Online transactions are still the weakest point of the card payment network, as a stolen card can easily be used online on sites where basic security features are not implemented. Some of these features may be enabled automatically by your payment gateway, or you may have to turn them on yourself. Make informed decisions, based on your business needs, rather than going with default settings.
Account settings
- 3D Secure. This is an extra step requiring customers to enter a password (“Mastercard secure” or “Verified by Visa”). As well as guarding against genuine crime, 3D Secure can protect you from disputes in grey areas where, for example, a teenager has used a parent’s credit card, or an employee has made an unauthorised purchase on a business card.
- AVS – Automated address verification. AVS requires the customer’s billing address and checks that it’s the address where the card is registered.
- Overseas. You may wish to restrict transactions involving certain high-risk countries.
- IP addresses – software is available that will check whether the computer used to place an order is located in the same country as the billing address.
Office practice
- All your computer networks must be fully secured, including wireless routers.
- Make sure all computers that access your card payment systems have fully up-to-date virus protection.
- Choose secure login details with strong passwords for the order processing side of your website and for your card processing software.
- Do not allow staff to share login details.
- When a member of staff leaves, make sure their login is completely deactivated.
- Prevent staff from being able to access sensitive systems on their smartphones, tablets or personal computers by restricting logins to your office IP address.
- Bogus refunds are a common method of insider fraud – all card refunds should be signed off by a supervisor.
- Set up user groups with different levels of access, so that sensitive information and processes are available only to those who actually need them.
Don’t assume that if a payment has been accepted by your payment gateway then everything is fine. Keep an eye out for odd behaviour, such as multiple orders from the same email address but with different details, deliveries to PO boxes or hotels, or large order quantities. Be wary of last-minute large orders, or orders for bespoke goods or services where the buyer doesn’t seem interested in the details.
You know your business better than anyone, and so you are in the best position to notice any strange purchasing patterns. If in doubt, contact your merchant provider, or decline the transaction.
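The warning signs listed above can be checked automatically before an order is dispatched. The following is an added example, not part of the original guidance: the order field names, the address patterns and the quantity threshold are all assumptions to adapt to your own shop.

```python
import re
from collections import defaultdict

# Assumed patterns and threshold; tune them to your own order history.
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
HOTEL = re.compile(r"\b(hotel|motel|inn)\b", re.IGNORECASE)
MAX_QUANTITY = 10

def flag_orders(orders):
    """Return {order_id: [reasons]} for orders that deserve a manual review."""
    flags = defaultdict(list)
    by_email = defaultdict(list)
    for order in orders:
        by_email[order["email"].strip().lower()].append(order)
        if PO_BOX.search(order["ship_to"]):
            flags[order["id"]].append("delivery to PO box")
        if HOTEL.search(order["ship_to"]):
            flags[order["id"]].append("delivery to hotel")
        if order["quantity"] > MAX_QUANTITY:
            flags[order["id"]].append("large quantity")
    # Same email address, but differing customer name, card or delivery address.
    for group in by_email.values():
        details = {(o["name"].lower(), o["card_last4"], o["ship_to"].lower()) for o in group}
        if len(group) > 1 and len(details) > 1:
            for o in group:
                flags[o["id"]].append("same email, different details")
    return dict(flags)

# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    {"id": "A1", "email": "jo@example.com", "name": "Jo Smith", "card_last4": "1111",
     "ship_to": "12 High Street, Leeds", "quantity": 1},
    {"id": "A2", "email": "JO@example.com", "name": "Mark Brown", "card_last4": "2222",
     "ship_to": "PO Box 44, Leeds", "quantity": 2},
    {"id": "A3", "email": "sam@example.com", "name": "Sam Lee", "card_last4": "3333",
     "ship_to": "Room 210, Grand Hotel, Brighton", "quantity": 40},
    {"id": "A4", "email": "ann@example.com", "name": "Ann Ray", "card_last4": "4444",
     "ship_to": "3 Mill Lane, York", "quantity": 1},
    {"id": "A5", "email": "ann@example.com", "name": "Ann Ray", "card_last4": "4444",
     "ship_to": "3 Mill Lane, York", "quantity": 2},
]

if __name__ == "__main__":
    for order_id, reasons in flag_orders(SAMPLE_ORDERS).items():
        print(order_id, "->", ", ".join(reasons))
```

A flag here means the order should be looked at by a person before it ships; a repeat customer such as the one behind orders A4 and A5 is not flagged because the details match.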
Remember to follow your merchant provider's own fraud prevention procedures. We also recommend that you read the detailed guidelines published by the UK Card Association in the “merchants” section of their website.