment Card Industry (PCI) Data Security Standards (DSS) compliance and does it concern me?
If you want to accept credit cards online, we recommend that you use a Payment Service Provider and process the credit cards via a payment gateway. There are strict rules around the use and storage of credit card information, set by the Payment Card Industry through its Data Security Standard. You can find more information at www.pcisecuritystandards.org or through your bank.
Look for solutions that are PCI DSS compliant. Payment gateways have to be integrated into your website.
PCI DSS is a set of security standards developed by the world’s major credit card companies, including MasterCard and Visa. It is aimed at businesses that process credit or debit card transactions and consists of 12 control objectives to protect data.
How does it affect me?
If you use a reputable payment service provider then most of these issues will be handled by them. If you take credit card data on your web site using the manual credit card payment method then you need to be aware of the risk.
The 12 key guidelines are:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for passwords or other security parameters
- Protect stored cardholder data
- Encrypt the transmission of cardholder data and sensitive information
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security