May 2, 2008, 12:00 AM

Safety Payoff

(Page 2 of 2)

Watching for unusual activity. Online merchants should monitor trends in sales and shipping patterns-for example, unusual spikes in sales, requests to ship products to unusual destinations, or requests for multiples of the same high-ticket items, such as an order for five identical high-end sound systems. The most diligent companies keep track of all data associated with all orders and employ advanced modeling to find things that fall outside their typical sales patterns, such as unusual order sizes, and to track historical patterns of fraud. In this way they have a much higher probability of identifying fraudulent orders.

Considering advanced solutions. Retailers should also consider more advanced approaches, particularly merchants that ship products internationally. For example, some risk management providers offer retailers Internet geolocation solutions that give them greater information about a buyer’s ISP, computer set-up, and physical location-country, state and city-at the time of order. Someone trying to make an online purchase from Germany with a credit card whose actual owner’s address is in southern California, for example, might set off an alert that would inform the merchant that this transaction has a higher potential for fraud. The merchant could then decide (either manually or, more likely, through an automated system) whether to request additional information to verify identity, or to cancel the transaction.

Retailers should also consider tracking IP addresses to look for one-to-many relationships between names and the IP addresses. Multiple names tagged to the same IP address should raise flags. Retailers can check this by installing risk management software or working through a third-party provider.

Common sense

In addition to identifying fraudulent purchases, e-retailers need to vigorously guard customer data, not only to protect customers but also to defend themselves from losses and liabilities that might arise from a security breach.

The best way for online retailers to safeguard customers’ data is by staying in compliance with the Payment Card Industry Data Security Standard, or PCI DSS, a set of requirements for enhancing payment account data security. Developed by the founding payment brands of the PCI Security Standards Council, including Discover Financial Services, MasterCard, Visa and American Express, the data security standard is designed to help organizations proactively protect customer account data. The standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

PCI requirements are not meant to be taken a la carte, but should be adopted as a whole. However, if there is one piece of advice to take away from the standards and from this article, it is this: Never store sensitive authentication data. Failure to follow this rule consistently has led to many of the largest cases of payment fraud.

How difficult is it to deploy and get into compliance with PCI requirements? The answer will depend on the business and its current IT set-up, infrastructure, etc. Retailers should consider obtaining the advice and guidance of a certified quality service assessor, a list of which is available at

When it comes to the fight against fraud, there is no substitute for common sense and a healthy dose of caution. These two attributes, combined with the measures described above employed on a consistent basis, can go a long way toward protecting your company and customers from being victims of online payment fraud.

Rob Tourt is vice president of network services for Discover Financial Services. He can be reached at


Some basic must-haves

To keep up with best practices, e-retailers should consider joining the Merchant Risk Council, an organization dedicated to preventing online fraud and promoting e-commerce. The Council offers a checklist of fraud-prevention suggestions, including:

  • Design a retail web site to default to the highest SSL encryption supported by a customer’s browser
  • Certify online shopping carts to industry best practices
  • Avoid the storage of any credit card account data on servers connected to the Internet
  • Scan web servers for security vulnerabilities at least every 90 days
  • Update virus protection at least every 30 days.
comments powered by Disqus




From The IR Blog


Anna Johansson / E-Commerce

Why is social proof big for niche brands?

A small online retailer that lacks brand recognition can get a big boost from high ...


Donn Davis / E-Commerce

Technology takeover: The fashion industry is next

We are now entering the third decade of the Amazon effect, and it is just ...

Research Guides