Keeping your business secure

The Australian card fraud landscape is changing. Alex Cherniakov, from Suncorp’s Group Financial Crimes, explains the impact and how you can keep your business secure.


Australian financial institutions have historically invested heavily into secure EFTPOS and ATM payment systems. However, fraudsters, along with many shoppers, have moved into doing their business online. Knowing that using physical cards is harder than ever, fraudsters now prefer to use card numbers online, over the phone and via email. Businesses with an online presence, can be accessed by anyone in the world, rather than just the local fraudsters that would have traditionally targeted your business.


Protecting your brand.

Well publicised recent compromise of over 77 million customer records from a multi-national company, had a significant impact on company’s reputation. There are many Australian businesses that fall victim to online data compromises every year. Complying with PCI DSS requirements is one of the best ways to protect your business, your brand and your reputation. Taking a few simple steps, such as not storing unnecessary customer details and credit card numbers, will significantly decrease your risk. It will also make your website unattractive to fraudsters in the first place.


Protecting your website.

Investing in a quality and secure website will pay for itself. Genuine shoppers are becoming more security-aware and, when shopping online, will compare websites. Just like with your physical shopfront, customers will avoid poorly designed sites where they don’t feel safe.


Fraudsters around the world, will run an automated script on shopping baskets to test card numbers by repeatedly entering random card numbers into a payment page. Such activity significantly impacts your website’s performance and prevents genuine customers from using it.


The best way to stop such activity is by ensuring that your payment page cannot be accessed without making a purchase, entering customer details and delivery instructions. From there, only allow customers to attempt 3-5 times to make a payment, then clear the shopping cart.


If you are a service provider or allow periodic payments to be made via your website, ensure that your customers enter valid payment credentials (invoice number, name and email address) before allowing payments to proceed. Be sure to also limit number of payment attempts within a set period of time.


Protecting your business.

Don’t fall victim to fraudsters constantly trying to buy goods using stolen card numbers. Remember, the business owner is almost always liable to repay funds taken from a stolen card number, if accepted without the card being present, such as with online orders.


With that in mind, consider investing in fraud detection software or sign up with a provider of such a service to help you monitor your orders.


Even if your business is just starting up and fraud detection software is not on your list of priorities, speak to your Webmaster to see what data is captured with online orders. Use any data that is available to you:

  • Device details – review orders for multiple customers coming from the same device
  • IP Address – ensure IP address matches billing and delivery addresses
  • Delivery address – check that goods are not being mailed to a vacant block of land or a hotel
  • Order details – check that customer is purchasing what your other customers purchase and not just high value goods that are easily resold


Be on the lookout for the warning signs and maintain a blacklist – don’t get caught with the same fraud twice. Keep a record of known fraudulent details (email address, mobile number, IP address etc).


Don’t have a website.

Many small businesses have a false sense of comfort if they don’t have a website. However, almost every business can be found online, even if it was only ever listed in a phone directory. Fraudsters quickly figured out that businesses without a website are actually less prepared for fraudulent sales and will try and defraud over the phone and via email.


It is important to have effective procedures for phone and email sales that reduce the risk of accepting stolen credit card numbers.


Your business is connected to the world one way or another and highly skilled and competent fraudsters are constantly searching the web looking for weaknesses. You could be the next target, so ensure your online, phone and email sales are secure.