A Guide to Preventing E-Commerce Fraud

Card-not-present (CNP) transactions, in which the cardholder is not physically present, have always been riskier than card-present transactions. That’s because, by their nature, card-not-present transactions have more blindspots when it comes to authorization of cardholder identities. In recent years, however, CNP fraud — and e-commerce fraud, in particular — have risen to rates never seen before. Driven by the growth of e-commerce sales, an onslaught of bad actors during the COVID-19 pandemic, and increasingly sophisticated fraud tactics, e-commerce fraud losses have reached new heights. A survey from 2021 found that e-commerce merchants experienced a 140% increase in attacks since 2020!

Not only is e-commerce fraud more common now, but it’s also more costly. E-commerce businesses today are finding that fraud is taking a bigger bite out of their bottom line. Research by LexisNexis found that in 2021, each $1 in fraud cost U.S. retailers $3.60 in total expenses, up from $3.13 prepandemic.

All this means that payment fraud prevention tools and strategies are playing an increasingly important role in protecting merchants. With the right fraud prevention program and tools in place, online businesses are able not only to prevent fraud but to minimize losses if and when they occur. In fact, recent research found that companies that implement fraud prevention programs can reduce their fraud response expenses by 42%.

For online businesses and other e-commerce industry professionals such as independent software vendors (ISVs) and software-as-a-service (SaaS) providers, it’s essential to have a working knowledge of online fraud and to know the steps you can take to prevent it. Additionally, a keen awareness of the integrated payments space and its role in preventing e-commerce fraud can make all the difference for industry players. In this white paper, we will explore the common types of e-commerce fraud and various red flags to look out for, discuss the negative consequences of online fraud for businesses, and explore some practical ways in which payment technology can keep fraud at bay.

Get the print version
Read the full white paper anytime and anywhere.

What is E-Commerce Fraud?

E-commerce fraud refers to malicious or unauthorized transactions made online for financial gain. Oftentimes, these transactions are made using stolen payment details or identities. The negative repercussions of e-commerce fraud are significant, with online payment fraud losses expected to exceed $200 billion between 2020 and 2024.

Over the years, fraudsters have diversified their tactics and found new ways to exploit online businesses. Unfortunately, there are now many types of payment fraud that businesses need to be on the lookout for. Here’s a short list of some of the most common ones.

Common Types of Online Fraud

Many technologies have made modern unattended retail solutions possible, but a few notable advancements stand out. Take a look at how these key innovations have laid the groundwork:

Credit Card Fraud
Credit card fraud refers to any transaction made with stolen credit card details. While these fraudulent transactions can occur in-store, they have become much more common online — particularly since EMV chip card technology has made it more difficult for fraudsters to create counterfeit cards to use at the point of sale. Fraudsters have a number of ways in which they obtain stolen credit card details, such as phishing emails, malware, or targeted data breaches. Once the data is stolen, it’s often sold on the dark web to other bad actors. Since credit card fraud relies on the unauthorized interception of card data, payment infrastructure weaknesses and improper payment data handling are often singled out when a fraudulent attack occurs. Later on, we will briefly discuss how businesses can protect sensitive card data from getting stolen.
Card Testing Fraud
When a fraudster obtains stolen card information, one of the first things they do is start testing each card’s validity and available funds by making many small purchases online. Oftentimes, these fraudulent attacks are performed by bots. Once the fraudster determines which cards are active and have sufficient funds, they will begin using those cards to make larger purchases.
Friendly Fraud
Friendly fraud is really not so friendly — it’s when a cardholder makes a purchase online and then disputes the transaction with their card issuer in order to get their money back. Friendly fraudsters will claim that the item wasn’t delivered, that they didn’t even make a purchase, or that the merchant never processed their refund (among other false assertions). This type of fraud not only causes merchants to lose out on sales but also imposes chargeback fees and could potentially harm the status of the merchant’s payment processing account.
Refund Fraud
Refund fraud is when a malicious actor uses a stolen card to make a purchase, then requests a refund to a different card — the card that they actually possess. Merchants in this situation often won’t realize that they’re dealing with fraudulent behavior, as they’ll believe the fraudster’s claim that the original card is no longer active.
Account Takeover Fraud
This malicious tactic is when fraudsters hack into customer accounts on online storefronts in order to make purchases or steal payment data. It is one of the fastest-growing fraud tactics today, and in fact, incidents of account takeover fraud grew by 90% between 2020 and 2021.

Impact of E-Commerce Fraud on Merchants

While the financial costs of fraud are quite obvious, there are many other negative consequences for online merchants who are hit by fraud. E-commerce businesses can experience a surge in chargebacks, a tarnished brand image and lost customer trust, and a potential threat to their payment processing account.

It’s important for business owners to realize that no matter the size of their business or industry, they are at risk for fraud. A survey taken in 2019 revealed that nearly half of small businesses in the U.S. and Canada didn’t think they were big enough to be targeted — yet unfortunately, this couldn’t be further from the truth. Verizon’s “2019 Data Breach Investigations Report” found that 43% of cyberattacks specifically target small businesses. The reality is, small businesses are often more likely to lack the security prevention measures needed to combat fraud, and fraudsters are all too aware of this.

With that in mind, let’s take a closer look at the biggest negative consequences of online fraud:

Financial Losses
One of the most significant costs of fraud is the financial loss the merchant incurs. Depending on the type of fraud that’s occurring, merchants are likely to lose out on inventory, actual business funds, or both. That’s not all, though — merchants who have been hit by fraud often have to shell out additional money to respond to and resolve the situation. In fact, the costs of responding to fraud are often far more than the amount that was actually stolen. Businesses may need to pay legal fees and non-compliance fees, hire in-house security experts to boost operational security, and implement or improve security infrastructure and systems.
Damaged Reputation
Customers and business partners are likely to lose trust in a business that experienced a fraudulent attack. In fact, a survey from 2019 found that 81% of consumers would stop engaging with a brand online in the aftermath of a data breach. This means that fraud not only causes merchants direct, immediate losses, but it also can result in lost sales and a shrinking customer base down the road.
Chargebacks
A chargeback is when a customer disputes a transaction with their card issuing bank and asks them to reverse it. While actual credit card fraud is a legitimate reason for a cardholder to file a chargeback, there are fraudsters who will file friendly fraud chargebacks even after they’ve received the product or service. No matter whether it’s actual fraud or a friendly fraud chargeback, the merchant loses out either way. Every chargeback incurs a fee, and as chargebacks accumulate on the account, the merchant’s processing rates are likely to rise — and they may be at risk of their account getting shut down altogether. Chargebacks are also quite time-consuming since the merchant has to respond to every chargeback with appropriate documentation.

Of course, this is not an exhaustive list of red flags, and it is also possible that a legitimate transaction could fall under one of the above categories. That’s why AI-driven fraud prevention tools are a great supplement to manual fraud detection.

How E-Commerce Merchants Can Prevent Online Fraud

Now that you’re more familiar with online fraud and its warning signs, let’s take a look at some actionable steps you can take to curb its occurrence. As mentioned, fraud prevention is a multi-pronged approach that requires cross-departmental security awareness and robust security solutions. Here are some tips that encompass both of these approaches:

Monitor for Unusual Behavior
As discussed above, fraudsters will often leave footprints behind. It’s essential that business owners and their employees have a thorough awareness of fraud warning signs so that they can take further action — such as declining suspicious transactions or blocking certain IP addresses — when needed.
Use Address Verification Service (AVS)
AVS is a tool offered by the credit card brands to verify cardholder identities. It does so by checking that the provided billing address matches the address that’s on file with the bank. This process happens in real-time when the transaction is authorized.
Maintain PCI Compliance
Maintaining compliance with the Payment Card Industry’s Data Security Standards (PCI DSS) is one of the most important things that businesses can do to ensure that customer card data is protected from fraudsters. PCI DSS consists of a set of policies and procedures that when adhered to, help ensure maximum card security — such as maintaining secure networks and firewalls, encrypting stored data, and regularly testing security systems. It’s important to note that since PCI compliance is required by the credit card brands, noncompliance could put online retailers on the hook for fees. Fortunately, many merchant service providers and payment technology providers help simplify the path to PCI compliance by offering advanced solutions and ongoing support.
Require CAPTCHA and Card Verification Value (CVV) at Checkout
Both of these helpful tools are a great way to authenticate the cardholder. CAPTCHA is a test used to tell humans and robots apart, and most commonly it involves identifying distorted letters and numbers. CVV refers to the three- or four-digit number on the back of credit cards. Requiring entry of this number at checkout weeds out fraudsters who don’t actually possess the credit card.
Disclose Clear Refund Policies
Customers who are unhappy with an item or service but aren’t eligible for a refund may sometimes resort to friendly fraud. That’s why it’s important to ensure that your clients know in advance if there are any restrictions that apply to returns and refunds. Providing this information upfront can also serve as supporting evidence in the event of a chargeback.
Only Issue Refunds to the Card Used for the Original Purchase
To prevent refund fraud, avoid issuing refunds to an alternative credit card or with cash or check. Issuing refunds to the original payment method is the only way you can ensure that it’s not getting into the wrong hands. Plus, doing so leaves a paper trail that the refund was made, and this evidence could come in handy.
Integrate Advanced Payment Security Technology
No fraud prevention program is truly complete unless it includes powerful security solutions. With the help of a secure payment gateway integration, you’ll find that it’s much easier to reduce fraud, maintain PCI compliance, and minimize chargebacks. Fortunately, today’s payment gateways offer an impressive array of fraud prevention tools that will save you time on manual labor and protect your business. In the following section, we will provide an overview of integrated payment technology and pinpoint several must-have security features.

Harnessing the Power of Integrated Payment Technology to Fight Fraud

For e-commerce merchants, payment gateway integrations are essential to facilitating secure transaction processing. The payment gateway serves as a middleman between the cardholder’s bank and the issuing bank, interfacing with the merchant’s online storefront and financial institutions. Since the payment gateway is responsible for transmitting data, it plays an essential role in keeping data secure.

As payment security evolves rapidly, partnering with an innovative payment gateway can make all the difference for e-commerce merchants. When looking for the right payment integration, merchants should focus on finding a provider that’s cutting-edge and committed to rolling out the latest technologies. This is essential in keeping one’s business safe as fraudsters continue to scheme up new tactics and the payments landscape evolves. At the same time, staying on top of payment security trends often translates directly into a more frictionless, faster, and customer-friendly checkout experience that improves brand loyalty and conversions.

There is an incredible range of payment gateway security features available on the market, and while some are offered across the board, others are limited to the most innovative and feature-rich gateways. Here’s a look at some of the top payment gateway security solutions for online merchants:

Top Payment Gateway Security Features

Data Tokenization

Tokenization technology replaces sensitive card data with randomly-generated tokens that are indecipherable and meaningless to fraudsters. The payment gateway assigns each payment method a token and stores the actual payment details in its secure vault. Meanwhile, the merchant only uses the associated tokens during transaction processing or to store payment information.

3DS2 Authentication

3-D Secure 2.0, commonly known as 3DS2, is a next-generation authentication solution launched by EMVCo to verify cardholder identities in real time. When a transaction is processed on a gateway that supports 3DS2, key data points are passed along to the cardholder’s issuing bank to evaluate risk. Only transactions that are determined to be low-risk are authorized, thus filtering out fraudulent transactions and preventing chargebacks.

Gateway Filters

Gateway filters automatically block transactions based on parameters that are likely to indicate fraud. Most payment gateways give merchants the ability to set up filters per their preferences. For example, merchants can choose to block transactions based on the following parameters, among others:

IP addresses
Failed AVS checks
Specific card or BIN numbers
High dollar amounts
High velocities (in a given time period)

Automated Fraud Screening

Fraud screening solutions scan incoming orders for signs of fraud — often using AI technology — and provide the merchant with a score or yes/no decision. These tools offer a significant advantage over manual screening alone, as they pick up on red flags that may be missed, and they also reduce the odds that legitimate transactions will be unnecessarily declined.

End-to-End PCI Compliance

Using a payment gateway that’s PCI compliant greatly simplifies the merchant’s path to PCI compliance. Merchants can rest assured that the gateway is regularly being updated to adhere to PCI standards, which takes some of the burden off of the merchant.

Support for Secure Payment Methods

The latest payment methods offer an added layer of security that benefits cardholders and merchants alike. Digital wallets like Apple Pay and Secure Remote Commerce (SRC) keep payments extra secure since data is tokenized and the cardholder must verify their identity — using biometrics or another method — when making a payment.

Boost E-Commerce Security With the Cardknox Gateway

As a leading e-commerce payment gateway, Cardknox offers unmatched security that provides e-commerce merchants with incredible protection and peace of mind. Cardknox supports all of the above features and has an in-house team of security and PCI experts to guide merchants, ISVs, and SaaS providers on all things related to secure payment integrations. Plus, users of the Cardknox gateway can enjoy access to cutting-edge payment solutions for in-store and mobile channels, which can be easily synced with e-commerce sites for a complete omnichannel experience. For ISVs and SaaS providers, Cardknox’s Partner Program provides lucrative integrated payment acceptance options, with the option to become a payment facilitator.

Interested in learning more about how the Cardknox gateway can level up your business with industry-leading security and payment solutions? Contact us today to learn more!

Get the print version
Read the full white paper anytime and anywhere.

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
ep201	30 minutes	This cookie is set by Wufoo for load balancing, site traffic and preventing site abuse.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
OptanonConsent	5 months 27 days	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_L91N7MKDFX	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_53045244_1	1 minute	Set by Google to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
handl_landing_page	1 month	Understand which page was the first webpage a user visited.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
pi_opt_in1055213	7 days	The cookie is used by SalesForce/Pardot to store privacy preferences.
utm_campaign	past	Google Ad Services sets this cookie to store session campaign value if present.
utm_content	past	This cookie is used for storing the session content value if present.
utm_source	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
utm_term	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
visitor_id*	past	Pardot sets this cookie to store a unique user ID.
visitor_id*-hash	past	Pardot sets this cookie to store a unique user ID.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
utm_medium	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.

Cookie	Duration	Description
__wpdm_client	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_splunk_rum_sid	15 minutes	No description
AnalyticsSyncHistory	1 month	No description
AWSALBTG	7 days	No description available.
AWSALBTGCORS	7 days	No description available.
email	past	No description available.
experiments-fingerprint	6 months	No description
experiments-raw	6 months	No description
gclid	past	Used by Google to track conversions,
handl_ip	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_url	1 month	No description available.
li_gc	5 months 27 days	No description
TESTCOOKIESENABLED	1 minute	Description is currently not available.
username	past	No description available.