Everything you need to sell online

Set up an online store in minutes to sell on a website, social media, or marketplaces.

The State of Ecommerce Payment Security

20 min read

When the pandemic hit, ecommerce blew up.

With people locked down and with little to do, buying online seemed the only escape. The global ecommerce market jumped to $26.7 trillion. Customer habits, too, were changing. In one survey, 60% of respondents agreed that COVID-19 had changed their relationship with technology.

But it wasn’t just the sales that were soaring. And it wasn’t just the ecommerce industry’s businesses that were busy–but its fraudsters, too.

In just a single year (between 2020 and 2021), ecommerce fraud rose 18%: from $17.5 billion to $20 billion. One look at the similarly burgeoning ecommerce fraud prevention market–expected to hit a whopping $70 billion by 2025–and it’s clear this line of “work” is only rising in popularity.

The bottom line? Ecommerce fraud is something you can’t afford to turn a blind eye to. After all, it’s not just a threat to your profits but your brand image. If customers don’t feel they can pay securely through your website, they won’t trust you. Once you lose that consumer confidence, it’s extremely difficult to win back.

Below, we’ll unpack the state of payment security, starting with the most common types of ecommerce fraud. We’ll also offer actionable advice for protecting your customers, your website, and–ultimately–your bottom line. Read on!

How to sell online
Tips from e-commerce experts for small business owners and aspiring entrepreneurs.
Please enter a valid email address

Most Common Types of Ecommerce Fraud

As the world of ecommerce expands and evolves, so too do its villains. So over the last few years, it’s not only the number of fraudulent transactions–and the overall value of the stolen wares–that has risen. It’s the type of ecommerce fraud, too.

From pharming and account takeovers to “friendly” and “silent” fraud (not to mention straight-up identity theft), fraudsters’ methods are becoming increasingly dynamic and diverse. Let’s take a look at a few.

Pharming

Pharming is a type of ecommerce fraud in which fraudsters redirect web users (without their knowledge or consent) to a fraudulent website. This website might look and feel like the one the customer intended to reach, but with a key difference–it’s completely fake.

Designed only to simulate the original website, its fake counterpart exists for one reason only–to trick the user into entering their personal information and credit card details. Fraudsters can then use this info to steal the individual’s money, or worse–their identity.

Chargeback Fraud

Also known as “friendly fraud,” chargeback fraud is when a customer fraudulently attempts to claim a refund by abusing the chargeback system.

A chargeback is a step introduced by banks way back in the ’70s to boost public confidence in the credit card (which, at that stage, was a new-fangled thing). It allows consumers to dispute a card payment, and after the bank sides with their case, claim a refund.

Let’s say you’re off to Santorini for a holiday, and your card is stolen at the airport. By the time you get to Greece, you realize the thief has made $700 in fraudulent purchases on your card. In this situation, you could (quite legitimately) request a chargeback.

The problem? When it’s not legitimate. Whether maliciously or “innocently” (customers forgetting about a transaction on their statement or a recurring billing cycle), fraudsters can take advantage of the chargeback process to claim money back on totally valid purchases.

The worst part? That, when a chargeback claim is upheld by the bank, the bank then claims the money (along with a fee on top, for their troubles!) back from you. Add that to the stock you’ve already lost to the fraudster, and chargebacks offer an all-too-real threat.

Identity Theft

Because of popular movies dealing with the subject (The Talented Mr. Ripley, anyone?), identity theft is one of the more well-known types of ecommerce fraud. But that doesn’t make it any less dangerous.

Here, a fraudster falsely assumes another person’s identity: using their name, personal information, and documents to open credit cards, then hitting the high street.

Beyond the impact on the victim, why is this bad news for your online business? After all, you’re still selling…right?

Wrong. Think back, for a second, to our Santorini example above. Pretty soon, the person whose identity was stolen will become aware of the litany of fraudulent purchases made under their name and–you guessed it–raise a chargeback. When the bank upholds this, they’ll be claiming the money back–from you.

Making up 71% of all attacks, identity theft is by far the most common type of ecommerce fraud. Plus, fraudsters are also becoming more sophisticated, now using the personal devices, IP addresses, and user accounts of targets to assume their identities, which makes them a threat to be alert to.

Account Takeovers

At some stage or other while shopping online, all our customers have done it. Ticked that box that says “Save My Credit Card Details.” It’ll save them a minute the next time they come back to make a purchase, so it’s a no-brainer, right?

Right. Unless that is, a fraudster is able to get their sticky-fingered paws on that customer’s login details. Should that happen, the thief has easy access to their payment details. Meaning all they have to do is change the shipping address and start buying.

And when they do? Expect chargebacks from the real customer, leaving your business out of pocket.

Malware and Ransomware

Does your computer keep freezing up? Are there ads popping up everywhere? Do links take you to the wrong destination, or are new icons appearing on your desktop and browser?

If so, you may have inadvertently installed malware (mal = bad, ware = software…it’s bad software) on your device. Even the term “malware” itself includes a range of different malicious code types, each more nefarious than the last. These include spyware, “Trojan Horses,” and ransomware–code that locks you out of your system until you pay the hacker a “ransom” to get back in.

The problem for ecommerce store owners is that malware, whether on your system or that of your customers or admins, can steal sensitive data. That includes the names and address details of your customers, as well as their payment information. If any of that’s compromised, it won’t just be profits or data you’ll be losing, it’ll be your credibility.

What’s more, malware attacks pave the way for an emerging form of ecommerce deception called “silent” fraud. After using malware to illegally access a number of accounts, fraudsters, instead of snatching thousands, hundreds, tens, or even ones, swipe a few cents alone. Done at scale and with regularity, these thefts can total huge amounts of stolen funds. Not so “silent” after all!

Ways to Protect Your Customers

Knowing what the main types of ecommerce fraud are is one thing. But being able to effectively insulate you and your customers from fraud’s ill effects is quite another.

Below, we’ve rounded up our top tips for helping you, your customer base, and your business remain beyond the covetous clutches of fraudsters.

Safeguard Customer Information

The first way you can protect your customers? Safeguarding their most important details. Here’s how:

Firewalls

By filtering and monitoring incoming (and outgoing) traffic, firewalls help maintain the security of your website, acting, basically, as a literal wall between your network and the wild, wild West of the internet at large.

Through this lens, firewalls are vital not only for securing your data systems but for maintaining PCI compliance. PCI DSS (Payments Card Industry Data Security Standards) is a set of regulations all businesses accepting credit and debit cards must follow. PCI compliance is a kind of “seal of approval” that shows your customers, regulators, and the wider market that you can be trusted to handle sensitive data.

If you sell online with Ecwid by Lightspeed, your store is already PCI DSS compliant. Ecwid by Lightspeed is a PCI DSS validated Level 1 Service Provider. This is the highest international standard for secure data exchanges for online stores and payment systems.

Enable Two-Factor Authentication (2FA)

Ensure 2FA is implemented, so anyone attempting to access your business’s backend platforms and processes will need to log in through two devices. If you or one of your team members is logging in from a desktop computer, for instance, you’ll also need to confirm the attempt on another device, such as your phone, to gain access.

Other variations include:

  • Two-step variation (2SV): involves receiving a one-time code or password via email, message, or phone call which you must enter to log in.
  • Multi-factor authentication: a mix of multiple forms of authentication for one of the highest levels of security.

Business owners selling online with Ecwid by Lightspeed can use their Google or Facebook accounts to sign in to their Ecwid store. Enable two-factor authentication for your Google or Facebook account and thus protect your login information for Ecwid as well.

If you want to add other team members (like fulfillment staff or a designer) to your Ecwid store, never share your Ecwid login with them. Instead, create separate staff accounts for each user in your store. Staff accounts have separate logins and don’t have access to your profile and billing pages.

Use a Secure Payment Gateway

If you want to offer your customers the highest level of payment peace of mind possible, a secure payment gateway is a must.

A payment gateway is the tech merchants use to accept credit and debit card purchases: both in-person and online. But not all payment gateways are created equal, particularly when it comes to fees and payout times. So be sure to pick the right one for your business’s unique needs.

Ecwid by Lightspeed is integrated with dozens of secure payment gateways. You can choose a payment system that is convenient both for your business and your customers.

More: How to Pick a Payment System For Your Ecommerce Store

Share Advice and Info with Your Customers

One of the easiest ways to protect your customers? Informing them.

Whether through emails, texts, or dedicated sections on your website, let your customers know of the fraud that exists and how they can protect themselves from it. (And help you protect them from it!)

Be sure to clearly lay out:

  • How your business greets its customers (so they can spot discrepancies)
  • How your business doesn’t greet its customers, and what it won’t request (i.e., their login details or to click a link to log in)
  • Clear, actionable tips for customers to keep their account details safe (if your business keeps customer accounts)
  • How to get in touch if something doesn’t look right or if the customer has questions
  • What security checks you’re introducing, if any
  • How the customer can safely update their details
  • What to do if they receive a scam email (i.e., a fraudster posing as your business) and how to report the fraudulent communication

Needless to say, these kinds of comms are vital. Not only do they inspire trust and offer an excellent user experience, but they also help reduce the risk of your customers falling prey to ecommerce fraud.

Remember, too, to make this info as accessible as possible. Your customers might not read their emails or thoroughly read through your website. So the more channels you can publicize this advice on, the better!

Keep Your Site Updated and Conduct Regular Security Audit

Earlier, we analogized the wider internet as a kind of “Wild West”: a frontier state where bandits and lawlessness abound.

Now, while that might be a little on the harsh side, there are plenty of threats out there and myriad methods via which phishers, hackers, and fraudsters can derail your business:

  • DoS (Denial of Service) attacks: a hacker attempts to stop users from accessing your site’s services.
  • DDoS (Distributed Denial of Service) attacks: the perpetrator doesn’t attack you directly but instead uses your site as a “zombie” with which to harm another site. In a DDoS attack, your servers are inundated by requests from a bunch of untraceable IP addresses, crashing your site, and stopping traffic and sales.
  • Brute force attacks: here, hackers hit your website with thousands of different password combinations in an attempt to gain access.
  • Man in the middle (MITM) attacks: if your customer is accessing your site via a vulnerable network (i.e., public WiFi), hackers can “listen in” to the transaction and use it to extract sensitive data.
  • SQL injections and cross-site scriptings: these attacks exploit vulnerabilities in your site. In an SQL injection, hackers target your forms to gain access to, corrupt and steal information from your site’s backend. In cross-site scripting, hackers insert malicious snippets of code that steal your visitors’ information.

The fact that all these modes of attack exist? That’s the bad news. The good news, however, is that these hackers are opportunists. They’re looking for vulnerabilities in your site’s security and fraud prevention setup. That means, by keeping your site updated and regularly identifying, understanding, and plugging its vulnerabilities you can reduce the risk of a hacker targeting your website and business.

To do this, conduct regular security audits. Assess your site’s infrastructure for loopholes, exploring the backend and code (including extensions and themes) for anything hackers can exploit. Ensure:

  • Your passwords are strong
  • Your software is up to date
  • Your site’s SSL (Secure Sockets Layer) certificate is up to date

Speaking of SSL certificates, if you created your ecommerce website with Ecwid by Lightspeed, you already have an SSL certificate by default.

If you added your Ecwid store to an existing website, you already have the free SSL certificate for your store. However, the rest of the website is a separate matter. You need to purchase an SSL certificate to protect sensitive information. Learn how to do that in the Ecwid Help Center.

Another way to protect your website is to revise the list of your online store’s staff accounts and remove the staff members that you do not work with anymore. This way, you prevent hackers from taking advantage of these “back channels” to gain access to your site.

Key Times to Protect Your Website

So, now that we’ve explained what fraud to look for and how to protect your website from it, let’s look at the when–at the key times throughout the year when hackers are most active.

Public Holidays

“The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends–when offices are normally closed–in the United States, as recently as the Fourth of July holiday in 2021.” — Ransomware Awareness for Holidays and Weekends, 2021.

Christmas, Easter, Memorial Day, Independence Day–though the rest of us are spending time with our families and unwinding, hackers are doing anything but relax.

Increased distraction on the part of the customer or end-user and less staff and resources on the business’s end means conditions are rife for hacking.

Against this backdrop, don’t let your business get caught out. Don’t wait until the next holiday to set your site’s security up for success, or find yourself scrambling to audit your site mere days before the long Mother’s Day weekend. Remember that old Chinese proverb?

The best time to plant a tree was 20 years ago. The second best time is today.

Weekends

Hackers tend to target businesses when they’re most vulnerable and when they’re closed.

That’s why weekends, particularly long ones, where public holidays are involved, are ripe opportunities for hackers. Still, that doesn’t mean you should let your guard down during the rest of the week. Hackers, on average, attack a staggering 26,000 times per day, so you need to remain vigilant.

Conclusion

As the opportunities of ecommerce evolve, so do its threats.

With so many scaremongering statistics out there, it can be easy to want to put your fingers in your ears, turn a blind eye, and take an “ignorance is bliss” approach.

But this mentality doesn’t take into account that with those threats come even more exciting opportunities.

To make the payment process safer, easier, more convenient and more consistent than ever before. To build your brand, engender customer loyalty, and boost trust with your audience by showing them that you value their privacy and respect the sensitivity of their data. And, in the process, lay the foundations for your ecommerce business’s solid, sustainable success.

 

Table of contents

Sell online

With Ecwid Ecommerce, you can easily sell anywhere, to anyone — across the internet and around the world.

About the author

Rob Binns is a freelance copywriter and editor based in Melbourne, Australia. When not penning content about ecommerce and digital security, he’s playing (or watching!) football, or relaxing in the sun with a book and a cold beer.

Ecommerce that has your back

So simple to use – even my most technophobic clients can manage. Easy to install, quick to set up. Light years ahead of other shop plugins.
I’m so impressed I’ve recommended it to my website clients and am now using it for my own store along with four others for which I webmaster. Beautiful coding, excellent top-notch support, great documentation, fantastic how-to videos. Thank you so much Ecwid, you rock!
I’ve used Ecwid and I love the platform itself. Everything is so simplified it’s insane. I love how you have different options to choose shipping carriers, to be able to put in so many different variants. It’s a pretty open e-commerce gateway.
Easy to use, affordable (and a free option if starting off). Looks professional, many templates to select from. The App is my favorite feature as I can manage my store right from my phone. Highly recommended 👌👍
I like that Ecwid was easy to start and to use. Even for a person like me, without any technical background. Very well written help articles. And the support team is the best for my opinion.
For everything it has to offer, ECWID is incredibly easy to set up. Highly recommend! I did a lot of research and tried about 3 other competitors. Just try ECWID and you'll be online in no time.

Your ecommerce dreams start here

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
Your Privacy

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information

More information

Strictly Necessary Cookies (Always active)
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Functional Cookies
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
Performance Cookies
These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.