By Dr. Heather Mark, CCEP

In the wake of the COVID-19 pandemic, fraudulent activity and scams have been on the rise.  As a result, scammers are looking for ways to test their stolen card information.  One way they do that is to find portals or e-commerce sites that have payment forms and use those forms to “test” cards.  This is done by running hundreds or thousands of small transactions to see if they will be authorized.  If these small transactions are authorized, the criminals assume the card is “good.”  Meanwhile, the merchant may not know that this has happened until an expensive invoice is received for those “auths.”

In order to combat these types of scams, here are three ways merchants with an internet presence can mitigate their risk proactively:

  • Implement CAPTCHA – CAPTCHA is an easy test that users take on web-based forms to prove that they are not a “bot.” These may include simple math questions or identifying pictures from an array.  This simple step allows merchants to filter out bad actors and helps to ensure that their payment site is not being misused.
  • Use TC CrediGuard TC CrediGuard is a product offered by Sphere that allows merchants to set parameters for certain transaction patterns. Merchants can set TC CrediGuard to deny transactions based on a set of predetermined criteria.  For example, a merchant may set parameters to deny transactions after five attempts from the same IP address within 7 minutes.  Or, if the IP address of a bad actor is known, a merchant may block that specific IP address.
  • Add a Log-in Screen – Payment forms that reside in front of a log-in page may be more convenient for your customers, patients, or donors, but it can also make it easier for criminals to use that payment screen as a tool for testing card numbers.  By adding a log in screen, you create a barrier that may protect your business from becoming a target for these types of schemes.

By implementing these recommendations, merchants can take significant steps towards mitigating the likelihood of a Primary Account Number (PAN) or Card Testing event.

To learn more about secure online payment solutions and fraud reduction tools, please contact a Solutions Consultant at 800.915.1680, option 2 or sales@spherecommerce.com.

By Dr. Heather Mark, CCEP

The data economy has become so pervasive in today’s business that it sometimes is necessary to pause and think about where we’d be without the explosion of data that businesses have at their disposal.  Cloud software firm, Domo, releases an annual report each year on the astronomical growth of data.  Their report, Data Never Sleeps, provides a fascinating example of just how people are using the internet, leaving digital trails to be followed.  According to Data Never Sleeps 7.0, more than 511,200 tweets, 18, 100,00 texts, and 188,000,000 emails are sent PER MINUTE. And that doesn’t include our unintentional data creation – the Internet of Things, or our browsing history, or geolocation data. Our world runs on data, which means that as consumers, we need to be able to trust that our data won’t be misused by the companies with which we do business.

A PwC survey conducted in 2017, tells us that consumers are becoming more cynical about how companies handle data.  Just 25% of survey respondents believe that companies handle data responsibly and less than 15% believe that the data will be used to improve lives. Further, 87% of those respondents have said that they will take their business elsewhere if they don’t trust the data handling practices of a company.

In Francis Fukuyama’s book, Trust: The Social Virtues and the Creation of Prosperity, he proposed the idea that trust and ethics was central to economic well-being.  “If people who have to work together in an enterprise trust one another because they are all operating according to a common set of ethical norms, doing business costs less…”  It costs less because we know that our colleagues and our partners will behave in ways that we expect, and that serve the good of the organization.  Similarly, as consumers, we are more likely to do business with organizations that we trust.

An essential element of trust is transparency. Again, referencing the PwC survey, 71% of consumers find the privacy policies posted by companies to be difficult to understand.  If a consumer believes that an organization is intentionally obfuscating its practices, trust erodes.  When trust erodes, consumers say they will take their business elsewhere.

The moral of the story here is that as we move more fully into the data economy, we must also move more fully into being trustworthy stewards of personal data.  We do that, by adhering to the letter and the spirit of the data protection laws and establishing strong information practices.  Some of those practices include:

  • Data Flow and Categorization – It sounds cliché, but you can’t protect what you don’t know you have. So, the first step that is typically suggested is doing a data flow or data mapping.  This helps you to determine where the date is coming from, how it’s being used, and who you might be sharing it with.  You may find that you’re collecting more data than you need, or that you’re sharing it with vendors that don’t need it.
  • Limit Collection of Data – Another old axiom in the data security and privacy business is “don’t collect what you don’t need.” To put it simply, it’s difficult to disclose or inappropriately use data that you don’t have.  Once you’ve done a data mapping exercise, you can review this with your team to determine which data is strictly needed as opposed to “nice to have.”  Moreover, many of the fair information practices are built on the notion of only collecting the data that you need to complete transaction with the individual.
  • Disclosures – Transparency with your constituency about what data you’re collecting and when, and how it’s being used is one of the simplest, but most important, steps that can be taken with respect to privacy. Visitors to your site, and consumers of your product or services, can’t make informed decisions about sharing their data if they don’t understand how that data might be used. Providing clear and concise information about your information practices helps to engender trust and stands you in good stead with legislative privacy regimes.
  • Awareness and Training – In today’s economy, most of our businesses and non-profits run on data. Whether we intend to or not, we become dependent on data transmission, data analysis, data storage, and data collection.  That means that everyone in our organization is going to encounter personal data at some point.  Given that fact, it’s important that your team knows what data is considered sensitive, and how that data is to be treated. An important part of training, that can be easy to overlook, is how to report a potential incident.  For example, what should be done if someone has emailed a payment account number?

The dilemma facing businesses today is encapsulated nicely in the January 2019 issue of the Frontier Technology Quarterly:

On one hand, the data economy is radically transforming many economic activities and creating new levels of prosperity. On the other, it presents the possibility of a perilous dystopia … A market economy cannot function without trust, and the data economy is no exception. Trust deficits can unravel the data market and undermine social cohesion, stability and peace.