Site iconSite icon IFSEC Insider | Security and Fire News and Resources

Retailers: how to build trust online

The biggest unknown in e-commerce is trust – between customer and merchant, and vice-versa. The customer parts with card details, trusting the merchant to take the funds and dispatch their goods promptly. For its part, the merchant trusts that the customer is indeed the authorised card holder.

When fraud does occur, however, it causes tremendous upset for merchant and customer alike. The merchants do, in the main, view fraud as someone else’s problem. According to a survey of smaller online retailers we commissioned over the summer, more than 80% of respondents said either banks, payment companies or card issuers should be the ones to deal with it.

Sadly, this is not the case. If a customer experiences fraud on a particular site, they’re unlikely to return. Perhaps for this reason, consumers still overwhelmingly gravitate towards the bigger online retail names, putting lesser-known companies at a disadvantage.

That said, it’s possible to turn back this particular tide, building trust with customers and protecting the business from excessive fraud claims. The keys to online trust are to be found in the payment platform which handles the money.

Doing the detective work

First, let’s dispel a myth. Eradicating fraud altogether is impossible. Luckily, a great many fraudsters leave tell-tale signs behind which security professionals can discern quite easily. For example, a simple check involves ensuring a match with the CVV (cardholder verification value) code printed above the signature strip on the card. This confirms that the buyer is actually holding the card.

Discrepancies between the cardholder’s address and the dispatch order for the goods is another key indicator. One can take this a step further by cross-checking the geographic location of the customer’s computer IP address and matching this with the card’s country of issue.

These are but a couple of dozens of different checks and tests that can be performed. Yet in an environment where one might be processing hundreds – if not thousands – of transactions every day, it’s simply not practical to check each one manually. The online payment system needs to be able to carry out many of these checks automatically, and produce a live assessment of each transaction, ideally before the funds change hands.

This real-time insight is vital. If a transaction that had been accepted is later declared as fraudulent, the burden of proof lies on the merchant to prove its legitimacy. Therefore, any detective work which can be done before payment is actually made will help retailers drastically reduce their exposure.

To contain the damage caused by the few instances of fraud that do slip through the net, retailers need to be ready to defend their due diligence to the card issuers. The ‘Chargeback’ mechanism used by card issuers to recover losses due to fraud requires the retailer to show that all reasonable checks were carried out at the time of sale. Any failure to provide detailed, documented evidence will immediately elicit the suspicions of the card companies. Persistent offenders risk being ‘blacklisted’. In other words, suspended altogether from accepting card payments.

Setting the standards for payment protection?

In response to ballooning levels of fraud across the globe, card issuers are developing standards and technologies to prevent card data theft and create more barriers for counterfeiters. Two initiatives in particular stand out: the Payment Card Industry Data Security Standard (PCI DSS) – already covered in some detail by SMT in print and online formats – and 3D Secure. Both should be viewed as de facto requirements for any e-commerce site, but neither is particularly straightforward to implement unaided.

Using an externally hosted payment platform which already supports these capabilities does, however, make the merchant compliant by default. In other words, outsourcing the payment platform can do the job of compliance for you.

The PCI DSS sets stringent technical requirements for ensuring cardholder data is encrypted and stored in highly secure systems to minimise any possibility of it being stolen. This has been mandatory for all retailers since June 2008, but securing compliance is no easy feat (particularly so in the case of online retailers). The standard is very exacting when it comes to the security of online payment applications.

3D Secure is better known by its brand names Verified by Visa and Mastercard Securecode. This adds an extra layer of authentication to the payment process by prompting the cardholder to enter a secret PIN code before the transaction is finalised. Since the code is supposed to be known only to the cardholder, it offers a solid liability shield for the merchant. If the vendor can show a disputed transaction was 3D Secure approved, in most cases they’ll not be liable for a penny.

Building trust with the customers

Using payment technology to manage fraud risks and limit liabilities is all well and good, but the final piece of the puzzle lies in demonstrating this trustworthiness to customers themselves.

According to our survey, over 90% of online shoppers look out for at least three different online security features – such as the padlock icon in the browser tray or a ‘Verified by Visa’ logo – before clicking ‘pay’. However, we also found that four-in-five would ‘trust’ a site that was clear and easy to use, regardless of its security features. Clearly displaying these hallmarks – and those of the payment provider used – will do much to allay consumers’ concerns over security and fraud.

By way of a final statement, it’s worth bearing in mind that in today’s tightening economic climate, consumers may be drawn more than ever to sites with offers that could be, quite literally, too good to be true. People need to remain on their guard against criminals. The retail sector as a whole has a role to play in educating the public along those lines.

Alessandro Hatami is managing director of PayPoint.net

Exit mobile version