When it comes to preventing and protecting against ecommerce fraud, businesses need to stay on top of their game.
That’s why we’ve compiled this list of online fraud protection terms and definitions.
Use this all-in-one glossary to stay up-to-date on the latest developments, emerging concepts and rapid-speed ecommerce growth in the fight against online fraud.
We continually update this glossary as new fraud-related terms emerge, and we invite you to check back periodically to stay up to speed.
A
Account Takeover (ATO) Fraud
Account takeover (ATO) fraud is a type of identity theft that occurs when a fraudster uses part of a victim’s identity, such as their Social Security number or email address, to take over the victim’s account.
Fraudsters gain access to a victim’s account through a data breach, malware, phishing and even hacking into mobile phones. Once they have the victim’s credentials, a fraudster will update the account’s contact information and take control of the account. All the while, the victim has no idea their account has been compromised.
ATO fraud has been a growing concern for years. With the pandemic increasing ecommerce traffic exponentially, this type of fraud accounted for every fifth login attempt and 13% of U.S. ecommerce fraud costs in 2021.
Businesses that sell subscriptions often find themselves at a particularly higher risk for ATOs. In these scenarios, companies often become complacent because they’ve already established a relationship with the customer; as a result, if the customer becomes a victim of fraud, multiple fraudulent transactions can potentially be approved before the business realizes what’s happened.
Address Verification System (AVS)
Address verification system (AVS) is a fraud filter many companies use to prevent potentially fraudulent orders from processing. It involves an automatic comparison between the billing and shipping address numbers the customer enters and those on file with the card-issuing bank. If the numbers don’t match, the transaction may be either automatically declined or flagged for manual review.
At the same time, AVS is one of the biggest contributors to false declines. After all, who hasn’t forgotten to update their address after a move or made an online gift purchase during the holiday season and had it shipped directly to the recipient? That’s why transactions with AVS mismatch should be flagged for manual review instead of automatically denied.
C
Card-Not-Present (CNP) Fraud
Card-not-present (CNP) transactions are exactly what they sound like. A customer makes a purchase online where they’re not physically present to show the credit card. While this payment method is convenient for customers and essential to online retailers, it also creates the opportunity for CNP fraud.
CNP fraud is similar to ATO fraud in that it’s usually the result of cybercriminals stealing credit card information — often by skimming or purchasing data on the dark web — and then using the information to make fraudulent purchases. Fraudsters often purchase high-value items, like electronics, to get the most “bang for their buck” before a cardholder realizes their account has been compromised.
On the business side, CNP fraud usually results in significant costs, including the loss of product, shipping expenses, chargeback fees and damage to reputation.
Retailers lost more than $20 billion in 2021, an 18% increase from the year before. As businesses continue transitioning to chip card (EMV) technology, fraudsters will continue to look for new ways to exploit website security vulnerabilities.
Card Verification Value (CVV)
Card verification values (CVVs) are three- to four-digit numbers on either the back or front of credit cards that can help reduce the risk of credit card fraud. These numbers are printed on the card, rather than embossed or stored in the magnetic strip. As a result, requiring these numbers can minimize card-not-present (CNP) fraud, since fraudsters will generally need to have the card in hand to have this information.
Requiring a CVV for every purchase can add another layer of security to online transactions. If the number the customer provides matches what the bank has on file, the transaction can be safely processed. Some credit card issuers will even provide one-time-use CVVs for online purchases, further increasing the security of transactions.
American Express uses a four-digit card identification (CID) code, while MasterCard’s card validation code (CVC2) and Visa’s CVV2 codes are three digits.
Chargebacks
When customers see purchases on their accounts they don't recognize or didn't make, they usually contact their payment processor to request a reversal. From there, the payment processor will investigate the transaction and require proof a legitimate purchase was made. If it’s determined the transaction should be reversed, the business must refund the amount of the transaction and pay an associated fee to the payment processor.
That fee is called a chargeback.
Chargebacks are difficult (but not impossible) to fight, and can be devastating to businesses: For every dollar in chargebacks, merchants lose $2.50 in time, fees, physical goods and shipping costs. Chargebacks can also threaten a merchant’s relationship with payment processors if their chargeback rate is too high.
Chargeback Fees
When a customer opens a chargeback dispute, most acquiring banks immediately return the transaction amount to the customer while the dispute is researched. The bank will also automatically deduct chargeback fees from the company’s account.
For every $1 in chargeback losses, businesses must spend an additional $2.50 on restocking, replacements and fees. And that includes the chargeback fees assessed by the business’s acquiring bank and the credit card processor.
Chargeback Fraud
While chargebacks were established to protect customers against the losses that arise due to both identity theft and unfair business practices, customers are increasingly taking advantage of the loophole that automatically favors customers during a credit card dispute. In these scenarios, the customer files a chargeback on a legitimate transaction so they can keep the product and receive a full refund on the original purchase.
This leaves the company on the hook for the lost revenue they would’ve earned on the sale, plus expensive chargeback fees — not to mention the potential loss of their business account if their chargeback ratio is too high.
Unfortunately, 86% of chargebacks are deemed fraudulent, and they increase at a rate of more than 20% each year.
Chargeback Insurance
For businesses that accept credit cards, chargeback insurance provides a 100% guarantee that protects the company in the event the fraud solution partner approves a transaction that turns out to be fraudulent and results in a chargeback. Should this happen, the fraud solution partner pays the entire cost of the chargeback.
A good chargeback insurance program works just like any other type of insurance by covering the losses the insured party incurs after paying a nominal premium to the chargeback insurance company.
Chargeback Protection
Chargeback protection generally covers a portion of the losses a business might incur due to fraudulent transactions. Although chargeback protection works to limit fraud losses, it won’t reimburse businesses fully for chargebacks that happen. Instead, businesses receive invoice discounts based on predetermined KPIs that aren’t met.
Chargeback protection can vary greatly by the vendor. Some vendors don’t cover against any losses, instead simply offering tools to help monitor transactions and identify fraud, leaving businesses responsible for any and all chargebacks and penalties.
Chargeback protection also doesn’t protect against damage to the seller’s reputation or against potential increases in payment processing fees that may occur as a company’s chargeback ratio increases.
Chargeback Ratio
A company’s chargeback ratio is the number of chargebacks compared to the overall transactions for a given month. As the number of chargebacks against a retailer rises, so does the ratio.
It’s important to note that each card issuer calculates this ratio slightly differently. Visa, for instance, divides the current month’s number of chargebacks by the current month’s number of transactions. But MasterCard divides the current month’s number of chargebacks by the previous month’s number of transactions.
However, regardless of the issuer, businesses will want to keep their chargeback ratios low—ideally less than 1% of total transactions. A chargeback ratio higher than 1% puts businesses at risk of losing their banking services, of higher program fees and of a high-risk business status. Companies with exceptionally high chargeback ratios may even lose their processing privileges entirely.
Unfortunately, even chargebacks a company wins are still counted against their ratio.
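The two calculations described above, worked through on constructed monthly figures for a hypothetical merchant; this is an added example, not part of the glossary, and the figures, month labels and the 1% limit check are assumptions for illustration. It also shows why subtracting won chargebacks before dividing understates the real ratio.

```python
from fractions import Fraction

# Constructed monthly figures for a hypothetical merchant (not data from the glossary).
# "chargebacks" counts every chargeback filed that month, including ones later won.
MONTHS = {
    "2023-01": {"chargebacks": 60, "chargebacks_won": 20, "transactions": 7000},
    "2023-02": {"chargebacks": 90, "chargebacks_won": 30, "transactions": 8000},
}

LIMIT = Fraction(1, 100)  # the 1% ceiling the glossary recommends staying under


def visa_ratio(months, month):
    """Visa-style: this month's chargebacks over this month's transactions."""
    m = months[month]
    return Fraction(m["chargebacks"], m["transactions"])


def mastercard_ratio(months, month, prev_month):
    """MasterCard-style: this month's chargebacks over the previous month's transactions."""
    return Fraction(months[month]["chargebacks"], months[prev_month]["transactions"])


def misleading_ratio(months, month):
    """The mistake: subtracting won chargebacks before dividing. Won chargebacks
    still count against the ratio, so this number understates the real figure."""
    m = months[month]
    return Fraction(m["chargebacks"] - m["chargebacks_won"], m["transactions"])


def assess(months, month, prev_month):
    """Return both network ratios plus whether each one breaches the 1% limit."""
    visa = visa_ratio(months, month)
    mc = mastercard_ratio(months, month, prev_month)
    return {
        "visa": visa,
        "visa_over_limit": visa > LIMIT,
        "mastercard": mc,
        "mastercard_over_limit": mc > LIMIT,
    }


if __name__ == "__main__":
    report = assess(MONTHS, "2023-02", "2023-01")
    for key, value in report.items():
        shown = f"{float(value):.4%}" if isinstance(value, Fraction) else value
        print(f"{key:22} {shown}")
    wrong = misleading_ratio(MONTHS, "2023-02")
    print(f"{'wins subtracted':22} {float(wrong):.4%}  (looks safe, but is not the real ratio)")
```

Note that the same month of chargebacks lands on different sides of the 1% line depending only on which month's transaction count is the denominator, so a merchant has to track both figures.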
Credit Card Fraud
Credit card fraud refers to theft in which a credit or debit card is used to pay for a transaction, with the intention of keeping the goods and services without paying for them.
Types of credit card fraud include identity theft, CNP fraud and ATO fraud. Fraudsters may obtain a victim’s credit card data by buying the information on the dark web, by using skimmers at gas station pumps or through corporate data breaches.
Ecommerce has made it even easier for fraudsters to use this stolen data, and credit card fraud rose by 44.7% between 2019 and 2021 with 393,207 fraud reports. The true cost of credit card fraud for businesses is more than just the cost of lost merchandise — it also includes lost profits, bank fees and chargeback costs.
D
Dark Web
The dark web (also known as the deep web) is a hidden part of the World Wide Web that’s not indexed by traditional search engines like Google. Dark websites use a layered network structure to encrypt web traffic within multiple layers and bounce traffic to random computers worldwide. Each bounce removes a layer of encryption, preventing anyone from matching the traffic’s origin with its destination.
A surprising variety of goods and services are available for purchase on the dark web, like credit card numbers, fake college degrees, contract killers, stolen Social Security numbers and more.
While there are an estimated 3.66 billion indexed pages on the internet, there are an estimated—and astonishing—7,500 TB of information on the deep web.
Data Breaches
Data breaches occur when sensitive, protected or confidential data (like banking information, health data, passwords or credit card information) is accessed or disclosed through unauthorized means.
Breaches can occur through weak passwords, determined hackers, phishing attacks, missing software patches and more. Data breaches don’t have to be big events like the Facebook breach. They can happen simply as a result of an unauthorized employee watching an authorized employee enter login credentials to a secure site.
U.S. data breaches in 2021 reached their highest number at 1,862, up a whopping 68% from 2020. Exposure of sensitive information such as Social Security numbers was at 83%—up from 2020, but not as high as in 2017.
Deep Learning
Deep learning, a collection of machine learning techniques, is a multilayered approach to learning in which human analysts feed a learning algorithm and vast amounts of data to a computer, which then teaches itself how to make decisions about that data.
The result: Deep learning uses an extensive neural network to ask (and answer) questions about the data and to extract numerical data, using the answers to solve problems that require thought and successfully manage the complexity of classifying datasets.
Amazon uses deep learning today to predict what consumers want to buy (even if the customers don’t yet know it themselves). Google uses it to better understand spoken requests and commands, and Netflix leverages deep learning to suggest what viewers should watch next.
Digital Wallets
Digital wallets like PayPal, Google Wallet, Amazon Wallet and Apple Pay make it easier and faster for customers to make purchases online and at brick-and-mortar locations. Stored on smartphones, this payment method is most popular with younger generations (millennials and Gen Z) and uses advanced encryption technology and passwords to protect against lost phones being fraudulently used for spending sprees.
Not only do these digital wallets store credit card information, but they also store boarding passes and gift cards, allowing people to carry far more data than they ever could in a physical wallet. And with a simple wave or tap of their phones, customers can complete transactions in moments.
In 2020, the number of unique digital wallet users reached 2.6 billion. That number is expected to top 4.4 billion globally by 2025.
Dispute
The Fair Credit Billing Act, created in 1975, established the dispute (or chargeback dispute) process that results from customers questioning and contesting transactions on their statements. Disputes can arise from fraudulent charges, unreceived merchandise, forgotten recurring charges or defective merchandise.
The dispute process starts when a customer contacts the company directly in an attempt to resolve the dispute, which may lead to a chargeback with their credit card company to resolve the dispute. In 2020, businesses lost $17.5 billion to chargebacks.
E
Ecommerce
Electronic commerce (ecommerce) refers to transactions that occur through an electronic medium between businesses and consumers. In common usage, however, ecommerce generally refers to buying and selling products over the internet and can be divided into three categories:
- Business to business (B2B)
- Business to consumer (B2C)
- Consumer to consumer (C2C), also known as person to person (P2P)
As a result of the pandemic, ecommerce in the United States achieved five to seven years’ worth of growth in a matter of mere months: Total volume reached $870.8 billion in 2021, up 14.2% from 2020.
The first ecommerce transaction was said to be a cannabis sale in 1971 or 1972 between students at the Stanford Artificial Intelligence laboratory and the Massachusetts Institute of Technology via the ARPANET. But Mrs. Jane Snowball, age 72, made history as the first online home shopper, when she ordered groceries from Tesco in 1984.
Ecommerce Apps
Ecommerce applications, also called mobile apps, are types of application software that let customers browse and make purchases on mobile devices, like smartphones or tablets. They act much like a retailer’s website, capturing payment information and processing transactions. The difference is they condense functionality to fit on smaller screens while they increase interactivity.
Simple apps let customers browse and make purchases; more complex apps enable location-based features and integrate with social media.
Ecommerce Platform
An ecommerce platform is software technology that lets ecommerce businesses open and manage an online storefront; sell products and services; and perform other functions, like send emails, integrate with social media and create loyalty programs. There are an estimated 12-24 million stores using ecommerce platforms to sell their products online.
Some of the most common platforms include BigCommerce, Magento (now Adobe Commerce), Shopify, Oracle, VTEX and WooCommerce. These platforms range from the simple and free to the complex and expensive; selecting the right platform depends on a business’s budget, goals and needs.
EMV
EMV (or “chip”) technology was developed by Europay, MasterCard and Visa (hence the name “EMV”) to help make credit card and debit transactions more secure. A microprocessor chip is embedded in these cards, and the chip interacts with a business’s point-of-sale system to validate the card. As the new global standard for credit and debit cards, these new cards improve security by being nearly impossible to duplicate.
That’s been bad news for fraudsters. Visa reported in 2019 that EMV adoptions have caused fraud to decrease by 87% among the top five EMV-compliant businesses.
Although EMV has helped protect consumers from card-present fraud, it has done little to decrease online fraud rates. In fact, as criminals shift to the easier targets of ecommerce transactions, card-not-present (CNP) and account takeover (ATO) fraud has been on the rise. Technology opens new opportunities for tech-savvy fraudsters, making even cutting-edge solutions like EMV not enough to stop determined cybercriminals.
F
False Declines
False declines (also called “false positives”) happen when a legitimate transaction is flagged by a business’s fraud protection system and is inadvertently declined. It often occurs because a cardholder trips a business’s fraud detection program (for example, making a large purchase that’s being shipped somewhere other than the customer’s billing address) and is wrongly identified as a fraudster.
False declines are surprisingly common: Nearly 90% of valid transactions are declined.
And while false declines are embarrassing and inconvenient for customers, they’re also costly to businesses: False declines cost businesses more than $118 billion in sales yearly—13 times more than losses to actual ecommerce fraud.
Fraud
Fraud refers to any instance in which a person gains something of value—ranging from money to physical goods to services—through deliberate criminal deception or omission.
There are myriad types of fraud—including investor, accounting, credit card and insurance fraud—but the end goal is the same: A criminal knowingly receives a benefit they’re not rightfully entitled to.
Fraud Analyst
A fraud analyst monitors customer or business accounts and transactions to identify and prevent suspected fraud. Transactions may be flagged for any number of reasons, including transaction type and amount, shipping/billing address mismatch, or a higher-than-usual volume. If the analyst sees a high-risk or a suspicious transaction, they’ll flag it for further analysis, which may involve contacting the account holder or conducting more research.
Analysts must constantly study fraud prevention, chargeback trends and the evolution of fraudsters’ criminal techniques to ensure no instances of fraud slip by. These human analysts are often used as a complement to machine-learning algorithms to form a comprehensive approach to fraud prevention.
Fraud Filter
Fraud filters are tools businesses add to their ecommerce store to prevent potentially fraudulent orders from processing. They’re commonly included in ecommerce platforms and can be set up to either warn businesses of a potentially fraudulent transaction or cancel an order entirely if it fits certain criteria characteristic of fraud.
There are many different types of fraud filters; some of the more common ones include velocity filters, time of purchase, address verification system (AVS), card verification value (CVV), purchase amount and IP address filters.
Businesses must be careful about the order in which they apply these filters. If layered incorrectly, some rules may cancel out others, reducing the total amount of protection they offer.
While fraud filters are a popular and relatively inexpensive fraud protection strategy, they’re not foolproof: Fraud filters typically generate a false decline rate of approximately 25%.
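An added example (not code from the glossary or any vendor) that shows how the layering order described above can cancel a filter out, and why an AVS mismatch is routed to manual review rather than auto-declined, as the AVS entry recommends. The filters, thresholds, order fields and sample orders are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Verdict severity: when several filters fire, the highest value wins.
SEVERITY = {"approve": 0, "review": 1, "decline": 2}


@dataclass
class Order:
    order_id: str
    card_token: str       # tokenized card reference (constructed; never a real PAN)
    amount: float
    avs_match: bool       # billing address numbers matched the issuer's records
    cvv_match: bool       # CVV the customer entered matched the issuer's records
    ship_equals_bill: bool


@dataclass
class Context:
    orders_per_card: Counter = field(default_factory=Counter)  # velocity window


# Each filter returns a verdict, or None when it has no opinion on the order.
def avs_filter(order, ctx):
    # An AVS mismatch on its own is a review signal, not an automatic decline.
    return None if order.avs_match else "review"


def cvv_filter(order, ctx):
    return None if order.cvv_match else "decline"


def amount_filter(order, ctx, limit=500.0):
    # Large purchase shipped somewhere other than the billing address.
    return "review" if order.amount > limit and not order.ship_equals_bill else None


def velocity_filter(order, ctx, max_per_window=3):
    return "decline" if ctx.orders_per_card[order.card_token] > max_per_window else None


FILTERS = [avs_filter, cvv_filter, amount_filter, velocity_filter]


def decide_first_match(order, ctx, filters):
    """Layering mistake: stop at the first filter with an opinion, so every
    filter placed later in the list is cancelled out for that order."""
    for f in filters:
        verdict = f(order, ctx)
        if verdict is not None:
            return verdict
    return "approve"


def decide_most_severe(order, ctx, filters):
    """Run every filter and keep the most severe verdict; list order no longer matters."""
    verdicts = [v for v in (f(order, ctx) for f in filters) if v is not None]
    return max(verdicts, key=SEVERITY.__getitem__) if verdicts else "approve"


def run(orders, decide, filters=FILTERS):
    """Screen a batch of orders with a fresh velocity window; return the verdicts in order."""
    ctx = Context()
    results = []
    for order in orders:
        ctx.orders_per_card[order.card_token] += 1  # count the order before screening it
        results.append(decide(order, ctx, filters))
    return results


# Constructed sample: five rapid orders on one card, each with an AVS mismatch.
BURST = [Order(f"o{i}", "tok_demo_1", 120.0, False, True, True) for i in range(1, 6)]
# Constructed sample: one clean order, every check passes.
CLEAN = Order("o9", "tok_demo_2", 80.0, True, True, True)
# Constructed sample: AVS mismatch and CVV mismatch on the same order.
BAD_CVV = Order("o10", "tok_demo_3", 60.0, False, False, True)

if __name__ == "__main__":
    print("first-match :", run(BURST, decide_first_match))  # velocity rule never fires
    print("most-severe :", run(BURST, decide_most_severe))  # 4th and 5th orders declined
    print("clean order :", run([CLEAN], decide_most_severe))
    print("bad cvv     :", run([BAD_CVV], decide_first_match), run([BAD_CVV], decide_most_severe))
```

With first-match layering the AVS rule answers "review" before the velocity and CVV rules are ever consulted, so the burst and the bad-CVV order both slip through to the review queue instead of being declined.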
Fraud Losses
After a criminal fraudulently takes something of value from a business, the company experiences a range of fraud losses, from the product itself to the fees and penalties associated with any chargebacks to the reputational damage associated with fraud.
The Federal Trade Commission reported fraud losses of more than $5.8 billion in 2021, which represents a 70% increase over 2019 volumes.
Small businesses tend to take a bigger hit from fraud because they’re less likely than their larger counterparts to have the resources to invest in anti-fraud practices and technology. Not to mention, the cost of fraud can be more impactful on small businesses’ bottom line.
Fraud Managed Services
The typical organization loses an average of 5% of revenues due to fraud. Fraud managed services focus on preventing fraud from happening, rather than merely reacting to fraud attacks.
With fraud managed services, a team of experienced analysts manages all aspects of the business’s ecommerce activity, actively watching transactions and implementing comprehensive chargeback management strategies to stop fraudulent orders before they’re approved. The fraud managed services provider may be liable for the fraud risk if a fraudulent transaction is approved.
Fraud Prevention Vendors
Every ecommerce business needs a fraud prevention solution, and many vendors are dedicated to monitoring and stopping fraudulent card-not-present transactions. Some vendors provide transactional analysis using advanced artificial intelligence (often as an outsourced solution); others use a managed services solution, in which a team of experts manages every aspect of an ecommerce business’s activity. Still other vendors combine the two for a hybrid approach to fraud management.
When evaluating vendors, companies should compare each vendor’s financial liability, level of service, impact on CX and UX, and ease of integration. A matrix like the one below can be helpful.
Most fraud prevention vendors charge either a percentage of the transaction value or a fixed fee. Some vendors offer a chargeback guarantee that makes them liable for any costs if a fraudulent transaction is approved; others make no such guarantees. Some vendors automatically decline high-risk transactions, while others decide to decline a transaction only after extensive manual review and customer contact.
Fraud Protection Software
Some businesses integrate fraud protection software into their prevention strategies. These automated software programs help businesses identify risky transactions in real time and reduce the impact of customer fraud. Using algorithms, the software scans transactions from multiple sources, uses past transactional data to analyze risk factors and flags transactions for further analysis.
These kinds of solutions are often budget-friendly for smaller businesses, but they’re not foolproof. Many solutions can increase the number of false declines by treating all suspicious transactions as fraud. In turn, this can negate any savings realized from automated fraud protection.
Friendly Fraud
Friendly fraud occurs when a cardholder disputes (or files a chargeback on) a transaction for reasons like forgetting they made the purchase, not recognizing the merchant's name on their statement, not knowing another family member authorized the purchase or misunderstanding the business’s return policy.
What differentiates this type of fraud from others is that these customers aren’t typically trying to be deceitful. Rather, they’re simply making an honest mistake.
Occasionally, one may see “friendly fraud” used to describe situations in which customers make legitimate credit card purchases, receive the product or service, and then intentionally file a chargeback with the intention of receiving a full refund and keeping the product. This type of fraud is more accurately described as chargeback fraud.
H
High-Risk Industry
An industry is considered high-risk when it’s particularly vulnerable to online fraud and chargebacks; gaming, adult entertainment, online gambling and travel businesses are common examples. Because of this vulnerability, many credit card processors either subject those businesses to less-than-desirable terms and conditions, or they aren’t willing to take the risk at all. Businesses may even find themselves stripped of their processing agreement if they can’t keep their chargeback ratios within an acceptable range.
Every company is evaluated by different standards, but certain business characteristics are typically labeled as high-risk:
- A new business with little credit card processing history
- A business selling products or services to countries with a high incidence of fraud
- A business with average transaction values of more than $500
- A business that operates in an industry with traditionally high chargeback ratios
I
Identity Theft
Identity theft happens when fraudsters gather enough critical pieces of personal data about an individual (such as name, driver’s license number, date of birth and address) and pose as that person to open new accounts and make purchases. This may also be referred to as “true name identity theft.” A criminal can also use stolen information to hijack a consumer’s existing account—this is called account takeover (ATO) fraud. ATO fraud accounted for every fifth login attempt and 13% of U.S. ecommerce fraud costs in 2021.
Identity theft incidents nearly doubled in the United States in 2021, accounting for $16.9 billion in losses.
M
Machine Learning
Some computer systems have the ability to “learn,” or make progressive improvements on a task based on algorithms and human input. This machine learning is frequently used with fraud software, allowing fraud prevention programs to make fast transactional decisions while minimizing risk exposure.
As machine learning systems find fraud patterns in purchase data, and as they assimilate new data, they can make increasingly accurate predictions and become quite effective at flagging fraud. Yet they can’t work alone. These machines still rely on current data and analysts’ insights to make well-informed decisions.
Manpower Direct Costs
This refers to the cost of the personnel who work directly on a particular job or are involved with the production of certain goods. For example, the salary paid to a landscaper who mows lawns is a direct manpower cost.
Manpower Indirect Costs
Indirect manpower costs refer to the expense of employees who don’t produce goods or services themselves but may improve the efficiency of the production (like security guards or managers) or offer production support. In our example above, a salary for a mechanic who services the lawnmowers would be considered an indirect cost.
Merchant Account
A merchant, or business, account is a special bank account that a business establishes with a merchant account provider (also called a “business acquiring bank”) that lets a business accept electronic payment card transactions and receive transaction funds.
Businesses can select from a variety of merchant account providers and often make their decision based on transaction costs. Businesses labeled high-risk may pay significantly more in fees and penalties.
Merchant Account Provider
Partnering with a merchant account provider (sometimes called a “business acquiring bank”) lets businesses accept credit and debit cards as forms of payment. While many businesses work with banks or financial institutions, other businesses may opt to work with providers like Square, PayPal or QuickBooks to process credit card transactions.
To find the provider that’s right for them, businesses should compare the services, fees and extras each provider offers. Businesses in high-risk categories will find themselves with fewer options.
Merchant Chargeback Insurance Provider
There are a number of online fraud prevention companies that offer a 100% guarantee that the business won’t be held responsible for the costs of fraudulent transactions, if the provider approves a transaction that turns out to be fraudulent and results in a chargeback.
A good chargeback insurance provider will always deliver a final decision on whether to approve a transaction and will guarantee every transaction. But businesses must also understand that guaranteeing transactions isn’t enough.
Sure, businesses want to be confident that their provider will reimburse them for any costs incurred from a fraudulent chargeback. But they also need to know their vendor is thoroughly reviewing every suspicious transaction to determine its validity—not just playing it safe by declining every questionable transaction to avoid paying chargeback fees. In the end, it’s about finding a vendor that will optimize approvals while minimizing chargebacks.
Multichannel Business
Multichannel businesses focus on getting their products into the hands of customers, wherever they may be. Over the years, multichannel selling has expanded from brick-and-mortar stores, phone sales and catalogs and now includes ecommerce sales made via apps, mobile devices, social media sites and online marketplaces. Multichannel sales are expected to account for nearly 46% of all ecommerce sales by 2023.
N
Near-Field Communication (NFC) Payments
Sometimes known as “contactless payments,” NFC payments occur when two devices “talk” while they’re near each other and complete a transaction. Apple Pay, Android Pay and Samsung Pay are some of the most common NFC payment platforms.
While many smartphones have this technology built-in, businesses must purchase an NFC-enabled payments reader to accept contactless payments.
Because NFC mobile payments are dynamically encrypted, they’re considered a safe way to process transactions. Customers think so, too: The number of worldwide NFC payment users skyrocketed to more than 1.18 billion in 2020, an increase of over 22% compared with 2019’s levels.
O
Omnichannel Ecommerce
Omnichannel businesses are looking to do more than just sell on every channel available to them. Instead, they want to create seamless shopping experiences, regardless of whether a customer is shopping on the web, via an app or in a brick-and-mortar location. So omnichannel ecommerce focuses on fusing online and offline channels into a singular shopping experience with a consistent look and feel.
For example, 90% of customers desire the buy online, pickup in store (BOPIS) customer experience. Omnichannel ecommerce can deliver. Customers are more likely to be loyal as a result. Omnichannel businesses retain an average of 89% of customers, compared with 46% of businesses with multichannel strategies.
Online Scam
While the internet has made it easier to complete daily tasks, like shopping, banking and booking vacations, it’s also made it easier for fraudsters to carry out their cybercrimes. Some of the most common online scams include phishing, account takeover (ATO) fraud, card-not-present (CNP) fraud, pandemic-related fraud and gift card fraud.
P
Payment Fraud
Payment fraud refers to any fraudulent transaction a criminal executes which results in stealing a victim’s money, property or sensitive data. Traditional fraud prevention controls were once enough to prevent payment fraud, but fraudsters have gotten smarter and more practiced. Businesses need a comprehensive fraud prevention strategy that includes machine learning, data analytics and secondary review.
Payment Card Industry (PCI) Compliance
Since the pandemic, the number of cybercrimes has increased 300%, from about 1,000 cases to between 3,000 and 4,000 cases each day. That’s why every business handling payment cards must follow the 12 control objectives established by the Payment Card Industry (PCI) Security Standards Council. These objectives include security measures like:
- Installing and maintaining firewalls to protect cardholder data
- Encrypting cardholder data transmissions
- Testing security systems and processes regularly
A business’s transaction volume, card-handling method and security breach history determine how often and what kind of security audits and scans are required to establish compliance. Many businesses may be eligible to conduct a self-assessment, while larger businesses or those experiencing previous breaches will need to have an independent Qualified Security Assessor perform the audit.
Compliance with PCI Data Security Standards (PCI DSS) is at only 27.9%, which exposes businesses to customer data breaches, financial penalties from the acquiring bank, costly audits and investigations, and the risk of business accounts being terminated.
Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 in response to rising card data theft. PCI DSS focuses on keeping cardholder data secure wherever a business stores, processes or transmits it, from the point of capture through to the payment processor. Every business handling payment cards must follow the 12 PCI DSS requirements, which cover (among other things) network security, encryption of stored data and of data in transit, access control, logging and regular testing.
The major credit card companies (Visa, MasterCard, Discover, American Express and JCB) formed an independent body in 2006, called the PCI Security Standards Council, to manage the ongoing evolution of the standards and to highlight ways businesses can improve payment security.
Pharming
"Pharming" attacks are similar to "phishing" attacks, with one important difference: a phishing attack needs the victim to click a link that leads to the fraudulent website, whereas a pharming attack silently redirects the victim there even when they type the correct address. The redirection is done either by malware on the victim's computer that alters its hosts file or DNS settings, or by poisoning the cache of the DNS resolver the victim relies on. Because the redirection needs neither consent nor any action from the user, many victims never realize they have been targeted.
Pharming attacks are increasing, in part because fraudsters are looking for new ways to collect sensitive personal data from internet users who are learning how to avoid phishing attacks. In 2007, a pharming attack hit more than 50 financial institutions and their customers in the United States, Europe and Asia-Pacific. Before it was stopped, the attack had infected more than 3,000 computers in three days.
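One of the local pharming techniques described above is a hosts-file entry that pins a bank's domain to an attacker's address. The following check, added here as an example and not part of the original glossary or any vendor's tooling, parses hosts-file text and flags any watched domain that resolves somewhere other than loopback or the unspecified address (the hosts content, the `example-bank.com` domain and the `203.0.113.x` addresses are constructed for illustration):

```python
"""Flag hosts-file entries that hijack watched domains (a local pharming check).

Added example; not code from the glossary or any product. The hosts text,
domain list and IP addresses below are constructed samples.
"""
import ipaddress

# Constructed hosts-file content resembling what hosts-file malware leaves behind.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.net      # ad-blocker style sinkhole, benign
# entries below are the constructed "malicious" part of the sample
203.0.113.7     www.example-bank.com
203.0.113.7     online.example-bank.com
10.0.0.5        intranet.corp
"""

# Domains the business (or an endpoint agent) cares about; assumed list.
WATCHED = ["example-bank.com"]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text, watched_domains):
    """Return (hostname, ip) for watched domains pinned to a routable address.

    Loopback (127.0.0.1, ::1) and the unspecified address (0.0.0.0) are skipped:
    those are how ad-blockers and developers legitimately use the hosts file.
    Any other pin for a bank's domain has no legitimate explanation.
    """
    watched = {d.lower() for d in watched_domains}
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; out of scope for this check
        if addr.is_loopback or addr.is_unspecified:
            continue
        if name in watched or any(name.endswith("." + d) for d in watched):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for host, ip in suspicious_entries(SAMPLE_HOSTS, WATCHED):
        print(f"hosts file pins {host} to {ip}: possible pharming")
```

Running the check over the sample reports both `example-bank.com` subdomains pinned to 203.0.113.7 and ignores the sinkholed tracker and the unrelated intranet entry. It covers only the hosts-file vector; DNS cache poisoning has to be detected at the resolver (for example by comparing answers from an independent resolver), which this check does not attempt.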
Phishing
A form of social engineering and identity theft, phishing scams try to trick individuals into revealing personal information. Fraudsters typically contact victims by text, email or phone, posing as an authority figure or a seemingly legitimate company to get the victim’s confidential data.
Phishing messages may also carry links or attachments that install malicious software, infecting the victim's computer or stealing personal information stored on it.
More than 2 million new phishing sites are created each month, at an average cost to consumers of $14.65 million.
Point-to-Point Encryption (P2PE)
The PCI Security Standards Council established the P2PE standard to improve the security of card-present transactions. In a P2PE solution, card data is encrypted inside the payment terminal at the moment of swipe, dip or tap and stays encrypted until it reaches the solution provider's decryption environment; the merchant's point-of-sale systems and network only ever see ciphertext.
The terminal typically uses symmetric encryption with keys injected under the solution provider's control (often a DUKPT-style scheme that derives a fresh key per transaction), so there is no key on the merchant's side to steal. This application-layer encryption is used in addition to TLS on the connection to the processor, not instead of it; TLS protects the link, P2PE protects the data itself.
Because a merchant using a validated P2PE solution has no access to cleartext cardholder data, most of the PCI DSS requirements no longer apply to its environment and it may qualify for the much shorter SAQ P2PE. That reduces scope and audit cost, but it does not remove responsibility: the merchant must still protect the terminals themselves (against tampering and substitution), keep the solution in its validated configuration and answer for any fraud that does occur.
Purchase Amount Filter
Fraud filters make it easier for ecommerce businesses to identify and respond to potentially fraudulent transactions. One of the most common is a purchase amount filter, which lets ecommerce businesses set upper and lower limits for transaction amounts. Any purchase that falls outside the range can be flagged and held for further review, processed as usual but trigger a report, or automatically declined. Because most businesses know their typical transaction size, setting the filter will notify them when unusual transactions occur.
Fraud filters can be extremely effective when used properly. But when a business layers multiple filters without defining how their outcomes combine, they may not work as intended: a rule that would have declined an order can be overruled by a later rule that merely flags it, and the overall system becomes less effective than any single filter on its own.
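The following is an added example, not code from the glossary or any fraud platform, showing a purchase amount filter with the three actions described above (flag for review, process but report, decline) and the layering problem from the last paragraph. Two constructed rules are applied to the same order; combining their decisions by "last rule wins" lets a review rule overrule a decline, while combining by "most restrictive outcome" does not. The limits and amounts are invented:

```python
"""Purchase amount filter with explicit combination of layered rules.

Added example; not the glossary's or any vendor's code. Limits, rule names and
order amounts are constructed for illustration.
"""
from dataclasses import dataclass

# Outcomes ranked from least to most restrictive so conflicts resolve deterministically.
APPROVE, REPORT, REVIEW, DECLINE = "approve", "report", "review", "decline"
SEVERITY = {APPROVE: 0, REPORT: 1, REVIEW: 2, DECLINE: 3}


@dataclass(frozen=True)
class AmountRule:
    name: str
    low: float            # inclusive lower bound for a "normal" order
    high: float           # inclusive upper bound for a "normal" order
    outside_action: str   # action when the amount falls outside [low, high]

    def evaluate(self, amount: float) -> str:
        return APPROVE if self.low <= amount <= self.high else self.outside_action


def most_restrictive(decisions):
    """Combine layered rules so the strongest action always survives."""
    return max(decisions, key=lambda d: SEVERITY[d])


def last_rule_wins(decisions):
    """The naive combination: whichever rule ran last decides (the failure mode)."""
    return decisions[-1]


def screen(amount, rules, combine=most_restrictive):
    """Return (final_action, per_rule_decisions) for one order amount."""
    decisions = [rule.evaluate(amount) for rule in rules]
    return combine(decisions), decisions


# Constructed rule set: a hard ceiling/floor that declines, and a "typical basket"
# band that only sends unusual amounts to manual review.
RULES = [
    AmountRule("hard-limit", low=1.00, high=5000.00, outside_action=DECLINE),
    AmountRule("typical-basket", low=20.00, high=500.00, outside_action=REVIEW),
]


if __name__ == "__main__":
    for amount in (100.00, 900.00, 7500.00, 0.50):
        strict, per_rule = screen(amount, RULES)
        naive, _ = screen(amount, RULES, combine=last_rule_wins)
        print(f"{amount:>8.2f}  rules={per_rule}  strict={strict}  last-wins={naive}")
```

For a $7,500 order the hard limit says decline and the basket rule says review; with last-rule-wins the order is only reviewed, which is exactly the overruling the paragraph warns about. The fix is not more rules but a stated combination policy, and the most-restrictive policy is the conservative default.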
R
Risk Management
Businesses engage in risk management processes to identify, evaluate, analyze and prevent exposure to the risks that threaten capital and earnings. These risks come in many forms, including weather-related risks, liability judgments, employee theft and credit card fraud.
Ecommerce businesses have become increasingly focused on securing their digital assets, including a customer’s personally identifiable information, and have implemented risk management programs that help them:
- Improve transaction approval rates
- Reduce false declines
- Decrease chargeback ratios and fraud-related chargeback costs
- Shorten response time
S
Skimming
Skimming is the act of using hard-to-spot electronic devices or overlay card readers on point-of-sale terminals, ATMs or fuel pumps to capture and copy the account data from a valid credit or debit card as it is swiped. The fraudster then writes that data onto a counterfeit card to make in-store purchases, uses the card details to place fraudulent online orders, or sells the data on the dark web.
In 2016, one man was arrested in California for placing skimmers on eight Wells Fargo ATMs. He captured data from almost 4,900 cards, created counterfeit cards and stole nearly $500,000. Reported skimming incidents have been decreasing as chip cards have spread and fraud has shifted online.
T
Tokenization
Mobile wallets such as Apple Pay and Google Pay, and most modern payment gateways, use tokenization to protect sensitive data: the card's primary account number (PAN) is replaced by a randomly generated surrogate value, the token, that has no mathematical relationship to the original. The merchant stores and reuses the token, while the real card number lives only in the token provider's vault, so a breach of the merchant's systems exposes tokens that are worthless outside that vault.
There are three benefits to using tokenization:
- The process is frictionless for (and nearly invisible to) customers.
- This technology helps protect against the theft of credit card information during the transaction process.
- It helps businesses comply with industry security standards like PCI DSS.
Tokenization is widely regarded as one of the best solutions currently available for securing card transactions without noticeably altering the cardholder experience.
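To make the "never used or accessed by the merchant" property concrete, here is an added example (not the glossary's code and not any wallet's or gateway's real API) of a minimal token vault. The vault issues random tokens, keeps the only mapping back to the PAN, and returns the same token for a repeat card so the merchant can still recognize returning customers; the merchant record holds only the token and a masked display string. The pepper, token format and the Visa test number 4111 1111 1111 1111 are assumptions for illustration:

```python
"""Minimal token vault: the merchant keeps a token, the vault keeps the PAN.

Added example; not the glossary's code nor any payment provider's API.
The pepper, token format and sample PAN are constructed for illustration.
"""
import hashlib
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check, so obviously malformed numbers are rejected before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def display(pan: str) -> str:
    """Masked form the merchant may show on receipts: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Issues random, non-reversible tokens; only the vault can map them back."""

    def __init__(self, pepper: bytes = b"assumed-vault-secret"):
        self._pepper = pepper
        self._pan_by_token = {}   # token -> PAN (lives only inside the vault)
        self._token_by_fp = {}    # keyed fingerprint -> token, for repeat cards

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash used only for "have we seen this card?" lookups; a production
        # vault would use an HMAC under a managed key (assumption, not a standard).
        return hashlib.sha256(self._pepper + pan.encode()).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:           # same card -> same token
            return self._token_by_fp[fp]
        token = "tok_" + secrets.token_hex(12)  # random, unrelated to the PAN
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (i.e. the payment provider) ever performs this step."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """Everything the merchant persists for a saved card: no PAN anywhere."""
    return {"token": vault.tokenize(pan), "display": display(pan.replace(" ", ""))}


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111")
    print(rec)                                   # token plus ************1111
    print(vault.detokenize(rec["token"]))        # the vault alone can do this
```

The design point is that the token carries no information about the card: it is a random value, not an encryption of the PAN, so there is no key whose compromise would reverse it. Reusing one token per card across orders is what lets velocity and loyalty logic work on tokens instead of on card numbers.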
V
Velocity Filters
Velocity filters monitor specific data elements (such as email addresses, phone numbers, IP addresses, card numbers and billing/shipping addresses) and limit how many transactions sharing one of those values a site will accept within a given window (for example an hour or a day).
Why would a business want to limit the number of transactions? When a fraudster obtains a batch of card numbers from the dark web, they often "card test" them against a business's site: rapid, small purchases to find out which numbers are still live. Once a card works, the fraudster follows up with more, and larger, purchases to max it out before the cardholder notices.
The effective use of velocity filters relies on a business understanding their good customers and knowing how large and how frequent their purchases usually are.
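The following is an added example, not code from the glossary or any fraud vendor, of a sliding-window velocity filter run over a constructed transaction stream: a card-testing burst (six one-dollar orders in two minutes from one email and IP, each with a different card), the same email returning a day later, and an unrelated regular customer. The per-field limits, window and all transaction data are assumptions for illustration:

```python
"""Sliding-window velocity filter over a constructed transaction stream.

Added example; not the glossary's or any vendor's code. Limits, window and
every transaction below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class VelocityFilter:
    """Counts transactions per (field, value) inside a sliding time window."""

    def __init__(self, window: timedelta, limits: dict):
        self.window = window
        self.limits = limits                  # e.g. {"email": 3, "ip": 5}
        self._seen = defaultdict(deque)       # (field, value) -> timestamps in window

    def check(self, txn: dict) -> list:
        """Record txn; return [(field, value, count)] for every limit it exceeds.

        Transactions must be fed in chronological order per key (the caller sorts).
        """
        ts = txn["ts"]
        exceeded = []
        for field, limit in self.limits.items():
            value = txn.get(field)
            if value is None:
                continue
            window = self._seen[(field, value)]
            while window and ts - window[0] > self.window:   # expire old entries
                window.popleft()
            window.append(ts)
            if len(window) > limit:
                exceeded.append((field, value, len(window)))
        return exceeded


T0 = datetime(2024, 1, 15, 12, 0, 0)

# Constructed stream: a card-testing burst, a next-day return, one regular customer.
TRANSACTIONS = [
    {"id": i + 1, "ts": T0 + timedelta(seconds=20 * i), "email": "tester@example.net",
     "ip": "198.51.100.9", "card_last4": str(1000 + i), "amount": 1.00}
    for i in range(6)
] + [
    {"id": 7, "ts": T0 + timedelta(days=1), "email": "tester@example.net",
     "ip": "198.51.100.9", "card_last4": "1006", "amount": 1.00},
    {"id": 8, "ts": T0 + timedelta(minutes=1), "email": "regular@example.com",
     "ip": "203.0.113.4", "card_last4": "4242", "amount": 89.99},
]


def run(transactions, window=timedelta(hours=1), limits=None):
    """Return {txn_id: exceeded_limits} for every transaction that tripped a limit."""
    limits = limits or {"email": 3, "ip": 5}
    vf = VelocityFilter(window, limits)
    flagged = {}
    for txn in sorted(transactions, key=lambda t: t["ts"]):
        hits = vf.check(txn)
        if hits:
            flagged[txn["id"]] = hits
    return flagged


if __name__ == "__main__":
    for txn_id, hits in run(TRANSACTIONS).items():
        print(f"txn {txn_id}: hold for review, velocity exceeded on {hits}")
```

With three orders per email per hour, the burst is caught from its fourth attempt and the IP limit trips on the sixth, while the next-day order (window expired) and the regular customer pass. The limits are the part that needs tuning against real traffic: set them below what good customers actually do and the filter becomes a source of false declines rather than a fraud control.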