Payment processing - make sure you get it right

Despite its popularity, payment processing has serious implications for businesses and consumers

Getting processing wrong can be devastating

To stay in business, any company must be able to process payments from its customers. While this may seem like a low-level detail, the impact on your organisation of getting this processing wrong can be immense, ranging from fraud and compliance problems to damage to corporate reputation. Improving how you handle payments can deliver substantial benefits to the bottom line.

In this two-part series of articles, I will explain why payment processing is an important subject that should have the attention of C-level executives, and what your business can do to minimise risk, stay on the right side of the law, and maximise profitability. In this first part, I will discuss the issues of fraud, compliance and corporate reputation. In part two, I’ll look at how changing the way you process payments can improve your profitability and open up foreign markets, and review some of the alternatives to credit cards for online payments.

THE MAIN ISSUES
Perhaps the most obvious risk is fraud – at a low level from customers disputing transactions and paying with fraudulent cards, or on a large scale if the credit card data or other personal details you hold on customers are stolen in a breach. There’s also a strong risk to corporate reputation: if it becomes known that your company has failed to secure customers’ details, you could lose your expensively created public image overnight, with a corresponding sharp drop in business.

Closely linked with fraud are issues of compliance, in particular those related to protecting personal financial data. Data protection and privacy laws vary from country to country and can be complex, making it vital to ensure that the information you hold from payment processing is stored and processed correctly and legally. Falling foul of California’s disclosure laws or European privacy rules can have serious consequences for a company and its executives, including, for example, imprisonment for up to two years in the UK for negligently disclosing personal data.

Lest this all seem overly negative, the good news is that by reviewing how you process payments, your company can increase revenues and profitability. While many businesses assume that accepting credit cards is the only requirement for online commerce, in fact many consumers don’t have access to credit cards, or don’t like using them online. By opening your doors to other payment mechanisms, you would be welcoming a whole new group of customers, and potentially gaining a significant advantage over your competitors – for example, only 26 percent of shoppers in Germany, Europe’s second largest online shopping market, list credit cards as their preferred method.[1] Improving how you handle online payments can also increase your business from overseas customers paying in different currencies.

THE COSTS OF PAYMENT FRAUD
Industry analysts estimate the annual cost of online credit card fraud to be as much as US$60 billion.[2] Depending on the type of transaction and industry, recent research estimates anywhere between three percent and 20 percent of online orders are fraudulent, with costs adding up to 10 percent of gross online revenue.[3] This poses a significant risk to merchants who are solely dependent on credit cards as their primary method of online payment.

Unlike face-to-face transactions, credit card payments that take place online are virtually invisible, and are labelled in the industry as “Card-not-Present” (CNP) transactions. The retailer can physically verify neither the card nor the cardholder, which opens the door to fraudulent transactions, resulting in disputed transactions and charge-backs for you, the online merchant.

A further problem with credit cards is that authorisation does not guarantee payment. It only confirms that the card being used on your site has not been reported lost or stolen and that there are sufficient funds available.

Fraudulent credit card activity can originate from identity theft, from breaches of customer data on your own site, and from anything in between. Protecting against fraud is time-consuming, but if left unmanaged, these threats end up hitting your bottom line. And when those fraudsters are hitting you from other countries, debt recovery is either impossible or cost-prohibitive.

PROTECTING YOUR BUSINESS AGAINST FRAUD
Credit cards today have an ever-evolving set of security features. To combat CNP fraud and disputed transactions, credit card companies recently introduced 3-D Secure™, an authentication protocol that requires cardholders to enter a user-generated PIN or password to verify their identity and validate the transaction.

3-D Secure shifts responsibility away from merchants back to the cardholders and credit card companies, thus eliminating the risk of “cardholder unauthorised” charge-backs for merchants and increasing consumer confidence. However, the biggest obstacle to 3-D Secure is the additional authentication window, which leads many customers to give up and abandon their purchase. Adoption by consumers has been generally low.

Over the next three to five years, the single most important element in fraud detection and prevention is going to be real-time behavioural profiling. To protect your business from the risks associated with credit cards, you’ll need to build a comprehensive fraud mitigation programme, which requires establishing business rules, transaction processing, identity verification, KYC (Know Your Customer) and data security practices. This is inevitably a complex and costly process.
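To make the “business rules” and “real-time behavioural profiling” components concrete, here is an added example of a small rule-based risk engine in Python. It is not code from the article or from any payment provider; the transaction fields, the rules, their weights, the velocity window and the decision thresholds are all constructed assumptions for illustration, and a real programme would tune them against its own charge-back history. Note that the engine works on a tokenised card reference rather than the card number itself, so the fraud logic never needs to hold raw card data.

```python
"""Rule-based CNP transaction risk scoring (added example, not from the article).

All rules, weights and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    card_token: str        # tokenised card reference; the raw card number is never stored here
    amount: float
    currency: str
    billing_country: str
    shipping_country: str
    ip_country: str        # country derived from the customer's IP address
    timestamp: int         # seconds since epoch (constructed values in the sample data)


@dataclass
class RiskEngine:
    velocity_window: int = 600      # seconds of history considered per card (assumed)
    velocity_limit: int = 3         # prior attempts in the window before flagging (assumed)
    high_amount: float = 500.0      # order value treated as high (assumed)
    review_threshold: int = 40      # score at which a human reviews the order (assumed)
    decline_threshold: int = 70     # score at which the order is declined (assumed)
    # per-card list of recent transaction timestamps: the behavioural profile
    history: dict = field(default_factory=lambda: defaultdict(list))

    def score(self, txn):
        """Return (decision, score, reasons) for one transaction and update the profile."""
        score = 0
        reasons = []
        # Rule 1: goods shipped to a different country than the card is billed in
        if txn.billing_country != txn.shipping_country:
            score += 30
            reasons.append("billing/shipping country mismatch")
        # Rule 2: customer's IP geolocation disagrees with the billing country
        if txn.ip_country != txn.billing_country:
            score += 25
            reasons.append("ip/billing country mismatch")
        # Rule 3: unusually high order value
        if txn.amount >= self.high_amount:
            score += 20
            reasons.append("high amount")
        # Rule 4: velocity, i.e. too many recent attempts on the same card token
        recent = [t for t in self.history[txn.card_token]
                  if txn.timestamp - t <= self.velocity_window]
        if len(recent) >= self.velocity_limit:
            score += 40
            reasons.append(f"{len(recent)} prior attempts within {self.velocity_window}s")
        self.history[txn.card_token].append(txn.timestamp)

        if score >= self.decline_threshold:
            decision = "decline"
        elif score >= self.review_threshold:
            decision = "review"
        else:
            decision = "approve"
        return decision, score, reasons


# Constructed sample transactions: a clean order, a high-risk cross-border order,
# and four rapid attempts on one card token.
SAMPLE_TRANSACTIONS = [
    Transaction("t1", "tok_A", 45.0, "GBP", "GB", "GB", "GB", 1000),
    Transaction("t2", "tok_B", 650.0, "EUR", "DE", "NG", "NG", 1010),
    Transaction("t3", "tok_C", 30.0, "USD", "US", "US", "US", 1020),
    Transaction("t4", "tok_C", 30.0, "USD", "US", "US", "US", 1030),
    Transaction("t5", "tok_C", 30.0, "USD", "US", "US", "US", 1040),
    Transaction("t6", "tok_C", 30.0, "USD", "US", "US", "US", 1050),
]


def run_engine(transactions=SAMPLE_TRANSACTIONS):
    """Score each transaction in order, keeping per-card history between them."""
    engine = RiskEngine()
    return {t.txn_id: engine.score(t) for t in transactions}


if __name__ == "__main__":
    for txn_id, (decision, score, reasons) in run_engine().items():
        print(f"{txn_id}: {decision} (score {score}) {reasons}")
```

Running it scores the clean order as approve, the cross-border high-value order as decline, and only the fourth rapid attempt on the same card token as review, which is the point of keeping per-card history: the first three attempts look individually harmless and are caught only by the behavioural rule.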

Another way to reduce fraud risk is to outsource your credit card payments to an external payment processor. The payment services provider would take on the responsibility and risk of customer identity verification and transaction security, with indemnified funds, and may also be able to provide additional facilities such as “e-wallets” and other non-card payment mechanisms.

MAINTAINING YOUR CORPORATE REPUTATION
It’s a truism in the corporate world that it takes years to build a reputation, and days or even minutes to lose it. While you may ensure you never do anything to destroy your reputation yourself, external events can drastically reduce your standing in the eyes of customers.

One easy way to rapidly destroy confidence in your business is to get hacked. Whether or not you feel it is your fault, if customers believe that their credit card details or other personal information are not safely held by your business, they won’t hand them over to you. And that means they’ll stop shopping with you.

In one of the biggest examples, retailer TJX (which owns the Marshalls and TJ Maxx chains) had the data from over 45 million credit cards stolen from its computers. According to the US Attorney, the criminals behind this theft also stole tens of millions of credit and debit card numbers from other retailers including Barnes & Noble and OfficeMax, and the overall cost to consumers, retailers and banks was tens of millions of dollars. The UK has also suffered similar frauds, the best-known example being a theft from clothes retailer Cotton Traders.

As a result, TJX has agreed to pay more than US$60 million to MasterCard and Visa. Leaving aside the financial loss for a moment, these stories have huge coverage in the media, and are remembered long after companies have ensured their systems are safe again. Consumers have long memories, and headline writers can over-dramatise stories to grab attention on the crowded newsstand.

Securing your sensitive data is expensive and difficult, with many staff having access to databases and multiple ways for hackers to gain entry to corporate networks. You may wish to consider outsourcing your payment processing to a specialist payment services provider, transferring the risk to an organisation whose business is securing this kind of data.

ENSURING COMPLIANCE
Failure to comply with the regulatory standards and security practices for processing CNP transactions could result in heavy fines, processing surcharges and potentially the loss of your Merchant ID status – meaning you would not be able to process any more card payments at all.

Recent high-profile security breaches and escalating fraud activities have prompted credit card companies to step up their enforcement. In 2006, Visa announced plans to reward companies that comply with the PCI DSS standards for online security with lower transaction fees. On the other hand, it began fining repeat offenders US$5,000 to US$25,000 per month for failing to comply. In 2006, Visa levied US$4.6 million in fines for the mismanagement of sensitive customer data, up from US$3.4 million in 2005.

PCI compliance is a moving target. As fraudsters become more sophisticated in their attacks or change their methods, and as changes in technology warrant new data protection controls, the payment card industry responds with a new set of standards.

Beyond PCI compliance, there are other regulations which must be adhered to. For example, the European Union has strict Data Protection laws which must be followed when processing payments.