Accepting credit card payments online is an excellent way for small businesses to streamline sales and attract customers. However, safeguarding your business and customers is critical, and so is mitigating common risks and types of fraud that proliferate online.
We’ll explore expert tips and advice about small business credit card processing online and what business owners should understand about card-not-present payments.
Card-not-present payments, such as online payments and credit card payments accepted over the phone, are less secure than accepting a card physically at a retail location. Here are five tips to reduce the risks associated with these transactions.
Want to ensure the person trying to purchase something remotely is the authorized account holder? A straightforward way to check is to ask that person to verify the account’s billing address.
“For mail order or telephone order card-not-present transactions, always use address verification or [the] Address Verification Service,” said Joe Palko, an e-commerce consultant with Your Store Wizards.
The AVS fraud prevention system is an excellent way to ensure the online purchaser or the person on the phone is the cardholder because people who try to commit payment fraud with stolen credit cards often don’t know the billing address.
If your business ships goods to buyers who have paid with a credit card online or over the phone, check the shipping address and the billing address.
“If you are shipping an order for a card-not-present transaction, always look at the shipping address,” Palko advised. “An abnormally large percentage of fraudulent transactions are shipped to addresses that are different from the billing address.”
Additionally, Palko said to pay special attention to shipping addresses in cities known for busy international shipping ports.
“Watch for addresses in Miami or Los Angeles,” he said. “These are major port cities where shipping consolidators will export the products overseas.”
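The two address checks above can be combined into a single order-screening step that holds suspicious orders for manual review. The following is an added example, not code from the article or from any payment processor; the order layout, the `street_match`/`zip_match` AVS fields, the abbreviation table and all function names are assumptions made for illustration.

```python
import re

# Assumption: abbreviations worth expanding before comparing address lines.
ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "blvd": "boulevard",
                 "dr": "drive", "apt": "apartment", "ste": "suite"}
# Watchlist built from the two cities named above; tune it to your own order history.
PORT_CITY_WATCHLIST = {"miami", "los angeles"}


def normalize(text):
    """Lowercase, drop punctuation and expand abbreviations so formatting alone never differs."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


def same_address(a, b):
    """Compare street, city and the first five ZIP digits after normalization."""
    return (normalize(a["street"]) == normalize(b["street"])
            and normalize(a["city"]) == normalize(b["city"])
            and a["zip"].strip()[:5] == b["zip"].strip()[:5])


def review_flags(order):
    """Return the reasons an order should be held for manual review (empty list = none)."""
    flags = []
    # Hypothetical normalized AVS result; real processors return their own response codes.
    avs = order["avs"]
    if not (avs["street_match"] and avs["zip_match"]):
        flags.append("avs_mismatch")
    if not same_address(order["billing"], order["shipping"]):
        flags.append("ship_to_differs_from_billing")
        # Only flag the city when the goods are not going to the billing address.
        if normalize(order["shipping"]["city"]) in PORT_CITY_WATCHLIST:
            flags.append("ship_to_port_city")
    return flags


# Constructed sample orders (not real data).
BILLING = {"street": "12 Elm St., Apt 4", "city": "Dayton", "zip": "45402-1234"}
ORDERS = [
    {"id": "A1", "avs": {"street_match": True, "zip_match": True}, "billing": BILLING,
     "shipping": {"street": "12 elm street apartment 4", "city": "DAYTON", "zip": "45402"}},
    {"id": "A2", "avs": {"street_match": False, "zip_match": True}, "billing": BILLING,
     "shipping": {"street": "9900 NW 25th St", "city": "Miami", "zip": "33172"}},
]

for order in ORDERS:
    print(order["id"], review_flags(order) or "no flags")
```

Order A1 shows why normalization matters: the shipping address is typed differently from the billing address but is the same place, so it raises no flag.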
PCI compliance – a set of credit card processing security standards – is another area of confusion for small business owners accepting online payments.
The PCI Data Security Standard (PCI DSS) is a cross-industry effort to protect payment security. It says that even though the customer isn’t standing in front of you, you’re still required to protect their credit information. Businesses rely on their credit card processor to handle PCI compliance – but just because a digital service provider offers payment processing doesn’t mean it’s PCI-compliant.
If customer data is compromised during credit card processing, it’s your fault. It’s not acceptable to say you didn’t know your provider wasn’t compliant. That means it’s crucial for small businesses to ensure their credit card processor meets all current PCI requirements for credit card transactions.
“Most providers offer some level of security, but it is up to the business owner to do their homework and ensure the payment service provider has met the minimum standards of the PCI requirements,” said Don Bush, senior VP of marketing for Neuro-ID, a fraud prevention and consumer experience technology provider.
And if they don’t meet the standards?
“Change service providers,” Bush said.
Cybersecurity is particularly important for e-commerce businesses that rely on uptime and a reputation for security that helps customers feel safe shopping with them.
Ensure your e-commerce website has an SSL certificate, a digital certificate that authenticates its identity and allows encrypted connections. Do everything you can to prevent and avoid network security threats. Set up a firewall and intrusion-detection systems, and update your platform when necessary.
Provide everyone on your team with the tools and training to recognize signs of fraud and respond immediately. When everyone on your staff understands secure payment practices, they can spot fraudulent activity while it’s in process and prevent further incidents.
Accepting payments online can vastly expand your universe of potential customers, but it comes with credit card security risks that could lead to data breaches, lost revenue, fines, and even having your credit card acceptance privileges revoked.
These are some potential consequences of not following PCI DSS guidelines:
If you already accept credit card payments at your store or office, you may feel confident that you have a good understanding of the PCI compliance standards that govern merchant credit card and debit card activities. But there’s a crucial difference between accepting a card when the customer is present and accepting a card for online purchases.
“With purchases made online, the retailer is 100% liable for fraudulent purchases,” said Bush. “Neither the bank that approved the transaction nor the payment-processing service that reviewed the transaction are held responsible for fraudulent purchases. It’s all on the merchant. That means if your company accepts a bad or stolen credit or debit card, the total liability of the loss is yours.”
What’s the worst that could happen if a business doesn’t follow the PCI DSS guidelines for processing online or over-the-phone credit card purchases? You could lose more than just the revenue from the sale or payment, Bush said. Your business could also lose any shipping costs you’ve incurred and receive fines, similar to the fines that banks charge for bounced checks.
“If you get too many of them, you could lose the ability to take credit or debit cards online,” Bush warned. “That essentially closes your online store.”
The best credit card processors meet all current PCI requirements and serve your business with fast payments, reasonable fees, and excellent customer service. They also facilitate online and in-person purchases. Here are a few of our best picks:
The internet helps businesses build broad customer networks. But card-not-present transactions can increase the risk of fraud and associated penalties. Protect your business by selecting a reputable payment processor and doing everything you can to ensure purchases are legitimate.
Alex Halperin contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.