6 best practices for securing your eCommerce website

Editorial Team


Your eCommerce website is open 24/7, 365 days a year. That’s why you chose to do business online: so you could make sales at any time, on any day. The unfortunate truth is that eCommerce fraud is also a round-the-clock operation. Cybercriminals actively scope out websites, checkout forms, and payment pages, looking for vulnerabilities that give them access to what they want: valid credit card numbers and free merchandise.

How eCommerce fraud happens

When customers pay for goods or services on your website, they are making a card-not-present (CNP) purchase, which means you – the merchant – were not presented with a physical credit card by the cardholder. You have to trust that the person authorizing the transaction is the cardholder. That’s why CNP transactions are susceptible to being fraudulent, as they’re basically “anonymous.”

Although there are many types of eCommerce fraud, and new methods emerging all the time, two of the most common fraud types are:

  • Stolen Credit Card Usage: Cybercriminals use stolen credit card numbers to make large ticket purchases. The goods are sent to reshippers in an attempt to collect the stolen merchandise.
  • Card Testing: Cybercriminals run transactions for small amounts, such as $.01, on eCommerce checkout forms to see if account numbers are still valid. They could potentially test thousands of cards on your account, resulting in an abundance of unnecessary transaction fees. This is known as a velocity attack.

According to the True Cost of Fraud Study from LexisNexis Risk Solutions, every $1 of fraud loss actually costs a company $3.13. [1] This is partially due to transaction fees, chargeback fees, losses from goods, and declined sales due to decreased customer confidence. Small businesses that become victims of cyberattacks rarely bounce back from the damage. In fact, 60 percent of small to midsized businesses close their doors within six months of being hacked. [2]

What you can do to minimize eCommerce fraud

To help reduce your website’s fraud risk, here are six eCommerce fraud prevention best practices to follow.

1. Enable fraud protection tools

Depending on the payment gateway you use to accept online transactions, you may have access to fraud protection tools. Some may be free, but even if there is a monthly charge associated with them, it’ll be worth it in the long run to pay a minimal monthly cost upfront rather than potentially tens of thousands of dollars down the road in fees and damages.

At a minimum, these filters should be enabled to allow you to reduce fraudulent attempts and collect as much information as you can:

  • Velocity filter – prevent card runners from testing cards on your accounts
  • Card Verification Value (CVV) filter – require customers to enter the 3- or 4-digit code on the back of the card (on the front for American Express)
  • Address Verification filter – verify that the billing address and zip code provided during the transaction match what the issuing bank has on file
  • Unmatched Refunds filter – stop refunds from going back to cards that didn’t have the original sales charged to them

2. Pair CAPTCHA with hosted payment form

When customers check out on your website, they are asked to identify a combination of distorted letters and/or numbers, or to classify pictures, before they can complete the transaction. This is known as CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart. Pairing this method with your hosted payment form provides an extra layer of security that helps reduce your risk of counterfeit transactions and helps keep bots from infiltrating your website.

3. Maintain PCI compliance

Any merchant storing, processing, transmitting, or affecting credit or debit card information must adhere to and comply annually with the standards set forth by the Payment Card Industry Security Standards Council (PCI SSC). These standards were established to help ensure the security of customers’ credit card data within merchants’ payment environments, including eCommerce websites. Regardless of your accepted payment methods, PCI compliance is an ongoing process for every business that accepts credit and debit cards.

4. Keep platforms and software up-to-date

Cybercriminals use tools to detect sites with unpatched applications. By keeping your website and backend software updated with the latest security patches, you reduce the risk of exposing vulnerabilities to potential hackers. Additionally, install and regularly update anti-malware and anti-spyware software developed for businesses. Free antivirus software isn’t enough protection to keep your systems from being exploited.

5. Monitor transactions and reconcile accounts daily

It’s not enough to only review your transactions and accounts on a weekly basis. You may check on Friday and by Monday something’s gone awry. Fraud happens daily, and that’s why you need to look for suspicious transactions, such as small amounts or mismatched shipping and billing information. Staying on top of this and notifying your merchant services account provider and bank as soon as you notice something out of the ordinary will help minimize any potential damages.
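The daily review described above can be partly automated. The sketch below is an added example, not code from this article or from any payment gateway: it flags bursts of small charges from one source (the card-testing pattern a velocity filter targets) and orders whose billing and shipping ZIP codes differ. The record layout, thresholds, and sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of one day's transactions; the columns are assumptions,
# not a real gateway export format.
# (id, time, source IP, amount, billing ZIP, shipping ZIP)
ROWS = [
    ("t1", "2024-03-01T02:00:05", "203.0.113.7", 0.01, "30301", "30301"),
    ("t2", "2024-03-01T02:00:40", "203.0.113.7", 0.01, "10001", "10001"),
    ("t3", "2024-03-01T02:01:10", "203.0.113.7", 0.01, "60601", "60601"),
    ("t4", "2024-03-01T02:01:55", "203.0.113.7", 0.01, "94105", "94105"),
    ("t5", "2024-03-01T09:15:00", "198.51.100.20", 42.50, "30301", "30301"),
    ("t6", "2024-03-01T11:30:00", "198.51.100.31", 899.00, "30301", "07302"),
    ("t7", "2024-03-01T14:00:00", "198.51.100.44", 0.99, "73301", "73301"),
]

SMALL_AMOUNT = 1.00             # assumed ceiling for a "small" test charge
WINDOW = timedelta(minutes=5)   # assumed velocity window
MAX_SMALL_PER_WINDOW = 3        # assumed limit of small charges per source

BURST = "card-testing burst"
MISMATCH = "billing/shipping mismatch"

def review(rows):
    """Return {transaction id: [reasons]} for transactions needing a manual look."""
    flags = defaultdict(list)
    recent = defaultdict(deque)   # source IP -> (time, id) of small charges in WINDOW
    for tid, ts, ip, amount, bill_zip, ship_zip in sorted(rows, key=lambda r: r[1]):
        when = datetime.fromisoformat(ts)
        if amount <= SMALL_AMOUNT:
            window = recent[ip]
            window.append((when, tid))
            while when - window[0][0] > WINDOW:   # drop attempts older than WINDOW
                window.popleft()
            if len(window) > MAX_SMALL_PER_WINDOW:
                for _, seen in window:            # flag the whole burst, not only the last hit
                    if BURST not in flags[seen]:
                        flags[seen].append(BURST)
        if bill_zip != ship_zip:                  # may be a gift order: review, don't auto-block
            flags[tid].append(MISMATCH)
    return dict(flags)

if __name__ == "__main__":
    for tid, reasons in review(ROWS).items():
        print(tid, ", ".join(reasons))
```

A single small charge (t7) is not flagged on its own; only the repeated pattern is, which keeps the review list short enough to act on each day.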

6. Stay educated on the latest fraud tactics

It’s easier to combat fraud when you know what you’re up against. Cybercriminals are always searching for new ways to thwart technology and invade your payment environment. They’ll even go so far as to hack into a smart appliance, like a refrigerator, to obtain any personal details or account information that will allow them to make money or gain something for free at your expense. Stay on top of the latest news by subscribing to industry journals, e-newsletters, or blogs.

If you need help securely accepting payments for your online business, schedule a free consultation with our merchant services team today.

1 “Study Preview Finds Cost of Fraud for E-Commerce Merchants Highest Ever,” CardNotPresent.com, 6 June 2019

2 “60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here’s How to Protect Yourself,” Inc., 7 May 2018
