As the world shifts from physical to digital, most businesses and their customers choose online payment methods over traditional cash. This change has introduced new hazards that companies worldwide have to face. Data breaches, identity theft, and payment fraud have already become part of everyday payment processing. Failure to mitigate technical and operational payment risks can cost you your reputation and billions in lost revenue. To protect your customers and your business while still delivering a great checkout experience, it’s crucial to identify the possible payment risks and implement the best risk management practices for mitigating them. Prevention is always better than cure.
Exploring the payment fraud types
It’s common for convenient one-click online payments to backfire on business owners and their customers. With the swift growth of e-commerce, card data leaks and e-commerce fraud have increased significantly. According to Merchant Savvy, global losses from online payment fraud will hit a record $34.69 billion in 2022, and this figure is expected to grow every year. Here’s a quick overview of the most widespread online payment fraud types.
Chargeback fraud
Chargebacks are a painful issue for any e-commerce business, especially for high-risk merchants. When a customer finds a way to abuse company policies, they may claim that they never ordered an item or that it was never delivered. Whatever the complaint, it is very time-consuming for issuing banks to investigate and dispute each case separately, so they often grant the cardholder’s request to keep them satisfied.
Friendly fraud
Friendly fraud is similar to chargeback fraud, but it is not carried out with malicious intent. For example, someone from the cardholder’s family uses the card without notifying the owner. Another common situation is when a customer receives a product that does not meet their expectations, or misunderstands the merchant’s shipping or return policies.
Card testing fraud
Credit card testing is a fraudulent activity in which someone checks whether stolen or generated credit card details are valid and can be used for purchases. Card testers usually make small payments that go unnoticed by the cardholder. The difficulty of tracking such small transactions makes this type of fraud highly attractive to criminals and frustrating for businesses, which get hit with plenty of chargebacks initiated by cardholders once they discover the suspicious activity.
It’s worth noting that companies with excessive chargeback rates run the risk of falling into the card networks’ dispute monitoring programs, such as the Fraud Monitoring Program (VFMP) or Excessive Fraud Merchant (EFM) from Visa and High Excessive Chargeback Merchant (HECM) from Mastercard. As a result, the merchant may lose its partnership with payment processors. Find out how to fight chargebacks in this article.
Return and refund fraud
This type of fraud involves stealing from a merchant by returning merchandise for a refund in violation of the merchant’s return policy. For example, a customer wears or uses an item intending to return it later, or a fraudster buys goods with a stolen credit card and returns the merchandise, asking the merchant for a cash refund. Another common type of refund fraud is when a buyer claims an item hasn’t been delivered or was only partially delivered. Since merchants may have weak control over shipping and packing, return and refund fraud is an easy target for swindlers.
Authorised push payment (APP) fraud
APP fraud is one of the fastest-growing types of scams in the business environment. To perpetrate APP fraud, scammers gain access to a company’s data by hacking its email account or through phishing, and then trick employees into willingly sending money to them. By tracking the company’s activity for some time, scammers choose the most appropriate moment to launch their attack, for example, the day rent, utilities, or financial services are paid. The fraudsters then send an email from a hacked or similar-looking email address, posing as partners or vendors of the company, sending fake invoices, or tricking employees into authorising payments. Most finance departments and outsourced teams don’t have the time and resources to re-validate the correct bank details for each payment.
How merchants can reduce payment risks
If you want to keep providing great products and services to your customers, the following steps will increase your business’s resilience to different payment risks.
Implement 3D Secure
3D Secure is the most widely adopted authentication protocol for enhancing payment processing security. It provides an additional layer of verification for card-not-present transactions, giving merchants confidence that the transaction is carried out by the cardholder and not by anyone else. The customer’s identity may be verified using passive, biometric, and two-factor authentication approaches.
3DS1 and 3DS2 allow merchants, card networks, and financial institutions to share information and assess risky transactions with minimal friction. Plus, when your payment provider uses 3D Secure to authenticate a payment, the transaction is considered completely safe, shifting liability for fraudulent chargebacks from the merchant to the issuer. This way, merchants can avoid operational risks and reputational losses from fraud.
Use fraud monitoring and anti-fraud systems
Payment fraud can be tough to detect, especially given the intricacy of the digital payment system. This is where fraud monitoring and risk management systems help: they identify possible financial and operational risks and reduce the number of suspicious operations.
An anti-fraud system is a comprehensive fraud monitoring and prevention system that verifies every online payment in real time. Current anti-fraud systems take many parameters into account to identify suspicious transactions, for example, the amount, the unique bank card token, the user’s digital fingerprint, the payer’s IP address, etc. Each anti-fraud system uses its own rules and filters, as well as machine learning, to detect and block fraudulent activity.
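To make the rule-based side of such a system concrete, here is an added example (not Corefy’s code or any real anti-fraud product) that scores transactions using exactly the parameters named above: amount, card token, device fingerprint and IP address. It also demonstrates how the card testing pattern described earlier shows up in those parameters: many different card tokens, micro-amounts and a high decline ratio from one IP or device within a short window. The thresholds, the field names and the sample traffic are all hypothetical and constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical rule thresholds; a real anti-fraud system tunes these per merchant.
WINDOW = timedelta(minutes=10)      # look-back window for velocity rules
SMALL_AMOUNT = 2.00                 # "micro-payment" ceiling typical of card testing
MAX_DISTINCT_CARDS = 5              # distinct card tokens tolerated per IP/device in WINDOW
MIN_HISTORY_FOR_RATIO = 3           # don't judge the decline ratio on fewer attempts
REVIEW_THRESHOLD, BLOCK_THRESHOLD = 30, 60


@dataclass(frozen=True)
class Transaction:
    ts: datetime
    amount: float
    card_token: str   # tokenised card reference; the raw PAN is never stored here
    fingerprint: str  # device/browser fingerprint supplied by the checkout page
    ip: str
    outcome: str      # "approved" or "declined" as reported by the issuer


@dataclass
class Decision:
    tx: Transaction
    action: str       # "allow", "review" or "block"
    score: int
    reasons: list[str] = field(default_factory=list)


def score_transaction(history: list[Transaction], tx: Transaction) -> tuple[int, list[str]]:
    """Rule-based risk score for tx, given the earlier transactions in history."""
    # Only earlier attempts from the same IP or device within WINDOW count as context.
    recent = [h for h in history
              if tx.ts - WINDOW <= h.ts <= tx.ts and (h.ip == tx.ip or h.fingerprint == tx.fingerprint)]
    score, reasons = 0, []

    # Rule 1: many different cards from one IP/device is the signature of card testing.
    distinct_cards = {h.card_token for h in recent} | {tx.card_token}
    if len(distinct_cards) > MAX_DISTINCT_CARDS:
        score += 50
        reasons.append(f"{len(distinct_cards)} distinct cards from one ip/device within {WINDOW}")

    # Rule 2: a burst of micro-amount attempts, which testers use to stay unnoticed.
    small_recent = sum(1 for h in recent if h.amount <= SMALL_AMOUNT)
    if tx.amount <= SMALL_AMOUNT and small_recent >= 2:
        score += 30
        reasons.append(f"burst of {small_recent + 1} micro-amount attempts")

    # Rule 3: a high decline ratio means someone is guessing which cards still work.
    if len(recent) >= MIN_HISTORY_FOR_RATIO:
        declined = sum(1 for h in recent if h.outcome == "declined")
        ratio = declined / len(recent)
        if ratio >= 0.5:
            score += 30
            reasons.append(f"decline ratio {ratio:.0%} over {len(recent)} recent attempts")
    return score, reasons


def screen(transactions: list[Transaction]) -> list[Decision]:
    """Replay transactions in time order, scoring each against what came before it."""
    history: list[Transaction] = []
    decisions = []
    for tx in sorted(transactions, key=lambda t: t.ts):
        score, reasons = score_transaction(history, tx)
        action = "block" if score >= BLOCK_THRESHOLD else "review" if score >= REVIEW_THRESHOLD else "allow"
        decisions.append(Decision(tx, action, score, reasons))
        history.append(tx)  # recorded regardless of decision so later rules still see the attempt
    return decisions


# Constructed sample traffic (not real data): one genuine shopper plus a card-testing
# run of eight $1.00 attempts on different tokens from a single IP and device.
_BASE = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_TRANSACTIONS = [
    Transaction(_BASE + timedelta(minutes=5), 49.99, "tok-legit", "fp-shopper", "198.51.100.20", "approved"),
] + [
    Transaction(_BASE + timedelta(seconds=30 * i), 1.00, f"tok-{i:03d}", "fp-tester", "203.0.113.7",
                "approved" if i in (3, 6) else "declined")
    for i in range(8)
]

if __name__ == "__main__":
    for d in screen(SAMPLE_TRANSACTIONS):
        print(f"{d.tx.ts:%H:%M:%S} {d.tx.card_token:<10} {d.tx.amount:>6.2f} -> "
              f"{d.action:<6} score={d.score:<3} {'; '.join(d.reasons)}")
```

Run as a script, the genuine purchase and the first two test attempts are allowed, the third is sent to review, and everything from the fourth attempt onwards is blocked, while the accompanying reasons give a reviewer the evidence behind each decision. Note that declined attempts are kept in the history on purpose: the decline ratio and card-count rules only work if the system remembers failed attempts, not just approved ones.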
Ensure PCI DSS compliance
The PCI DSS is an international standard that aims to ensure that all organisations involved in accepting, processing, transmitting, and storing payment information take due care of the security of their customers’ sensitive data. PCI DSS compliance means adherence to the list of requirements set by the Payment Card Industry Security Standards Council. If you or your third-party payment provider don’t comply with the PCI standard, it is a strong signal that the data may be compromised and used for fraudulent purposes. In addition to damaging a company’s reputation, non-compliance can lead to hefty fines.
More detailed information on PCI DSS compliance is provided in this article.
Train and educate
Reducing payment risks for online businesses is a complex and ongoing process requiring every team member’s involvement. Besides sophisticated tools and techniques, payment fraud often relies on social engineering tricks that target company employees. Train your staff to recognise fraudulent emails and phone calls and to avoid following suspicious links, and develop an internal risk management policy to guide each team member in the event of an incident. It’s essential to keep your knowledge base (if you have one) up to date and to look for new ways to prevent payment hazards before they arise.
Choose trusted payment partners
Since most businesses rely on a third-party provider to process their transactions, your payment partner must be fully secure and compliant.
There are three main building blocks of a secure payment infrastructure:
- Infrastructure reliability. Corefy’s PCI-compliant payment platform runs entirely on AWS, relying on security best practices and auditability. Our entire infrastructure is monitored by a series of internal monitoring platforms that alert our engineers around the clock, 365 days a year, to predicted failures, warnings, and hard errors.
- Security management. We scan, monitor, and run penetration tests to guard against suspicious or unauthorised activities. To enhance security, all inbound and outbound traffic from our platform is monitored by an active intrusion prevention system (IPS), which blocks common exploits and zero-day attacks.
- Ultimate data protection. When it comes to your company’s sensitive payment data, we use up-to-date security practices to keep everything safe. All details are managed using multiple encryption keys with split knowledge and dual control. Plus, we don’t store raw magnetic stripe data, validation codes, or PIN blocks.
Now you understand the risks you may face and how to minimise them. Online payment security is a vast issue that requires a comprehensive strategic approach. Every payment method involves risk, and a lot depends on the payment services provider you choose. Mitigating your payment risks becomes much easier when you trust a reliable payment partner like Corefy to process your payments. We do our best to protect your business and your customers’ privacy, data, and money.