To minimise the risk of fraudulent transactions and data breaches, retailers must wise up to the danger signs in their data.
Fraudulent transactions and attacks that harvest payment and personal data pose serious threats to fashion retailers’ online operations.
Last week, Brazil World Cup sponsor Adidas was warned by hacker group Anonymous it could be attacked as part of a protest against the amount of money spent on the event, while last month footwear retailer Office was forced to notify some of its customers that their personal data had been compromised.
Although Office did not have customers’ payment details stolen, data thefts often focus on obtaining shoppers’ card details. With this information in the wrong hands, retailers across the UK battle daily against fraudulent attempts to purchase their products using stolen or false identities. Figures documenting the severity of these cyber crimes vary.
A report by PricewaterhouseCoopers, commissioned by the Department for Business, Innovation & Skills, found 81% of large companies had experienced a security breach (down from 86% in 2013), with the average cost of the worst breaches rising from between £450,000 and £850,000 in 2013 to between £600,000 and £1.15m this year.
Some 60% of small businesses were hit (down from 64%), with an accompanying cost in the worst cases rising from between £35,000 and £65,000 in 2013 to between £65,000 and £115,000 today.
The 2014 Payment Landscape survey by Sage Pay revealed 40% of businesses reported losing money through fraud, with the average loss amounting to more than £4,500. With the fear of fraud so high, 40% of large businesses were found to be simply voiding transactions immediately if they looked suspicious rather than undertaking further checks, meaning genuine customers could be lost.
A report by Financial Fraud Action UK found online fraud against UK retailers totalled an estimated £105.5m in 2013, a rise of 4% on the previous year.
The Sage Pay report noted: “Although it can be tempting to tighten security controls in the face of fraud, keep in mind that for every extra action a consumer is asked to make, you are prolonging their journey and increasing the risk they will drop out of the buying process.
“Experiencing no fraud may mean your controls are too tight and legitimate transactions are being rejected. However, too much fraud suggests controls are not tough enough. The key is finding the right balance.”
There are straightforward checks that can be run before a transaction is processed. Flag orders where the card is registered in a different country from the delivery address, orders placed late at night or early in the morning, and orders of unusually high quantity or value. Validate delivery addresses and treat PO boxes with particular suspicion, and use geo-location to check whether the shopper’s IP address is in a country the retailer deems high risk. Analysis of customer information and purchasing behaviour can be used to build profiles, so that an order which departs from a customer’s usual pattern raises a flag. None of these signals proves fraud on its own: a single flag should prompt further checks or manual review rather than an automatic void, for the reasons the Sage Pay report gives above.
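As an added example (not the article’s, Sage Pay’s or any retailer’s code), here are the checks above as a weighted rule set in Python, run over three constructed orders. The weights, value and quantity thresholds, the night-time window, the score bands and the high-risk country list (the ISO user-assigned code “ZZ” stands in for a real entry) are all assumptions to be tuned against a retailer’s own chargeback history; the point of the scoring is that one weak signal routes an order to review rather than voiding it outright.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# Assumed configuration. "ZZ" is an ISO 3166 user-assigned code, used here as a
# constructed placeholder for a retailer's own high-risk list.
HIGH_RISK_COUNTRIES = {"ZZ"}
NIGHT_HOURS = set(range(0, 6)) | {23}   # 23:00-05:59 retailer-local time, assumed window
HIGH_VALUE_GBP = 500.0                  # assumed threshold
HIGH_QUANTITY = 5                       # assumed threshold
PROFILE_MULTIPLIER = 3.0                # order value vs. the customer's historical average
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s*office\s*box)\b", re.IGNORECASE)


@dataclass
class Order:
    order_id: str
    card_country: str            # country the card is registered in
    delivery_country: str
    delivery_address: str
    ip_country: str              # from geo-location of the shopper's IP address
    placed_at: datetime          # retailer-local time
    quantity: int
    value_gbp: float
    customer_avg_value_gbp: Optional[float] = None   # None: no purchase history (new customer)


def is_po_box(address: str) -> bool:
    """True for 'PO Box', 'P.O. Box' and 'Post Office Box' forms of an address."""
    return bool(PO_BOX_RE.search(address))


# (rule name, weight, predicate). Weights are assumptions; tune against real chargeback data.
RULES: List[Tuple[str, int, Callable[[Order], bool]]] = [
    ("card/delivery country mismatch", 3, lambda o: o.card_country != o.delivery_country),
    ("night-time order", 1, lambda o: o.placed_at.hour in NIGHT_HOURS),
    ("high value", 2, lambda o: o.value_gbp >= HIGH_VALUE_GBP),
    ("high quantity", 1, lambda o: o.quantity >= HIGH_QUANTITY),
    ("PO box delivery address", 2, lambda o: is_po_box(o.delivery_address)),
    ("IP geo-located in high-risk country", 3, lambda o: o.ip_country in HIGH_RISK_COUNTRIES),
    ("IP country differs from card country", 1, lambda o: o.ip_country != o.card_country),
    ("value far above customer's usual spend", 2,
     lambda o: o.customer_avg_value_gbp is not None
     and o.value_gbp > PROFILE_MULTIPLIER * o.customer_avg_value_gbp),
]

REVIEW_AT, DECLINE_AT = 3, 6   # assumed score bands


def screen_order(order: Order) -> dict:
    """Score an order against every rule and return the score, the rules that fired
    and a three-way decision. Only a high combined score declines automatically;
    a moderate score goes to manual review so genuine customers are not lost."""
    fired, score = [], 0
    for name, weight, pred in RULES:
        if pred(order):
            fired.append(name)
            score += weight
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return {"order_id": order.order_id, "score": score, "fired": fired, "decision": decision}


# Constructed sample orders: an ordinary repeat purchase, a stacked set of warning
# signs, and a borderline late-night first order that deserves a second look.
SAMPLE_ORDERS = [
    Order("A-1001", "GB", "GB", "12 High Street, Leeds", "GB",
          datetime(2014, 6, 10, 14, 5), 1, 45.00, 50.00),
    Order("A-1002", "US", "GB", "PO Box 77, London", "ZZ",
          datetime(2014, 6, 10, 3, 12), 8, 1200.00, 60.00),
    Order("A-1003", "GB", "GB", "4 Mill Lane, Bristol", "GB",
          datetime(2014, 6, 10, 23, 30), 1, 650.00, None),
]


def screen_all(orders: List[Order] = SAMPLE_ORDERS) -> List[dict]:
    return [screen_order(o) for o in orders]


if __name__ == "__main__":
    for r in screen_all():
        print(r["order_id"], r["decision"], r["score"], "; ".join(r["fired"]) or "-")
```

The first order fires nothing and is accepted; the second fires all eight rules (score 15) and is declined; the third fires only the night-time and high-value rules (score 3) and is held for review, which is where a phone call or an address check belongs rather than a void.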
Employees should also be trained to ensure they are not lax with information.
Sage Pay head of strategic programmes Chris Wade explains: “The main weakness in any system is the people who have access to it.
“Employees should not write down card details or passwords, businesses shouldn’t give staff unnecessary privileges to access information and workers should be warned about not having sensitive information on devices such as laptops that could be used if lost or stolen.”
Phillip Smith, UK country manager for Trusted Shops, which audits websites for retailers including Asos, Marks & Spencer and GAP and provides financial guarantees to consumers on their safety, adds: “You don’t need extra resources, but you need to work the checks into your processes and train staff to know what to look for.”
He said 3D Secure, which is designed to provide an additional layer of security for online transactions by asking customers to provide extra passwords linked to the payment card, should always be enabled, since if the transaction passes through this barrier the liability to refund the fraudulent payment moves from the merchant to the bank.
Some retailers switch 3D Secure off because shoppers who cannot remember their details abandon their orders, but doing so also forfeits the liability shift described above.
Preventing the hacking of online retailers’ databases is more difficult. Paul Martini, chief executive of online security firm Iboss Network Security, suggests: “The first thing retailers should do is ask themselves whether it is worth storing customers’ card details. [Not doing so] reduces the risk substantially as you are dealing with just passwords to your site, and any overlap with passwords on other sites.”
If breached, retailers can react immediately by advising customers to change passwords. Martini said it is essential retailers respond quickly and proactively to security breaches when they take place, so they are the first to inform their customers of the issue.
To avoid storing unnecessary and vulnerable data, the use of tokenisation is also recommended. The payment provider keeps the card details in its own vault and hands the retailer a token, a random reference value that stands in for the card. The retailer stores only the token against the customer’s account and submits it for repeat purchases; a stolen token cannot be turned back into a card number outside the provider’s vault, so it is worthless to hackers.
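The following is an added example, not the article’s code or any payment provider’s API, of the arrangement Martini and the tokenisation paragraph describe: the provider-side vault (here an in-process class standing in for a provider’s authenticated API) issues random tokens, and the retailer’s own table holds only the token, the last four digits and the expiry. The test card number is a constructed value, and the “breach” check simply scans a dump of the retailer’s table for a full card number.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class CardRecord:
    pan: str       # full card number, held only inside the vault
    expiry: str    # "MM/YY"


class ProviderVault:
    """Stands in for the payment provider's token vault (assumption: a real provider
    exposes this over an authenticated API and is itself in PCI DSS scope)."""

    def __init__(self) -> None:
        self._by_token: Dict[str, CardRecord] = {}

    def tokenise(self, pan: str, expiry: str) -> str:
        # The token is random, not a hash or an encryption of the card number, so
        # nothing about the card can be recovered from the token alone.
        token = "tok_" + secrets.token_urlsafe(24)
        self._by_token[token] = CardRecord(pan, expiry)
        return token

    def charge(self, token: str, amount_pence: int) -> bool:
        """Authorise a payment by token. A token the vault never issued is rejected;
        a real provider would go on to authorise with the card scheme here."""
        return token in self._by_token and amount_pence > 0


class RetailerStore:
    """What the retailer's own database holds: token, last four digits and expiry
    for display. The full card number is passed to the vault and never persisted."""

    def __init__(self, vault: ProviderVault) -> None:
        self._vault = vault
        self.saved_cards: Dict[str, dict] = {}   # customer_id -> stored payment method

    def save_card(self, customer_id: str, pan: str, expiry: str) -> str:
        token = self._vault.tokenise(pan, expiry)
        self.saved_cards[customer_id] = {"token": token, "last4": pan[-4:], "expiry": expiry}
        return token

    def repeat_purchase(self, customer_id: str, amount_pence: int) -> bool:
        return self._vault.charge(self.saved_cards[customer_id]["token"], amount_pence)


LONG_DIGIT_RUN = re.compile(r"\d{13,19}")   # length range of payment card numbers


def dump_exposes_card(store: RetailerStore, pan: str) -> bool:
    """Simulate an attacker reading the retailer's table: is the card number, or any
    card-length digit run, present in what was stored?"""
    dump = repr(store.saved_cards)
    return pan in dump or LONG_DIGIT_RUN.search(dump) is not None


def demo() -> dict:
    """Constructed walk-through: save a card, charge it by token, then check what a
    breach of the retailer's table would actually yield."""
    test_pan = "4111111111111111"          # constructed test value, not a real card
    vault = ProviderVault()
    store = RetailerStore(vault)
    token = store.save_card("customer-42", test_pan, "12/26")
    return {
        "token_prefix_ok": token.startswith("tok_"),
        "token_independent_of_pan": test_pan not in token,
        "repeat_purchase": store.repeat_purchase("customer-42", 1999),
        "forged_token_charge": vault.charge("tok_" + "A" * 32, 1999),
        "breach_exposes_card": dump_exposes_card(store, test_pan),
        "stored_last4": store.saved_cards["customer-42"]["last4"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The retailer still needs the vault to honour only its own tokens and to authenticate the retailer’s API calls, otherwise a stolen token plus a stolen API credential is as good as a card; that binding is the provider’s job and is outside this sketch.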
Retailers’ payment providers should also be PCI DSS (Payment Card Industry Data Security Standard) compliant, meaning they follow the standard’s controls for protecting cardholder data against theft; a retailer that stores, processes or transmits card data itself falls within the standard’s scope as well.
The Sage Pay survey found 42% of businesses did not know whether or not they were PCI DSS compliant and only 27% said they fully understood how to meet the requirements.
Lastly, Smith says all software should be kept up to date to limit breaches - but as hackers constantly work to find weaknesses in systems, and there is no certain way of preventing data breaches, retailers need to focus on building trust with their customers as “if you’ve got trust there, [a security breach] is easier to recover from”.