- Online businesses can boost sales and increase customer convenience by accepting credit card payments.
- Online retailers can mitigate the risks of accepting credit card payments by verifying purchaser identities and ensuring their service is PCI-compliant.
- Declined charges and penalties can ensue when retailers ignore credit card acceptance guidelines and best practices.
- This article is for entrepreneurs and small business owners considering accepting credit card payments.
Accepting credit card payments online is an excellent way for small businesses to streamline sales and attract customers. However, safeguarding your business and customers is critical, and so is mitigating common risks and types of fraud that proliferate online.
We’ll explore expert tips and advice about small business credit card processing online and what business owners should understand about card-not-present payments.
Credit card processors also facilitate other payment options to increase customer convenience, including mobile wallet payments via Apple Pay, Samsung Pay and Google Pay.
Tips for accepting online card-not-present payments
Card-not-present payments, such as online payments and credit card payments accepted over the phone, are less secure than accepting a card physically at a retail location. Here are five tips to reduce the risks associated with these transactions.
1. Verify billing addresses.
Want to ensure the person trying to purchase something remotely is the authorized account holder? A straightforward way to check is to ask that person to verify the account’s billing address.
“For mail order or telephone order card-not-present transactions, always use address verification or [the] Address Verification Service,” said Joe Palko, an e-commerce consultant with Your Store Wizards.
The AVS fraud prevention system is an excellent way to ensure the online purchaser or the person on the phone is the cardholder because people who try to commit payment fraud with stolen credit cards often don’t know the billing address.
2. Confirm that the shipping and billing addresses match.
If your business ships goods to buyers who have paid with a credit card online or over the phone, check the shipping address and the billing address.
“If you are shipping an order for a card-not-present transaction, always look at the shipping address,” Palko advised. “An abnormally large percentage of fraudulent transactions are shipped to addresses that are different from the billing address.”
Additionally, Palko said to pay special attention to shipping addresses in cities known for busy international shipping ports.
“Watch for addresses in Miami or Los Angeles,” he said. “These are major port cities where shipping consolidators will export the products overseas.”
Small businesses that sell products online must also understand and comply with e-commerce sales tax regulations.
3. Research your credit card processor’s PCI compliance.
PCI compliance – adherence to a set of credit card processing security standards – is another area of confusion for small business owners accepting online payments.
The PCI Data Security Standard (PCI DSS) is a cross-industry effort to protect payment security. It says that even though the customer isn’t standing in front of you, you’re still required to protect their credit information. Businesses rely on their credit card processor to handle PCI compliance – but just because a digital service provider offers payment processing doesn’t mean it’s PCI-compliant.
If customer data is compromised during credit card processing, it’s your fault. It’s not acceptable to say you didn’t know your provider wasn’t compliant. That means it’s crucial for small businesses to ensure their credit card processor meets all current PCI requirements for credit card transactions.
“Most providers offer some level of security, but it is up to the business owner to do their homework and ensure the payment service provider has met the minimum standards of the PCI requirements,” said Don Bush, senior VP of marketing for Neuro-ID, a fraud prevention and consumer experience technology provider.
And if they don’t meet the standards?
“Change service providers,” Bush said.
4. Take security precautions with your e-commerce website.
Cybersecurity is particularly important for e-commerce businesses that rely on uptime and a reputation for security that helps customers feel safe shopping with them.
Ensure your e-commerce website has an SSL certificate, a digital certificate that authenticates its identity and allows encrypted connections. Do everything you can to prevent network security threats. Set up a firewall and intrusion-detection systems, and update your platform when necessary.
5. Train your staff to watch for signs of fraud.
Provide everyone on your team with the tools and training to recognize signs of fraud and respond immediately. When everyone on your staff understands secure payment practices, they can spot fraudulent activity while it's in progress and prevent further incidents.
The popularity of digital payments has led to talk of a cashless society, but most businesses will continue accepting cash to accommodate customers without access to credit and traditional banking.
Potential consequences of not following PCI DSS guidelines
Accepting payments online can vastly expand your universe of potential customers, but it comes with credit card security risks that could lead to data breaches, lost revenue, fines, and even having your credit card acceptance privileges revoked.
These are some potential consequences of not following PCI DSS guidelines:
1. The retailer is fully liable for fraudulent online purchases.
If you already accept credit card payments at your store or office, you may feel confident that you have a good understanding of the PCI compliance standards that govern merchant credit card and debit card activities. But there’s a crucial difference between accepting a card when the customer is present and accepting a card for online purchases.
“With purchases made online, the retailer is 100% liable for fraudulent purchases,” said Bush. “Neither the bank that approved the transaction nor the payment-processing service that reviewed the transaction are held responsible for fraudulent purchases. It’s all on the merchant. That means if your company accepts a bad or stolen credit or debit card, the total liability of the loss is yours.”
2. Retailers face fines and could lose credit card acceptance privileges.
What’s the worst that could happen if a business doesn’t follow the PCI DSS guidelines for processing online or over-the-phone credit card purchases? You could lose more than just the revenue from the sale or payment, Bush said. Your business could also lose any shipping costs you’ve incurred and receive fines, similar to the fines that banks charge for bounced checks.
“If you get too many of them, you could lose the ability to take credit or debit cards online,” Bush warned. “That essentially closes your online store.”
Choose your credit card processor wisely
The best credit card processors meet all current PCI requirements and serve your business with fast payments, reasonable fees, and excellent customer service. They also facilitate online and in-person purchases. Here are a few of our best picks:
- Helcim is our top credit card processor choice for established small businesses, offering transparent rates and a price-lock guarantee for the life of your account. To learn more, read our in-depth review of Helcim.
- Square is our top credit card processor choice for small and growing businesses because it allows you to add features and integrations as your business scales. Read our Square review to learn more.
- Clover is our top credit card processor choice for new businesses, offering flat-rate pricing, month-to-month contracts, and affordable POS software and hardware. Read our full Clover review for more information.
Be smart when accepting online payments
The internet helps businesses build broad customer networks. But card-not-present transactions can increase the risk of fraud and associated penalties. Protect your business by selecting a reputable payment processor and doing everything you can to ensure purchases are legitimate.
Alex Halperin contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.