E-commerce is booming and has become an essential sales channel for small businesses both domestically and internationally. The profitability and reach of an on-line business is hard to beat in the off-line world. And off-line businesses that don't have an on-line presence are at a serious competitive disadvantage. Unfortunately, e-commerce has also become an attractive revenue source for criminals who perpetrate Internet fraud. As an Internet merchant, you need to be aware and informed so that you can take steps to protect your business. Online payments security and fraud prevention is everyone's responsibility.

• Why every merchant should be concerned about Internet fraud.
• Liability for Internet fraud
• Internet fraud; what it is and how it happens
• Who is at risk for online fraud
• What banks and credit card associations are doing to prevent online credit card fraud
• Protecting your business against fraud
• Let customers know that your store is safe to do business with
• Save time and money while protecting your business with VeriSign^® Fraud Protection Services.

It's simple, a single fraud incident can put a merchant out of business. And every merchant is at risk for fraud. So it just makes good business sense to be aware and informed of your exposure and what you should do to protect your business.

As a merchant doing business online, you should be particularly concerned about fraud. Internet fraud is more prevalent than "brick and mortar" fraud and much more difficult to detect. Off-line merchants can see who they are doing business with, look at their credit card and watch them sign the receipt. In the online world however, customers are virtual and never sign a paper receipt, so authentication becomes a challenge. Moreover, in the online world, hackers can break into your network without you being aware of it to steal money, products and sensitive information. They can also break into your network to steal customer identities and commit crimes against other merchants, using your business as a launch pad for further crimes.

Moreover, it's easier for a criminal to "break-in" to an online store than an off-line store, and much easier for them to break in undetected. In the online world, criminals have multiple access points for break-ins, because the merchant store is networked internally and networked to other businesses. A criminal who breaks into a physical store is also much more visible and easy to detect than a criminal who breaks in through the web and erases their footprints.

Because of this, online transaction fraud is 17 times higher than in-store fraud, according to Gartner Group estimates. Fraudulent transactions make up 1.06% of total online transactions vs. only .06% of off-line transactions. In 2003 alone, online transaction fraud is estimated to reach $1.8 billion. And these figures don't include the cost of additional labor and fees associated with fraud investigations and merchant fines. The problem impacts consumers as well, 1 in 6 online consumers has been the victim of credit card fraud, 1 in 12 has had their identity stolen.

Perhaps the most disturbing facet of fraud is its high growth rate. As system complexity increases and technology advances, criminals have better access to more merchant goods and merchant cash. In 2002 the FBI reported Internet fraud complaints had tripled from the year before.

The threat of online fraud is so pervasive that the government has begun mandating security requirements for businesses that handle financial information online. Today these regulations apply mainly to the banking community, but as an Internet merchant you access the financial networks for each transaction made on your site. Because of this, security at the point of sale is becoming an increasing concern for both credit card associations and the government.

Security must therefore be a key merchant concern, and running efficient security operations that don't impact your bottom line is essential.

All Internet payment fraud is based on stolen consumer or merchant identities. It also requires access to payment networks to complete the fraud. The result is product theft, identity theft and cash theft.

Stolen consumer identities. Credit card information can be stolen in several ways, not all of them online. Ironically, a common source of information for digital crime is discarded paper credit card receipts. These receipts often include the complete credit card number along with the card expiration date, information that is sufficient for most online and telephone credit card transactions. Criminals also use hand held "skimmers" to digitally scan credit card numbers in seconds from the cards themselves. This can happen to unsuspecting customers in restaurants or at cash registers. Lastly, criminals can obtain credit card information virtually by hacking into customer databases. Criminals hack into a network infrastructure via misconfigured web servers or other vulnerabilities in the network, shopping cart or hosting provider. Hackers have also learned how to use technology in their favor. Automated code programs called "spiders" or "port scans" enable criminals to identify these vulnerable points in your network.

Once criminals have access to credit card information they can use it to purchase goods and services for themselves or for resale. This is what is known as "product theft". Credit card information can also be combined with readily available social security numbers and address information to open new credit cards under the criminal's name and address. This is what is typically known as consumer "identity theft" and can ruin a consumer's credit record.

Stolen merchant identities. Just as off-line criminals break into a cash register, online criminals "break into" your virtual cash register by stealing your access information to impersonate you. This is what is typically known as merchant "identity theft." Similar to consumer information theft, criminals obtain merchant information from both on and offline sources. Theft can be internal, employees or building visitors simply copy login and password information from sticky notes attached to computers. Criminals also break into buildings or go through a business's garbage to steal this information. Online merchant identity theft involves hacking into your database or back end systems to obtain payment gateway account password and user information.

This information is used to obtain unauthorized access to your payment gateway account, also known as "merchant account takeover" or "hijacking". Account takeover allows criminals to steal cash directly from your business by issuing credits or other payments to themselves.

Access to payment networks. Stolen identities are the first component of Internet payment fraud, but criminals must have access to payment networks to complete the fraud. Criminals get access to payment networks through two primary channels: 1) your Web site checkout page and 2) your payment gateway account.

Your checkout page is a public web address available to everyone globally, 24 hours a day, seven days a week. The great benefit of a web checkout page is that you can do business with anyone in the world and your store is always open. But this convenience also raises security issues. In one common fraud scheme, criminals access your checkout page to test stolen credit card numbers to see if they are valid, a process known as "carding." Another scheme involves the use of "generators," or software programs that automatically generate and submit spoofed card number sequences to your checkout page until they get a "hit" or an actual credit card number. Without the proper security controls, your checkout page can be an attractive destination for criminals.

More sophisticated forms of fraud actually involve taking over control of your payment infrastructure. In hijacking or merchant account takeover, criminals use merchant identity information in order to impersonate you and access your payment gateway account. Once inside your account, they have full administrative control, and can use this access to steal cash or for other criminal activity. Stealing cash is simple, once the merchant has accessed your payment gateway, the criminal credits funds from your account to his or her own accounts. Criminals can also use your payment gateway to obtain valid credit cards to use for other forms of theft-in effect, using your business to commit crime and costing you thousands of dollars in authorization charges, chargebacks and charge back penalties. Hijacking a merchant account is not limited to external hackers. Current or former employees can also be a source for this form of fraud.

• Inventory loss and shipping costs for physical goods that are fraudulently purchased and delivered.
• Chargeback penalties assessed by the acquiring bank of $15-$30 per fraudulent transaction.

• Higher discount rates assessed as a result of processing fraudulent payments
• Labor cost for the merchant to investigate and resolve the chargeback.
• Five to six-figure card association fines or cancellation of a merchant's account when card fraud rates are consistently high.

It is important to emphasize that every merchant is at risk. Fraud can happen to any merchant at any time and a single fraud incident can be enough to put a merchant out of business. That said, some merchants are at greater risk for certain types of fraud than others. VeriSign has put together the following "risk matrix" to identify some of the higher than average risk categories.

Balancing the online consumer experience with stronger authentication methods has traditionally been difficult. Consumers shop via the Web for convenience and speed, but historical authentication requirements have been cumbersome, time consuming and ineffective.

New Buyer Authentication solutions, such as Mastercard^® SecureCode, and Verified by Visa^®, provide more streamlined and customer friendly authentication via passwords. SecureCode and Verified by Visa enable you to gain liability protection by prompting consumers to share a password with their card issuers at checkout-similar to providing a PIN number for ATM transactions. Transactions in which consumers authenticate themselves to issuers effectively shift liability from the merchant to the issuer. Beginning April 1, 2003, merchants will not be held liable for fraudulent transactions if they have been processed using Buyer Authentication.

VeriSign's new suite of Fraud Protection Services makes it easy for you to take advantage of this powerful new system as customers, acquiring banks and processors begin to deploy it. (Check with your Internet Merchant Account provider directly to determine if they have deployed Buyer Authentication.) Through Fraud Protection Services, one seamless integration gives you access to both Verified by Visa and MasterCard SecureCode with your VeriSign Payflow^® service.

In spite of the growing threat fraud represents to merchants, there are ways to significantly reduce your exposure to fraud. There are essentially three levels of exposure to fraud on the Internet; the individual transactions themselves, access to your payment gateway account and access to your network. Protecting your business from fraud requires that you address each of these levels in an integrated manner. Your VeriSign Payflow service comes standard with several important fraud protection features, but you need to activate them and use them in order to protect your online business. VeriSign Fraud Protection Services offer additional security features plus a single fraud management interface that allows you to access and monitor all of your fraud protection functions easily and conveniently.

Transaction Level. Ensure that each transaction you accept and process is a valid transaction. You should also be careful not to deny suspicious transactions that are actually valid. Validation at the transaction level includes:

• Authenticating buyers when possible. This includes understanding who your repeat customers are. Keeping lists of repeat customers who have legitimately transacted at your site is important not only for fraud control, but also for understanding purchasing patterns and building customer loyalty. Make sure all customer information is encrypted and stored safely. Also, take advantage of MasterCard and Visa's buyer authentication programs described above to authenticate customers and benefit from the liability shift.
• Screening order content for fraud patterns. There is a wealth of information associated with each transaction that can help you understand the risk level. Activate the address verification service and card security code features that are standard with your Payflow service. Other screens such as IP address checks and shipping address validation will also help bring more certainty to a transaction with new customers. Also, keep a list of information associated with "bad" or fraudulent orders and check transactions against them. Similar to your list of "good" or repeat customers, bad lists help you streamline the checkout process. To effectively manage all of the risk information associated with a transaction it is important to use a rules engine. A rules engine automates the process of transaction screening so that you quickly fulfill orders for good customers and proactively block risky orders. VeriSign Fraud Protection Services allows you to cost-effectively deploy a rules engine as well as benefit from VeriSign's robust and continuously updated lists of high risk indicators.
• Reviewing suspicious transactions. Finally, review each transaction that is suspicious to make sure you are doing business with a legitimate customer. Effective screening is essential to ensure that you have all the information necessary to make decisions regarding questionable customer orders before they are fulfilled. Online merchants today reject 5% of all transactions because they do not have the time or information to save a good sale from a suspicious one. VeriSign Fraud Protection Services allows you to automatically and continuously review only the suspicious orders, before you process them giving you time to make an informed decision.

Account Level. Make sure that only authorized users have access to your payment gateway account and be alert for suspicious account access patterns. Protection at the account level includes:

• Locking down administrative access. Activate the "transaction settings" features that are standard with your VeriSign Payflow service. These settings allow you to limit access to high risk administrative transactions, such as issuing credits. You should also change your account password on a regular basis. With VeriSign Fraud Protection Services, you can perform these functions along with other fraud prevention functions and features easily and conveniently using the single fraud manager interface that integrates seamlessly with your VeriSign Payflow service.
• Monitoring account level activity for suspicious patterns. Watch your account for signs of unauthorized access that could indicate merchant account takeover. Account Monitoring from VeriSign Fraud Protection Services offers affordable, customized, live account monitoring staffed by experienced fraud professionals. The service maintains rolling profiles of participating merchant accounts to uncover suspicious pattern indicators. Account Monitoring can help you catch account takeover before it does any damage-whether the takeover is due to a hacker or fraudulent employee usage of your service.

• Locking down network access. Activate the "allowable" IP address feature that is standard on your VeriSign Payflow service. This ensures that only IP addresses you select have access to your network. With VeriSign Fraud Protection Services, you can access this and other fraud protection features from a single interface, easily and conveniently.
• Updating all patches on servers and operating systems. Invest in regularly scheduled security audits or port scans to identify network vulnerabilities. VeriSign Fraud Protection Services offers a free network scan from Qualys, included with every basic or advanced VeriSign Fraud Protection package.
• Monitoring firewall activity. Enterprise level e-commerce companies should also monitor their perimeter security on a 24 hour basis. Through VeriSign's Managed Security Services you can get customized perimeter security monitoring.

Fraud prevention is the first step in ensuring the success and profitability of your online business, but it's just as important that you let your customers know your store is a real business that is safe to do business with.

In the off-line world, customers can visit your store to assure themselves that it is a real business. And when they give their credit card to you, they can see who they're giving it to. In the online world, it's a lot harder to know who you're doing business with. That's why Internet shopping cart abandonment rates are so high. VeriSign Secure Site Services give your customers peace of mind in making a transaction on your Web site. With a VeriSign Secure Site Seal, you get premium business authentication, SSL encryption services and the premiere trust seal on the Web today. Displaying this interactive seal on your site lets your customers know that you are who you say you are.

For many owners of small and medium sized businesses and for IT staff of enterprise-level companies, time is money. Protecting your business against the devastating consequences of even a single fraud attempt requires a significant time commitment and ties up valuable resources. Time and resources that are better served in building and growing your business.

VeriSign has designed its suite of Fraud Protection Services based on VeriSign merchant feedback and the needs of the online business community. And as the market leader in Internet security, VeriSign maintains its position by proactively enhancing its products and services and anticipating new types of fraud attempts. This ensures that VeriSign technology continues to define state of the art for online protection. Our Fraud Protection Services not only provide you with the highest quality protection services at affordable prices, but also save you time and money.

We've made choosing the right VeriSign Fraud Protection Service package for your business easy. And it's simple to upgrade, so you only buy what you need, when you need it.

Fraud Protection Services-Purchase Options:

Detailed Service Descriptions:

Basic Fraud Protection Package
This package offers you a fast and convenient way to protect your online business-no fraud experience required. It provides essential fraud protection services in a simple wizard-based upgrade module.

This package includes:

VeriSign Fraud Manager Interface: A single, consolidated Web interface in plain English integrated with VeriSign Manager that allows you to quickly and easily manage all of your fraud protection features, without complicated "risk scores."

VeriSign Basic Fraud Filters: Instantly and automatically screen your customer orders for potentially fraudulent transactions without impacting your customers' checkout process.

VeriSign Account Security Management Tool: Integrates standard VeriSign account control security features into the Fraud Manager interface for added management convenience. Also allows you to control how administrative transactions are processed through your account.

VeriSign Advanced Fraud Filters-powerful, comprehensive, real-time, automated transaction screening. Filters are transparent to your site customers.
• Geographical location screening filter: State of the art filter that protects against "identity spoofing."
• High risk list filters: A complete suite of filters that reviews for high risk zip codes, high risk IP addresses, high risk countries and more.
• Merchant specified lists filter: Build and manage your own bad and good customers lists. This feature automatically blocks "bad customer" purchase attempts at checkout and speeds loyal "good customers" through.

	Basic Fraud Protection Package	Advanced Fraud Protection Package
VeriSign Fraud Manager
Transaction Review module
Audit trails on all reviewed transactions
Fraud Filters
Unusual Order Filters
High dollar size filter
High item number filter
Shipping/billing mismatch filter
High Risk Payment Filters
AVS failure filter
CSC failure filter
High risk BIN filter
High Risk Address Filters
High risk zip code filter
Freight forwarder filter
US Postal Service address validation filter
IP address risk list match
E-mail service provider risk list match
Geo Location filter
High Risk Customer Filters
Bad e-mail list filter
Bad credit card list filter
International Order Filters
High risk country filter
International/shipping/billing address filter
International IP address filter
International AVS filter
Accept Filters
Good e-mail list filter
Good credit card list filter
Account Security Features
Security audit from Qualys*
Allowed IPs (account access restrictions)
Transaction Settings (control credits)
Password Management
Premium Service Features
Buyer Authentication
Account Monitoring

Account Monitoring Service Add this service to either the Basic or Advanced Fraud Protection Package for premium protection against payment account takeover and hacking. Provides customized transaction monitoring by trained VeriSign security professionals. Also includes:

• Fraud Contact Line: Contact line that allows you to query fraud specialists about suspicious account activity
• Comprehensive investigation services for fraudulent transactions:
• Investigation of VeriSign Internet log files and audit trails relevant to your account
• Packaging of all relevant data to assist in funds recovery process with bank
• FBI notification and data packaging to assist in prosecution of the perpetrator

Managed Security Services. Add this service to either the Basic or Advanced Fraud Protection Package for fully customized, end-to-end enterprise level protection of your perimeter infrastructure. Provides a 24x7 private security staff without the costly overhead and time consuming management requirements of an in-house staff. Services include:

• Managed Firewall service
• Managed Intrusion Detection service
• Managed Virtual Private Network service
• Technical Help Desk service

Secure E-Commerce requires you to establish an online processing system that will allow you to accept secure online payments. VeriSign's secure, cost-effective and customized payment solutions are designed so you can easily buy what you need, when you need it, with the option to upgrade or add services anytime, as your business grows.

In 3 easy steps, you can complete everything you need to accept online payments on your Web site.

1. Choose a payment processing service:
   
   Payflow Pro. Designed for merchants who want maximum customization, control and scalability.
   
   Payflow Link. Designed for merchant who are just getting started on the Web or who have low transaction volumes.
   
   
2. Set up an Internet Merchant
   All online businesses need to operate with an Internet Merchant Account, primarily for depositing and refunding online payments. VeriSign has made getting one an easy process. As you register for either Payflow Pro or Payflow Link, we will provide you the option to apply for an Internet Merchant Account with our preferred Merchant Account provider.
   
   
3. Customize your payment processing service with additional services
   
   Protect your business and your customers from fraud.
   VeriSign Fraud Protection Service. From simple automated credit card fraud screening to enterprise grade perimeter security services, VeriSign can save you time and money while protecting your business.
   
   Accept repeat payments from your customers.
   Payflow Recurring Billing Service. A fast, cost-effective way to accept repeat payments for installment plans, monthly fees or other subscription based services.
   
   Offer your customers an alternative to credit card payments.
   Payflow ACH Payment Service. Make sure you don't lose any sales opportunities by offering your customers ACH, a convenient and reliable alternative to credit card payments. That's it! You've now got everything you need to start accepting payments online, conveniently, reliably and securely.