Hacking & Security Measures for Merchants and Payment Processing Companies
*[GGR1]This blog post contains a brief overview of Payment Card Industry Data Security Standard (PCI DSS) compliance. Individuals or companies looking for more detailed information should review the PCI DSS website at PCIComplianceGuide.org.
Introduction
Companies face many challenges when defending against cybercriminals. These crimes are typically carried out through hacking, social engineering, the use of malware, or through vishing/phishing. Common types of attacks could include, but are not limited to, business email compromise (BEC), email account compromise (EAC), and data breach. The net loss reported by the Internet Crime Complaint Center (IC3) for BEC and EAC combined was over $1.8 billion in 2020. Due to the disconnect between law enforcement agencies and private sector companies, it is difficult to stop and apprehend these individuals. (Goldman & McCoy, 2016). Therefore, it is recommended that organizations take an offensive approach to mitigate the payoff for a cybercriminal during a financially motivated fraud attack. This is accomplished by increasing the level of difficulty of infiltration, which causes the attacker to spend more time and resources to try and gain entry (Goldman & McCoy, 2016).
PCI Compliance
During the checkout process, payment gateways may be vulnerable to intrusion. To minimize this risk, companies will want to meet the Payment Card Industry Data Security Standards (PCI DSS). This is the set of security standards that all companies that store or transmit cardholder data must comply with (PCIComplianceGuide.org, n.d.). The PCI standards are in place in order to improve the security of online transactions and secure the storage of sensitive cardholder information. All companies that process payment transactions must be PCI compliant. By following these guidelines, companies can minimize the risk of fraud and data breaches occurring. Failure to comply with Payment Card Industry standards may not only result in decreased security for an organization, but the company could incur penalties and fees. That is all on top of the potential loss of revenue from a breach, loss of customer trust, and the negative impact on the organization’s reputation. Ultimately, it could result in a company's inability to accept any card payments.
How to Become PCI Compliant
Review the following information to determine your PCI Compliance:
- Determine your PCI level using the PCI Merchant Level Table
- Each level has different PCI DSS requirements that need to be satisfied
- Complete the Self-Assessment Questionnaire (SAQ)
- PCI Compliance SAQ A Requirements
- For merchants that outsource all of their payment processing
- PCI Compliance SAQ A-EP Requirements
- PCI Compliance SAQ A Requirements
- Complete an Attestation of Compliance (AOC) form to determine the service provider’s final PCI DSS results
Payment Processors
Payment processors act as an intermediary, securely carrying out payments between consumers, merchants, and their associated financial institutions -- such as an issuing bank. These companies can reduce a merchant’s chance of falling victim to fraud during the checkout process. Merchants who outsource their payment processing should carefully consider which company to trust with their customers’ information. The final decision should be made based on the processor’s ability to safely, securely, and efficiently send a payment through a gateway. Keep in mind that consumers that struggle during the checkout process may be more likely to abandon their cart. High rates of card abandonment may indicate that there is a flaw in the check-out process.
Payment Gateway Vulnerabilities
During online transactions, the consumer’s card data goes through a payment gateway. Oftentimes the level of security is achieved through data encryption. However, there are still vulnerabilities, or various points of entry, for cybercriminals. Specific entry points that may be compromised include the payment gateway, payment processor, merchant networks, or other third-party services. This is most often due to e-skimming. This attack is used by hackers to inject malicious code during payment processing. E-skimming exploits a platform in the following ways: finding vulnerabilities, accessing networks through phishing emails or brute force entry, adding skimming code to JavaScript used by third-party processors, and redirecting customers during checkout to a spoofed domain (NICCS, 2019). These fraudsters will often be able to acquire private data, like user credentials or customer payment card information. Despite anti-fraud features at most companies, there are still some instances of cybercriminals successfully gaining access to payment platforms and merchant networks. Some obvious warning signs of a breach could include, receiving multiple customer complaints and/or the merchant landing page reporting a 404 error (page not found).
Security Measures for Payment Gateways
In order to safeguard the payment gateway, encryption is typically used. A couple of examples of encryption include tokenization and protocols like Secure Socket Layer (SSL). These methods create a more secure connection during transactions by ensuring that decryption only occurs from the payment gateway's private key. This way if an attacker attempts to intercept a transaction, the data will remain encrypted. For further safety, merchants should also implement common prevention techniques, such as:
- Card Verification Numbers (CVV, CID, CV2)
- Two-Factor Authentication
- Biometrics
- Manual Review
- Authentication Programs
It is recommended that a company utilize a combination of both human and machine reviews. The human review comes with the risk of human errors and oversight. While the drawbacks of machine learning are that it may produce false positives and/or overlook instances of fraud. By utilizing the combined review process, there can be a checks and balances system. Merchants should also be sure to scan their websites and platforms for malware and check that all software is up-to-date. By having a more securely designed website, there are fewer vulnerable areas to be attacked. Regardless of the prevention methods utilized, there is still the potential for a breach to occur. Meaning, a plan of action should be in place to quickly limit the damage to systems and exposure to sensitive information caused by the cybercriminal.