Customer credit card security is important if you want to retain customers and protect your business. The first major vulnerability for an ecommerce site is the checkout page, where the customer’s credit card information is collected and transmitted. At an absolute minimum, you need to have your checkout page hosted on a secure server. A secure server is evidenced by a URL that starts with HTTPS:// and not the traditional HTTP://.
Secondarily, it’s a good idea to invest in an SSL or certified secure server page. Both the secured server and certified SSL will be offered by your hosting company and can easily be set up. A certified SSL comes with a certificate that customers can use to validate the encryption services and security of your website. Securing your checkout page limits the risk of your customer’s credit card information being stolen by identity thieves and therefore limits your liability.
A second and increasingly apparent vulnerability for ecommerce sites is credit card validation procedures. It is a good idea to validate customer credit card information on as many fields as possible. There is certainly a balance here: you don’t want to force your customers to enter too much data at checkout, but with too few fields you open yourself up to fraud. Here are the suggested minimums.
- Billing Address
- Billing Zip
- Credit Card Number
- Expiration Date
- CVV Code
If you do not capture the CVV code at the time of checkout, you waive your rights to fight chargebacks initiated by the customer. Additionally, if you do not validate the credit card credentials, you open your business up to liability from credit card testing programs. A credit card testing program is a computer-generated attack on your website in which credit card numbers are tested to see if an authorization can be achieved. It is not uncommon for credit card testing programs to run 100,000 credit cards on your website overnight. The unsettling part: your business is liable for the transaction charges for the attempted authorizations. 100,000 attempted authorizations at $0.08 per transaction comes out to $8,000 in transaction charges, overnight.
Next, it is a good idea to choose a trusted merchant service provider that has tools to help limit your exposure to cyber-attacks. Let’s face it, more online business means more online criminals. The most common cyber-criminals are those attempting to steal credit card numbers to then purchase items with the stolen card numbers. How can you protect against these types of attacks?
Choose a merchant service provider that offers fraud protection tools
Fraud protection tools are cheap insurance against cyber criminals. The right tools can make the difference between a successful online presence and being put out of business. Fraud attempts can be eliminated with a rules-based fraud detection application that examines each transaction before it is processed. Here are some examples of the rules that can be set up.
- If a daily, weekly or monthly number of transactions or total dollar amount is exceeded, flag the transaction for review or auto-decline
- If a user tries a credit card X number of times, flag or decline
- If the first XXX digits of a credit card are attempted, flag or decline
- If a daily, weekly or monthly number of transactions or total dollar amount attempted from a single IP address or block of IP addresses is exceeded, flag or decline
- Ban a single IP address or blocks of IP addresses
- Ban specific credit cards
- Ban geographic areas
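A minimal sketch of how such rules can be evaluated before a transaction is sent for authorization, added here as an illustration and not any merchant provider's code. The thresholds, the card token and prefix fields, and the addresses are constructed assumptions; geographic bans are left out.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW = 24 * 3600          # "daily" window in seconds (assumed)
MAX_TXN_PER_IP = 5          # assumed thresholds; tune to your own traffic
MAX_AMOUNT_PER_IP = 500.0
MAX_TRIES_PER_CARD = 3
MAX_TRIES_PER_BIN = 10      # attempts sharing the same leading card digits
BANNED_NETS = [ip_network("203.0.113.0/24")]   # constructed documentation range
BANNED_CARDS = {"tok_banned"}                  # constructed token

class RuleEngine:
    def __init__(self):
        # Each key maps to a deque of (timestamp, amount) events in the window.
        self.history = defaultdict(deque)

    def _hit(self, key, now, amount):
        q = self.history[key]
        while q and now - q[0][0] >= WINDOW:   # expire events older than window
            q.popleft()
        q.append((now, amount))
        return len(q), sum(a for _, a in q)

    def evaluate(self, now, ip, card_token, bin_prefix, amount):
        """Return (decision, reasons); decision is approve, flag or decline.

        card_token is the processor's token or a keyed hash of the card
        number, so the engine never stores the raw number.
        """
        if any(ip_address(ip) in net for net in BANNED_NETS):
            return "decline", ["banned IP range"]
        if card_token in BANNED_CARDS:
            return "decline", ["banned card"]
        ip_count, ip_total = self._hit(("ip", ip), now, amount)
        card_count, _ = self._hit(("card", card_token), now, amount)
        bin_count, _ = self._hit(("bin", bin_prefix), now, amount)
        decline, flag = [], []
        if card_count > MAX_TRIES_PER_CARD:
            decline.append("card retried too often")
        if bin_count > MAX_TRIES_PER_BIN:
            decline.append("card prefix attempted too often")
        if ip_count > MAX_TXN_PER_IP:
            flag.append("IP transaction count exceeded")
        if ip_total > MAX_AMOUNT_PER_IP:
            flag.append("IP dollar total exceeded")
        if decline:
            return "decline", decline + flag
        return ("flag", flag) if flag else ("approve", [])
```

Declined attempts still count toward the window, so a card testing run that keeps retrying stays blocked rather than resetting its own counters.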
Last, make sure your customers know the effort you have made to protect them and their credit card information. By taking the appropriate steps to protect your customers you are laying the foundation for a very successful online presence.