6 Best Practices for Fighting Online Retail Fraud


As customers shift from shopping in-store to shopping online, retailers are faced not only with providing a great online experience but also with ensuring that every step of that experience is safe and secure for their customers. With the growing ecommerce presence, it is becoming more and more important that online retailers protect customers from fraud.

For online retailers, fraud prevention today is largely a fraud detection problem. EMV chip cards have made counterfeit card-present fraud much harder, so criminals are moving to card-not-present transactions, which to a large degree means online transactions. To protect themselves from fraudulent transactions, e-retailers now need systems that automatically detect and respond to a fraudulent event, without any human intervention. The challenge lies in striking a balance: enough security, but not so much that legitimate customers are blocked. The customer experience suffers when fraud prevention systems are applied too rigidly.

Luckily, the latest tools and techniques can help retail security leaders enhance their fraud capabilities while still delivering a frictionless customer experience. Online platforms have become more sophisticated through the use of fraud prevention tools, intrusion detection systems and web application firewalls. How can retailers best combat the bad actors trying to get into online experiences? Here are six practices retailers can adopt now to prevent online fraud.

1. Event Correlation is Key

To detect fraud, retailers should use software that monitors multiple attributes of each online transaction (IP geolocation, device, account history, velocity) and feeds them to a decision engine that decides whether the transaction is fraudulent. Combining several individually weak signals into one decision is called event correlation. Here is how it makes a difference: suppose the system sees a transaction from a customer whose account address is Austin, Texas, but the request comes from an IP address geolocated to Alaska. On its own that is a weak signal; the customer may simply be travelling, and IP geolocation is imprecise. But if the same account made another transaction from Texas only one hour earlier, nobody could have covered that distance in the time available. Now the engine has sufficient evidence to hold or decline the transaction as fraudulent, and the customer can be notified immediately.
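The scenario above, worked through as an added example (this code is not from the article or its author): a small correlation engine keeps recent events per account, treats "far from the home address" as a weak signal, and treats an implied travel speed that no traveller could achieve as a strong one. The 900 km/h speed limit, the 500 km home radius, the 24-hour lookback, the account names and the coordinates are all assumptions chosen for illustration.

```python
"""Event correlation for card-not-present transactions (constructed example).

Assumptions, not from the page: a 900 km/h "impossible travel" threshold,
a 24-hour lookback window, a 500 km "far from home" radius, and the
coordinates and account names used for the sample events.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: faster than an airliner is impossible travel
FAR_FROM_HOME_KM = 500.0          # assumption: weak signal on its own
LOOKBACK = timedelta(hours=24)    # assumption: how far back prior events are correlated


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    lat: float     # latitude from IP geolocation of the request
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


class CorrelationEngine:
    """Keeps recent events per account and scores each new one against them."""

    def __init__(self) -> None:
        self.home: dict[str, tuple[float, float]] = {}
        self.history: dict[str, list[Event]] = defaultdict(list)

    def register_home(self, account: str, lat: float, lon: float) -> None:
        self.home[account] = (lat, lon)

    def evaluate(self, ev: Event) -> tuple[str, list[str]]:
        """Return (decision, reasons); decision is allow, step_up or decline."""
        reasons: list[str] = []

        # Weak signal: the request geolocates far from the account's home address.
        home = self.home.get(ev.account)
        if home and haversine_km(home[0], home[1], ev.lat, ev.lon) > FAR_FROM_HOME_KM:
            reasons.append("far_from_home")

        # Strong signal: correlate with prior events. If the speed implied by the
        # distance and time since a previous event is not humanly possible, the
        # two events cannot both be the legitimate customer.
        recent = [e for e in self.history[ev.account] if timedelta(0) <= ev.ts - e.ts <= LOOKBACK]
        self.history[ev.account] = recent            # drop events outside the window
        for prior in recent:
            hours = max((ev.ts - prior.ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
            speed = haversine_km(prior.lat, prior.lon, ev.lat, ev.lon) / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append(f"impossible_travel:{speed:.0f}km/h")
                break

        self.history[ev.account].append(ev)

        if any(r.startswith("impossible_travel") for r in reasons):
            return "decline", reasons      # hold the order and notify the customer
        if reasons:
            return "step_up", reasons      # e.g. one-time code to the customer's phone
        return "allow", reasons


AUSTIN = (30.2672, -97.7431)       # constructed sample coordinates
ANCHORAGE = (61.2181, -149.9003)


def run_demo() -> list[tuple[str, list[str]]]:
    """Replay the scenario from the text: a Texas purchase, then Alaska an hour later."""
    engine = CorrelationEngine()
    engine.register_home("alice", *AUSTIN)
    engine.register_home("bob", *AUSTIN)
    t0 = datetime(2024, 3, 1, 10, 0)
    events = [
        Event("alice", t0, *AUSTIN, 42.50),                          # at home, no prior: allow
        Event("alice", t0 + timedelta(hours=1), *ANCHORAGE, 899.0),  # ~5,000 km in 1 h: decline
        Event("bob", t0, *ANCHORAGE, 120.0),                         # far from home, nothing to correlate: step up
    ]
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
```

The point of the three outcomes is the one the paragraph makes: the Alaska location alone only earns a step-up challenge, and it is the correlation with the Texas event an hour earlier that turns it into a decline. In a real deployment the geolocation lookup, the thresholds and the notification would come from the fraud platform rather than constants in the code.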

2. Start Watching for Social Engineering Fraud.

One of the newer tactics is social engineering, where criminals talk their way past controls rather than breaking them, and gain access to the platform. If fraudsters can get an employee in a call center, for example, to register them as a store or grant them store privileges on the system, they have a direct line into committing fraud. Unfortunately, few technological controls can fully compensate for social engineering, although least privilege and out-of-band verification (a callback or a second approver) before any privilege change do limit the damage a single persuaded employee can cause. Beyond that, merchants need a solid policy in place, employees trained to comply with it at all times, and staff who are expected to recognize and report suspicious requests.

3. Both In-Store and Online Retailers Have to Fight Returns Fraud

In-store and online retail purchasing channels differ significantly: in-store purchases can be verified by EMV chip terminals, whereas online channels are exposed to card-not-present fraud. One big commonality they do share, however, is returns. Retailers need strong anti-fraud programs in place for returns, whether the original sale was in-store or online. The system should track every return and look for patterns that could indicate fraud, such as a high number of returns from one customer, an employee who processes an unusual number of returns compared with peers, or a high proportion of returns without receipts.
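The three patterns named above, checked over a constructed batch of return records as an added example (not code from the article or a real returns system). The thresholds (five returns per customer in 30 days, an employee above three times the median peer volume, more than half of an employee's returns without a receipt) and the sample records are assumptions for illustration; a real program would tune them from its own baseline.

```python
"""Returns-fraud pattern detection over a constructed set of return records.

Thresholds and sample data are assumptions for illustration, not figures
from the page.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(days=30)
CUSTOMER_RETURNS_MAX = 5          # assumption: returns per customer in the window
EMPLOYEE_VOLUME_MULTIPLIER = 3.0  # assumption: relative to the median of peers
NO_RECEIPT_SHARE_MAX = 0.5        # assumption: share of an employee's returns with no receipt
MIN_RETURNS_FOR_RATE = 5          # ignore rates computed from tiny samples


@dataclass(frozen=True)
class ReturnRecord:
    customer: str
    employee: str      # clerk who processed it, or "online" for self-service returns
    ts: datetime
    amount: float
    has_receipt: bool
    channel: str       # "store" or "online"


def find_return_fraud_signals(records: list[ReturnRecord], now: datetime) -> list[tuple[str, str, float]]:
    """Return (pattern, subject, value) alerts for the three patterns in the text."""
    recent = [r for r in records if now - WINDOW <= r.ts <= now]
    alerts: list[tuple[str, str, float]] = []

    # Pattern 1: one customer returning far more than normal.
    for cust, n in Counter(r.customer for r in recent).items():
        if n >= CUSTOMER_RETURNS_MAX:
            alerts.append(("customer_velocity", cust, n))

    # Pattern 2: a store employee processing an unusual volume relative to peers.
    per_employee = Counter(r.employee for r in recent if r.channel == "store")
    if len(per_employee) >= 3:                      # need peers to compare against
        baseline = median(per_employee.values())
        for emp, n in per_employee.items():
            if n > EMPLOYEE_VOLUME_MULTIPLIER * baseline:
                alerts.append(("employee_volume", emp, n))

    # Pattern 3: a high share of no-receipt returns under one employee.
    totals: dict[str, list[int]] = defaultdict(lambda: [0, 0])   # emp -> [no_receipt, total]
    for r in recent:
        totals[r.employee][1] += 1
        if not r.has_receipt:
            totals[r.employee][0] += 1
    for emp, (no_receipt, total) in totals.items():
        if total >= MIN_RETURNS_FOR_RATE and no_receipt / total > NO_RECEIPT_SHARE_MAX:
            alerts.append(("no_receipt_share", emp, round(no_receipt / total, 2)))
    return alerts


def build_sample(now: datetime) -> list[ReturnRecord]:
    """Constructed records: three ordinary clerks, one outlier clerk, one serial returner."""
    recs: list[ReturnRecord] = []

    def add(customer, employee, days_ago, amount, receipt, channel="store"):
        recs.append(ReturnRecord(customer, employee, now - timedelta(days=days_ago), amount, receipt, channel))

    for emp, n in (("emp_01", 4), ("emp_02", 3), ("emp_03", 4)):   # normal volume, all receipted
        for i in range(n):
            add(f"cust_{emp}_{i}", emp, i + 1, 40.0, True)
    for i in range(14):                           # emp_04: 14 returns, the first 9 with no receipt
        add(f"cust_x{i}", "emp_04", i + 1, 60.0, i >= 9)
    for i in range(6):                            # one online customer, 6 returns in 16 days
        add("cust_777", "online", 3 * i + 1, 120.0, True, channel="online")
    add("cust_777", "online", 45, 99.0, True, channel="online")   # outside the window, ignored
    return recs


if __name__ == "__main__":
    now = datetime(2024, 1, 31)
    for alert in find_return_fraud_signals(build_sample(now), now):
        print(alert)
```

Comparing an employee against the median of peers rather than a fixed count is deliberate: return volume varies by store size and season, and a fixed number either floods the queue or misses the outlier. The same goes for requiring a minimum sample before a no-receipt rate is trusted.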

4. PCI Compliance Remains the Gold Standard

Retailers face a number of challenges in achieving and maintaining PCI DSS compliance. For ecommerce platforms, Requirement 6.5, which covers addressing common coding vulnerabilities (injection flaws, broken authentication and session management, cross-site scripting and the like) in the development process, is especially important. Developing a secure web application takes discipline, knowledge and skill, plus the time to do the job right in the first place. Once you have built a secure site, verify it by meeting Requirement 11.2: run internal and external vulnerability scans at least quarterly and after any significant change, with the external scans performed by an Approved Scanning Vendor. Bear in mind that a clean scan shows the absence of known, scanner-detectable weaknesses, not that the application is free of logic flaws.

5. Engage Your Customers and Employees in Fighting Fraud.

When it comes to gaining fraud prevention support from employees and even customers, the message needs to be that fraud has an impact on us all. This includes the higher prices that merchants must charge for their products in order to absorb the costs of fraud. It also includes the inconveniences we encounter when anti-fraud systems decline our legitimate transactions because something in the transaction triggers an alert. Customer and employee support is very important and must be handled correctly to balance the customer experience with needed anti-fraud mechanisms. It begins by educating customers and employees as to the reasons for different fraud prevention mechanisms. Once people understand why these are needed, they become more palatable and the overall retail experience improves.

6. Spend the Right Amount on Security

While there are some regulatory requirements that need to be met, much of the retailer’s security budget is going to revolve around a Return on Investment calculation. A balance must be struck between how much you spend on security and how much this investment will return to the company by preventing fraud. It would not be reasonable, for example, to spend a million dollars on a fraud program that will save a thousand dollars a month – you would never recoup your investment. The CFO, then, must work with the CISO to determine the correct balance for protecting your organization from fraud while also safeguarding the customer experience.


About Denis Brooker (VP Information Security)