Consumers, retailers, payment processors work together to reduce fraud and enhance security in this holiday shopping season
Thanksgiving in the United States has already come and gone, and we’ve dived headlong into the heart of shopping season. And the season doesn’t stop at the end of December; the shopping frenzy will continue – globally – through February 14 of next year. Many forecasts from research and retail organizations (see some links below) predict retail sales will rise around three percent when compared to the previous year, but the biggest gains will be made in online and mobile commerce. According to Adobe Systems, Black Friday online retail sales in the US were up 21.6 percent this year, while sales via mobile devices were up 33 percent.
More than other times of the year, fraud and security are on the minds of both consumers and the entities involved with settling the transactions, including retailers, banks and payment processors. Payment data, such as credit card or debit card numbers, can be stolen in large quantities and monetized quickly and profitably. This is primarily why financial and personal data remain a prime target for hackers. While there are existing security best practices and safeguards to protect consumers from fraud, it takes both the consumers and the settlement entities to work together to successfully reduce payment fraud.
Here are some tips for consumers on how to keep your data safe in the era of cyber shopping. Some additional tips for both in-person and online shopping experiences:
- For in-person shopping, use your smart payment cards, also known as chip-and-PIN cards. These cards have been proven to reduce counterfeiting. The chip embedded in the card makes the transaction more secure by encrypting information when completing a transaction at a chip-enabled payment terminal. It has been available in most of the rest of the world and is now (finally!) available in the U.S.
- When shopping online, look for reputable payment processing partners like PayPal, Authorize.Net, and for SSL certificates like Verisign, or accredited by the Better Business Bureau. Whenever you enter payment information online, there should be a lock symbol by the browser’s URL.
- If you are a first-time buyer on an online store and you are not sure whether they have solid security practices, make your purchase as a guest instead of creating an account if there’s an option. This way, your personal and payment data will not be stored.
- Another way to assess whether the online store has sound security practices is to see whether it has published security and privacy policies on the website. A reputable online merchant will communicate such policies publicly. It’s a good way to learn more about the company.
- Keep good records – always check purchases against credit card or bank statements. Report discrepancies immediately to your bank. If you use credit cards, your liability is limited. In some cases, banks will refund the entire purchase.
As the consumers’ partners-in-anti-crime, the retailers, banks and payment processors are the other side of the coin in fighting fraud. Here are some best practices for IT departments to secure their apps and consumer data against fraud:
- For retailers, when completing a transaction, use payment terminals from reputable vendors that are secure and support end-to-end (or point-to-point) encryption, including Ingenico, Vantiv and Heartland. End-to-end encryption means payment data is encrypted immediately when you enter your card number, and that the data remains encrypted as it is transmitted to the processing system. Other acceptable data anonymizing methods include masking and tokenization.
- Don’t keep the data in your payment terminals or on mobile devices that accept credit cards via a dongle, or in any of the apps in your data centers if you can help it. Transmit the payment data directly to the bank or global payment processor to settle the charge. But if you have to store personal or payment data in your IT system, make sure that data is encrypted, masked or tokenized, and that the application is segmented from other applications.
- For banks and payment processors that have to keep the payment data for settlement purposes, purge the transactions from the database as soon as you no longer need them. Unless the transactions are recurring for subscription services, get rid of payment data after the normal length of time that banks allow for processing chargebacks (in the U.S., generally 18 months). For storage, always make sure the data is anonymized and that the database is separated from other apps that are vulnerable to malware, like web apps.
- Maintain Payment Card Industry Security Standards Council (PCI-DSS) compliance for starters, but keep updated on all security best practices. Perform constant penetration testing against the system. Bring on board reputable security assessors to check out your systems. Don’t forget to train your employees to observe security practices, as well as ensure physical offices and stores are designed to discourage insider threats.
Only together can consumers and settlement entities reduce fraud and enhance security in a meaningful way. Start now and don’t stop fighting the good fight! Happy shopping!
For more on retail forecasts:
- Read PwC’s forecast for 2016 holiday shopping season in the U.S.
- Read eMarketer’s forecast for 2016 shopping season in the U.K
- Read the US online retail and mobile sales figures for Black Friday 2016
Follow YuTing Huang on Twitter
Follow Citrix Solutions for Financial Service and Insurance on Twitter