In the financial year to 30th June 2019, card spending in Australia grew by 4.2% while card fraud dropped by 6.9%. This sounds like a great achievement, right?
Despite the decline, card-not-present fraud still accounts for $455.5 million in losses for Australian consumers. In addition, skimming fraud and lost/stolen card fraud are to blame for $18.6 million and $43 million in annual losses respectively.
For businesses acquiring merchant services through a payment service provider (PSP), it is expected that fraud management capabilities are built into this solution. Yet many businesses are actually unaware of what they should expect from their PSP, or more alarmingly, what it is that they’re actually receiving.
Regardless of the payment methods you offer, your payment processing systems need to deliver a certain level of security to your customers in order to remain compliant and for your customers to feel comfortable shopping with you.
What to expect from a competent payment service provider (PSP)
Payment Card Industry Data Security Standards
PCI DSS is an information standard for businesses taking card payments – whether in person or online. This security standard is designed to mitigate the risk of credit card fraud and make it safer to process and store card data.
There are various levels of PCI DSS requirements depending on factors such as potential fraud risk and how many transactions are being processed per year.
You, as a merchant accepting credit card payment, are required to adhere to these guidelines, which can be quite significant and difficult to manage.
To help minimise the scope of compliance obligations, many merchants turn to a PSP.
As a base measure, you should expect your payment service provider to be adhering to level 4 PCI requirements. However, a good PSP will offer you level 1 compliance – the highest and most comprehensive level of protection.
On a transactional level, your payment service provider should be conducting fraud screening on individual transactions to identify fraudulent ones, mitigating suspected skimming fraud and other large-scale online attacks at the point where they first appear, so that protection is applied at the transaction level as well as at the compliance level.
If you’re not sure what level your PSP offers, it’s recommended that you discuss this with them to ensure you’re offering the greatest protection to your customers.
While PCI DSS is mandatory, tokenisation is an optional yet highly recommended fraud mitigation process that you should expect your PSP to offer.
Tokenisation is a form of encryption, whereby sensitive or personal information (such as a debit card or credit card number) is substituted with a unique ID number known as a token. As this token sequence is randomly generated, it is much more difficult to crack than standard methods of encryption.
The benefits of tokenisation are substantial. Essentially, even if your stored customer data were compromised, it would be unusable without the proper detokenisation system.
For obvious reasons, tokenisation offers a highly secure method of preventing fraudulent activity and should be expected of your PSP.
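To make the tokenisation mechanism concrete, here is an added example of a minimal token vault in Python. It is not code from this page or from any PSP; the `TokenVault` class, its `index_key` parameter and the token format (same length as the card number, last four digits preserved, never Luhn-valid) are design assumptions made for illustration. One practical caveat the example makes visible: a token is a random surrogate rather than a ciphertext, so there is no key that turns a token back into a card number; whoever obtains only tokens has nothing to invert, and the protection rests on access control around the vault itself.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenisation vault (constructed example, not a product API).

    The vault holds the only mapping between a token and the card number (PAN).
    Tokens come from a CSPRNG, so a token by itself carries no information
    about the PAN; recovering the PAN requires access to the vault.
    """

    def __init__(self, index_key: bytes) -> None:
        # token -> PAN. In a real deployment this store sits inside the PCI DSS
        # scope and is encrypted at rest; here it is a plain dict for illustration.
        self._token_to_pan: dict[str, str] = {}
        # HMAC(PAN) -> token, so a returning customer gets the same token
        # without a clear-text PAN being kept in the lookup index.
        self._index: dict[str, str] = {}
        self._index_key = index_key

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random, format-preserving token."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid card number")
        fp = self._fingerprint(pan)
        if fp in self._index:
            return self._index[fp]
        while True:
            # Same length and all digits so downstream systems need no schema
            # change; the last four digits are kept so receipts and support
            # staff can still say "card ending 1111".
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that happen to pass Luhn, so a token can never
            # be mistaken for (or accidentally submitted as) a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._index[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only code with access to the vault can do this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"     # widely used test card number, not a real account
    token = vault.tokenize(pan)
    print("merchant stores :", token)
    print("vault resolves  :", vault.detokenize(token))
```

The merchant's systems only ever hold `token`; the vault (and the PCI DSS scope that comes with it) stays with the PSP, which is the scope reduction the section above describes.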
When assessing your payment service provider for fraud prevention capabilities, you should also be looking for additional authentication processes.
A good PSP will offer additional services such as automatic and human-driven data analysis to ensure that any suspicious activity is picked up and examined before the payment is processed.
These types of measures should analyse online behaviour and purchasing patterns and compare them with available data to identify negative data matches.
To be effective, this process will be completed in real-time to minimise loss to your customers.
These authentication processes should also include alerts for potentially fraudulent transactions and a support team who can assist you with denying suspicious purchase attempts.
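To show what the transaction-level screening, negative-data matching and alerting described above look like when implemented, here is an added example in Python of a small rule-based screener that runs synchronously before a payment is authorised. It is not code from this page or from any PSP; the rule weights, the approve/review/decline thresholds, the `FraudScreener` class and the sample transactions and negative list are all constructed for illustration. Real PSPs combine many more signals (device fingerprinting, issuer data, historical chargebacks) and typically feed a model rather than fixed weights, but the flow is the same: score the transaction in real time, raise an alert with reasons, and hand anything above threshold to human review.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Transaction:
    tx_id: str
    card_token: str        # the screener sees a token, never the raw card number
    amount: float
    billing_country: str   # from the address the customer entered
    ip_country: str        # geolocated from the client IP
    email: str
    timestamp: datetime


@dataclass
class Decision:
    action: str            # "approve", "review" or "decline"
    score: int
    reasons: list[str] = field(default_factory=list)


class FraudScreener:
    """Hypothetical rule-based screener (constructed example, not a product API)."""

    def __init__(self, negative_emails, negative_tokens,
                 velocity_window=timedelta(minutes=10), velocity_limit=3,
                 high_amount=1000.0):
        self.negative_emails = {e.lower() for e in negative_emails}
        self.negative_tokens = set(negative_tokens)
        self.velocity_window = velocity_window
        self.velocity_limit = velocity_limit
        self.high_amount = high_amount
        self._history: dict[str, list[datetime]] = defaultdict(list)
        self.alerts: list[str] = []   # what would be pushed to the merchant / support team

    def screen(self, tx: Transaction) -> Decision:
        score, reasons = 0, []
        # Negative-data matches: identifiers already linked to earlier fraud.
        if tx.email.lower() in self.negative_emails:
            score += 100
            reasons.append("email on negative list")
        if tx.card_token in self.negative_tokens:
            score += 100
            reasons.append("card token on negative list")
        # Behavioural signals on this transaction and the card's recent history.
        if tx.billing_country != tx.ip_country:
            score += 40
            reasons.append(f"billing country {tx.billing_country} vs IP country {tx.ip_country}")
        recent = [t for t in self._history[tx.card_token] if tx.timestamp - t <= self.velocity_window]
        if len(recent) >= self.velocity_limit:
            score += 50
            reasons.append(f"{len(recent)} prior attempts within {self.velocity_window}")
        if tx.amount >= self.high_amount:
            score += 30
            reasons.append(f"amount {tx.amount:.2f} above {self.high_amount:.2f}")
        self._history[tx.card_token].append(tx.timestamp)

        action = "decline" if score >= 100 else "review" if score >= 50 else "approve"
        if action != "approve":
            self.alerts.append(f"{tx.tx_id}: {action} (score {score}): " + "; ".join(reasons))
        return Decision(action, score, reasons)


def sample_transactions() -> list[Transaction]:
    """Constructed sample traffic (not real data)."""
    t0 = datetime(2020, 1, 15, 12, 0)
    return [
        Transaction("t1", "tok-A", 49.95, "AU", "AU", "alice@example.com", t0),
        Transaction("t2", "tok-A", 1200.00, "AU", "US", "alice@example.com", t0 + timedelta(hours=1)),
        Transaction("t3", "tok-B", 20.00, "AU", "AU", "bob@example.com", t0),
        Transaction("t4", "tok-B", 20.00, "AU", "AU", "bob@example.com", t0 + timedelta(minutes=1)),
        Transaction("t5", "tok-B", 20.00, "AU", "AU", "bob@example.com", t0 + timedelta(minutes=2)),
        Transaction("t6", "tok-B", 20.00, "AU", "AU", "bob@example.com", t0 + timedelta(minutes=3)),
        Transaction("t7", "tok-C", 80.00, "AU", "AU", "known.bad@example.com", t0),
    ]


def run_sample() -> tuple[dict[str, str], list[str]]:
    """Screen the constructed sample and return (tx_id -> action, alerts raised)."""
    screener = FraudScreener(negative_emails=["known.bad@example.com"], negative_tokens=[])
    actions = {tx.tx_id: screener.screen(tx).action for tx in sample_transactions()}
    return actions, screener.alerts


if __name__ == "__main__":
    actions, alerts = run_sample()
    for tx_id, action in actions.items():
        print(tx_id, action)
    print("alerts for the support team:")
    for line in alerts:
        print("  ", line)
```

In the sample, a country mismatch on a large purchase and a burst of four attempts on one card within a few minutes both land in the review queue, while a negative-list email is declined outright; the `alerts` list is the material a support team would act on when helping a merchant deny suspicious attempts.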