
Online Payments

Mitigating Security Risks

It may seem simple to start accepting online payments. Just put a form out there and wait for the sales, right? Not quite. Amazon and other popular merchants certainly make it look easy. But, there are security measures that need to be in place before your first online sale.

Your Credit Card Terminal — Online

Think about your credit card terminal. Imagine putting it on the internet for anyone to use. That’s basically what accepting online payments is. You want your patients to be able to buy products and pay for services online. But, there are people out there who know all the tricks and loopholes to gain access to your online credit card terminal and use it maliciously.

These people run bots that crawl the internet around the clock looking for payment pages and other forms they can submit to. The site itself may have no exploitable flaw; what the bot is hunting for is a payment form with no fraud controls behind it.

It’s vital to lock things down so that not just anyone can push transactions through your online credit card terminal. This is why payment gateways offer fraud modules: automated controls that screen each transaction and stop fraudulent sales before they reach the processor.

Note: PCI DSS compliance is not the same thing as the fraud modules on your website. PCI DSS exists to protect the cardholder’s data. Fraud modules exist to protect you, the merchant, particularly on automated online transactions where no one is watching the terminal.

3 Must-Haves for Every Transaction

There are several fraud modules available through payment gateways. Depending on your practice, you likely won’t need all of them. Let’s start with three that every practice should activate for every transaction. By employing these three things, you can curb a majority of possible fraud right off the bat.

1. Address Verification 

Address Verification Service (AVS) compares the billing address the customer enters, typically the street number and ZIP code, with the address the card issuer has on file for the statement. A match does not prove the card is legitimate, but a mismatch is a strong sign that the person entering the number does not hold the card, because a stolen number rarely comes with the correct billing address. The check is only as good as the issuer’s support for it: it is widely supported by U.S. issuers, while many cards issued elsewhere return no result at all.

2. CVV2 Code

This is also called the card security code (CSC). It’s the three-digit number on the back of most credit cards, to the right of the signature panel. (The security code for American Express® is a four-digit number on the front of the card, above and to the right of the card number.) The code should be required for every transaction, and it must never be stored after authorization, not even encrypted: PCI DSS prohibits retaining it, which is exactly why a stolen batch of card numbers usually does not come with the codes.


3. CAPTCHA

CAPTCHA requires the user to complete a small challenge before the transaction is submitted, to establish that a human rather than a bot is filling in the form. There are different versions: you have probably had to retype distorted letters or pick out traffic lights in a grid of photos before completing a purchase. It is the control aimed squarely at the automated bots described above.


Here are a couple more common fraud modules to activate on your site.

1. Velocity Filter

Most gateways offer this tool, sometimes under the name transaction filter. It targets card testing: as soon as a fraudster finds a payment form they can submit to, they run a batch of stolen card numbers through it, usually as small authorizations, to find out which ones are still good. The declines pile up, and the numbers that come back approved are used for larger purchases elsewhere. A velocity filter throttles this when you set four things:

  • Time period in which a certain number of cards can be processed.
  • Number of cards processed in that time period.
  • Number of declined transactions allowed for a certain card in the time period.
  • Block options. You can choose to block certain IPs, order numbers and more.
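The four settings above, as an added example of how a velocity filter behaves in code. This is not the page’s or any gateway’s own implementation; the thresholds, the event format (a timestamp, a source IP, a card token, and what the processor answered) and the sample traffic are all constructed for illustration. Card tokens stand in for card numbers because the gateway, not your site, should ever hold a full number.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VelocitySettings:
    """The four settings the article lists. Values are hypothetical defaults."""
    window_seconds: int = 600           # 1. time period
    max_cards_per_source: int = 3       # 2. distinct cards accepted from one IP in the period
    max_declines_per_card: int = 2      # 3. declines tolerated for one card in the period
    blocked_ips: set = field(default_factory=set)  # 4. block options (by source IP here)


class VelocityFilter:
    """Gate that runs before a transaction is forwarded to the processor."""

    def __init__(self, settings: VelocitySettings):
        self.settings = settings
        self.cards_by_ip = defaultdict(deque)       # ip -> deque of (timestamp, card token)
        self.declines_by_card = defaultdict(deque)  # card token -> deque of (timestamp, card token)

    def _expire(self, entries: deque, now: float) -> None:
        # Entries are appended in time order, so drop from the left until inside the window.
        cutoff = now - self.settings.window_seconds
        while entries and entries[0][0] < cutoff:
            entries.popleft()

    def check(self, txn: dict) -> Optional[str]:
        """Return a block reason, or None if the transaction may be sent to the processor."""
        now, ip, card = txn["ts"], txn["ip"], txn["card"]
        if ip in self.settings.blocked_ips:
            return "blocked ip"
        recent_cards = self.cards_by_ip[ip]
        self._expire(recent_cards, now)
        distinct = {c for _, c in recent_cards}
        # A new card from a source that has already hit the limit is the card-testing signature.
        if card not in distinct and len(distinct) >= self.settings.max_cards_per_source:
            return "too many cards from one source"
        recent_declines = self.declines_by_card[card]
        self._expire(recent_declines, now)
        if len(recent_declines) >= self.settings.max_declines_per_card:
            return "too many declines for this card"
        recent_cards.append((now, card))
        return None

    def record_result(self, txn: dict, declined: bool) -> None:
        """Call with the processor's answer so declines count against the card."""
        if declined:
            self.declines_by_card[txn["card"]].append((txn["ts"], txn["card"]))


# Constructed sample, not real traffic: one source tests several stolen numbers,
# followed by an unrelated customer and a retry after the window has expired.
SAMPLE_EVENTS = [
    # (seconds, source ip, card token, what the processor would answer)
    (0,    "203.0.113.7",  "card-A", "declined"),
    (5,    "203.0.113.7",  "card-A", "declined"),
    (10,   "203.0.113.7",  "card-A", "declined"),   # third try: decline limit reached
    (15,   "203.0.113.7",  "card-B", "declined"),
    (20,   "203.0.113.7",  "card-C", "approved"),
    (25,   "203.0.113.7",  "card-D", "approved"),   # fourth distinct card: card limit reached
    (30,   "198.51.100.9", "card-E", "approved"),   # a normal patient from elsewhere
    (1000, "203.0.113.7",  "card-F", "approved"),   # window expired, counters reset
]


def run_sample(settings: Optional[VelocitySettings] = None) -> list:
    """Run the sample through the filter; returns one decision string per event."""
    flt = VelocityFilter(settings or VelocitySettings())
    decisions = []
    for ts, ip, card, processor_answer in SAMPLE_EVENTS:
        txn = {"ts": ts, "ip": ip, "card": card}
        reason = flt.check(txn)
        if reason is None:
            flt.record_result(txn, declined=(processor_answer == "declined"))
        decisions.append(reason or "allowed")
    return decisions


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={event[0]:>4}s {event[1]:<13} {event[2]}: {decision}")
```

Two design points worth noticing: blocked attempts are not recorded, so a fraudster cannot use the filter itself to lock a real patient’s card out by spamming it, and the decline counter only moves on the processor’s answer, so the filter never has to guess whether a number is good.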

2. Country IP Blocker

This lets you reject transactions that originate from IP addresses geolocated to entire countries. If you don’t do business outside the country, turn off everything from abroad. Two caveats: IP geolocation is approximate and easily sidestepped with a proxy or VPN, so treat the blocker as one layer rather than a guarantee, and a patient paying while traveling will be blocked too, so make sure your staff know how to take that payment another way.

Identifying Possible Fraud

There are a couple easy ways to tell if you are the victim of fraud or attempted fraud.

Emails — Turn on transaction notifications in the gateway settings. Set up correctly, you get one email per transaction, approved or declined. Hundreds or thousands of them arriving in a short span, most of them declines, is the signature of a card-testing run against your form.

Daily reports — Log in to the gateway and review the daily reports. A spike in attempts or in declines compared with your normal volume is worth investigating, as is anything else outside your usual processing pattern.
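What “a spike of activity or declines” looks like when you check for it systematically, as an added example rather than anything from the page or a gateway’s reporting feature. The daily totals are constructed (a quiet week, one card-testing day, then a normal day), and the thresholds are hypothetical; a practice would tune them to its own volume.

```python
from statistics import median

# Constructed daily gateway report, not real data: (day, attempts, declines).
# Days 1-7 are a normal week; day 8 is a card-testing burst; day 9 is normal again.
SAMPLE_REPORT = [
    ("day-1", 14, 1), ("day-2", 11, 0), ("day-3", 9, 1), ("day-4", 16, 2),
    ("day-5", 13, 1), ("day-6", 12, 0), ("day-7", 15, 1),
    ("day-8", 412, 371),
    ("day-9", 13, 1),
]


def flag_anomalous_days(report, baseline_days=7, spike_factor=3.0, max_decline_rate=0.25):
    """Return (day, reasons) for every day that stands out from the preceding baseline.

    The baseline is the median of the previous `baseline_days`, so a single burst
    does not inflate the baseline used to judge the days after it. Thresholds are
    hypothetical; tune them to the practice's own volume.
    """
    flagged = []
    for i in range(baseline_days, len(report)):
        day, attempts, declines = report[i]
        history = report[i - baseline_days:i]
        baseline_attempts = median(a for _, a, _ in history)
        reasons = []
        if attempts > spike_factor * baseline_attempts:
            reasons.append(f"attempts {attempts} vs baseline {baseline_attempts:g}")
        decline_rate = declines / attempts if attempts else 0.0
        if decline_rate > max_decline_rate:
            reasons.append(f"decline rate {decline_rate:.0%}")
        if reasons:
            flagged.append((day, reasons))
    return flagged


if __name__ == "__main__":
    for day, reasons in flag_anomalous_days(SAMPLE_REPORT):
        print(day, "-", "; ".join(reasons))
```

Using the median rather than the mean is the one choice that matters here: with a mean, the 412-attempt day would lift the next day’s baseline to well over 60 and quietly raise the bar for spotting a second, smaller burst.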

Internal Fraud

Believe it or not, one of the most common types of fraud is internal employee theft – even when it comes to online payments.

You can reduce the chance of this with the right safeguards. Every employee should have their own payment gateway login; PCI DSS requires a unique ID for each user with access to cardholder systems, and logins must never be shared. Set each employee’s level of access in the gateway. A user in a “Clerk” role should not be able to run a refund; reserve that for a supervisor or manager. Give everyone the access they need to do their job and no more.

Separate logins and limited roles make it easy to establish who did what. If someone issues a refund to their own card or a friend’s card, the gateway’s audit trail shows which user ran it.

How to Update or Change Your Fraud Modules

It is generally pretty easy to add or change your fraud modules. The process does vary, depending on your particular payment gateway. If you or your payment gateway administrator are having trouble, contact your payment gateway company directly. Or, we’ll be happy to help.

When to Check Fraud Modules

It never hurts to check your fraud modules to make sure you have the right ones set up correctly. But, there are definite times when it’s absolutely necessary:

1. You start accepting online payments — Get things off on the right foot. Make sure you know how to set them up and do so properly.

2. Employee departure — If the departing employee is your payment gateway administrator, that’s a good time to make sure someone else in the practice knows how to check and update the modules. If possible, have the departing employee train the one taking over the task.

3. You hire a new employee/administrator — Train the new person on the correct module settings for your practice, including how to make changes. You don’t want a new employee to assume your settings are the same as previous places they’ve worked and make unexpected adjustments.

4. A different payment gateway — Remember, payment gateways may have different fraud settings or use different terms. If you switch to a new one, familiarize yourself with it as soon as possible.

5. Monthly — If you haven’t checked the modules for one of the reasons above, it’s a good idea to check things monthly. If you have more than one administrator, make sure they are all on the same page.

In Case of Fraud

If you are the victim of a fraud or attempted fraud, call NCMIC at 800-437-0712 right away. We’ll review your account with you to help you identify fraudulent transactions, mitigate the damage and button up any vulnerabilities.

Keep in mind that it’s far easier to prevent attacks to your payment gateway in the first place than deal with the consequences. We can help.

Trademarks listed are the property of their respective owners.
