Chapter 4

Locking Down Your Site and Your Business

IN THIS CHAPTER

check Securing customer data

check Backing up your own data

check Adding a firewall for additional protection

If you’ve spent any time on a computer, you know most of the security drills about spam, viruses, and other unwanted intruders. (If not, turn to Chapter 2 of this minibook to create a top-notch security plan for fending off online predators.)

As an online business owner, your responsibility to run a secure site is now increased in magnitude. In addition to watching out for your best interests, you must realize that your customers depend on you to take the appropriate precautions. In this chapter, we show you good security measures and provide information and tools so that you can increase protection for yourself and your customers.

Protecting against Personal Data Loss and Credit Card Fraud

Operating an Internet business means that you’re likely collecting, processing, and storing (or safeguarding) credit card data regularly. Additionally, you are a gatekeeper for lots of personal data, from passwords to Social Security numbers. You therefore have to look at data breaches and potential credit card fraud from two points of view: yours and the customer’s.

Minimizing your financial losses

E-commerce sites lose billions of dollars to online credit card fraud every year. Worldwide, credit card fraud exceeded $16 billion in 2015, according to The Nielsen Report (www.nielsen.com). The losses don’t stop there. Data breaches caused by hackers or malicious intent cost businesses $4.77 million (on average) per breach in 2015, according to the annual data breach report from IBM. Included in that financial loss is the actual cost of the lost data, recovery and mediation costs, and the estimated cost to the company’s reputation.

As an online business, your vulnerability to these types of losses is real. We don’t say this to scare you, but to illustrate how quickly costs add up from what might seem like a minor, one-time security slip. And consider that while protection against credit card fraud is tightening offline, with the required use of new data chip credit and debit cards, fraud experts anticipate this will only drive up fraud attempts online. Shoppers may be more willing to buy online than ever before, but security concerns over credit card and personal data loss still worry consumers. The fear of identity theft and credit card fraud makes 34% of consumers hesitant to buy online, according to a study from Bizrate Insight (http://connexity.com/bizrate-insights). All these statistics add up to potentially less revenue for your online business.

You want to be aware of potential security problems so you can combat them and protect your prospective revenue. Here are just a few of the ways that your online business can get hit with fraudulent transactions — and end up losing merchandise and money:

  • Customers buy a product but then claim that they didn’t order it (or file a similar complaint), and the credit card company deletes the charge.
  • You unknowingly process stolen credit cards.
  • You process invalid credit cards or cards that you should have declined.

Although you might think that the big online retailers are most at risk, smaller sites are often more likely targets because smaller sites usually have less sophisticated resources for detecting fraud. Fraudulent credit card orders increasingly account for a larger percentage of all processed online orders. Although the percentage is still relatively small (less than 10 percent), that doesn’t help if you’re the one suffering a loss.

Protecting against online crime means that you have to stay alert, cautious, and informed. As with any security concern, seek ways to reduce your risk:

  • Validate credit cards. Whether you process manually or in real-time, confirm that the credit card is approved. If a card is declined or shows up with a questionable item, resist the urge to process it anyway.
  • Verify suspicious orders. Don’t hesitate to contact a customer by e-mail or phone to confirm an order to validate a card number. If everything is okay, your customer will be impressed that you take this degree of precaution.
  • Fight excessive charge backs. Even if a card is valid, a customer can steal from you by refusing to pay for the product or service after receiving it. If the customer gives a valid reason (such as the product was damaged or appears to have been used or refurbished), the credit card company removes the charge. Because you have no signature on file for an online transaction, you’re stuck paying the bill — plus a charge back fee from your credit card company. You can challenge the claim by responding to the charge back complaint that the credit card company sends you. You need diligence and patience to fight this type of complaint, and you won’t win them all. Still, you can recover some losses, making your time invested worthwhile. (For more information on fighting charge backs, see Chapter 1 of this minibook.)

    tip If you suspect a problem or perhaps an honest mistake, call your customer directly to work it out. Keeping good records and documenting follow-up calls go a long way toward fighting charge backs.

  • Add fraud protection. Online payment processors sometimes offer fraud protection programs for e-commerce sites. These services add screening features as well as links to fraud alerts to minimize the acceptance of bad orders. This service is considered an add-on, so expect to pay a monthly fee, plus a small transaction fee on every order.
  • Use card codes. As part of your ordering process, ask for the credit card verification code, which usually appears as a three-digit number on the back of a Visa or MasterCard credit card, or a four-digit number on the front of an American Express card. Asking for this information requires that the user has the physical card in hand (or at least knows the number).
  • Accept online checks. You can choose to accept electronic checks or Internet checks to provide another payment alternative with fewer fraud risks. On the flip side, restricting your payment options can hurt your sales. Limiting customers to only one form of payment (such as online checks) likely can turn off many customers.

tip Work directly with your online payment processor to see how to further protect yourself. When selling on eBay or other third-party sites, always read the fraud policies to understand your rights as a merchant — before a sale goes wrong.
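The "validate credit cards" and "use card codes" advice above can be turned into a pre-authorization check that runs before an order is sent to the payment processor. The following is an added example written for this chapter, not code from the book or from any payment processor: it enforces the card-code length rule the chapter describes (three digits for Visa and MasterCard, four for American Express) and adds a Luhn checksum, a general sanity check the chapter does not name that catches typos and random digit strings (it says nothing about whether a card is stolen or approved; the processor still decides that). The brand prefix rules are an assumption of the example, and the `masked` helper shows what may safely go into your order records.

```python
"""Pre-authorization sanity checks for a card order (added example, not from the book).

The processor still has the final say; these checks only stop obviously malformed
entries before you pay a transaction fee, and enforce the card-code length rule:
three digits for Visa/MasterCard, four for American Express.
"""
import re

# Brand detection from the leading digits. These prefix patterns are an assumption
# of this example, adequate for the three brands the chapter mentions.
BRAND_RULES = [
    ("American Express", re.compile(r"^3[47]"), 4),
    ("Visa", re.compile(r"^4"), 3),
    ("MasterCard", re.compile(r"^(5[1-5]|2[2-7])"), 3),
]


def normalize(number: str) -> str:
    """Strip the spaces and dashes shoppers type into the card number field."""
    return re.sub(r"[\s-]", "", number)


def luhn_ok(number: str) -> bool:
    """Luhn checksum: catches typos and made-up numbers, not stolen cards.

    Starting from the rightmost digit, every second digit is doubled (minus 9 if
    the result exceeds 9); the total must be a multiple of 10.
    """
    digits = [int(c) for c in number]
    parity = len(digits) % 2
    checksum = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def brand_and_code_length(number: str):
    """Return (brand name, expected card-code length) or (None, None)."""
    for name, prefix, code_len in BRAND_RULES:
        if prefix.match(number):
            return name, code_len
    return None, None


def check_card_entry(number: str, card_code: str) -> list:
    """Return a list of problems; an empty list means 'send it to the processor'.

    The card code is used only for this check and for the authorization request.
    It must never be written to your order records or logs.
    """
    problems = []
    number = normalize(number)
    if not number.isdigit() or not 13 <= len(number) <= 19:
        problems.append("card number must be 13-19 digits")
        return problems
    if not luhn_ok(number):
        problems.append("card number fails checksum (likely a typo)")
    brand, code_len = brand_and_code_length(number)
    if brand is None:
        problems.append("card brand not accepted")
    elif not (card_code.isdigit() and len(card_code) == code_len):
        problems.append("%s card code must be %d digits" % (brand, code_len))
    return problems


def masked(number: str) -> str:
    """What may go in your order records for follow-up calls: the last four digits only."""
    number = normalize(number)
    return "*" * (len(number) - 4) + number[-4:]


if __name__ == "__main__":
    # Constructed sample entries using the card networks' published test numbers.
    print(check_card_entry("4111 1111 1111 1111", "123"))   # []
    print(check_card_entry("378282246310005", "123"))       # Amex needs 4 digits
    print(masked("4111 1111 1111 1111"))
```

Keep the masked number and your call notes in the order file; an order that fails these checks is a candidate for the "verify suspicious orders" phone call, not for processing anyway.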

Protecting customers’ privacy and financial data

Luckily, only a small percentage of customers — if any — turn out to be thieves. A bigger challenge is protecting your customers’ data from online crooks and potential carelessness. One of these violations can land your customers’ data in the wrong hands — and also land you in a lot of hot water:

  • Online security breach: A lone successful hacking attempt can leave your online database of records as open game. Names, addresses, passwords, and credit card numbers — some of the most sought-after information — are easily left at risk.
  • Offline theft: Someone can break into your office and access customer files filled with personal financial data. Don’t discount internal theft, where the thief is someone you knowingly invite into your office space.
  • Sloppy disposal: Okay, maybe you have extra copies of customer data or you decide that the IRS statute of limitations has passed and you can now get rid of old files. How you dispose of this information can leave customer records vulnerable.
  • Vendor carelessness: Your security and data storage practices aren’t the only factors that can lead to a mishap. Any vendor that you partner with — and who has access to your customer data — can cause a security mishap. (Think about scandals in which credit card companies and delivery services have mishandled or lost customer information.) How they handle — or mishandle — data can affect your site’s reputation.

The preceding list gives you some good ideas about how easily a problem can occur. Now all you have to do is make sure it doesn’t. Take these precautions to minimize your risk:

  • Store data properly. You probably have two basic methods of keeping data — hard copy files and online databases. Make sure that each one is tightly secured:
    • Hard copy: Paperwork and hard copies of backup files that contain sensitive customer information must be kept in locked file cabinets or in rooms and storage facilities with locks and limited access.
    • Online: Online information should be password protected and have the added protection of a firewall.
  • Dump your data properly. When it’s time to get rid of hard copy documents, these files must be thoroughly shredded. You can even hire a professional document disposal service that will come to your location to shred documents. How convenient is that?

    tip Before getting rid of old computers or disposing of any electronic files, erase or overwrite the machine or files (as opposed to simply deleting individual files). You can use a free, downloadable program from Active@ KillDisk at www.killdisk.com. Or try guaranteed erasure and hard drive destruction services from companies such as Shred-it (www.shredit.com) or Kroll Ontrack (www.krollontrack.com).

  • Add layers of security. Be sure to protect any type of company information, not just customer data. Showing that you have multiple layers of security processes is important. Having only one type or layer of security can become a compliance issue if your data is compromised. Include these items in your layers, as shown in Figure 4-1:
    • Antivirus: Keep antivirus software updated.
    • Backups: Back up data regularly.
    • Checks: Conduct regular security checks.
    • Encryption: Use encryption tools to code information in case your data is compromised. Encryption lets you hide your data from hackers and other unwanted eyes. Only someone with the proper password can decrypt the information for proper viewing.
    • Firewalls: Maintain active firewalls on your computers and servers.
    • Inventory: Keep an inventory of your files.
    • Offline security: Lock up data that’s stored offline.
    • Security policy: Write an official security policy to ensure that you cover your bases (see Chapter 2 of this minibook).
    • VPN: Use a virtual private network (VPN) when sending information over a wireless connection.
  • Institute a notification policy. Taking preventive measures also involves planning for the worst. Follow up your privacy policy with an internal policy describing how you will handle a security breach as well as the process for notifying authorities and customers.

FIGURE 4-1: Layers of security.

warning You might be a one-person show when you’re starting your online business, but the stakes for messing up are the same as they are for the big guys. Mishandling, losing, or compromising customer information can cost you thousands of dollars in fines, possible jail time, and untold damage to your image as a reputable online store.

Backing Up Your Data

Stop. Take a moment and think about the information you store on your computer. Consider the amount of time you spend creating, updating, and maintaining your website. Now imagine that all that information disappears in a blink of the eye. Yikes!

Most of us go through our business day assuming that nothing really bad will ever happen. That’s followed by the assumption that the contents of your website and your computer files are perfectly safe and always at your disposal. Guess again. You can lose data through human error (coffee splashed on your laptop, for example) or natural disasters, such as hurricanes.

You can prevent disasters from becoming cataclysmic by properly backing up and storing your data. Try these methods:

  • Store data on a removable storage device. A common way to back up data is to save it to an external hard drive. You can also use a flash drive, as long as it has enough memory.
  • Partition your hard drive. An easy way to back up files is to move them to a separate section of your hard drive. You do this by partitioning the hard drive, or dividing it into two or more sections. If one partition is corrupted or compromised, you can still access the second partition. Partitioning is also a good method for providing another layer of security (by limiting access) to certain files.

    To partition your existing hard drive, use an off-the-shelf program to make the job easy. Try the EaseUS Partition Master for free at www.partition-tool.com.

    remember One goal of backing up data is to have your information available in case of a disaster, such as hurricanes, tornadoes, and flooding — which we’ve seen plenty of in the last few years. If your computer is stolen or destroyed in a fire, having data backed up on a hard drive doesn’t do much good. You can make a duplicate copy that’s not backed up as often but is saved to disk and stored in a fireproof safe or in a safe-deposit box. Or you can keep your information backed up in a cloud solution for a few dollars a month.

  • Use a cloud-based or remote backup service. One advantage of using a hosted or cloud-based backup service is that your data is stored off-site. If anything calamitous happens at your location, you can retrieve a copy from your backup provider and immediately restore your data. Backup services can cost as little as $10 per month and increase to several hundred dollars per month depending on the features you want and the amount of storage space required. Shop around for the best deal.
  • Back up your operating system. If you operate Windows, Microsoft includes a few options to back up files and recover your PC, depending on which version of Windows you operate. You can find out about your options at https://support.microsoft.com.

    warning In 2014, Microsoft discontinued support of its Windows XP operating system. If you’re using XP, it is highly recommended you update your PC to Windows 10 to avoid compromising your data with increased security risks.

    If you’re using an Apple Macintosh, Mac OS X includes Time Machine for free, which allows you to automatically back up your system. You can get the details, along with other options, at http://support.apple.com.

warning Microsoft plans to discontinue security updates for Windows 7 in 2020. It’s critical to stay up to date on any security and support notices for software you use, whether that’s version updates or End of Life (EOL) notices for the software and support of the software.

remember In addition to the data you keep on your computer, make sure that the web pages stored on your server are also backed up. Check with your hosting service to determine how and when backups are made and also what you must do to access them.
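The backup advice in this section boils down to a routine: copy the data somewhere, make sure the copy is good, keep more than one. The following added example, not code from the book or from any backup vendor, scripts that routine for a small site's data directory in Python using only the standard library: it archives the directory, writes a SHA-256 manifest of every file, verifies the archive by restoring it into a scratch directory and re-checking every hash (a backup you have never restored is one you only hope exists), and deletes all but the newest copies. The directory names and sample files are constructed for the example; point `make_backup` at your real data directory and an external drive or synced cloud folder.

```python
"""Backup, verify and rotate a data directory (added example, not from the book)."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

ARCHIVE_SUFFIX = ".tar.gz"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive: Path) -> Path:
    return archive.parent / (archive.name[: -len(ARCHIVE_SUFFIX)] + ".sha256")


def make_backup(source: Path, dest_dir: Path, label: str = None) -> Path:
    """Write dest_dir/<label>.tar.gz plus a .sha256 manifest of every file inside.

    Labels default to a timestamp, so sorting archive names sorts them by age.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    label = label or time.strftime("backup-%Y%m%d-%H%M%S")
    archive = dest_dir / (label + ARCHIVE_SUFFIX)
    manifest_lines = []
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                tar.add(path, arcname=rel)
                manifest_lines.append("%s  %s" % (sha256_file(path), rel))
    manifest_for(archive).write_text("\n".join(manifest_lines) + "\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Restore into a scratch directory and check every manifest hash."""
    expected = {}
    for line in manifest_for(archive).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse absolute paths and '..' so a damaged or tampered archive
                # cannot write outside the scratch directory during the test restore.
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    return False
                tar.extract(member, scratch)
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != digest:
                return False
    return True


def rotate(dest_dir: Path, keep: int) -> list:
    """Delete all but the newest `keep` archives and their manifests; return the names removed."""
    archives = sorted(dest_dir.glob("*" + ARCHIVE_SUFFIX))  # timestamp labels: name order is age order
    removed = []
    for old in (archives[:-keep] if keep > 0 else archives):
        manifest = manifest_for(old)
        old.unlink()
        if manifest.exists():
            manifest.unlink()
        removed.append(old.name)
    return removed


def run_demo() -> dict:
    """Full cycle on a constructed data directory; returns the observable results."""
    root = Path(tempfile.mkdtemp())
    source = root / "site-data"
    (source / "orders").mkdir(parents=True)
    (source / "orders" / "2024-01.csv").write_text("id,total\n1,19.99\n")  # constructed
    (source / "customers.txt").write_text("constructed sample record\n")   # constructed
    dest = root / "backups"
    first = make_backup(source, dest, "backup-20240101")
    make_backup(source, dest, "backup-20240102")
    latest = make_backup(source, dest, "backup-20240103")
    results = {"first_verified": verify_backup(first)}
    results["removed"] = rotate(dest, keep=2)
    results["remaining"] = sorted(p.name for p in dest.glob("*" + ARCHIVE_SUFFIX))
    # Simulate a silently corrupted manifest: verification must now fail.
    manifest_for(latest).write_text("0" * 64 + "  customers.txt\n")
    results["tampered_verified"] = verify_backup(latest)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Run `make_backup` and `verify_backup` on a schedule (Task Scheduler on Windows, cron or launchd elsewhere) and keep the archives on a different device or in a synced cloud folder; the rotation step is what stops an external drive from filling up and silently failing.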

Adding Firewalls

One of the best lines of defense against viruses and intruders is having a firewall installed on your computer. Think of a firewall as a security guard standing watch at all the doors and windows of your computer. The firewall monitors the traffic, decides what’s safe, and then gives permission to enter. If the firewall detects a threat, it shuts the door and blocks the intruder.

Firewalls are particularly important because hackers are aggressive creatures. They actively search for networks that are unprotected or have disabled firewalls. To a Net-thief, that situation is the equivalent of having an open invitation to browse through all the files on your computer. The lack of firewalls also makes it easy to install harmful programs that infect or shut down your computer or — worse — scoop up and send out to the hacker pertinent information (such as passwords and bank account numbers) without your knowledge.

warning If a pesky virus manages to break through your front lines of defense, a firewall cannot remove or quarantine infected files. You still need to run antivirus software in addition to installing a firewall.

For added security, we recommend that you do the following:

  • Enable individual firewalls. When your computer is part of a local area network (LAN), most routers have a firewall installed. For the best defense, though, enable a personal firewall on each computer.
  • Add an enhanced firewall. Install a second dynamic firewall to gain protection from both incoming and outgoing traffic and to provide an additional layer of security. You can buy firewall software, often combined with antivirus software or other security tools, for $30 and up. One popular product is ZoneAlarm, which offers free and paid versions of its firewall solution at www.zonealarm.com.