Transaction Security for the Holiday Season
The holiday season is upon us, and with it comes an increase in customer traffic and purchases. More than 164 million consumers planned to shop on Thanksgiving weekend alone, according to the National Retail Federation, while a Deloitte survey found 51% of that spending will be done online.
It’s a huge opportunity to beat sales forecasts, but fraud can quickly eat into the revenues generated. Data breaches are on the rise, and, while you see the increased holiday traffic as a way to be nice to customers, hackers see it as an opportunity to be naughty.
Protecting customer information and securing financial transactions have always been major concerns for all businesses. But these measures can especially make or break your business during a time when even a second of downtime can be costly. The purpose of this guide is to walk you through essential security protocols you should have in place before the holiday rush hits.
- Online Transactions
- Protecting Your In-Store Network
- Guarding Against Fraudulent Transactions
- Training Your Seasonal Staff
- A Warning About EMV Liability Rules
Online Transactions
Most holiday purchases this year will happen online, so that’s where we’ll start with security. For starters, you’ll want to ensure that your transactions are encrypted and as secure as possible.
One of the most common (and best) ways to secure online transactions is using 3-D Secure (a.k.a. Verified by Visa, MasterCard SecureCode, and American Express SafeKey).
With 3D Secure, transactions receive an extra layer of security by transferring customers to the card issuer’s secure 3DS portal for password authentication. This extra level of verification helps prevent fraud with online transactions, as customers input their personal PIN to complete the transaction.
Utilizing 3D Secure can also help protect you from chargebacks, and the card brands consider it to be one of the most stringent anti-fraud tools available. When used properly, it can be cited as a defense if you receive a chargeback on a transaction that successfully passed 3D Secure.
If you haven’t implemented 3D Secure and want to take advantage of the service, check out our articles below for more details.
Regardless of whether you utilize 3D Secure, end-to-end encryption is necessary throughout your company’s networks, databases, and websites to ensure communications between your servers and a consumer’s web browser are secure. You can check the security of your ecommerce website at Qualys SSL Labs.
Address Verification Service is another method that can be used as an online fraud deterrent. When you use AVS, the person paying by credit or debit card is asked to enter their name and address, which is then cross-referenced against the information that the card issuer has on file. If the address and zip code don’t match, it’s flagged as a likely fraudulent transaction.
You can control how strictly AVS is enforced. Some processors allow you to choose whether to automatically decline transactions if any part of the address doesn’t match, decline transactions if only a piece of the address doesn’t match (such as an incorrect zip code or street number), or flag transactions for manual review instead of automatically declining.
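The three enforcement choices described above can be written as a small decision policy. This is an added example, not code from the original article or from any processor. The single-letter result codes, the policy names, and the choice to send an unavailable result to manual review are assumptions, and the second option is read here as declining on one chosen field.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    REVIEW = "review"    # hold the order for manual review
    DECLINE = "decline"


# Illustrative AVS result codes -> (street matched, zip matched).
# Assumption: your processor returns codes like these; confirm in its docs.
AVS_RESULTS = {"Y": (True, True), "A": (True, False),
               "Z": (False, True), "N": (False, False)}


@dataclass(frozen=True)
class AvsPolicy:
    # Fields ("street", "zip") whose mismatch causes an automatic decline.
    decline_on: frozenset


STRICT = AvsPolicy(frozenset({"street", "zip"}))  # any mismatch declines
ZIP_ONLY = AvsPolicy(frozenset({"zip"}))          # only a zip mismatch declines
REVIEW_ONLY = AvsPolicy(frozenset())              # mismatches are only flagged


def avs_decision(code: str, policy: AvsPolicy) -> Decision:
    result = AVS_RESULTS.get(code.strip().upper())
    if result is None:
        # Unavailable or unrecognized result: never approve automatically.
        return Decision.REVIEW
    street_ok, zip_ok = result
    mismatched = {name for name, ok in (("street", street_ok), ("zip", zip_ok))
                  if not ok}
    if not mismatched:
        return Decision.APPROVE
    if mismatched & policy.decline_on:
        return Decision.DECLINE
    return Decision.REVIEW  # mismatch on a field the policy does not decline on


def triage(orders, policy):
    """Map each (order_id, avs_code) pair to a Decision under the policy."""
    return {order_id: avs_decision(code, policy) for order_id, code in orders}


# Constructed sample orders: (order id, AVS result code from the processor).
SAMPLE_ORDERS = [("1001", "Y"), ("1002", "A"), ("1003", "Z"),
                 ("1004", "N"), ("1005", "U")]

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("zip-only", ZIP_ONLY),
                         ("review-only", REVIEW_ONLY)):
        print(name, {k: v.value for k, v in triage(SAMPLE_ORDERS, policy).items()})
```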
Protecting Your In-Store Network
Although Cyber Monday encourages online shopping, 47% of American adults still prefer shopping in store, according to a recent Coldwell Banker Commercial Affiliates survey. To help lure more customers, many brick-and-mortar locations are now adding high-tech concepts, including virtual and augmented reality, geo-tracking, and more.
This technology is great, but it also needs to be secure. A Ponemon Institute Survey sponsored by Arbor Networks found it takes an average of 197 days for digital threats to be identified in the retail industry. Cybersecurity is a 0-day environment, and a breach that isn’t identified for 6 months can be devastating for any business.
Even something as simple as offering free Wi-Fi to customers can compromise your store’s network if not properly encrypted. The KRACK WPA2 Wi-Fi vulnerability was made public in October 2017, and you can bet bad actors will be trying to exploit the plethora of WPA2-secured Wi-Fi networks. Make sure you update your Wi-Fi router to protect it from this crippling vulnerability.
Any customer using your store’s Wi-Fi can essentially exploit the entire network, accessing cloud-connected POS terminals, backend customer databases, and more. Be sure to carefully monitor in-store network traffic at all times this holiday season. PC Magazine has a great chart of leading tools to accomplish this.
Also be on the lookout for card skimmers and shimmers. While most POS terminals in the U.S. have been upgraded to accept chip cards, they still allow for magnetic stripe cards, which are susceptible to card skimmers.
On top of this, new devices called shimmers can pull information off a chip card to create a magnetic stripe card. Even with a self-checkout terminal, it’s important to have staff supervision and security measures in place to prevent these devices from being attached to your card readers. Regularly inspect credit card machines for signs of tampering.
Guarding Against Fraudulent Transactions
Most of the information in this article is geared toward what you can do as a business to mitigate fraud, but banks and credit card companies are also hard at work combatting it. New technologies are constantly being released, and EMV chip cards are hardly the end-all solution. One promising technology is biometric cards.
By 2022, analysts predict over 160 million payment cards with fingerprint sensors will be shipped. Fingerprints have long been used by law enforcement and government agencies to identify people, and fingerprint sensors are commonly used in new-model smartphones like the iPhone and Galaxy. The fingerprint verification is then implemented in mobile payment and digital wallet solutions.
It only makes sense to have these sensors built into payment cards as well. If someone stole your credit card, they’d also need to steal your fingerprint, or it would be useless. Biometric cards are still five years away from becoming commonplace, but know that the credit card and banking industries are constantly researching new ways to proactively defend against fraud.
Training Your Seasonal Staff
Both IT professionals and hackers know that the weakest link in digital security will always be people. Your business can have all the high-tech security of Fort Knox, but it can still be compromised by employee negligence or incompetence. The problem is exacerbated during the holidays when your schedule is filled with temporary employees who don’t always have the same dedication or training as your full-time team.
It’s important to keep your staff (especially customer-facing employees) abreast of fraud trends and what to look out for. Criminals use a variety of ways to steal from retailers, including printing fake UPC codes to purchase goods at a lower price, returning products that were never purchased, and so much more.
Make security a top priority for all team members, and ensure everyone is on the lookout for telltale signs of fraudulent activity.
A Warning About EMV Liability Rules
Since October 2015, EMV requirements have shifted fraud liability to businesses that don’t use chip readers. This means if you’ve upgraded to EMV chip-capable terminals, you’re protected, right?
With the introduction of chipped cards, fraudulent activity has increased 113% in call centers, according to Pindrop’s 2017 Call Center Fraud Report. Whereas in 2015 one out of every 2000 calls was fraudulent, one of every 937 was fraudulent in 2016. Scammers have learned it’s relatively easy to social engineer call center employees to illegally access accounts, make purchases, use reward points, etc.
While most business owners focus security on online and in-store transactions, call centers are easily the softest target for crime during the holiday season. In addition to the online security steps listed above, ensure your customer contact teams are fully trained on how to recognize and handle these problems.
Before accessing any in-store rewards account, it’s necessary to obtain two forms of verification, such as the customer’s date of birth, last four digits of their SSN, or billing address. This provides a layer of proactive protection before the call even starts. Purchases and orders should be sent to the billing address on the card used to make a purchase, and common sense must be used to ensure the person you’re talking to is who they say they are.
No security system is 100% foolproof. It takes a team effort to keep your business safe during the holiday rush. But with a little bit of proactive planning, training, and monitoring, you can reduce the revenue lost to financial fraud. Good luck, and stay safe this holiday season.