Chapter 1

Understanding Security and Your Risks

IN THIS CHAPTER

  • Recognizing your liability
  • Establishing written guidelines
  • Setting up secure ordering
  • Gaining third-party approval

Internet-related fraud cost consumers and businesses more than $1 billion in 2015, as reported by the Internet Crime Complaint Center (IC3), a joint effort between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center established to track cybercrime. Founded in 2000, the government-based organization receives nearly 300,000 complaints from U.S. consumers each year, or approximately 800 complaints every day. According to the IC3, these complaints represent only 15 percent of actual incidents, because most go unreported.

As both a consumer and an e-commerce merchant, you are vulnerable to becoming a victim of cybercrime. Each year the IC3 receives a large number of complaints involving identity theft and nondelivery of payment or merchandise, including credit card charge backs. Complaints from both buyers and sellers continue to grow. Technology has advanced to help protect against fraud, and both consumers and merchants are doing more than ever before to combat fraud. Unfortunately, e-commerce continues to breed opportunities for online thieves in areas that include credit card fraud, phishing scams, personal and business e-mail scams, identity theft, and personal data breaches.

In recent years, several large-scale security attacks have revealed the vulnerability of all types of businesses and organizations, including retailers such as Target, T.J. Maxx, Kmart, and Neiman Marcus. Even the IRS has fallen victim to a major security breach that exposed the personal data of millions of U.S. taxpayers. In each case, some type of malware or intentional online breach was suspected in the compromise of customers’ credit card data, Social Security numbers, and other valuable, personally identifiable information, which translates into estimated financial losses in the billions for each incident. Any merchant (and its customers) is susceptible to cyber-related crime. The burden always falls on you, the online business owner, to provide a safe, secure shopping environment for your customers while protecting both your customers and yourself from potential financial losses.

In this chapter, we talk about what you can do to keep your customers as safe as possible so that they continue shopping with you.

Legal Responsibility: The Merchant and the Customer

As the owner of your business, you’re responsible for protecting not only your data but that of your customers as well. With identity theft and fraud continuing to rise at alarming rates, credit card companies and regulatory agencies are saddling e-commerce merchants with the bill (including shipping fees and the costs of the goods). You can prevent your customers from being victims of identity theft and fraud — and stay in business yourself — by being vigilant about the credit card payments you accept and keeping your customers’ information as private as possible.

Avoiding charge backs

Most of the time, fraud comes in the form of charge backs. Customers using credit cards and other online forms of payments (that access credit cards and bank accounts) can request that charges be removed. The Fair Credit Billing Act (FCBA) allows consumers to dispute purchases.

A customer can request that a charge be removed for two reasons:

  • The card is stolen or otherwise used without the legal cardholder’s permission.
  • The customer doesn’t believe that you fulfilled your obligation in delivering the product. (You either didn’t deliver it or delivered a different product from what you promised.) Mistakenly delivering an incorrect product isn’t a true case of fraud, but it does lead to charge backs. It becomes fraud if you did indeed ship the correct product but the customer insists that you did not. Often referred to as “friendly fraud,” the purposefully deceitful act represents the largest portion of e-commerce charge backs.

Charge backs happen frequently, and proving a customer wrong is difficult — and expensive — for an online business. LexisNexis reports that online retailers lost just over 1 percent of revenue to fraud in 2015. That doesn’t seem like a large amount, but consider that losses from “friendly fraud” alone total more than $11 billion annually. For each dollar lost to fraud, online retailers actually lose $2.40 in revenue, according to LexisNexis, due in part to charge backs and their related fees and costs. Because you simply don’t have the same ability to authenticate or verify a cardholder’s identification as you do in a bricks-and-mortar environment, you get stuck with the cost of the merchandise, the shipping fees (possibly), and the processing fee that your credit card vendor charges for every transaction. Those amounts, as estimated by LexisNexis, add up quickly. Another concern is that fraud prevention is advancing in traditional retail stores with the increased use of EMV or “chip” technology in credit and debit cards. Many industry analysts anticipate that these renewed efforts to protect against offline theft will drive fraud attempts away from bricks-and-mortar stores and toward online stores. Juniper Research expects fraudulent online payments to skyrocket to nearly $26 billion in losses by 2020, translating to $4 of fraud for every $1,000 spent online.

It may seem like a gloomy time for the e-commerce landscape, but don’t despair! Being educated about online fraud is the best way to fight it. Fortunately, you can minimize your risk of excessive charge backs. To avoid them, use some basic security strategies for your site:

  • Verify the cardholder’s address. Credit card merchants offer an address verification service (AVS) that compares the billing address a customer provides with the billing address and name on file for the cardholder’s account. You’re notified immediately if the billing address and name don’t match the information associated with the account. You can also make this comparison manually if AVS protection isn’t included with your online merchant account.
  • Get the card verification value. When you’re completing an order from a customer, make sure to ask for the card verification value (CVV2). Because this set of numbers appears only on the customer’s credit card, the customer must have physical access to the card to see the numbers. This set of numbers appears as four digits on the front of an American Express card or as three digits on the back of a Visa, MasterCard, or Discover card.
  • Use 3D Secure. The 3D Secure verification process adds a step in which the card issuer confirms the cardholder’s identity for the online transaction, so the validity of the payment method is checked against more than one source. Online merchants have hesitated to use this approach in the past because it requires the consumer to leave the merchant’s website for a moment and validate the payment on a third-party site, such as that of the credit card issuer (Visa or MasterCard). This interruption to the purchase process is thought to contribute to shopping cart abandonment. However, improvements have been made to the verification process, making it less cumbersome to the buyer when checking out.
  • Process only approved transactions. If a card is declined for any reason, don’t process it. Although this advice seems obvious, you might be tempted to believe that the message is a mistake and try to process the order anyway.
  • Scrutinize e-mail addresses. Always ask for a customer’s e-mail address at the time of purchase. If the address looks suspicious, don’t hesitate to call the customer and verify the order.
  • Be wary of excessive orders. Buyers using stolen or compromised credit cards sometimes place extremely large orders or purchase several units of the same item. Call the phone number associated with the billing address to verify unusual orders.
  • Maintain good records. Keep copies of an online order transaction, verification e-mails, and records of any other communication you might have with the customer.
  • Keep your end of the bargain. If you experience a delay in shipping the product or the product is out of stock, notify the customer immediately and do not make any charges until the product ships.
  • Clearly post your return policy. Preventing or fighting a charge back is tough if you’re not clear about your return and shipping policies. Having this information readily available to customers makes it difficult for customers to use the lack of information or lack of a formal policy as a reason to decline a payment to you.
  • Follow merchant-issued policies. Whether you use PayPal or a credit card vendor to process customer transactions, be aware of its charge back policy. PayPal updated its charge back policies in 2016 to provide enhanced protection to the merchant. However, the new policies also limit what types of charges are protected (for example, excluding charges to crowdfunding sites because of an increased risk). If you deal in those types of transactions, you are excluded from protection. Always make sure you’re following the vendor’s recommendations for the prevention and dispute of charge backs.
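The checklist above is easier to apply consistently if the automated parts of it (AVS result, CVV2 presence, declined authorizations, e-mail shape, order size) run as one screening step before you capture the payment, leaving only the flagged orders for a phone call. The following is an added example written for this chapter, not code from the book or from any payment processor: the AVS codes, thresholds, e-mail patterns, and sample orders are all constructed for illustration, and a real processor supplies its own result codes.

```python
"""Pre-authorization order screening (constructed example)."""
from dataclasses import dataclass, field
import re

# Hypothetical AVS result codes; real processors publish their own code tables.
AVS_FULL_MATCH = "Y"   # street address and ZIP both match the account
AVS_NO_MATCH = "N"     # neither matches


@dataclass
class Order:
    email: str
    quantity: int
    amount_usd: float
    avs_result: str          # processor's address verification result
    cvv_supplied: bool       # buyer typed the card verification value (CVV2)
    card_approved: bool      # issuer approved the authorization


@dataclass
class Screening:
    decision: str                      # "accept", "review" or "reject"
    reasons: list = field(default_factory=list)


# Constructed thresholds: tune them to your own order history.
MAX_QUANTITY = 10
MAX_AMOUNT_USD = 2000.0

# Crude address-shape check plus a block list of throwaway-mail patterns (constructed).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
SUSPICIOUS_EMAIL = re.compile(r"(^\d{6,}@)|(@(mailinator|tempmail)\.)", re.IGNORECASE)


def screen_order(order: Order) -> Screening:
    """Apply the chapter's checklist and return a decision with its reasons."""
    reasons = []
    # Process only approved transactions: a decline is final, not a hint.
    if not order.card_approved:
        return Screening("reject", ["card declined by issuer"])
    if not order.cvv_supplied:
        reasons.append("no CVV2 supplied")
    if order.avs_result == AVS_NO_MATCH:
        reasons.append("AVS: billing address does not match account")
    if not EMAIL_RE.match(order.email) or SUSPICIOUS_EMAIL.search(order.email):
        reasons.append("suspicious e-mail address")
    if order.quantity > MAX_QUANTITY or order.amount_usd > MAX_AMOUNT_USD:
        reasons.append("unusually large order")
    if not reasons:
        return Screening("accept")
    # A failed AVS check combined with a missing CVV2 is rejected outright;
    # anything else goes to a person who phones the billing number.
    if "no CVV2 supplied" in reasons and any(r.startswith("AVS") for r in reasons):
        return Screening("reject", reasons)
    return Screening("review", reasons)


if __name__ == "__main__":
    sample = Order("jane@example.com", 1, 59.0, AVS_FULL_MATCH, True, True)
    print(screen_order(sample))
```

The "review" outcome is deliberate: the chapter's advice is to verify unusual orders by phone rather than to refuse them automatically, so the function only rejects on a declined card or on the combination of a failed address check and a missing CVV2.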

Tip: You can dispute any charge back by contacting your credit card vendor directly. Before calling, be prepared to show how you complied with verifying the card’s authenticity at the time of purchase. Hang in there because you might have to wait several months for a claim to be settled.

Keeping your customer information secure

Charge backs aren’t the only issue you have to worry about with online purchases. The second part of your security obligation to your customers is proving that you consistently handle their private information with the utmost care. Specifically, customers want to know how you collect and store sensitive data, including credit card numbers, Social Security numbers, birthdates, and even phone numbers. As we mention earlier in this chapter, even the U.S. government has fallen victim to massive data breaches targeting the IRS and the Office of Personnel Management, which stores personal data on millions of government employees, contractors, and their family members.

As an online business owner, your first step is to provide transparency of data collection to your customers. Somewhere on your website (usually in a privacy or security policy), you should explain how and why you collect and save customer information. Here are the questions your customers want answered about how you hold onto their data:

  • Do you see customers’ credit card numbers before they’re processed?
  • Are credit cards processed in real time, which means that you might have access to only the last four digits of an account? Or are they processed manually, which means that you see and have access to the full account number?
  • How many people have access to the information?
  • How are customer files stored? Are they recorded only as electronic files or printed for filing and storage?
  • What precautions do you take to keep data secure? Are paper files locked away? Do you have a firewall or other security layers to protect electronic files?
  • Are your computers password protected? Who has access to them?
  • If you assign passwords to customer data, how are they maintained and secured?

Tip: The Federal Trade Commission and other agencies offer information to help your business comply with e-commerce policies. You can access the information from its website at www.ftc.gov.

The Payment Card Industry Data Security Standard (PCI DSS) was created by an alliance of the leading credit card institutions to set requirements for how your customers’ personal data is processed and stored on your site. Depending on the number of online transactions you process each year, compliance can be either mandatory or self-regulated (if you have fewer than 20,000 transactions per year). As with government agency policies, failing to comply with this enforceable standard can cost you a fine of as much as half a million dollars. Book 2, Chapter 1 covers this standard.

Fortunately, certain organizations are dedicated to helping protect you and your customers from all types of online fraud. You can join a membership-based group, such as the Merchant Risk Council (www.merchantriskcouncil.org). It provides access to articles, tools, and vendors that help you secure your site. Membership fees start at $500 per year for online businesses with annual revenues of $10 million to $75 million. The fee covers membership for two people.

Defining Your Privacy Policy

When you’re tackling security concerns, you have two goals as an online merchant: Do everything possible to make your site secure and safe for both you and your customers, and promote buyer confidence by letting visitors know that you take all necessary precautions to keep the online shopping experience safe.

One of the best ways to stay ahead of the security game is by being clear about your online policies. Also, regulatory agencies might want confirmation that you’re looking out for your customers’ best interests. Here are two types of policies you can institute:

  • Security: A security policy should explain what protection is in place when you’re processing customers’ orders. You want to educate visitors on how information is collected, stored, and protected.
  • Privacy: This type of policy was once best known for letting customers know whether their e-mail addresses were shared with or sold to third parties. Privacy policies are now much more inclusive: They include details on which information is collected and why; how customers can update, change, or delete stored information; and how they can notify you if they believe that their information has been breached. When you develop your policy, consider these three categories, which can be areas of concern:
    • Personally identifiable: Information that connects your customer to your site
    • Sensitive: Information that’s private to customers, such as transaction histories or e-mail addresses
    • Legally protected: Information protected by law, including credit card numbers, financial accounts, medical records, and even education-related details

Privacy and security policies are the two types most relevant to your site. Don’t forget that online fraud and charge backs are always at issue, too. You need to include or refer to other types of policies, especially when a customer makes a purchase. Don’t hesitate to direct buyers to policies that spell out conditions relating to shipping, back orders, returns, and even customer disputes. (Book 1, Chapter 5 covers these policies in depth.)

Keeping Your Website Secure

No matter how much online security and privacy policies are heightened, buyers are still uncertain about their online security and privacy. Research shows that people are hesitant to give out personal information or credit card numbers to websites, even though e-commerce has become accepted as a viable alternative to storefront shopping. The risks of online fraud and identity theft are two big factors that make consumers skeptical, but lots of other issues keep online shoppers frustrated. The Federal Trade Commission (FTC) tracks the top complaints of online shoppers. You probably aren’t surprised to learn that these complaints include never receiving merchandise, not having refunds honored, and other misrepresentations by online merchants.

The FTC also keeps track of which online products or industries warrant the most complaints. Shop-at-home or catalog sales account for close to a fifth of the complaints each year, while Internet auctions typically comprise only a small percentage of the complaints. Although these complaints don’t seem to keep people from buying online, they provide another reason to go out of your way to make your site secure. One of the easiest and, possibly, most expected ways to do this is by using Secure Sockets Layer (SSL) certificates.

Technical Stuff: SSL is a protocol, or method of communication, for scrambling information as it travels across the Internet. (Its successor, Transport Layer Security, or TLS, is what web servers and browsers actually use today, but the certificates involved are still commonly called SSL certificates.) Any type of data, whether it’s a medical record or a credit card number, can be encoded so that only the authorized sender and receiver can view it. Without this protocol, the sending process would be similar to stuffing all your private information into a clear plastic bag, sealing it, and passing it around a crowded room. Even though the bag is tightly closed, anyone who has access to it can see everything inside.

Having an SSL certificate for your website lets customers know that their confidential information is protected when they send it over the Internet for you to process.

Using SSL is just a matter of obtaining a certificate through an approved vendor (a certificate authority) and having it installed on your server. You can get a certificate directly from a private company, such as Symantec (previously VeriSign), or (usually) from your web hosting or domain registration company. Some e-commerce and shopping cart providers now offer basic SSL certificates for free as part of their monthly or annual service plans. If you buy one directly, prices vary greatly. Some are advertised for less than $10, but a more typical range is $60 to more than $1,500 annually. The difference in price depends on the type of certificate you choose and the level of validation attached to it. For instance, an SSL certificate at the low end of the range may validate only your site’s domain name. The more expensive certificates often provide financial warranties of varying amounts and validate these factors:

  • Domain name registration
  • Business owner’s identity
  • Company identity and address (possibly requiring copies of business licenses and incorporation documents)

The more expensive SSL certificates also claim to provide a higher level of encryption. The industry standard is 128-bit encryption, and an advanced 256-bit version is available. A higher level of encryption just makes compromising (or hacking) data a little more difficult. (In practice, the strength of the encryption on any given connection is negotiated between the visitor’s browser and your server’s configuration; the certificate itself mainly proves that the server belongs to you.)

Tip: If you’re not certain what level of encryption you need for your SSL certificate, or how those levels may affect your customers when they visit your site, check out the great resource page on the Symantec website that discusses SSL certificates and more: www.symantec.com/ssl-certificates.

After you purchase your SSL certificate, you’re given instructions on how to activate it on your site’s server. However, in many cases, your web hosting company or a professional website developer can install the encryption certificate for you.
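Whoever installs the certificate, it pays to check the result from the outside: that the certificate actually covers your shop’s hostname (including any www. variant) and that it is not about to expire, since an expired or mismatched certificate produces exactly the browser warning that scares customers away. The following is an added example, not code from the book or from any vendor. It uses Python’s standard ssl module; examine_cert works on the dictionary that ssl.SSLSocket.getpeercert() returns, so it can be exercised offline against a constructed certificate, while fetch_cert performs a real TLS handshake against a live server. The hostnames and dates in SAMPLE_CERT are constructed.

```python
"""Verifying an installed TLS/SSL certificate (constructed example)."""
import socket
import ssl
import time
from typing import Optional


def strict_client_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses
    anything older than TLS 1.2 (the original SSL protocols are deprecated)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Connect to the server and return its certificate (needs network access).
    A chain or hostname problem raises ssl.SSLCertVerificationError here."""
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with strict_client_context().wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def cert_time(text: str) -> float:
    """Parse the 'Mar 10 00:00:00 2026 GMT' format used by getpeercert()."""
    return ssl.cert_time_to_seconds(text)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def examine_cert(cert: dict, hostname: str, now: Optional[float] = None,
                 warn_days: int = 30) -> dict:
    """Report whether `cert` (getpeercert() form) covers `hostname` and how
    many whole days remain before it expires."""
    now = time.time() if now is None else now
    # Browsers match against the subjectAltName DNS entries, not the CN.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = cert_time(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return {
        "hostname_covered": any(_name_matches(name, hostname) for name in sans),
        "days_left": days_left,
        "expiring_soon": days_left < warn_days,
        "expired": not_after <= now,
    }


# Constructed certificate in getpeercert() form, for an offline demonstration.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Mar 10 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    print(examine_cert(SAMPLE_CERT, "www.example.com",
                       now=cert_time("Feb 20 00:00:00 2026 GMT")))
```

Run fetch_cert("your-shop-hostname") and feed the result to examine_cert on a schedule; the "expiring_soon" flag gives you the renewal reminder that hosting companies do not always send.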

Remember: If you use an e-commerce–enabled server that’s shared by others, or use a third-party merchant like PayPal, you might not have to purchase an individual SSL certificate. Some companies provide encryption service to all their customers by using a single server.

Displaying Seals of Approval

When most people shop at a store online, they look for signs that the business is legitimate — particularly if it’s new or located in a different city or if they’re just not familiar with it. Offline, people look for a valid business license hanging behind the counter or a local Chamber of Commerce sign.

The online equivalent of the local Chamber of Commerce is a seal of approval from one or more third-party organizations. Customers feel safer shopping online with you when you post a seal of approval on your site. Table 1-1 lists organizations that provide seals. Although these seals aren’t requirements, they definitely boost buyer confidence.

TABLE 1-1 Organizations Providing Reliability and Privacy Seals

| Organization | Seal Type | Reliability | Fees |
| --- | --- | --- | --- |
| BBB (www.bbb.org) | BBB Accredited, Dynamic | Member of Better Business Bureau; in business one year | Membership fee; licensing fee based on size of company |
| Guardian eCommerce (www.guardianecommerce.net) | Safe Site or Approved Site | SSL certificate and other site information submitted for review | Annual fee of $19.99 |
| TRUSTe (www.truste.com) | TRUSTed certifications for websites, apps, cloud, downloads, and more | Pass site audit | Annual fee |

Remember: You can apply for the following types of seals:

  • Reliability: Posting this type of seal on your site confirms that its sponsoring companies have verified information about your business. Additionally, it confirms that you agree to abide by certain online advertising and operating standards and dispute-resolution guidelines. Often, part of the qualifying process for the seal requires that you be in business for a certain length of time (usually, a minimum of a year).
  • Privacy: You’re eligible to display a privacy seal on your site if you meet stringent guidelines. You usually have to create, post, and adhere to a privacy policy, along with other industry standard recommendations. The organization issuing the seal is likely to conduct a security and privacy assessment on your site before giving you the seal.
  • Kids’ privacy: Programs approved under the Children’s Online Privacy Protection Act (COPPA) hand out a seal of their own. Check out Book 1, Chapter 5 for more information.

Because application and licensing fees can range from slightly less than a hundred dollars to several hundred dollars for each seal, you might not be prepared to apply for them when you’re just starting your business.
