Chapter 1
IN THIS CHAPTER
Recognizing your liability
Establishing written guidelines
Setting up secure ordering
Gaining third-party approval
Internet-related fraud cost consumers and businesses more than $1 billion in 2015, as reported by the Internet Crime Complaint Center (IC3), a joint effort between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center, established to track cybercrime. Founded in 2000, the government-based organization receives nearly 300,000 complaints from U.S. consumers each year, or approximately 800 complaints every day. These complaints represent only 15 percent of actual incidents, as most go unreported, according to the IC3.
As both a consumer and an e-commerce merchant, you are vulnerable to becoming a victim of cybercrime. Each year the IC3 receives a large number of complaints involving identity theft and nondelivery of payment or merchandise, including credit card charge backs. Complaints from both buyers and sellers continue to grow. Technology has advanced to help protect against fraud, and both consumers and merchants are doing more than ever before to combat fraud. Unfortunately, e-commerce continues to breed opportunities for online thieves in areas that include credit card fraud, phishing scams, personal and business e-mail scams, identity theft, and personal data breaches.
In recent years, several large-scale security attacks have revealed the vulnerability of all types of businesses and organizations, including retailers such as Target, T.J. Maxx, Kmart, and Neiman Marcus. Even the IRS has fallen victim to a major security breach that exposed the personal data of millions of U.S. taxpayers. In each case, some type of malware or intentional online breach was suspected in the compromise of customers’ credit card data, Social Security numbers, and other valuable, personally identifiable information, which translates into estimated financial losses in the billions for each incident. Any merchant (and its customers) is susceptible to cyber-related crime. The burden always falls on you, the online business owner, to provide a safe, secure shopping environment for your customers while protecting both your customers and yourself from potential financial losses.
In this chapter, we talk about what you can do to keep your customers as safe as possible so that they continue shopping with you.
As the owner of your business, you’re responsible for protecting not only your data but that of your customers as well. With identity theft and fraud continuing to rise at alarming rates, credit card companies and regulatory agencies are saddling e-commerce merchants with the bill (including shipping fees and the costs of the goods). You can prevent your customers from being victims of identity theft and fraud — and stay in business yourself — by being vigilant about the credit card payments you accept and keeping your customers’ information as private as possible.
Most of the time, fraud comes in the form of charge backs. Customers using credit cards and other online forms of payment (that access credit cards and bank accounts) can request that charges be removed. The Fair Credit Billing Act (FCBA) allows consumers to dispute purchases.
A customer can request that a charge be removed for two reasons:
Charge backs happen frequently, and proving a customer wrong is difficult — and expensive — for an online business. LexisNexis reports that online retailers lost just over 1 percent of revenue to fraud in 2015. While that doesn’t seem like a large amount, consider that those losses from “friendly fraud” alone total over $11 billion annually. For each dollar in fraud, online retailers actually lose $2.40 in revenue, according to LexisNexis, due in part to charge backs and their related fees and costs. Because you simply don’t have the same ability to authenticate or verify a cardholder’s identification as you do in a bricks-and-mortar environment, you get stuck with the cost of the merchandise, the shipping fees (possibly), and the processing fee that your credit card vendor charges for every transaction. Those amounts, as estimated by LexisNexis, add up quickly. Another concern lies in the fact that fraud prevention is advancing in traditional retail stores with the increased use of EMV or “chip” technology in credit cards and debit cards. Many industry analysts anticipate that these renewed efforts to protect against offline theft will drive fraud attempts away from bricks-and-mortar stores and toward online stores. Juniper Research expects fraudulent online payments to skyrocket to nearly $26 billion in losses by 2020, translating to $4 of fraud for every $1,000 spent online.
It may seem like a gloomy time for the e-commerce landscape, but don’t despair! Being educated about online fraud is the best way to fight it. Fortunately, you can minimize your risk of excessive charge backs. To avoid them, use some basic security strategies for your site:
Charge backs aren’t the only issue you have to worry about with online purchases. The second part of your security obligation to your customers is proving that you consistently handle their private information with the utmost care. Specifically, customers want to know how you collect and store sensitive data, including credit card numbers, Social Security numbers, birthdates, and even phone numbers. As we mention earlier in this chapter, even the U.S. government has fallen victim to massive data breaches targeting the IRS and the Office of Personnel Management, which stores personal data on millions of government employees, contractors, and their family members.
As an online business owner, your first step is to provide transparency of data collection to your customers. Somewhere on your website (usually in a privacy or security policy), you should explain how and why you collect and save customer information. Here are the questions your customers want answered about how you hold onto their data:
As part of the Payment Card Industry Data Security Standard (PCI DSS), an alliance of the leading credit card institutions created a policy that sets requirements for how your customers’ personal data is processed and stored on your site. Depending on the number of online transactions you process each year, compliance can be either mandatory or self-regulated (if you have fewer than 20,000 transactions per year). As with other government agency policies, failing to comply with this enforceable standard can cost you a fine of as much as half a million dollars. Book 2, Chapter 1 covers this standard.
Fortunately, certain organizations are dedicated to helping protect you and your customers from all types of online fraud. You can join a membership-based group, such as the Merchant Risk Council (www.merchantriskcouncil.org). It provides access to articles, tools, and vendors that help you secure your site. Membership fees start at $500 per year for online businesses with annual revenues of $10 million to $75 million. The fee covers membership for two people.
When you’re tackling security concerns, you have two goals as an online merchant: Do everything possible to make your site secure and safe for both you and your customers, and promote buyer confidence by letting visitors know that you take all necessary precautions to keep the online shopping experience safe.
One of the best ways to stay ahead of the security game is by being clear about your online policies. Also, regulatory agencies might want confirmation that you’re looking out for your customers’ best interests. Here are two types of policies you can institute:
Privacy and security policies are the two types most relevant to your site. Don’t forget that online fraud and charge backs are always at issue, too. You need to include or refer to other types of policies, especially when a customer makes a purchase. Don’t hesitate to direct buyers to policies that spell out conditions relating to shipping, back orders, returns, and even customer disputes. (Book 1, Chapter 5 covers these policies in depth.)
No matter how much online security and privacy policies are heightened, buyers are still uncertain about their online security and privacy. Research shows that people are hesitant to give out personal information or credit card numbers to websites, even though e-commerce has become accepted as a viable alternative to storefront shopping. The risks of online fraud and identity theft are two big factors that make consumers skeptical, but lots of other issues keep online shoppers frustrated. The Federal Trade Commission (FTC) tracks top complaints of online shoppers. You probably aren’t surprised to learn that these complaints include things such as never receiving merchandise, not having refunds honored, and other misrepresentations by online merchants.
The FTC also keeps track of which online products or industries warrant the most complaints. Shop-at-home or catalog sales account for close to a fifth of the complaints each year, while Internet auctions typically comprise only a small percentage of the complaints. Although these complaints don’t seem to keep people from buying online, they provide another reason to go out of your way to make your site secure. One of the easiest and, possibly, most expected ways to do this is by using Secure Sockets Layer (SSL) certificates.
Having an SSL certificate for your website lets customers know that their confidential information is protected when they send it over the Internet for you to process.
Using SSL is just a matter of licensing the right to use the protocol through an approved vendor and having it installed on your server. You can get a certificate directly from a private company, such as Symantec (previously VeriSign), or (usually) from your web hosting or domain registration company. Some e-commerce and shopping cart providers now offer basic SSL certificates for free as part of their monthly or annual service plans. If you buy one directly, prices vary greatly. Some are advertised for less than $10, but a more typical range is $60 to more than $1,500 annually. The difference in price depends on the type of certificate you choose and the level of validation attached to it. For instance, an SSL certificate on the low end of the range may validate only your site’s domain name. The more expensive certificates often provide financial warranties of varying amounts and validate these factors:
The more expensive SSL certificates also claim to provide a higher level of encryption. The industry standard is 128-bit encryption, and an advanced 256-bit version is available. A higher level of encryption just makes compromising (or hacking) data a little more difficult.
After you purchase your SSL certificate, you’re given instructions on how to activate it on your site’s server. However, in many cases, your web hosting company or a professional website developer can install the encryption certificate for you.
When most people shop at a store online, they look for signs that the business is legitimate — particularly if it’s new or located in a different city or if they’re just not familiar with it. Offline, people look for a valid business license hanging behind the counter or a local Chamber of Commerce sign.
The online equivalent of the local Chamber of Commerce is a seal of approval from one or more third-party organizations. Customers feel safer shopping online with you when you post a seal of approval on your site. Table 1-1 lists organizations that provide seals. Although these seals aren’t requirements, they definitely boost buyer confidence.
TABLE 1-1 Organizations Providing Reliability and Privacy Seals
Organization | Seal Type | Reliability | Fees
BBB ( | BBB Accredited, Dynamic | Member of Better Business Bureau; in business one year | Membership fee; licensing fee based on size of company
Guardian eCommerce ( | Safe Site or Approved Site | SSL certificate and other site information submitted for review | Annual fee of $19.99
TRUSTe ( | TRUSTed certifications for websites, apps, cloud, downloads, and more | Pass site audit | Annual fee
Because application and licensing fees can range from slightly less than a hundred dollars to several hundred dollars for each seal, you might not be prepared to apply for them when you’re just starting your business.