A big deadline is rapidly approaching in the credit card industry. Starting October 1st, 2015, most merchants are required to accept chip cards. These cards, which are sometimes referred to as “chip and pin”, have a special chip in them that allows the card reader to determine if the card is authentic. This chip is extremely difficult to counterfeit, making it a lot more secure than the traditional magnetic swipe. If you don’t process chip cards properly, you could be held responsible for fraudulent charges.
What has been a little lost in the coverage of this transition is what the changes mean for e-commerce or online retailers. I did some research and reached out to my payment gateway, Braintree, to get some answers. Most e-commerce and online transactions are considered “card not present” transactions. Those types of transactions are not affected by the new rules. That doesn’t mean that these types of transactions are in the clear, though.
People trying to commit credit card fraud are going to do it the easiest way possible. As the adoption of EMV chip cards increases, more fraud is going to shift to e-commerce and online transactions. Online transactions are going to become the least secure method because of the limited ways that a merchant can verify that a charge is valid. Address verification and security codes (CVV) don’t provide as much security as physically scanning the chip in a credit card. Fraudsters can obtain address information easily, and they can even get their hands on security codes. You are going to want to be extra vigilant when it comes to credit card transaction security in the coming months.
What Can You Do?
Address Verification And CVV
Even though address verification and CVV are not the most fraud-proof methods of verification, they are better than nothing. You want to be sure that they are part of your process for all online transactions.
Being proactive is your best defense. PCI compliance, or PCI DSS (which stands for Payment Card Industry Data Security Standard), is a set of standards that all merchants who accept credit cards must follow. Reviewing these requirements and making sure that you are in compliance will help you to be more secure and minimize your risk if someone commits fraud on your site.
Review Your Site
Go through your site from the perspective of a customer. Make sure that your payment process, and your site in general, make sense, are secure, and give a sense of security to buyers. Over time, software updates to your platform and changes to things that seem unrelated to payments can cause the payment process to change unexpectedly. Going through the process as a customer on a regular basis will help you to make sure everything is working properly and that no security flaws have snuck in.
Know What Data You Are Collecting
Collecting sensitive data like credit card numbers can open you up to a lot of risk. Don’t do it. There isn’t any reason to. You want to have your payment gateway collect the sensitive credit card data. They specialize in collecting that data and making sure their systems are secure. The best way to do this is to send the customer to a page at your payment gateway when it is time to collect credit card information. The customer will enter the information directly in the payment gateway, and when they finish they will be taken back to your site. This process is user-friendly and reduces your risk significantly. If the page where credit card information is collected is on your own website, you are responsible for a much higher level of PCI compliance. If fraud happens on your site and you are found not to be PCI compliant, you will potentially be liable for the fraud and may be fined or penalized. It isn’t worth it. Use the pay page on your payment gateway.
The good news is that the rollout of EMV chip cards isn’t changing anything for online credit card transactions. All this buzz is just a good reminder to keep an eye on the security of your site and be vigilant for any signs of fraud. If fraud does shift more to online transactions, you can bet that new rules and procedures will come out for online transactions in an effort to reduce fraud. As merchants, let’s be proactive in preventing fraud so we can avoid having more rules and hoops to jump through.