Managing your money and cash flow has never been easier.
Learn More
July 29, 2021
Average Read Time: 5 minutes
By now, even the not-so-aware know that ecommerce soared in the past year. After all, if they don’t read the news or appreciate the statistics, surely they’ve noticed all the cardboard boxes left on their (and the neighbors’) doorsteps.
Driven by the pandemic, total U.S. ecommerce sales jumped 32.4% in 2020, reaching levels not previously expected until 2025, according to the IBM U.S. Retail Index. And ecommerce is here to stay. Estimates indicate that it will bring in more than $843 billion in sales this year, up another 8% over last year.
Of course, with online shopping comes online payment. And to no one’s surprise, with the increase in online payment came an increase in credit and debit card fraud. As payments moved online, fraudsters followed.
A recent Federal Trade Commission report shows that the government agency returned $483 million to victims of fraud and identity theft in 2020, an increase of 108% over the previous year, according to Credit Card Insider. Reports of credit card fraud jumped by 107% from the beginning of 2019 to the end of 2020.
All told, online sellers will lose $130 billion to payment fraud between 2018 and 2023, Juniper Research estimates. Losses come from merchandise shipped and never recovered, refunds to scammed cardholders, and chargeback fees for processing fraudulent purchases. If sellers experience too many fraudulent charges, they can lose their merchant bank accounts and therefore their ability to process card transactions -- a major blow to any ecommerce business.
Merchants in general are aware of security risks and concerned about them. Our own Small Business Survey Report found that businesses rank security and privacy as the main factor in selecting financial tools. Almost two-thirds of respondents said security/fraud is their #1 challenge.
Given the prevalence of payment card fraud and its cost to businesses, the worry is understandable. But merchants aren’t powerless in the face of fraud; they can take steps, and good ones at that, to limit it. Following are four effective ways to reduce instances of payment card fraud.
PCI compliance means following the Payment Card Industry Security Standards Council rules to protect customer payment card data. Maintaining payment security is required for all entities that store, process, or transmit cardholder data, including merchants. And merchants aren’t only responsible for their own PCI compliance; they must ensure the compliance of any vendors that supply them with software or services. That includes payment processors.
Guidance for maintaining payment security is provided in PCI security standards. A payment processor should be PCI-compliant and be able to assist you with your compliance, such as providing PCI checklists for your use. Some merchant services providers, including MerchantE, have a PCI program to assist businesses in complying with the rules. The program includes reimbursement to help merchants cover costs in the event of a data breach, which does add additional peace of mind.
The Address Verification Service (AVS) is a tool provided by credit card processors and issuing banks to merchants to help detect suspicious credit card transactions. AVS checks addresses provided at the time of sale against those that cardholders have on file with their issuing banks. The AVS responds with a code that helps a merchant understand if the transaction has a full AVS match. If it doesn’t, further investigation is necessary: check the CVV (see section below), email address, and/or IP address on the transaction, or allow your payment gateway to decline the transaction.
AVS is typically an option that a merchant can choose to enable, or not. It is an effective fraud-fighting tool for card-not-present transactions, but also can play a role in reducing payment card interchange fees. Visa and Mastercard both support AVS globally, and in the U.S., Visa incentivizes businesses to use AVS by providing a lower interchange rate when they do.
The Card Verification Code (CVV) is the 3- or 4-digit code on every credit card that acts as an added security measure when cardholders pay online. CVVs verify that they are in possession of a physical card and should never be stored in a database by a merchant or payment processor. They aren’t a guarantee against fraud, of course, as someone could steal a card and have enough additional information (such as an address and/or zip code) to use it.
While some merchants choose not to ask for CVVs (often because they fear reducing conversions), that’s a mistake. CVV codes are an important line of defense against fraud. If an order is placed on your website and the CVV does not match the credit card number, you should allow your payment gateway to decline the transaction.
With stolen card information, fraudsters will take a shot at making large transactions before the card is blocked. If you allow a fraudulent transaction, you’ll bear the cost. You can limit the number of large transactions by specifying a ceiling for the amount you’ll allow any one customer to charge.
While payment card fraud causes billions of dollars in losses to merchants each year, small businesses suffer disproportionately. A big business “can absorb . . . even a pretty significant loss,” said Julie Fergerson, CEO of Merchant Risk Council. “If a small one-shop business or a restaurant all of a sudden has a $10,000 loss, that could be the difference between making payroll and not making payroll for that company.”
Small businesses moving into the world of online commerce can be particularly vulnerable. Transactions often scale faster than their fraud protections, opening the door to losses.
With the digital economy evolving rapidly, businesses both large and small need to evaluate how they mitigate payment card fraud. The steps outlined above will take you a long way. In addition, ask your payment processor what it does to guard against card fraud – and how it can help you with best practices and tools to help prevent it.
Ensuring the privacy and security of data entrusted to us is at the core of MerchantE's mission.
