SMES AND ONLINE FRAUD

The introduction of Chip and PIN last year was the banking industry’s attempt to stem the tide of credit card fraud. According to the banking organisation, APACS, in 2004 card fraud soared to £504m, up 20 per cent on 2003. When a similar system to Chip and PIN was launched in France, card crime was reduced by 80 per cent and early indications suggest that the scheme will also be a success in the UK.

The losses incurred in 2005 as a result of lost, stolen and counterfeit cards will be greatly reduced as a result of the widespread use of Chip and PIN, according to APACS.

 

Thanks to such innovations consumers can, with some justification, feel that their personal finances are being protected from fraudsters but what about small and medium sized businesses (SMEs)? Are their interests being well-served as part of the banking industry’s approach to curbing card fraud? More importantly, what are the practical steps that SMEs can take to ensure they do not fall victim to online con-artists?

 

Card fraud affects most business areas, but is of particular concern for e-business. Cardholder-not-present fraud (CNP) was the biggest single type of fraud in 2004, accounting for £150.8m of the total. This has risen in line with the growth of businesses offering transactions made by fax, phone or online, not just the internet. Unfortunately for businesses, in the case of online transactions, authorisations on the web are not a guarantee that the cardholder is aware of the transaction or that the individual placing the order is the genuine cardholder.

 

Every time an unauthorised card transaction occurs, the retailer in question is liable for an expensive chargeback fee. In many cases the business loses out twice over; once to the fraudster and then again to the card company who will charge a fee on the fraudulent sale. It’s not difficult to see how this could seriously impact on a business’s bottom line. For a small business, this type of loss can be devastating.

 

Unfortunately the value of chargeback fees is always in-line with the value of the original transaction and is not in any way linked to the size of the company that has been defrauded. No special allowances are made for SMEs in cases of online fraud; a small business with just a few members of staff will have the same level of liability as a large multinational company. To make matters worse, by their very nature smaller businesses are at increased risk of falling prey to scams as they have fewer resources to combat them.

 

Earlier this year the Federation of Small Businesses (FSB) called on ministers to do more to protect small firms from scams. This came hot on the heels of the Office of Fair Trading’s (OFT) launch of ‘scam awareness month’, a campaign to raise awareness of financial fraud among consumers. The OFT is able to serve ‘Stop Now Orders’ on those trying to scam consumers but a clause in the 2002 Enterprise Act denies the self-employed and businesses similar protection.

 

It is, of course, unlikely that smaller businesses will have the resources to come up with their own bespoke fraud screening service. However, one simple way smaller businesses can have confidence they will not fall prey to costly scams, online at least, is to use a trustworthy cardholder authentication service.

 

In addition to fraud and as an added incentive to merchants to implement appropriate security systems, from 30th June this year, all businesses who take more than 20,000 online payments a year will be required to comply with new Payment Card Industry (PCI) standards. These rules govern the handling and security of sensitive information. In practical terms, this means that companies must scan networks four times a year and carry out an annual audit (at a cost to themselves) to ensure their compliance with the new security standards. Companies who do not adhere to these rules may have their merchant acquiring facilities withdrawn and hence not be able to trade.

 

Although these changes are potentially time consuming for SMEs to implement it is absolutely crucial that such systems are put in place. In the event of card fraud, banks will quite simply not talk to businesses that do not have these standards in operation.

 

Growing numbers of businesses now use a real-time payment service such as SECPay to process online card payments. Those merchants that use such a service will find their obligations under PCI are fulfilled automatically. This is part of SECPay’s payment service.

 

In addition to easing the massive burden of collecting relevant data, real-time payment services also provide businesses with all-important security systems to minimise many of the risks associated with collecting card payments online. Mastercard’s ‘SecureCode’ and Visa’s ‘Verify by Visa’ authentication systems work to fight fraud by checking previously registered identification details to confirm a cardholders identity, by either PIN or password. These systems are the electronic commerce equivalent of Chip and Pin. Both systems are available to SECPay’s clients free of charge, giving them additional peace of mind when trading online. These schemes move the liability for most fraudulent transactions to the card issuers and not the merchants.

 

Even with the authentication schemes in place merchants must still be conscious of fraud levels and actively take steps to prevent fraud. They can still have acquiring facilities withdrawn if fraud levels rise, so just because the expense is carried by the card issuer it is not an excuse for complacency. In addition Mail Order / Telephone Order transactions are not covered by the VBV and Securecode schemes so vigilance is especially important here. In addition with fraudsters being squeezed by Chip and Pin on one side and VBV/Securecode on the other, fraud will tend to migrate to Mail Order / Telephone Order. SECPay provides a number of products to help detect the occurrence of fraud and to aid merchants in mitigating it's effects.

 

So many anti-fraud measures appear to come from a system that actively works to protect the rights of the consumer but does not make good business sense to merchants. Many measures are difficult for businesses to administer and implement. It is good to know, therefore, that there are steps businesses can take with a minimum of fuss to ensure they are better protected against online fraud.

News from SECPay

September 2006 - SECPay, the UK’s leading independent internet payment service provider, tod...

July 2006 - Philip Whittaker, SECPay's Chief Information Security Officer, has earned the de...

9 May 2006 - Leading independent internet payment service, SECPay, today announces the launc...