The ability to accept payment on a website is a vital part of the internet sales process, but one that is fraught with danger for small firms. The trick, says Jo Faragher, is to research the options carefully.
Did you know that on the ‘dark web’, the secret encrypted network, you can buy any number of individuals’ credit card details, complete with expiry dates and the crucial three numbers on the back, for a matter of dollars? Personal data, even log-ins for services such as Uber and Netflix, can command even more, according to security company Trend Micro.
Almost eight in 10 FSB members use the internet for selling, while 63 per cent use it to take payments, found a 2015 report by the FSB into digital adoption. So it’s crucial for members to be aware of the risks presented by transacting online – whether that’s theft of credit card details or theft of personal data.
Before signing up with a payment service provider (PSP), do your research. The market for these service providers has become increasingly competitive, and prices can vary considerably. You can choose from services offered by your bank, well-known names such as Worldpay – which provides FSB’s card payment processing offer – and PayPal, or a growing number of start-ups in this area. Choose a service provider that meets your needs, not just the one with the most attractive price point.
While card fraud is a real threat – fraud losses resulting from online card transactions totalled more than £260 million in 2015, according to Financial Fraud UK – it’s not the only aspect of trading online where small firms need to protect themselves. If a criminal steals personal data, you could end up facing an investigation by the Information Commissioner’s Office (ICO) or even a hefty fine.
Under the Data Protection Act, if you hold and process information about clients or suppliers, you are obliged to protect it and to be explicit about what you intend to do with it. From 2018, a European law known as the General Data Protection Regulations is being introduced, applying a potential penalty of 4 per cent of your company’s turnover if you don’t comply.
So it’s important not to get complacent about the security of your website just because you pay a service provider to process your payments. “As a payment gateway provider, it is our responsibility to build gateways that are secure and based on simple command structures,” says David Midgley, Head of Operations at Total Processing.
“However, ecommerce sites can further minimise the risk of a breach by ensuring their site is built securely and any application program interfaces can’t be easily infiltrated.”
One challenge of making transactions secure is ensuring customers’ experience of using your site is positive while protecting them from fraud and identity theft. This can be a difficult balancing act, says Ms John from Symantec. “People might not want to register or enter a password just to browse, but they tend to expect it when they purchase,” she says. You could use two-factor authentication, whereby a transaction requires something extra such as a one-off code. But bear in mind whether this adds to or detracts from the customer’s ‘journey’ through the site, she adds.
Some websites allow consumers to log in using their social media accounts such as Google or Facebook, but not everyone trusts these routes because of privacy concerns, so it’s important to offer an alternative. A new option for those looking to have an online presence but without having to maintain a site is FSB Marketplace, a secure online selling portal where members can sell to both members and non-members. Register at fsbmarketplace.co.uk.
Cybercriminals and fraudsters are increasingly focusing their efforts on smaller businesses because they perceive them to be less secure, according to James Frost, UK Chief Marketing Officer for Worldpay, which runs card processing services for FSB members (see fsb.org.uk/benefits for more information).
Its survey found that data breaches increased by 144 per cent for small firms in 2015, with the majority of problems traced back to small businesses hosting their own payment pages.
“These businesses are leaving themselves vulnerable to cyber-attacks,” says Mr Frost. “Fraudsters are also increasingly keen to exploit so-called ‘cardholder not present’ opportunities online, which typically represent a softer target than in-store transactions.”
Some of the signs of potential online payment fraud include:
Shopper fails address verification (AVS), CVV or 3D-Secure checks
Multiple purchases of the same and/or high value items
Inconsistencies in purchase data – for example a UK billing address but US card and French IP address
Multiple declines relating to the same email address, billing/delivery address or cardholder name
Unusual foreign card use
Delivery address is in a different country from the billing address
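The warning signs listed above can be checked automatically against each incoming order. The following is an added example, not code from the article or from any payment provider; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
# Assumed thresholds and field names; tune them to your own order data.
HIGH_VALUE_GBP = 500
REPEAT_QTY = 3
MAX_DECLINES = 3
USUAL_CARD_COUNTRIES = {"GB"}

def fraud_signals(order, attempts):
    """Return the article's warning signs that this order trips."""
    signals = []
    # A missing check result is treated the same as a failed one.
    failed = [c for c in ("avs", "cvv", "three_ds") if not order["checks"].get(c)]
    if failed:
        signals.append("failed checks: " + ", ".join(failed))
    repeat = any(i["qty"] >= REPEAT_QTY for i in order["items"])
    pricey = sum(i["qty"] for i in order["items"] if i["unit_price"] >= HIGH_VALUE_GBP)
    if repeat or pricey >= 2:
        signals.append("multiple same or high-value items")
    countries = {order["billing_country"], order["card_country"], order["ip_country"]}
    if len(countries) > 1:
        signals.append("country mismatch: " + "/".join(sorted(countries)))
    if order["card_country"] not in USUAL_CARD_COUNTRIES:
        signals.append("unusual foreign card")
    if order["delivery_country"] != order["billing_country"]:
        signals.append("delivery country differs from billing")
    # Earlier declined attempts sharing this order's email, address or name.
    keys = ("email", "billing_address", "cardholder")
    declines = sum(1 for a in attempts
                   if a["declined"] and any(a[k] == order[k] for k in keys))
    if declines >= MAX_DECLINES:
        signals.append(f"{declines} earlier declines on same email/address/name")
    return signals

# Constructed sample data (not real transactions).
ATTEMPTS = [
    {"email": "a@example.com", "billing_address": "1 High St", "cardholder": "A Smith", "declined": True},
    {"email": "a@example.com", "billing_address": "9 Low Rd", "cardholder": "B Jones", "declined": True},
    {"email": "z@example.com", "billing_address": "1 High St", "cardholder": "C Brown", "declined": True},
    {"email": "q@example.com", "billing_address": "5 Mill Ln", "cardholder": "D Green", "declined": True},
]
SUSPECT = {
    "email": "a@example.com", "billing_address": "1 High St", "cardholder": "A Smith",
    "checks": {"avs": False, "cvv": True, "three_ds": True},
    "items": [{"sku": "PHONE-1", "qty": 3, "unit_price": 650}],
    "billing_country": "GB", "card_country": "US", "ip_country": "FR",
    "delivery_country": "GB",
}
ROUTINE = dict(SUSPECT, email="n@example.com", billing_address="2 Park Ave",
               cardholder="N Patel", checks={"avs": True, "cvv": True, "three_ds": True},
               items=[{"sku": "MUG-7", "qty": 1, "unit_price": 12}],
               card_country="GB", ip_country="GB")
```

An order that trips several signals is a candidate for manual review before dispatch rather than automatic rejection, since a single signal such as a foreign card can be legitimate.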
Failing to take steps to stop fraud could be costly, warns Mr Frost: “Data breaches could lead to industry fines and clean-up costs, while fraud usually results in chargebacks and the cost of items that have been purchased fraudulently, not to mention the potential impact of an attack on your brand and customer loyalty.”