May 13, 2021
Hacking & Security Measures for Merchants and Payment Processing Companies
by Gabrielle Geruntho, Department of Criminal Justice -- DeSales University
*[GGR1]This blog post contains a brief overview of Payment Card Industry Data Security Standard (PCI DSS) compliance. Individuals or companies looking for more detailed information should review the PCI DSS website at PCIComplianceGuide.org.
Companies face many challenges when defending against cybercriminals. These crimes are typically carried out through hacking, social engineering, the use of malware, or through vishing/phishing. Common types of attacks could include, but are not limited to, business email compromise (BEC), email account compromise (EAC), and data breach. The net loss reported by the Internet Crime Complaint Center (IC3) for BEC and EAC combined was over $1.8 billion in 2020. Due to the disconnect between law enforcement agencies and private sector companies, it is difficult to stop and apprehend these individuals. (Goldman & McCoy, 2016). Therefore, it is recommended that organizations take an offensive approach to mitigate the payoff for a cybercriminal during a financially motivated fraud attack. This is accomplished by increasing the level of difficulty of infiltration, which causes the attacker to spend more time and resources to try and gain entry (Goldman & McCoy, 2016).
During the checkout process, payment gateways may be vulnerable to intrusion. To minimize this risk, companies will want to meet the Payment Card Industry Data Security Standards (PCI DSS). This is the set of security standards that all companies that store or transmit cardholder data must comply with (PCIComplianceGuide.org, n.d.). The PCI standards are in place in order to improve the security of online transactions and secure the storage of sensitive cardholder information. All companies that process payment transactions must be PCI compliant. By following these guidelines, companies can minimize the risk of fraud and data breaches occurring. Failure to comply with Payment Card Industry standards may not only result in decreased security for an organization, but the company could incur penalties and fees. That is all on top of the potential loss of revenue from a breach, loss of customer trust, and the negative impact on the organization’s reputation. Ultimately, it could result in a company's inability to accept any card payments.
How to Become PCI Compliant
Review the following information to determine your PCI Compliance:
- Determine your PCI level using the PCI Merchant Level Table
- Each level has different PCI DSS requirements that need to be satisfied
- Complete the Self-Assessment Questionnaire (SAQ)
- Complete an Attestation of Compliance (AOC) form to determine the service provider’s final PCI DSS results
Payment processors act as an intermediary, securely carrying out payments between consumers, merchants, and their associated financial institutions -- such as an issuing bank. These companies can reduce a merchant’s chance of falling victim to fraud during the checkout process. Merchants who outsource their payment processing should carefully consider which company to trust with their customers’ information. The final decision should be made based on the processor’s ability to safely, securely, and efficiently send a payment through a gateway. Keep in mind that consumers that struggle during the checkout process may be more likely to abandon their cart. High rates of card abandonment may indicate that there is a flaw in the check-out process.
Payment Gateway Vulnerabilities
Security Measures for Payment Gateways
In order to safeguard the payment gateway, encryption is typically used. A couple of examples of encryption include tokenization and protocols like Secure Socket Layer (SSL). These methods create a more secure connection during transactions by ensuring that decryption only occurs from the payment gateway's private key. This way if an attacker attempts to intercept a transaction, the data will remain encrypted. For further safety, merchants should also implement common prevention techniques, such as:
- Card Verification Numbers (CVV, CID, CV2)
- Two-Factor Authentication
- Manual Review
- Authentication Programs
It is recommended that a company utilize a combination of both human and machine reviews. The human review comes with the risk of human errors and oversight. While the drawbacks of machine learning are that it may produce false positives and/or overlook instances of fraud. By utilizing the combined review process, there can be a checks and balances system. Merchants should also be sure to scan their websites and platforms for malware and check that all software is up-to-date. By having a more securely designed website, there are fewer vulnerable areas to be attacked. Regardless of the prevention methods utilized, there is still the potential for a breach to occur. Meaning, a plan of action should be in place to quickly limit the damage to systems and exposure to sensitive information caused by the cybercriminal.