The same, recurring themes often come up when people talk about digital security. Understanding exactly what they are and how your business might be prone are the first steps in learning to safeguard you, your customers and your business.
Fraud is the act of deceiving an individual or business to illegally obtain money, goods or services. One of the most common ways small businesses encounter it is through payment processing. And even more common is fraud taking place through “card-not-present” transactions — those processed virtually, without the physical use of a payment card by the cardholder. It’s for this exact reason that eCommerce businesses who rely entirely on online transactions, are at extra risk from fraud.
A typical example of fraud taking place is where an individual attempts to use stolen credit card information to purchase something through a website. The fraudster essentially deceives the business into thinking that they are the owner of the funds being used in the transaction, enabling them to illegally acquire products or services. If and when the real cardholder realises their card is being used by someone else, they will likely file a dispute (see the next section).
There are many ways both to avoid fraud and to cope in the unfortunate situation where it happens anyway. You can start out by reading our detailed but easy-to-action help article on how to protect yourself from scams and fraud.
Take Secure Payments with Square Point of Sale
The point-of-sale system designed to grow with you.
A payment dispute is when a cardholder contacts their bank to request the cancellation of a transaction. If the cancellation is approved, the bank reverses the transaction by issuing a dispute, before debiting your business’s account for the disputed funds. This final debit back to the customer’s account is called a chargeback.
There are a number of reasons a cardholder might file a dispute:
- They were dissatisfied with a purchase
- They never received their purchase
- Their payment card was stolen
- The payment card information was compromised by a data breach
A cardholder has the right to initiate a dispute. If the bank deems their dispute to be legitimate, the cardholder will receive their money through the chargeback. Chargebacks are bad for your business’s cash flow generally, but there are a number of other reasons why they are best avoided:
- For every chargeback, your bank will also charge you a fee
- If the total number of chargebacks exceeds your bank’s fixed threshold you may receive a fine
- Excessive chargebacks may result in the bank terminating your account
- Even if you have a legitimate case against a customer’s dispute, it can take a lot of time and effort to recoup the original funds and any fees
- Even if you win a chargeback dispute, your account could still be closed if you exceed the chargeback limit set by your bank
Bearing in mind all of the above, you can see why avoidance is the best approach to payment disputes. The good news is, there are ways to do so. And some are as simple as choosing a payment provider who protects you in the first place. Read more about how to protect your business from payment disputes and chargebacks.
3. Account takeover
When accounts aren’t secure — whether that’s your email account, bank account or an account for software you use — individuals can seize control and use them with criminal intention. There have been a number of big news stories about data breaches in recent history, with all kinds of establishments targeted, from Facebook to the NHS.
Hackers often engineer these data breaches through websites or apps to access user information like saved email addresses and passwords. They then use these login details to make fraudulent transactions, sell them to other criminals on the dark web, hold the affected business to ransom or simply make an example of that business’s insufficient security.
A perpetrator might also pose as a legitimate business to trick people into freely giving them their personal information. This is known as “phishing”. After logging into the victim’s account, they may change their login information to prevent them from getting back in and — with bank accounts — transfer funds to their own account.
There are a number of ways to protect yourself from account takeovers:
- Only use websites and apps that operate with two-step (or “two-factor”) verification
- Avoid saving your passwords, personal information or card details on websites unless absolutely necessary
- Never log in or make a payment on websites that aren’t using the secure HTTPS protocol in the address bar of your browser
In the same way you would protect your own data using the tips above, you should also be offering the same safeguards to your customers so that their data stays secure.
4. Data security
Data security refers to practices and techniques that stop data being accessed by hackers. These can be carried out using software (like a firewall) or hardware (like WIPS) that detect suspicious activity, help you secure payment devices and monitor the authenticity of transactions.
To ensure that business owners keep their customers’ data secure, the five major credit card brands — Visa, Mastercard, Discover, American Express and JCB — have created a series of regulations called the Payment Card Industry Data Security Standard (PCI DSS) under their collective organisation, the PCI Security Standards Council. PCI DSS obliges businesses to maintain a specific standard of security when accepting, processing, storing and transmitting payment card information to stop cardholder information falling into the wrong hands. Businesses that are found to be noncompliant may receive penalty fees.
Maintaining compliance in-house is time-consuming and expensive for businesses, all the more so if you’re small. This is why it’s a good idea to choose a payments partner that handles all the PCI compliance for you.
Encryption is the process of converting private information into a line of code that is readable only to those with a special security key. In end-to-end encryption, when a device sends encrypted information, only the device receiving that information is able to decrypt it. This keeps the information safe from decryption taking place through the servers and networks that transport it between the two designated devices.
Here’s a step-by-step example of how payments companies encrypt payments:
- A Debit card is tapped or inserted into a card reader
- The customer’s payment data is immediately encrypted by the reader
- The encrypted data is sent securely to Square’s servers
- The payment is processed
- The data is encrypted again before being set to the merchant’s bank
This means that if a business’s WiFi network was compromised during a transaction, all the data being transferred (the card details, customer billing information, transaction information etc) would remain unreadable and unusable to hackers.
Hacking is the act of using a device (most often a computer) to obtain private data, typically for illegal use. Hacking methods include using malicious software to attack users’ devices, creating fake websites that trick users into entering personal information or sending emails that request users’ personal information directly.
As we mentioned previously the technique of phishing relies on users mistakenly thinking they’ve received an email from a legitimate source, such as a bank or reputable individual. The hacker poses as one of these sources, and requests information such as the user’s bank details or email password.
There are some simple ways to protect yourself from hacking:
- Never give out personal details without confirmation of the source
- Always check the legitimacy of the URL in the address bar before entering details on a website
- Never click on website pop-ups unless you’re sure they are legitimate
- Never leave your computer, laptop or phone unlocked in a public space
- Never click on links in emails unless you’re sure where you will be directed (tip: if you hover over links with your mouse, you will see a preview of the URL somewhere in the corner of your browser window)