In the financial year to 30th June 2019, card spending in Australia grew by 4.2% while card fraud dropped by 6.9%. This sounds like a great achievement, right?
Despite the decline, card-not-present fraud still accounts for $455.5 million in losses for Australian consumers. In addition, skimming fraud and lost/stolen card fraud are to blame for $18.6 million and $43 million in annual losses respectively.
If your business acquires merchant services through a payment service provider (PSP), you would expect fraud management capabilities to be included. Yet many businesses are unaware of what they should expect from their PSP. More alarmingly, many businesses are unaware of what they are actually receiving.
Regardless of the payment methods you offer, your payment processing systems should deliver a certain level of security to customers. This is essential to remain compliant and for your customers to feel comfortable shopping with you.
What to expect from a competent payment service provider (PSP)
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an information security standard for businesses taking card payments – whether in person or online. It is designed to mitigate the risk of credit card fraud and make it safer to process and store card data.
There are various levels of PCI DSS requirements depending on factors such as potential fraud risk and how many transactions you process per year.
You, as a merchant accepting credit card payment, must adhere to these guidelines, which can be quite significant and difficult to manage.
To help minimise the scope of compliance obligations, many merchants turn to a PSP.
As a base measure, you should expect your payment service provider to adhere to level 4 PCI DSS requirements. However, a good PSP will offer you level 1 compliance – the highest and most comprehensive level of protection.
At the transaction level, your payment service provider should be conducting fraud screening to identify fraudulent transactions. This helps to mitigate suspected skimming fraud and other large-scale online attacks by catching them individually, transaction by transaction, rather than only at the aggregate level.
If you’re not sure what level your PSP offers, it’s recommended that you discuss this with them to ensure you’re offering the greatest protection to your customers.
While PCI DSS is mandatory, tokenisation is an optional (yet recommended) fraud mitigation process that you should expect from your PSP.
Tokenisation is a form of encryption, whereby sensitive or personal information (such as a debit card or credit card number) is substituted with a unique ID number known as a token. As this token sequence is randomly generated, it is much more difficult to crack than standard methods of encryption.
The benefits of tokenisation are substantial. Even if your customer data were compromised, the tokens would be unusable to an attacker without access to the corresponding detokenisation system.
For obvious reasons, tokenisation offers a highly secure method of preventing fraudulent activity and should be expected of your PSP.
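To make the vault model described above concrete, here is an added example (not code from the original article or from any PSP) of a hypothetical token vault: the merchant stores only a randomly generated token, and only the vault can map it back to the card number.

```python
import secrets

# Constructed sample PANs: industry test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


class TokenVault:
    """Hypothetical PSP-side vault, the only place a token maps back to a PAN.

    The merchant keeps only the token, so a leaked merchant database exposes
    nothing that can be reversed without access to this vault.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # reuse the same token for a returning card

    @staticmethod
    def _check_pan(pan):
        # Luhn check: reject malformed numbers before they reach the vault.
        digits = [int(c) for c in pan]
        if not 12 <= len(digits) <= 19:
            raise ValueError("bad PAN length")
        total = 0
        for i, d in enumerate(reversed(digits)):
            if i % 2 == 1:
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        if total % 10 != 0:
            raise ValueError("PAN fails Luhn check")

    def tokenise(self, pan):
        pan = pan.replace(" ", "")
        self._check_pan(pan)
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # The token is random, not derived from the PAN, so nothing about the
        # card can be computed from it. Only the last four digits are kept in
        # the clear so receipts can show "**** 1111".
        token = "tok_" + secrets.token_hex(12) + "_" + pan[-4:]
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token):
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]
```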
When assessing your payment service provider for fraud prevention capabilities, you should also be looking for additional authentication processes.
Good PSPs offer additional services such as automated and human-driven analysis, ensuring they pick up suspicious activity before processing payments.
These types of measures should analyse online behaviour and purchasing patterns and compare them with available data to identify negative data matches.
To be effective, we complete this process in real time to minimise loss to your customers.
These authentication processes should also include alerts for potentially fraudulent transactions, backed by a support team who can assist you in denying suspicious purchase attempts.