Have $46,000 to spare? That’s the average total of direct and indirect costs of SMB businesses trying to recover from credit card fraud.
Typically, the hackers and scammers who specialize in credit card fraud use one of two tactics:
- Focusing an attack one large company, as when Target suffered a data breach involving 70 million credit and debit cards.
- Striking at multiple ATMs and small businesses, affecting thousands of people, one card at a time.
That second tactic is where your business potentially becomes a victim.
For solopreneurs or small-to-medium-sized business (SMB) owners who don’t have the financial cushion of larger corporations, recovery from credit card fraud can be financially devastating. The effects are long-ranging, from immediate recovery to trying to fix a damaged reputation.
Before we continue, it’s worth noting that not all fraud is criminal. Some of it is friendly fraud, caused by buyer’s remorse or forgetfulness. You can read more about friendly fraud and disputes here, and more about how to prevent friendly fraud here.
When it comes to fraud, an ounce of prevention is worth a pound of cure. That prevention can take several forms, and experts aren’t 100% agreed on which ones are the best. For example, EMV (chip) technology has, according to Visa, dropped the dollar amount of credit card fraud by 76 percent. On the other hand, some industry gurus think that chip technology simply shifted the problem from in-person transactions to card-not-present and new account transactions.
The one thing everyone is clear on is that as a business owner, you can’t rely on anyone else to protect you. You need to have a fraud prevention plan in place, and actively take steps to protect your business. Here’s how you can get started:
When you start looking into fraud prevention, it’s easy to get confused and overwhelmed immediately. The good news is that you don’t have to know everything there is to know about fraud right now. There are some simple things you can do to protect yourself immediately, starting with…
Additionally, be aware of social engineering and what a social engineering attack looks like, where someone might obtain credit card numbers through persuasion, or talk their way past security measures meant to prevent fraud. “Credit card fraud” isn’t as simple as someone using a stolen card any more — fraud prevention and security requires learning about, and planning for, for these other scenarios, too.
Your team is your first line of defense against online fraud. In addition to the realities of modern fraud that we’ve already discussed, your team members should be trained in:
- Who to contact in the event of a fraudulent purchase getting through, and what information to provide to them
- What the potential red flags are for a fraudulent purchase and how to spot them
- What specific decline codes mean (especially “Stolen Card”), and what your company does for each one (For more about how to lower decline rates, head here , and for more about transaction response codes, head here .)
- If applicable: how to use tech-related prevention tools like the ones we talk about in the second half of this post — blocklists, risk scoring, etc. — and what your company protocols are around each one
Customers may be leery about the information they share with you, so be selective in what you ask for. Many customers are also well-educated about the risks of divulging information to a caller and will not sign up for or purchase anything unless they initiate the transaction.
Make sure your business model supports customers in protecting themselves. You can do this by:
- Tell your customers how you’ll contact them, and what information you’ll ask for (for example, having a note on your customer service page that says “Our email address is email@example.com , and when we contact you via email, we’ll never ask you to send your credit card number via email”)
- Include a fraud-prevention note in your customer emails about what phishing is and what it looks like
- Encourage customers to create strong passwords for logins, if applicable for your business
- Make good use of dynamic descriptors (the descriptions that show up on a billing statement), which can remind customers who charged them (so they’re less likely to file a dispute and know who to contact if they want a refund)
There’s a wealth of material online to help customers report fraudulent businesses; make sure you know how to respond when your business is attacked by fraudulent customers. In the world of brick-and-mortar employment, there’s the idea of an emergency response plan — the idea being that this plan is already created, discussed with employees, and is posted where anyone can see it. Now, in the event of an emergency, everyone knows what to do and can proceed in an orderly fashion, instead of panicking and trying to create an emergency plan on the spot.
As an online business owner, you need a fraud response plan, even if you hope to never use it. For example, if you suspect a fraudulent transaction, you’ll want to alert:
- Your credit card processor
- The issuing bank
- Legal authorities, if applicable (police and/or a lawyer), depending on the laws around online business in your locality
You can also familiarize yourself with the rules card issuers have in place for handling fraudulent transactions, and the penalties for not processing fraudulent transactions. For example, if your payment gateway does not ask for the CVC code or zip code verification, your responsibility for credit card fraud increases.
The steps in the previous section can be done by anyone — regardless of what their subscription tech stack looks like. No matter who your payment gateway, merchant account provider, or subscription billing management tool is, you can do the tasks above.
This next section has some more specific steps. Depending on the details of how your subscription business is set up, you might not be able to customize things like blocklists, or use risk-scoring. However, it’s still worth learning about more advanced fraud prevention tips. That way, when you are on a subscription billing tool that has the below capabilities (if you’re looking for one, we have some ideas), you can take these additional steps to protect yourself.
Recognize normal behavior patterns so that you can spot behaviors that are out of the ordinary. Whether you collect customer data online or from in-person transactions, knowing your customers enables you to fine-tune your own risk scoring and your processing company’s fraud filters.
The way risk scoring works is by assigning a number value (the score) to a transaction based on a number of parameters (more on that in a minute). If the score is over a certain value (let’s say, 30), then the transaction is either automatically blocked or flagged for manual review by a team member.
The basic risk scoring parameters we suggest include:
- Transaction velocity (how many transactions from a single source you accept with a certain time period)
- Whether the issuing bank country matches the customer’s geographic location (someone with an IP address from the United States is attempting a purchase with payment information based in Brazil)
- Whether the billing address country matches the customer’s geographic location (someone with a billing address from the U.S. is attempting a purchase, but based on their IP, they’re in Brazil)
If you can, setting up blocklists is a great way to automate your fraud prevention. Blocklists are exactly what they sound like — if a would-be customer matches an item on the blocklist, they’re permanently barred from buying. Blocks can also be temporary, by setting up a TTL (Time to live) when configuring the blocklist.
Both types of lists can be matched with any number of identifying factors, including but not limited to:
- Device fingerprints
- Credit card numbers
- IP addresses
Whether something goes on a blocklist depends on what attribute it is you want to block, and why. If it’s a residential IP address (which changes frequently), you might want to do a 7-day block (which would mean putting the IP address on a blocklist with a TTL setup). On the other hand, if you have a credit card number that you know is stolen, to the blocklist it goes. To learn more about blocklists and how to use it to prevent chargebacks, head here.
2FA, or “two factor authentication,” relies on a second factor to verify a person’s identity. Example: a user logs in, enters their password, and is then sent a six-digit code via text message. They enter in the code to prove their identity, making it harder for someone to steal a password and log in (since the thief would need access to both the password and the phone to successfully log in).
You can make use of this in two ways:
- Setting up 2FA for you and your team, making it harder for someone to hack your store. (To read about how this works in Rebilly, head here .
- Setting up 2FA for customers, using something like Authy or Google Authenticator. That way, before customers can login and update payment or shipping information, there’s an extra step of identity verification.
3D Secure is an extra security step that you can take to shift your liability for certain chargebacks onto the issuing bank. You can read more about how to set it up at the following providers:
These steps don’t guarantee you won’t be a victim of fraud — but they can help prevent it. For more tips on fraud prevention and strengthening your security, check out these other posts:
- Stop Losing Money to Chargebacks — Here’s How
- How to Automate Your PCI Compliance
- How to Avoid the Most Common Subscription Business Struggles
- The Full Cost of Chargebacks (Infographic)
- Subscription Billing Challenges: Payment Processing
Want more tips on how to sort true fraud from “friendly” fraud, and increase your CLV as a result?
Our Retry Strategy guide teaches you exactly how to use data like decline codes and card types to increase successful charges and your customer lifetime value—to the tune of 43% or more. Get it for free below: