August 19, 2016
Get Better in 2015
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
The beginning of a new year is a chance to start fresh—to do new things or just do the things you were doing, but do them better. 2014 was a year of highly publicized data breaches and record sales in the card-not-present space, which meant a record amount of credit card fraud. We also saw new payment methods emerge such as Bitcoin, new mobile wallets, and companies focusing on global expansion more than ever before. Another year has come to an end, but innovation and change in this industry will continue, as always. In that spirit, we have compiled a set of New Year’s resolutions for card-not-present merchants. If you’re already following these suggestions, you’re ahead of many in your field. If not, please consider them as a way to learn from the accomplishments—and mistakes—made by others before you.
In 2015, I resolve to:
Take More Action to Prevent Data Breach
While you may not be formally responsible for information security in your business, you can partner with the group that is to suggest best practices for protecting your data as much as possible. Internally, it is important to require strong, regularly updated passwords for all internal systems. Educate all staff on the importance of not opening any link or downloadable file from an outside source. Segment your servers so that should one person’s access be compromised, the cyber thief does not have access to your entire network. To prevent data breaches from an external source, it is important to be vigilant about anti-malware software updates and implement them immediately, comply with all PCI rules regarding the storage of your customers’ payment data, and partner with a company to perform penetration testing annually, at minimum.
Prepare More Thoroughly in the Event of a Data Breach
One thing we have all learned in 2014: no matter how large and secure a company is, none is 100 percent safe from a data breach. In the age where consumers are being notified of a breach at almost the same time that the victim company is discovering it, the importance of having a communications plan in place prior to any attack is paramount. Have a brainstorming session with a representative of every unit in your company to answer the question, “If a data breach were to happen tomorrow, what would we need to do?” Work together with your communications department to pre-draft a letter you may send to the affected customers. Partner with your customer-service team to determine their call-center needs should a breach occur and consider retaining an outsourced call center. Solicit input and feedback from all other departments that need to be involved. Hopefully you will never have to use these response and recovery plans, but if you have these details in place prior to an event, customer service and communications with customers will not suffer, and your company’s focus can be solely on fixing the vulnerability.
Diligently Prepare for EMV
In 2015, the EMV liability shift will be the catalyst for chip-enabled cards to flood the U.S. market. Industry experts have predicted that as the conversion from magstripe to chip cards occurs at the issuer and merchant level over the next few years, fraud in the card-not-present environment will increase dramatically. The best way to prepare for the inevitable increase in fraud attempts is to create a layered approach in your systems and also in the skill sets of the people on your team. Consider using multiple tools that will screen orders at multiple points in the transaction. Whether you decide that you need to invest in new tools or continue to use your current technology, the best way to be prepared for these changes is to be aware of and prepared for the almost certain increase in fraud attempts that our industry will endure.
Consider New Payment Methods
With Bitcoin, ApplePay and other new payment options making headlines, it can be hard to know which payment methods to consider. Will a new option increase your conversion rates or just clutter your checkout page with too many options? Start out by researching the new payment options, focusing on the consumers who are using them, and compare those consumers to your own target market. If the markets are comparable, then focus on implementation and operations processes such as refunds and fraud: do they align with your current system and policies? Also, reach out to merchants that are currently accepting them, and find out what they’re experiencing. A payment method could be receiving a great deal of publicity even though consumers have not yet adopted it, and the cost of implementation is not worth the actual number of consumers who will use it on your site. Or, you could find a new group of consumers that would not otherwise make a payment, and increase your sales and company exposure.
Streamline Fraud Processes & Systems
If you feel like your fraud team is focused primarily on being reactionary—constantly just putting out fires—it is probably a good time to review your overall strategy and processes with the aim of implementing a more proactive system. Your metrics and key performance indicators are a good place to start. Pay close attention to your chargeback rates, manual review rates, false positive rates, etc. They will show you where you may need to focus your attention first. It may be helpful to review your payment processes from end to end, eliminating redundancies and inefficiencies. Say, for instance, your KPIs indicate your manual review rate is higher than it should be. Study the data to determine which combinations of attributes are almost always passed, but are still flagged for manual review. If you were to auto-pass those transactions, your team could use that time to analyze or respond to chargebacks, or another area that needs more attention.
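The manual-review analysis described above can be sketched in a few lines of Python. This is an added example, not part of the original article: the attribute names (`avs`, `cvv`, `repeat`), the thresholds and the sample orders are all constructed assumptions. It goes one step beyond the text by counting a reviewer-passed order as clean only if it did not later charge back, and by ignoring combinations with too few reviewed orders to trust.

```python
from collections import defaultdict

def _rows(n, avs, cvv, repeat, decision, chargeback=False):
    """Build n identical constructed review records (illustrative only)."""
    return [dict(avs=avs, cvv=cvv, repeat=repeat,
                 decision=decision, chargeback=chargeback)] * n

# Constructed manual-review history, not real data.
REVIEWED = (
    _rows(196, "Y", "M", True, "pass") + _rows(4, "Y", "M", True, "reject")
    + _rows(120, "Y", "M", False, "pass") + _rows(30, "Y", "M", False, "reject")
    # Reviewers passed all of these, but six later charged back.
    + _rows(94, "N", "M", True, "pass") + _rows(6, "N", "M", True, "pass", True)
    + _rows(10, "Y", "N", True, "pass")  # too few orders to draw a conclusion
)

def auto_pass_candidates(orders, keys=("avs", "cvv", "repeat"),
                         min_orders=100, min_clean_rate=0.97):
    """Attribute combinations that manual review almost always passes cleanly."""
    stats = defaultdict(lambda: [0, 0])  # combo -> [reviewed, clean]
    for order in orders:
        combo = tuple(order[k] for k in keys)
        stats[combo][0] += 1
        if order["decision"] == "pass" and not order["chargeback"]:
            stats[combo][1] += 1
    candidates = []
    for combo, (reviewed, clean) in stats.items():
        rate = clean / reviewed
        if reviewed >= min_orders and rate >= min_clean_rate:
            candidates.append({"combo": dict(zip(keys, combo)),
                               "reviewed": reviewed,
                               "clean_rate": round(rate, 3)})
    return sorted(candidates, key=lambda c: c["reviewed"], reverse=True)

def queue_share_freed(orders, candidates):
    """Fraction of the manual-review queue the candidates would remove."""
    return sum(c["reviewed"] for c in candidates) / len(orders)

if __name__ == "__main__":
    found = auto_pass_candidates(REVIEWED)
    for c in found:
        print(c)
    print(f"review queue freed: {queue_share_freed(REVIEWED, found):.1%}")
```

Orders that are auto-passed stop producing review decisions, so chargebacks on those combinations remain the only signal that a rule has gone stale and should keep being tracked.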
Highlight Your Team’s Value
In many companies, the fraud and payments departments do not get enough credit for the protection and savings they bring the company. Many times they are the last department to be consulted prior to the introduction of a new marketing plan, product or revenue stream. If you dedicate time and energy to educating other departments and executives about the role your team plays and the value it provides, you will be consulted earlier in the process, while changes can still be suggested, and may receive additional resources for your department’s growth and success. Consider creating a static slide deck that focuses on what the team is responsible for, including your key performance indicators and how they have improved over time. After you have established a baseline of understanding for the service your team provides, continually update leaders in other teams on your metrics, highlighting the accumulated savings to the bottom line from canceled fraud orders and the new processes you have put into place to increase conversion rates or to reduce redundancies.
Stay Informed Regarding Changes in the Industry
The fraud, payments and security landscapes in the card-not-present world are changing significantly and quickly. The best way to ensure your business is ready for the changes ahead is to stay informed about new regulations and industry news that will impact your business. Reading industry publications like CardNotPresent.com and attending conferences and networking events where you can meet and learn from peers in the industry are invaluable in this space. While most other departments are competitive with similar departments in other companies, fraud and payments is an industry where the value of learning from others who are also tasked with similar issues far outweighs any drawback. Through attending live events and reaching out to people on social media with similar interests and focus, we can learn from one another where we are strong and how we can improve risk mitigation while maximizing our overall revenue in the coming year.