As online fraud becomes more pervasive, merchants need to strengthen their defenses against would-be cyber thieves.

There are several ways to accomplish this, including approaches that place some of the responsibility on the consumer. A recent American Express survey suggests that the majority of customers are willing to take extra steps to enhance the security of their information.

But for these approaches to work, the merchant must be certain the customer is who they say they are.

Customer or criminal?

Knowledge-based authentication, for example, can help validate customer identities. This requires customers to enter information such as the name of their first pet or their first car in addition to their name and password. Tom Byrnes, chief marketing officer of Vesta Corporation, a global payment solutions provider, also recommends merchants use CAPTCHA, a method of testing whether a user is a human or a script.

In addition to validating customer identities, some level of real-time fraud monitoring is important for merchants of all sizes, experts say. For smaller businesses, basic fraud prevention tools provided by payment gateways can be a good first layer of defense, says Gerry Carr, chief marketing officer at Ravelin, a London-based fraud protection company.

For instance, merchants can create a set of rules around transaction size, frequency and other factors that must be met before a purchase can be authorized. To be most effective, merchants should continually refine their criteria.

Larger merchants with more frequent online transactions may consider machine learning to analyze data. Carr recommends merchants continually monitor various types of data such as a customer’s device ID, account set up, email address and historical buying trends to better identify possible fraud.

Device security

Merchants may also consider adopting tokenization, which allows them to replace real card account numbers with tokens. Secure keypads are also becoming increasingly important for businesses where staff members routinely take card data over the phone. Without an encrypted keypad, fraudsters can easily obtain the card data, explains Ken Paull, chief revenue officer at Cayan, a Boston-based payment technology provider.

Ashley McAlpine, fraud prevention manager at TMG, a payments processor in Des Moines, Iowa, says she expects more merchants to sign up for 3D Secure over time as the need to defer chargeback responsibility increasingly outweighs the potential for customer dissatisfaction.

Despite the potential that some customers won't like taking the extra authentication steps, she predicts many merchants are ultimately going to choose 3D Secure because of the chargeback protection it offers. “I think they are going to experience more fraud losses and the costs are going to add up.”

The card networks developed 3D Secure to add a layer of authentication to the checkout process. In typical setups, this allows online shoppers to create and assign a password to their card that is then verified whenever a transaction is processed through a site that supports 3D Secure; more recently, the card networks have put in alternatives to password authentication, such as Mastercard Identity Check, better known as selfie pay.

Although it shifts the financial responsibility from the merchant to the acquirer, some merchants have been loath to adopt 3D Secure fearing that the increased burden on customers will hurt business.

Technology is important to automate processes and create a positive customer experience, but the human element is just as vital and companies must match their technology investment with the proper level of staffing. “The people part of this equation should not be underestimated,” says Byrnes of Vesta.