The economic downturn is fuelling record levels of fraud. In the UK alone, reported fraud broke the £2billion barrier in 2009 for the first time. (Source: Fraudtrack 7, BDO, 2010). As merchants are predicting an increase in online revenue of 20% in 2010, ecommerce businesses represent an attractive target for the credit card fraudster. If you run an online business, how do you protect yourself from this worrying threat?

One of the most important factors to consider in preventing this form of fraud is the payment gateway. The gateway takes the submitted billing information from your customer's computer, through your secure server, and on to your merchant account at a processing bank. The gateway transaction is seamless and invisible to the customer; but to those concerned about security, it is anything but invisible.

You should ensure that when customers are entering sensitive information, such as credit card details, your site is using SSL security. Such a system is indicated by a locked "padlock" or "key" icon at the bottom of the browser window, and effectively ensures that no one is viewing the current activity. If you are using a third party to automate payments, SSL will already be utilized.

Using SSL, along with a digital certificate, provides protection for sensitive data during its transmission to your secure server. This encryption requires two keys: one is a public key which is used to encrypt the data through your customer's browser, and the other is a private key which decrypts the data and is held only by you (or those you authorise). By using a digital certificate provider (like VeriSign), the holder of the decryption key is validated as the correct owner and can then use the data as they need.

SSL functionality can be provided by your hosting service as an added cost. Site developers generally use SSL as a matter of course for transaction functions, however you should formally confirm this is the case before launching your site.

The payment gateway provider you select should:

1. Maintain their operations in state-of-the-art datacenters and utilize the latest security methods

2. Be fully compliant with major credit card providers' security initiatives, including the Visa Cardholder Information Security Program (CISP), MasterCard Site Data Protection (SDP), and Discover Information Security and Compliance (DISC).

3. Any payment gateway you work with must be certified as a PCI Level 1 service provider.

If you are considering using a lesser-known provider, verify that the service is compliant with all these initiatives, otherwise you could be faced with higher fees, account closure, or having your organisation added to credit card processing blacklists.

It is critical that the payment gateway you choose supports basic fraud detection and that all required authentication measures are in place. For the most part, credit card fraud is carried out by individuals that have only the credit card number rather than the physical card itself. Here are two authentication measures that payment gateway providers should have available:

* The Address Verification System (AVS) authenticates a credit card purchase based on the billing address. During the online transaction, the customer is asked to supply their billing address, which should match the address on the credit card bill. The drawbacks to this kind of authentication are that it is very easy to mistype an address, or for an updated address to not be fully propagated within a credit card company.

* The Card Verification Value (CVV), also known as Card Security Code (CSC), is an authentication method based on the 3 or 4 digit number on the back of VISA, MasterCard, or Discover cards, or on the front of American Express cards. This number, called the CSC (also known as a CCID or Credit Card ID), is used by merchants so that they can secure "card not present" transactions, as are those conducted over the Internet. Supplying this code in a transaction is intended to verify that the customer has the card in their physical possession.

When it comes to choosing a payment gateway provider, you need to scrutinize their security measures because your business reputation will depend on it. The provider should be effectively managing all facets of security on an ongoing basis. The data should be secured via a 128-bit Digital Certificate. The data center where the payment gateway servers are housed requires ongoing requirements regarding physical security as well as information security. The provider should have firewall and intrusion detection systems installed at the operating system and application layers, as well as have database security and transaction security .in place.

Of course, your own business should adhere to the same stringent security guidelines you expect of your gateway provider. At a time when identity theft and fraud is on the rise, you need to ensure you have earned your customers' trust before they will conduct business with you online.