The State of Ecommerce Payment Security + Actionable Advice

The State of Ecommerce Payment Security

Posted 3 years ago by Rob Binns

When the桂pandemic hit, ecommerce blew up.

With people locked down and桂with little to桂do, buying online seemed the桂only escape. The global ecommerce market jumped to桂. Customer habits, too, were changing. In桂one survey, agreed that COVID-19桂had changed their relationship with technology.

But it桂wasn�셳 just the桂sales that were soaring. And it桂wasn�셳 just the桂ecommerce industry�셲 businesses that were 끓넵끅꿎�밷넵넨 its fraudsters, too.

In桂just a桂single year (between 2020桂and桂2021), : from $17.5桂billion to桂$20桂billion. One look at桂the桂similarly burgeoning �밻녔김깎낌넨깎삣 to桂hit a桂whopping $70桂billion by桂2025�밶꾈삣 it�셲 clear this line of桂혫work혬 is桂only rising in桂popularity.

The bottom line? Ecommerce fraud is桂something you can�셳 afford to桂turn a桂blind eye to. After all, it�셲 not just a桂threat to桂your profits but your brand image. If桂customers don�셳 feel they can pay securely through your website, they won�셳 trust you. Once you lose that consumer confidence, it�셲 extremely difficult to桂win back.

Below, we�셪l unpack the桂state of桂payment security, starting with the桂most common types of桂ecommerce fraud. We�셪l also offer actionable advice for桂protecting your customers, your website, 껸꾈삣�納깜넨쓩낼껸넨깎깜꿎�뱘늡넵곶 bottom line. Read on!

Most Common Types of桂Ecommerce Fraud

As桂the桂world of桂ecommerce expands and桂evolves, so桂too do桂its villains. So桂over the桂last few years, it�셲 not only the桂number 늡닥桂닥곶껸넵삣넵깜깎꾈넨 넨곶껸꾈끅껸낌넨쓩늡꾈끅�밶꾈삣 the桂overall value of桂the桂stolen 령껸곶깎끅�뱓농껸넨 has risen. It�셲 the桂type of桂ecommerce fraud, too.

From pharming and桂account takeovers to桂혫friendly혬 and桂혫silent혬 fraud (not to桂mention straight-up identity theft), fraudsters�� methods are becoming increasingly dynamic and桂diverse. Let�셲 take a桂look at桂a桂few.

Pharming

Pharming is桂a桂type of桂ecommerce fraud in桂which fraudsters redirect web users (without their knowledge or桂consent) to桂a桂fraudulent website. This website might look and桂feel like the桂one the桂customer intended to桂reach, but with a桂key 삣쓩닥닥깎곶깎꾈낌깎�밿넨�셲 completely fake.

Designed only to桂simulate the桂original website, its fake counterpart exists for桂one reason 늡꾈깜꿎�뱓늡 trick the桂user into entering their personal information and桂credit card details. Fraudsters can then use this info to桂steal the桂individual�셲 money, or桂령늡곶끅깎�뱓농깎쓩곶 identity.

Chargeback Fraud

Also known as桂혫friendly fraud,혬 chargeback fraud is桂when a桂customer fraudulently attempts to桂claim a桂refund by桂abusing the桂chargeback system.

A桂chargeback is桂a桂step introduced by桂banks way back in桂the桂��70s to桂boost public confidence in桂the桂credit card (which, at桂that stage, was a桂new-fangled thing). It桂allows consumers to桂dispute a桂card payment, and桂after the桂bank sides with their case, claim a桂refund.

Let�셲 say you�셱e off to桂Santorini for桂a桂holiday, and桂your card is桂stolen at桂the桂airport. By桂the桂time you get to桂Greece, you realize the桂thief has made $700桂in桂fraudulent purchases on桂your card. In桂this situation, you could (quite legitimately) request a桂chargeback.

The problem? When it�셲 not legitimate. Whether maliciously or桂혫innocently혬 (customers forgetting about a桂transaction on桂their statement or桂a桂recurring billing cycle), fraudsters can take advantage of桂the桂chargeback process to桂claim money back on桂totally valid purchases.

The worst part? That, when a桂chargeback claim is桂upheld by桂the桂bank, the桂bank then claims the桂money (along with a桂fee on桂top, for桂their troubles!) back from you. Add that to桂the桂stock you�셶e already lost to桂the桂fraudster, and桂chargebacks offer an桂all-too-real threat.

Identity Theft

Because of桂popular movies dealing with the桂subject (The Talented Mr. Ripley, anyone?), identity theft is桂one of桂the桂more well-known types of桂ecommerce fraud. But that doesn�셳 make it桂any桂less dangerous.

Here, a桂fraudster falsely assumes another person�셲 identity: using their name, personal information, and桂documents to桂open credit cards, then hitting the桂high street.

Beyond the桂impact on桂the桂victim, why is桂this bad news for桂your online business? After all, you�셱e still selling�쫞ight?

Wrong. Think back, for桂a桂second, to桂our Santorini example above. Pretty soon, the桂person whose identity was stolen will become aware of桂the桂litany 늡닥桂닥곶껸넵삣넵깜깎꾈넨 purchases made under their name 껸꾈삣�뱘늡넵 guessed 쓩넨�뱑껸쓩끅깎 a桂chargeback. When the桂bank upholds this, they�셪l be桂claiming the桂money 끓껸낌곗�밼곶늡낼 you.

Making up桂, identity theft is桂by桂far the桂most common type of桂ecommerce fraud. Plus, fraudsters are also becoming more sophisticated, now using the桂personal devices, IP桂addresses, and桂user accounts of桂targets to桂assume their identities, which makes them a桂threat to桂be桂alert to.

Account Takeovers

At桂some stage or桂other while shopping online, all our customers have done it. Ticked that box that says 혫Save My桂Credit Card Details.혬 It�셪l save them a桂minute the桂next time they come back to桂make a桂purchase, so桂it�셲 a桂no-brainer, right?

Right. Unless that is, a桂fraudster is桂able to桂get their sticky-fingered paws on桂that customer�셲 login details. Should that happen, the桂thief has easy access to桂their payment details. Meaning all they have to桂do桂is桂change the桂shipping address and桂start buying.

And when they do? Expect chargebacks from the桂real customer, leaving your business out of桂pocket.

Malware and桂Ransomware

Does your computer keep freezing up? Are there ads popping up桂everywhere? Do桂links take you to桂the桂wrong destination, or桂are new icons appearing on桂your desktop and桂browser?

If桂so, you may have inadvertently installed malware (mal =桂bad, ware =桂software�쫒t�셲 bad software) on桂your device. Even the桂term 혫malware혬 itself includes a桂range of桂different malicious code types, each more nefarious than the桂last. These include spyware, 혫Trojan Horses,혬 and桂곶껸꾈끅늡낼령껸곶깎�밹늡삣깎 that locks you out of桂your system until you pay the桂hacker a桂혫ransom혬 to桂get back in.

The problem for桂ecommerce store owners is桂that malware, whether on桂your system or桂that of桂your customers or桂admins, can steal sensitive data. That includes the桂names and桂address details of桂your customers, as桂well as桂their payment information. If桂any桂of桂that�셲 compromised, it桂won�셳 just be桂profits or桂data you�셪l be桂losing, it�셪l be桂your credibility.

What�셲 more, malware attacks pave the桂way for桂an桂emerging form of桂ecommerce deception called 혫silent혬 fraud. After using malware to桂illegally access a桂number of桂accounts, fraudsters, instead of桂snatching thousands, hundreds, tens, or桂even ones, swipe a桂few cents alone. Done at桂scale and桂with regularity, these thefts can total huge amounts of桂stolen funds. Not so桂혫silent혬 after all!

Ways to桂Protect Your Customers

Knowing what the桂main types of桂ecommerce fraud are is桂one thing. But being able to桂effectively insulate you and桂your customers from fraud�셲 ill effects is桂quite another.

Below, we�셶e rounded up桂our top tips for桂helping you, your customer base, and桂your business remain beyond the桂covetous clutches of桂fraudsters.

Safeguard Customer Information

The first way you can protect your customers? Safeguarding their most important details. Here�셲 how:

Firewalls

By桂filtering and桂monitoring incoming (and outgoing) traffic, firewalls help maintain the桂security of桂your website, acting, basically, as桂a桂literal wall between your network and桂the桂wild, wild West of桂the桂internet at桂large.

Through this lens, firewalls are vital not only for桂securing your data systems but for桂maintaining PCI compliance. PCI DSS (Payments Card Industry Data Security Standards) is桂a桂set of桂regulations all businesses accepting credit and桂debit cards must follow. PCI compliance is桂a桂kind of桂혫seal of桂approval혬 that shows your customers, regulators, and桂the桂wider market that you can be桂trusted to桂handle sensitive data.

If桂you sell online with 붚죕쳔 by桂Lightspeed, your store is桂already PCI DSS compliant. 붚죕쳔 by桂Lightspeed is桂a桂PCI DSS validated Level 1桂Service Provider. This is桂the桂highest international standard for桂secure data exchanges for桂online stores and桂payment systems.

Enable Two-Factor Authentication (2FA)

Ensure 2FA is桂implemented, so桂anyone attempting to桂access your business�셲 backend platforms and桂processes will need to桂log in桂through two devices. If桂you or桂one of桂your team members is桂logging in桂from a桂desktop computer, for桂instance, you�셪l also need to桂confirm the桂attempt on桂another device, such as桂your phone, to桂gain access.

Other variations include:

Two-step variation (2SV): involves receiving a桂one-time code or桂password via email, message, or桂phone call which you must enter to桂log in.
Multi-factor authentication: a桂mix of桂multiple forms of桂authentication for桂one of桂the桂highest levels of桂security.

Business owners selling online with 붚죕쳔 by桂Lightspeed can use their Google or桂Facebook accounts to桂sign in桂to桂their 붚죕쳔 store. for桂your Google or桂Facebook account and桂thus protect your login information for桂붚죕쳔 as桂well.

If桂you want to桂add other team members (like fulfillment staff or桂a桂designer) to桂your 붚죕쳔 store, never share your 붚죕쳔 login with them. Instead, for桂each user in桂your store. Staff accounts have separate logins and桂don�셳 have access to桂your profile and桂billing pages.

Use a桂Secure Payment Gateway

If桂you want to桂offer your customers the桂highest level of桂payment peace of桂mind possible, a桂secure payment gateway is桂a桂must.

A桂payment gateway is桂the桂tech merchants use to桂accept credit and桂debit card purchases: both in-person and桂online. But not all payment gateways are created equal, particularly when it桂comes to桂fees and桂payout times. So桂be桂sure to桂pick the桂right one for桂your business�셲 unique needs.

붚죕쳔 by桂Lightspeed is桂integrated with dozens of桂. You can choose a桂payment system that is桂convenient both for桂your business and桂your customers.

More: How to桂Pick a桂Payment System For Your Ecommerce Store

Share Advice and桂Info with Your Customers

One of桂the桂easiest ways to桂protect your customers? Informing them.

Whether through emails, texts, or桂dedicated sections on桂your website, let your customers know of桂the桂fraud that exists and桂how they can protect themselves from it. (And help you protect them from it!)

Be桂sure to桂clearly lay out:

How your business greets its customers (so they can spot discrepancies)
How your business doesn�셳 greet its customers, and桂what it桂won�셳 request (i.e., their login details or桂to桂click a桂link to桂log in)
Clear, actionable tips for桂customers to桂keep their account details safe (if your business keeps customer accounts)
How to桂get in桂touch if桂something doesn�셳 look right or桂if桂the桂customer has questions
What security checks you�셱e introducing, if桂any
How the桂customer can safely update their details
What to桂do桂if桂they receive a桂scam email (i.e., a桂fraudster posing as桂your business) and桂how to桂report the桂fraudulent communication

Needless to桂say, these kinds of桂comms are vital. Not only do桂they inspire trust and桂offer an桂excellent user experience, but they also help reduce the桂risk of桂your customers falling prey to桂ecommerce fraud.

Remember, too, to桂make this info as桂accessible as桂possible. Your customers might not read their emails or桂thoroughly read through your website. So桂the桂more channels you can publicize this advice on, the桂better!

Keep Your Site Updated and桂Conduct Regular Security Audit

Earlier, we桂analogized the桂wider internet as桂a桂kind of桂혫Wild West혬: a桂frontier state where bandits and桂lawlessness abound.

Now, while that might be桂a桂little on桂the桂harsh side, there are plenty of桂threats out there and桂myriad methods via which phishers, hackers, and桂fraudsters can derail your business:

DoS (Denial of桂Service) attacks: a桂hacker attempts to桂stop users from accessing your site�셲 services.
DDoS (Distributed Denial of桂Service) attacks: the桂perpetrator doesn�셳 attack you directly but instead uses your site as桂a桂혫zombie혬 with which to桂harm another site. In桂a桂DDoS attack, your servers are inundated by桂requests from a桂bunch of桂untraceable IP桂addresses, crashing your site, and桂stopping traffic and桂sales.
Brute force attacks: here, hackers hit your website with thousands of桂different password combinations in桂an桂attempt to桂gain access.
Man in桂the桂middle (MITM) attacks: if桂your customer is桂accessing your site via a桂vulnerable network (i.e., public WiFi), hackers can 혫listen in혬 to桂the桂transaction and桂use it桂to桂extract sensitive data.
SQL injections and桂cross-site scriptings: these attacks exploit vulnerabilities in桂your site. In桂an桂SQL injection, hackers target your forms to桂gain access to, corrupt and桂steal information from your site�셲 backend. In桂cross-site scripting, hackers insert malicious snippets of桂code that steal your visitors�� information.

The fact that all these modes of桂attack exist? That�셲 the桂bad news. The good news, however, is桂that these hackers are opportunists. They�셱e looking for桂vulnerabilities in桂your site�셲 security and桂fraud prevention setup. That means, by桂keeping your site updated and桂regularly identifying, understanding, and桂plugging its vulnerabilities you can reduce the桂risk of桂a桂hacker targeting your website and桂business.

To桂do桂this, conduct regular security audits. Assess your site�셲 infrastructure for桂loopholes, exploring the桂backend and桂code (including extensions and桂themes) for桂anything hackers can exploit. Ensure:

Your passwords are strong
Your software is桂up桂to桂date
Your site�셲 (Secure Sockets Layer) certificate is桂up桂to桂date

Speaking of桂SSL certificates, if桂you created your ecommerce website with 붚죕쳔 by桂Lightspeed, you already have an桂SSL certificate by桂default.

If桂you added your 붚죕쳔 store to桂an桂existing website, you already have the桂free SSL certificate for桂your store. However, the桂rest of桂the桂website is桂a桂separate matter. You need to桂purchase an桂SSL certificate to桂protect sensitive information. Learn how to桂do桂that in桂the桂.

Another way to桂protect your website is桂to桂revise the桂list of桂your online store�셲 staff accounts and桂remove the桂staff members that you do桂not work with anymore. This way, you prevent hackers from taking advantage of桂these 혫back channels혬 to桂gain access to桂your site.

Key Times to桂Protect Your Website

So, now that we�셶e explained what fraud to桂look for桂and桂how to桂protect your website from it, let�셲 look at桂the桂령농깎꾈�밶넨 the桂key times throughout the桂year when hackers are most active.

Public Holidays

혫The Federal Bureau of桂Investigation (FBI) and桂the桂Cybersecurity and桂Infrastructure Security Agency (CISA) have observed an桂increase in桂highly impactful ransomware attacks occurring on桂holidays and桂령깎깎곗깎꾈삣끅�뱖농깎꾈 offices are normally 낌깜늡끅깎삣�밿꾈 the桂United States, as桂recently as桂the桂Fourth of桂July holiday in桂2021.혬桂�� , 2021.

Christmas, Easter, Memorial Day, Independence 뛰껸꿎�뱓농늡넵껨농 the桂rest of桂us桂are spending time with our families and桂unwinding, hackers are doing anything but relax.

Increased distraction on桂the桂part of桂the桂customer or桂end-user and桂less staff and桂resources on桂the桂business�셲 end means conditions are rife for桂hacking.

Against this backdrop, don�셳 let your business get caught out. Don�셳 wait until the桂next holiday to桂set your site�셲 security up桂for桂success, or桂find yourself scrambling to桂audit your site mere days before the桂long Mother�셲 Day weekend. Remember that old Chinese proverb?

The best time to桂plant a桂tree was 20桂years ago. The second best time is桂today.

Weekends

Hackers tend to桂target businesses when they�셱e most vulnerable and桂when they�셱e closed.

That�셲 why weekends, particularly long ones, where public holidays are involved, are ripe opportunities for桂hackers. Still, that doesn�셳 mean you should let your guard down during the桂rest of桂the桂week. Hackers, on桂average, attack a桂staggering , so桂you need to桂remain vigilant.

Conclusion

As桂the桂opportunities of桂ecommerce evolve, so桂do桂its threats.

With so桂many scaremongering statistics out there, it桂can be桂easy to桂want to桂put your fingers in桂your ears, turn a桂blind eye, and桂take an桂혫ignorance is桂bliss혬 approach.

But this mentality doesn�셳 take into account that with those threats come even more exciting opportunities.

To桂make the桂payment process safer, easier, more convenient and桂more consistent than ever before. To桂build your brand, engender customer loyalty, and桂boost trust with your audience by桂showing them that you value their privacy and桂respect the桂sensitivity of桂their data. And, in桂the桂process, lay the桂foundations for桂your ecommerce business�셲 solid, sustainable success.

桂

About The Author

Rob Binns is a freelance copywriter and editor based in Melbourne, Australia. When not penning content about ecommerce and digital security, he�셲 playing (or watching!) football, or relaxing in the sun with a book and a cold beer.

붚죕쳔