Small Business Reports

business journal for business owners

SmallBusinessReports.org


SPECIAL REPORT


Four security questions to ask your payment provider

Considering a new payment service provider? Security should be top of mind. It's important to ask these four critical security questions of your payment provider to help you make the best decision for your business. The way a provider answers your questions will shed light on their approach to payment security and how they will protect sensitive cardholder data to mitigate your risk.

1. How do you secure data?

How a payment provider secures sensitive card and personal data helps you understand if it's handling and storing your customers' payment details safely and securely.

At a minimum, your payment provider needs to be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for the proper handling and storage of cardholder data from credit card transactions. PCI-certified auditors, known as Qualified Security Assessors (QSAs), assess businesses to verify compliance. There are different types of PCI certification, so ask about any audits and certification levels your payment provider holds. Most payment providers are Level 1 in the context of PCI DSS, which is the minimum you should expect when it comes to data security compliance.

2. How do you go above and beyond compliance?

Yes, it's important for a payment provider to meet compliance standards, but this payment security question helps you go one step further. Asking for details on how a payment provider approaches compliance from the foundational level and on a continuous basis will help you make sure their vision aligns with yours.

EMV, GDPR, and PCI are table stakes. So how does your payment service provider go beyond these industry standards and regulations to protect data proactively? How do they address potential vulnerabilities as they arise?

The best approaches will demonstrate that a payment provider understands where risks are, employs proper security to those risks, and manages compliance as a natural result of that security investment.

3. How do you authenticate data?

This security question for your payment provider will probe how they handle security once data leaves your platform, cloud, or system. Your partner must authenticate data, verifying on their end that card data and personally identifiable information are correct. Learning how they do that will help you feel confident your customer data stays secure throughout the entire process.

And while you may not get a full peek behind the curtain for security reasons, understanding your payment provider's approach to authentication security is helpful. Look for industry-standard protocols for securing APIs, such as REST APIs that use OAuth (Open Authorization).

4. How does your technology facilitate a seamless customer experience while applying maximum security?

It's critical for your business to be able to provide minimal friction and maximum security. This is especially true now that consumers use multiple devices to interact and transact. You can provide a frictionless and secure payment experience for your customers, but it's not easy to retrofit security measures. So, think about security as part of the onboarding process of new technologies and solutions.

Your choice of payment provider will not only impact your customers' data security, it will impact your business' ability to compete. These security questions for payment providers will help you feel comfortable with your decision.


Tips to prevent the four most common data breaches

With the dramatic growth of ecommerce, cyber threats are on the rise. According to IBM's Cost of a Data Breach Report 2021, data breaches had the highest average cost in 17 years at $4.24 million per breach. A breach could easily disrupt a business—and even threaten its survival. However, by keeping your eye on security, knowing what vulnerabilities to look for and taking precautionary steps, you can greatly reduce your risk of data breaches.

These are the four most common data breach vulnerabilities that cybercriminals are on the hunt for:

1. Unsecure third-party vendors

One of the most common data breach vulnerabilities that directly impacts the security of your business' environment is the use of unsecure third-party vendors. These vendors often provide businesses with payment processing services, but not in a secure manner.

Data thieves have learned they can exploit unsafe vendors to reach several customers and compromise the business' clients' credit card information. One common example involves vendors utilizing remote access to the customer's processing environment for routine maintenance. The data thieves looking to exploit a business leverage default passwords or phishing scams directed at the vendor to obtain credentials that grant them access into a business' environment to deploy malware, ultimately leading to card data being compromised.

"Ensure you know all of the third-party vendors that are involved with your credit card environment, and know their roles in that environment," advises Stacy Hughes, Chief Information Security Officer. "You should know if those vendors are PCI DSS compliant and if they are implementing their processes securely."

In addition, verify which security functions your payment provider uses, such as encryption, tokenization and 3D Secure, to reduce the risk to your customer data and your exposure to fraud. A well-secured vendor can offer payment security products that greatly protect you and reduce your chance of becoming the victim of a data breach.

2. Security patches

Another common data breach vulnerability involves security patches. In many cases, businesses are not aware that routine security patches for their firewalls, antivirus software or software platforms are out of date. Software and platform providers often release security updates for users to implement to ensure their software is up to date to protect against data breaches and cyber attacks.

"You should complete every necessary security patch on all systems that are linked to your processing environment," said Hughes. "You can schedule these routinely so you don't have to worry about missing any necessary changes."

3. Weak or stolen passwords

According to Verizon's 2019 Data Breach Investigations Report, 80% of hacking-related activities involve compromised or weak credentials. Typically, weak passwords are the result of using default passwords, such as "password," "welcome," or "12345," supplied by third-party vendors. In many cases, account holders forget or fail to change the password that a third-party vendor assigned arbitrarily for first-time entry. The end result: hackers exploit this vulnerability, potentially leading to a data breach.

"It's imperative that you create unique passwords associated with your computer systems, internet access and payment environment," Hughes says. "Use strong passwords that include at least seven characters with numbers, symbols and letters – at least one capitalized. And change it frequently, preferably every three months."

Stolen passwords are easily obtained by hackers through phishing attacks. Hackers pretend to be a legitimate contact (for example, part of the IT team) and reach out to your employees trying to trick them into providing their password.

"It's crucial to train your employees on how to protect themselves from phishing attacks, as well as on company security policies. For instance, employees should know to never give out their passwords or login credentials and to be suspicious of emails requesting them," Hughes says.

4. Ecommerce vulnerabilities

Card data thieves will search websites for a number of vulnerabilities, such as weak or outdated SSL certificates or software platforms. Software platforms like Adobe's Magento often release security updates for users to implement so their software can protect against the latest cyber attacks. However, the individuals responsible for managing ecommerce implementations often are not aware of these updates, or simply have not taken the necessary steps to apply them. This leaves them vulnerable to a cyber attack. Cybercriminals can then use JavaScript skimmers, injecting malicious JavaScript code into the merchant's website to steal credit card data.

What's more, cybercriminals are now sophisticated enough to create copies of the merchant's shopping cart or iFrame so they can steal card data. And, to the cardholder, it appears they are still directly on the merchant's website when, in fact, they are not.

Any entity that handles credit cards and accepts them as payment is responsible for ensuring they handle all credit card data securely as guided by the Payment Card Industry Data Security Standard (PCI DSS).

To help you stay on top of security, the following due diligence checklist can help:

  • Have your software platforms been patched with any and all security updates? Are you using the latest version of the software?
  • Do you know whose responsibility it is to implement the updates and patches? Yours or the hosted service provider? Visit the PCI Data Security Standards and reference the roles and responsibilities breakdown in the appendix. It's important to ensure your shopping cart has the most up-to-date security features when accepting payments via the internet. Having a third party such as your payment processor or acquirer maintain or "host" some of these features including JavaScript or iFrames can help better secure your customers' data.
  • Ensure your site uses the most secure SSL/TLS protocol versions, such as TLS 1.2.
  • Always remember the big three elements present in most data breaches:
    • Software updates and patching are baseline controls critical to your security
    • Password management and strong passwords are essential
    • Tightly manage and limit administrative access, as well as any remote access to the administrative portal
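To make the checklist's point about hosted JavaScript and iFrames, and the skimmer injection described above, concrete, here is an added example (not from the article or any vendor it mentions) of a baseline check a merchant could run against its own checkout page. It assumes the merchant keeps an allowlist of the hosts its scripts and iframes may load from, plus SHA-256 hashes of the inline scripts it actually deployed; every hostname and the sample page are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self.iframes = [], [], []
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            (self.external if tag == "script" else self.iframes).append(src)
        elif tag == "script":  # inline script: collect its body until </script>
            self._in_inline = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def inline_hash(body):
    """Baseline key for an inline script: SHA-256 of its stripped text."""
    return hashlib.sha256(body.strip().encode()).hexdigest()

def audit_checkout_page(html, allowed_hosts, baseline_hashes):
    """Flag scripts/iframes from hosts outside the allowlist and inline scripts not in the baseline."""
    p = _TagCollector()
    p.feed(html)
    findings = []
    for kind, urls in (("script", p.external), ("iframe", p.iframes)):
        for url in urls:
            if (urlparse(url).hostname or "") not in allowed_hosts:
                findings.append(f"unexpected {kind} source: {url}")
    for body in p.inline:
        if inline_hash(body) not in baseline_hashes:
            findings.append(f"inline script not in baseline: {body.strip()[:40]!r}")
    return findings

# Constructed sample (placeholder hosts): approved hosted script, approved inline
# snippet and card iframe, plus two additions absent from the deployed baseline.
APPROVED_INLINE = "window.pspConfig = {merchant: 'demo-merchant'};"
ALLOWED_HOSTS = {"js.psp.example"}
BASELINE = {inline_hash(APPROVED_INLINE)}
SAMPLE_PAGE = f"""<html><body>
<script src="https://js.psp.example/hosted-fields.js"></script><script>{APPROVED_INLINE}</script>
<iframe src="https://js.psp.example/card-frame"></iframe>
<script src="https://cdn.unrelated.example/stats.js"></script><script>console.log('loaded');</script>
</body></html>"""
```

Run it on a scheduled fetch of the live checkout page and alert on any non-empty result; a new host or a changed inline script is exactly what a patch-level change, or an injection, looks like from the outside.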

If you discover or have been notified that a compromise or data breach may have occurred, take these steps:

  • Stop processing on the compromised ecommerce environment, at least temporarily. Seek alternative processing methods such as credit card terminals through dial-up.
  • Do not delete anything or attempt to "clean-up" any data. This could impact the success of any needed investigation.
  • Customers should notify us immediately.
  • Notify your third party hosting provider (if applicable).

As you navigate today's new commerce landscape, we're here to help keep your business and your customers safe. To do so, we created the Merchant Protection Program to assist you with securing your processing environment and achieving PCI DSS compliance. Another helpful resource is the PCI SSC Merchants Microsite, which has many useful guides including patching resources to help with outdated software.

On the whole, machine learning helps predict fraud with better precision than other methods. Our fraud prevention solution combines data from more than 68 billion Visa transactions worldwide and over 260 fraud detectors, using machine learning with both static and self-learning models. For more tailored targeting, merchants can customize fraud detection rules to meet unique business needs. It all adds up to maximum prediction accuracy to help prevent more fraud.

Who's at risk?

Every merchant—from the biggest multinationals to the smallest micro-merchants—is at risk of transaction fraud. Large enterprise businesses without sufficient safeguards are vulnerable. Cybercriminals look for high-value, in-demand goods that can be quickly resold. Smaller merchants are also at risk, as fraudsters typically migrate to the weakest link, those that haven't yet employed extra layers of sophisticated fraud prevention.

Today, many merchants aren't doing enough, and have left themselves highly exposed to potential fraud. And unfortunately, merchants often misunderstand the concept of card acceptance liability, which will fall to the seller unless it follows strict card-acceptance rules promulgated by the networks. Common refrains we hear from victims are, "I've been doing this for years and I've never gotten hit," and "It's never happened to us." Understandably, in volatile economic times such as during a pandemic, merchants might be all-too-eager to process large transactions, which at first glance could make a difference between a mediocre and good month sales-wise.

Yet if a sale is too good to be true, it often is. And it's the smaller merchants that are typically the least able to sustain big losses. Once fraudsters find a vulnerable merchant and a transaction goes through, they'll keep hitting the merchant until the business realizes there's something wrong. We often see single fraudulent transactions ranging from $5,000 to $50,000, which can be crippling for smaller operations.

Make machine learning part of your fraud prevention

At a minimum, every merchant needs a fraud prevention strategy. Merchants that have sustained fraud losses often say that what turned out to be a fraudulent transaction was too good to be true. They accepted it and didn't trust their gut. But leveraging machine learning for fraud detection lets the vast computer power of a processing network do the hard work, allowing it to flag suspicious transactions with greater accuracy and lower false positives.

For merchants that can't integrate machine learning at this time, we urge them to use other advanced fraud prevention technology such as 3D Secure 2, which uses biometrics and other methods for quick, smooth authentication on any device. 3D Secure raises the security of an online transaction to the level of a face-to-face transaction at the point of sale. Also, merchants should notify people picking up the goods in person that the transaction will be processed as a face-to-face transaction, which usually stops the fraudsters in their tracks.

Keeping up with the leading fraud prevention technology is protection for businesses of all sizes. After all, fraudsters are constantly refining their tactics. Shouldn't you?


by: contributing editors 


© Copyright 2010-2021  SmallBusinessReports.org  All Rights Reserved 
