Preventing merchant fraud.

Apr 10 2018 | PayPal editorial staff

You might think your ecommerce website is too small to be of much interest to online criminals. Sadly, you’d be dead wrong.
According to a study by Nationwide, 63% of small businesses have fallen victim to a cyberattack.[1]

An attack like that can be very damaging. At the very least, if you accept a fraudulent payment, you could be held financially responsible for the loss. But there are steps you can take to help minimize your risk, and we’ve outlined them below.

How fraudsters operate.
Before we talk about what you can do to minimize your risk, it’s helpful to understand the common tactics fraudsters use. Online fraudsters generally rely on two methods to steal money:
  • Account takeover: You probably provide customers with accounts that store personal information, financial information, and purchase history. Fraudsters often hack into these accounts through phishing schemes. In one of the most common, fraudsters send emails to trick customers into revealing usernames and passwords. The fraudsters then log in to your customers’ accounts, change the passwords, and make unauthorized purchases.
  • Identity theft: Although most businesses take many precautions to secure customer data, fraudsters still manage to hack into databases and steal usernames, passwords, credit card numbers, and personal information.
Hackers often sell credit card numbers to other fraudsters who open accounts with online retailers and use the stolen numbers to pay for purchases. This type of fraud is difficult to detect because many people don’t check their credit card statements thoroughly — and because victims typically have no idea that someone opened an online account in their names.

PCI compliance and you.
To help businesses protect themselves and their customers from online fraud, the Payment Card Industry Security Standards Council (PCI SSC), a forum of global card brands including Visa, Inc., MasterCard and others, has developed a set of best business practices to safeguard consumers’ data.

Complying with these standards (known as PCI compliance) is not optional and is strictly enforced. Many of the recommendations below fall within the PCI standards, but visit the PCI Security Standards website for the full requirements. Your payment processor can also help you comply; many, like PayPal, build PCI compliance into the solutions they offer businesses of all sizes.

Managing your risk.
Although the potential for fraud is high in online transactions, it doesn’t mean you must accept it as part of doing business online. By putting the right tools and processes in place, you can help keep your business and your customers secure – and reduce your chances of drowning in chargeback fees and lost revenues.

Below are a few recommendations from the PayPal Security Center.

Monitor transactions and reconcile your bank accounts daily.
Nobody knows your business as well as you do. You know your biggest spenders and their buying patterns. Monitor your accounts and transactions looking for any red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers — there are tools that trace customers’ IP addresses and alert you to those from countries known as a base for fraudsters.

Also, check to see if your customers are using free or anonymous email addresses (such as Gmail or Yahoo email addresses), as there’s a much higher incidence of fraud coming from free email service providers than from paid. Check out Common Fraud Schemes from the FBI for more information.

Consider setting limits.
Using your unique knowledge of your business, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. It can help keep your exposure to a minimum should fraud occur.

Use the address verification system (AVS).
AVS compares the numeric parts of the billing address submitted with the card payment (street number and ZIP code) to the address the card issuer has on file. This fraud tool is included in most payment processing solutions, but check with your payment processor to be sure it’s supported.

Require the card verification value (CVV).
You’re familiar with this three- or four-digit security code printed on credit cards. What you might not know is that PCI rules prevent you from storing the CVV along with the credit card number and card owner’s name. (That’s why it’s so effective – it’s virtually impossible for fraudsters to get it unless they’ve stolen the physical credit card.) Most processors include a tool to require CVV as part of their checkout templates. Use it.
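The recommendations above (daily monitoring for red flags such as inconsistent billing and shipping details and free email providers, per-account daily limits, and the AVS and CVV results returned by the processor) combine naturally into a small end-of-day screening rule set. The following Python is an added example written for this page, not PayPal's code or any processor's API. It assumes single-letter AVS and CVV result codes as many processors return them (Y full match, A or Z partial, N no match; M CVV match, N mismatch), a constructed list of free email domains, example limits, and a constructed day of orders; your processor's codes and your limits will differ.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Limits chosen for this example; set yours from your own knowledge of the business.
MAX_ORDERS_PER_ACCOUNT_PER_DAY = 3
MAX_AMOUNT_PER_ACCOUNT_PER_DAY = Decimal("500.00")

# Free / anonymous mail providers (constructed, partial list).
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Single-letter AVS and CVV result codes as many processors return them; assumed
# here for illustration. Check your own processor's documentation for its codes.
AVS_FULL_MATCH = {"Y"}      # street number and ZIP both match
AVS_PARTIAL = {"A", "Z"}    # only the street number (A) or only the ZIP (Z) matched
AVS_NO_MATCH = {"N"}
CVV_MATCH = {"M"}
CVV_NO_MATCH = {"N"}


@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    email: str
    amount: Decimal
    billing_country: str
    shipping_country: str
    avs_result: str
    cvv_result: str


def order_flags(order: Order) -> list[str]:
    """Red flags visible on a single order."""
    flags = []
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_DOMAINS:
        flags.append("free-email")
    if order.billing_country != order.shipping_country:
        flags.append("billing/shipping country mismatch")
    if order.avs_result in AVS_NO_MATCH:
        flags.append("avs-no-match")
    elif order.avs_result in AVS_PARTIAL:
        flags.append("avs-partial")
    elif order.avs_result not in AVS_FULL_MATCH:
        flags.append("avs-unavailable")
    if order.cvv_result in CVV_NO_MATCH:
        flags.append("cvv-no-match")
    elif order.cvv_result not in CVV_MATCH:
        flags.append("cvv-not-checked")
    return flags


def velocity_flags(orders: list[Order]) -> dict[str, list[str]]:
    """Per-account daily limits. Expects one day's orders in time order and
    returns order_id -> flags for the orders that pushed an account over a limit."""
    count: dict[str, int] = defaultdict(int)
    total: dict[str, Decimal] = defaultdict(Decimal)
    flagged: dict[str, list[str]] = defaultdict(list)
    for o in orders:
        count[o.account] += 1
        total[o.account] += o.amount
        if count[o.account] > MAX_ORDERS_PER_ACCOUNT_PER_DAY:
            flagged[o.order_id].append("daily-order-count-limit")
        if total[o.account] > MAX_AMOUNT_PER_ACCOUNT_PER_DAY:
            flagged[o.order_id].append("daily-amount-limit")
    return dict(flagged)


HOLD_FLAGS = {"avs-no-match", "cvv-no-match", "daily-order-count-limit", "daily-amount-limit"}


def screen(orders: list[Order]) -> dict[str, str]:
    """order_id -> 'accept', 'review' (a person looks at it) or 'hold' (do not ship)."""
    by_velocity = velocity_flags(orders)
    decisions = {}
    for o in orders:
        flags = set(order_flags(o)) | set(by_velocity.get(o.order_id, []))
        if flags & HOLD_FLAGS:
            decisions[o.order_id] = "hold"
        elif flags:
            decisions[o.order_id] = "review"
        else:
            decisions[o.order_id] = "accept"
    return decisions


# Constructed sample day: account acct-40 places three 200.00 orders and the
# third one pushes it past the daily amount limit.
SAMPLE_ORDERS = [
    Order("o1", "acct-17", "jane@example.com", Decimal("49.99"), "US", "US", "Y", "M"),
    Order("o2", "acct-22", "buyer88@gmail.com", Decimal("120.00"), "US", "CA", "Z", "M"),
    Order("o3", "acct-31", "x@example.net", Decimal("300.00"), "US", "US", "N", "N"),
    Order("o4", "acct-40", "a@example.org", Decimal("200.00"), "GB", "GB", "Y", "M"),
    Order("o5", "acct-40", "a@example.org", Decimal("200.00"), "GB", "GB", "Y", "M"),
    Order("o6", "acct-40", "a@example.org", Decimal("200.00"), "GB", "GB", "Y", "M"),
]

if __name__ == "__main__":
    for order_id, decision in screen(SAMPLE_ORDERS).items():
        print(order_id, decision)
```

The split between "review" and "hold" is deliberate: a partial AVS match or a free email address is common among honest buyers and only justifies a look by a person, while a CVV mismatch or a broken daily limit is worth stopping shipment until the order is confirmed. As the article says, the final decision to accept a transaction stays with you.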

Get tougher with password requirements.
Hackers employ sophisticated programs that can run through all the permutations of a password. It won’t take them long to crack a four-character alphanumeric password (such as “abcd”). Best practices these days call for (at least) an eight-character alphanumeric password with at least one capital letter and one special character (for example, “P0r$che9!!”). Your customers might grumble, but it’s better safe than hacked.
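To make the policy above enforceable at sign-up, and to show why a four-character password falls so quickly, here is an added Python example written for this page (not PayPal's code). It checks a password against the stated rules (at least eight characters, letters and digits, a capital letter, a special character) and estimates the number of candidates an exhaustive guesser would have to try. The guess rate of one billion per second is an assumption used only to put the two search spaces side by side.

```python
import string

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)   # the 32 printable ASCII punctuation characters


def password_failures(pw: str) -> list[str]:
    """Rules the password breaks under the policy above; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        failures.append("no letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    return failures


def search_space(pw: str) -> int:
    """Number of candidates an exhaustive guesser must cover: alphabet size raised
    to the length, where the alphabet is the union of character classes used."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(SPECIALS)
    return alphabet ** len(pw)


def years_to_exhaust(pw: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at the given rate (the rate is an assumption)."""
    return search_space(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("abcd", "P0r$che9!!"):
        print(candidate, password_failures(candidate) or "passes",
              f"{search_space(candidate):.3e} candidates",
              f"{years_to_exhaust(candidate):.2e} years at 1e9 guesses/s")
```

The example password from the article, “P0r$che9!!”, passes all five rules and sits in a space of 94^10 candidates; “abcd” fails four of them and sits in 26^4. Note that the estimate is for exhaustive guessing only: a password built from a dictionary word with substitutions is found far sooner by a guesser that tries common words first, which is why the policy is a floor rather than a guarantee.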

Keep your platforms and software up to date.
Make sure you’re running the latest version of your operating system (OS), as OS providers continually update their software with security patches to protect you from newly discovered vulnerabilities, as well as the latest viruses and malware.

Likewise, install and regularly update business-grade anti-malware and anti-spyware software (free, limited-feature, and consumer-strength anti-virus software are not sufficient) to prevent attacks that exploit outdated software vulnerabilities.

Note: If your site is hosted on a managed solution, such as Bigcommerce, automatic security patches help ensure that any vulnerabilities are quickly resolved.

An ounce of prevention…
Use these tools in tandem to enhance your risk management processes while remembering that only you can decide whether to accept a transaction. It’s up to you to implement a coherent, consistent fraud management process. Following the above recommendations is a good start to protecting your customers and your business. More powerful protection comes when you combine multiple improvements. Your customers have entrusted their financial information when purchasing from you — make sure you keep it secure.

 
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

[1] Nationwide, “Most Small Businesses Unprepared for Cyber Criminals,” November 2015.

Frequently asked questions.

Fraud tools are used throughout the industry to help fight fraud. The fraud tools listed below are available through PayPal and other fraud management vendors.


Address Verification Service (AVS)
  • Use AVS to verify that the billing address matches the one the card issuer has on file. AVS compares the street number and ZIP code entered by the customer with information maintained by the card issuer.
  • To turn on the AVS fraud filter through PayPal, follow the Fraud Management Filters steps below.

Other PayPal Fraud Management Filters
  • Maximum Transaction Amount filters on the total amount of the transaction (including tax, shipping, and handling fees). Transactions that exceed the maximum amount trigger this filter.
  • Unconfirmed Address filters payments when we have not confirmed the customer’s shipping address and the transaction is more than an amount you specify.
  • Country Monitor filters payments from countries that you believe pose an increased risk of fraud. This filter screens the customer's IP address, billing address, and shipping address for matches with your list of high-risk countries.

Here's how to set up your basic Fraud Management Filters:
  1. Click Tools.
  2. Click All Tools.
  3. Scroll down and click PayPal Fraud filters.
  4. Enable desired filters.
  5. Click Save.
Card Security Code (CSC)
  • Ask customers for their CSC. This is the 3- or 4-digit number located on the card that helps confirm they have the card with them. The CSC filter compares the number provided by the customer against the number on file with the issuer. A valid CSC helps verify that your customer has the physical card with them when they place an order. An invalid code could be the result of a customer's typographical error, or it could indicate that a fraudster did not have the card with them.
  • To turn on the CSC fraud filter through PayPal:
    1. Click Tools.
    2. Click All Tools.
    3. Scroll down and click PayPal Fraud filters.
    4. Enable desired filters.
    5. Click Save.

Look up the card BIN
  • The first 6 digits on a card are called the Bank Identification Number (BIN). They identify the financial institution that issued the card. Use a BIN check service to find out where the card was issued. Be cautious if the billing address country and the card issuer country don’t match.
  • BIN checks are available at www.bin2country.com and can be purchased through fraud management companies.

Use IP geolocation tools
  • IP geolocation is a good way to pinpoint the geographic location of the computers used for transactions, including the city, state and country. To be proactive about a potential fraudulent transaction, you can check the geolocation details against the billing and shipping address country your customer provided. If the geolocation information doesn’t match, it could be fraud.
  • You can also use IP geolocation to look for anonymous proxies (a tool that attempts to make online activity untraceable). Orders that originate from anonymous proxies are more suspicious because fraudsters use them to hide their location. However, legitimate customers who value privacy could also use anonymous proxies to protect their information, so this might not always indicate fraud.
  • What can I do if the IP geolocation information does not match the billing or shipping address?
    • Resolve the discrepancy by contacting the customer or by following step 3 below.

Device Identification
  • Device Identification tools can be used to help identify the computer or phone that placed the order. Each computer or phone has unique characteristics.
  • Device identification can determine if a buyer is repeatedly visiting your site using different information (names, addresses, IPs, credit cards, computer browsers, etc.) to mask their identity.
  • You can search online for a list of third party vendors providing this service.
You can also reach the AVS and CSC settings through your PayPal profile:
  1. Log in to your PayPal account.
  2. Go to the Business Profile icon beside "Log out" and select Profile and settings.
  3. Click My Selling Tools.
  4. Click Update next to "Managing Risk and Fraud" in the "Getting paid and managing my risk" section.
  5. Review your AVS and CSC settings and, if you find it necessary, edit them.
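The BIN lookup, IP geolocation and Device Identification items above all reduce to cross-checking signals that should agree for an honest order: the issuer country from the BIN against the billing country, the connecting IP's country against billing and shipping, a proxy indicator, and how many distinct identities one device has presented. The Python below is an added example written for this page, not PayPal's or any vendor's code. The BIN table and the IP prefix table are constructed stand-ins for a BIN check service and an IP geolocation service (a real deployment would call the vendor's API); the card numbers, IP addresses and names are constructed sample data.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for a BIN lookup service and an IP geolocation service
# (assumption: a real deployment calls the vendor's API instead of these tables).
BIN_COUNTRY = {"411111": "US", "510000": "GB", "400000": "DE"}
IP_GEO = {                       # address prefix -> (country, is_anonymous_proxy)
    "198.51.100.": ("US", False),
    "203.0.113.": ("GB", False),
    "192.0.2.": ("US", True),
}


@dataclass(frozen=True)
class Order:
    order_id: str
    name: str
    card_number: str
    billing_country: str
    shipping_country: str
    ip: str
    device_id: str


def bin_country(card_number: str) -> str | None:
    """Issuer country from the first 6 digits (the BIN), or None if unknown."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return BIN_COUNTRY.get(digits[:6])


def ip_geolocate(ip: str) -> tuple[str | None, bool]:
    """(country, is_anonymous_proxy) for the connecting address."""
    for prefix, info in IP_GEO.items():
        if ip.startswith(prefix):
            return info
    return (None, False)


def geo_flags(order: Order) -> list[str]:
    """Geographic inconsistencies between the card, the addresses and the connecting IP."""
    flags = []
    issuer = bin_country(order.card_number)
    if issuer is None:
        flags.append("bin-unknown")
    elif issuer != order.billing_country:
        flags.append("bin-country != billing-country")
    ip_country, proxy = ip_geolocate(order.ip)
    if proxy:
        # Suspicious, not conclusive: privacy-minded buyers also use proxies.
        flags.append("anonymous-proxy")
    if ip_country is None:
        flags.append("ip-country-unknown")
    elif ip_country not in (order.billing_country, order.shipping_country):
        flags.append("ip-country != billing/shipping")
    return flags


def device_reuse(orders: list[Order], max_identities: int = 2) -> dict[str, int]:
    """device_id -> number of distinct (name, card) identities, for devices that
    presented more identities than max_identities across the given orders."""
    identities: dict[str, set] = defaultdict(set)
    for o in orders:
        identities[o.device_id].add((o.name, o.card_number))
    return {d: len(ids) for d, ids in identities.items() if len(ids) > max_identities}


# Constructed sample orders; device dev-C shows up with three different identities.
SAMPLE_ORDERS = [
    Order("d1", "Ann Lee", "4111 1111 1111 1111", "US", "US", "198.51.100.7", "dev-A"),
    Order("d2", "Ben Ortiz", "5100 0000 0000 0008", "US", "US", "198.51.100.9", "dev-B"),
    Order("d3", "Ann Lee", "4111 1111 1111 1111", "US", "US", "192.0.2.5", "dev-C"),
    Order("d4", "Carl Weiss", "4000 0000 0000 0002", "DE", "FR", "203.0.113.4", "dev-C"),
    Order("d5", "Dana Kim", "4111 1111 1111 1111", "US", "US", "198.51.100.20", "dev-C"),
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(order.order_id, geo_flags(order) or "consistent")
    print("devices over identity limit:", device_reuse(SAMPLE_ORDERS))
```

Each flag here is a reason to contact the customer before shipping rather than a verdict on its own: the FAQ itself notes that an anonymous proxy may belong to a privacy-conscious buyer, and a BIN whose country differs from the billing address is common for travellers and expatriates. The device check is the one signal that is hard to explain innocently when the count climbs, because it ties together orders that were meant to look unrelated.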

 

PayPal lets you quickly and securely send and receive money for goods, services and more.

With PayPal you can:

  • Shop online in more than 200 countries and regions.
  • Send money securely to friends and family around the world.
  • Checkout quickly at hundreds of your favorite online stores.
  • Accept credit cards on your website.
  • Make donations to your favorite charity.
  • Set up an online shop and receive payments.
  • Use your credit card and earn rewards.

At PayPal, your financial security is our highest priority. We use the latest anti-fraud technology to help make sure your transactions are safer and you’re 100% protected against unauthorized payments sent from your account.

PayPal Payments Standard is the easiest way to securely accept debit and credit cards, PayPal and PayPal Credit. It takes the hassle out of accepting payments online. You handle the sales. We handle everything from the checkout process to security and mobile compatibility. Plus:
  • No advanced programming is needed.
  • Your customers don’t need a PayPal account to pay you.
  • It’s optimized for customers on smartphones or tablets.
And unlike many full payment-processing solutions, PayPal Payments Standard has no application, setup or monthly fees, or long-term commitments. You start paying when you start selling.

What can I do with PayPal Payments Standard?

PayPal Payments Standard lets you accept credit and debit cards on your website or through an online marketplace such as eBay or Etsy. Buying is straightforward: We handle the checkout process and then send customers back to your site. Fees are a flat amount per transaction, so selling is just as simple. To see all discounts and fees, take a look at our fees page.

You can use PayPal Payments Standard to send invoices online too, so you can get paid sooner. For offline payments, you can add PayPal Here, a mobile payments solution, to your account to let you take payments on the go using your smartphone or tablet. (Alternate rates apply.)

With PayPal Payments Standard, you’re also eligible to apply for the free PayPal Business Debit MasterCard®.

As with all of our payment solutions, PayPal Payments Standard helps protect your business with our Automatic Fraud Screening, industry-leading data security and reliable customer service.
