As more businesses focus on e-commerce, the risk of cybercrime increases too. Visa’s Sam Gianniotis offers guidance on how businesses can protect their customers – and themselves – when operating online. 

With New Zealanders retreating into their homes as lockdown took hold, businesses realised that to stay open they’d need to adapt to an online-first environment. Suddenly everyone was ‘pivoting’. Many smaller enterprises that had never before had an online presence entered the digital game.

Online consumer spending went through the roof. Under level three and four lockdown in April and May, New Zealand’s overall online purchasing was up 47% and 50% year-on-year respectively, according to monthly reports by Marketview. There was an even larger increase in domestic e-commerce sales, with 88% and 93% annual increases in local online spending for those two months.

As local businesses harness this digital shift, it’s essential that they ensure their customers – and their own operations – remain safe and secure online. Because while digital commerce provides merchants with significant opportunity, it also comes with risks. 

Payments company Visa works closely with New Zealand businesses and banks to implement global industry standards for payments security. Fraudsters target the weakest link, says Sam Gianniotis, Visa’s Chief Risk Officer for Australia, New Zealand and South Pacific, and those new to online sales are always more vulnerable.

“If I’m a business owner about to move into the online space, I’m trying to manage a business, keep the cash flow going, attract and retain customers, and many more things, and suddenly I’ve got online security to worry about as well,” says Gianniotis. “As more businesses move online, greater awareness and easy to access information is needed to help business owners navigate this complex space.”

Gianniotis has three essential security considerations for anyone starting an online business or shifting to digital. 

Your customers’ data is precious – treat it that way

When someone plugs their payment details into your company’s website, they’re doing so with faith that their data will be subject to the best possible protections. This is where the jargon starts to appear, but it’s important the business has an understanding of how the technology works. 

Visa requires PCI DSS compliance from any business that stores, processes or transmits Visa cardholder data. The acronym stands for ‘Payment Card Industry Data Security Standard Compliant’ and means that a business has met the security standards approved by the major payment networks. Visa breaks the compliance down into 12 categories, covering everything from password complexity to the encryption of cardholder data. 

Concealing customers’ details means sensitive information is protected even when a breach happens. Businesses can do this through tokenisation, a technology that replaces an account holder’s sensitive information like card numbers and expiry dates with a unique digital “token”. This means sensitive data suddenly becomes worthless to a hacker.

There are other benefits to tokenisation too.

“Up until last year, every time a consumer got a new card – for example, when theirs expired, or was lost or stolen – they would have to update the card details everywhere their card was stored online. In the world of digital subscription services, online shopping, and order ahead apps, that could be a daunting task. With recent innovations around online tokenisation, they don’t need to do that anymore – tokens are refreshed, even when card details are updated.”

By removing the hassle of updating card information, tokenisation benefits merchants by reducing the chance of a lost sale. Updating card details on multiple websites now happens seamlessly in the background without the consumer or merchant needing to do anything. It’s one example of the way security technology is also innovating the online shopping experience. 

To take advantage of the benefits of tokenisation, businesses should speak to their acquiring bank about tokenising their customers’ data.  

E-commerce took another major step forward recently with the launch of click to pay – an online checkout that mirrors the consistent in-store experience with one button to accept all cards. Click to pay removes the need for manual card entry, passwords and other hurdles of the online environment. When combined with tokenisation, the solution helps to reduce fraud and protects consumers’ payment details.    

Leverage data to protect your customers against fraud 

Every time a Visa transaction occurs, Visa’s systems analyse it, assessing over 500 risk characteristics to identify how likely it is to be fraudulent (and therefore whether it should be approved). To do this, Visa uses AI technology that has learnt from every transaction that processed via Visa’s global network. 

“If I make an in-store purchase in Auckland and then another one in Christchurch 30 minutes later, that would be a simple example of a red flag. But our systems also consider things like where your card usually transacts, and via which channels.”

With these technological developments, Visa expects worldwide payment fraud to halve by 2025. But businesses need to contribute to this reduction by ensuring their own systems are up to scratch.

Gianniotis points to tools like 3-D Secure, a two-factor authentication process. 3-D Secure involves businesses and banks communicating with one another to share data within the milliseconds involved in processing a transaction, enabling more informed decision-making. 

“When businesses, banks and payments networks share data about a specific transaction, it gives the business’ bank confidence that the person is who they say they are. This enables more transactions to be approved as there are fewer false positives, overall helping businesses complete a greater number of sales and ultimately to grow,” he says. 

To use 3-D Secure, businesses should contact their acquiring bank. 

Protect your business from cyber attacks

Cyber crime – and its cost – is rising. And as more businesses move online or offer a greater digital service after the impact of Covid-19, this is when they’re most vulnerable. 

“We’ve seen globally that cyber attacks are real, they can be large, they’re sophisticated, and fraudsters always test out new online businesses to see whether they’ve got security software in place,” says Gianniotis. 

Fortunately, having robust protection in place is effective. Cybersecurity consultant FireEye Mandiant found that organisations are finding and containing attackers faster. During 2019, the average dwell time – the number of days an attacker is present in a victim network before they are detected – was 54 days for the Asia Pacific region. This was a significant improvement on the 204 days in the previous year. 

It’s not always easy for a new business owner to know where to start with this type of preventative security. A lot of the information can be overwhelming for a new business owner, but they don’t need to be an expert – they need to talk to the experts. Asking the right questions of their bank is the first place to start, says Gianniotis.

“The important thing is to work with your acquiring bank to determine what layers of security are appropriate for your business. Whilst business owners don’t need to be security experts, they do need to ask questions and seek help from their banking partner, who can ensure they have the right safeguards in place.”

It’s all about balancing the speed and ease of e-commerce with safety, he says. Visa believes that security must keep pace with innovation and convenience, and that the increasingly fast and easy ways to pay must remain secure. And as the payments industry continues its focus on security, businesses too have a critical role in ensuring their online offering is secure.

Top online security tips for small businesses

• Ask the experts – speak to your acquiring bank to get the right security set up.
• Treat your customers’ payment data as if it were your own – don’t store it on a spreadsheet or word file.
• Ensure you use a recognised payment provider for all your e-commerce transactions. Find out the status of Visa providers that are PCI DSS Compliant here.
• Always ask customers for identification before releasing ‘click and collect’ purchases.
• If you have a website, talk to your web developer or provider about ensuring the ‘shopping cart’ page is continually and proactively updated with the most recent security patches.