Ten ways to save your network
The beginning of October marks the start of the holiday shopping season for many merchants. But October is also National Cyber Security Awareness Month – a time devoted to one of the least pleasant issues facing merchants today: data security.
But merchants' dread at the topic can be turned to the advantage of ISOs and merchant level salespeople by advising retailers on the commonsense steps they can take to ensure that their most important time of year is not ruined by a data breach. To that end, cloud-based payment processor 3Delta Systems Inc. released a cyber security best practice document that service providers can use to educate merchants, and themselves.
In Top 10 Best Practices for Fighting Credit Card Theft and Fraud, 3Delta laid out the increasingly complex and dangerous threat landscape for merchants. "Cyber security, fraud detection and prevention are getting more difficult by the day for businesses large and small," the processor stated. "Today's cyber criminals are clever, patient, organized and global."
Patience and skill are indeed virtues for the modern hacker. 3Delta pointed out that fraudsters may penetrate systems, plant their malware and, slowly, over a period of months or years, steal data and funds out of accounts. Hackers are also not dumb crooks from Hollywood caper movies.
"They're masters of social engineering, skilled in targeting the most vulnerable businesses, governments and individuals with the highest potential for gain," 3Delta said. "Online criminals are also persistent, probing a system until they penetrate its perimeter, then continue attacking its vulnerabilities in hopes of hitting the right target."
Tips to save and protect
3Delta's best practices are designed to protect systems from being hacked and minimize exposure to online payment scams. The tips are:
1. Train Employees to Spot Fraud: Ensure that workers are up to date on the company's data security policies and are educated on the latest fraud tactics, including phishing, man-in-the-browser attacks and other social engineering schemes.
2. Train Customers To Spot Fraud: Inform merchants of the ways to check if online transactions are illegitimate. For example, merchants should review log files of batch transactions at the end of each business day and "red flag" anomalous transactions, such as the same user using multiple credit card numbers.
3. Do Your Outsourcing Homework: When choosing a security provider, or an ISO partnered with a security firm, investigate the firm's security capabilities and whether it is certified Payment Card Industry (PCI) Data Security Standard (DSS) compliant at the highest level.
4. Adopt Industry Safeguards: Use the PCI DSS not only as a tool against card fraud but as a roadmap for protecting access to sensitive card data and other information.
5. Form a Cyber Swat Team – Before a Breach Happens: Prevent "toxic" data breaches with internal "hazmat" teams trained to prevent and deter attacks.
6. Stay Informed: Be fluent in privacy protection technologies as well as the 212 requirements of the PCI DSS.
7. The Best Defense is a Multilayered Offense: Assume computer systems will eventually be hacked and plan to mitigate damage by implementing multilayered security strategies.
8. Don't Collect What You Can't Protect: Eliminate the storage of sensitive data in merchant networks. This action is "so obvious it is often overlooked," 3Delta said.
9. Change the Target: Employ tokenization techniques to swap random strings of characters for actual card numbers.
10. Lock Down System Gateways and Endpoints: Remain diligent about scanning networks for vulnerabilities; scrutinize all transaction touch points; and never turn off firewalls.
The best practice document can be accessed at www.3dsi.com/pdf/enewsletter/Mktg_Top_10_Best_Practices_for_Fighting_Credit_Card_Theft_and_Fraud.pdf.
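The end-of-day log review in tip 2 can be automated. The sketch below is an added example, not code from 3Delta or its best practice document; the CSV column names, the sample rows and the threshold of two cards per user are assumptions, and the log is assumed to carry card tokens rather than card numbers, in line with tips 8 and 9.

```python
import csv
import io
from collections import defaultdict

# Constructed end-of-day batch log (not real data). Column names are assumed;
# the log holds a card token, never the card number itself (tips 8 and 9).
SAMPLE_BATCH = """\
timestamp,user_id,card_token,amount,status
2024-10-01T09:14:02,u1001,tok_a1,24.99,approved
2024-10-01T09:15:40,u2002,tok_b7,310.00,declined
2024-10-01T09:16:05,u2002,tok_c3,310.00,declined
2024-10-01T09:16:31,u2002,tok_d9,310.00,approved
2024-10-01T11:02:17,u1001,tok_a1,12.50,approved
2024-10-01T13:45:00,u3003,tok_e2,89.00,approved
2024-10-01T13:47:10,u3003,tok_f5,15.00,approved
2024-10-01T15:20:00,,tok_g8,5.00,approved
"""


def flag_multi_card_users(batch_text, max_cards=2):
    """Return (flagged, unparsed).

    flagged maps each user who used more than max_cards distinct card tokens
    in the batch to a short summary. unparsed lists rows missing a user or
    token, so they are reviewed by hand instead of being silently dropped.
    The max_cards threshold is an assumed starting point, not a standard.
    """
    cards = defaultdict(set)      # user_id -> distinct card tokens seen
    declines = defaultdict(int)   # user_id -> number of declined attempts
    unparsed = []
    for row in csv.DictReader(io.StringIO(batch_text)):
        user = (row.get("user_id") or "").strip()
        token = (row.get("card_token") or "").strip()
        if not user or not token:
            unparsed.append(row)
            continue
        cards[user].add(token)
        if (row.get("status") or "").strip().lower() == "declined":
            declines[user] += 1
    flagged = {
        user: {"distinct_cards": len(tokens), "declines": declines[user]}
        for user, tokens in cards.items()
        if len(tokens) > max_cards
    }
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = flag_multi_card_users(SAMPLE_BATCH)
    for user, info in sorted(flagged.items()):
        print(f"RED FLAG {user}: {info['distinct_cards']} cards, {info['declines']} declines")
    print(f"{len(unparsed)} row(s) need manual review")
```

A flagged user is a prompt for manual review, not proof of fraud; the threshold should be tuned against the merchant's normal traffic.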
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.