alexlukin - Fotolia
Two years ago Kari Bernardo was a program manager in Visa's risk acceptance group when Speck Products came to her attention. The small San Mateo, Calif.-based online retailer was struggling with online credit card fraud, bouncing in and out of Visa's excessive chargeback programs. More alarming, the retailer, which makes stylish protective cases for electronic devices, had no systems in place to stop the fraud. That's when Bernardo decided to become Speck's e-commerce risk manager.
"I took it as, there could be something I could fix for them," she said.
Bernardo's first order of business was putting in security tools, but like Goldilocks, she found that getting just the right solution proved challenging. Some software tools were geared to mom-and-pop operations and insufficient to handle Speck's volume of business, she said. The company recorded net sales in 2013 of $104.8 million. Other tools were designed for large corporations. One contender was simply too new at the time to trust.
"The main thing was cost," Bernardo said. Speck, which runs a lean operation with 113 employees, needed a system with a flat fee that also was easy to implement and use.
Bernardo ultimately went with Kount, software designed specifically for companies in "card-not-present" environments (e.g., Internet retailers), which analyzes variables and behaviors to detect anomalies that could mean stolen credit cards are being used.
Being able to determine a real customer from a fraudster made an immediate impact. Within 30 days of implementation, Speck had left the excessive chargeback programs, and within five months, the company saved $103,000 in chargeback fees, fines and lost merchandise, Bernardo said.
Fraud a huge problem for small businesses
Not many small companies have the benefit of having a veteran credit fraud specialist in-house, but Speck, which was acquired by Samsonite in May, is hardly alone in its battle to get a handle on credit card fraud. While most of the press around credit cards focuses on the breaches at the world's largest retailers, online credit card fraud has become a major risk for small businesses, according to the Merchant Fraud Squad. Nearly half, or 47%, of small and medium-sized Internet merchants say that fraud is their biggest problem.
Indeed, the real and perceived risk related to credit cards may be contributing to a sharp decline in the number of small businesses accepting credit cards, according to the National Small Business Association's most recent Small Business Technology Survey. Among the survey findings: Of the 845 small business respondents, only 69% accepted credit or debit cards in 2013, down from 91% in 2010, while use of third-party vendors such as PayPal more than doubled for the same time period, due in part to worries about cybersecurity.
For Speck Products, it was important to bring credit card processing in-house to have complete control over transactions, Bernardo said. "We had outsourced everything to our old [third-party] processor, and the only time we heard from them was when there was an issue. The fines associated to the [Visa/MasterCard] chargeback and fraud programs are hefty," she said.
Do your research
Security software, however, is not a magic wand, Bernardo stressed. Combatting credit card fraud requires "a lot of research, reading, and knowledge and asking questions," she said. Bernardo is a member of the Merchant Risk Council, mines her Visa and MasterCard contacts for information, and is not afraid to ask questions of her vendors.
Plus, credit card fraud is just one of the online security plagues on small business, according to Julie Conroy, research director at Boston-based research and consulting firm Aite Group. "Small businesses are absolutely in the crosshairs," she said, noting that organized crime rings are targeting them through malware as well -- 200,000 unique strains every day, with more than half of those meant to capture credentials to empty out bank accounts.
Tools are definitely helpful, especially those offered by banks, Conroy said. "When a [small and medium-sized business'] financial institution offers enhanced security for online and mobile banking, they need to take it," she said, noting that some banks offer free software to protect against credential-stealing malware.
Cost-benefit analysis points startup to third-party processing
While Speck Products decided it was important to handle credit card transactions in-house, many businesses have opted to let a third party with experience handle online credit card transactions.
"We did a cost-benefit analysis, and we have decided to let PayPal, Google and Apple take care of all of our payments … because we are a small startup and we cannot afford to make our own custom and extremely risky payment portal," said David Mohajer, CEO at Ottawa, Ontario-based communications platform Xahive.
Because the company is completely Internet-based and sells across international borders, dealing with taxes, currency conversions and other credit card payment hassles is too much. For its smartphone apps, Xahive prefers to let the Apple store and Google Play store take their cut and handle conversions. "We only lose a small percentage of the transaction in fees, which we have decided is well worth the benefits," Mohajer said.
But relying on PayPal or other third-party services won't deter cybercriminals, experts caution. "Payment solutions, whether they are credit and debit cards or alternatives like PayPal, are only as secure as the environment they are deployed in," said Chris Camejo, director of assessment services for Bloomfield, Conn.-based consulting firm NTT Com Security.
The methods used by cybercriminals to target Home Depot and Target, for example, could be used to compromise third-party alternatives to credit cards, either by directly intercepting credentials or spoofing the company website to collect credit card information, he said.
Mohajer doesn't disagree, and he said Xahive hasn't ruled out managing credit cards in the future. "When we reach a certain point of being able to afford full-time lawyers, accountants and Web developers, we will tackle the payment system and implement our own solution that can safely allow for payments, while at the same time not increasing the risk to users and ourselves," he said.
Christine Parizo is a freelance writer specializing in business and technology. Contact her at [email protected].
Big data takes a bite out of credit card bust-out fraud
Chip and PIN security no panacea against payment card fraud
Weighing the pros and cons of end-to-end encryption and tokenization